Vendor
A vendor is a type of third party that provides a finished product or service that an organization consumes to maintain its daily operations. Vendors deliver ready-to-use outputs: software platforms, cloud services, managed services, payment processing, identity management. Because vendors are deeply embedded in an organization's operating environment, a compromised vendor is one of the most common and damaging sources of cyber risk.
How is a vendor different from a supplier or contractor?
The distinction comes down to what they provide and how closely integrated they are with your operations. A vendor delivers a finished, consumable product or service. A supplier provides inputs that go into something you produce. A contractor performs defined work, often on-site or with direct system access.
In practice, the risk profile of a vendor is shaped by depth of access, not the label. A SaaS vendor with an API integration into your CRM system has a fundamentally different risk posture than a vendor who only invoices you quarterly. The questions that matter in cybersecurity are specific: What data does this vendor access? Which of your systems connect to theirs? What happens to your operations if they are compromised or go offline?
Manufacturing and retail organizations often use "vendor" specifically to mean IT vendor, because in their industries the word is typically associated with technology products rather than physical goods. Public sector organizations may use "contractor" where other industries would say vendor.
Why are vendors a primary vector for third-party cyber risk?
Vendors sit at the intersection of access and trust. When an organization onboards a vendor, it grants that vendor a degree of access to systems, data, or networks. That access is usually necessary for the vendor relationship to function. It also means that if the vendor is breached, that access becomes a pathway into your environment.
The MOVEit breach made this visible at scale. A zero-day vulnerability in a single vendor's file-transfer product, used by hundreds of organizations across government, finance, healthcare, and retail, was exploited by attackers who never had to target the downstream organizations directly. They targeted the software those organizations trusted, and the trust did the rest.
This pattern repeats regularly: an attacker compromises a vendor, and the vendor's access becomes the attacker's access. Black Kite research shows the average compromised vendor creates downstream exposure for 5.28 additional organizations. At enterprise scale, where an organization might have hundreds of active vendors, the cumulative risk is substantial.
What makes a vendor high-risk versus low-risk?
Vendor risk is not uniform. A vendor with read-only access to non-sensitive data is categorically different from a vendor with administrative privileges over your production systems or access to your customers' personal data. Risk tiering is the practice of classifying vendors by the potential impact a compromise would create for your organization.
The factors that typically elevate a vendor's risk tier include access to sensitive or regulated data, integration depth (API connections, network access, system administration), criticality to business continuity, whether the vendor relies on high-risk fourth parties, and the vendor's own security posture. Vendor risk assessment tools evaluate these factors before a vendor is onboarded and track them continuously afterward.
A vendor's risk tier determines how much scrutiny they receive: how often they are assessed, what documentation is required, and what remediation is expected before or after an issue is identified.
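The tiering logic described above can be made explicit so that the same vendor always lands in the same tier and the reasons are auditable. The following is an added example written for this page, not Black Kite's scoring model or any product's code: the factor weights, thresholds, the 0-100 posture scale and the review cadences are illustrative assumptions, and the sample vendors are constructed. It scores impact (data sensitivity, integration depth, business criticality, risky fourth parties) separately from the vendor's observed posture, lets poor posture raise a tier but never lower it, and applies a hard floor for administrative access and regulated data so an additive score cannot quietly under-tier them.

```python
"""Illustrative vendor risk tiering (added example, not Black Kite's model)."""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    # Lower value = more severe, so "raise one step" is value - 1.
    CRITICAL = 1
    HIGH = 2
    MEDIUM = 3
    LOW = 4


@dataclass(frozen=True)
class VendorProfile:
    name: str
    data_sensitivity: str       # "none" | "internal" | "confidential" | "regulated"
    integration: str            # "none" | "api" | "network" | "admin"
    business_critical: bool     # an outage halts a core business process
    risky_fourth_parties: bool  # vendor depends on high-risk fourth parties
    posture_score: int          # assumed 0-100 outside-in posture, higher is better


# Illustrative weights and thresholds (assumptions); tune to your own impact model.
DATA_WEIGHT = {"none": 0, "internal": 1, "confidential": 3, "regulated": 4}
INTEGRATION_WEIGHT = {"none": 0, "api": 1, "network": 2, "admin": 4}
CRITICALITY_WEIGHT = 3
FOURTH_PARTY_WEIGHT = 1
POOR_POSTURE_THRESHOLD = 50
REVIEW_CADENCE_DAYS = {Tier.CRITICAL: 30, Tier.HIGH: 90, Tier.MEDIUM: 180, Tier.LOW: 365}


def impact_score(v: VendorProfile) -> int:
    """What a compromise of this vendor would cost us, independent of the vendor's own hygiene."""
    score = DATA_WEIGHT[v.data_sensitivity] + INTEGRATION_WEIGHT[v.integration]
    if v.business_critical:
        score += CRITICALITY_WEIGHT
    if v.risky_fourth_parties:
        score += FOURTH_PARTY_WEIGHT
    return score


def assign_tier(v: VendorProfile) -> Tier:
    s = impact_score(v)
    if s >= 7:
        tier = Tier.CRITICAL
    elif s >= 4:
        tier = Tier.HIGH
    elif s >= 2:
        tier = Tier.MEDIUM
    else:
        tier = Tier.LOW

    # Observed posture only raises scrutiny, never lowers it: a weak external
    # posture moves the vendor up one tier regardless of impact score.
    if v.posture_score < POOR_POSTURE_THRESHOLD and tier is not Tier.CRITICAL:
        tier = Tier(tier.value - 1)

    # Hard floor: administrative access or regulated data is never below HIGH,
    # whatever the additive score says.
    floored = v.integration == "admin" or v.data_sensitivity == "regulated"
    if floored and tier.value > Tier.HIGH.value:
        tier = Tier.HIGH
    return tier


def review_plan(vendors):
    """Map each vendor name to (tier, review cadence in days), most severe first."""
    plan = {}
    for v in vendors:
        tier = assign_tier(v)
        plan[v.name] = (tier, REVIEW_CADENCE_DAYS[tier])
    return dict(sorted(plan.items(), key=lambda kv: kv[1][0].value))


# Constructed sample vendors for illustration (not real organizations).
SAMPLE_VENDORS = [
    VendorProfile("crm-saas", "confidential", "api", True, False, 82),
    VendorProfile("payment-processor", "regulated", "api", True, True, 91),
    VendorProfile("invoice-portal", "internal", "none", False, False, 70),
    VendorProfile("marketing-analytics", "internal", "api", False, False, 41),
    VendorProfile("dev-tooling-admin", "none", "admin", False, False, 88),
]

if __name__ == "__main__":
    for name, (tier, days) in review_plan(SAMPLE_VENDORS).items():
        print(f"{name:22s} {tier.name:9s} review every {days} days")
```

Two design points matter more than the particular numbers. Impact and posture are kept separate because a vendor that is sloppy but holds nothing of yours is not the same problem as a vendor that is well run but holds your customer records; mixing them into one number hides which one you are looking at. And the floor exists because additive scores fail at the edges: a vendor with admin access to "non-sensitive" tooling scores only 4 here, which is exactly the kind of vendor that should not be allowed to drift into a yearly review.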
How do organizations assess and monitor vendor cyber risk?
The traditional approach to vendor cyber risk relies on annual questionnaires and point-in-time assessments. It is no longer sufficient. A vendor's security posture changes continuously. A configuration error, an unpatched vulnerability, or a credential appearing on the dark web can create material exposure overnight, well before any scheduled review cycle. Vendor risk monitoring addresses this by providing ongoing, automated visibility into the technical security posture of each vendor in your ecosystem.
Effective vendor cyber risk management combines outside-in technical assessment with inside-out documentation review. The outside-in view captures what can be observed about a vendor's security posture from external signals. The inside-out view collects evidence of controls directly from the vendor. Black Kite's platform uses technical signals across hundreds of risk categories to produce a continuous picture of each vendor's risk posture, without relying solely on what vendors self-report.
When a vendor shows elevated risk, vendor risk response workflows enable the downstream organization to act: notify the vendor, request remediation, or escalate based on predefined risk thresholds.
What does vendor risk look like at scale?
Enterprise organizations routinely manage hundreds or thousands of active vendor relationships. At that scale, manual review of every vendor is not feasible. The programs that work at scale share several characteristics: they use risk tiering to concentrate oversight on the highest-impact vendors, they automate continuous monitoring so that emerging issues surface without waiting for a scheduled review, and they use standardized workflows to handle vendor communication and remediation tracking consistently.
The core question is not just how to assess each vendor. It is how to know when something changes and how to respond faster than the attacker can move. That is what continuous third-party cyber risk management is designed to answer.
See also: AI for TPRM: Filter the Noise in 24/7 Risk Monitoring