Next Steps
What TPCRM Leaders Must Do Now to Defend the Supply Chain from Vulnerabilities
OVERVIEW
The data from 2025 is definitive: traditional, reactive vendor risk management is obsolete. To secure the modern supply chain, organizations must operationalize the intelligence gathered over the past year and fundamentally shift their defensive posture.
Key Lessons from 2025

Prioritization is non-negotiable
With 48,000+ CVEs published globally in a single year, attempting to track and patch everything is mathematically impossible.
Third-Party Cyber Risk Management (TPCRM) programs must abandon raw volume and focus ruthlessly on what actually matters: real-world exploitability, OSINT discoverability, and direct vendor exposure.

Speed is the new battlefield
The remediation window has collapsed. An average time-to-exploitation of -7 days (that is, exploitation on average beginning a week before a patch is available) proves that attackers are actively weaponizing flaws before patches even exist. Periodic, point-in-time vendor assessments are no longer sufficient to defend against this velocity.
Continuous monitoring consistently outperforms periodic assessments and is the only way to detect and outpace imminent threats.

AI is a new variable, not a replacement
Artificial intelligence is actively expanding the attack surface and introducing massive blind spots, such as Shadow AI and exposed agentic infrastructure. However, traditional vulnerabilities still dominate active exploitation.
Update your vendor assessments to account for the AI supply chain by adding AI-specific questions, but do not let novel threats distract from core vulnerability hygiene.

Collaboration beats interrogation
Mass emails and generic compliance questionnaires guarantee low response rates, vendor friction, and delayed mitigation.
Providing vendors with actionable, evidence-based risk intelligence consistently outperforms adversarial interrogation. Organizations must focus on tracking actual remediation metrics rather than simply measuring questionnaire response rates.
Recommended Actions
Immediate (Next 30 Days)
- Review vendor exposure: Immediately assess your ecosystem's exposure to the Top 20 CVEs ranked by company match rate to identify widespread systemic risks.
- Update vendor assessments: Add the three mandatory AI supply chain questions to all new and recurring assessments to uncover undisclosed generative AI use and agentic infrastructure.
- Identify critical exposure: Pinpoint specific vendors currently running systems afflicted with OSINT-discoverable, critical vulnerabilities.
Short-Term (Next Quarter)
Strategic (Next 12 Months)
- Shift to continuous risk hunting: Fully replace periodic compliance checklists with a proactive, continuous risk-hunting methodology.
- Integrate AI visibility: Embed complete AI supply chain tracking into the core of your TPCRM program to eliminate shadow risk blind spots.
- Benchmark remediation: Track, measure, and actively require improvements in the time it takes your vendors to remediate critical flaws.
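The following is an added worked example, not Black Kite's code or data from this report, showing how the Key Lessons and the actions above translate into a triage routine: CVEs are ranked by real-world exploitability, OSINT discoverability and vendor exposure (company match rate) instead of raw volume, time-to-exploitation is derived per CVE so that a negative value is visible, vendors with open critical OSINT-discoverable flaws are listed, and remediation speed is benchmarked per vendor. Every vendor name, CVE identifier (the CVE-EXAMPLE-* values) and date is a constructed placeholder.

```python
# Added illustration of the triage described above; not Black Kite code.
# All vendor names, CVE ids and dates are constructed placeholders.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One CVE observed on one vendor's externally visible systems."""
    vendor: str
    cve: str                      # placeholder id, not a real CVE
    critical: bool
    exploited_in_wild: bool       # e.g. present in a known-exploited catalogue
    osint_discoverable: bool      # visible to an outsider without any access
    disclosed: date               # public disclosure / patch availability
    first_exploited: Optional[date]
    remediated: Optional[date]    # None = still open


# Constructed sample ecosystem of four vendors.
TOTAL_VENDORS = 4
FINDINGS = [
    Finding("VendorA", "CVE-EXAMPLE-0001", True, True, True, date(2025, 3, 1), date(2025, 2, 22), date(2025, 3, 21)),
    Finding("VendorB", "CVE-EXAMPLE-0001", True, True, True, date(2025, 3, 1), date(2025, 2, 22), None),
    Finding("VendorC", "CVE-EXAMPLE-0001", True, True, True, date(2025, 3, 1), date(2025, 2, 22), date(2025, 3, 11)),
    Finding("VendorA", "CVE-EXAMPLE-0002", True, False, True, date(2025, 4, 10), None, None),
    Finding("VendorD", "CVE-EXAMPLE-0002", True, False, True, date(2025, 4, 10), None, date(2025, 5, 10)),
    Finding("VendorB", "CVE-EXAMPLE-0003", False, True, False, date(2025, 5, 1), date(2025, 5, 15), date(2025, 6, 1)),
    Finding("VendorD", "CVE-EXAMPLE-0003", False, True, False, date(2025, 5, 1), date(2025, 5, 15), date(2025, 5, 20)),
    Finding("VendorA", "CVE-EXAMPLE-0004", True, False, False, date(2025, 6, 1), None, None),
    Finding("VendorB", "CVE-EXAMPLE-0004", True, False, False, date(2025, 6, 1), None, None),
    Finding("VendorC", "CVE-EXAMPLE-0004", True, False, False, date(2025, 6, 1), None, None),
    Finding("VendorD", "CVE-EXAMPLE-0004", True, False, False, date(2025, 6, 1), None, date(2025, 6, 5)),
]


def company_match_rates(findings, total_vendors):
    """Fraction of the vendor ecosystem on which each CVE is observed."""
    vendors_per_cve = defaultdict(set)
    for f in findings:
        vendors_per_cve[f.cve].add(f.vendor)
    return {cve: len(v) / total_vendors for cve, v in vendors_per_cve.items()}


def rank_by_volume(findings, total_vendors):
    """The raw-volume view the lessons argue against: most widespread CVE first."""
    rates = company_match_rates(findings, total_vendors)
    return sorted(rates, key=lambda c: (-rates[c], c))


def rank_by_risk(findings, total_vendors):
    """Exploited-in-the-wild first, then OSINT-discoverable, then breadth of exposure."""
    rates = company_match_rates(findings, total_vendors)
    exploited, osint = defaultdict(bool), defaultdict(bool)
    for f in findings:                       # a CVE counts if any vendor instance qualifies
        exploited[f.cve] |= f.exploited_in_wild
        osint[f.cve] |= f.osint_discoverable
    return sorted(rates, key=lambda c: (not exploited[c], not osint[c], -rates[c], c))


def time_to_exploitation(findings):
    """Days from disclosure to first observed exploitation, per CVE.
    Negative means the flaw was exploited before a patch existed."""
    return {f.cve: (f.first_exploited - f.disclosed).days
            for f in findings if f.first_exploited is not None}


def mean_time_to_exploitation(findings):
    days = time_to_exploitation(findings)
    return mean(days.values()) if days else None


def vendor_remediation_metrics(findings, as_of):
    """Per vendor: mean days to close critical flaws, open criticals, and the oldest open one."""
    closed, open_days = defaultdict(list), defaultdict(list)
    for f in findings:
        if not f.critical:
            continue
        if f.remediated is None:
            open_days[f.vendor].append((as_of - f.disclosed).days)
        else:
            closed[f.vendor].append((f.remediated - f.disclosed).days)
    return {v: {"mean_days_to_remediate": mean(closed[v]) if closed[v] else None,
                "open_critical": len(open_days[v]),
                "max_days_open": max(open_days[v], default=0)}
            for v in sorted({f.vendor for f in findings})}


def critical_osint_exposures(findings):
    """Vendors currently running systems with open, critical, OSINT-discoverable flaws."""
    exposed = defaultdict(list)
    for f in findings:
        if f.critical and f.osint_discoverable and f.remediated is None:
            exposed[f.vendor].append(f.cve)
    return {v: sorted(c) for v, c in sorted(exposed.items())}


if __name__ == "__main__":
    print("by volume:", rank_by_volume(FINDINGS, TOTAL_VENDORS))
    print("by risk:  ", rank_by_risk(FINDINGS, TOTAL_VENDORS))
    print("TTE days: ", time_to_exploitation(FINDINGS))
    print("remediation:", vendor_remediation_metrics(FINDINGS, date(2025, 7, 1)))
    print("exposed:  ", critical_osint_exposures(FINDINGS))
```

On the sample data the volume ranking puts the CVE present at every vendor (CVE-EXAMPLE-0004, neither exploited nor OSINT-visible) first, while the risk ranking drops it to last and promotes the exploited, OSINT-discoverable flaw; the remediation metrics make the vendor with no closed criticals and the oldest open exposure stand out, which is the evidence-based view the report recommends bringing to vendor conversations.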
Cyber risks do not exist in isolation, and neither should your vulnerability management strategy. The organizations that thrive in 2026 and beyond will be those that move from reactive patching to proactive intelligence, from generic questionnaires to targeted collaboration, and from siloed assessments to continuous visibility across their entire supply chain.
Black Kite was built for this threat landscape.
The platform continuously monitors your entire vendor ecosystem, surfaces exploitable vulnerabilities before they become incidents, and gives your team the evidence-based intelligence to drive real vendor remediation, not just questionnaire responses.
In a world where attackers move faster than disclosure, waiting is no longer a strategy. Black Kite gives your team the edge to stay ahead.
Understand the methodology of this report and dig into the deeper data.