Cyber Risk Redefined: Just 58 Flaws Posed a True Threat in a Year of 48,000

BOSTON, MA – May 19, 2026 – In a year that saw the publication of more than 48,000 new Common Vulnerabilities and Exposures (CVEs), a new report from cybersecurity firm Black Kite asserts that only 58 of them represented a genuine, discoverable, and exploitable threat to enterprise supply chains. The finding challenges the long-held belief that security teams must contend with an ever-growing mountain of critical alerts, suggesting instead that the real challenge has shifted from managing volume to achieving precision.

The 2026 Supply Chain Vulnerability Report, released today, argues that the escalating flood of vulnerability disclosures, driven largely by the rapid adoption of artificial intelligence, is creating a dangerous amount of noise. This noise obscures the handful of threats that can actually bring a company's operations to a halt via a compromised supplier. For CISOs and risk managers, the message is clear: the era of chasing every high-severity alert is over, replaced by an urgent need for intelligence that can pinpoint the true dangers.

The Deluge of Data and the Search for Signal

The sheer volume of vulnerabilities is staggering. The more than 48,000 CVEs published in 2025 represent an 18% increase year-over-year and contributed to a total that now exceeds 300,000 unique entries. This surge has placed immense strain on the entire security ecosystem, including the U.S. National Institute of Standards and Technology (NIST), which has struggled to enrich data for its National Vulnerability Database (NVD) amidst the flood.

While thousands of these flaws are technically rated 'Critical' based on scoring systems like CVSS, the Black Kite report's manual analysis of 1,240 high-priority vulnerabilities found that very few translate into a practical risk for a third-party ecosystem. The research filtered for real-world exploitability, the prevalence of the affected software in enterprise supply chains, and active interest from threat actors.

“As AI accelerates both defense and exploitation, we expect risk to become even more concentrated, particularly among mid-market vendors and open-source maintainers that may not have the resources to invest in advanced, AI-driven security capabilities,” said Ferhat Dikbiyik, Chief Research and Intelligence Officer at Black Kite. “In the near future, these smaller suppliers are likely to account for a growing share of exploited vulnerabilities, raising the stakes for the entire ecosystem.”

AI: The Double-Edged Sword of Cyber Risk

Artificial intelligence is the primary force behind this paradigm shift, acting as both a powerful accelerant for attackers and a revolutionary tool for defenders. The report highlights a more than 200% increase in AI-related vulnerabilities since 2023, with 2,130 reported in 2025 alone.

On the offensive side, AI is dramatically compressing attack timelines. Citing data from Mandiant, the report notes that attackers exploited vulnerabilities an average of seven days before public disclosure in 2025. This window is expected to shrink further as AI models, like those demonstrated in Anthropic's 2026 Project Glasswing, become capable of autonomously identifying and weaponizing zero-day flaws at scale. The attack surface is also expanding in novel ways, with AI coding assistants and agentic frameworks becoming new, actively targeted vectors. The report goes so far as to call prompt injection—a technique for manipulating AI models—the “new RCE” (Remote Code Execution) for this emerging class of systems.

Conversely, AI is also empowering defenders. Large enterprises leveraging AI-powered security tools have slashed their detection and remediation timelines to an average of 14 and 21 days, respectively. This creates a stark divide between the cyber-haves and have-nots.

The Downstream Shift: Risk Concentrates in the Mid-Market

The growing chasm in defensive capabilities is forcing a dangerous shift in the threat landscape. As large, well-resourced enterprises harden their perimeters with AI, threat actors are pivoting to softer targets: the mid-market vendors, smaller software providers, and open-source projects that form the backbone of modern supply chains.

These smaller organizations, often lacking the budget and expertise for advanced security, represent a critical weak point. Black Kite’s research shows they still average a staggering 197 days for threat detection and another 60 days for remediation. This massive exposure window makes them an ideal entry point for attackers seeking a foothold into the networks of their larger, more secure customers.

This 'downstream shift' of risk means that the systemic threat profile of a mid-market vendor is now significantly higher. A single breach at a smaller supplier can have cascading effects, disrupting operations and exposing sensitive data across the entire ecosystem. This reality is forcing a re-evaluation of third-party cyber risk management (TPCRM), where the security posture of the smallest vendor can determine the resilience of the largest enterprise.

A New Playbook for Proactive Defense

To combat this concentrated risk, the report advocates for a proactive, intelligence-driven approach that moves beyond traditional, reactive vulnerability management. Relying solely on public alerts, such as those from the CISA Known Exploited Vulnerabilities (KEV) catalog, is no longer sufficient. By the time a vulnerability appears on the KEV list, it is, by definition, already being actively exploited in the wild.

The report details a five-stage prioritization framework designed to filter raw vulnerability data and surface only the threats that demand immediate action. This methodology produced 329 asset-level threat signals, called FocusTags®, which link a global vulnerability to a specific vendor's confirmed exposure. Out of these, just 58 were elevated to the highest priority, representing the most imminent supply chain threats of 2025.

Crucially, Black Kite states it applied a FocusTag® for over 95% of discoverable vulnerabilities before they were added to the KEV catalog or within 24 hours of their addition. This ability to act ahead of public disclosure is becoming the defining metric of success in modern TPCRM. As regulatory frameworks like Europe's NIS2 and DORA, alongside SEC disclosure rules in the U.S., place greater emphasis on supply chain security, the ability to demonstrate such a proactive and precise risk management strategy is transitioning from a best practice to a core business and compliance necessity.