Global software supply chain visibility remains critically low

Only 23% of organizations are confident that they have very high visibility of their software supply chain, according to LevelBlue’s Data Accelerator. The limited visibility reported by organizations significantly impacts their cyber resilience.


Poor risk visibility leaves software supply chains vulnerable

This Accelerator is an in-depth analysis of data from the 2025 LevelBlue Futures Report, comparing risk appetites, investment gaps, and overall preparedness to help organizations secure their end-to-end software supplier ecosystem. It shows software supply chain security as a growing business concern in 2025. This is partly due to the demands of regional regulatory frameworks, and partly because the attack surface is expanding in response to AI adoption and the integration of complex third-party ecosystems.

Research shows that companies are unnecessarily vulnerable to software supply chain threats, with 49% saying they lack the visibility to fully understand, or even identify, the risks. This lack of transparency has consequences: 80% of organizations with “very low visibility” suffered a security breach in the past 12 months, a stark contrast to just 6% of those with “very high visibility.”

Additionally, 80% of organizations with low visibility view critical factors like custom code, commercial off-the-shelf software, and API integrations as “very risky” or “somewhat risky.”

“Our Accelerator underscores an immediate need for organizations to prioritize a transparent and secure software supply chain,” said Theresa Lanowitz, Chief Evangelist of LevelBlue. “In an era of increasing AI disruption and evolving threats from nation-states and cybercriminal groups, the ability to withstand and recover from cyberattacks is directly tied to a clear understanding of an organization’s software ecosystem.”

AI seen as growing risk to software supply chain

A total of 68% of organizations report that media attention has elevated cybersecurity on the C-suite agenda, with organizations indicating that third-party risk management is one of the biggest threats they face. Despite this, only 25% of organizations plan to prioritize engaging with software suppliers about security credentials in the next 12 months.

40% of CEOs believe that the biggest security risk the organization faces today is from the software supply chain, compared with 29% of CIOs and 27% of CTOs. 39% of CEOs say AI adoption presents a greater risk to the software supply chain.

Global software supply chain visibility remains low

While visibility is similarly low across regions, readiness for an attack differs. 57% of North American organizations say they are prepared for software supply chain attacks, compared to 44% in the Asia-Pacific (APAC) region. In Europe and Latin America, 51% and 50% say they are prepared, respectively.

This is concerning, especially since many businesses across all regions believe they’re likely to experience a software supply chain attack in the near future.

Perceived risk factors vary globally

Organizations in Latin America are especially concerned about software supply chain risks, likely due to a strong belief that an attack may happen soon. They are particularly worried about third-party software distribution and third-party risk management.

In the APAC region, concern is also high, likely because organizations there feel the least prepared for an attack. They view third-party risk management and unsupported software as major threats. APAC organizations are also much more cautious about open-source components like code libraries and frameworks.

In North America, top concerns include third-party software distribution, risk management, and unsupported software. European organizations share these concerns but are generally less worried about risks from their own internally developed code. This may be due to more widespread reuse of trusted code across systems.

Regional investment trends

Organizations are aware of the risks to their software supply chains, but they are not doing enough to address them. They will need to commit to continuous investment, even if they feel prepared for an attack.

In North America, 61% of organizations are investing moderately or significantly in software supply chain security. This might reflect confidence (57% say they feel prepared for an attack), but overconfidence can be risky.

European and Latin American organizations are more proactive, with 67% and 64% respectively committing to moderate or significant investments, even though around half feel prepared. This shows they recognize cybersecurity is an ongoing journey.

In Asia-Pacific, only 54% are investing moderately or significantly, while fewer feel prepared, highlighting a clear need to boost both readiness and investment.
