Exploited: The Cyber Truth

Weaponized Before Disclosure: Rethinking Vulnerability Intelligence for Embedded Systems



In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by Patrick Garrity, Security Researcher at VulnCheck, and RunSafe Security CEO Joe Saunders for a deep dive into the hidden lifecycle of vulnerabilities—and why many threats are exploited long before public disclosure.

As embedded systems grow more complex, attackers are moving faster, exploiting flaws before most organizations even know they exist. Patrick shares research on how frequently vulnerabilities are weaponized prior to disclosure and what that means for defenders across critical infrastructure, OT environments, and embedded technologies.

Together, the group explores how hidden software dependencies, insufficient supply chain visibility, and outdated components create long-term blind spots for security teams. They also discuss actionable strategies, from Software Bills of Materials (SBOMs) to proactive disclosure, that help organizations build more resilient systems.

Topics covered:

  • Why exploitation often occurs before vulnerabilities are publicly disclosed
  • The hidden risks in embedded systems and opaque supply chains
  • How SBOMs and build-time visibility can help mitigate inherited risk
  • The importance of security maturity in long-lifecycle product environments
  • What organizations can do today to reduce risk and increase resilience

Whether you're in cybersecurity, product development, or managing legacy infrastructure, this episode will reshape how you think about vulnerability intelligence and embedded system security.


Exploited: The Cyber Truth, by RunSafe Security