PART II

Third-Party Ecosystem Posture Trends

Analyzing Baseline Cybersecurity Risk Across ~200,000 Vendor Organizations

Part I showed what happened in 2025: the breaches, the hidden victims, and the cascading impact across the supply chain. Part II answers a more fundamental question:

What does the ecosystem look like when no breach headline is required?

Here a 'headline' means the public announcement of a major security incident that captures media attention. Dropping that requirement shifts the focus from the high-profile event to the underlying environment that makes such events possible.

This section is built on baseline telemetry from ~200,000 organizations monitored on the Black Kite platform. The companies were selected as a randomized, cross-industry sample spanning multiple geographies, sectors, and vendor sizes. The objective is not to analyze breached entities, but to understand the steady-state security condition of the global supply chain as it exists today.

Industry Breakdown of the ~200,000 Companies Analyzed on the Black Kite Platform

This is not a prediction model. It is not a breach forecast.

It represents the starting condition of the ecosystem in 2025.

Rather than asking who was breached, this data asks a different question: What kind of environment do threat actors operate in right now?

The Baseline Reality

  • ~200,000 companies analyzed (Black Kite platform)
  • Average Cyber Grade: 90.27 (A)
  • Average Ransomware Susceptibility Index® (RSI™)
  • at least one critical vulnerability detected
  • have corporate credentials circulating on the dark web

By examining baseline cyber grades, emerging risk indicators (such as Ransomware Susceptibility), patch failure signals, and stealer log exposure, we assess the ecosystem from a victim-pattern and threat-actor perspective. This approach focuses on the conditions that enable breaches at scale before any incident forces remediation.

Third-party risk does not emerge in a vacuum. Breaches expand fastest in ecosystems where basic controls are inconsistently applied and identity exposure is already widespread. This section maps those conditions.

Breaches are the outcome. The baseline is the terrain.

Cyber Grades: Strong on Paper

Cyber Grades provide a useful baseline snapshot, but they can create false comfort at scale. A high average grade (90.27) indicates that many organizations meet standard control expectations and compliance checklists. However, it does not guarantee that the ecosystem is resilient under real-world pressure.

This distinction matters because third-party risk scales through common failure modes and dependency structures, not through average scores. The ecosystem can look strong in aggregate while remaining fragile in the specific places attackers repeatedly exploit.

Cyber Grades of Vendors by Industry

When we see high grades coexisting with the exposure signals detailed in the following pages, it suggests a "compliance vs. security" gap. Organizations are passing the test, but they are still leaving windows open.

High grades can coexist with weak fundamentals.

Technical Hygiene is Not Immunity

In 2025, ~200,000 companies maintained a high average Cyber Rating of 90.27 (A). To a CISO, this high score might seem at odds with the surge in breaches. However, a Cyber Rating measures external technical hygiene: the baseline "health" of 290+ externally observable controls.

A high technical grade shows the house is built well, but it doesn't tell you if a threat actor has already stolen the keys.

This is why Black Kite looks beyond the grade:

  • The Ransomware Susceptibility Disconnect: We found vendors with 'A' ratings but High Ransomware Susceptibility Index® (RSI™) scores (0.6+), meaning they were maintaining good hygiene while simultaneously exhibiting the specific technical signals (like stealer log exposure or unpatched KEVs) that attract ransomware groups.
  • The Intelligence Layer: While the Cyber Rating/Grade tracks the static posture, our Risk Intelligence (FocusTags®) tracks the active threat. An "A" rating is a snapshot in time; our intelligence surfaces high-priority vulnerabilities and emerging threat actor activity in real time.

Ransomware Risk: Where the Ecosystem Is Most Susceptible

Ransomware Susceptibility Index Scores by Vendor Industry

Distribution of Ransomware Susceptibility Index Scores by Vendor Industry

The Ransomware Susceptibility Index® (RSI™) is a composite risk signal. It reflects the combined effect of credential exposure, patching weaknesses, externally observable security failures, and operational fragility. Rather than isolating a single control gap, RSI measures how these weaknesses accumulate and reinforce each other across an organization.

In that sense, RSI is predictive but not deterministic. It does not claim that a specific company will be hit next. It shows where risk consistently materializes when pressure is applied. Manufacturing ranking at the top of the RSI spectrum is not incidental. Black Kite’s ransomware reporting has identified Manufacturing as the most targeted sector for four consecutive years. RSI mirrors that reality by capturing the underlying conditions that repeatedly enable ransomware success.

Education appears alongside Manufacturing as another high-pressure sector. This is not driven by attack sophistication, but by chronic exposure. High credential leakage, inconsistent patch discipline, and operational constraints combine to create environments where compromise is easier to initiate and harder to contain. In practice, these organizations operate closer to failure conditions by default.

Finance presents a different pattern. RSI scores remain materially lower, not because financial institutions are immune to attack, but because sustained governance pressure forces tighter control over identity, patching, and exposure management. Regulatory frameworks and continuous audit expectations raise the cost of negligence and shorten tolerance for unresolved weaknesses. Regulation does not eliminate risk, but it compresses it. Where accountability is persistent and failure is expensive, baseline susceptibility is reduced.

RSI does not predict incidents. It predicts where pressure turns into impact.

Patch Discipline

Critical Vulnerabilities by Vendor Industry

Average Number of Critical Vulnerabilities per Vendor

Across the ecosystem, patching remains the most repeatable weakness. And repeatability is what allows risk to scale. Today, 53.77% of monitored organizations show patch management failure signals.

At supply chain scale, this is not a marginal issue. It is a structural condition. When half of the ecosystem operates with known vulnerabilities, attackers do not need rare techniques or zero-day exploits. They rely on consistency. Weak patch discipline creates exactly that: a stable, renewable attack surface spread across thousands of interconnected organizations.

This matters because modern third-party risk is shaped by shared dependencies. Common software platforms and exposed services turn individual patch failures into collective exposure. A vulnerability left unpatched does not remain local. It becomes reusable across the ecosystem.

When patch discipline breaks at scale, exploitation stops being opportunistic. It becomes systematic.

The Ecosystem Map: Stable on Paper, Fragile in Practice

Intersection of Ransomware Susceptibility, Cyber Grade, and Critical Vulnerabilities by Vendor Industry

Note: Bubble size reflects the number of companies represented

This chart represents the central finding of our ecosystem analysis. The ecosystem is not uniformly safe or uniformly exposed. It has pressure zones where ransomware susceptibility and weak operational discipline overlap. In those zones, failure is easier to trigger, harder to contain, and far more likely to spill outward through third-party relationships.

The scatter plot makes this visible. Manufacturing and Professional Services are not sitting in the upper right by accident. They combine elevated RSI with patch management weakness, which is exactly the mix that turns baseline risk into disruption when attackers apply pressure. Finance is not in the controlled zone by coincidence either. It consistently shows lower susceptibility and stronger discipline, which aligns with a sector that treats failure as expensive and governance as non-optional.

The second chart helps explain the mechanics behind the map. Sectors that sit deeper in the pressure zone also tend to show heavier operational strain in fundamentals like patching, and they carry stronger background exposure signals. The takeaway is simple: systemic risk is not created by the average sector. It is created when the supply chain depends on sectors operating in these pressure zones and assumes stability will hold.

The supply chain doesn’t break at the average.

It breaks in the pressure zones.

Supporting Signal: InfoStealers

Distribution of Vendor Industries with Stolen Credentials

Average Number of Stealer Logs per Vendor

We treat the stealer indicator as a supporting signal, not a headline metric. But it helps explain why credential-based entry scales so efficiently. When access is already circulating, compromise becomes easier to initiate and harder to contain.

At baseline, 23.34% of organizations show such indicators, with sharp sector differences. The takeaway is simple: parts of the supply chain are operating with higher levels of "pre-existing access exposure," which raises the cost of trust and lowers the barrier to credential-driven attacks.

This does not mean every exposed credential becomes a breach. It means the ecosystem is operating with a persistent background level of access leakage, making downstream compromise cheaper, faster, and harder to attribute.

Note: Only critical stealer log findings were taken into account for this analysis. These include:

  • Domain detected in both the username/email and URL fields of a password file.
  • Domain detected in the username/email field but not in the URL field.

Less severe findings, such as detections lacking domain correlation or without password exposure, were excluded from this summary, as they do not indicate a direct or actionable risk.
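The two criticality rules above are simple enough to apply directly to raw stealer-log records. The following is an added example written for this page, not Black Kite's own classifier; it assumes a three-field record layout (username/email, URL, password), a single monitored domain, and constructed sample records that are not real findings.

```python
"""Classify infostealer log records by the criticality rule described above.

Added illustration, not Black Kite's code. The record layout (username, url,
password fields), the monitored domain and the sample records are assumptions
constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class StealerRecord:
    username: str  # username or e-mail as captured by the stealer
    url: str       # login URL the credential was saved for
    password: str  # captured password; empty string if none was exposed


def _host_matches(host: str, domain: str) -> bool:
    """True when host equals the monitored domain or is a subdomain of it.

    The leading-dot check prevents 'notexample.com' from matching 'example.com'.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def username_has_domain(username: str, domain: str) -> bool:
    """Domain correlation via the e-mail part of the username field."""
    if "@" not in username:
        return False
    return _host_matches(username.rsplit("@", 1)[1], domain)


def url_has_domain(url: str, domain: str) -> bool:
    """Domain correlation via the hostname of the URL field (scheme optional)."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    return _host_matches(host, domain)


def classify(record: StealerRecord, domain: str) -> str:
    """Return 'critical:*' for findings the analysis counts, else 'excluded:*'.

    Critical: domain in both username and URL, or in username only.
    Excluded: no password, URL-only correlation, or no correlation at all.
    """
    if not record.password:
        return "excluded:no-password"
    in_user = username_has_domain(record.username, domain)
    in_url = url_has_domain(record.url, domain)
    if in_user and in_url:
        return "critical:user-and-url"
    if in_user:
        return "critical:user-only"
    if in_url:
        return "excluded:url-only"
    return "excluded:no-domain-correlation"


def summarize(records, domain: str) -> dict:
    """Count records per classification label for one vendor domain."""
    return dict(Counter(classify(r, domain) for r in records))


def vendor_has_critical_exposure(records, domain: str) -> bool:
    """The per-vendor indicator: at least one critical finding present."""
    return any(classify(r, domain).startswith("critical:") for r in records)


# Constructed sample records (hypothetical; not real findings).
MONITORED_DOMAIN = "example.com"
SAMPLE_RECORDS = [
    StealerRecord("alice@example.com", "https://sso.example.com/login", "Pa55w0rd!"),
    StealerRecord("bob@example.com", "https://mail.thirdparty.net/", "hunter2"),
    StealerRecord("carol", "https://portal.example.com/", "letmein"),
    StealerRecord("dave@example.com", "https://example.com/", ""),
    StealerRecord("erin@other.org", "https://other.org/login", "x"),
    StealerRecord("frank@Example.Com", "example.com/login", "secret"),
    StealerRecord("mallory@notexample.com", "https://notexample.com/", "pw"),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec.username:24} {rec.url:34} {classify(rec, MONITORED_DOMAIN)}")
    print(summarize(SAMPLE_RECORDS, MONITORED_DOMAIN))
    print("critical exposure:", vendor_has_critical_exposure(SAMPLE_RECORDS, MONITORED_DOMAIN))
```

Note that a record whose URL points at the monitored domain but whose username carries no domain (the third sample) is deliberately excluded: without the username correlation it cannot be tied to a corporate account, which is why the page treats it as non-actionable.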

The breach often starts before the breach: in exposed access.

Conclusion of Part 2

Part 1 documented the fires (the incidents that occurred). Part 2 analyzed the environment that allowed them to spread (the susceptibility, discipline gaps, and exposure patterns that make scaling possible).

Our baseline analysis of ~200,000 organizations reveals that the global supply chain is not suffering from a lack of "security," but from a lack of active remediation. The intersection of ransomware susceptibility and critical vulnerabilities (CISA KEVs) serves as the definitive map of the current risk. It confirms that the ecosystem's "A" ratings are often a facade that masks systemic failures in patch management and identity protection. This data shows that threat actors do not need to innovate to succeed; they simply need to exploit the repeatable, unaddressed weaknesses found in high-pressure industry zones.

However, the risk is not distributed evenly. While the entire terrain is stressed, the danger is most acute where the most paths cross. In the final section, we move from the broad ecosystem to the center of the third-party ecosystem: the top 50 vendors who anchor the global economy and represent the ultimate point of concentrated failure.

Next: The concentration risk crisis, explained.
