
PRESS RELEASE

The Urgency of Securing the Software Supply Chain – Report Summary

Analyst(s): Fernando Montenegro
Publication Date: October 17, 2025

The complexity, volume, and regulatory requirements surrounding modern software development have elevated the importance of securing the software supply chain. This domain has rapidly transformed from a niche technical task into a systemic business risk that demands C-level attention. Futurum examines this evolution, analyzing the market dynamics, vendor strategies, and critical role of AI in addressing what has become a foundational “cyber hard” problem.

Key Points:

  • Securing the software supply chain is now a systemic business risk and a foundational cyber challenge, demanding a strategic, cross-functional response beyond isolated technical teams.
  • The market shows a strong preference for vendor consolidation and integrated security platforms, compelling specialist vendors to pursue deep integration or a defensible niche.
  • The scale of the modern supply chain makes AI an essential capability for both attackers and defenders, necessary for automating high-volume tasks such as vulnerability analysis and triage.

Overview:

The declaration that “software is eating the world” has fully materialized, making the integrity of the software substrate a matter of economic and societal resilience. Securing the software supply chain is no longer just a technical concern but a core business imperative, a reality reflected in its identification as a “cyber hard problem.”

This complex challenge involves distinct but related perspectives: software producers must secure their development lifecycles to protect IP and meet customer demands, while consumers focus on managing the inherited third-party risk from every vendor and open-source project they use. Organizationally, this has fueled the rise of Product Security teams, sometimes within engineering and sometimes reporting to the CISO, highlighting the need for a cross-functional approach.

Process and technology have evolved to meet this challenge.

Producers are embedding security deeper into the development lifecycle, vetting open-source components before they are adopted, and using tools such as Software Composition Analysis (SCA) and Policy as Code to secure the CI/CD pipeline. The output is no longer just code: it also includes artifacts that describe the code, such as Software Bills of Materials (SBOMs), and attestations about how it was built.

Consumers, driven by stricter Third-Party Risk Management (TPRM) mandates, are building capabilities to ingest and analyze these artifacts at scale, correlating them with vulnerability databases and threat intelligence to manage risk across their environment.
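The producer and consumer sides described above meet at the artifact: a producer emits an SBOM, and a consumer correlates it with a vulnerability feed and applies a policy before accepting the software. The following is an added illustration, not code from the report or from any vendor it covers. It assumes a CycloneDX-style JSON SBOM with package-url (purl) identifiers, a simplified OSV-like vulnerability feed, and a policy expressed as data; the SBOM, the feed, the package names and the advisory identifiers are all constructed for the example.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX-style SBOM for illustration (not from the report).
# Package names and versions are invented; purls follow the package-url format.
# The third component deliberately lacks a purl to exercise the policy gate.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.4.2",
         "purl": "pkg:npm/example-lib@1.4.2"},
        {"type": "library", "name": "sample-tool", "version": "2.0.1",
         "purl": "pkg:pypi/sample-tool@2.0.1"},
        {"type": "library", "name": "unknown-thing", "version": "0.9"},
    ],
})

# Constructed vulnerability feed in a simplified OSV-like shape (invented ids).
SAMPLE_VULN_FEED = [
    {"id": "EXAMPLE-2025-0001", "ecosystem": "npm", "package": "example-lib",
     "introduced": "1.0.0", "fixed": "1.4.3", "severity": "HIGH"},
    {"id": "EXAMPLE-2025-0002", "ecosystem": "pypi", "package": "sample-tool",
     "introduced": "1.0.0", "fixed": "2.0.0", "severity": "MEDIUM"},
]

# Policy as Code: the gate's rules live in data that is versioned with the pipeline.
POLICY = {
    "require_purl": True,                       # every component must be identifiable
    "block_on_severity": {"CRITICAL", "HIGH"},  # findings at these levels fail the build
}


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Split 'pkg:<type>/<name>@<version>' into (ecosystem, name, version).
    Qualifiers ('?...') and subpaths ('#...') are dropped; a namespace stays in name."""
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    ecosystem, _, rest = body.partition("/")
    name, _, version = rest.rpartition("@")
    return ecosystem.lower(), name, version


def version_key(version: str) -> Tuple:
    """Simplified dotted-version ordering: numeric segments compare as integers
    and sort above non-numeric ones. Real SCA tools apply ecosystem-specific rules."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in version.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """OSV-style range check: introduced <= version < fixed (open-ended if no fix)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def correlate(sbom_json: str, feed: List[Dict]) -> List[Dict]:
    """Match every SBOM component against the feed. Returns one finding per hit,
    plus a finding for any component that cannot be identified at all."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            findings.append({"component": comp.get("name"), "id": None,
                             "severity": "UNKNOWN", "reason": "missing purl"})
            continue
        eco, name, version = parse_purl(purl)
        for rec in feed:
            if (rec["ecosystem"] == eco and rec["package"] == name
                    and is_affected(version, rec["introduced"], rec.get("fixed"))):
                findings.append({"component": purl, "id": rec["id"],
                                 "severity": rec["severity"],
                                 "reason": f"fixed in {rec.get('fixed') or 'no fix'}"})
    return findings


def policy_gate(findings: List[Dict], policy: Dict = POLICY) -> Tuple[bool, List[str]]:
    """Apply the policy to the findings. Returns (passed, reasons_for_failure)."""
    reasons = []
    for f in findings:
        if policy["require_purl"] and f["reason"] == "missing purl":
            reasons.append(f"{f['component']}: unidentifiable component (no purl)")
        elif f["severity"] in policy["block_on_severity"]:
            reasons.append(f"{f['component']}: {f['id']} ({f['severity']})")
    return (not reasons), reasons


if __name__ == "__main__":
    found = correlate(SAMPLE_SBOM, SAMPLE_VULN_FEED)
    passed, why = policy_gate(found)
    print("PASS" if passed else "FAIL")
    for line in why:
        print(" -", line)
```

Run as a script it prints FAIL with two reasons: the npm component falls inside a blocked-severity range, and the component without a purl cannot be correlated at all. That second case is the one worth noticing: an SBOM entry that cannot be matched to any feed is a gap in coverage, not a clean result, which is why the policy treats it as a failure rather than silently skipping it.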

Futurum’s research indicates the market is still in early stages, with only 13% of organizations reporting widespread deployment of supply chain security capabilities. However, there is a clear and strong preference for integrated approaches, with 49% favoring a platform from a major cybersecurity vendor and 33% preferring native features from their development platforms.

This trend toward “platformization” creates strategic dilemmas. Smaller, specialized vendors must position themselves as essential partners that integrate seamlessly, not as platform alternatives. Large platform vendors, meanwhile, must demonstrate rapid time-to-value to overcome the friction of complex implementations.

The sheer scale of this problem makes AI a necessity, not an option. It is an essential tool for automating analysis and response, but vendors should frame its value in terms of tangible outcomes rather than the technology itself. This message is amplified by growing regulatory pressure, which elevates the conversation from a technical need to a compliance and business-level mandate.

What to Watch:

  • How will enterprises progress from deploying point tools to holistically re-architecting software pipelines for systemic security?
  • Will AI’s application in security mature beyond hype to deliver measurable, tangible results in risk reduction and operational efficiency?
  • Can large platform vendors maintain innovation velocity to address emerging threats, or will their scale create strategic openings for more agile specialists?

The full report is available via subscription to Futurum Intelligence’s Cybersecurity & Resilience IQ service.

Futurum clients can read more in the Futurum Intelligence Platform, and non-clients can learn more here: Cybersecurity & Resilience Practice.

About the Futurum Cybersecurity & Resilience Practice

The Futurum Cybersecurity & Resilience Practice provides actionable, objective insights for market leaders and their teams so they can respond to emerging opportunities and innovate. Public access to our coverage can be seen here. Follow news and updates from the Futurum Practice on LinkedIn and X. Visit the Futurum Newsroom for more information and insights.

Declaration of Generative AI and AI-assisted Technologies in the Writing Process: While preparing this work, the author used Google Gemini to summarize the original report. After using this service, the author reviewed and edited the content as needed. The author takes full responsibility for the publication’s content.

Author Information

Fernando Montenegro

Fernando Montenegro serves as the Vice President & Practice Lead for Cybersecurity & Resilience at The Futurum Group. In this role, he leads the development and execution of the Cybersecurity research agenda, working closely with the team to drive the practice's growth. His research focuses on addressing critical topics in modern cybersecurity. These include the multifaceted role of AI in cybersecurity, strategies for managing an ever-expanding attack surface, and the evolution of cybersecurity architectures toward more platform-oriented solutions.

Before joining The Futurum Group, Fernando held senior industry analyst roles at Omdia, S&P Global, and 451 Research. His career also includes diverse roles in customer support, security, IT operations, professional services, and sales engineering. He has worked with pioneering Internet Service Providers, established security vendors, and startups across North and South America.

Fernando holds a Bachelor’s degree in Computer Science from Universidade Federal do Rio Grande do Sul in Brazil and various industry certifications. Although he is originally from Brazil, he has been based in Toronto, Canada, for many years.
