Security teams are facing a new and accelerating threat: attackers armed with sophisticated AI models that can chain together multiple application vulnerabilities into fully formed exploits within minutes. That is the stark reality underpinning a raft of new capabilities announced today by Black Duck for its Polaris Platform.
The company is positioning the enhancements around what it calls ‘Mythos readiness,’ a reference to advanced AI models now being used by threat actors. The urgency is not theoretical. Black Duck reports that Polaris scan volumes more than doubled in the first five months of 2026 alone, as organisations scrambled to keep pace with the threat landscape.
“The window between vulnerability discovery and exploitation has collapsed, turning software risk into an immediate and potentially existential business risk,” said Dipto Chakravarty, Chief Product & Technology Officer at Black Duck. The company says its goal is to shift organisations from slow, manual remediation cycles towards what it describes as a VulnOps model: fast, automated vulnerability operations.
Closing the gaps that attackers exploit
A key thrust of the update is eliminating blind spots in application security testing. Black Duck’s own audit data suggests that most teams are tracking only about half of the open source software they actually use, leaving unpatched components as easy targets for AI-powered attacks.
New capabilities in the Polaris fAST SCA tool now extend to full binary and container analysis, alongside source and package manager detection, enabling teams to generate complete Software Bills of Materials (SBOMs). The platform also introduces continuous source code management (SCM) monitoring, meaning every repository and branch is automatically tracked and tested, including so-called shadow AI projects that may have been started without security oversight.
Event-driven static analysis (SAST) and software composition analysis (SCA) testing can now be triggered automatically on pull requests and merges, with results fed directly back to developers as pull request comments to speed up remediation.
Bracing for the vulnerability flood
Perhaps the most alarming projection in Black Duck’s announcement is around the sheer volume of vulnerabilities expected in the coming years. As open source maintainers increasingly use AI to find and patch flaws in widely used components, the number of new vulnerability disclosures is expected to exceed 50,000 in 2026, potentially rising to nearly 200,000 by 2028.
To help teams cope, Polaris now layers reachability analysis with exploitability data from Black Duck Security Advisories and CISA’s Known Exploited Vulnerabilities catalogue to help organisations go beyond raw CVSS scores and prioritise the vulnerabilities that pose the greatest genuine risk. New automated fix pull requests allow high-priority vulnerabilities to be fast-tracked for remediation, keeping a human in the loop for final approval before any code change is merged.
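The prioritisation logic described above, reachability combined with KEV membership and advisory exploit data so that a reachable, actively exploited medium-severity flaw outranks an unreachable critical one, can be sketched as a small triage function. This is an added illustration written for this article, not Black Duck's code or the Polaris scoring model; the findings, CVE ids and weightings are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Finding:
    component: str
    cve: str                  # constructed placeholder ids, not real CVEs
    cvss: float               # base score, 0.0 to 10.0
    reachable: Optional[bool] # None: reachability analysis gave no verdict
    in_kev: bool              # listed in CISA Known Exploited Vulnerabilities
    exploit_public: bool      # advisory reports a public exploit

# Constructed sample SBOM findings for demonstration.
SAMPLE = [
    Finding("libparse",   "CVE-0000-0001", 9.8, False, False, False),
    Finding("httpclient", "CVE-0000-0002", 7.5, True,  True,  True),
    Finding("yamlutil",   "CVE-0000-0003", 8.1, None,  False, True),
    Finding("logfmt",     "CVE-0000-0004", 5.3, True,  False, False),
]

def tier(f: Finding) -> str:
    """Bucket a finding. Confirmed-unreachable code drops to the backlog
    regardless of CVSS; anything reachable or unverified that is actively
    exploited (KEV or public exploit) is fast-tracked for a fix PR."""
    if f.reachable is False:
        return "backlog"
    if f.in_kev or f.exploit_public:
        return "fast-track"
    return "review"

def risk_score(f: Finding) -> float:
    """Weight raw CVSS by exploitation evidence and reachability (assumed weights)."""
    score = f.cvss
    if f.in_kev:
        score *= 2.0
    elif f.exploit_public:
        score *= 1.5
    if f.reachable is True:
        score *= 1.5
    elif f.reachable is False:
        score *= 0.2
    return round(score, 2)

TIER_ORDER = {"fast-track": 0, "review": 1, "backlog": 2}

def triage(findings: List[Finding]) -> List[Finding]:
    """Order findings by tier first, then by weighted score within a tier."""
    return sorted(findings, key=lambda f: (TIER_ORDER[tier(f)], -risk_score(f)))

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{tier(f):10} {risk_score(f):6.2f} {f.component} {f.cve}")
```

Note that raw CVSS alone would have put libparse first; with reachability and exploitation data layered in it falls to the bottom of the queue.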
AI working for the defender
The update also brings AI capabilities directly into developer workflows. A new AI False Positive Detection feature delegates the research and de-prioritisation of false positive findings to a built-in agent drawing on Black Duck’s ContextAI model, reducing noise for security analysts.
A new Polaris MCP server allows teams using agentic coding tools, including Claude Code and GitHub Copilot, to query Polaris scan results, prioritisation data, and remediation guidance using Model Context Protocol, integrating security insight directly into AI-assisted development pipelines.
The latest Code Sight IDE plug-in update, meanwhile, enables developers to access AI-based security analysis and apply one-click code fixes from within their existing development environment, powered by Black Duck Signal.