New vulnerabilities are being discovered too fast, the time-to-exploitation is too short, and our visibility into them is largely lacking.
The global interconnectivity of business, and the systems and software it uses, has elevated the supply chain and supply chain threats to a preeminent cybersecurity concern. A particular issue is that many organizations are unaware of their position within a supply chain and can be victimized through no active fault of their own.
The 2026 supply chain vulnerability report from Black Kite leads with the statement, ‘velocity without visibility is the new supply chain crisis’. Its analysis offers three primary takeaways:
- more than 48,000 CVEs were published in 2025
- the time to exploitation is now a negative number
- only 58 of the CVEs are identified as posing a genuine, discoverable, and exploitable threat to enterprise supply chains.
The first takeaway is a matter of record. The second is a conclusion reached by both Black Kite and, separately, Mandiant (M-Trends 2026: “The mean time to exploit vulnerabilities dropped to an estimated -7 days, meaning exploitation is routinely occurring before a patch is even released.”).
Together, these two facts illustrate that firms cannot possibly maintain security through patching CVEs. This explains Black Kite’s concern over ‘velocity’.
The third takeaway indicates the need for ‘visibility’ into the vulnerabilities in order to reduce their number to a manageable figure.
The approach taken by Black Kite was to select a subset of high priority CVEs (amounting to 1,024) based on their EPSS scores, KEV inclusion, and third-party relevance. From these, however, only 58 CVEs were easily discoverable to attackers through OSINT and were therefore the most critical. Finding those most critical CVEs is a primary visibility issue in supply chain security – but if they can be found, the velocity can be better managed.
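The two-stage funnel described above (EPSS, KEV inclusion and third-party relevance first, then OSINT discoverability), as an added example that is not Black Kite's code or methodology. The rule for combining the three stage-one signals, the EPSS cut-off and the sample records are assumptions, and the CVE ids are placeholders.

```python
# Added example, not Black Kite's code: a CVE triage funnel of the kind the
# report describes. The combination rule, the EPSS cut-off and the sample
# records are constructed assumptions; the CVE ids are placeholders.
from dataclasses import dataclass

EPSS_THRESHOLD = 0.5  # assumed cut-off; the report does not publish one


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    epss: float               # EPSS probability of exploitation within 30 days
    in_kev: bool              # listed in CISA's Known Exploited Vulnerabilities
    third_party: bool         # present in a supplier's stack, so it reaches you indirectly
    osint_discoverable: bool  # affected product/version visible through passive OSINT


def is_high_priority(rec: CveRecord, epss_threshold: float = EPSS_THRESHOLD) -> bool:
    """Stage 1 (assumed rule): third-party relevant AND (KEV-listed OR EPSS above cut-off)."""
    return rec.third_party and (rec.in_kev or rec.epss >= epss_threshold)


def triage(records, epss_threshold: float = EPSS_THRESHOLD):
    """Stage 2: of the high-priority subset, keep only what an attacker could find via OSINT.
    Returns (high_priority_ids, critical_ids), both in input order."""
    high = [r for r in records if is_high_priority(r, epss_threshold)]
    critical = [r for r in high if r.osint_discoverable]
    return [r.cve_id for r in high], [r.cve_id for r in critical]


# Constructed sample records; ids are placeholders, not real CVEs.
SAMPLE = [
    CveRecord("CVE-0000-0001", 0.90, False, True, True),   # high EPSS, exposed -> critical
    CveRecord("CVE-0000-0002", 0.10, True, True, False),   # KEV but not OSINT-visible -> noise
    CveRecord("CVE-0000-0003", 0.95, True, False, True),   # not third-party relevant -> excluded
    CveRecord("CVE-0000-0004", 0.20, False, True, True),   # low EPSS, not KEV -> excluded
    CveRecord("CVE-0000-0005", 0.60, False, True, True),   # above cut-off, exposed -> critical
]

if __name__ == "__main__":
    high, critical = triage(SAMPLE)
    print(f"{len(SAMPLE)} published -> {len(high)} high priority -> {len(critical)} critical")
    print("focus on:", ", ".join(critical))
```

Raising the EPSS cut-off shrinks the stage-one set, but a KEV-listed record survives regardless, which is the point of keeping KEV as an independent signal.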
While velocity and visibility were already problems in 2025, they are likely to get worse in the future – and AI is both a direct and an indirect causal factor. Firstly, we can be certain that during 2026, frontier model AI will find more vulnerabilities than were discovered in previous years. Secondly, the rapid growth of easily vibe-coded new applications is introducing more apps with more weaknesses. Thirdly, the AI-driven increase in the frequency of software updates makes it more likely that malicious npm-created software weaknesses, which can be exploited later, are included in those updates.
To these, Jeffrey Wheatman, SVP and cyber risk strategist at Black Kite, adds a fourth. “I think much of the agentic growth we’re seeing is leading to additional exposures, because these tools are granted authorization, authentication, and access.” This increases the visibility problem because the IT and security departments are unaware of the agentic systems being used in their infrastructure: they can be hidden and undisclosed in downloaded web apps, or quietly introduced through shadow AI.
The number of vulnerabilities will continue to rise, and the time to exploitation will continue to shrink. “I think the numbers just keep rising,” continues Wheatman. But he adds one hopeful point. “The good news is much of this is effectively background noise. For example, in all the hubbub over the vulnerabilities found by Mythos, there was some focus on finding a 27-year-old bug in OpenBSD. Okay, that’s true. But can it be compromised? Not really, in any practical way.”
So, we come back to Black Kite’s initial premise. The number of vulnerabilities will continue to rise, and the time to compromise will continue to shrink. The velocity of vulnerabilities will worsen, and organizations will be less able to cope – unless they are able, through visibility, to determine the relatively few really critical vulnerabilities to focus on.
Wheatman is also optimistic that defensive AI can assist. The biggest issue here is whether the increasing velocity of threats will cause an increased reliance on completely autonomous defensive AI, too soon. The answer, as so often happens in cybersecurity questions, is it depends.
“Remember the CrowdStrike incident,” he suggests. A faulty configuration update to the Falcon Sensor on Windows systems was automatically deployed through CrowdStrike’s Rapid Response Content system – causing around 8.5 million Windows systems to crash.
“The big question I heard,” he continues, “was ‘should we turn off automated updates?’, because that is what caused that problem. The decision I heard is that those automatic updates, while they do lead to some risk, not updating signatures, those definitions, that discovery, that identification capability, is a significantly higher risk.”
But it still depends. “A bank will be less inclined to allow automatic shutdown of their trading system than their payroll system because it could cost millions of dollars for every hour of the shutdown.” Such situations may demand a human in the loop to make the final decision. Smaller firms with fewer staff and lower security budgets may be more likely to move toward fully autonomous defense, simply to cope with the velocity of vulnerabilities and the lack of visibility into their criticality.
Again, a major problem is a lack of visibility into the software being used. This should be provided via SBOMs delivered by the software supplier, but their completeness, accuracy and value are currently debatable. SBOMs should provide details of any vulnerabilities in the software – but do they? “We’re starting to hear more about AI SBOMs, which are a bit of a holy grail – but they’re still a year or more in the future,” adds Wheatman.
In the end, it all comes down to Black Kite’s original premise. Velocity without visibility is the new supply chain crisis and gaining that visibility will help provide the solution.