The 2026 DBIR Is a Verdict on Traditional Third-Party Risk Programs
Published
Jun 11, 2026
Introduction
Let's give everyone the benefit of the doubt: your organization's defenses are solid. Your team is doing the right things. Your internal security posture is as strong as it's ever been.
It doesn't matter. Because nearly half of confirmed breaches now trace back to a vendor, a supplier, or a third party in your ecosystem — one you don't control, and in many cases, one you're not watching closely enough.
That's not a prediction. That's what the 2026 Verizon Data Breach Investigations Report found, analyzing more than 22,000 confirmed breaches across 145 countries. Third-party involvement hit 48% of all confirmed breaches, a 60% jump over the prior year. And for the first time in the report's 19-year history, the number one initial access vector isn't stolen credentials or phishing. It's vulnerability exploitation.
From where I'm sitting, this is more than a threat briefing. The DBIR reads as a forensic audit, and what it audits, whether it says so explicitly or not, is the design of traditional TPCRM programs. Below is a breakdown of the three design failures that produced these numbers.
Traditional Programs Assumed a Snapshot Was Enough
The most commonly used third-party risk management tools were designed for a world that no longer exists.
Questionnaires, periodic assessments, and annual (or less frequent) reviews were built on the only practical premise available at the time: ask vendors about their controls, document the answers, and revisit next year. The problem is that the threat environment doesn't wait for your next review cycle.
Bad actors act like water. They take the easiest path, which is increasingly through a vendor, partner, or supplier that isn't watching the same threats you are. Many third parties, especially smaller ones, simply do not have the resources or the visibility to keep pace with a threat landscape that is moving faster every quarter.
A questionnaire tells you what a vendor believed about its security posture on the day it filled the form out. It tells you nothing about what happened the day after. In an environment where the report puts mean time to exploitation at negative seven days, meaning attackers are exploiting vulnerabilities before most organizations even know those vulnerabilities exist, a point-in-time snapshot isn't risk management. It's a liability.
The DBIR confirms what those of us in the TPCRM space have been saying for years: continuous monitoring isn't a nice-to-have upgrade to the traditional model. It's the replacement for it.
Attackers Studied Your Vendor Ecosystem Better Than You Did
The second failure isn't a tooling problem. It's a targeting problem traditional programs weren't built to see.
There's an old story about Willie Sutton, the infamous bank robber, who was asked why he robbed banks. His answer: "Because that's where the money is." Threat actors have applied the same logic to your supply chain, and the math is straightforward. Compromising a single vendor that serves hundreds of enterprise customers is far more valuable, and far less work, than attacking any one of those customers directly.
These concentration points (vendors and suppliers that sit at the center of many enterprise ecosystems) are exactly where attackers are investing their effort. Traditional TPRM programs, which evaluate vendors individually and in isolation, were never designed to surface that kind of systemic exposure.
The DBIR data reflects the outcome of that blind spot. The 60% year-over-year surge in third-party breach involvement isn't random. It's the result of deliberate targeting by adversaries who understand the architecture of enterprise supply chains better than many of the programs designed to protect them. Niche vendors serving specific verticals, shared infrastructure providers, and software vendors embedded across entire industries are the concentration points that attract sophisticated attackers, and they are precisely the vendors that traditional risk programs tend to underscope or deprioritize.
A single vendor breach now reaches an average of 5.28 downstream organizations, so a breach at a concentration point is also your incident.
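Scoping for concentration means asking a question a per-vendor questionnaire never asks: if this one party is compromised, how much of our estate goes with it? The following is an added example, not Black Kite's or the DBIR's code, that answers that question over a constructed dependency graph. The vendor names, the system inventory, and the subprocessor relationships are all hypothetical. It walks the graph upward from each party (direct vendor or fourth party) to every vendor that depends on it, then counts the internal systems those vendors serve, so a fourth party with no contract of its own but a seat behind most of your vendors surfaces as the largest exposure.

```python
from collections import defaultdict

# Constructed inventory (hypothetical names): internal system -> direct vendors it depends on.
SYSTEMS = {
    "crm": ["saas-crm-co"],
    "payroll": ["hr-cloud-inc"],
    "billing": ["pay-gateway-ltd"],
    "analytics": ["data-warehouse-co"],
    "support-portal": ["helpdesk-saas"],
}

# Constructed subprocessor map (hypothetical): vendor -> fourth parties it depends on.
# Neither fourth party has a direct contract with us, so neither gets a questionnaire.
SUBPROCESSORS = {
    "saas-crm-co": ["shared-email-api"],
    "hr-cloud-inc": ["shared-email-api", "identity-broker"],
    "pay-gateway-ltd": ["identity-broker"],
    "data-warehouse-co": ["shared-email-api"],
    "helpdesk-saas": ["shared-email-api", "identity-broker"],
}


def dependents_index(subprocessors):
    """Invert the map: fourth party -> set of vendors that depend on it."""
    dependents = defaultdict(set)
    for vendor, subs in subprocessors.items():
        for sub in subs:
            dependents[sub].add(vendor)
    return dependents


def reachable_systems(party, systems, subprocessors):
    """Internal systems affected if `party` is compromised.

    Walks from `party` to every vendor that depends on it, transitively
    (a visited set keeps a cyclic map from looping), then returns the
    systems served by any affected vendor.
    """
    dependents = dependents_index(subprocessors)
    affected = {party}
    frontier = [party]
    while frontier:
        current = frontier.pop()
        for upstream in dependents.get(current, ()):
            if upstream not in affected:
                affected.add(upstream)
                frontier.append(upstream)
    return {name for name, vendors in systems.items() if affected & set(vendors)}


def concentration_ranking(systems, subprocessors):
    """Every party in the graph ranked by blast radius (systems reached), largest first."""
    parties = set(subprocessors)
    parties.update(v for vendors in systems.values() for v in vendors)
    parties.update(s for subs in subprocessors.values() for s in subs)
    scored = [(p, len(reachable_systems(p, systems, subprocessors))) for p in parties]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for party, radius in concentration_ranking(SYSTEMS, SUBPROCESSORS):
        print(f"{party:20s} reaches {radius} of {len(SYSTEMS)} systems")
```

In this constructed portfolio every direct vendor reaches exactly one system, which is what a vendor-by-vendor review would score. The two fourth parties, which no review ever scored, reach four and three systems respectively. The same walk works on a real inventory as long as the subprocessor lists are kept current, which is itself an argument for continuous rather than annual collection.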
The Vulnerability Prioritization Framework Was Measuring the Wrong Thing
The third failure is the one that's hardest to hear, because it's baked into how the entire industry was trained to think about risk.
Traditional TPCRM programs inherited their vulnerability prioritization logic from internal security: focus on critical-severity CVEs first, work down from there, and if you're behind on medium-severity issues, that's a manageable gap. That framework made reasonable sense when the volume of vulnerabilities was manageable and when AI-enabled attack chaining wasn't a factor.
Neither of those conditions holds today.
The DBIR found that organizations fully remediate only 26% of the vulnerabilities in CISA's Known Exploited Vulnerabilities (KEV) catalog, with a median patch time that has stretched to 43 days, up from 32 days the prior year. The instinctive response is to say organizations need to move faster. But volume is the real problem. In 2025, more than 48,000 CVEs were published. Filtering to CVSS 9.0 and above still leaves approximately 4,000 vulnerabilities to manage. No cybersecurity program has that bandwidth, time, or money.
More critically: a CVSS base score measures technical severity under generic assumptions. It encodes the attack vector, but it does not tell you whether the flaw is being exploited in the wild, whether the affected service is discoverable from the outside, or what data sits behind it at this particular vendor. For example, a medium-severity vulnerability that enables remote access to data stored by a vendor holding your customer records could be more dangerous to your organization than a critical-severity vulnerability that requires local access to exploit. Traditional programs weren't built to make that distinction, and attackers, increasingly equipped with AI-powered tools for chaining and automating exploitation, have learned to take advantage of the gap.
The focus needs to shift from vulnerabilities that look dangerous on paper to vulnerabilities that pose real business risk: data theft, system downtime, operational disruption. That reframe requires different intelligence, not just faster patching. Our 2026 Supply Chain Vulnerability Report lays out this filtering process in detail.
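To make the distinction concrete, here is an added example (not code from Black Kite, the DBIR, or the Supply Chain Vulnerability Report) that ranks the same set of vendor findings two ways: by published CVSS score alone, and by a risk score that also weighs attack vector, KEV membership, external exposure, and what the vendor holds for you. The findings are constructed with placeholder labels rather than real CVE identifiers, and every weight and the multiplicative scoring formula are assumptions chosen to show the effect, not a published methodology. A real program would replace them with its own calibrated inputs, for instance exploit-prediction feeds and asset criticality from the vendor inventory.

```python
from dataclasses import dataclass

# Assumed weights (illustrative, not from the report). Attack vector uses CVSS vocabulary.
AV_WEIGHT = {"network": 1.0, "adjacent": 0.6, "local": 0.3, "physical": 0.1}
DATA_WEIGHT = {"customer_records": 3.0, "internal": 1.5, "none": 0.5}
KEV_MULTIPLIER = 2.0      # observed exploitation in the wild
EXPOSED_MULTIPLIER = 1.5  # service is discoverable from the internet (OSINT)


@dataclass(frozen=True)
class VendorFinding:
    label: str              # placeholder, not a real CVE id
    vendor: str             # hypothetical vendor name
    cvss: float             # published base score
    attack_vector: str      # "network" | "adjacent" | "local" | "physical"
    in_kev: bool            # listed in CISA KEV
    internet_exposed: bool  # affected service reachable from outside
    data_impact: str        # what this vendor holds for us


# Constructed findings for illustration.
FINDINGS = [
    VendorFinding("VULN-A", "backup-appliance-co", 9.8, "local", False, False, "none"),
    VendorFinding("VULN-B", "saas-crm-co", 6.5, "network", True, True, "customer_records"),
    VendorFinding("VULN-C", "hr-cloud-inc", 7.2, "network", False, True, "internal"),
]


def risk_score(f):
    """Severity scaled by how reachable and how exploited the flaw is, then by business impact."""
    exploitability = AV_WEIGHT[f.attack_vector]
    if f.in_kev:
        exploitability *= KEV_MULTIPLIER
    if f.internet_exposed:
        exploitability *= EXPOSED_MULTIPLIER
    return round(f.cvss * exploitability * DATA_WEIGHT[f.data_impact], 2)


def severity_rank(findings):
    """The traditional queue: highest CVSS first."""
    return [f.label for f in sorted(findings, key=lambda f: (-f.cvss, f.label))]


def risk_rank(findings):
    """The business-risk queue: highest risk score first."""
    return [f.label for f in sorted(findings, key=lambda f: (-risk_score(f), f.label))]


if __name__ == "__main__":
    print("by CVSS:", severity_rank(FINDINGS))
    print("by risk:", risk_rank(FINDINGS))
    for f in FINDINGS:
        print(f"{f.label} cvss={f.cvss} risk={risk_score(f)}")
```

With these inputs the CVSS-only queue puts the local-only 9.8 at a backup appliance holding none of your data at the top; the risk queue puts the actively exploited, internet-facing 6.5 at the vendor holding customer records first, by a wide margin. The numbers themselves are artifacts of the assumed weights; the point is that the ordering flips once the inputs the page calls for are in the calculation.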
What to Tell Your Executives
The DBIR gives security leaders something valuable: an independent, data-backed document that confirms the inadequacy of the status quo. The conversation with executives isn't "we need more budget to do the same things faster." It is:
- Our current vendor risk program was designed for point-in-time assessment. The threat environment requires continuous intelligence.
- Attackers are targeting the vendors we share with hundreds of other enterprises. Our scoping needs to account for concentration, not just individual vendor posture.
- We are prioritizing the wrong vulnerabilities. Technical severity ratings don't map to business impact, and our remediation efforts need to reflect actual exploitability and exposure.
Internal defense has never been sufficient on its own. The DBIR makes that case with 22,000 data points behind it. The next question is whether the programs designed to manage third-party risk are built to respond to the threat environment the data actually describes.
See how Black Kite helps security teams move from point-in-time assessments to continuous third-party cyber risk intelligence and surface the vendor exposures that matter before they become breach statistics.