This glossary covers the terms that security practitioners, risk managers, procurement teams, and executives encounter across the TPRM/TPCRM ecosystem, from foundational concepts to advanced risk intelligence.
Loading glossary...
An Advanced Persistent Threat is a sophisticated, prolonged cyberattack in which an adversary gains unauthorized access to a network and remains undetected for an extended period. APT actors are typically nation-states or highly organized criminal groups targeting high-value organizations. In third-party cyber risk management, APT activity against a vendor represents a significant risk to any organization connected to that vendor's systems or data.
The Adversary Susceptibility Index is Black Kite's threat-actor monitoring capability. It maps specific threat actors and their known tactics, techniques, and procedures against a vendor's digital footprint to identify whether and how a named adversary could target that organization. Where the Ransomware Susceptibility Index® (RSI™) quantifies ransomware likelihood broadly, the ASI zeroes in on specific threat groups.
Artificial intelligence in third-party risk management refers to the application of machine learning, natural language processing, and automation to accelerate and improve vendor risk workflows. AI capabilities in TPCRM include automated document parsing, control gap analysis, risk scoring, questionnaire ingestion, and continuous monitoring at scale. Black Kite embeds AI throughout its platform, including the Black Kite Global Adaptive AI Assessment™ (BK-GA³™) framework, AI-powered document parsing in Cyber Assessments, and the AI Agent for autonomous TPCRM workflows.
An attack surface is the sum of all digital entry points an adversary could exploit in a target organization: exposed IP addresses, open ports, web applications, DNS records, subdomains, email servers, and more. In third-party cyber risk management, an organization's effective attack surface includes not just its own assets but those of every vendor with access to its systems or data.
Attack Surface Management is the continuous discovery, classification, and monitoring of an organization's externally exposed digital assets. In third-party cyber risk management, it is applied to vendors, identifying exposures in their external-facing infrastructure without requiring access to their internal systems. Black Kite performs outside-in Attack Surface Management across vendor portfolios on a continuous basis.
An attestation is a formal declaration by a vendor confirming that specific security controls are in place. Attestations are a standard component of questionnaire-based assessments but are self-reported, unlike outside-in technical ratings, which are independently observed.
The Bridge™ is Black Kite's vendor engagement product, a central location within the platform for managing collaboration across your entire vendor ecosystem. Users can send documents or assign tickets to third parties to gather additional information or resolve specific findings. The Bridge™ provides a single, auditable location to track and manage all vendor interaction.
A Business Continuity Plan is a documented framework defining how an organization will maintain or rapidly resume critical operations during and after a disruption, such as a cyberattack, natural disaster, or vendor failure. In third-party cyber risk management, evaluating a vendor's business continuity plan is a standard component of due diligence, as vendor failures can directly disrupt first-party operations. Also referenced as Business Continuity Planning.
Business interruption risk is the risk that a vendor failure, whether from a cyberattack, natural disaster, or operational failure, disrupts the first party's own business operations. It is one of three Factor Analysis of Information Risk (FAIR) model scenarios supported by Black Kite's Financial Impact Rating, alongside Data Breach and Ransomware, calculated using Environmental, Social, and Governance (ESG) factors and supply chain ransomware susceptibility.
Business resilience is the organizational capacity to anticipate, absorb, and recover from disruptions, including third-party cyber events. A mature third-party cyber risk management program is a prerequisite for genuine business resilience.
Cascading risk is the domino effect when a compromise at a fourth or fifth party travels downstream through supply chain relationships to your organization. Supply chain attacks targeting widely used software, such as SolarWinds, MOVEit, and Log4j, are textbook cascading risk events.
The California Consumer Privacy Act is a U.S. state privacy law granting California residents rights over the collection and use of their personal data. Organizations that share consumer data with third-party vendors must ensure those vendors handle data in compliance with CCPA requirements. It is one of the growing body of U.S. state-level privacy regulations that drive third-party risk management obligations.
In the Black Kite platform, the Compliance Score is a percentage reflecting how many recognized controls a company complies with out of the total number of controls identified through internet-facing documents, user-uploaded documents, and technical scans. The score increases when controls are found to be compliant, either through document review or technical scan detection. A higher score indicates fewer compliance gaps; a lower score highlights areas that need improvement. It can be calculated across all frameworks or for a specific selected framework.
The Completeness Score indicates the percentage of recognized controls, derived from internet-facing documents, user-uploaded documents, and technical scans, relative to the total expected controls in a given framework. It measures how comprehensive the data coverage is and highlights any gaps in control identification. A higher score means fewer gaps, as more controls are accounted for across both document analysis and technical scanning.
Compliance management is the organizational process of ensuring that a company and its vendors adhere to applicable laws, regulations, standards, and internal policies. In third-party cyber risk management, compliance management encompasses mapping vendor security controls to required frameworks, tracking remediation of compliance gaps, and maintaining documentation for audits and regulatory reviews. Black Kite's Compliance Rating automates much of this process by correlating technical findings and parsed documentation to controls across more than 20 frameworks.
A compliance rating is a measure of how well an organization's security posture aligns with established regulatory frameworks and industry standards such as the NIST Cybersecurity Framework, ISO 27001, PCI-DSS, HIPAA, SOC 2, GDPR, NIS2, and DORA. In third-party cyber risk management, compliance ratings help organizations evaluate whether vendors meet the regulatory and contractual obligations relevant to the business relationship. Black Kite's Compliance Rating correlates technical findings and parsed documentation to specific controls across mapped frameworks, providing both percentage scores and control-level gap analysis.
Concentration risk is the risk of overreliance on a single vendor, technology provider, or geographic region across your vendor ecosystem. When multiple critical operations depend on one underlying provider, such as a single cloud platform or one payment processor, any disruption to that provider creates a single point of failure with broad organizational impact.
Continuous monitoring is the ongoing, automated surveillance of a vendor's external security posture, as opposed to relying on point-in-time assessments. It surfaces new vulnerabilities, configuration changes, and emerging threats in near real time, replacing the inadequate "assess once a year" model that leaves organizations blind to changes between review cycles. Black Kite rescans vendor portfolios on a rolling basis and surfaces changes through FocusTags® and automated workflow alerts.
A contractor is a third party that provides services under a contractual engagement. The term is widely used in government and defense contexts, where contractors are often tiered as 1st-, 2nd-, 3rd-, and Nth-tier subcontractors.
A control gap analysis is the process of comparing an organization's or vendor's actual security controls against the requirements of a specific framework or standard, identifying where controls are absent, insufficient, or unverified. Traditionally performed manually through questionnaire review, control gap analysis is increasingly automated using AI-driven document parsing. Black Kite's Cyber Assessment module automates control gap analysis by parsing uploaded compliance documentation and mapping findings to frameworks.
Country risk is the risk arising from the geographic location of a vendor or supplier, encompassing factors such as geopolitical instability, conflict, sanctions regimes, natural disaster exposure, and the regulatory environment of the vendor's operating jurisdiction. Black Kite incorporates geopolitical mapping and Environmental, Social, and Governance (ESG) data into its risk assessments, enabling organizations to identify and monitor country-level risk across their vendor portfolio.
A critical vendor or critical third party is an external organization whose failure, compromise, or disruption would have a material impact on the first party's operations, revenue, regulatory standing, or data security. Identifying and classifying critical vendors is a foundational step in any third-party cyber risk management program, as these relationships require the most rigorous assessment, the most frequent monitoring, and the most detailed contractual protections.
Criticality tiering is the practice of classifying vendors into risk tiers, typically Critical, High, Medium, and Low, based on factors such as data access, system integration depth, regulatory scope, and potential business impact. Criticality tier determines assessment depth, monitoring frequency, and escalation thresholds. Also referred to as Vendor Tiering.
A Common Vulnerability and Exposure (CVE) is a standardized identifier for a publicly disclosed software vulnerability, maintained by MITRE and widely used across the security industry. Each CVE entry includes a description, severity score, and affected software versions, enabling organizations to identify and prioritize remediation. Black Kite maintains a CVE database and maps CVEs to specific vendors' digital footprints to identify which organizations are running vulnerable software versions and how exploitable those instances are.
The Common Vulnerability Scoring System is an open industry standard for assessing the severity of software vulnerabilities, maintained by the Forum of Incident Response and Security Teams (FIRST). CVSS scores range from 0 to 10, with higher scores indicating greater severity. Black Kite uses CVSS scores in calculating findings severity within its Cyber Rating and in prioritizing remediation guidance across vendor assessments.
A cyber ecosystem is the full network of organizations, systems, and data flows connected to your business, including your own infrastructure, your third parties, and their third parties. The entire planet’s cyber ecosystem is interconnected.Also referred to as Ecosystem or Vendor Ecosystem.
A cyber rating is a standardized measure of an organization's external cybersecurity posture, derived from observable data rather than self-reporting. Cyber ratings are used in third-party risk management to screen vendors, monitor posture over time, and prioritize remediation efforts. Black Kite's Cyber Rating expresses posture as letter grades (A through F) across 20 technical categories organized into four groups: Safeguard, Privacy, Resiliency, and Reputation. It is built on open standards including MITRE's Cyber Threat Susceptibility Assessment, Common Weakness Scoring System (CWSS), Common Weakness Risk Analysis Framework (CWRAF), and Common Vulnerability Scoring System (CVSS), making every output transparent, auditable, and defensible.
of digital systems, data security, or technology infrastructure. In third-party cyber risk management, cyber risk encompasses not only an organization's own exposure but also the risk introduced by vendors, suppliers, and other external parties with access to its systems or data.
A cyber risk assessment is a structured evaluation of an organization's cybersecurity exposures, controls, and vulnerabilities to identify and prioritize risks requiring remediation or mitigation. In third-party cyber risk management, cyber risk assessments are conducted on vendors to establish baseline risk, inform vendor tiering, and guide ongoing monitoring. Black Kite's Cyber Assessment module combines outside-in technical scanning with AI-powered document analysis to deliver rapid, comprehensive vendor assessments.
Cyber risk intelligence is the application of threat intelligence to a specific organization's ecosystem, producing findings that are actionable and directly relevant to that organization's vendor relationships and risk profile. Where threat intelligence describes the global threat landscape, cyber risk intelligence answers: which of my vendors are affected by this threat, and what is the probable business impact? Black Kite's risk intelligence outputs, including FocusTags®, the Vulnerability Intelligence Brief™ (VIB™), the Ransomware Susceptibility Index® (RSI™), and the Adversary Susceptibility Index™ (ASI™), are all forms of cyber risk intelligence.
Cyber Risk Quantification is the process of expressing cyber risk in financial terms, translating technical exposure into probable dollar-denominated loss. It enables security teams to communicate risk in the language of business, supporting executive decision-making and resource prioritization. Black Kite uses the Open FAIR™ (Factor Analysis of Information Risk) methodology to produce Financial Impact Ratings across three scenarios: Data Breach, Ransomware, and Business Interruption.
A cyber supply chain is the cybersecurity dimension of the broader supply chain, encompassing the digital dependencies, software components, managed services, and technology providers that flow through it. Also referred to as "digital supply chain."
Cyber Supply Chain Risk Management is the cybersecurity-specific dimension of supply chain risk management, focusing on threats and vulnerabilities that affect the technology and services flowing through contractor and supplier relationships. It is widely used in government and defense contexts and referenced in NIST Special Publication 800-161.
A cyber threat is any potential malicious act that could damage, disrupt, or gain unauthorized access to computer systems, networks, or data. Cyber threats include ransomware, phishing, data exfiltration, distributed denial-of-service attacks, insider threats, and supply chain attacks. In third-party cyber risk management, understanding the cyber threats most likely to affect vendor ecosystems is foundational to prioritizing assessments and monitoring.
Dark web monitoring is the practice of surveilling dark web forums, marketplaces, and hacker communities for intelligence relevant to an organization's security posture, such as leaked credentials, stolen data, ransomware group activity, and discussions of specific targets or vulnerabilities. In third-party cyber risk management, dark web monitoring provides early warning of threats that may not yet be visible through technical scanning. Black Kite's data collection includes dark web and deep web sources, and FocusTags® surface dark web intelligence relevant to specific vendors in a portfolio.
A data breach is a security incident in which unauthorized parties gain access to, steal, or expose sensitive, confidential, or protected information. In third-party cyber risk management, vendor data breaches are a primary concern because vendors with access to first-party systems or customer data can become the vector through which that data is compromised. Black Kite's Data Breach Index (DBI) tracks vendors' historical breach records as part of a complete risk picture.
The Data Breach Index is a Black Kite index that provides a historical performance score based on a company's past data breach events. It measures breach severity using the volume of records compromised and the recency of each incident, giving organizations a clear signal of a vendor's breach track record alongside forward-looking technical ratings.
Data breach risk is the risk that a vendor incident results in unauthorized access to or exposure of sensitive data belonging to the first party or its customers. It is one of the three Factor Analysis of Information Risk (FAIR) model scenarios in Black Kite's Financial Impact Rating.
Data exfiltration is the unauthorized transfer of data from an organization's systems to an external destination controlled by a threat actor. It is a common objective in targeted cyberattacks and a frequent outcome of ransomware and advanced persistent threat campaigns. In third-party cyber risk management, vendors with access to sensitive first-party data represent a potential exfiltration pathway if their systems are compromised.
A digital footprint is the complete set of externally observable digital assets associated with an organization: IP addresses, domains, subdomains, DNS records, open ports, web applications, and cloud infrastructure. Establishing an accurate digital footprint is the first step in any outside-in vendor risk assessment, as it defines the scope of what is monitored. Black Kite establishes a vendor's digital footprint from a single top-level domain, automatically discovering associated assets before assessing them.
The Digital Operational Resilience Act is a European Union regulation effective January 2025 requiring financial services firms to manage information and communications technology (ICT) third-party risk systematically, including concentration risk, contractual requirements, and incident reporting for critical technology providers. DORA has elevated third-party cyber risk management from best practice to regulatory obligation for European financial institutions and their global supply chains.
Due diligence is the process of thoroughly investigating a vendor's security posture, compliance status, financial health, and operational practices before entering a contractual relationship, and on a recurring basis thereafter. It has traditionally relied on questionnaires; modern third-party cyber risk management combines questionnaire-based and outside-in technical evidence for a complete, independent picture.
External Attack Surface Management is the discipline of assessing and managing only the assets visible from outside an organization's perimeter. The "external" qualifier distinguishes it from broader ASM programs that may include internal network scanning or agent-based monitoring. In vendor risk management, EASM is the enabling methodology behind outside-in assessments, as it requires no credentials or internal access from the vendor being assessed.
Within the Black Kite platform, Ecosystems are also used to organize collections of monitored companies into logical groups, for example by risk tier ("Critical Vendors") or business function ("Finance," "IT"). By default, Black Kite provides a "My Companies" Ecosystem. See: Cyber Ecosystem.
In the Black Kite platform, a Company or Entity is a specific real-world organization tracked by its associated top-level domain. The top-level domain initiates the external scanning process that discovers and builds the organization's digital footprint. Companies and Entities are the core unit of the Black Kite platform.
ESG risk refers to Environmental, Social, and Governance factors that can affect a vendor's operational continuity, including climate-related disruptions, geopolitical instability, labor disputes, and governance failures. ESG risk is increasingly incorporated into third-party risk assessments alongside cybersecurity posture. Black Kite incorporates ESG risk data into its Business Interruption Factor Analysis of Information Risk (FAIR) scenario to model non-cyber disruption factors alongside technical cyber risk.
The extended enterprise is the full network of vendors, partners, contractors, and Nth parties whose performance and security posture affect the first party's risk profile. Managing the extended enterprise requires visibility beyond direct vendor relationships into the supply chain beneath them.
Factor Analysis of Information Risk is the only internationally recognized standard quantitative model for information security and operational risk. It provides a framework for expressing cyber risk in financial terms by modeling Loss Event Frequency and Probable Loss Magnitude. Unlike qualitative risk frameworks that rely on color charts or weighted scales, FAIR produces dollar-denominated outputs that support direct business comparisons and decision-making. Black Kite integrates FAIR-based financial quantification directly into the platform, producing probable financial impact ratings across Data Breach, Ransomware, and Business Interruption scenarios. Open FAIR™ is an industry standard, not proprietary to any single vendor.
A financial impact rating is a measure of a vendor's probable financial risk exposure, expressed in dollar terms using the Factor Analysis of Information Risk (FAIR) methodology. Financial impact ratings translate technical cyber risk into business-language outputs that executives and boards can act on. In Black Kite, the Financial Impact Rating is displayed on the Company Summary Dashboard alongside the Cyber Rating and Compliance Rating.
A finding is a specific vulnerability, misconfiguration, or control gap identified during a security scan or review. Findings are the granular building blocks of risk assessments, typically categorized by severity and mapped to remediation guidance. In the Black Kite platform, a Finding is a specific cybersecurity control item or vulnerability identified during scanning and monitoring, categorized and assessed for impact, severity, and output status (passed or failed), typically scored using industry standards like the Common Weakness Scoring System (CWSS) or Common Vulnerability Scoring System (CVSS).
The first party is your own organization, the entity bearing ultimate legal and financial responsibility for what happens within your cyber ecosystem. To your customers and partners, you are their third party.
First-party risk management is the practice of assessing and managing cybersecurity risks within your own organization's systems and infrastructure, as distinct from the risks introduced by external vendors and partners. Black Kite supports first-party risk management as a secondary use case, enabling organizations to scan their own external-facing assets and see exactly what an attacker or potential third-party assessor would observe.
FocusTags® are dynamic risk intelligence tags within the Black Kite platform that bridge global threats to your specific vendor ecosystem, down to the asset level. They are automatically assigned in the wake of significant cyber events like ransomware campaigns or newly disclosed Common Vulnerabilities and Exposures (CVEs), immediately surfacing which vendors in your portfolio are exposed. Users can also create custom tags to organize vendors by criteria such as personally identifiable information (PII) access or system integration depth. FocusTags® are a critical component of continuous monitoring, transforming raw threat intelligence into actionable, contextualized risk intelligence.
A fourth party is a vendor's vendor, an organization that provides services to your third parties, creating an indirect dependency for your organization. Fourth-party risk is difficult to manage because there is typically no direct contractual relationship with these entities. See also: Nth Party.
Fourth-party risk management is the practice of identifying, mapping, and monitoring the vendors that your direct third parties rely on. Effective fourth-party risk management requires contractual flow-down requirements, Nth-party visibility tools, and continuous monitoring of the extended supply chain.
The General Data Protection Regulation is a European Union regulation governing the collection, storage, and processing of personal data of EU residents. Under GDPR, organizations are responsible for ensuring that their processors (vendors) handle personal data lawfully. Third-party data breaches can trigger GDPR liability for the first party. GDPR compliance mapping is one of the frameworks supported in Black Kite's Compliance Rating.
Governance, Risk, and Compliance is the broader organizational discipline of which third-party cyber risk management is a part. GRC platforms such as ServiceNow and OneTrust often integrate with TPCRM tools to embed cyber risk ratings and compliance data into enterprise risk workflows.
The Health Insurance Portability and Accountability Act is a U.S. federal law establishing national standards for the protection of sensitive patient health information. Organizations that share protected health information (PHI) with third-party vendors are required to execute Business Associate Agreements (BAAs) and verify that those vendors maintain appropriate safeguards. HIPAA compliance is a critical dimension of third-party risk management for healthcare organizations and their supply chains. Black Kite's Compliance Rating maps vendor security controls to HIPAA requirements.
Incident response is the structured process an organization follows to detect, contain, eradicate, and recover from a cybersecurity incident. A mature incident response program includes defined roles, escalation paths, communication protocols, and post-incident review processes. In third-party cyber risk management, evaluating a vendor's incident response capabilities is a standard due diligence consideration, as a vendor's ability to detect and respond to breaches directly affects the first party's risk exposure. Black Kite supports incident-driven reassessment workflows, enabling organizations to rapidly evaluate vendor exposure following a significant cyber event.
Inherent risk is the level of risk a vendor poses before any security controls are applied, determined by factors like data access, system criticality, regulatory scope, and integration depth. It is the starting point for vendor assessment and tiering, establishing how much risk a relationship introduces before any mitigating measures are considered. See also: Residual Risk.
An insider threat is a security risk originating from within an organization, typically from current or former employees, contractors, or business partners who have authorized access to systems or data. Insider threats may be malicious, such as data theft or sabotage, or unintentional, such as accidental data exposure. In third-party cyber risk management, insider threats at a vendor organization represent a risk pathway that external scanning alone cannot fully address.
An Indicator of Compromise is observable evidence that an organization's systems may have been compromised, such as known malicious IP addresses, domains, file hashes, or network signatures. Indicators of Compromise are used by security teams to detect breaches, investigate incidents, and block known threats. Black Kite's ThreatTrace™ product delivers Indicator of Compromise detection capabilities across vendor portfolios.
ISO 27001 is an internationally recognized standard for information security management systems, published by the International Organization for Standardization. Certification demonstrates that an organization has implemented a structured, audited approach to managing information security risks and is a common compliance benchmark in vendor due diligence. Black Kite's Compliance Rating maps observed technical controls to ISO 27001 requirements.
The Known Exploited Vulnerabilities catalog is maintained by the Cybersecurity and Infrastructure Security Agency (CISA) and lists Common Vulnerabilities and Exposures (CVEs) that have been confirmed as actively exploited in real-world attacks. Known Exploited Vulnerability status significantly elevates the urgency of a vulnerability, as a CVE that attackers are actively using demands faster remediation than one that is merely disclosed. Black Kite surfaces KEV-tagged findings in vendor assessments.
Key Risk Indicators are measurable metrics used to provide early warning signals of increasing risk exposure, enabling organizations to take proactive action before risks materialize into incidents. In third-party cyber risk management, KRIs might include a vendor's Ransomware Susceptibility Index® (RSI™) score, the number of critical unpatched vulnerabilities, changes in compliance rating, or financial impact thresholds. Tracking KRIs across a vendor portfolio supports continuous monitoring and escalation workflows.
Leaked credentials are username and password combinations or authentication tokens that have been exposed through data breaches and are available on dark web forums, paste sites, or criminal marketplaces. They are a primary ransomware and account takeover entry vector. Assessed in Black Kite's Privacy group under the Leaked Credentials category.
Loss Event Frequency is a Factor Analysis of Information Risk (FAIR) model component representing how often a loss event is expected to occur within a given timeframe. It is one of two core inputs to financial risk quantification, alongside Loss Magnitude. In Black Kite's Business Interruption scenario, Loss Event Frequency incorporates Environmental, Social, and Governance (ESG) risk scores and supply chain ransomware susceptibility across the vendor portfolio.
Malware is malicious software designed to disrupt, damage, or gain unauthorized access to computer systems. Common categories include viruses, worms, trojans, ransomware, spyware, and adware. Malware delivered through compromised vendor systems or software updates is a primary supply chain attack vector in third-party cyber risk management.
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics, techniques, and procedures based on real-world observations of cyberattacks, maintained by MITRE. It is widely used across the security industry for threat modeling, detection engineering, red team exercises, and vendor risk assessment methodology.
The NIS2 Directive is the European Union's updated Network and Information Systems directive, expanding cybersecurity obligations to more sectors and requiring organizations to address supply chain security practices. NIS2 compliance is driving third-party cyber risk management investment across EU-regulated industries and their global supplier networks.
The NIST Cybersecurity Framework is one of the most widely adopted voluntary frameworks for managing cybersecurity risk, published by the National Institute of Standards and Technology. It defines five core functions, Identify, Protect, Detect, Respond, and Recover, and is a standard reference point for third-party cyber risk management programs. Black Kite maps compliance findings to NIST CSF controls.
NIST Special Publication 800-161 is the National Institute of Standards and Technology's dedicated guidance on Cyber Supply Chain Risk Management practices, widely referenced in government and defense procurement contexts.
Non-intrusive scanning is a vendor assessment methodology that collects information about an organization's external security posture using only passive, publicly available data sources — without sending traffic directly to the target's systems or requiring any credentials or cooperation from the vendor. This approach enables continuous, scalable monitoring of large vendor portfolios without risk of disruption or the need for vendor permission. Black Kite's assessments are entirely non-intrusive, relying on internet-wide scanners, DNS records, Open Source Intelligence (OSINT), and proprietary data sources to build a complete picture of each vendor's external exposure.
An Nth party is an entity that provides services to your third parties, encompassing fourth parties, fifth parties, and beyond. Nth-party risk refers to the cumulative exposure created by the extended ecosystem of vendors your vendors depend on. Software-as-a-service (SaaS) companies often refer to an Nth party as a "sub-processor."
Offboarding is the formal process of ending a vendor relationship in a controlled manner: revoking access to systems and data, fulfilling contractual obligations, and assessing residual risk. A defined offboarding process is a critical and frequently overlooked component of the third-party cyber risk management lifecycle.
Onboarding is the process of formally introducing a new vendor into an organization's risk management program, including initial due diligence, risk tiering, baseline assessment, and contract execution. Efficient onboarding is a key measure of third-party cyber risk management program maturity.
Open FAIR™ is the publicly available version of the Factor Analysis of Information Risk standard, maintained by The Open Group as an international standard for cyber risk quantification. It provides a taxonomy and measurement model for analyzing and quantifying information risk in financial terms. Black Kite's Financial Impact Rating is built on Open FAIR™, making its risk quantification methodology transparent, standards-based, and independently verifiable rather than a proprietary black box.
An open standards-based cyber rating is Black Kite's approach to vendor risk assessment. Ratings are built on publicly documented open standards, including MITRE frameworks, Common Vulnerability Scoring System (CVSS), Common Weakness Scoring System (CWSS), and Factor Analysis of Information Risk (FAIR), making every output transparent, auditable, and defensible. Contrast with proprietary "security scores," which rely on black-box methodologies that can be difficult to explain or act on.
Operational risk is the risk of loss resulting from inadequate or failed processes, people, or systems, including failures caused by third-party vendors. It is distinct from but connected to cybersecurity risk in a comprehensive third-party risk management program.
Open Source Intelligence is publicly available information gathered from internet-wide scanners, DNS records, web archives, dark web forums, hacker forums, and other open sources. It is the foundation of outside-in vendor risk assessment, enabling security teams to evaluate a vendor's exposure without direct access to their systems. Black Kite's data lake is continuously updated by a network of collectors, crawlers, and honeypots aggregating Open Source Intelligence at scale.
An outside-in assessment is a vendor risk assessment approach that evaluates an organization's security posture using only externally observable data, without requiring access to internal systems or relying on self-reported answers from the vendor. Outside-in assessments provide independent, continuously updated evidence of actual security posture. Contrast with inside-out assessment, which is questionnaire-based and self-reported. Black Kite's Cyber Rating is built entirely on outside-in methodology.
Patch management is the organizational practice of identifying, acquiring, testing, and deploying software updates to remediate known vulnerabilities. Effective patch management is consistently cited as one of the highest-impact controls for preventing ransomware and data breaches. It is one of Black Kite's 20 technical assessment categories and one of the most heavily weighted, as unpatched systems are a primary ransomware and breach entry vector.
The Payment Card Industry Data Security Standard is the security standard governing organizations that handle credit card data, maintained by the Payment Card Industry Security Standards Council. It places explicit requirements on third-party service providers and is a common compliance framework in vendor assessments for financial and retail organizations.
Phishing is a social engineering attack in which an adversary impersonates a trusted entity to deceive individuals into revealing credentials, clicking malicious links, or transferring funds. Phishing is one of the most common initial access vectors in both ransomware attacks and data breaches. In third-party cyber risk management, vendor employees are frequent phishing targets, making email security controls a key dimension of outside-in vendor assessment.
A probable financial impact rating is a dollar-denominated measure of a vendor’s probable loss exposure, calculated using Open FAIR™ methodology across Data Breach, Ransomware, and Business Interruption scenarios. See: Financial Impact Rating.
A security questionnaire is a structured set of questions sent to a vendor to collect self-reported information about their security controls, compliance status, and risk practices. Security questionnaires are a foundational tool in vendor due diligence, though their accuracy depends on honest and complete vendor responses. Common frameworks include the Standardized Information Gathering questionnaire (SIG) and the Cloud Security Alliance's Consensus Assessments Initiative Questionnaire (CAIQ). Best practice combines questionnaire evidence with outside-in technical ratings for a complete, independently verified picture.
Ransomware Ransomware is a category of malware that encrypts a victim's data or systems and demands payment for restoration. It is the most operationally destructive form of cyberattack targeting third-party ecosystems, with supply chain attack vectors that can propagate from a compromised vendor to multiple downstream organizations simultaneously.
The Ransomware Susceptibility Index® is Black Kite's proprietary predictive index for the likelihood of a specific organization being successfully hit by a ransomware attack. It correlates technical control findings, dark web intelligence, ransomware entry method modeling, company size, industry, and country of operation. RSI outputs range from 0 to 1, with higher values indicating greater susceptibility.
Regulatory risk is the risk that a vendor's noncompliance with applicable laws and regulations exposes the first party to regulatory penalties, enforcement actions, or reputational harm. Key regulations driving third-party cyber risk management programs include the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Digital Operational Resilience Act (DORA), NIS2, U.S. Securities and Exchange Commission cybersecurity disclosure rules, and U.S. state-level data breach notification laws.
Remediation is the process of correcting a security finding or control gap: patching a vulnerability, tightening a configuration, or implementing a missing control. In third-party cyber risk management, remediation may occur at the vendor level or through compensating controls at the first-party level. Black Kite supports remediation tracking and vendor collaboration through The Bridge™.
Reputational risk is the risk of damage to an organization's standing with customers, partners, investors, and regulators resulting from a third-party security incident or compliance failure. It is one of four category groups in Black Kite's Cyber Rating, covering Reputation, Web Ranking, and Fraudulent Domain categories.
Residual risk is the level of risk that remains after security controls have been applied. The difference between inherent risk and residual risk reflects the effectiveness of a vendor's security program. Risk acceptance decisions are made against residual risk, not inherent risk.
Risk acceptance is a formal decision by risk management or executive leadership to acknowledge a known risk and take no further action to mitigate it, typically because the cost of mitigation exceeds the expected value of risk reduction, or the residual risk falls within the organization's defined risk tolerance. Risk acceptance must be documented.
Risk appetite is the level of risk an organization is willing to accept in pursuit of its business objectives. It defines the outer boundary for third-party cyber risk management decisions, including which vendor relationships to enter, what risk tiers to establish, and what residual risk is acceptable.
Risk intelligence is the practice of mapping global threats against a specific organization's ecosystem to produce actionable, contextualized findings, as distinct from broad threat intelligence, which describes the threat landscape in general terms. It answers the question: does this global threat affect my vendors, and if so, how? Black Kite's risk intelligence outputs include FocusTags®, the Vulnerability Intelligence Brief™ (VIB™), the Ransomware Susceptibility Index® (RSI™), the Adversary Susceptibility Index™ (ASI™), and Financial Impact Ratings.
Threat intelligence describes what is happening across the global threat landscape: which adversaries are active, which vulnerabilities are being exploited, and which attack campaigns are underway. Risk intelligence maps that global picture against a specific organization's ecosystem to produce findings that are directly actionable: which of my vendors are exposed to this threat, and what is the probable financial impact? The distinction is the difference between information about the world and information about your world. Black Kite delivers both, with threat intelligence surfaced through dark web monitoring and its CVE database, and risk intelligence delivered through FocusTags®, the Vulnerability Intelligence Brief™ (VIB™), and Financial Impact Ratings.
Risk mitigation is the process of taking actions to reduce the likelihood or impact of an identified risk. In third-party cyber risk management, risk mitigation strategies include requiring vendors to remediate specific vulnerabilities, implementing compensating controls at the first-party level, adjusting the scope of a vendor's access to sensitive systems, or in some cases terminating the vendor relationship. Risk mitigation decisions are typically made in the context of a vendor's inherent risk, residual risk, and the first party's risk appetite.
Risk posture is the current state of an organization's or vendor's cybersecurity controls, vulnerabilities, and exposures at a given point in time. It is dynamic, changing as new vulnerabilities emerge, patches are applied, infrastructure evolves, and the threat landscape shifts. Continuous monitoring is required to maintain an accurate view.
Risk quantification is the practice of converting qualitative risk assessments, typically expressed as high, medium, low, into numerical, financially comparable outputs. It applies across all risk disciplines: operational, financial, reputational, and cyber. See: Cyber Risk Quantification.
Risk tolerance is the maximum level of risk variability an organization is willing to accept before taking action. It defines the day-to-day operating boundaries within which risk management decisions are made.
A Software Bill of Materials is a formal, machine-readable inventory of all software components, libraries, and dependencies included in a software product. SBOMs enable organizations to identify whether specific open-source or third-party components are affected by newly disclosed vulnerabilities. In third-party cyber risk management, SBOM transparency is increasingly requested from software vendors as part of supply chain security due diligence, particularly following high-profile supply chain attacks targeting widely used software components.
Supply Chain Risk Management is the practice of managing risks across the supply chain required to build, deliver, and maintain products or services. It is used widely in manufacturing, wholesale and retail, and government sectors where physical and cyber supply chains intersect.
Security posture is the current state of an organization’s cybersecurity controls, vulnerabilities, and exposures at a given point in time. See: Risk Posture. The two terms are used interchangeably in third-party cyber risk management contexts.
Security ratings are standardized, continuously updated measures of an organization's cybersecurity posture, derived from externally observable data. Black Kite differentiates its approach by building ratings exclusively on open standards — MITRE frameworks, Common Vulnerability Scoring System (CVSS), Common Weakness Scoring System (CWSS), and Factor Analysis of Information Risk (FAIR) — making outputs transparent and defensible rather than based on proprietary, black-box scoring methodologies.
Security ratings and security scores are terms often used interchangeably in the market, but they reflect meaningfully different approaches. Security scores typically refer to proprietary, black-box outputs where the underlying methodology is not publicly documented, making them difficult to explain, challenge, or act on. Security ratings, in Black Kite's definition, are built on open, auditable standards that allow organizations to understand exactly how a rating was derived and what specific findings are driving it. The distinction matters when organizations need to justify risk decisions to auditors, regulators, or boards.
Shadow IT refers to technology, software, or services used by employees or business units without formal approval from IT or security. Shadow IT vendors can exist outside the formal vendor inventory and third-party cyber risk management program, creating unmonitored exposure. Vendor discovery tools surface shadow IT relationships as part of a complete vendor inventory.
The Standardized Information Gathering questionnaire is a comprehensive vendor due diligence tool developed by Shared Assessments, widely adopted across industries as a standard template for collecting self-reported information on a vendor's security controls and risk practices. It is designed to be scalable across vendor tiers and risk levels.
SOC 2 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) evaluating a service organization's controls around security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type II reports, covering a defined operating period, are a standard vendor compliance deliverable requested during due diligence.
The Strategy Report is a Black Kite output that provides vendors with a prioritized remediation roadmap of specific, asset-level action items to improve their security posture. It translates findings into an actionable plan, enabling vendors to understand exactly what to fix and in what order.
A sub-processor is a vendor that processes data on behalf of a data processor, the processor's own vendor. The term is widely used in software-as-a-service (SaaS) and cloud contexts. Under the General Data Protection Regulation (GDPR) and similar regulations, organizations are responsible for ensuring their sub-processors comply with applicable data protection requirements. Equivalent to a fourth party in a data processing context.
A supplier is a third party that provides the raw materials, components, or specialized inputs required to create a product or service. While a supplier may provide physical goods, a cyberattack targeting a critical supplier can halt operations even when no digital systems at the first party are directly compromised.
A supply chain is the linear path of third parties required to build, deliver, and maintain a specific product or service. In cybersecurity contexts, supply chain risk refers to threats introduced through compromised components, software updates, managed service providers, or hardware suppliers that flow downstream to dependent organizations.
A supply chain attack is a cyberattack that targets an organization indirectly by compromising a trusted vendor, software update, or component in that organization's supply chain. Notable examples include SolarWinds (2020), Kaseya (2021), and the MOVEit campaign (2023).
Supply chain security is the set of policies, controls, and practices an organization uses to manage cyber risks across its supply chain — including hardware, software, managed services, and data processing relationships. It encompasses vendor due diligence, contractual security requirements, continuous monitoring, and incident response planning for supply chain disruptions. Black Kite's platform supports supply chain security programs through its Supply Chain Module, Nth-party visibility capabilities, and continuous outside-in monitoring of vendor ecosystems.
A third party is any external entity that has a business relationship with your organization. Also referred to as a "vendor," "contractor," or "supplier," depending on the industry context.
A third-party breach is a security incident in which an organization's data, systems, or operations are compromised through a vulnerability or failure at one of its external vendors or partners rather than through a direct attack. Third-party breaches are among the most damaging and costly cyber incidents because they exploit the trust relationships between organizations and their vendors, often bypassing the first party's own security controls entirely. Continuous monitoring and outside-in vendor assessment are the primary defenses against third-party breach exposure.
Third-Party Cyber Risk Management is the specialized discipline of identifying, assessing, monitoring, and managing cybersecurity risks introduced by third-party vendors, suppliers, and service providers. It is Black Kite's primary market category and its named positioning within the Gartner® Hype Cycle™.
Third-Party Risk Management is the broader organizational practice of managing all categories of risk introduced by external vendors and partners, including cybersecurity, operational, financial, compliance, reputational, and geopolitical risk. Third-Party Cyber Risk Management (TPCRM) operates within TPRM. When the conversation is specifically about cyber risk, TPCRM is the more precise term.
A threat is an external or internal force with the potential to exploit a vulnerability and cause harm: a ransomware group, a nation-state phishing campaign, an insider threat, or a natural disaster. Threats cannot be controlled, only anticipated, detected, and responded to.
A threat actor is an individual, group, or nation-state that conducts cyberattacks. Understanding which threat actors are active, what vulnerabilities they prefer, and whether your vendors are exposed to their known tactics, techniques, and procedures is the domain of adversary monitoring. Black Kite's Adversary Susceptibility Index™ (ASI™) maps named threat actors to specific vendor exposures.
Threat intelligence is the collection of data about specific threat actors, active attack campaigns, exploited vulnerabilities, and adversary methods. It describes what is happening across the broader threat landscape and informs defensive strategy, but must be mapped to a specific ecosystem to become actionable. See also: Risk Intelligence vs. Threat Intelligence.
ThreatTrace™ is Black Kite's Indicator of Compromise (IOC) detection product, identifying whether a vendor's infrastructure has been associated with known malicious activity.
3D Risk is Black Kite's approach to measuring vendor risk across three complementary dimensions simultaneously: (1) Cyber Rating, the technical security posture expressed as letter grades across 20 categories; (2) Probable Financial Impact Rating, the likely dollar-denominated loss using Factor Analysis of Information Risk (FAIR) methodology; and (3) Compliance Rating, the degree of alignment with recognized standards and frameworks. Together, these three dimensions provide a complete picture of vendor risk that serves both security practitioners and business executives.
In the Black Kite platform, a Ticket is an assigned finding on a specific asset that requires action from a third party, either through patching their own systems or responding within The Bridge™. Tickets enable structured, trackable remediation workflows across the vendor ecosystem.
The TPCRM Lifecycle is the end-to-end process for managing third-party cyber risk across a vendor relationship, from initial due diligence and onboarding through continuous monitoring, periodic reassessment, remediation, and eventual offboarding. A mature Third-Party Cyber Risk Management lifecycle is systematic, documented, repeatable, and supported by automated tooling.
A vendor is a third party that provides a finished product or service consumed to maintain daily business operations.
A vendor ecosystem is the specific set of third-party relationships an organization actively manages, the vendors under contract, the data flows between them, and the risk each introduces. Where cyber ecosystem describes the full interconnected digital world, a vendor ecosystem is the slice of it your organization is directly responsible for assessing, monitoring, and governing. See: Cyber Ecosystem.
A vendor inventory is a centralized, maintained record of all third-party relationships, including vendor names, services provided, data access levels, contract details, risk tier classifications, and assessment status. A complete vendor inventory is the foundational prerequisite of any third-party cyber risk management program.
Vendor lifecycle management is the organizational capability (people, policies, and technology) that ensures third-party relationships are consistently governed from initiation to termination. Where the TPCRM lifecycle describes the process steps, vendor lifecycle management describes the program infrastructure that makes those steps repeatable at scale. See: TPCRM Lifecycle.
Vendor offboarding is the security-critical discipline of ensuring that a terminated vendor relationship leaves no residual exposure. Incomplete offboarding is one of the most common and least visible sources of third-party risk, as former vendors may retain access to systems or data long after a contract ends without either party recognizing the exposure. See: Offboarding.
Vendor onboarding is the point in the vendor lifecycle where the quality of your risk data is established. The thoroughness of initial due diligence, the accuracy of risk tier assignment, and the completeness of baseline assessment at onboarding determine how well the organization understands the risk it is accepting, and how effectively it can monitor and respond to changes throughout the relationship. See: Onboarding.
A vendor risk assessment is a structured evaluation of a third party's cybersecurity posture, compliance status, and operational practices to determine the level of risk the vendor introduces to the first party's organization. Vendor risk assessments may combine outside-in technical scanning, questionnaire-based evidence collection, and AI-powered document analysis. The depth and frequency of assessment is typically calibrated to the vendor's criticality tier. Black Kite's Cyber Assessment module accelerates vendor risk assessments by automating document parsing, control gap analysis, and framework mapping.
Vendor Risk Management is a term often used interchangeably with Third-Party Risk Management (TPRM), though it typically emphasizes procurement and contracting dimensions more heavily. TPRM and Third-Party Cyber Risk Management (TPCRM) cast a wider net across cybersecurity, compliance, operational, and reputational risk.
Vendor risk response is the set of actions an organization takes after identifying a risk in its vendor ecosystem: requesting remediation from the vendor, implementing compensating controls, adjusting the vendor's access or scope, escalating to executive leadership, or accepting the risk within defined tolerance levels. Effective vendor risk response requires clear ownership, structured communication with the vendor, and auditable tracking of outcomes. Black Kite's The Bridge™ is designed to streamline vendor risk response by providing a centralized, documented channel for remediation workflows between first parties and their vendors.
Vendor risk tiering is the application of criticality classification to risk treatment decisions, determining not just how much assessment effort a vendor receives, but what risk responses are appropriate if that vendor's posture deteriorates. A vendor's risk tier sets the threshold at which findings trigger escalation, remediation requirements, or contract review. See: Criticality Tiering.
Vendor tiering is the mechanism by which third-party cyber risk management programs allocate assessment and monitoring resources proportionally, ensuring that vendors with the greatest potential impact receive the most rigorous scrutiny, while lower-risk relationships are managed efficiently without over-investment. Without tiering, programs either under-assess critical vendors or waste resources on low-risk relationships. See: Criticality Tiering.
A vulnerability is a specific weakness in a system, application, or configuration that could be exploited by a threat actor to cause harm. Vulnerabilities are typically identified as Common Vulnerabilities and Exposures (CVEs) and scored for severity using the Common Vulnerability Scoring System (CVSS). The presence of a vulnerability does not automatically constitute risk; risk is the product of vulnerability, threat likelihood, and potential impact.
A vulnerability assessment is a systematic review of a system, network, or application to identify, classify, and prioritize security weaknesses. Unlike penetration testing, which attempts to actively exploit vulnerabilities, a vulnerability assessment focuses on discovery and cataloging. In third-party cyber risk management, Black Kite's outside-in scanning performs continuous vulnerability assessment across vendor digital footprints without requiring direct system access or vendor cooperation.
The Vulnerability Intelligence Brief is a Black Kite intelligence product that identifies which vendors in a portfolio are running software affected by a specific Common Vulnerability and Exposure (CVE) or vulnerability campaign, and how exploitable those instances actually are. It is your ecosystem view of a broader threat, answering the operational question: of all my vendors, who is actually exposed to this threat right now?
A workflow engine is an automation capability within a third-party cyber risk management platform that detects defined risk conditions and triggers prescribed actions, such as alerts, ticket creation, or notifications to integrated tools, without manual intervention. Workflow automation is essential for scaling continuous monitoring across large vendor portfolios. In the Black Kite platform, the Workflow Engine detects conditions across specific companies or entire ecosystems, such as a Ransomware Susceptibility Index® (RSI™) score crossing a threshold, a new failed finding appearing after a scan, or financial impact exceeding a set value, and takes prescribed actions such as notifying users via email or SMS, opening tickets, or sending webhook messages to integrated tools.
A zero-day vulnerability is one that is actively exploited by attackers before the software vendor has released a patch, meaning there is zero time between discovery and exploitation. Zero-day vulnerabilities represent the highest urgency tier in patch management and continuous monitoring programs because no official fix exists at the time of exploitation.