In the space of a few years, software supply chain security has moved from a niche problem to a major threat and board-level concern for most companies. Every organization depends on software built from code, components, services and AI models created by people they'll never meet and by organizations they'll never be able to directly assess.
That’s why as the CEO of ReversingLabs, I am thrilled that Gartner® has issued its inaugural Magic Quadrant™ for Software Supply Chain Security (SSCS) — and honored that we have been named as a "Visionary" firm by Gartner.
My colleagues and I here at RL spent the last few years working with customers, regulators, standards bodies, and software developers to assess the growing risks to software supply chains and define what effective software supply chain security should look like. The Gartner recognition of ReversingLabs, we feel, validates something we've believed for a long time: software risk extends far beyond vulnerabilities.
We believe that the new Gartner Magic Quadrant™ for Software Supply Chain Security reflects this fast-evolving risk landscape, and the resulting market for software supply chain security technologies for both software producers and consumers.
The next phase of software supply chain security won't be about finding vulnerabilities. It will be about answering a broader question: Can our software be trusted?
Here at RL, we see a software supply chain security market that is growing rapidly in its size and scope, fueled by a torrent of attacks targeting both open source and third party software ecosystems and the growing reliance on automated, AI-powered coding agents.
This big shift in software development is fueling demand for software supply chain security solutions. AI is transforming software development from a human-driven process into one increasingly orchestrated by autonomous systems. As organizations embrace coding agents, the software supply chain expands beyond open-source maintainers and commercial vendors to include AI-generated code, models, prompts, and automated workflows.
For example, in April, RL researchers discovered a campaign in which Anthropic’s Claude Opus large language model (LLM) inserted malicious code into a cryptocurrency trading application after North Korea-linked hackers manipulated Claude to add a malicious package (@validate-sdk/v2) as a dependency.
Incidents like these are set to fundamentally transform the cybersecurity market, as enterprises and other software purchasers look for ways to assess the safety and integrity of the software they acquire as well as the code they create.
The fact is: every organization and individual today is exposed to software supply chain risks. The risk is the same whether you are building or buying software produced by a collection of open-source maintainers and third-party engineers that you will never meet.
The question is: what comes next? The growing cadence and impacts of software supply chain attacks and compromises will create demand for a wide range of new requirements and assessments, as both software consumers and regulators seek assurances about the safety and integrity of the software they use. Among the changes we should expect to see:
Reproducible builds today are a “nice to have” deliverable for the most security conscious and regulated firms. Given the pace of supply chain compromises, however, open source platforms and regulators of all stripes will expect cryptographic proof that software was built exactly as claimed.
One of the biggest changes we can expect to see is around software procurement. Our current procurement system is largely based on trust and — perhaps — security assurances documented by questionnaires. With the mounting incidents of software supply chain compromises, and the growing list of known exploitable vulnerabilities (KEVs), procurement teams will increasingly demand verifiable proof of software integrity prior to deployment, rather than relying on vendor attestations, vulnerability scans and SBOMs.
As AI-powered code creation rapidly outpaces human-developed code, and malicious actors actively target AI development infrastructure, organizations will need to apply security controls to AI-generated software in the same way that they assess the security of open-source and third-party software dependencies. That includes both code and binary assessments that can spot evidence of compromises or supply chain vulnerabilities and risks.
To improve security outcomes and reduce software risks, software buyers need more information. For example, vendors should provide detailed documentation on how to safely deploy and operate software. Looking to the future, it is likely that assets such as threat models and detailed guides covering safe software deployment, including instructions on applying compensating controls to reduce the software's risk surface, will become mandatory.
RL provides a comprehensive approach to software supply chain security by combining deep visibility into shipped software artifacts with advanced threat detection, and continuous risk monitoring. The company’s approach is grounded in a simple belief: trust should be verified. That means analyzing software in its final form, validating what actually ships to customers, and continuously monitoring for changes that introduce new risk.
The software industry is entering a new era. Software is no longer built by human teams inside a single organization. It is assembled from open-source projects, commercial components, AI-generated code, and third-party services.
As those ecosystems become more deeply interconnected, trust and confidence in software safety and security are harder to obtain. That’s why the future of software supply chain security is not simply finding code vulnerabilities and performing auto-remediation. It is providing organizations (both producers and buyers) with the evidence they need to prove software safety, integrity, and trustworthiness at every stage of the lifecycle.
That's the future RL sees — and the future we're helping build.
Gartner® Magic Quadrant™ for Software Supply Chain Security, Aaron Lord, Johnny Walters, Jason Gross, 17 June 2026
Gartner and Magic Quadrant™ are trademarks of Gartner, Inc. and/or its affiliates. Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.