Although more than 48,000 Common Vulnerabilities and Exposures (CVEs) were published in 2025, only 58 posed a genuine, discoverable, and exploitable threat to enterprise supply chains, according to a new report from Black Kite.
This finding reinforces a critical shift in how organizations must approach cyber risk, Black Kite said in a statement. The challenge is no longer just scale. It’s precision.
Vulnerability volume is surging, Black Kite said, driven by rapid adoption of AI to both produce software and discover vulnerabilities. At the same time, it wrote, attackers are exploiting vulnerabilities faster than ever, on average seven days before public disclosure, and they are expected to get even faster as AI technologies accelerate scanning and exploitation capabilities.
As vulnerability volumes increase, the “patch everything” approach becomes mathematically and operationally impossible, said Black Kite’s chief research and intelligence officer, Ferhat Dikbiyik.
Instead, the report advises, patch with precision. Here's what you need to know, and why the key is to shift focus from vulnerabilities alone to malware and other software supply chain threats.
Security teams need to stop drowning in raw CVE volume and static CVSS scores, Dikbiyik said. “That 58-to-48,000 ratio proves teams must filter the noise using real-world exploitability, like dynamic EPSS predictions and OSINT discoverability.”
“If a vulnerability isn’t externally discoverable and actively targeted, it shouldn’t be at the top of the triage list.”
—Ferhat Dikbiyik
Tim Mackey, head of software supply chain risk strategy at Black Duck Software, said that addressing the flood of CVEs requires prioritization and triage from the outset. First, he said, you need to know whether the library or software impacted by the CVE in question is even used in your products or IT-managed environment.
“The next step is to determine which CVEs are known to have an exploit path. Those CVEs are the priority, and for most organizations they’re a small subset of the total number of CVEs per day.”
—Tim Mackey
Derek Fisher, executive director of product security at JPMorgan Chase & Co., said Black Kite’s findings back up what most security teams realized years ago.
“There is a lot of noise in vulnerability management. There has been a continuing effort to determine reachability or exploitability when new findings are discovered, to reduce the burden on security teams that have limited time and resources.”
—Derek Fisher
Roger Grimes, a CISO advisor at KnowBe4, said it isn’t news that less than 1% of reported CVEs are ever used by any real-world criminal against any real-world organization. “It has always been that way,” he said.
“Only a few dozen account for most of the real-world exploits. What that fact tells me is that defenders need to concentrate on the exploits most likely to be used against them. CISA’s Known Exploited Vulnerability Catalog [KEV] list is a good place to start.”
—Roger Grimes
However, Brian English, product security lead at SAS, countered that for organizations managing large enterprise environments, it’s often more efficient, and lower risk, to remediate known vulnerabilities than to spend excessive time trying to determine theoretical exploitability.
“From a product security perspective, it is often safer and more responsible to address known vulnerabilities than to assume they pose no practical risk.”
—Brian English
But he does agree that exploitability analysis can help teams prioritize limited resources and avoid treating every CVE as equally urgent. Just don’t rely solely on tools such as software composition analysis (SCA) and the detection and patching of CVEs, he said, because that can provide a false sense of security.
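The triage the experts above describe, Mackey's two steps (is the affected component even deployed, and does the CVE have exploit evidence), Dikbiyik's filter on EPSS plus external discoverability, and Grimes's KEV-first rule, as a single added example. This is illustration code written for this page, not code from the Black Kite report or from any of the vendors quoted. Everything in it is constructed: the package names, versions and scores are made up, the CVE-0000-* identifiers are placeholders rather than real CVEs, the 0.1 EPSS threshold is an arbitrary assumption, and version comparison is deliberately naive.

```python
"""Tiered CVE triage: inventory match first, then exploit evidence.

Added example for this article, not code from the Black Kite report or from
any vendor quoted. Every package, version, score and CVE ID below is made up;
the CVE-0000-* identifiers are placeholders, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    internet_facing: bool  # externally discoverable (attack surface / OSINT)


@dataclass(frozen=True)
class Vuln:
    cve: str
    package: str
    fixed_in: str    # first version that is not affected
    cvss: float      # static severity; used only as a tiebreaker here
    epss: float      # EPSS probability of exploitation within 30 days
    in_kev: bool     # listed in CISA's Known Exploited Vulnerabilities catalog


@dataclass(frozen=True)
class Finding:
    cve: str
    tier: str
    in_kev: bool
    epss: float
    cvss: float
    components: tuple


TIER_RANK = {"P1": 0, "P2": 1, "P3": 2}


def version_key(version):
    # Dotted numeric versions only (assumption); real code should use
    # packaging.version or the ecosystem's own comparison rules.
    return tuple(int(part) for part in version.split("."))


def affected_components(vuln, inventory):
    """Step 1 (Mackey): is the vulnerable package/version even deployed?"""
    return tuple(
        c for c in inventory
        if c.name == vuln.package
        and version_key(c.version) < version_key(vuln.fixed_in)
    )


def assign_tier(vuln, components, epss_threshold):
    """Step 2: rank by exploit evidence and exposure, not by CVSS."""
    exposed = any(c.internet_facing for c in components)
    likely_exploited = vuln.epss >= epss_threshold  # threshold is an assumption
    if vuln.in_kev or (likely_exploited and exposed):
        return "P1"  # exploited in the wild, or likely and reachable from outside
    if likely_exploited or exposed:
        return "P2"
    return "P3"      # present, but neither likely exploited nor exposed


def triage(vulns, inventory, epss_threshold=0.1):
    """Drop CVEs not in the inventory; tier and order the rest."""
    findings = []
    for vuln in vulns:
        comps = affected_components(vuln, inventory)
        if not comps:
            continue  # not deployed here: noise, not a finding
        tier = assign_tier(vuln, comps, epss_threshold)
        findings.append(Finding(vuln.cve, tier, vuln.in_kev, vuln.epss, vuln.cvss,
                                tuple(c.name for c in comps)))
    # KEV entries lead within a tier; EPSS, then CVSS, break remaining ties.
    findings.sort(key=lambda f: (TIER_RANK[f.tier], not f.in_kev, -f.epss, -f.cvss))
    return findings


# Constructed inventory, the kind of list an SBOM would enumerate.
INVENTORY = (
    Component("log-parser", "2.3.1", internet_facing=True),
    Component("imagelib", "1.4.0", internet_facing=False),
    Component("crypto-helper", "0.9.2", internet_facing=False),
)

# Constructed vulnerability feed; placeholder IDs, not real CVEs.
FEED = (
    Vuln("CVE-0000-0001", "log-parser", "2.4.0", cvss=9.8, epss=0.02, in_kev=True),
    Vuln("CVE-0000-0002", "imagelib", "1.5.0", cvss=7.5, epss=0.45, in_kev=False),
    Vuln("CVE-0000-0003", "crypto-helper", "1.0.0", cvss=9.1, epss=0.01, in_kev=False),
    Vuln("CVE-0000-0004", "message-queue", "3.0.0", cvss=10.0, epss=0.90, in_kev=True),  # not deployed
    Vuln("CVE-0000-0005", "log-parser", "2.0.0", cvss=8.0, epss=0.60, in_kev=False),     # already fixed
    Vuln("CVE-0000-0006", "log-parser", "2.5.0", cvss=6.5, epss=0.30, in_kev=False),
)

if __name__ == "__main__":
    for finding in triage(FEED, INVENTORY):
        print(finding.tier, finding.cve, finding.components)
```

Note what falls out of the constructed feed: the CVSS 10.0 entry is dropped because nothing in the inventory runs that package, the already-patched entry is dropped by the version check, and the CVSS 9.1 finding lands at the bottom because nothing indicates it is exploited or reachable, while a CVSS 6.5 bug on an internet-facing component with a high EPSS score ranks P1. That is the "filter on real-world exploitability, not static CVSS" argument in executable form. English's caveat still applies: P3 means fix later, not ignore, and the version check is only as good as the inventory feeding it.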
The Black Kite report also noted that AI is widening the gap between organizations that can afford its advanced security capabilities and those that can’t. “While resource gaps have always existed, AI makes the divide exponentially faster and more concentrated,” Black Kite’s Dikbiyik said.
Anthropic’s Claude Mythos, for example, offers the opportunity to cut vulnerability detection time from 197 days to just 14, but “midmarket software publishers and open-source projects simply cannot afford these enterprise-grade AI defenses,” Dikbiyik said — which is putting them at even greater risk.
“Attackers are adapting to hardened enterprise perimeters by aggressively shifting their focus to these Tier 2 softer targets, meaning risk is migrating directly into the dependencies that large enterprises rely on.”
—Ferhat Dikbiyik
The report reinforces how soft a target software dependencies are, especially open-source components. Dikbiyik stressed that 82% of company-to-CVE matches involve vulnerabilities from outside the top 20 vendors.
“For software security teams, this means you cannot secure your perimeter just by monitoring a handful of big tech providers. You need continuous, automated visibility across your entire fragmented vendor ecosystem, because your risk often begins long before a commercial product is ever deployed.”
—Ferhat Dikbiyik
JPMorgan’s Fisher said software security teams have been aware for years that open-source security vulnerabilities are a big problem and have largely deployed the tools such as SCA that can spot them.
“However, these teams do not need more ways to find vulnerabilities in dependencies. They need practical ways to identify vulnerabilities that have impact through exploitability metrics like CISA KEV, EPSS, or OSINT to confirm discoverability and visibility.”
—Derek Fisher
Dikbiyik illustrated the time crunch facing supply chain security defenders: “The median time from an attacker gaining initial access to handing it off to a secondary threat actor, like a ransomware cartel, has plummeted from over eight hours in 2022 to an astonishing 22 seconds.”
“When you combine that hand-off speed with the seven-day exploitation window, the reality cannot be clearer: Once a vendor in your supply chain is compromised, escalation is practically instantaneous.”
—Ferhat Dikbiyik
All of this is happening while the next generation of frontier AI such as Claude Mythos is poised to turn the CVE noise up to 11. But maybe it’s the signal that really matters.
The reality of vulnerability management in the age of sophisticated supply chain attacks is that chasing CVEs diverts attention from malware, tampering, and other modern threats. Cracks have also emerged in the National Vulnerability Database (NVD), making the CVE system less useful.
Because modern vulnerability management relies on working from the discovery of flaws, security practitioners are likely to scramble to catch up on everything that needs to be patched. While they are doing that, they are probably not investing time and energy in proactive security measures that can spot software supply chain security threats before they become reality.
Application security (AppSec) teams trying to work out how to proceed despite the massive changes at the NVD should consider investing in efforts that broaden their ability to find all kinds of software supply chain security threats, not just exploitable vulnerabilities.
A recent study adds force to the argument that it pays to shift from a vulnerability-centric approach. The study, by a Purdue University researcher, shows that the newer Exploit Prediction Scoring System (EPSS), which many organizations are now using to prioritize vulnerability remediation given the NVD/CVE’s decline, is not as effective as previously assumed.
The study demonstrates that, like other vulnerability risk-assessment frameworks, the EPSS is useful but not a completely predictive mechanism for protecting against vulnerability-related threats.
AppSec teams that use a modern software supply chain security solution that harnesses the power of binary analysis and reproducible builds are able to instead focus on actionable information such as active malware, software tampering, secrets exposure, and more. These tools allow organizations to become proactive and better manage risk in an age of increasingly complex software.
Learn how RL’s free Spectra Assure Community offers binary analysis-based protection for your open-source software development.