The IT Nerd

Black Kite today released its newest report, 2026 State of Financial Services: The Dual Storm of Ransomware and Vendor Ecosystem Risk, which explores how direct attacks and supply chain risk are now rising together. The report found that direct ransomware attacks are escalating again and occurring concurrently with a massive surge in vendor vulnerabilities, shifting the industry from a single-direction tactical problem to a two-front structural crisis.

The financial sector’s 2024 relief, which was largely fueled by law enforcement disruptions of major ransomware groups like LockBit and Clop, was short-lived. In 2025, direct attacks rebounded as operators restructured under new banners. This fracturing ecosystem saw the number of distinct threat groups targeting finance climb from 37 in 2023, to 45 in 2024, and to 48 in 2025, led by threat actors Qilin, Akira, and Kill Security.

Ransomware targeting within finance has shifted significantly since 2023. In 2023, banks were the primary ransomware target with 71 disclosures compared to 44 disclosures reported by investment firms. By 2025, those positions reversed, banking incidents fell to 36 disclosures, and investment firm disclosures nearly doubled, as they became the most-targeted segment with 84 disclosures (41.6% of all incidents). This investment-sector surge was driven by a September 2025 campaign against South Korean asset managers, which accounted for 32 disclosures (38.1% of the subindustry’s total).

The CVE Volume Problem Is Accelerating, and the Gap is Widening

Over 48,000 CVEs were published globally in 2025 alone, an 18% year-on-year increase. Growing AI adoption is expected to further increase that volume through both AI-assisted vulnerability discovery and the widespread use of AI systems as new attack surfaces. In the 2026 Supply Chain Vulnerability Report, Black Kite Research Group identified 1,240 CVEs as high-priority for third-party risk in 2025, a 59% increase since 2024. 

Across all financial services vendors, 50.2% carry high-severity CVEs. As CVE volume increases and exploitation timelines compress globally, the operational impact on financial institutions is becoming increasingly direct. According to Verizon’s latest Data Breach Investigations Report (DBIR), vulnerability exploitation overtook phishing as the leading initial access vector for breaches for the first time in the report’s history. In this environment, visibility into the supply chain vulnerabilities that can introduce the greatest operational risk is essential.

Key findings from the report:

• Ransomware returns to finance: Direct ransomware attacks on financial institutions resumed their upward trajectory in 2025 after a brief decline the year before. Reported incidents increased by 30% from 2024 to 2025, while early 2026 data indicates the trend is accelerating further, with Q1 incidents rising 76% year-over-year.
• Vendor risk is a sector-wide threat: In September 2025, Qilin’s compromise of a single South Korean MSP cascaded into 32 financial institutions and over 2 terabytes of stolen data, making South Korea the second-most-targeted country for finance ransomware that year.
• A reorganized threat ecosystem: The number of distinct threat groups targeting finance climbed to 48 in 2025, led by emerging threat actors Qilin, Akira, and Kill Security. The dismantlement of major ransomware groups did not reduce the threat; it rerouted it. Operators from disrupted groups have rebuilt under new banners. Emerging actors have rapidly filled the vacuum, with Qilin alone responsible for 59 finance-sector incidents in the past year.
• Vendor vulnerabilities multiply: From 2024 to 2025, the number of critical vulnerabilities carried across vendors serving the financial sector increased 387%. Among the 140 vendors whose client base is meaningfully concentrated in finance, critical vulnerabilities increased 181%.
• Active exploitation at scale: 54% of the 140 vendors whose client base is meaningfully concentrated in finance carry at least one vulnerability listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, meaning those vulnerabilities are actively being exploited in the wild.
• Patch management gaps are widespread across the financial supply chain: Critical-level patch management failures are present in 78% of the 140 vendors whose client base is meaningfully concentrated in finance. As exploit timelines compress and vulnerability exploitation overtakes phishing as a leading breach vector, the ability to identify, prioritize, and drive remediation of the most critical exposures across the vendor ecosystem is becoming increasingly essential.

Financial institutions now face simultaneous pressure from direct ransomware targeting and the growing volume of exploitable vulnerabilities carried across their vendor ecosystem. While the sector itself operates under extensive regulatory scrutiny, many third-party vendors face far less pressure to mature at the same pace, widening the exposure gap across the financial supply chain.

As vulnerability exploitation becomes a leading initial access vector and exploit timelines continue to compress, resilience increasingly depends on the ability to continuously identify, prioritize, and respond to critical exposures across both internal environments and third-party relationships. In this environment, capabilities such as continuous monitoring, predictive analytics, and quantified risk are no longer differentiators, but operational requirements.

To read the report, visit https://blackkite.com/reports/2026-financial-services-report.

Black Kite today released its 2026 Supply Chain Vulnerability Report, revealing that of the 48,000+ CVEs published in 2025, only 58 represented a genuine, discoverable, and exploitable threat to enterprise supply chains.

This finding reinforces a critical shift in how organizations must approach cyber risk. The challenge is no longer just scale; it’s precision. Vulnerability volume continues to surge, driven by rapid AI adoption and advances in AI-powered vulnerability discovery. At the same time, exploit timelines are compressing, with attackers moving faster than ever, exploiting vulnerabilities an average of seven days before public disclosure, a window expected to shrink further as AI technologies accelerate scanning and exploitation capabilities.

Yet despite the surge in CVE volume, the number of vulnerabilities that pose meaningful risk remains remarkably small, making the ability to quickly identify and act on what truly matters more essential than ever to defending the supply chain.

AI Changed and Expanded the Attack Surface

AI adoption is reshaping the supply chain risk landscape, creating a widening gap between organizations with advanced security capabilities and those without.

Large enterprises that have adopted AI-powered vulnerability scanning have reduced detection timelines to an average of 14 days and remediation cycles to 21 days. In contrast, mid-market vendors, smaller software providers, and open-source maintainers that often lack these advanced defenses, still average 197 days for detection and down from 60 days for remediation.

As enterprise perimeters harden through AI-driven security, threat actors are increasingly shifting their focus to these “Tier 2” suppliers, driving risk to concentrate around the smaller vendors that enterprises depend on. For TPCRM programs, this means mid-market vendors now carry a significantly higher systemic threat profile.

Key findings from the report:

• AI is driving vulnerability growth: 2,130 AI-related vulnerabilities were reported in 2026, a more than 200% increase since 2023.
• Volume is rising, but risk remains concentrated: More than 48,000 CVEs were published in 2025 (an 18% increase year-over-year), yet just 58 posed a genuine supply chain threat.
• Exploitation timelines are compressing: According to Mandiant, attackers exploited vulnerabilities an average of seven days before public disclosure in 2025, a window expected to shrink further as AI accelerates exploitation capabilities. Anthropic’s 2026 Project Glasswing demonstrated that AI models can autonomously identify zero-day flaws at scale. This means the volume and velocity of zero-day exploitation may accelerate far beyond what any reactive program can absorb.
• AI is expanding the attack surface: AI coding assistants and agentic frameworks are emerging as actively targeted attack vectors, with high-severity CVEs on the rise. Prompt injection is also gaining recognition as a weaponizable vulnerability class, effectively acting as the “new RCE” (Remote Code Execution) for agentic systems.
• Risk is shifting to less mature vendors: As larger enterprises improve average time to detection and response with AI, the share of exploited vulnerabilities targeting mid-market and smaller vendors are expected to rise significantly in the near future.
• Proactive prioritization is critical: In modern TPCRM, time is the ultimate metric. Organizations relying solely on the CISA KEV catalog are reacting to threats that may already be actively exploited.

The report, based on analysis of more than 1,240 manually reviewed high-priority CVEs published in 2025, details a five-stage prioritization framework that filters raw vulnerability data through discoverability, exploitability, and vendor exposure to surface only the threats that demand immediate action. In 2025, that process produced 329 FocusTags^® (asset-level threat signals that link a global vulnerability directly to a specific vendor’s confirmed exposure), and identified just 58 highest-priority designations representing the vulnerabilities most likely to impact supply chains.

Black Kite applied a FocusTag^® for 95.2% of OSINT-discoverable vulnerabilities before they were added to the KEV or within 24 hours of their addition, enabling customers to take a proactive approach to supply chain risk and mitigate threats before vulnerabilities are widely exploited.

Designed for TPCRM leaders, CISOs, security operations teams, and vendor risk managers, Black Kite’s report provides the definitive data and methodology for organizations seeking to secure their extended vendor ecosystem and transition from reactive patching to proactive risk mitigation. To download the report, visit https://blackkite.com/reports/2026-supply-chain-vulnerability-report.

Methodology

The findings within the 2026 Supply Chain Vulnerability Report are founded on a rigorous manual analysis process conducted by the Black Kite Research Group. While automated scanners track the raw volume of disclosures, raw CVSS data alone is insufficient for effective TPCRM. To extract actionable intelligence, Black Kite researchers manually analyzed 1,240 high-priority CVEs published in 2025. The criteria for designating a vulnerability as “high-priority” requires the flaw to extend beyond theoretical severity. The Black Kite Research Group evaluates vulnerabilities based on real-world exploitability, the prevalence of the affected product within enterprise supply chains, and the active interest of threat actors. Vulnerabilities that are strictly internal, highly theoretical, or confined to obscure hardware are filtered out of this high-priority dataset.

Black Kite today announced a strategic partnership and integration with Sayari, a leading provider of global corporate transparency and supply chain risk intelligence. Together, the two companies are enabling organizations to gain a unified view of third-party risk by combining deep visibility into global corporate and trade networks with continuous cyber risk monitoring.

As organizations face increasing pressure to manage risk across complex, global supply chains, many struggle with fragmented data spread across multiple tools and teams. This partnership addresses that challenge by bringing together Sayari’s unmatched insight into corporate ownership, trade activity, and hidden commercial relationships with Black Kite’s objective, standards-based cyber risk ratings and real-time threat intelligence.

Through the integration, customers can enrich third-party risk assessments with both who an entity is connected to and how exposed they are from a cyber perspective—providing a more complete and actionable understanding of risk across the extended enterprise.

Sayari’s platform delivers visibility into complex commercial relationships using one of the world’s largest collections of corporate and trade data, spanning over 250 jurisdictions worldwide. By integrating this intelligence directly into Black Kite’s platform, customers can more easily identify hidden ownership structures, upstream supply chain dependencies, and potential exposure to financial crime or geopolitical risk—while simultaneously assessing cyber posture.

The combined solution supports a wide range of use cases, including:

• Enhanced due diligence through enriched corporate ownership and cyber risk insights
• Supply chain risk management with visibility into N-tier suppliers and their vulnerabilities
• Financial crime and compliance by correlating beneficial ownership with cyber posture
• Government and national security applications requiring both transparency and cyber resilience
• M&A and third-party onboarding with faster, more comprehensive risk assessments

By reducing manual research and connecting previously siloed data, the Black Kite and Sayari integration enables organizations to prioritize risk more effectively, accelerate investigations, and strengthen resilience across their third-party ecosystem.

The partnership reflects a shared commitment to helping organizations navigate the growing complexity of global risk with greater clarity, speed, and confidence.

There is a related webinar that was done in April called From Fragmented Signals to Connected Risk Intelligence, available to watch on-demand.

Black Kite today announced the release of Open FAIR™-Based Risk Assessments, which extends its CRQ capabilities to its AI-powered cyber assessment offering. Black Kite fully automates the calculation of probable financial impact in the event of a data breach, ransomware attack, or business disruption scenario using the industry-leading Open FAIR™ methodology, eliminating the complexity and manual effort typically associated with CRQ analysis. This latest release brings CRQ directly into the cyber risk assessment workflow, enabling customers to instantly calculate financial risk during onboarding and periodic risk reviews.

As the industry’s first provider to automate Cyber Risk Quantification (CRQ) for third party risk management, Black Kite has long delivered real-time CRQ through its continuous monitoring offering. These insights help them prioritize remediation efforts and vendor outreach, and clearly communicate risk and program success to executive and business stakeholders.

By introducing Open FAIR™-based risk quantification into the assessment workflow, customers can model onboarding decisions through  “what-if” analysis. For example, they can simulate  how sharing more or fewer records with a vendor impacts financial risk so that they can set clear vendor approval conditions. Additionally, customers are able to view real-time CRQ alongside assessment-based CRQ captured at onboarding and during periodic risk reviews to track how vendor risk is trending over time.

Customer key benefits include:

• Turn risk decisions into business decisions: Instantly quantify a company’s financial risk during onboarding and annual assessments to inform vendor selection, renewal decisions, and even insurance underwriting.
• Clearer vendor comparisons: Use a consistent financial risk language (e.g., “Are we willing to accept $10M vs. $2M of cyber risk in a ransomware scenario?”) to objectively compare vendors and select the best option.
• Understand risk trends over time: Track how a vendor’s financial risk changes by comparing point-in-time CRQ from assessments with real-time CRQ from continuous monitoring to get a high-level understanding of vendor maturity, remediation progress, and the impact of outreach campaigns over time.
• Model scenarios with full customization: Adjust model inputs to test different decision conditions, like onboarding a vendor only if data access is limited, and see how each scenario changes probable financial impact.

Open FAIR™-Based Risk Assessments key features include:

• Automated FAIR model population: Never start with a blank model with Open FAIR™ factors that are automatically populated and enhanced by assessment responses, uploaded documentation, and insights from continuous monitoring.
• Assessment-based private modeling: Run private, assessment-specific analysis to estimate probable financial risk impact at key moments, such as onboarding, renewal, post major outreach campaign, and more. 
• Full customization: Customize exposure metrics and FAIR inputs across key scenarios or entirely custom scenarios to test different assumptions.

For more information, visit https://blackkite.com/platform/financial-impact.

Black Kite today announced the release of its seventh annual Third-Party Breach Report, which analyzes third-party data breaches in 2025, including how they occurred, organizational impact, and structural conditions shaping third-party cyber risk at scale. The report found 136 unique major incidents, affecting 719 companies, plus an estimated 26,000 additional impacted companies that were not officially named.

Black Kite’s report examines the supply chain’s interconnectedness and vulnerabilities by evaluating last year’s key third-party breach events and dominant trends, the cyber posture of approximately 200,000 monitored companies on the Black Kite platform, and the concentration risk among the top 50 most relied upon third parties within the Forbes Global 2000 ecosystem.

2025 Incidents and Impact

2025 saw a surge in verified incidents with 136 major events. However, what stood out is not that companies were breached, but rather, a significant “shadow layer” emerged behind aggregate disclosures. In fact, while 719 companies were publicly named as victims, approximately 26,000 additional impacted companies were affected but never officially named.  At the individual level, publicly disclosed figures point to 433 million impacted people.

In 2025, we saw an average of 5.28 downstream victims per third-party breach, the highest level observed to date (2.56 in 2024, 3.09 in 2023, 4.73 in 2022, and 2.46 victims per incident in 2021). This uptick reflects a sharp increase in the scale and coordination of attacks, driven by threat actors targeting shared platforms, centralized services, and high-dependency vendors. As attackers move upstream, single compromises increasingly translate into multi-company impact.

The visibility gap is further exacerbated by a persistent “Silent Window”: while the median time to detect an intrusion was 10 days, the median delay to disclose that breach to the public was 73 days. This delay represents a massive transfer of risk from the vendor to the unsuspecting downstream customer.

Key findings include:

• Verified incidents surged to 136 events, with 719 named victim companies, and a much larger hidden layer behind aggregate disclosures
• Publicly disclosed impact reached 433 million people, while vendors reported approximately 26,000 additional affected companies without naming them
• Detection is slow, disclosure is slower, with median detection at 10 days (79 events with timeline data) and median disclosure lag of 73 days (average 117)

What the Third-Party Ecosystem Looks Like

Across a baseline of approximately 200,000 monitored organizations, randomly selected to understand the current state of the industry, the ecosystem appears healthy on paper with an average Cyber Grade of 90.27 (A). While a high average grade indicates that many organizations meet standard control expectations and compliance checklists, it does not guarantee that the ecosystem is resilient under real-world pressure. Third-party risk scales through common failure modes and dependency structures, so ecosystems can look strong in aggregate while remaining fragile in the specific places attackers repeatedly exploit.

For instance, the reality of the terrain is defined by repeatable weaknesses. Over 53% of organizations have at least one critical vulnerability, and 23% have corporate credentials circulating on the dark web. This creates “Pressure Zones,” particularly in manufacturing and professional services, where high susceptibility and weak discipline overlap. Notably, these sectors have been the top two hit by ransomware for four consecutive years. Education is another high-pressure sector. This is not driven by attack sophistication, but by chronic exposure. High credential leakage, inconsistent patch discipline, and operational constraints combine to create environments where compromise is easier to initiate and harder to contain.

On the other hand, finance presents a different pattern. Ransomware Susceptibility Index® (RSI™) scores remain materially lower because sustained governance pressure forces tighter control over identity, patching, and exposure management. Regulatory frameworks and continuous audit expectations raise the cost of negligence and shorten tolerance for unresolved weaknesses.

Key findings include:

• Across nearly 200,000 monitored organizations, the ecosystem appears healthy on paper, with an average Cyber Grade 90.27 (A), yet failure signals are widespread – 53.77% have at least one critical vulnerability, and 23.34% have corporate credentials circulating on the dark web.
• The ecosystem is not uniformly risky, with manufacturing and professional services sitting in the pressure zone with high Ransomware Susceptibility and weak patch discipline, while finance trends toward a more controlled profile.

The Concentration Risk Crisis: Top 50 Shared Vendors

The top 50 vendors shared by the Forbes Global 2000 represent not only a concentrated point of failure, but also, threat actors know they are the “master keys” to some of the world’s largest organizations, so they are hunting them aggressively.

Of utmost concern is that these vendors maintain a lower average Cyber Grade (83.9, B) than the ecosystem at large, and a staggering 70% of them have at least one vulnerability currently listed in the CISA KEV catalog. With 62% of them showing corporate credentials in stealer logs, this sensitive information is already circulating on the dark web.

Key findings include:

• 70% have at least one CISA KEV exposure, and 84% have critical vulnerabilities(CVSS ≥ 8)
• 80% show phishing URL exposure, and 40% show active targeting signals
• 62% have corporate credentials exposed in stealer logs, and 30% have breached credentials in the last 90 days
• 52% have a breach history, with 18% in the last year

To read the report, visit https://content.blackkite.com/ebook/2026-third-party-breach-report/.

Methodology

The findings in this report are the result of a multi-source, intelligence-led investigation conducted by the Black Kite Research Group. Black Kite combined verified public breach disclosures with the company’s external cyber risk telemetry and supply chain intelligence to analyze how third-party data breaches emerged, propagated, and concentrated across the ecosystem throughout 2025. The report covers third-party data breach events disclosed between January 1, 2025, and December 31, 2025. The breach dataset is limited to verified, publicly disclosed incidents and is designed to reflect what can be substantiated from reliable reporting and primary disclosures.

Black Kite, the leader in third-party cyber risk management, today announced the release of ThreatTrace™, its new capability that improves threat detection using NetFlow and DNS telemetry to strengthen an organization’s visibility into third-party cyber risk. Black Kite is the first TPCRM vendor to incorporate this deep level of visibility into third-party cyber risk monitoring and ratings, enabling teams to proactively take targeted action with their vendors.

NetFlow and DNS telemetry have long been valuable data sources in the SecOps world for detecting suspicious activity and deepening cyber investigations. With the release of ThreatTrace™, risk teams can detect new IOCs and anomalies to act faster and stay ahead of third-party threats through: 

• Stronger cyber intelligence with a new set of controls added under the IP Reputation risk category, informed by NetFlow and DNS telemetry
• Broader IOC and anomaly detection, including botnet-related activity, reconnaissance/C2 communication, potential data exfiltration, and more
• Greater supply chain visibility by uncovering new subdomains and connected third-party service providers.

With ThreatTrace™, TPRM teams can now proactively detect new indicators of compromise (IOCs) and anomalies, including:

• Botnet Infection: Identifies IP addresses that have been blacklisted by multiple threat intelligence sources, indicating that an internal asset, like a server, IoT device, or workstation, is likely compromised and actively participating in malicious activity, such as spamming, DDoS attacks, or C2 operations.
• Suspicious Outbound Activity: Detects active compromises by correlating DNS queries to high-risk domains (e.g., Tor sites, hacker forums, or C2 servers) with corresponding network traffic from the company’s IPs.
• Active Threat Actor Targeting: Detects when known malicious IP addresses, such as botnets or C2 servers, are actively interacting with a company’s digital assets, indicating an organization is being targeted for reconnaissance or attack.
• Traffic Baseline Deviation: Flags significant deviations from established traffic patterns, including unusual data volume spikes, connections to previously unseen high-risk IPs, and the use of abnormal ports, which are potential markers of data exfiltration.
• Geopolitical and Service Risks: Identifies unauthorized services and suspicious data flows directed toward high-risk or sanctioned countries to detect both potential data leakage and compliance violations.

ThreatTrace™ leverages NetFlow and DNS telemetry to strengthen cyber intelligence, helping teams detect threats earlier and stay ahead of third-party cyber risk. To learn more, visit https://blackkite.com/solution-briefs/black-kite-threattrace.

Black Kite today announced the release of its 2026 Wholesale & Retail Report: Cyber Exposure in the Age of Digital Supply Chain Attacks, which delves into the cyber risk for retail and wholesale companies that rely on many of the same essential vendors, including IT service providers, software platforms, and financial services. The report found a significant overlap in threat actors actively targeting these two sectors, confirming that they see wholesale and retail not as separate markets but rather as one large, interconnected system of targets.

The interconnectedness between wholesale and retail is aggressively exploited by threat actors that view the landscape as a single, lucrative target likely to pay out to minimize supply chain disruption. Additionally, with attackers seeing wholesale and retail as one target, they have developed universal attack tools and malware, such as Stealer Logs and MFT exploits, capable of working across both. Their goal is simply to find the easiest entry point into the system, regardless of which sector that entry point belongs to. For defenders, this tactic means their defense strategies must be unified. For instance, a successful breach into a wholesaler can create an easy entry point leveraged by the same group to be used against a major retailer that uses that particular wholesaler.

One of the report’s most critical findings is the widespread presence of compromised credentials, meaning that initial access has already been granted to a majority of the industry. In fact, over 70% of major retailers, nearly 60% of wholesalers, and 52% of the supply chain have exposed credentials.

Additional key findings include:

• 17% of retail ransomware victims had revenue over $1B, demonstrating that threat actors prioritize ‘big game hunting’ in the retail sector – a specific target for high-value extortion.
• 39% of wholesale ransomware victims had revenue in the mid-market range of $20M–$100M as attackers play a ‘volume game’ on smaller enterprises.
• 42% of critical supply chain vendors are exposed to at least one vulnerability from the CISA Known Exploited Vulnerabilities (KEV) Catalog, listing flaws currently under active attack.
• 2 vendor categories – Professional & Technical Services (793) and Information (705) –  totaling 1,498 companies, dominate the supply chain, outnumbering physical categories by a significant margin.

The report’s findings are conclusive. The shared supply chain is the new threat, and credential theft is the dominant access vector. In order to protect themselves, wholesalers, retailers and their vendors must urgently prioritize patching the specific vulnerabilities listed in the CISA KEV catalog, particularly those granting Remote Code Execution (RCE), which are the exact flaws active ransomware groups are weaponizing today.

Black Kite’s report empowers cybersecurity leaders and business executives to understand today’s emerging threats and learn how to proactively manage their third-party cyber risk to protect their organizations from supply chain disruptions.

To read the report, visit https://content.blackkite.com/ebook/wholesale-retail-tprm-report-2026/.

Black Kite today announced the release of its new Product Analysis module, which allows security teams to evaluate the risks of third-party software products at a granular level. As the first TPRM platform to offer this capability, Black Kite delivers a more detailed view of exposure and supports better decision-making around specific products and vendor outreach. The new module delivers intelligence on software supply chain risk through deep downloadable software analysis (CPE), SaaS subdomain analysis, and SBOM analysis.

With Black Kite’s Product Analysis, teams can go one step beyond vendor analysis by assessing individual products to gain deeper insight into supply chain risks associated with third-party software, improving both the speed and accuracy of product evaluations.

The new module combines multiple intelligence sources and analysis methods to deliver clear, product-level insight into vulnerabilities, exploitability, and risk posture:

• Downloadable Software Analysis (CPE): Maps software products to their producing vendors and calculates risk levels (low, medium, high) based on CVEs, exploits, certifications, and end-of-life status.
• SaaS Subdomain Analysis: Identifies SaaS subdomains, associates them with the correct company, and evaluates vulnerabilities and potential exploits for each.
• SBOM Analysis & Mapping: Analyzes open-source components and dependencies within third-party software to uncover hidden vulnerabilities and nested dependencies.

The Product Analysis module gives TPRM teams and security leaders a clear, accurate understanding of product-level risk exposure. Key benefits include:

• More confident decisions during software evaluation and onboarding.
• Stronger ongoing monitoring through precise insights that drive mitigation actions such as upgrades or configuration changes.
• Compliance support for federal and regulated industries that must perform SBOM analysis and broader risk assessments in alignment with EO 14028.

Product Analysis enables TPRM teams to seamlessly evaluate the risks associated with both the software they use and the software used by their third parties, helping them prioritize mitigation actions and vendor outreach to reduce potential exposure and impact from software vulnerabilities and other risks.

To learn more, visit https://blackkite.com/solution-briefs/product-analysis-with-black-kite

Black Kite today announced the release of Black Kite AI Agent, a super agent that automatically investigates, assesses, and reports on third-party risk. Black Kite has achieved record growth, with a 5-year Compound Annual Growth Rate (CAGR) of 70%, driven by customer success and satisfaction scores that exceed industry standards. These results are quantitative proof that organizations see Black Kite as an indispensable partner. Building on this momentum, the newly released Black Kite AI Agent empowers security teams to be more effective and automated in managing third-party risk.

Super Agent Investigates, Assesses, and Reports on Third-Party Risk

Black Kite was founded with a mission to give security professionals a complete and accurate view of their cyber ecosystem risk. From the very beginning, AI has played a central role in achieving that mission. The Black Kite AI Agent exposes these advanced AI capabilities directly to customers, enabling security teams to investigate, assess, and report on third-party risk more efficiently. With this new capability, Black Kite continues to set itself apart and lead the future of Third-Party Cyber Risk Management (TPCRM).

Fully embedded across the platform, Black Kite AI Agent enables users to ask questions in the context of any page or use pre-built “Blueprints” to launch deep investigations, generate custom reports, and more. Black Kite AI Agent is powered by a network of sub-agents so that when a user asks a question or uses a Blueprint, the appropriate sub-agents are automatically launched to handle the task.

Key features and benefits include:

• Deep Investigations: Investigates vendor findings, changes in risk scores, cyber ratings, RSI™, and the impact of breaches on third-party networks.
• Executive and Board Reporting: Generates custom reports and board communication packages with risk trends, concentration areas, and impact with charts and metrics.
• Procurement Decision Support: Benchmarks prospective vendors with side-by-side risk scores, RSI™, breach history, and financial impact analysis to support onboarding decisions and contract negotiations. 
• Navigation Guidance: Provides instant answers, guidance, and navigation tips based on best practices, help articles, and support tickets to maximize platform utilization and value.
• Build and Scale TPRM: Gives expert TPRM advice to guide in building and scaling a third-party risk management program, such as key processes, team structure, and R&Rs.
• Vendor Prioritization: Ranks vendors by severity and business impact, analyzing findings, FocusTags™, score changes, RSI™, and more to highlight the most urgent cases for action.
• Document Q&A: Enables the ability to query vendor documents (e.g., SOC 2 reports, ISO certifications, policies) by asking plain-text questions (e.g., “Do they require MFA?”) to extract control-specific information. 

The Trusted Choice for Third-Party Cyber Risk Intelligence

Black Kite has achieved a 5-year Compound Annual Growth Rate (CAGR) of 70%. Further fueling Black Kite’s momentum, the company surpassed key milestones, including expansion of its leadership team, high customer satisfaction scores that go beyond industry standards, recognition by leading industry analysts, and winning prestigious cybersecurity awards for innovation and excellence.

Key highlights include:

• Achieved a 5-year Compound Annual Growth Rate (CAGR) of 70%.
• Achieved record high industry standards in customer satisfaction, including: NPS score of 74-plus; 93% Customer Satisfaction Score (CSAT) for onboarding; and consistently receiving a 100% CSAT in customer support for 12 months with a 96% first call resolution rate.
• A 100% channel-first organization, Black Kite has a powerful network that includes 300-plus partners. From global resellers and managed services providers to GRC leaders and technology integrators, partners include Aravo, Guidepoint, Optiv, Onspring, Avertium, ServiceNow, LogicGate, CGS CyberDefense, and Carahsoft, to name a few.
• Black Kite Bridge™, the industry’s first solution enabling customer-vendor collaboration, has built a strong community of thousands of third parties, growing over 100% quarter over quarter.
• Expanded its leadership with Jack Jones, originator of the industry’s standard risk measurement model known as Factor Analysis of Information Risk (FAIR) and the FAIR Controls Analytics Model (FAIR-CAM), who joined as Strategic Advisor. Additionally, appointed Jessica Stanford as Chief Marketing Officer (CMO) and David Sauer as Vice President of Strategic Alliances to drive growth, enhance brand positioning, and expand strategic partnerships in the cybersecurity industry. 
• Recognized as a Sample Vendor in the Gartner® Hype Cycle™ for Cyber-Risk Management, 2025, which we feel validates that Black Kite’s focus on evidence-based, quantifiable, and transparent risk intelligence is precisely where industry analysts see the market heading. 

For more information on Black Kite AI Agent, visit https://blackkite.com/ai.

Black Kite today announced the release of its Global Adaptive AI Assessment Framework™, BK-GA³™. Designed to keep pace with evolving AI security threats, BK-GA³™ is the first truly global framework for assessing AI risk. BK-GA³™ was developed by the Black Kite Research Group and in consultation with Shared Assessments LLC, the member-driven leader in third-party risk assurance.

When developing BK-GA³™, hundreds of unique requirements across over 50 assessment frameworks were evaluated and best practices were synthesized to create a unified standard capable of evolving with the threat landscape. As a result, BK-GA³™ enables teams to apply a single, focused AI risk framework to efficiently identify vendor control gaps across their third-party ecosystem efficiently.

Key capabilities include:

• Continuous Adaptation: Regularly updated by the BK-GA³™ working committee to reflect evolving standards and emerging AI threats.
• Global Assurance Alignment: Maps to established frameworks, such as ISO, NIST, and more.
• Unified Best Practices: Synthesizes best practices from hundreds of unique requirements across 50+ assessment frameworks into a single standard.
• Built-in Intelligence: Considers OSINT and insights from the Black Kite Research Group to stay aligned with the latest trends and emerging AI threats.

BK-GA³™ is available both publicly and through the Black Kite platform. The publicly available component is a freely accessible AI risk framework developed with input from industry leaders and supported with continued collaboration from Shared Assessments. Black Kite customers can access the new framework through the Black Kite platform, where they can automatically access vendor AI risks.

To access BK-GA³™, visit https://content.blackkite.com/ebook/black-kite-global-adaptive-ai-assessment-framework/