
Horizon3.ai And The NSA Sound Alarm On Supply Chain Cyber Threats


Black Hat 2025, more affectionately known by those who perennially attend the event as “Hacker Summer Camp,” is taking place this week in Las Vegas. It is filled with insightful presentations and training, but one joint keynote from Horizon3.ai and the NSA is drawing attention not just for the pairing, but for the message: cybersecurity strategies must evolve—fast.

The focus isn’t on hypothetical threats. It’s on something both sides say is happening now: attackers exploiting weaknesses not in primary targets, but in the long tail of their supply chains.

Snehal Antani, CEO of Horizon3.ai and a former DoD tech executive, brings first-hand perspective to the conversation. In an exclusive interview ahead of the event, he described how AI is changing the speed and scale of attacks—and why security validation must catch up.

“The bad guys are inventing similar capabilities,” Antani said. “The speed of attack is only getting faster.”

The Growing Threat to the Defense Industrial Base

The keynote centers on a growing risk to national defense: the vulnerability of smaller defense contractors and suppliers. Nation-state actors are no longer just targeting large enterprises or government systems directly. Instead, they’re looking for the easiest point of entry—which is often a small design firm, subcontractor or third-party IT provider.

Antani shared an example where Horizon3’s autonomous pen-testing platform uncovered sensitive CAD files for Nimitz-class aircraft carriers within five minutes of running a simulation at a small ship design firm. “They didn’t have to go after the Pentagon,” he said. “They got the full design—including nuclear submarine specs—from a supplier.”

This approach is consistent with how modern cyber-espionage works. As Richard Stiennon, chief research analyst at IT-Harvest, explains, “When a spy agency picks a new target, the first tool they reach for is exploits against the target’s software infrastructure. Reconnaissance is not about enumerating the target’s attack surface; it is all about enumerating the target’s supplier base.”

And it’s not just a defense-sector issue. Scott Crawford, research director for information security at 451 Research, part of S&P Global Market Intelligence, notes the same pattern across many industries. “It’s no secret that attackers have targeted smaller organizations that make for attractive targets. From healthcare clinics to local agencies, adversaries have found many of these to be more constrained when it comes to security expertise and investment—but in possession regardless of valuable assets, sensitive information or functionality.”

Crawford added, “In the realm of suppliers to critical industries, this issue is amplified by the dependence of those industries on extensive supply chains. Many suppliers in verticals from aerospace and defense to automotive and well beyond depend on networks of thousands of suppliers. Utilities may consist of heavily internetworked facilities in larger grids. When governments step in to step up cybersecurity in these realms, they are recognizing critical societal dependencies that can have an impact well beyond the scale of any one supplier.”

That’s the backdrop for the NSA’s participation. Bailey Bickley, who leads the agency’s Cybersecurity Collaboration Center, will join Antani onstage to discuss how the NSA is working directly with small and mid-size suppliers to raise their baseline defenses—not just enforce compliance. This carrot-and-stick approach complements frameworks like CMMC. “The carrot raises the ceiling of security, and the stick raises the floor,” Antani said.

The Role of AI in Offensive Security

The core of Horizon3.ai’s approach lies in automated adversary emulation. Instead of waiting for an attack or relying on static controls, organizations can simulate real-world threats across their environments. These autonomous pen tests run continuously, surfacing exploitable issues before an attacker can.

Scale is key. “I run more pen tests a day than Big Four consulting firms run in a year,” Antani noted. “That gives us a telemetry advantage—five billion unique events a month.”

With that data, Horizon3.ai builds what Antani calls a “graph of understanding” about an environment, then uses large language models to generate attack scenarios. The company emphasizes cost-effective AI, blending LLMs with custom architectures to avoid the high token costs that make many AI startups economically unviable.

“The problem with most AI companies today is they spend more on token costs than they do the revenue they’re collecting,” he said. “They’re actually all gross margins negative.”

By contrast, Antani says Horizon3.ai meets the “Rule of 40,” a metric that combines growth and profitability, and one Wall Street uses to evaluate sustainable software businesses.

A Rare Public-Private Alignment

The NSA rarely shares a keynote stage with a private startup. Their collaboration with Horizon3.ai reflects a broader trend: traditional agencies working with newer, faster-moving companies to solve complex challenges that span both sectors.

Antani, who helped lead AI initiatives in the U.S. military, sees public-private collaboration as essential—especially as the threat surface expands. What happens to a small defense contractor in Ohio can have ripple effects across military readiness, critical infrastructure and even civilian technology supply chains.

“A lot of those defense industrial base suppliers also supply for companies like GM,” he noted. “The network effect here is huge.”

From Pen Tests to FixOps

Horizon3.ai is also using Black Hat to introduce a new integration: wrapping its autonomous pen testing with Model Context Protocol servers. These systems let users query security issues in plain language—no need for complex dashboards or cross-tool coordination.

Antani calls the result “FixOps,” short for fix operations—a closed-loop process for identifying and remediating security issues with automation.

“The end user doesn’t have to care about all the technical nuances anymore,” he said. “MCP completely simplifies the workflow of remediation.”

Looking Ahead

The Horizon3.ai–NSA keynote is a signal that assumptions about how security should be measured—and how defense is prioritized—are shifting. As AI accelerates the pace of cyberattacks, static controls and annual audits won’t be enough.

The defense industrial base is only as strong as its weakest supplier. If organizations want to be resilient, they’ll need to validate their defenses continuously—and extend that mindset beyond their own perimeter.

Whether or not every organization embraces the model Horizon3.ai is proposing, the core message rings true: in a world of persistent, fast-moving threats, visibility is no longer optional.

If you happen to be in Las Vegas for “Hacker Summer Camp” this week, you can check out the Horizon3.ai and NSA joint keynote on Wednesday, August 6 at 12:50pm local time in Oceanside A on Level 2 at Mandalay Bay.
