New security flaws are emerging at an alarming rate, the window before attackers exploit them is shrinking rapidly, and most organizations have little to no insight into which ones actually matter.
Today’s deeply interconnected business landscape — along with the software and systems that power it — has pushed supply chain risks to the top of the cybersecurity priority list. A key challenge is that many companies don’t even realize they’re part of a supply chain, leaving them vulnerable to attacks that aren’t the result of any direct mistake on their end.
Black Kite’s 2026 supply chain vulnerability report opens with a stark warning: ‘speed without insight defines the modern supply chain crisis.’ The report highlights three core findings:
- over 48,000 CVEs were logged in 2025
- the time to exploitation has now gone into negative territory
- just 58 of those CVEs represent a real, detectable, and exploitable danger to enterprise supply chains
The first finding is well-documented. The second is a conclusion independently reached by both Black Kite and Mandiant (M-Trends 2026: “The average time to exploit vulnerabilities fell to roughly -7 days, meaning attackers are routinely exploiting flaws before a fix is even available.”).
Taken together, these two realities make it clear that organizations simply cannot stay secure by patching CVEs alone. This is precisely what Black Kite means by the problem of ‘velocity.’
The third finding underscores the need for ‘visibility’ — the ability to cut through the noise and narrow the field down to a manageable set of truly critical issues.
Black Kite’s methodology involved filtering a curated set of high-priority CVEs (totaling 1,024) based on their EPSS scores, KEV listings, and relevance to third parties. Yet from that group, only 58 CVEs were readily discoverable by attackers using open-source intelligence — making them the most urgent threats. Pinpointing those critical CVEs represents a fundamental visibility challenge in supply chain security. But once identified, the velocity problem becomes far more manageable.
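An added example (not code from Black Kite or the report) that models the two-stage filter just described as runnable Python: stage one keeps CVEs relevant to third parties that are in KEV or carry a high EPSS score, stage two keeps only those an outsider could spot through open-source intelligence, and a helper computes the fix-to-exploitation lead time so that "negative" time to exploitation is concrete. The EPSS cutoff, the record fields and the sample data are assumptions with placeholder identifiers.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class CveRecord:
    cve_id: str
    epss: float                      # EPSS probability (0..1) of exploitation within 30 days
    in_kev: bool                     # listed in CISA's Known Exploited Vulnerabilities catalog
    third_party_relevant: bool       # affects software delivered by a vendor or supplier
    externally_observable: bool      # an outsider could find the exposure via open-source intelligence
    fix_available: Optional[date]    # date a fix was published; None if no fix yet
    first_exploited: Optional[date]  # earliest known in-the-wild exploitation; None if unknown

EPSS_THRESHOLD = 0.5  # assumption: the report does not publish its EPSS cutoff

def is_high_priority(r: CveRecord) -> bool:
    """Stage 1: third-party-relevant CVEs that are in KEV or have a high EPSS score."""
    return r.third_party_relevant and (r.in_kev or r.epss >= EPSS_THRESHOLD)

def exploitation_lead_days(r: CveRecord) -> Optional[int]:
    """Days from fix availability to first exploitation; negative means exploited before a fix existed."""
    if r.fix_available is None or r.first_exploited is None:
        return None
    return (r.first_exploited - r.fix_available).days

def triage(records: List[CveRecord]) -> Tuple[List[str], List[str]]:
    """Return (high-priority CVE ids, the critical subset that is also externally observable)."""
    stage1 = [r for r in records if is_high_priority(r)]
    critical = [r for r in stage1 if r.externally_observable]
    return [r.cve_id for r in stage1], [r.cve_id for r in critical]

# Constructed sample records with placeholder IDs (not real CVEs).
SAMPLE = [
    CveRecord("CVE-0000-0001", 0.92, True,  True,  True,  date(2025, 3, 10), date(2025, 3, 3)),
    CveRecord("CVE-0000-0002", 0.15, False, True,  True,  date(2025, 5, 1),  None),
    CveRecord("CVE-0000-0003", 0.71, False, True,  False, date(2025, 6, 20), date(2025, 7, 2)),
    CveRecord("CVE-0000-0004", 0.88, True,  False, True,  date(2025, 8, 8),  date(2025, 8, 1)),
]

if __name__ == "__main__":
    high, crit = triage(SAMPLE)
    print("high-priority:", high)                 # ['CVE-0000-0001', 'CVE-0000-0003']
    print("critical (OSINT-discoverable):", crit)  # ['CVE-0000-0001']
    for r in SAMPLE:
        print(r.cve_id, "lead days:", exploitation_lead_days(r))
```

A lead time of -7 for the first record is the pattern Mandiant describes: exploitation a week before a fix existed, so patch cadence alone cannot close that exposure.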
While velocity and visibility were already serious concerns in 2025, the situation is poised to deteriorate — and AI is a driving force both directly and indirectly. First, it’s virtually certain that cutting-edge AI models in 2026 will uncover more vulnerabilities than ever before. Second, the explosion of quickly ‘vibe coded’ applications is flooding the market with new software riddled with weaknesses. Third, the accelerating pace of AI-driven software updates increases the likelihood of malicious npm-based vulnerabilities being introduced and exploited down the line.
Jeffrey Wheatman, SVP and cyber risk strategist at Black Kite, points to a fourth factor. “I believe much of the growth in agentic AI is creating additional exposure, because these tools are being given authorization, authentication, and access privileges.” This compounds the visibility problem, since IT and security teams often have no awareness of the agentic systems operating within their infrastructure — they may be buried inside downloaded web apps or silently introduced through shadow AI.
The volume of vulnerabilities will keep climbing, and the exploitation window will keep closing. “I think the numbers just keep going up,” Wheatman notes. But he offers a silver lining. “The good news is that much of this is essentially background noise. For instance, amid all the attention around vulnerabilities discovered by Mythos, there was some buzz about a 27-year-old bug in OpenBSD. Sure, it exists. But can it actually be exploited? Not in any practical sense.”
This brings us back to Black Kite’s core argument. Vulnerabilities will keep multiplying, and the time to compromise will keep shrinking. The velocity will intensify, and organizations will struggle even more to keep up — unless they can achieve the visibility needed to isolate the relatively small number of truly critical flaws that demand attention.
Wheatman also sees promise in defensive AI. The central concern here is whether the accelerating threat landscape will push organizations toward fully autonomous defensive AI before it’s truly ready. As is often the case in cybersecurity, the answer is: it depends.
“Remember the CrowdStrike incident,” he says. A flawed configuration update to the Falcon Sensor on Windows systems was automatically pushed through CrowdStrike’s Rapid Response Content system — crashing approximately 8.5 million Windows machines.
“The big question I heard was, ‘should we disable automated updates?’ — because that’s what caused the outage. The consensus I observed was that while automatic updates do carry some risk, failing to update signatures, definitions, and detection capabilities poses a far greater danger.”
But context still matters. “A bank is far less likely to tolerate an automatic shutdown of its trading platform than its payroll system, because every hour of downtime could cost millions.” In such cases, having a human in the loop for final decisions may be essential. Smaller organizations with limited staff and tighter security budgets may lean toward fully autonomous defense simply to keep pace with the speed of vulnerabilities, given their limited visibility into what’s truly critical.
Once again, a root problem is the lack of visibility into what software is actually in use. This information should come through SBOMs provided by software vendors, but their current completeness, accuracy, and usefulness remain questionable. SBOMs are supposed to detail vulnerabilities within the software — but do they actually? “We’re starting to hear more about AI SBOMs, which would be something of a holy grail — but they’re still at least a year or more away,” Wheatman adds.
Ultimately, everything traces back to Black Kite’s foundational premise. Speed without visibility is the new supply chain crisis — and achieving that visibility is the key to solving it.