
The End of Cyber Risk Ratings: Why TPCRM is the Future of Third-Party Risk

Published

Apr 2, 2026

Authors

Jessica Stanford


Introduction

You’ve probably heard of Cyber Risk Rating (CRR) platforms, also known as Security Ratings Services (SRS), and if you have, you’re familiar with their limitations. They set out to solve an important problem over a decade ago by providing a snapshot of a vendor’s public security posture, much like a credit score. However, these solutions were built for a different era. They focus on point-in-time security ratings and scores that lack the context needed to explain what is actually driving risk, which makes them difficult to operationalize as part of modern Third-Party Risk Management (TPRM) programs.

Key CRR/SRS Limitations

  • Limited transparency behind scores: Lack of clarity into how ratings are calculated and how high risk is defined reduces confidence in risk scores.
  • No risk context: Scores alone do not provide enough detail on what is truly driving risk and business impact, making it difficult to guide vendors on specific remediation actions.
  • Point-in-time visibility: Ratings provide a snapshot of risk at a given moment, while cyber risk is dynamic and continuously evolving. Update frequency varies by vendor and may lag by days.
  • Inefficient assessment processes: TPRM teams remain heavily burdened by manual vendor security assessments, a core TPRM function that traditional CRR does not address.
  • Limited visibility beyond 3rd parties: CRR platforms lack insight into broader supply chain dependencies, aka nth-party risk.

As the market, customer expectations, and TPRM programs have evolved, it has become clear that traditional CRR/SRS are no longer enough, driving the need for new solutions that better align with the needs of security and TPRM teams today.

Organizations Demand More Than a Rating

The demands on TPRM teams have expanded far beyond what ratings alone can support. To effectively tackle third-party risk, organizations now require broader use case support, including continuous monitoring, security questionnaire automation, Cyber Risk Quantification (CRQ), and capabilities aligned to External Attack Surface Management (EASM) and Continuous Threat Exposure Management (CTEM).

These expanding requirements have given rise to a new category that replaces CRR/SRS: Third-Party Cyber-Risk Management (TPCRM). This market represents a more comprehensive approach to addressing the full scope of third-party risk.

It is within this emerging category that meaningful differentiation, breakthrough innovation, and long-term market leadership will be established.

Market Validation: Gartner Perspective

The transition away from CRR/SRS to TPCRM is reflected in Gartner’s latest research. In one short year, Gartner retired SRS/CRR and replaced it with TPCRM.

In the 2024 Gartner® Hype Cycle™ for Cyber-Risk Management, Security Rating Services had reached the Slope of Enlightenment and was approaching the Plateau of Productivity (< 2 years), indicating that the market had a clear understanding of its practical value: what it can reliably solve, and what it cannot. By 2025, Security Rating Services had dropped off the Hype Cycle entirely and been replaced by Third-Party Cyber-Risk Management (TPCRM), an emerging market positioned in the Innovation Trigger phase, with a projected maturity horizon of more than 10 years. This placement reflects the growing complexity of managing cyber risk across the extended supply chain, far beyond what CRR/SRS alone could address.

Core TPCRM Capabilities Enable Expanded Use Cases

TPCRM delivers deeper intelligence and a broader set of use cases that enhance an organization’s ability to continuously manage risk across the extended supply chain. Key capabilities include:

  • Intelligence beyond the score: Delivering multi-dimensional insight into risk, including vulnerability exposure, threat activity, and ransomware susceptibility.
  • Trust and transparency: Aligning findings to recognized frameworks (e.g., MITRE, Open FAIR™) and providing clear visibility into how risk is measured.
  • Cyber Risk Quantification (CRQ): Translating technical risk into financial impact for executive and board-level decision-making.
  • AI scale and speed: Enabling continuous monitoring and rapid response to active threats across hundreds of thousands of vendors, while significantly reducing assessment timelines.
  • Vendor collaboration and remediation: Bridging the gap between identifying risk and actually reducing it through improved vendor engagement.
  • Extended supply chain visibility: Expanding beyond third parties to include fourth-, fifth-, and nth-party risk.

The Future is TPCRM

The end of CRR/SRS and the emergence of TPCRM represent a fundamental evolution in how organizations approach third-party risk, and one the market has demanded. Security ratings are not the be-all and end-all; they are just the tip of the iceberg. As third-party ecosystems grow more complex and threats become more dynamic, organizations need more than CRR/SRS can deliver.

Black Kite is aligned with this shift, recognized as a Sample Vendor for Third-Party Cyber-Risk Management in the Gartner® Hype Cycle™ for Cyber-Risk Management, 2025, reflecting the market’s move toward more transparent, evidence-based, and quantifiable risk intelligence. This is further supported by customer validation: Black Kite holds a 4.8 rating on Gartner® Peer Insights™, with 98% of customers willing to recommend the platform, the highest among its competitors.

To learn more about Black Kite's approach to TPCRM, reach out.