By: Jeffrey Wheatman, Senior Vice President, Cyber Risk Strategist

Here’s a hypothetical: Imagine you fire off an email to one of your vendors and say: “Hey, we’re big fans of your product, but if you want to keep this deal alive, we need you to make a few updates to your systems—ASAP.”

They dig into what you’re asking, and after a bit of math, your vendor realizes: Those “few updates” are going to cost us millions. Not to mention the time, the people, and the potential downtime.

Maybe your vendor politely declines. Maybe they push back. Or maybe—just maybe—they start thinking twice about working with you altogether.

Sounds dramatic, right? But this is exactly how most organizations approach third-party vulnerability management today. We send our vendors laundry lists of vulnerabilities—hundreds of them—and essentially say: “Fix all of these. Now.”

Look, I get it. Historically, that’s been the default approach. Most third-party risk management (TPRM) programs are reactive, checklist-driven, and heavy on compliance theater. We didn’t have the tools or visibility to do much else.

But the world has changed. Black Kite’s 2025 Supply Chain Vulnerability Report shows that we finally have the visibility to be smarter. Strategic, even. Instead of asking vendors to patch everything under the sun, we can help them focus on the vulnerabilities that actually matter.

The end result? Lower costs, stronger relationships, and a more secure extended ecosystem.

The Old Approach to Third-Party Vulnerability Management Is a Barrier to Collaboration

Back to our thought experiment.

Let’s say a typical vendor has ~470 open vulnerabilities at any given time. Now let’s factor in cost. Most estimates put the price tag to remediate a single vulnerability somewhere between $4,500 and $98,000. (Note: the average number of open vulnerabilities and the cost to remediate them are based on my research using ChatGPT’s deep research model as well as eSecurity Planet, Help Net Security, the Edgescan Vulnerability Statistics Report, and the Black Kite Research Group. Feel free to plug your own figures into these scenarios.)

Download my slides to communicate the importance of reducing vendor vulnerability remediation costs to your business partners (instant pptx download).

Looking at that range, we’ll take the midpoint of the second quintile and estimate the cost of remediation at $5,500 per enterprise-wide vulnerability.

So what are we really asking when we tell a vendor to fix everything? We’re asking them to invest more than $2.5 million to stay in our good graces.

That’s not a partnership. That’s a hostage negotiation.

And it’s no way to build trust.

In today’s interconnected world, we rely on our third parties more than ever. But if we keep treating them like punching bags – or worse, like expendable line items – we’re going to struggle to build the kind of collaborative, resilient ecosystems we actually need.

Add Focus, Decrease Costs, Build Business Trust

Here’s where it gets better. According to our new report, there’s a huge opportunity to bring focus and intelligence into the way we manage third-party vulnerabilities. Less scattershot. More scalpel.

With Black Kite, you can quickly narrow down the list of vulnerabilities worth acting on by applying some smart filters.

First, let’s get rid of everything with CVSS <6.0 (AKA, the ones that aren’t dangerous). Now we have 250 open enterprise-wide vulnerabilities per vendor at $5,500 a pop. The new cost is $1.375 million.

That’s better, but not good enough. So let’s keep going. Let’s get rid of everything with EPSS <60% (AKA, the ones that aren’t that likely to be exploited). Now the ask is $660,000.

Now focus on KEVs (AKA, the ones that are ‘real,’ with known exploit code in the wild). Now we’re down to 50 vulnerabilities at a cost of $275,000.

Finally, let’s apply Black Kite’s Intelligence (AKA, the real, dangerous ones that YOU care about because they are likely to impact the most vendors in your supply chain). Now we’ve whittled it down to 25 vulnerabilities. Not only that, but the cost to remediate has dropped from $5,500 to $3,500 because Black Kite has already done the discovery and helps manage communication through the Black Kite Bridge™.

Here’s the full breakdown at a glance:

| Filter | Est. number of vulnerabilities | Cost to remediate per vulnerability | Total cost of remediation |
| --- | --- | --- | --- |
| CVSS >6.0 (high to critical severity) | 250 | $5,500 | $1,375,000 |
| EPSS >60% (more likely to be exploited) | 120 | $5,500 | $660,000 |
| KEVs (known exploit code in the wild) | 50 | $5,500 | $275,000 |
| Vendor susceptibility (vulnerabilities likely to impact the most vendors in your supply chain) | 25 | $3,500 (the cost drops because Black Kite has done the discovery and helps manage communication) | $87,500 |

By applying these filters, you reduce the noise and zero in on the vulnerabilities that matter. For a typical vendor, that means shrinking your ask from 470 vulnerabilities to about 25. That’s manageable, and a much more reasonable ask.  
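As an added worked example (not code from this post or from Black Kite), here is the four-stage filter and its cost math in Python over a small constructed vulnerability list, using the post’s $5,500 and $3,500 per-vulnerability costs. The `affected_vendors` field and its threshold are assumptions standing in for Black Kite’s proprietary vendor-susceptibility intelligence, and the boundary values (CVSS 6.0, EPSS 60%) are treated as kept.

```python
"""Tiered third-party vulnerability filter (CVSS -> EPSS -> KEV -> vendor susceptibility)
with the blog's per-vulnerability cost model. All sample data below is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vid: str               # constructed placeholder label, not a real CVE id
    cvss: float            # CVSS base score, 0.0-10.0
    epss: float            # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalog
    affected_vendors: int  # ASSUMED proxy for Black Kite's vendor-susceptibility signal

BASE_COST = 5_500    # blog's cost to remediate one enterprise-wide vulnerability
GUIDED_COST = 3_500  # blog's cost once discovery and vendor communication are handled

def prioritize(vulns, vendor_threshold=10):
    """Apply the filters cumulatively; return one row (stage, count, unit cost, total) per stage."""
    stages = [
        ("All open vulnerabilities", lambda v: True),
        ("CVSS >= 6.0", lambda v: v.cvss >= 6.0),
        ("EPSS >= 60%", lambda v: v.epss >= 0.60),
        ("KEV", lambda v: v.in_kev),
        ("Vendor susceptibility", lambda v: v.affected_vendors >= vendor_threshold),
    ]
    rows, remaining = [], list(vulns)
    for i, (name, keep) in enumerate(stages):
        remaining = [v for v in remaining if keep(v)]
        unit = GUIDED_COST if i == len(stages) - 1 else BASE_COST  # cheaper only at the last stage
        rows.append({"stage": name, "count": len(remaining), "unit_cost": unit,
                     "total": len(remaining) * unit})
    return rows

def kev_missed(vulns):
    """Caveat check: KEV-listed items the CVSS/EPSS stages drop before the KEV stage is reached."""
    return [v.vid for v in vulns if v.in_kev and not (v.cvss >= 6.0 and v.epss >= 0.60)]

SAMPLE = [  # constructed inputs
    Vuln("VULN-01", 9.8, 0.94, True, 40),   # survives every filter
    Vuln("VULN-02", 9.1, 0.75, True, 3),    # exploited, but only a few vendors run it
    Vuln("VULN-03", 8.2, 0.88, False, 25),  # likely exploited, not (yet) in KEV
    Vuln("VULN-04", 7.5, 0.12, False, 60),  # widespread but unlikely to be exploited
    Vuln("VULN-05", 6.0, 0.65, True, 12),   # on the CVSS boundary; kept
    Vuln("VULN-06", 5.9, 0.97, True, 50),   # KEV entry lost at the CVSS stage (see kev_missed)
    Vuln("VULN-08", 7.8, 0.60, False, 15),  # on the EPSS boundary; dropped at KEV
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE):
        print(f"{r['stage']:<26} {r['count']:>3}  ${r['unit_cost']:>6,}  ${r['total']:>7,}")
    print("missed KEVs:", kev_missed(SAMPLE))
```

VULN-06 shows the order-dependence caveat: a KEV entry scored just under CVSS 6.0 never reaches the KEV stage, which is why a check like kev_missed() is worth running alongside the filter before the short list goes to a vendor.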

And here’s where the win-win comes in. Because Black Kite provides detailed, actionable analysis, you’re not just tossing vendors a problem. Instead, they’re getting a roadmap. That cuts down their time on discovery, validation, testing, remediation, and compliance reporting.

So let’s rerun the math.

Instead of 470 vulnerabilities at $5,500 a pop ($2.585 million), now we’re looking at 25 vulnerabilities at $3,500 each.

That’s $87,500.

Still an investment, but a more realistic one. And far more likely to lead to an actual security improvement for a return on that investment.

Better Cybersecurity Is Better Business

This isn’t just about saving money, though let’s be honest, saving millions of dollars never hurts.

It’s about building better relationships. Stronger ecosystems. Real security improvements. When we stop throwing unrealistic demands at vendors and instead offer a path forward that makes sense, they’re far more likely to engage. To collaborate. To prioritize what matters.

And that’s the whole point. If we make it easier for vendors to be in compliance, if we make it easier for them to want to work with us, everyone wins. That’s how we build trust. That’s how we scale security. And that’s how we win friends and influence our third parties.

Want to see how it’s done? Download the slides shown in this blog that walk you through the process of filtering CVEs to decrease costs. And read the full research in our 2025 Supply Chain Vulnerability Report: Navigating a New Era of Managing Vulnerability Risk in Third Parties.
