While AI-speed vulnerability discovery is accelerating the disclosure burden across critical infrastructure supply chains, Fortress already operates the platform, data exchanges, and shared intelligence network built to stay ahead of it.
ORLANDO, FL - June 18, 2026 - Fortress Information Security today announced it has been named the Most Innovative Critical Infrastructure Platform at The Hacker News Cybersecurity Stars Awards 2026 - recognition awarded by The Hacker News, the world's number one cybersecurity publisher, to companies that have demonstrated excellence in the field. The award cites Fortress for its singular focus on securing the software and cyber supply chains that support critical infrastructure - assessing and mitigating risk across the hardware and vendor ecosystems that critical infrastructure operators depend on every day.
The recognition arrives at an inflection point. As AI-assisted research tools compress the time between vulnerability discovery and exploitation, the volume of disclosures hitting critical infrastructure supply chains is accelerating faster than any manual program can absorb. Fortress built its platform ahead of that curve - not in response to it.
"This recognition reflects the work our team has done to build the only platform purpose-made for critical infrastructure supply chain security - and the foresight to build it at a scale the industry is only now beginning to demand. The organizations that will manage the coming surge in vulnerability disclosures are the ones that already know their vendors, their products, and their risk exposure before the disclosures hit. That is exactly what the Fortress Platform delivers - today, not eventually." - Alex Santos, CEO, Fortress Information Security
The attack surface is no longer just the perimeter - it is every vendor, every hardware component, and every software bill of materials across the supply chain. Fortress has been processing risk at machine scale for years. That head start is the difference between programs that walk into the disclosure surge with proof and those that scramble to catch up.
2M+ vulnerabilities identified across critical infrastructure products and partners in the past year alone
18,000+ SBOMs compiled in the North American Energy Software Assurance Database (NAESAD)
12,000+ vendor assessments in the Asset to Vendor (A2V) network
7,600+ products actively monitored - with more than 50,000 risks surfaced for assessment
7 of 10 largest publicly owned U.S. utilities served
3 of 6 U.S. military branches protected
Unlike point solutions that find vulnerabilities and stop there, Fortress fixes them - delivering regulator-defensible risk reduction through built-in remediation workflows and optional managed services.
The Fortress Platform operates the only critical infrastructure industry data exchanges of their kind. Risk identified for one operator becomes a shared signal for all - accelerating resolution for every operator connected to NAESAD and A2V. As AI-speed discovery increases disclosure volume, that collective intelligence layer is what keeps triage tractable at scale. This is supply chain cybersecurity built for the way critical infrastructure actually works: collaborative, regulated, and high-stakes.
Fortress Information Security is the supply chain cybersecurity company built exclusively for critical infrastructure. The Fortress Platform delivers automated third-party risk management, SBOM analysis, vulnerability intelligence, continuous monitoring, and vendor risk management across the full cyber supply chain - covering cybersecurity, foreign influence, operational, regulatory, and financial risk. As AI-speed vulnerability discovery reshapes the threat landscape, Fortress operates the only shared intelligence network in critical infrastructure built to absorb that volume at scale. Fortress supports 7 of the 10 largest publicly owned utilities and three of the six U.S. military branches.
Learn more at fortress.ai or request a platform demo.
Third-party risk management for critical infrastructure is the continuous process of identifying, assessing, and mitigating cybersecurity, operational, regulatory, and foreign influence risks introduced by the vendors, suppliers, and technology partners that critical infrastructure operators depend on every day. Unlike general enterprise TPRM, critical infrastructure TPRM must account for the hardware and software embedded in operational technology environments — components that cannot be patched on IT timelines and whose compromise can cascade into physical safety and reliability failures. Effective programs go beyond annual questionnaires to deliver continuous vendor monitoring, software bill of materials (SBOM) analysis, and actionable remediation mapped to each operator's specific asset profile.
Critical infrastructure operators face three compounding challenges that most enterprise TPRM frameworks were not built to solve. First, the vendor ecosystems are deep — utilities, defense contractors, and energy companies rely on hundreds of specialized hardware and software suppliers, many of whom share common components that create systemic concentration risk. Second, operational uptime requirements make rapid patching impossible; a vulnerability in an OT-connected vendor is not just a compliance risk, it is a potential entry point into industrial control systems. Third, regulatory obligations — spanning NERC CIP, NIST SP 800-161r1, CMMC, and the incoming CIRCIA requirements — demand documented, continuous, regulator-defensible risk reduction, not periodic self-assessment. Generic TPRM platforms built for financial services or healthcare do not address these realities.
AI-speed vulnerability discovery refers to the acceleration of vulnerability disclosures driven by AI research tools that find flaws faster than human teams can triage them. Where traditional security research might surface dozens of critical vulnerabilities in a given product category over months, AI-assisted analysis can identify hundreds within days. For critical infrastructure operators, whose vendor ecosystems contain thousands of products with embedded software components, this compression of the discovery-to-exploitation window changes the math on manual TPRM programs entirely. Organizations that enter this environment without continuous monitoring, pre-mapped vendor inventories, and shared intelligence infrastructure will face a triage backlog that no team can clear at human speed.
Annual vendor assessments produce a point-in-time snapshot of a vendor's security posture. Continuous TPRM monitoring tracks vendor risk in real time — surfacing new vulnerabilities, regulatory changes, financial instability signals, and foreign influence indicators as they emerge. The operational difference is response time. When a significant vulnerability is disclosed, organizations running continuous monitoring programs identify affected vendors within hours. Organizations relying on annual assessments may not know their exposure until their next review cycle. As AI-speed discovery shortens the window between disclosure and exploitation, annual assessments are no longer a viable risk management strategy for critical infrastructure operators.
NAESAD — the North American Energy Software Assurance Database — is an industry-wide data exchange operated by Fortress Information Security that compiles software bills of materials (SBOMs) and product security assessments across the energy sector. With more than 18,000 SBOMs compiled, NAESAD transforms what would otherwise be duplicative, per-operator assessment work into shared intelligence. Risk identified for one utility becomes a signal for all operators connected to the network — accelerating triage and resolution across the sector when new vulnerabilities are disclosed. NAESAD is the only collaborative of its kind purpose-built for critical infrastructure.
The Fortress Platform delivers end-to-end supply chain visibility by combining SBOM analysis, continuous vendor monitoring, third-party risk assessments, and shared intelligence through NAESAD and the Asset to Vendor (A2V) network. Fortress AI Monitoring (AIM) proactively monitors products across their lifecycle, identifying security and compliance risks at machine scale — with more than 7,600 products actively monitored and more than 50,000 risks surfaced for assessment. Critically, Fortress does not stop at finding vulnerabilities. Built-in remediation workflows and optional managed services ensure identified risks are resolved, producing regulator-defensible documentation of risk reduction rather than a growing queue of unaddressed findings.
Fortress Information Security is built exclusively for critical infrastructure — not adapted from a horizontal TPRM framework to serve utilities, energy companies, and defense contractors as a secondary market. That focus produces differences that matter operationally: the platform is designed around the hardware and OT vendor ecosystems that critical infrastructure depends on, the regulatory frameworks it addresses are sector-specific (NERC CIP, NIST SP 800-161r1, CMMC, CIRCIA), and the shared intelligence infrastructure — NAESAD and A2V — exists only because Fortress built it within and for the critical infrastructure community. Fortress currently supports 7 of the 10 largest publicly owned U.S. utilities and three of the six U.S. military branches.