
Supply Chain Security Crisis: Too Many Vulnerabilities, Too Little Visibility

New vulnerabilities are being found too fast, the time to exploitation is too short, and our visibility into them is essentially missing.

The global interconnectivity of business, and the systems and software it uses, has elevated the supply chain, and supply chain threats, to a preeminent cybersecurity concern. A particular problem is that many organizations are unaware of their place within a supply chain and can be victimized through no active fault of their own.

The 2026 supply chain vulnerability report from Black Kite leads with the assertion, 'velocity without visibility is the new supply chain crisis'. Its analysis offers three major takeaways:

  • more than 48,000 CVEs were published in 2025
  • the time to exploitation is now a negative number
  • only 58 of those CVEs are identified as posing a real, discoverable, and exploitable threat to business supply chains.

The first takeaway is a matter of record. The second is a conclusion reached by both Black Kite and, separately, Mandiant (M-Trends 2026: "The mean time to exploit vulnerabilities dropped to an estimated -7 days, meaning exploitation is routinely occurring before a patch is even released.").

Together, these two facts illustrate that companies cannot possibly maintain security by patching CVEs alone. This explains Black Kite's concern over 'velocity'.

The third takeaway indicates the need for 'visibility' into the vulnerabilities in order to reduce their number to a manageable figure.

The approach taken by Black Kite was to select a subset of high-priority CVEs (amounting to 1,024) based on their EPSS scores, KEV inclusion, and third-party relevance. Of these, however, only 58 CVEs were easily discoverable to attackers through OSINT, and were therefore the most critical. Finding these most critical CVEs is a primary visibility problem in supply chain security; but if they can be found, the velocity can be better managed.


While this velocity and visibility problem existed in 2025, it is likely to get worse in future, and AI is both a direct and an indirect causal factor. Firstly, we can be sure that in 2026, frontier model AI will find more vulnerabilities than were discovered in previous years. Secondly, the rapid growth of easily vibe-coded new applications is introducing more apps with more weaknesses. Thirdly, the increased, AI-influenced frequency of software updates makes it more likely that malicious npm packages, and the weaknesses they introduce, are pulled into software and exploited later.

To these, Jeffrey Wheatman, SVP and cyber risk strategist at Black Kite, adds a fourth. "I think a lot of the agentic growth we're seeing is leading to more exposures, because these tools are granted authorization, authentication, and access." This increases the visibility problem because the IT and security departments are unaware of the agentic systems being used in their infrastructure: they can be hidden and undisclosed in downloaded web apps, or quietly introduced by shadow AI.

The number of vulnerabilities will continue to rise, and the time to exploitation will continue to shrink. "I think the numbers just keep growing," continues Wheatman. But he adds one hopeful point. "The good news is much of this is effectively background noise. For example, in all the hubbub over the vulnerabilities found by Mythos, there was some focus on finding a 27-year-old bug in OpenBSD. OK, that's true. But can it be compromised? Not really, in any practical way."


So, we come back to Black Kite's initial premise. The number of vulnerabilities will continue to rise, and the time to compromise will continue to shrink. The velocity of vulnerabilities will worsen, and organizations will be increasingly unable to cope, unless they are able, through visibility, to determine the relatively few truly critical vulnerabilities to focus on.

Wheatman is also optimistic that defensive AI can help. The biggest question here is whether the increasing velocity of threats will cause an increased reliance on completely autonomous defensive AI, too soon. The answer, as so often happens with cybersecurity questions, is that it depends.

"Remember the CrowdStrike incident," he suggests. A faulty configuration update to the Falcon Sensor on Windows systems was automatically deployed by CrowdStrike's Rapid Response Content system, causing around 8.5 million Windows systems to crash.

"The big question I heard," he continues, "was 'should we turn off automatic updates?', because that's what caused that problem. The alternative I heard is that these automatic updates, while they do lead to some risk, not updating signatures, those definitions, that discovery, that identification capability, is a significantly bigger risk."


But it still depends. "A bank would be less inclined to allow automatic shutdown of their trading system than their payroll system because it could cost millions of dollars for every hour of the shutdown." Such situations may demand a human in the loop to make the final decision. Smaller companies with fewer staff and lower security budgets may be more likely to move toward fully autonomous defense, simply to cope with the velocity of vulnerabilities and the lack of visibility into their criticality.

Again, a major problem is a lack of visibility into the software being used. This should be provided via SBOMs delivered by the software supplier, but their completeness, accuracy and value are currently debatable. SBOMs should provide details of any vulnerabilities in the software, but do they? (Strictly, an SBOM is an inventory of components; vulnerability status is normally carried alongside it, for example in a VEX document, so the inventory still has to be correlated with vulnerability data before it says anything about risk.) "We're starting to hear more about AI SBOMs, which are a bit of a holy grail, but they're still a year or more in the future," adds Wheatman.
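The two filtering ideas in this piece, the EPSS/KEV shortlist followed by an OSINT-discoverability cut described earlier, and the SBOM-as-inventory problem just discussed, can be sketched as one small pipeline. The Python below is an added example written for this page; it is not Black Kite's tooling, nor any vendor's code. It joins a constructed CycloneDX-style SBOM against a constructed vulnerability feed, then keeps only findings that are in KEV or above an EPSS threshold and whose component an outsider could discover. The SBOM contents, the feed, the placeholder `VULN-n` identifiers (deliberately not CVE IDs), the EPSS values and the `EXTERNALLY_DISCOVERABLE` set are all assumptions made up for the example; version comparison is a simplified numeric tuple compare rather than full semver or purl version-range handling.

```python
"""Join a CycloneDX-style SBOM against a vulnerability feed, then cut the
result down to what an attacker could plausibly reach.

Every record here is constructed for illustration.  The vulnerability IDs are
placeholders, not CVE identifiers, and the scores are made up.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM: four components identified by purl.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "libexample", "version": "2.3.1", "purl": "pkg:npm/libexample@2.3.1"},
        {"name": "webfront",   "version": "1.0.0", "purl": "pkg:npm/webfront@1.0.0"},
        {"name": "batchtool",  "version": "0.9.0", "purl": "pkg:npm/batchtool@0.9.0"},
        {"name": "reportgen",  "version": "3.1.0", "purl": "pkg:npm/reportgen@3.1.0"},
    ],
})

# Constructed vulnerability feed.  'kev' stands in for CISA KEV membership and
# 'epss' for the FIRST EPSS probability; 'fixed_in' is the first safe version.
VULN_FEED = [
    {"id": "VULN-1", "purl_base": "pkg:npm/libexample", "fixed_in": "2.4.0", "epss": 0.92, "kev": True},
    {"id": "VULN-2", "purl_base": "pkg:npm/webfront",   "fixed_in": "1.0.1", "epss": 0.03, "kev": False},
    {"id": "VULN-3", "purl_base": "pkg:npm/batchtool",  "fixed_in": "1.0.0", "epss": 0.55, "kev": False},
    {"id": "VULN-4", "purl_base": "pkg:npm/reportgen",  "fixed_in": "3.2.0", "epss": 0.40, "kev": False},
    # Already fixed in the shipped 2.3.1, so it must not produce a finding.
    {"id": "VULN-5", "purl_base": "pkg:npm/libexample", "fixed_in": "2.0.0", "epss": 0.80, "kev": True},
]

# Constructed asset knowledge: components an outsider could identify from
# banners, public manifests or exposed endpoints.  Stands in for the OSINT step.
EXTERNALLY_DISCOVERABLE = {"pkg:npm/libexample", "pkg:npm/webfront", "pkg:npm/reportgen"}


@dataclass
class Finding:
    vuln_id: str
    purl: str
    epss: float
    kev: bool
    discoverable: bool


def parse_version(v: str) -> tuple[int, ...]:
    """Simplified numeric compare (assumption: dotted integers only, no semver tags)."""
    return tuple(int(p) for p in v.split("."))


def purl_base(purl: str) -> str:
    """Strip the '@version' suffix so a purl can be matched against the feed."""
    return purl.split("@", 1)[0]


def match_sbom(sbom_json: str, feed: list[dict], discoverable: set[str]) -> list[Finding]:
    """Stage 1: every feed entry whose affected range includes an SBOM component."""
    sbom = json.loads(sbom_json)
    findings: list[Finding] = []
    for comp in sbom["components"]:
        base = purl_base(comp["purl"])
        shipped = parse_version(comp["version"])
        for v in feed:
            if v["purl_base"] == base and shipped < parse_version(v["fixed_in"]):
                findings.append(Finding(v["id"], comp["purl"], v["epss"], v["kev"], base in discoverable))
    return findings


def prioritize(findings: list[Finding], epss_threshold: float = 0.1) -> list[Finding]:
    """Stage 2: keep KEV entries or anything above the EPSS threshold.
    Stage 3: keep only components an outsider could discover.
    Rank KEV first, then by descending EPSS."""
    shortlist = [f for f in findings if f.kev or f.epss >= epss_threshold]
    reachable = [f for f in shortlist if f.discoverable]
    return sorted(reachable, key=lambda f: (not f.kev, -f.epss))


def triage(sbom_json: str, feed: list[dict], discoverable: set[str], epss_threshold: float = 0.1) -> list[str]:
    """Convenience wrapper returning the ordered IDs that actually merit attention."""
    return [f.vuln_id for f in prioritize(match_sbom(sbom_json, feed, discoverable), epss_threshold)]


if __name__ == "__main__":
    matched = match_sbom(SBOM_JSON, VULN_FEED, EXTERNALLY_DISCOVERABLE)
    print(f"{len(matched)} raw findings from the SBOM join:")
    for f in matched:
        print(f"  {f.vuln_id:7} {f.purl:28} epss={f.epss:.2f} kev={f.kev} discoverable={f.discoverable}")
    print("Prioritized:", triage(SBOM_JSON, VULN_FEED, EXTERNALLY_DISCOVERABLE))
```

With the constructed data, the SBOM join produces four raw findings (VULN-5 is excluded because the shipped version is already past its fix), the EPSS/KEV cut drops the low-probability VULN-2, and the discoverability cut drops VULN-3 because `batchtool` is not externally visible, leaving two items to act on. On real data the same shape applies, with the feed populated from CISA KEV and FIRST EPSS and the discoverability set fed by external attack-surface data; the version logic would need a proper purl and version-range library.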

In the end, it all comes down to Black Kite's original premise. Velocity without visibility is the new supply chain crisis, and gaining that visibility will help provide the solution.
