Introducing FocusTags™
Black Kite’s Approach to Actionable Vulnerability Intelligence
From High-Risk CVEs to Actionable Intelligence
Not every vulnerability warrants the same level of attention. While previous sections focused on prioritization through OSINT discoverability, exploitability, and high-impact zones, this section shifts toward how TPRM professionals can operationalize this intelligence with FocusTags™, Black Kite’s approach to surfacing the vulnerabilities that truly demand action (the missing link in TPRM).
By leveraging FocusTags, TPRM professionals cut through the noise, focusing on vulnerabilities that are discoverable, actively exploited, and spreading across their third-party ecosystem. Instead of chasing thousands of CVEs, FocusTags deliver clarity—helping organizations pinpoint and mitigate vendor risks before they become a crisis.
But FocusTags are more than just an intelligence layer—they empower Risk Hunting, a proactive approach to Third-Party Risk Management (TPRM), akin to Threat Hunting in Cyber Threat Intelligence (CTI).
Instead of waiting for an incident, TPRM teams can actively search for vendors exposed to the most exploitable vulnerabilities before attackers do.
Beyond CVSS & EPSS: How Black Kite Prioritizes Risk
A high CVSS score doesn’t always mean a vulnerability is a top priority. Likewise, EPSS predicts exploitation likelihood but can change over time. That’s why Black Kite’s FocusTags go further, analyzing vulnerabilities using multiple dimensions, including:
- CISA KEV inclusion: Has the vulnerability already been exploited in the wild?
- Public exploit availability: Are proof-of-concept (PoC) exploits readily available?
- Threat actor interest: Has it been mentioned in underground forums or used in attack campaigns?
- Community discussions: Is there a surge in security researchers analyzing it?
- Zero-day status: Is it newly disclosed with limited patches available?
- Supply chain impact: Does it affect widely used products with third-party exposure?
These cumulative risk indicators allow TPRM teams to detect not just the most severe vulnerabilities, but also the ones most likely to be exploited in real-world attacks.
Attributes of High-Priority OSINT-Discoverable CVEs

This chart shows that out of 295 high-priority OSINT-discoverable CVEs, 166 have at least one of the following attributes:
- Mentioned in the community
- Public exploit PoC
- Exploitation by threat actors
- In KEV
79 of these vulnerabilities have all four attributes, making them highly likely to be exploited by threat actors and posing the most risk. On the other hand, 28 of these vulnerabilities have only a single attribute: being mentioned in community discussions among security researchers. We still take them into consideration, but their impact on risk will be lower. More attributes mean more impact (depending on the nature of the attributes).

Looking at these attributes is part of the filtering process that ensures FocusTags highlight only the vulnerabilities that represent immediate risks to an organization’s vendor ecosystem.
Now let’s look at the CVSS and EPSS (at the time of analysis of a CVE) of high-priority OSINT-discoverable vulnerabilities. Black Kite provided a FocusTag even for a medium-level CVSS and/or low EPSS vulnerability, considering its potential for exploitation due to the other attributes we track. Most of these vulnerabilities eventually ended up in CISA’s KEV catalog. Thus, the additional attributes, combined with our own research into vulnerability exploitation, help us identify a potential high-priority vulnerability proactively.
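To make the multi-dimensional prioritization described above concrete (the six attribute dimensions, the "more attributes, more impact" observation, and the point that a medium-CVSS, low-EPSS CVE can still deserve a tag), here is an added Python example. It is not Black Kite's code; the weights, the tagging threshold, and the sample CVE records (with placeholder IDs) are constructed assumptions, since the page does not disclose the actual FocusTag scoring model.

```python
"""Attribute-based CVE prioritization (added illustration, not Black Kite's model).

Each CVE carries a CVSS base score, an EPSS probability and a set of boolean
attributes mirroring the dimensions on the page. The priority score is
CVSS + 10*EPSS + weighted attribute sum, so evidence of real-world
exploitation can lift a medium-severity CVE above a high-CVSS one that
nobody is exploiting.
"""
from dataclasses import dataclass, field

# Constructed weights (assumption): in-the-wild evidence (KEV, threat actor use,
# public PoC) weighs more than community chatter, reflecting the page's remark
# that impact depends on the nature of the attributes.
ATTRIBUTE_WEIGHTS = {
    "in_kev": 4.0,
    "public_poc": 3.0,
    "threat_actor_interest": 3.0,
    "community_discussion": 1.0,
    "zero_day": 2.0,
    "supply_chain_impact": 2.0,
}

# The four attributes the chart on the page counts per CVE.
CHART_ATTRIBUTES = ("community_discussion", "public_poc",
                    "threat_actor_interest", "in_kev")

# Constructed tagging threshold (assumption), on a scale where CVSS and EPSS
# contribute up to 10 each and attributes up to 15.
TAG_THRESHOLD = 12.0


@dataclass
class CveRecord:
    cve_id: str
    cvss: float                      # CVSS base score, 0-10
    epss: float                      # EPSS probability, 0-1
    attributes: dict = field(default_factory=dict)


def attribute_score(rec: CveRecord) -> float:
    """Weighted sum of the attributes that are present."""
    return sum(w for name, w in ATTRIBUTE_WEIGHTS.items() if rec.attributes.get(name))


def attribute_count(rec: CveRecord) -> int:
    """How many of the four charted attributes the CVE has (0-4)."""
    return sum(1 for name in CHART_ATTRIBUTES if rec.attributes.get(name))


def priority_score(rec: CveRecord) -> float:
    """CVSS and EPSS normalised to 0-10 each, plus the attribute score."""
    return round(rec.cvss + rec.epss * 10.0 + attribute_score(rec), 2)


def should_tag(rec: CveRecord, threshold: float = TAG_THRESHOLD) -> bool:
    """Tagging decision: only CVEs with enough combined evidence get a tag."""
    return priority_score(rec) >= threshold


def rank(records: list) -> list:
    """Highest-priority CVEs first."""
    return sorted(records, key=priority_score, reverse=True)


# Constructed sample records with placeholder CVE IDs (not real CVEs).
SAMPLE_CVES = [
    # Critical CVSS, but no sign anyone is exploiting it.
    CveRecord("CVE-EXAMPLE-1", cvss=9.8, epss=0.02),
    # Medium CVSS and low EPSS, yet in KEV with a public PoC and threat actor use.
    CveRecord("CVE-EXAMPLE-2", cvss=6.5, epss=0.05, attributes={
        "in_kev": True, "public_poc": True,
        "threat_actor_interest": True, "community_discussion": True}),
    # High CVSS with only researcher chatter behind it.
    CveRecord("CVE-EXAMPLE-3", cvss=7.5, epss=0.01,
              attributes={"community_discussion": True}),
]


def ranked_ids(records: list = SAMPLE_CVES) -> list:
    return [r.cve_id for r in rank(records)]


if __name__ == "__main__":
    for rec in rank(SAMPLE_CVES):
        print(f"{rec.cve_id}: score={priority_score(rec)} "
              f"attrs={attribute_count(rec)} tag={should_tag(rec)}")
```

Running it ranks CVE-EXAMPLE-2 first even though its CVSS and EPSS are the lowest of the three, which is the behaviour the page describes for tagged medium-CVSS vulnerabilities; the weights are the knob a team would tune against its own outcome data (for example, how often each attribute preceded KEV inclusion).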
Initial CVSS Levels of CVEs Covered by Black Kite FocusTags
Initial EPSS Values of CVEs Covered by Black Kite FocusTags
For more information on CVEs, the ability to filter them by CVSS and EPSS, and to see corresponding Black Kite FocusTags, visit blackkite.com/cve-database.
Risk Hunting in TPRM
Traditionally, TPRM has been reactive—organizations rely on vendors to self-report vulnerabilities, assess risks manually, and respond to incidents after the damage is done. That approach is outdated.

Black Kite’s Risk Intelligence page allows TPRM professionals to actively hunt for risks in their ecosystem.
With Black Kite’s Risk Intelligence page, TPRM professionals can actively hunt for risks in their ecosystem, just like CTI teams do with threat hunting:
- See all vulnerabilities across third parties, whether OSINT-discoverable or not.
- Filter vulnerabilities by key attributes (EPSS, CVSS, KEV, exploitability score).
- Track initial vs. current exposure of third parties to determine remediation effectiveness.
- Assess why a CVE did or did not receive a FocusTag with full transparency.
- Initiate vendor outreach directly from the platform, armed with detailed vulnerability insights.
With this level of visibility, TPRM teams can shift from passive risk monitoring to active risk hunting—spotting and mitigating threats before attackers weaponize them.

Black Kite’s Vulnerability Cards show all information related to a specific vulnerability, including which vendors are most susceptible and questions to ask them.
Which Products, Industries, and Regions Are Most at Risk?
A vulnerability’s impact is not just about its technical details—it’s about who is affected. FocusTags map vulnerabilities across 250,000 continuously monitored companies for analysis of product concentration, geographical exposure, and industry breakdown.
Product Concentration: Are Certain Vendors More Vulnerable?
We analyzed the vendors of vulnerable products to see concentration around certain hardware or software vendors with high-priority OSINT-discoverable vulnerabilities.
Vendor-Based Analysis of CVE Counts by Black Kite
Key takeaways:
- Open-source projects accounted for the highest concentration of tagged vulnerabilities, followed by Microsoft, Ivanti, and Apache.
- However, the number of vulnerabilities a vendor has does not indicate which ones should be prioritized.
- Focusing only on one vendor (e.g., Microsoft) is not an effective TPRM strategy—supply chain risks are distributed across multiple software producers.
Who is Most Affected? Geographic & Industry Breakdown
FocusTags are not just about the vulnerability itself—they provide intelligence on who is at risk. Our analysis of 250,000 continuously monitored companies reveals where these high-priority vulnerabilities are concentrated.
Concentration of High-priority Vulnerabilities
Industry Distribution of Companies Suspected to Have High-Priority OSINT-Discoverable Vulnerabilities vs. Industry Distribution of Ransomware Victims in 2024
Key takeaways:
- 56.4% of the affected companies are in the U.S.
- Professional & Technical Services and Manufacturing are the most impacted industries.
- These industries also top the list of 4,900 ransomware victims in 2024, proving that threat actors prioritize exploiting these vulnerabilities in sectors where attacks yield high financial and operational impact.
This is not a coincidence. The overlap between FocusTag vulnerabilities and ransomware victims confirms that attackers strategically target the most exposed and valuable organizations. The top 10 industries in both graphs almost overlap, except for a couple of industries, such as construction.
How TPRM Teams Use FocusTags in Black Kite
FocusTags provide an operational advantage by integrating into Black Kite’s platform, allowing security teams to:
- Filter vendors by specific tags to see which third parties are suspected of having critical vulnerabilities. For example, see which vendors have Ivanti Connect Secure RCE, PAN-OS vulnerabilities, or Apache Tomcat RCE.
- Assess initial and current exposure to track how a vulnerability propagates across the supply chain. Track exposure over time to assess remediation progress and prioritize vendor outreach based on real-world exploitability.
- Get vendor-specific intelligence, including affected assets, risk context, and recommended remediation steps. Each FocusTag provides asset-level details, references, and remediation guidance, giving security teams exactly what they need to act.

Black Kite users can filter vendors by specific FocusTags.

Black Kite’s FocusTags give users detailed intelligence on a vulnerability at a specific company.

Black Kite’s Risk Intelligence page shows FocusTag exposure tracking.
This level of visibility and intelligence is what transforms FocusTags from just another vulnerability score into an essential tool for proactive risk management.
The Future of TPRM: Proactive, Not Reactive
Traditional TPRM has struggled with visibility and speed. FocusTags provide the intelligence needed to prioritize what matters most. But when combined with Risk Hunting, TPRM shifts into a new phase—one where teams don’t just assess risk, they actively reduce it.
FocusTags are not just another risk score. They are a tool to drive action, start vendor conversations, and reduce supply chain risk before it becomes an incident.
Speed, Accuracy, and Transparency in FocusTags
Speed: How Quickly Does Black Kite Issue FocusTags?
In vulnerability management, timing is everything. The faster TPRM professionals are alerted to high-risk vulnerabilities, the better they can mitigate threats before they are actively exploited. Black Kite's FocusTags accelerate this process, often flagging OSINT-discoverable vulnerabilities before they even make it into the CISA KEV catalog.
FocusTag Release Time vs. Exploitation Timeline

Black Kite applied FocusTags to 82.4% of OSINT-discoverable vulnerabilities before they were added to KEV—or within 24 hours of their inclusion. This proactive approach gives organizations a head start, allowing them to mitigate risks before vulnerabilities are widely exploited.
Attackers move fast. But FocusTags enable TPRM professionals to move faster.
Customers use the confidence levels attached to each FocusTag (described under Transparency below) to customize their engagement strategies. Some reach out to all flagged vendors, while others monitor lower-confidence cases without immediate escalation. This level of transparency puts control back into the hands of TPRM professionals.
Accuracy: Prioritizing Actionable Intelligence
Not every high-priority vulnerability gets a FocusTag. Precision matters more than volume.
Black Kite maintains a false positive rate below 3% while ensuring broad coverage across major vulnerabilities. This selective approach ensures that customers are not overwhelmed with noise but instead receive actionable intelligence that truly matters in supply chain risk management.
A FocusTag is a signal, not just data—it highlights vulnerabilities that require immediate attention due to exposure, exploitability, and third-party risk.
Transparency: Confidence Levels in FocusTags
Not all FocusTags carry the same level of certainty. That’s why Black Kite assigns a confidence level to each FocusTag, allowing organizations to gauge the likelihood of vendor exposure before engaging in vendor outreach.
Confidence Level Distribution of FocusTags in 2024
- Very High – Black Kite has direct evidence that the vulnerable version is in use.
- High – The product is identified, but the exact version remains unknown. However, most deployed versions are vulnerable, making exploitation highly likely.
- Medium – The product is identified, but only a subset of versions are vulnerable. This level is used sparingly, and only for highly critical vulnerabilities.
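The three confidence levels above amount to a decision rule over what was actually observed about a vendor's asset: product identified or not, version known or not, and whether the known or typical version falls in the vulnerable range. The following added Python example encodes that rule; it is not Black Kite's implementation, and the version-range check, the "most deployed versions are vulnerable" threshold, the vendor observations, and the product and version numbers are all constructed assumptions.

```python
"""Confidence-level assignment for a tag on a vendor asset (added illustration).

Mirrors the page's three levels:
  Very High - direct evidence the vulnerable version is in use
  High      - product identified, version unknown, most deployed versions vulnerable
  Medium    - product identified, version unknown, only a subset vulnerable,
              used only for highly critical vulnerabilities
Anything else yields no tag (None).
"""
from dataclasses import dataclass
from typing import Optional

# Assumption: "most deployed versions are vulnerable" means at least this share.
MAJORITY_THRESHOLD = 0.5


@dataclass
class Observation:
    """What OSINT scanning revealed about one vendor asset (constructed)."""
    vendor: str
    product: str
    version: Optional[str]   # None when only the product could be identified


@dataclass
class VulnerableRange:
    """Affected product and version window [first_vulnerable, first_fixed)."""
    product: str
    first_vulnerable: str
    first_fixed: str
    deployed_vulnerable_share: float   # share of deployed versions in the window
    critical: bool                     # highly critical per the page's Medium rule


def parse_version(version: str) -> tuple:
    """Dotted numeric version into a comparable tuple, e.g. '9.1.3' -> (9, 1, 3)."""
    return tuple(int(part) for part in version.split("."))


def version_is_vulnerable(version: str, rng: VulnerableRange) -> bool:
    v = parse_version(version)
    return parse_version(rng.first_vulnerable) <= v < parse_version(rng.first_fixed)


def assign_confidence(obs: Observation, rng: VulnerableRange) -> Optional[str]:
    """Return 'Very High', 'High', 'Medium', or None (no tag)."""
    if obs.product != rng.product:
        return None                                   # product not affected at all
    if obs.version is not None:
        # Version known: tag only with direct evidence it is in the window.
        return "Very High" if version_is_vulnerable(obs.version, rng) else None
    # Product identified, version unknown.
    if rng.deployed_vulnerable_share >= MAJORITY_THRESHOLD:
        return "High"
    return "Medium" if rng.critical else None


def tag_vendors(observations: list, rng: VulnerableRange) -> dict:
    """Map each vendor to the strongest confidence level across its assets."""
    order = {"Very High": 3, "High": 2, "Medium": 1}
    result = {}
    for obs in observations:
        level = assign_confidence(obs, rng)
        if level is None:
            continue
        current = result.get(obs.vendor)
        if current is None or order[level] > order[current]:
            result[obs.vendor] = level
    return result


# Constructed sample data: a fictional product "ExampleGW" with a fictional window.
SAMPLE_RANGE = VulnerableRange("ExampleGW", "9.0.0", "9.1.4",
                               deployed_vulnerable_share=0.7, critical=True)

SAMPLE_OBSERVATIONS = [
    Observation("vendor-a", "ExampleGW", "9.1.2"),   # in window -> Very High
    Observation("vendor-b", "ExampleGW", "9.1.4"),   # first fixed -> no tag
    Observation("vendor-c", "ExampleGW", None),      # version unknown -> High
    Observation("vendor-d", "OtherProduct", "1.0"),  # unaffected product -> no tag
]


if __name__ == "__main__":
    for vendor, level in tag_vendors(SAMPLE_OBSERVATIONS, SAMPLE_RANGE).items():
        print(f"{vendor}: {level}")
```

The same observations against a range whose deployed_vulnerable_share is below the threshold would turn vendor-c's tag into Medium when the vulnerability is critical, and into no tag otherwise, which is the "used sparingly" behaviour the page describes.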
FocusTags: Enabling Smart TPRM Decisions
By combining speed, accuracy, and transparency, Black Kite’s FocusTags ensure that TPRM professionals are equipped with the intelligence needed to act decisively. These tags aren’t just alerts—they enable a risk hunting approach, allowing teams to proactively mitigate threats across their supply chain before they escalate.
With FocusTags, TPRM can be as proactive as Threat Intelligence.