Actionable Intelligence
How FocusTags® Work in the Real World
What Are FocusTags®?
A FocusTag® links a global threat to a specific vendor's asset-level exposure. It signals that a vulnerability is discoverable, exploitable, and impacts your supply chain. A FocusTag® is not another score. It is a signal to act.
FocusTags® cover four categories of risk events:

- Data Breach Tags
- Ransomware Tags
- High-Profile Cyber Event Tags
- KEV Tags
Each tag is assigned only when a vulnerability clears strict discoverability and exploitability thresholds, ensuring that what reaches your team is signal, not noise.
Why FocusTags® Matter
Traditional TPRM has long relied on vendors to self-report vulnerabilities and incidents. FocusTags® eliminate that dependency. Rather than asking a vendor "Are you affected?", FocusTags® allow you to say: "We've identified a high-risk vulnerability on your systems. Here is the evidence, and here are the steps to remediate it." That shift — from question to assertion, from reactive to declarative — is what makes FocusTags® operationally different from a rating or score.
2025 FocusTag Summary
In 2025, the Black Kite Research Group applied 158 FocusTags covering more than 329 related Common Vulnerabilities and Exposures (CVEs). To ensure actionable precision, each tag is categorized by confidence level: Very High (50), High (93), and Medium (15).
From CVEs Analyzed to FocusTags Applied: Monthly Breakdown (2025)
CVEs with Applied FocusTags
Speed: FocusTag Release vs. Exploitation Timeline
In modern Third-Party Cyber Risk Management (TPCRM), time is the ultimate metric. Relying solely on the CISA Known Exploited Vulnerabilities (KEV) catalog means reacting to threats that are already compromising networks. Black Kite’s intelligence provides a measurable head start.
FocusTag Release Time vs. Exploitation Timeline

In 2025, Black Kite applied a FocusTag for 95.2% of OSINT-discoverable vulnerabilities before they were added to the KEV catalog or within 24 hours of their addition. This proactive approach gives organizations a head start, allowing them to mitigate risks before vulnerabilities are widely exploited. For organizations utilizing this intelligence, the implication is clear: you gain advance warning to secure your perimeter and mandate vendor remediation long before a vulnerability becomes a globally recognized crisis.
Accuracy: Beyond CVSS and EPSS
Relying exclusively on standard scoring systems leaves blind spots. The Black Kite Research Group routinely tagged CVEs even when their initial CVSS was rated medium, or when their initial EPSS score was low, because real-world threat actor interest indicated an imminent escalation. Accuracy is achieved by tracking multiple dynamic attributes rather than static scores.
The Four Signals Behind Every FocusTag®
Community/underground mentions
Public PoC availability
Observed threat actor exploitation
KEV catalog inclusion
Transparency: Confidence Levels
Confidence levels help Third-Party Cyber Risk Management (TPCRM) teams calibrate their response strategies, because not all exposure carries the same degree of certainty.
FocusTag® confidence differs from individual CVE confidence, as a single tag often covers multiple related CVEs. The Black Kite Research Group assigns these levels using AI-powered automation to collect intelligence, combined with rigorous human researcher validation. When standard Open-Source Intelligence (OSINT) techniques do not suffice, our vulnerability researchers identify special digital signatures to definitively detect exposed versions.
The final confidence level is assigned by evaluating three distinct inputs:
Version Depth
Compares how much version detail Black Kite can see via OSINT against the exact depth required to identify the vulnerable iteration.
Configuration Dependency
Assesses whether exploitation requires a non-default setup.
Access Requirement
Determines if the attacker needs prior system access to execute the exploit.
If exploitation requires specific, non-default configurations or prior system access, the overall confidence level is automatically lowered. Based on these combined inputs, FocusTags are categorized into three action-oriented levels:
- Very High:
  - Evidence: The vulnerable version is directly confirmed via OSINT.
  - Action: Initiate immediate vendor outreach.
- High:
  - Evidence: The product is definitively identified, most deployed versions are vulnerable, and there are no restrictive configuration or access requirements.
  - Action: Prioritize the vendor in the next assessment cycle.
- Medium:
  - Evidence: The product is identified but version confirmation is limited, or exploitation requires a specific configuration or prior system access.
  - Action: Monitor the situation and confirm exposure before engaging.
FocusTag® Confidence Levels: Quick Reference
- Medium: Product identified, subset vulnerable. Action: Monitor, confirm.
- High: Product identified, most versions vulnerable. Action: Prioritize next cycle.
- Very High: Vulnerable version confirmed. Action: Immediate outreach.
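The three inputs above can be read as a small decision procedure for a vendor findings queue. The sketch below is an added example, not Black Kite's implementation: the `Finding` fields, the "first fixed release" version model, and the rule that any configuration or access requirement yields Medium are assumptions made for illustration.

```python
from dataclasses import dataclass

ACTION = {"Very High": "immediate vendor outreach",
          "High": "prioritize in next assessment cycle",
          "Medium": "monitor and confirm exposure"}
ORDER = list(ACTION)  # highest confidence first

@dataclass
class Finding:  # constructed record shape, not a Black Kite schema
    vendor: str
    observed: str            # version detail visible via OSINT, e.g. "9.1"
    first_fixed: str         # assumption: every release below this is vulnerable
    most_deployed_vulnerable: bool = False
    needs_nondefault_config: bool = False
    needs_prior_access: bool = False

def parse(version):
    return tuple(int(p) for p in version.split(".") if p)

def exposure(observed, first_fixed):
    seen, fixed = parse(observed), parse(first_fixed)
    prefix = fixed[:len(seen)]       # compare only at the depth we can see
    if seen < prefix:
        return "vulnerable"          # below the fix at the visible depth
    if seen > prefix or len(seen) >= len(fixed):
        return "patched"
    return "unknown"                 # e.g. "9.1" seen, fix is "9.1.4"

def confidence(f):
    state = exposure(f.observed, f.first_fixed)
    if state == "patched":
        return None                  # no exposure, so nothing to rate
    if f.needs_nondefault_config or f.needs_prior_access:
        return "Medium"              # assumed reading of "automatically lowered"
    if state == "vulnerable":
        return "Very High"
    return "High" if f.most_deployed_vulnerable else "Medium"

def triage(findings):
    rated = [(f.vendor, c, ACTION[c]) for f in findings if (c := confidence(f))]
    return sorted(rated, key=lambda r: ORDER.index(r[1]))

SAMPLE = [  # constructed findings
    Finding("vendor-a", "9.1", "9.1.4", most_deployed_vulnerable=True),
    Finding("vendor-b", "9.0.7", "9.1.4"),
    Finding("vendor-c", "9.1.2", "9.1.4", needs_prior_access=True),
    Finding("vendor-d", "9.1", "9.1.4"),
    Finding("vendor-e", "9.2.0", "9.1.4"),
]
```

`triage(SAMPLE)` drops the patched vendor and orders the rest by confidence, so a banner that exposes only "9.1" never outranks one that proves a vulnerable release.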
Confidence Level Distribution of FocusTags in 2025
This intelligence-driven methodology revealed a highly volatile threat landscape in 2025, punctuated by a significant surge in high-priority vulnerabilities during the second half of the year. September (19), October (28), November (15), and December (19) all demonstrated elevated activity. October marked the absolute peak for the year, demonstrating the critical need for automated, high-confidence alerts to cut through sudden spikes in supply chain risk.
Product and Vendor Concentration
Mapping the 2025 FocusTags reveals exactly where attackers are finding success. The top product clusters targeted by high-priority, discoverable vulnerabilities heavily involve infrastructure and edge devices:
- Microsoft
- F5
- Ivanti
- Tridium (OT/ICS)
- SonicWall
- Long Tail (Others)
A critical emerging trend is the appearance of Operational Technology (OT) and Industrial Control System (ICS) products, notably Tridium and Sauter AG, proving that supply chain risk is rapidly extending into physical infrastructure. Despite major vendor dominance, 36.7% of tagged risk lies in the Long Tail (niche products and smaller vendors).
FocusTags identify the exposure. The next step is getting vendors to act.
The next section outlines how to transform intelligence into remediation through targeted vendor engagement.