
NCSC Says the Patch Wave Is Coming. But Is Your Supply Chain Ready?

Published: Jun 10, 2026

Introduction

The UK's National Cyber Security Centre just named something the security community has been quietly bracing for: a patch wave.

On 1 May 2026, NCSC Chief Technology Officer Ollie Whitehouse published an advisory with a simple, unsettling argument. Decades of accumulated technical debt across open source, commercial, and proprietary software are about to get stress-tested at scale by frontier AI models capable of finding vulnerabilities faster than any organisation can patch them. 

The NCSC's advisory is addressed to every organisation managing its own technology estate. Patch faster, minimise your internet-facing attack surface, replace legacy systems you can't update. All sound and necessary. But for any organisation that depends on third parties to operate (which is every organisation), the patch wave doesn't stop at your own perimeter.

The Attack Surface You're Not Measuring

Only 6% of UK businesses have assessed cyber risks in their wider supply chain, according to the UK Government's Cyber Security Breaches Survey published on 30 April 2026, one day before the NCSC patch wave advisory dropped. The vulnerability deluge that AI is accelerating will hit your suppliers just as hard as it hits you, yet most UK organisations have no visibility into which of their vendors are already exposed.

Read those two documents side by side and the picture becomes uncomfortable. The NCSC is warning that:

  • a surge of AI-driven vulnerability disclosures is coming,
  • external attack surfaces must be prioritised, and
  • the pace of exploitation is accelerating.

The government's own survey confirms that 94% of UK businesses are not systematically assessing the risks their wider supply chain carries.

An unpatched internet-facing system at a critical supplier is your attack surface. And the window to act on it is shrinking faster than most people realise.

Our 2026 Supply Chain Vulnerability Report reports Mandiant’s finding that attackers are already exploiting vulnerabilities an average of seven days before public disclosure. The traditional patch lifecycle (wait for disclosure, assess, remediate) is functionally broken before it begins. The NCSC patch wave will make that window even narrower.

If your critical vendors are running software with known exploitable vulnerabilities, you are exposed.

The Data on What Your Vendors Actually Look Like

Black Kite's 2026 Third-Party Breach Report analysed the top 50 most shared vendors across the Forbes Global 2000. These are the central nodes: the platforms, services, and infrastructure providers that link a bank in London to a retailer in Manchester to a manufacturer in Birmingham.

The findings are not reassuring:

  • 70% of these critical shared vendors have at least one vulnerability currently listed in the CISA Known Exploited Vulnerabilities catalogue, flaws that are actively being weaponised right now, not theoretically.
  • 84% have active vulnerabilities with a Critical severity score (CVSS 8 or above).
  • 62% have corporate credentials circulating in stealer logs, meaning the "master keys" to their clients' environments are already in circulation on the dark web.
  • 52% have experienced a data breach in their history. For more than half of the most critical vendors in the global economy, this is not theoretical risk. It has already happened.

The most central nodes in the supply chain are often the most exposed, and as we've covered in our analysis of concentration risk, a single shared vendor under pressure doesn't just affect one organisation. It affects everyone depending on it simultaneously.

Our 2026 Third-Party Breach Report has clues on what to expect when the wave lands. In 2025, the median time for a breached vendor to publicly disclose that breach was 73 days; the average was 117. That gap between a vendor knowing they've been compromised and telling the customers who depend on them is where your exposure lives.

The UK's Cyber Security and Resilience Bill, nearing the final stages of Parliament, will eventually make supplier assurance a regulated obligation. That's a step forward. It doesn't help you today.

What helps you today is knowing which vendors in your ecosystem are already running software that matches the patch wave's likely targets, before the wave forces a disclosure, and long before the 73-day clock starts.

What the NCSC Advisory Means for Your Supply Chain

The NCSC advisory, understandably, focuses on speed: patch faster, at scale, across the whole stack. But speed without prioritisation is just expensive chaos. 

Our 2026 Supply Chain Vulnerability Report found that of 48,000+ CVEs published in 2025, only 58 were OSINT-discoverable and exploitable enough to pose a genuine threat to enterprise supply chains. The patch wave isn't a signal to treat every CVE as equal. It's a signal to get your prioritisation framework right before the wave hits, so you're acting on the ones that matter, not drowning in the tens of thousands that don't.

Three immediate actions based on the NCSC guidance and our own data:

  • Map your attack surface, including theirs. Use supply chain visibility tools to identify Nth-party dependencies and surface the vendors who carry the highest concentration of exploitable external exposure. Not just the ones you know about, but the ones your vendors depend on.
  • Move from grades to signals. An "A" cyber rating is a snapshot of hygiene. It doesn't tell you that a vendor with a clean score is running software already on the CISA KEV catalogue. Real-time vulnerability intelligence that maps live disclosures to your specific vendor ecosystem is what the patch wave demands.
  • Accelerate vendor outreach before disclosures force it. Our research shows that in cases where we detected threats before they hit the KEV catalogue, Black Kite delivered an average 12.6-day head start. That lead time is the difference between a managed remediation conversation and an emergency breach response.
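To make the "grades to signals" point concrete, here is an added example (not Black Kite's code and not real feed data) that ranks a constructed vendor inventory by live exploitation signals, CISA KEV membership first and then CVSS 8 or above, instead of by letter grade. The KEV excerpt only mirrors the field names of CISA's public JSON feed; every vendor name and CVE ID is a placeholder.

```python
"""Rank third-party vendors by exploitation signals, not by cyber rating.

Added example, not Black Kite's own tooling. All inputs are constructed:
the KEV excerpt copies the shape of CISA's known_exploited_vulnerabilities.json
(cveID, vendorProject, product, dateAdded), and the CVE IDs are placeholders.
"""

# Constructed excerpt in the shape of the CISA KEV feed (placeholder CVE IDs).
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Ex1", "product": "Gateway", "dateAdded": "2026-05-02"},
        {"cveID": "CVE-0000-0003", "vendorProject": "Ex3", "product": "ERP", "dateAdded": "2026-04-20"},
    ]
}

# Constructed vendor inventory: letter rating plus CVSS base scores of the CVEs
# observed on each vendor's internet-facing software.
VENDORS = {
    "PayGateway Ltd": {"rating": "A", "cves": {"CVE-0000-0001": 9.8}},
    "CloudHost plc":  {"rating": "B", "cves": {"CVE-0000-0002": 8.1, "CVE-0000-0004": 5.3}},
    "LegacyERP GmbH": {"rating": "C", "cves": {"CVE-0000-0003": 7.5, "CVE-0000-0005": 6.0}},
    "CleanSaaS Inc":  {"rating": "A", "cves": {}},
}

CRITICAL_CVSS = 8.0  # the "Critical" threshold used in the text


def kev_ids(feed):
    """Set of CVE IDs currently listed in the KEV feed."""
    return {entry["cveID"] for entry in feed["vulnerabilities"]}


def score_vendor(name, info, kev):
    """Tier 0: KEV-listed flaw exposed; 1: Critical but not yet in KEV; 2: other; 3: clean."""
    kev_hits = sorted(cve for cve in info["cves"] if cve in kev)
    critical = sorted(cve for cve, s in info["cves"].items() if s >= CRITICAL_CVSS)
    tier = 0 if kev_hits else 1 if critical else 2 if info["cves"] else 3
    worst = max(info["cves"].values(), default=0.0)
    return {"vendor": name, "rating": info["rating"], "tier": tier,
            "kev": kev_hits, "critical": critical, "worst_cvss": worst}


def prioritise(vendors, feed):
    """Outreach order: exploitation tier first, then worst CVSS. Rating is ignored."""
    kev = kev_ids(feed)
    rows = [score_vendor(n, i, kev) for n, i in vendors.items()]
    return sorted(rows, key=lambda r: (r["tier"], -r["worst_cvss"]))


def rank_by_grade(vendors):
    """The snapshot view: worst letter grade first, no vulnerability signal at all."""
    return sorted(vendors, key=lambda n: vendors[n]["rating"], reverse=True)
```

With these inputs the A-rated PayGateway Ltd sits third by grade but first by signal, because its exposed flaw is already in the KEV feed.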

The UK Context: Why Now Matters

The UK government is setting expectations. The Cyber Security and Resilience Bill is coming. The NCSC is warning that the threat velocity is about to increase materially. And the Breaches Survey is establishing the baseline: most UK organisations, including many large ones, are not managing third-party risk with the rigour this environment demands.

UK organisations that get ahead of this now — mapping their third-party attack surface, identifying vendors running vulnerable software, and establishing intelligence-driven monitoring — will be in a materially better position than those who wait for a breach disclosure to force action.

The NCSC said it plainly: prepare now. The data on your supply chain suggests most organisations haven't started. If you want the broader picture of what frontier AI means for enterprise security and supply chain risk, we've laid that out too.

See how Black Kite maps your third-party cyber risk in real time and gives your team the advance warning the patch wave demands.