Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer

With over 40,000 vulnerabilities disclosed last year—a 38% jump from the year prior—the real challenge for third-party risk management (TPRM) professionals isn’t knowing which risks exist. It’s knowing which ones to act on and how—a task made particularly difficult when managing risk across hundreds of vendors.

In Part 1 of our series, I introduced a three-dimensional approach to cybersecurity vulnerability management in TPRM—detailed in our 2025 Supply Chain Vulnerability Report—to help teams prioritize vulnerabilities in the supply chain based on severity, exploitability, and exposure. This dramatically narrows the field from tens of thousands of Common Vulnerabilities & Exposures (CVEs) to a much more manageable number.

But identifying risk is only half of the process. Acting on it is the other half.

In this second video, I walk through how TPRM teams can operationalize vulnerability intelligence, moving beyond theoretical prioritization to real-world application. Using tools like Black Kite’s FocusTags™, teams can gain clear visibility into which vulnerabilities are most urgent, which vendors might be exposed, and what steps to take for remediation.


Act On the Right Vulnerabilities With FocusTags™

A vulnerability’s CVSS score can clue you into potential severity, while its EPSS score can help predict the likelihood of exploitation. But neither tells the full story. Some vulnerabilities look dangerous on paper but are rarely exploited, while others fly under the radar until they become the entry point for a major breach.

Black Kite’s FocusTags help security teams tell the difference, surfacing the CVEs that are highly likely to be exploited, regardless of their severity level. They do this by layering in real-world signals that indicate whether bad actors are likely to attack.

How to Filter CVEs by Real-World Exploitability:

  1. CISA KEV inclusion: Has the vulnerability already been exploited in the wild?
  2. Public exploit availability: Are proof-of-concept (PoC) exploits readily available?
  3. Threat actor interest: Has it been mentioned in underground forums or used in attack campaigns?
  4. Community discussions: Is there a surge in security researchers analyzing it?
  5. Zero-day status: Is it newly disclosed with limited patches available?
  6. Supply chain impact: Does it affect widely used products with third-party exposure?
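As an added illustration (not Black Kite’s own FocusTags logic and not code from the original post), the following Python applies the six signals above to a few constructed CVE records; the tier rules, thresholds, and CVE identifiers are assumptions made for this example only.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class CveRecord:
    """One CVE with its scores plus the six real-world signals from the list above."""
    cve_id: str
    cvss: float                 # severity on paper (0-10)
    epss: float                 # predicted exploitation probability (0-1)
    in_cisa_kev: bool = False   # 1. already exploited in the wild
    public_poc: bool = False    # 2. proof-of-concept exploit available
    actor_interest: bool = False  # 3. mentioned by threat actors / used in campaigns
    community_surge: bool = False  # 4. spike in researcher analysis
    zero_day: bool = False      # 5. newly disclosed, limited patches
    supply_chain_impact: bool = False  # 6. widely used product with third-party exposure

SIGNALS = ("in_cisa_kev", "public_poc", "actor_interest",
           "community_surge", "zero_day", "supply_chain_impact")

def present_signals(rec: CveRecord) -> List[str]:
    """Names of the exploitability signals that are set on this record."""
    return [s for s in SIGNALS if getattr(rec, s)]

def triage_tier(rec: CveRecord) -> str:
    """Assumed tiering: KEV, or a public PoC on a widely used product, means act now;
    two or more signals, or a high EPSS, means watch; everything else is backlog."""
    sigs = present_signals(rec)
    if rec.in_cisa_kev or (rec.public_poc and rec.supply_chain_impact):
        return "act_now"
    if len(sigs) >= 2 or rec.epss >= 0.5:   # 0.5 is an assumed threshold
        return "watch"
    return "backlog"

def rank_cves(records: List[CveRecord]) -> List[str]:
    """Order CVE ids by tier, then EPSS, then CVSS, so real-world signals outrank raw severity."""
    order = {"act_now": 0, "watch": 1, "backlog": 2}
    ranked = sorted(records, key=lambda r: (order[triage_tier(r)], -r.epss, -r.cvss))
    return [r.cve_id for r in ranked]

# Constructed sample records; the ids are placeholders, not real CVEs.
SAMPLE = [
    CveRecord("CVE-0000-0001", cvss=9.8, epss=0.02),            # critical on paper, no signals
    CveRecord("CVE-0000-0002", cvss=6.5, epss=0.85, in_cisa_kev=True,
              supply_chain_impact=True),                         # medium CVSS, exploited in the wild
    CveRecord("CVE-0000-0003", cvss=7.5, epss=0.30, public_poc=True,
              community_surge=True),                             # PoC plus researcher attention
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.cve_id, triage_tier(rec), present_signals(rec))
    print(rank_cves(SAMPLE))
```

The critical-scored CVE with no exploitation signals lands last, which is the point of layering real-world signals over CVSS alone.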

Analyzing these risk factors, FocusTags help TPRM teams detect not just the most severe vulnerabilities, but also the ones most likely to be weaponized. Instead of reacting to every “critical” CVE, teams can focus on the ones that pose the greatest risk to their supply chain.

Risk Hunting, Not Just Monitoring

Most TPRM programs still depend on slow, reactive processes—waiting for vendor disclosures, following up on questionnaires, and hoping for timely responses. But the gap between disclosure and exploitation is shrinking fast: In 2021, attackers took 42 days on average to exploit a new CVE. By 2023, that window dropped to just 5 days.

When exploitation moves that quickly, speed matters.

FocusTags enable a more proactive approach, helping security teams shift from passive monitoring to active risk hunting. Through Black Kite’s Risk Intelligence page, teams can identify which vendors are likely exposed, track changes in exposure over time, and access vendor-specific guidance to drive faster remediation.

To make action even more precise, we recently introduced Vulnerability Intelligence Briefs (VIBs), which offer a detailed view of each CVE and where it is found in our customers’ supply chains. Think of them like baseball cards, but for vulnerabilities: each one gives you the essential stats you need to understand the risk and act fast.

If a CVE affects a vendor in your ecosystem, the brief tells you who’s likely running it and what questions to ask to confirm and resolve it. With these insights, you can act early, armed with the data needed to initiate informed, targeted vendor outreach.

The Future of TPRM Is Intelligence in Action

Third-party risk management isn’t about chasing every vulnerability—it’s about knowing which ones warrant your attention and moving quickly. And that requires more than static scores or vendor questionnaires.

As exploitation timelines shrink and supply chains become more complex, security teams need context on which they can act. Tools like FocusTags help meet that need, highlighting the vulnerabilities that require immediate attention due to exposure, exploitability, and third-party risk.

This kind of actionable vulnerability assessment is what defines the future of TPRM. By understanding attacker behavior, identifying vendor exposure, and prioritizing action based on real-world signals, security teams can move beyond reactive patching and toward a more strategic defense of their third-party ecosystem.

Read the full 2025 Supply Chain Vulnerability Report for more insights on how to apply vulnerability intelligence across your vendor ecosystem.

Read our full 2025 Supply Chain Vulnerability Report: Navigating a New Era of Managing Vulnerability Risk in Third Parties – accessible instantly, no download required.