Security News

Cybersecurity news aggregator

INFO News SecurityWeek

Supply Chain Security Crisis: Too Many Vulnerabilities, Too Little Visibility

  • What: Report highlights supply chain security challenges
  • Impact: Discusses lack of visibility into vulnerabilities

Supply Chain Security

New vulnerabilities are being discovered too fast, the time-to-exploitation is too short, and our visibility into them is largely lacking.

By Kevin Townsend | May 21, 2026 (4:14 AM ET)

The global interconnectivity of business, and the systems and software it uses, has elevated the supply chain and supply chain threats to a preeminent cybersecurity concern. A particular issue is that many organizations are unaware of their position within a supply chain and can be victimized through no active fault of their own.

The 2026 supply chain vulnerability report from Black Kite leads with the statement, ‘velocity without visibility is the new supply chain crisis’. Its analysis offers three primary takeaways:

  • more than 48,000 CVEs were published in 2025
  • the time to exploitation is now a negative number
  • only 58 of the CVEs are identified as posing a genuine, discoverable, and exploitable threat to enterprise supply chains

The first takeaway is a matter of record. The second is a conclusion reached by both Black Kite and, separately, Mandiant (M-Trends 2026: “The mean time to exploit vulnerabilities dropped to an estimated -7 days, meaning exploitation is routinely occurring before a patch is even released.”). Together, these two facts illustrate that firms cannot possibly maintain security through patching CVEs. This explains Black Kite’s concern over ‘velocity’.

The third takeaway indicates the need for ‘visibility’ into the vulnerabilities in order to reduce their number to a manageable figure. The approach taken by Black Kite was to select a subset of high priority CVEs (amounting to 1,024) based on their EPSS scores, KEV inclusion, and third-party relevance. From these, however, only 58 CVEs were easily discoverable to attackers through OSINT and were therefore the most critical. Finding those most critical CVEs is a primary visibility issue in supply chain security – but if they can be found, the velocity can be better managed.

While velocity and visibility were already a problem in 2025, the situation is likely to get worse in the future – and AI is both a direct and an indirect causal factor. Firstly, we can be certain that during 2026, frontier model AI will find more vulnerabilities than were discovered in previous years. Secondly, the rapid growth of easily vibe coded new applications is introducing more apps with more weaknesses. Thirdly, the increased AI-influenced frequency of software updates is more likely to include malicious npm-created software weaknesses that can be exploited later.

To these, Jeffrey Wheatman, SVP and cyber risk strategist at Black Kite, adds a fourth. “I think much of the agentic growth we’re seeing is leading to additional exposures, because these tools are granted authorization, authentication, and access.” This increases the visibility problem because the IT and security departments are unaware of the agentic systems being used in their infrastructure: they can be hidden and undisclosed in downloaded web apps, or quietly introduced through shadow AI.

The number of vulnerabilities will continue to rise, and the time to exploitation will continue to shrink. “I think the numbers just keep rising,” continues Wheatman. But he adds one hopeful point. “The good news is much of this is effectively background noise. For example, in all the hubbub over the vulnerabilities found by Mythos, there was some focus on finding a 27-year-old bug in OpenBSD. Okay, that’s true. But can it be compromised? Not really, in any practical way.”

So, we come back to Black Kite’s initial premise. The number of vulnerabilities will continue to rise, and the time to compromise will continue to shrink. The velocity of vulnerabilities will worsen, and organizations will be less able to cope – unless they are able, through visibility, to determine the relatively few really critical vulnerabilities to focus on.

Wheatman is also optimistic that defensive AI can assist. The biggest issue here is whether the increasing velocity of threats will cause an increased reliance on completely autonomous defensive AI, too soon. The answer, as so often happens in cybersecurity questions, is that it depends.

“Remember the CrowdStrike incident,” he suggests. A faulty configuration update to the Falcon Sensor on Windows systems was automatically deployed through CrowdStrike’s Rapid Response Content system – causing around 8.5 million Windows systems to crash. “The big question I heard,” he continues, “was ‘should we turn off automated updates?’, because that is what caused that problem. The decision I heard is that those automatic updates, while they do lead to some risk, not updating signatures, those definitions, that discovery, that identification capability, is a significantly higher risk.”

But it still depends. “A bank will be less inclined to allow automatic shutdown of their trading system than their payroll system because it could cost millions of dollars for every hour of the shutdown.” Such situations may demand a human in the loop to make the final decision. Smaller firms with less manpower and lower security budgets may be more likely to move toward fully autonomous defense, simply to cope with the velocity of vulnerabilities and the lack of visibility into their criticality.

Again, a major problem is a lack of visibility into the software being used. This should be provided via SBOMs delivered by the software supplier, but their completeness, accuracy and value are currently debatable.
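As an added illustration of the triage the report describes (EPSS score, KEV inclusion, third-party relevance) combined with the component inventory an SBOM is meant to supply, here is example code written for this page, not Black Kite's or SecurityWeek's; the EPSS threshold, the SBOM contents and the CVE identifiers are constructed placeholders.

```python
# Added example (not from the article or from Black Kite): narrow a CVE feed to
# the few that matter for one organization, using the three signals the report
# names (EPSS score, KEV inclusion, third-party relevance) plus the component
# list an SBOM is supposed to provide. All data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str
    product: str   # affected component, as the advisory names it
    epss: float    # EPSS probability of exploitation within 30 days
    in_kev: bool   # listed in CISA's Known Exploited Vulnerabilities catalog


# Constructed SBOM slice: components this organization actually runs.
SBOM_COMPONENTS = {"lodash", "openssl", "log4j-core"}

# Constructed feed. IDs are placeholders, not real CVE numbers.
FEED = [
    Cve("CVE-0000-0001", "openssl", 0.92, True),
    Cve("CVE-0000-0002", "lodash", 0.04, False),
    Cve("CVE-0000-0003", "some-unused-lib", 0.97, True),  # not in our SBOM
    Cve("CVE-0000-0004", "log4j-core", 0.35, False),
    Cve("CVE-0000-0005", "openssl", 0.01, False),
]


def triage(feed, sbom, epss_threshold=0.3):
    """Return the CVEs worth acting on, most urgent first.

    Third-party relevance: drop anything not in the SBOM. Of the rest, keep
    KEV entries unconditionally and others only at or above the EPSS
    threshold. Rank KEV entries first, then by EPSS descending.
    """
    relevant = [c for c in feed if c.product in sbom]
    kept = [c for c in relevant if c.in_kev or c.epss >= epss_threshold]
    return sorted(kept, key=lambda c: (not c.in_kev, -c.epss))


def visibility_ratio(feed, sbom, epss_threshold=0.3):
    """Fraction of the raw feed an analyst must actually review."""
    return len(triage(feed, sbom, epss_threshold)) / len(feed)


if __name__ == "__main__":
    for c in triage(FEED, SBOM_COMPONENTS):
        print(f"{c.cve_id} {c.product:12} epss={c.epss:.2f} kev={c.in_kev}")
```

The report's further OSINT-discoverability cut, which took its 1,024 candidates down to 58, is not modelled here; an incomplete SBOM silently drops relevant CVEs, which is exactly the visibility gap the article raises.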
SBOMs should provide details of any vulnerabilities in the software – but do they? “We’re starting to hear more about AI SBOMs, which are a bit of a holy grail – but they’re still a year or more in the future,” adds Wheatman.

In the end, it all comes down to Black Kite’s original premise. Velocity without visibility is the new supply chain crisis, and gaining that visibility will help provide the solution.

Written By Kevin Townsend

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
