Most organisations still manage cyber-risk through scheduled activities. Vulnerability scans run at fixed intervals, penetration tests arrive once a year and severity scores are used as proxies for danger, even when they do not reflect how attackers actually operate.