Microsoft's Vulnerability Numbers Went Down, That's Actually the Scary Part
A new cybersecurity report reveals that fewer bugs doesn't mean less danger. It means the bugs that remain are far more lethal, and AI is making them weaponizable at unprecedented speed.
by Kasun Illankoon, Editor in Chief at Tech Revolt
Every year, the security industry holds its breath for the annual tally of Microsoft software vulnerabilities. The assumption is straightforward: fewer vulnerabilities equals a safer digital environment. So when BeyondTrust released the 13th edition of its Microsoft Vulnerabilities Report this week, the headline number looked almost reassuring. Total vulnerabilities dropped 6%, from 1,360 in 2024 to 1,273 in 2025. Progress, right?
Not remotely.
Buried beneath that surface-level decline is one of the most alarming findings in the report's 13-year history: critical vulnerabilities doubled year-over-year, surging from 78 to 157. For the first time in several years, the severity trend reversed direction. And in a threat landscape increasingly shaped by artificial intelligence, that reversal carries consequences that go well beyond patching schedules.
This is not a story about a company releasing more flawed software. It is a story about a fundamental shift in how digital risk is being created, discovered, and exploited — one that the security industry's traditional measurement tools are no longer equipped to fully capture.
The Number That Actually Matters
To understand why a drop in total vulnerabilities can coexist with a surge in danger, it helps to think about vulnerabilities not as a uniform category but as a spectrum. A low-severity vulnerability might require significant effort to exploit and yield only limited access even when exploited successfully. A critical vulnerability, by contrast, typically allows an attacker to execute code remotely, seize system control, or impersonate a privileged user, often with minimal effort, and sometimes with no user interaction required at all.
When critical vulnerabilities jumped from 78 to 157 in a single year, reversing a multi-year downward trend, the practical implication is that the flaws being discovered are significantly more severe and exploitable than in previous years. For a security team, each of those 157 flaws represents a fire that could burn through an entire enterprise if not extinguished quickly and correctly.
James Maude, Field CTO at BeyondTrust, put it plainly: "Don't be distracted by the dip in total vulnerabilities. Critical vulnerabilities doubled. This is a warning that risk is not decreasing, it is concentrating, and it is concentrating around privilege. Elevation of Privilege made up 40% of all vulnerabilities again this year because that is exactly what attackers need to reach critical systems."

Photo: James Maude, Field CTO at BeyondTrust
The phrase "concentrating around privilege" is the key to reading this report correctly. The security community has long understood that most cyberattacks follow a predictable arc: initial access, privilege escalation, lateral movement, and finally, exfiltration or destruction. Elevation of Privilege vulnerabilities are closely watched because they allow attackers to gain broader access inside systems after an initial breach. When 509 out of 1,273 vulnerabilities fall into that single category, it signals that attackers are consistently finding the one class of flaw that lets them go from a foothold to full control.
The Cloud Is Where the Danger Is Concentrating
If one data point from BeyondTrust's report should cause enterprise IT leaders to lose sleep, it is this: Microsoft Azure and Dynamics 365 experienced a ninefold rise in critical vulnerabilities, climbing from just 4 to 37 in a single year. That is not a gradual trend. That is a cliff edge.
The significance of that number extends far beyond the cloud platforms themselves. Azure is the infrastructure layer where AI services live, authenticate, and interact with sensitive data. A critical flaw in that environment does not just threaten a single application. It threatens every service, every automated process, and every AI agent operating within it.
Jane Frankland, founder of the IN Security Movement and a BeyondTrust report contributor, noted that the Azure critical vulnerability spike matters because this is the infrastructure layer where AI services authenticate and interact with enterprise data — a near-tenfold increase in critical vulnerabilities in that environment, combined with ungoverned machine identities operating autonomously within it, represents a converging risk, not a theoretical one.
The productivity layer is under pressure too. Microsoft Office vulnerabilities surged to 157 in 2025, more than tripling compared to 2024, while critical vulnerabilities within Office increased tenfold. This is particularly significant because Office applications represent one of the most universally deployed software suites in the world. Researchers at BeyondTrust's Phantom Labs found that attackers are using this vector to execute malicious code the moment a user highlights an attachment, requiring no further interaction. The barrier to exploitation, in other words, has nearly disappeared.
On the more optimistic end, Microsoft Edge vulnerabilities fell to 50 in 2025, an 83% year-on-year drop, suggesting risk levels varied widely across the company's software estate. The browser wars of the vulnerability world appear to be calming. But that bright spot should not distract from the broader pattern of risk migrating toward cloud infrastructure and productivity tools.
AI Is Playing Both Sides
Perhaps the most consequential dimension of this year's report is the role artificial intelligence is now playing in shaping the vulnerability landscape — not just as a target, but as a tool in the hands of both defenders and attackers.
Attackers are using generative AI to analyze patches and reverse-engineer exploits in hours, where that process once took days or weeks. The time between a vulnerability being disclosed and a working exploit being deployed in the wild — historically a window in which organizations could patch before being targeted — is compressing rapidly.
This dynamic creates what the BeyondTrust report describes as "a widening gap between vulnerability disclosure and exploitation, where organizations may be exposed before traditional defenses can respond." The standard playbook of patch-on-Tuesday, deploy-by-Friday is being rendered obsolete by AI-assisted exploit development.
Why the Old Scorecard No Longer Works
The deeper lesson of BeyondTrust's report is not about any single vulnerability class or product category. It is about the limitations of how the security industry has historically measured and communicated risk.
CVE counts have always been an incomplete picture. Identity misconfigurations, over-privileged machine accounts, and AI agents with unconstrained access do not get CVEs, but they carry the same critical consequences. A security team that is solely focused on patching disclosed vulnerabilities is, in effect, fighting last year's war.
Sami Laiho, Senior Technical Fellow at Adminize and Microsoft MVP, argued that the true risk in modern environments is not the presence of vulnerabilities but the presence of unnecessary privilege — and that organizations embracing least privilege as a foundational design principle will not eliminate vulnerabilities, but will dramatically reduce their ability to cause harm.
That insight points toward the core strategic shift BeyondTrust is advocating: moving from a vulnerability-centric model of security to a privilege-centric one. The question is no longer simply "how many flaws exist?" but "how many paths to privilege exist, and how quickly can we close them?"
Maude framed the stakes this way: "A ninefold increase in Azure and Dynamics 365 critical vulnerabilities shows where that concentration is happening. Combined with the rising tide of identity compromise attacks that exploit standing privilege, patching alone will not close this gap. The organizations that weather this are the ones treating every vulnerability and every identity, human or machine, as a potential path to privilege in their most critical systems, and shrinking those paths before an attacker reaches them."
What Organizations Need to Do Differently
The BeyondTrust report is not simply a catalog of bad news. It is also a directional guide for how security posture needs to evolve. Four priorities emerge clearly from the findings.
Patch faster, and assume it is not enough: The acceleration of AI-assisted exploit development means the window for safe remediation is shorter than ever. Organizations need to compress their patching cycles significantly while simultaneously operating under the assumption that some percentage of attacks will succeed despite best efforts.
Apply least privilege universally: With 40% of all vulnerabilities classified as Elevation of Privilege, removing unnecessary administrative access is the single highest-leverage defensive action available. If there is no elevated privilege to escalate to, the exploit hits a dead end.
Extend identity security to non-human identities: Service accounts, machine credentials, and AI agents represent a rapidly growing attack surface that is largely invisible to traditional security tools. The report notes that AI agents inherit identity, access, and privilege, making the governance of those identities as critical as the governance of human user accounts.
Think in paths, not points: Individual vulnerabilities are points. Attackers think in paths. The organizations best positioned to weather this threat environment are those that map the routes from initial compromise to critical systems and systematically eliminate or monitor each step along the way.
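As an added illustration of the "paths, not points" and least-privilege priorities above (example code written for this page, not the report's or BeyondTrust's own tooling): a small privilege graph, constructed here with assumed node and relationship names, in which every route from a compromised workstation to a critical cloud subscription is enumerated and then recounted after standing admin rights are removed.

```python
"""Privilege paths as a graph: measure how removing standing privilege shrinks
the routes from a foothold to a critical system. Added illustration; the
estate below is constructed for this example, not data from the report."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Edge = Tuple[str, str, str]  # (source, relationship, target), constructed

# Constructed sample estate. The AI agent inherits the rights of the service
# account it runs as, so it is a node on the path like any other identity.
SAMPLE_EDGES: List[Edge] = [
    ("workstation-01", "session_of", "alice"),
    ("alice", "member_of", "helpdesk"),
    ("helpdesk", "admin_to", "jumpbox"),          # standing admin rights
    ("jumpbox", "session_of", "svc-automation"),
    ("svc-automation", "runs_as", "ai-agent"),
    ("ai-agent", "owns", "azure-sub-prod"),
    ("svc-automation", "admin_to", "azure-sub-prod"),
    ("alice", "can_rdp", "fileserver"),
    ("fileserver", "session_of", "bob"),
    ("bob", "member_of", "domain-admins"),        # standing admin rights
    ("domain-admins", "admin_to", "azure-sub-prod"),
]

def build_graph(edges: Iterable[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    graph: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph

def find_paths(edges: Iterable[Edge], start: str, target: str) -> List[List[str]]:
    """Enumerate simple paths from start to target; each step is 'rel->node'."""
    graph = build_graph(edges)
    paths: List[List[str]] = []
    def walk(node: str, seen: Set[str], trail: List[str]) -> None:
        if node == target:
            paths.append(trail)
            return
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:  # simple paths only: never revisit a node
                walk(nxt, seen | {nxt}, trail + [f"{rel}->{nxt}"])
    walk(start, {start}, [start])
    return paths

def without(edges: Iterable[Edge], *removals: Edge) -> List[Edge]:
    """Simulate a remediation by dropping specific privilege edges."""
    return [e for e in edges if e not in removals]
```

Counting the paths before and after dropping the two standing-admin edges shows the same vulnerabilities leading nowhere once there is no privilege left to escalate to.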
The Bottom Line
The 2026 BeyondTrust Microsoft Vulnerabilities Report is, at its core, a story about a transition. The era of managing cybersecurity risk primarily through vulnerability volume and patch cycles is ending. The era of privilege-centric, identity-first security is beginning — driven by the reality that AI has changed both sides of the offense-defense equation simultaneously.
A 6% drop in total vulnerabilities is, in that context, close to meaningless. A doubling of critical vulnerabilities, concentrated in the cloud infrastructure that powers modern enterprise operations, is the number that demands attention.
As the report concludes, adversaries are getting more surgical. They are not looking for more ways in; they are looking for the best ways in. Security strategy needs to follow the same logic.