Application security firm Black Duck has been named a Leader in Gartner’s first-ever Magic Quadrant for Software Supply Chain Security, the company announced today. The inaugural report assessed 18 vendors against two axes, Completeness of Vision and Ability to Execute, and placed Black Duck firmly in the Leaders quadrant.
The timing of the report reflects a broader shift in the threat landscape. Software supply chain attacks have surged in recent years, prompting regulators on both sides of the Atlantic to act. The EU’s Cyber Resilience Act now mandates rigorous software component transparency, while US federal guidance continues to push for software bill of materials (SBOM) adoption across critical infrastructure sectors.
Greg Hughes, CEO of Black Duck, framed the recognition in the context of that accelerating regulatory and technological pressure. He pointed to two forces in particular: the obligations introduced by the EU Cyber Resilience Act and the widening impact of AI on how software is written and how vulnerabilities are discovered. “Software supply chain security is now a board-level priority, driven by regulations like the EU Cyber Resilience Act and the transformative impact of AI on software development and vulnerability discovery,” Hughes said.
Hughes added that Black Duck is embedding AI across its platform, combined with what he described as decades of domain expertise and deep contextual intelligence, to give organisations visibility and automation capable of keeping pace with attackers.
The announcement was accompanied by details of several recent product innovations across the platform:
- AI Model Risk Insights. Uses signature-based analysis to detect embedded open source and hybrid AI models, supporting licence governance and AI-BOM workflows.
- Risk-Based Vulnerability Prioritisation. Extends exploitability and reachability analysis across source code, binaries, and containers to cut remediation noise.
- AI-Driven Dependency Remediation. Leverages large language models and curated security intelligence to generate minimal patches for vulnerable dependencies, including where no upstream fix exists.
- SBOM & Vulnerability Disclosure Maturity. Enhances SBOM lifecycle management with expanded VEX export in CSAF 2.0 format, targeting EU CRA alignment.
- Expanded Support for Hardened Container Images. Ingests supplier-provided VEX data for hardened images such as Chainguard, Docker, and Minimus to reduce false positives.
The creation of a dedicated Software Supply Chain Security Magic Quadrant is significant in itself. Gartner’s move to carve out this category signals that analysts now regard SSCS as a mature, standalone discipline rather than a subset of application security testing or DevSecOps tooling.
For practitioners, the Gartner framing is a useful anchor when building internal business cases. The research firm noted that engineering teams can use SSCS tools to automate the enforcement of security and compliance policies and to meet regulatory and government mandates, language that will resonate with CISOs facing audit and procurement scrutiny.
Black Duck also holds a Leader position in the Gartner Magic Quadrant for Application Security Testing, a designation it has held for eight consecutive years, making it one of the few vendors to simultaneously lead in both quadrants.