PART I

Supply Chain Cyber Attacks in 2025

Why Cascading Impact Outpaced Disclosure

With 136 vendors responsible for 719 publicly impacted companies, the "multiplier effect" of third-party risk has reached an all-time high, leaving a massive shadow layer of unnamed victims in its wake.

In 2025, third-party risk stopped knocking and started breaking down doors. The number of verified, publicly disclosed third-party breach events reached 136, breaking the steady pattern of previous years.

But counting events is no longer enough. The blast radius has fundamentally changed. Across these incidents, we identified 719 named victim companies, representing only the portion of impact that was explicitly disclosed.

Behind these verified names lies a much larger shadow. In 27 separate incidents, vendors disclosed downstream impact only in aggregate terms, revealing that approximately 26,000 additional companies were affected* but never named. At the individual level, publicly disclosed figures point to 433 million impacted people, a population roughly equivalent to the entire European Union.

*These numbers come from vendor-disclosed impact statements.

Downstream Victims per Third-Party Vendor Breach Over Time

This shift also explains why 2025 reached an average of 5.28 downstream victims per third-party breach, the highest level observed to date. Compare that to 2.46 victims per incident in 2021, 4.73 in 2022, 3.09 in 2023, and 2.56 in 2024.

This is not the result of random noise. It reflects a sharp increase in the scale and coordination of attacks, driven by more aggressive threat actors targeting shared platforms, centralized services, and high-dependency vendors. As attackers move upstream, single compromises increasingly translate into multi-company impact.

2025 wasn’t just a year of more breaches. It was the year where the scale of impact outpaced our ability to name the victims.

Companies may recover. The data of 433 million people does not.

The "Where" (Industry)

This section looks at where the third-party breach impact appears within the dataset. It is not intended to define absolute global risk levels. Instead, it reflects what is visible based on publicly disclosed incidents and the structure of the data we can observe.

Vendor Industries: Number of Breach Events

Company Industries: Number of Breach Events

A clear separation emerges between where impact accumulates and where it originates.

On the vendor side, breach events are most frequently associated with a small number of highly central service categories. Software Services lead by a wide margin, followed by Technical Services and Health Care Services. These vendors are not numerous, but they operate as shared infrastructure for thousands of organizations. Their position in the ecosystem means a single failure can propagate broadly.

On the company side, impact concentrates in sectors that consume these shared services at scale. Health Care, Educational Services, and Finance appear most frequently among affected organizations. These sectors tend to combine high data sensitivity with heavy reliance on external platforms, placing them downstream in complex dependency chains.

The pattern is consistent. Breach impact accumulates in data-rich sectors at the edges of the supply chain, while risk originates upstream, within a smaller set of centralized service providers.

The Visibility Problem

An important constraint in this analysis is the prevalence of unnamed vendors. In a significant portion of incidents, disclosures confirm downstream impact but do not identify the responsible vendor or its industry.

This is not a cosmetic reporting gap. It directly limits the ability of organizations to understand where risk enters the supply chain and how it propagates. Exposure becomes visible, but responsibility remains opaque.

Third-party risk does not scale only because of technical failure. It scales because visibility breaks down at precisely the points where dependency is highest.

What we see is shaped by what is disclosed.

The "Unauthorized" Euphemism (Methods)

Nearly half of all verified breaches in 2025 are labeled as “Unauthorized Network Access.” At first glance, this looks like a clear category. In reality, it tells us very little.

This label explains what happened, but not why it happened. It confirms that someone got in, without explaining which door was left open. Was it credentials, a missed patch, exposed software, or something else entirely? The answer is usually missing.

Attack Methods of Verified Breaches in 2025

As a result, this chart says as much about reporting behavior as it does about attacks. When incidents are described only at the outcome level, the industry loses the ability to learn from them. Patterns blur. Root causes disappear. Everything collapses into a single vague explanation.

The relatively small share of explicitly labeled ransomware events should be read in this context. It does not mean ransomware pressure is fading. It means that many disclosures stop short of describing the mechanics behind the intrusion.

When incidents are reported without detail, risk becomes harder to understand and easier to repeat.

The Silent Window (Detection Timeline)

Time Between Initial Compromise and Detection

Median detection takes 10 days. The most damaging attacks remain hidden far longer.

Time Between Initial Compromise and Detection: Extreme Outliers

The Tail: Top Slowest Detections

  • 730 Days (APT)
  • 662 Days (Unauthorized Person)
  • 628 Days (Malware)
  • 383 Days (Insider)

The outliers reveal a disturbing pattern. The longest "Silent Windows," stretching up to 730 days, were not random accidents. They were driven by APTs, Insider Threats, and stealth Malware.

For the 79 breach events where timeline data was available, the median time to detect an intrusion was 10 days. Let’s be brutally honest: In cybersecurity, 10 days is not "fast." It is more than enough time for an attacker to fully operationalize an intrusion.

In 10 days, a threat actor doesn't just steal data; they map the network, escalate privileges, plant backdoors, and exfiltrate entire databases. For the "typical" vendor, the attackers had full run of the house for over a week before anyone realized the door was open.

While the median sits at 10 days, the average detection time spiked to 68 days, driven by a long tail of sophisticated attacks that went unnoticed for months or even years.

This proves that while automated attacks like Ransomware might trigger alarms quickly, the quiet, sophisticated attacks, the ones that do the most strategic damage, are still operating with near impunity.

The 10-day median detection timeline observed in our dataset is consistent with broader industry reporting. For context, Mandiant’s M-Trends 2024 report similarly identified the global median dwell time as 10 days. This parallel suggests that the "Silent Window" observed in this report reflects a wider operational standard across the current threat landscape, rather than being an anomaly specific to our dataset.
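The gap between the 10-day median and the 68-day average described above comes from a handful of very long silent windows. The following Python script, an added example that is not part of the report, shows how a few tail events move the mean while leaving the median untouched. The per-incident detection times are constructed sample data: the four largest values reuse the outliers listed in the report, the rest are made up and are not the report's 79-event dataset.

```python
"""Dwell-time summary: why the median and the mean tell different stories.

Added example, not from the report. SAMPLE_DETECTION_DAYS is constructed:
the four slowest values (730, 662, 628, 383) are the outliers the report
lists; every other value is invented for illustration.
"""
from math import ceil
from statistics import mean, median

# Constructed sample: days between initial compromise and detection, one
# entry per incident.
SAMPLE_DETECTION_DAYS = [
    1, 2, 3, 3, 5, 6, 8, 9, 10, 10, 10, 14, 15, 21, 30, 45,
    383, 628, 662, 730,
]


def percentile(values, pct):
    """Nearest-rank percentile (pct in 0..100) of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, ceil(pct / 100 * len(ordered)))
    return ordered[min(rank, len(ordered)) - 1]


def summarize(days, tail_count=4):
    """Median, mean, and the mean with the `tail_count` slowest detections
    removed, plus how much of the total dwell time those tail events carry.

    Returns a dict so the numbers can be asserted on rather than printed.
    """
    if not days:
        raise ValueError("need at least one detection time")
    ordered = sorted(days)
    # Only strip a tail when it leaves at least one event in the body.
    tail = ordered[-tail_count:] if 0 < tail_count < len(ordered) else []
    body = ordered[: len(ordered) - len(tail)]
    return {
        "events": len(ordered),
        "median_days": median(ordered),
        "mean_days": mean(ordered),
        "mean_without_tail_days": mean(body),
        "p90_days": percentile(ordered, 90),
        # Share of all observed dwell days contributed by the tail events.
        "tail_share_of_total": sum(tail) / sum(ordered),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DETECTION_DAYS).items():
        print(f"{key:>24}: {value}")
```

On the constructed sample the median stays at 10 days whether or not the four slowest detections are included, while the mean falls from roughly 130 days to 12 once they are removed; that is the same shape as the report's 10-day median against a 68-day average. When reading a vendor's dwell-time statistics, ask for both figures and for the size of the tail.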

The Disclosure Lag

Time Between Attack Notice and Public Disclosure*

*Outliers have been removed from this chart.

Average Time Between Attack Notice and Disclosure Over Time (Black Kite’s Third-Party Breach Reports)

Chart series: 2022 report (2021 data), 2023 report (2022 data), 2024 report (2023 data), 2025 report (2024 data: insufficient data), 2026 report (2025 data).

Even after discovering they are breached, vendors wait. And wait. The shorter timelines observed in our 2024 report (76 days) did not hold in this year's dataset. In 2025, the average disclosure time among verified incidents returned to 117 days, suggesting that the previous improvement may have been transient rather than structural. While averages can be skewed by outliers in a limited sample, the median remains a stubborn 73 days.

Let’s be clear: 73 days is not an "investigation period." In the context of active exploitation, it is an eternity. This delay denies downstream customers the chance to revoke access, reset credentials, or lock down their own systems. Transparency delayed is risk transferred.

Silence is complicity. A 73-day delay is an operational vulnerability for every customer.

Detection is slow. Disclosure is slower. Discovery does not trigger transparency.

The Anatomy of Failure: Identity, Infrastructure, and Integration

In 2025, we knew who the victims were. We rarely knew who the attackers were. In 72.8% of verified third-party breach events, the threat actor was either unknown or not disclosed. This attribution gap leaves defenders responding to impact without understanding intent, tooling, or playbooks.

Where attribution did exist, three patterns defined the year. Each illustrates a different failure mode of the modern supply chain.

The Salesforce Ecosystem Shock: When Platforms Become the Breach

The Salesforce, Salesloft, and Gainsight incidents did not represent a single breach, but a systemic platform failure pattern. These events demonstrated how deeply embedded SaaS platforms can act as force multipliers for downstream impact.

The issue was not a catastrophic zero-day inside Salesforce itself. It was the density of trust and integration around the platform. Identity relationships, OAuth tokens, CRM integrations, and downstream application access turned a limited compromise into a cascading failure across dozens of organizations.

What made this incident defining was not technical novelty, but structural exposure. When a single platform sits at the center of customer data, sales workflows, and third-party integrations, even a narrow access failure can propagate widely. The Salesforce ecosystem did not fail because it was uniquely insecure. It failed because too many organizations depended on it as a trusted control plane.

This was not a vendor breach in the traditional sense. It was a dependency shock.

Scattered Lapsus$ Hunters: The Converging Faces of Identity Compromise

By 2025, the identity threat no longer belonged to a single name. Scattered Spider, ShinyHunters, and hybrid labels like Scattered Lapsus$ Hunters reflect not one actor, but a closely connected ecosystem sharing tactics, tooling, and access to the same playbooks.

Across incidents, a consistent pattern emerged. Rather than prioritizing software exploits or zero-days, these actors focused on manipulating trust and identity workflows. Phishing, vishing, MFA fatigue, SIM swapping, and help desk impersonation allowed them to bypass mature technical controls without directly attacking infrastructure.

Their objective was the identity layer itself. By abusing MFA resets, account recovery paths, and IT support processes, they repeatedly obtained privileged access. Vulnerabilities, when used, served as accelerators rather than entry points.

These attacks succeeded not because controls were absent, but because identity systems and support workflows were designed for availability over resistance. As a result, modern breach success is increasingly determined at the identity layer, where trust can be manipulated and exploitation becomes optional.
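Because the identity-layer tactics above (MFA fatigue in particular) leave traces in authentication logs rather than in exploit telemetry, detection has to look at the sequence of MFA prompts per user. The following Python detector is an added example, not code from the report or from any identity provider: it flags an MFA approval that follows a burst of denied or unanswered pushes within a short window. The comma-separated log format and the sample lines are constructed for illustration; real identity providers emit their own schemas, so the parser is the part you would adapt.

```python
"""MFA push-fatigue detector over constructed authentication log lines.

Added example, not from the report. Assumed log format (constructed):
    <ISO-8601 UTC timestamp>,<user>,<event>,<outcome>
where event is "mfa_push" and outcome is one of approved/denied/timeout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "jdoe" rejects or ignores five pushes in a few
# minutes and then approves one (the fatigue pattern); "asmith" and "bchen"
# show ordinary behaviour.
SAMPLE_LOG = """\
2025-06-03T08:01:10Z,asmith,mfa_push,approved
2025-06-03T08:02:05Z,jdoe,mfa_push,denied
2025-06-03T08:02:40Z,jdoe,mfa_push,timeout
2025-06-03T08:03:12Z,jdoe,mfa_push,denied
2025-06-03T08:03:50Z,jdoe,mfa_push,timeout
2025-06-03T08:04:30Z,jdoe,mfa_push,denied
2025-06-03T08:05:02Z,jdoe,mfa_push,approved
2025-06-03T09:15:00Z,bchen,mfa_push,denied
2025-06-03T09:40:00Z,bchen,mfa_push,approved
"""

PUSH_THRESHOLD = 3            # rejected/unanswered pushes before an approval is suspicious
WINDOW = timedelta(minutes=10)  # how far back rejected pushes count


def parse_log(text):
    """Parse the constructed CSV format into (timestamp, user, event, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, outcome = line.strip().split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, outcome))
    return events


def detect_push_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return one alert per approval preceded by >= threshold rejected or
    timed-out pushes for the same user inside `window`."""
    recent = defaultdict(list)  # user -> timestamps of recent rejected pushes
    alerts = []
    for ts, user, event, outcome in sorted(events):
        if event != "mfa_push":
            continue
        # Forget rejections that have aged out of the window.
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if outcome in ("denied", "timeout"):
            recent[user].append(ts)
        elif outcome == "approved":
            if len(recent[user]) >= threshold:
                alerts.append({
                    "user": user,
                    "approved_at": ts,
                    "rejected_pushes": len(recent[user]),
                })
            recent[user].clear()  # a completed login resets the burst
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

The window matters as much as the threshold: bchen's single denial 25 minutes before an approval is ordinary user behaviour and must not fire. In production, an alert like this is a trigger to verify the session out of band and, where the platform supports it, to favour number-matching or phishing-resistant factors so that an approval cannot be produced by fatigue alone.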

CL0P: Zero-Day Industrialization

CL0P continued to demonstrate that concentration is not just a weakness in the supply chain, but a business model for attackers.

In 2025, CL0P weaponized vulnerabilities in widely deployed enterprise platforms, including Oracle E-Business Suite and Cleo Harmony, to target shared infrastructure rather than individual organizations. These campaigns were not opportunistic. They were deliberate, platform-focused, and designed for leverage at scale.

The Oracle E-Business Suite campaign targeted the financial backbone of enterprises through critical remote code execution vulnerabilities. The Cleo and GoAnywhere campaigns once again exposed Managed File Transfer tools as high-value choke points. By compromising a single dependency, CL0P gained access paths into entire sectors.

This is no longer hacking in the traditional sense. It is zero-day industrialization. CL0P does not behave like a conventional ransomware group. It operates like a software testing team for criminal ecosystems, systematically probing enterprise platforms to identify flaws that unlock hundreds of environments at once.

The objective is not a single victim. The objective is scale. A vulnerable dependency becomes leverage across the supply chain.

These vulnerabilities are not just bugs. They are keys to the kingdom.

The Aftermath (Ratings): Too Big To Fix

Changes to Cyber Ratings After a Breach

Note: Vendors are classified into three size categories based on annual revenue: Small and Medium-sized Businesses (SMBs) with less than $50M, mid-market companies with revenues between $50M and $1B, and large enterprises with revenues exceeding $1B.

Methodology of this chart:

To evaluate post-breach change, we applied a simple threshold to separate meaningful movement from normal score noise. A vendor was marked as Improved if its score increased by 3 points or more, and Declined if it dropped by 3 points or more. Changes within ±3 points were classified as No Significant Change, indicating no material shift in security posture. This approach focuses on real, sustained change rather than short-term or marginal adjustments following a breach.
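The methodology above, together with the size bands in the chart note (SMB under $50M, mid-market $50M to $1B, enterprise above $1B), can be reproduced on any before/after score table. The following Python script is an added example, not the report's own analysis code: it applies the ±3-point rule, buckets vendors by revenue, and tallies outcomes per size band. The vendor rows are constructed and are not the report's data.

```python
"""Post-breach rating change classification, following the report's stated
methodology (Improved >= +3, Declined <= -3, otherwise No Significant Change)
and its revenue-based size bands.

Added example, not from the report. SAMPLE_VENDORS is constructed data.
"""
from collections import Counter, defaultdict

THRESHOLD = 3  # points of score movement treated as meaningful


def size_category(revenue_usd):
    """Size band from annual revenue, matching the chart note's definitions.

    Boundary handling is an assumption: exactly $50M and exactly $1B are
    treated as mid-market, since the note says "less than $50M" and
    "exceeding $1B" for the other two bands.
    """
    if revenue_usd < 50_000_000:
        return "SMB"
    if revenue_usd <= 1_000_000_000:
        return "Mid-market"
    return "Enterprise"


def classify_change(before, after, threshold=THRESHOLD):
    """Label a score delta using the symmetric threshold."""
    delta = after - before
    if delta >= threshold:
        return "Improved"
    if delta <= -threshold:
        return "Declined"
    return "No Significant Change"


# Constructed sample rows: (vendor, annual revenue in USD, score before, score after)
SAMPLE_VENDORS = [
    ("vendor-a", 12_000_000, 61, 70),       # SMB, +9
    ("vendor-b", 30_000_000, 58, 60),       # SMB, +2 (noise)
    ("vendor-c", 200_000_000, 72, 69),      # mid-market, -3
    ("vendor-d", 900_000_000, 65, 68),      # mid-market, +3
    ("vendor-e", 5_000_000_000, 80, 76),    # enterprise, -4
    ("vendor-f", 2_500_000_000, 74, 75),    # enterprise, +1 (noise)
    ("vendor-g", 1_000_000_000, 70, 67),    # exactly $1B: mid-market, -3
]


def summarize_by_size(rows, threshold=THRESHOLD):
    """Count Improved / Declined / No Significant Change per size band."""
    tally = defaultdict(Counter)
    for _, revenue, before, after in rows:
        tally[size_category(revenue)][classify_change(before, after, threshold)] += 1
    return {size: dict(counts) for size, counts in tally.items()}


if __name__ == "__main__":
    for size, counts in summarize_by_size(SAMPLE_VENDORS).items():
        print(size, counts)
```

Two points carry over to real data: the threshold must be applied to the delta, not to either score alone, and the revenue boundaries should be fixed and documented up front, since a vendor sitting exactly on a band edge changes which column it lands in.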

Does a breach change behavior? It depends on vendor size.

Among small and medium-sized vendors, breaches still function as a forcing event. After disclosure, improvement is visible across core controls, particularly overall cybersecurity posture and email security. These organizations tend to react by fixing what broke. For them, a breach creates urgency and leads to measurable corrective action.

Mid-market vendors sit in between. Some controls improve after an incident, but the response is inconsistent. While critical issues may be addressed, gains are often limited to surface-level improvements, with patching and credential-related weaknesses showing less reliable recovery.

Enterprise vendors show a fundamentally different pattern. After a confirmed breach, improvement is uneven and often outweighed by stagnation or decline. Patch management in particular deteriorates more often than it recovers, even after public disclosure. Changes tend to be incremental, isolated, and slow.

The issue is not awareness. Large vendors understand what needs to be fixed. The issue is execution. Complexity, scale, fragmented ownership, and competing operational priorities make meaningful remediation difficult. Breaches do not trigger resets. They are absorbed into normal operations.

In practice, many enterprise vendors are not too important to fail. They are too big to fix.

What is the Cyber Score?

The cyber score represents a vendor’s current cybersecurity posture in a holistic way. It reflects how an organization performs across a broad set of externally observable security controls, including patching discipline, email security, endpoint exposure, network hygiene, and configuration practices. Rather than measuring a single control or point-in-time issue, the score captures the overall effectiveness and consistency of security execution as it appears from the outside.

Conclusion of Part 1

We have counted the verified bodies (136 events, 719 victims). We have exposed the hidden bulk layer (26,000+). We have timed the delays (73 days).

The data from 2025 proves that third-party risk is not randomly distributed. It is concentrated in specific nodes, obscured by poor transparency, and accelerated by slow disclosure.

Cascading is the observable outcome. Concentration is the underlying cause.

We have counted the bodies. Now, let's find the weapon.

Next: What the ecosystem looks like.
