Black Kite’s 2026 Supply Chain Vulnerability Report Delivers A Precision Framework For An Imprecise World


Every year the count grows. In 2025, researchers published more than 48,000 Common Vulnerabilities and Exposures, an 18 percent jump from 2024. The instinct is to treat that as 48,000 problems. But supply chain vulnerability management is about determining which issues matter most. Black Kite’s 2026 Supply Chain Vulnerability Report arrives with a different conclusion. Researchers manually reviewed 1,240 high-priority CVEs and found just 58 that posed a genuine, discoverable, and exploitable threat to enterprise supply chains. Ferhat Dikbiyik, Black Kite’s Chief Research and Intelligence Officer, frames the gap in one sentence: “The noise in the vulnerability landscape is deafening, but the signal is incredibly precise.”

The Year The Supply Chain Cyber Risk Rules Changed

2025 brought major changes in vulnerability management. The CISA Known Exploited Vulnerabilities catalog grew by 32 percent, with 245 new confirmed exploited flaws. The number of tracked zero-days rose 27 percent to 99. High and critical CVEs made up 84 percent of new KEV entries. The biggest change was in timing: on average, attackers now exploit flaws seven days before they are publicly disclosed, instead of one day after. This means attackers strike before patches are available or the flaw is even named.


48,000 Problems, 58 Priorities

Black Kite used a five-step process to narrow down the list: OSINT discoverability, exploitability, vendor exposure, EPSS scoring, and KEV catalog status. Most CVEs don’t make it past the first step. If a vulnerability can’t be found from the outside using open-source intelligence tools, it’s unlikely to be widely exploited. Attackers don’t go after what they can’t see. Out of 48,000 CVEs, 329 received FocusTags, which are Black Kite’s signals linking a vulnerability to a confirmed vendor exposure. Only 58 were marked as highest priority. Black Kite assigned 95.2 percent of FocusTags before or within 24 hours of KEV listing.

What Underwriters Should Do With That Ratio

The 58-to-48,000 ratio directly affects how underwriters should assess third-party risk. Dikbiyik says assessors should stop focusing on the total number of CVEs. What matters is whether an organization is exposed to threats that attackers can actually find and use. Counting vulnerabilities misses the point. A vendor with 10,000 open patches but none in the high-risk category is less risky than one with just three OSINT-discoverable, KEV-listed critical flaws. Exploitability and discoverability are what really count for underwriters.
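The five-step funnel from the previous section and the vendor comparison above, as an added worked example that is not Black Kite's code or methodology. It assumes the first three steps act as hard gates and that EPSS and KEV status feed the final ranking; the threshold, field names and all CVE records are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cve:
    cve_id: str
    osint_discoverable: bool  # step 1: visible from outside via open-source intel
    exploitable: bool         # step 2: a practical exploit path exists
    vendor_exposed: bool      # step 3: a tracked vendor actually runs the product
    epss: float               # step 4: EPSS probability of exploitation, 0.0 to 1.0
    in_kev: bool              # step 5: present in the CISA KEV catalog

# Stages in the order the report applies them. Treating steps 1-3 as hard gates is
# an assumption; EPSS and KEV are used for the final cut and ranking rather than as
# gates, since the report says most FocusTags land before the KEV listing.
GATES = (
    ("osint_discoverable", lambda c: c.osint_discoverable),
    ("exploitable", lambda c: c.exploitable),
    ("vendor_exposed", lambda c: c.vendor_exposed),
)

def triage(cves, epss_threshold=0.5):
    """Run the funnel. Returns (priorities, attrition): the surviving CVEs ranked
    KEV-listed first then by EPSS, and how many were still alive after each stage."""
    alive = list(cves)
    attrition = {"published": len(alive)}
    for name, keep in GATES:
        alive = [c for c in alive if keep(c)]
        attrition[name] = len(alive)
    # Steps 4/5: keep what is confirmed exploited (KEV) or likely to be (EPSS).
    alive = [c for c in alive if c.in_kev or c.epss >= epss_threshold]
    attrition["epss_or_kev"] = len(alive)
    alive.sort(key=lambda c: (c.in_kev, c.epss), reverse=True)
    return alive, attrition

def riskier_vendor(vendors, epss_threshold=0.5):
    """Rank vendors by how many CVEs survive the funnel, not by raw CVE count."""
    scored = {name: len(triage(cves, epss_threshold)[0]) for name, cves in vendors.items()}
    return max(scored, key=scored.get), scored

# Constructed sample data: vendor A carries a large backlog of flaws that cannot be
# seen from outside; vendor B has three discoverable, KEV-listed, exploitable ones.
VENDOR_A = [Cve(f"PLACEHOLDER-A-{i:05d}", False, True, True, 0.02, False) for i in range(10_000)]
VENDOR_B = [
    Cve("PLACEHOLDER-B-00001", True, True, True, 0.93, True),
    Cve("PLACEHOLDER-B-00002", True, True, True, 0.71, True),
    Cve("PLACEHOLDER-B-00003", True, True, True, 0.88, True),
]

if __name__ == "__main__":
    print(triage(VENDOR_A + VENDOR_B)[1])
    print(riskier_vendor({"A": VENDOR_A, "B": VENDOR_B}))
```

Vendor A's 10,000 open issues all fall out at the first gate, so the comparison is decided by the three flaws that attackers could actually find.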


The Security Divide Is Widening

Large companies using AI-powered scanning find vulnerabilities in about 14 days and fix them in 21. In contrast, mid-market vendors, smaller software providers, and open-source maintainers take an average of 197 days to detect and 60 days to fix issues. Dikbiyik puts it this way: “The risk is migrating to mid-market vendors and open-source projects.” These suppliers often can’t afford advanced AI defenses, so they pose a higher systemic risk. Previous Black Kite research in retail and wholesale found similar patterns, with KEV-listed vulnerabilities common in shared vendor networks. A 2025 WTW supply chain study showed that only 8 percent of enterprises felt they had full control over supply chain risks.

Policy Triggers Built On The Wrong Assumption

The shift in exploitation timing affects more than just patching; it also disrupts how policy triggers work. Dikbiyik explains, “the crisis is often well underway before the public announcement happens.” Notification clauses and policy triggers based on disclosure dates are reactive by nature. A breach may already be happening before there’s any public date to trigger a response. Underwriters and legal teams need to pay attention to this change in timing. According to Panorays’ 2026 CISO survey, 85 percent of organizations still don’t have full visibility into their supply chains, making pre-disclosure attacks even harder to catch.

The KEV Catalog Is A Lagging Indicator

CISA’s KEV catalog is still the main reference for cyber insurance due diligence. Dikbiyik recognizes its value for compliance, but warns against using it as the only defense standard. Programs that rely only on the KEV catalog are, as he says, “reacting to threats that are already actively compromising networks.” Black Kite identified 95.2 percent of these vulnerabilities before or on the day they were added to KEV. For underwriters reviewing security at renewal, relying only on KEV shows a lag, not a proactive approach.

AI’s Fastest-Growing Attack Surface

In 2025, there were over 2,100 AI-related CVEs, a 200 percent jump since 2023. Agentic AI had the biggest increase at 255 percent. Model Context Protocol servers went from zero CVEs in 2024 to 95 in 2025. Dikbiyik points to the main reason: “organizations are rushing these complex integrations into production with highly inconsistent security hardening.” Developers are using AI coding tools to build MCP servers without fully understanding their security models, which lets cross-site scripting and code injection flaws enter supply chains. Prompt injection flaws now receive CVSS scores above 9.0 and are becoming the agentic-system equivalent of Remote Code Execution.

Glasswing And The Methodology Shift

Anthropic’s Project Glasswing showed that AI models can find zero-day flaws on their own and at scale. Dikbiyik notes what this means for all prioritization methods, including Black Kite’s: “human triage alone can’t keep up.” In response, the company has expanded its use of AI analysis and now focuses on continuous risk hunting instead of periodic checks. The report recommends the same for others. Organizations that move from periodic compliance checklists to ongoing, intelligence-driven monitoring will be better prepared for the next wave of AI-driven attacks.

FAQ – Supply Chain Vulnerability Management

Why Is The CISA KEV Catalog No Longer Sufficient For Due Diligence?

Black Kite flagged 95.2 percent of OSINT-discoverable vulnerabilities before or within 24 hours of their KEV addition. Programs relying solely on the catalog are responding to threats already actively exploiting networks, not anticipating them.

What Are The Fastest-Growing AI Vulnerability Classes In 2025?

Agentic AI vulnerabilities grew 255 percent year-over-year. Model Context Protocol server CVEs went from zero in 2024 to 95 in 2025. Developers rushing MCP integrations into production without proper security hardening are injecting exploitable flaws directly into enterprise supply chains.

How Should Policy Notification Clauses Account For Pre-Disclosure Exploitation?

Attackers exploited vulnerabilities an average of seven days before public disclosure in 2025. Notification triggers anchored to known disclosure dates may activate after a breach is already underway. Policy language and incident response timelines should reflect pre-disclosure attack capability.

What Does The Security Divide Mean For Underwriters Evaluating Vendor Ecosystems?

Mid-market vendors average 197 days to detect a vulnerability and 60 days to remediate. Large enterprises average 14 days and 21 days respectively. Mid-market vendor exposure should be treated as a distinct and higher systemic risk category in third-party underwriting assessments.
