New data from Black Kite’s seventh annual Third-Party Breach Report shows that third-party cyber incidents reached unprecedented scale in 2025, with 136 major breaches affecting 719 named companies and an estimated 26,000 additional downstream victims who were never publicly identified. The analysis found an average of 5.28 downstream victims per breach, the highest level on record, underscoring how attackers are increasingly targeting shared platforms and high-dependency vendors, turning single compromises into cascading impacts across entire supply chains.
The report also highlights persistent structural weaknesses in the third-party ecosystem despite an overall strong average Cyber Grade among nearly 200,000 monitored organizations. More than half of companies have at least one critical vulnerability, nearly a quarter have corporate credentials circulating on the dark web, and the most relied-upon vendors within the Forbes Global 2000 ecosystem show higher exposure to known exploited vulnerabilities and credential leaks. This concentration risk, coupled with slow detection and disclosure timelines that average 10 and 73 days, respectively, creates fertile ground for large-scale, cascade-style failures that traditional third-party risk management approaches are ill-equipped to address.
“Traditional third-party risk management is not keeping pace with the reality of today’s threats,” Ferhat Dikbiyik, chief research and intelligence officer at Black Kite, said in a media statement. “Over the past year, these risks have transformed from a series of isolated accidents into a systematic crisis. The Black Kite Research Group took a deep dive into the supply chain, and from our findings, we can forget about the ‘weakest link.’”
Dikbiyik added that supply chains are actually most fragile at their highest points of connection. “Knowing this, it’s imperative that security teams understand where risk enters, where it concentrates, and how it propagates, and to get there, they need to shift toward active intelligence and systematic awareness.”
The report identified that in 2025, third-party risk stopped knocking and started breaking down doors. The number of verified, publicly disclosed third-party breach events reached 136, breaking the steady pattern of previous years. “But counting events is no longer enough. The blast radius has fundamentally changed. Across these incidents, we identified 719 named victim companies, representing only the portion of impact that was explicitly disclosed.”
Behind these verified names lies a much larger shadow. In 27 separate incidents, vendors disclosed downstream impact only in aggregate terms, revealing that approximately 26,000 additional companies were affected but never named.
A significant constraint in this analysis is the prevalence of unnamed vendors. In many incidents, disclosures confirm downstream impact but fail to identify the responsible vendor or its industry sector. This is not merely a cosmetic reporting gap. It directly limits organizations’ ability to determine where risk enters the supply chain and how it propagates across interconnected systems. While exposure becomes visible, accountability remains opaque.
Third-party risk does not scale solely because of technical failure. It expands because visibility breaks down precisely at the points where dependency is greatest. Ultimately, the understanding of systemic risk is shaped by what is disclosed and, just as importantly, by what remains undisclosed.
Black Kite reported that “This shift also explains why 2025 reached an average of 5.28 downstream victims per third-party breach, the highest level observed to date. Compare that to 2.46 victims per incident in 2021, 4.73 in 2022, 3.09 in 2023, and 2.56 in 2024.
This is not the result of random noise. It reflects a sharp increase in the scale and coordination of attacks, driven by more aggressive threat actors targeting shared platforms, centralized services, and high-dependency vendors. As attackers move upstream, single compromises increasingly translate into multi-company impact.”
It highlighted that 2025 wasn’t just a year of more breaches. “It was the year where the scale of impact outpaced our ability to name the victims.”
The report’s breakdown of Ransomware Susceptibility Index scores shows that most vendor industries cluster in the lower risk bands, but meaningful exposure remains. Overall, 63% of vendors fall within the 0.2–0.4 range, while 23% sit in the 0.4–0.6 band and 11% in the 0.6–0.8 range. Manufacturing records 18% of vendors in the 0.6–0.8 band and 3% in the highest 0.8–1.0 band. Professional and Technical Services show 16% in the 0.6–0.8 range. Health Care reports 13% in the 0.6–0.8 band, while Educational Services stands out with 36% in the 0.4–0.6 range and 15% in the 0.6–0.8 band. Public Administration has 34% in the 0.4–0.6 band and 9% in the 0.6–0.8 range. Finance shows the highest concentration in the 0.2–0.4 band at 76%, with 16% in 0.4–0.6. Utilities report 73% in 0.2–0.4 and 20% in 0.4–0.6. While the majority of vendors remain in moderate bands, several sectors maintain double-digit percentages in higher-risk categories.
The industry breakdown of approximately 200,000 companies analyzed on the platform is led by Professional and Technical Services with 43,594 organizations, followed by Manufacturing with 30,371 and Finance with 26,760. The Information sector accounts for 23,331 companies, while healthcare represents 12,263. Construction includes 8,860 organizations and Administrative Support 8,374. Wholesale Trade accounts for 7,514 companies and Retail Trade 5,958. Educational Services total 5,674, Real Estate and Rental 5,212, and Transportation 4,270. Accommodation represents 3,375 companies and Public Administration 3,270. Arts and Entertainment includes 2,604 organizations, Utilities 2,231, Mining 1,010, Agriculture 870, and Management of Companies 614. The distribution reflects a heavy concentration in professional services, manufacturing, and finance relative to other sectors.
Time between initial compromise and detection reveals significant outliers across attack types. Advanced persistent threats show the longest detection window at 730 days. Unauthorized person incidents average 662 days before detection, and malware-related compromises 628 days. Insider-related incidents show 383 days between compromise and discovery, while software vulnerability cases average 335 days. The data indicates that certain categories of breaches can remain undetected for well over a year, with advanced persistent threats persisting for nearly two years in extreme cases.
Attack methods in verified breaches during 2025 are dominated by unauthorized network access, which accounts for 47.06% of total incidents. Ransomware represents 13.24% of breaches, while stolen credentials account for 6.62%. Unauthorized person incidents make up 5.88%, and software vulnerability exploits 5.15%. Malware and phishing each account for 3.68%, social engineering represents 2.21%, and other methods total 5.15%. The data shows that nearly half of verified breaches stem from unauthorized network access, with ransomware and credential abuse forming the next most significant categories.
Black Kite reported that, taken across all industries, the majority of vendors have at least one critical vulnerability, with 54% of vendors overall having at least one critical vulnerability detected. Public Administration is the most vulnerable industry, with 68% of its vendors having at least one critical vulnerability, more than any other sector. Educational Services ranks second at 65%, followed closely by Transportation at 62%.
Finance is the best-performing industry, with only 43% of vendors showing critical vulnerabilities, meaning 57% are clean, while construction is the second-safest industry, with 54% of vendors free of critical vulnerabilities. Industries tied at 57% vulnerability include manufacturing, agriculture, and utilities, placing them in the middle of the risk spectrum.
Healthcare and real estate sit at 51% vulnerability, just slightly above the overall average. Retail Trade and Arts and Entertainment are slightly below the midpoint, with 49% of vendors showing critical vulnerabilities and 51% reporting none. Construction reports 46% with at least one critical vulnerability and 54% without. Finance has the lowest proportion of vendors with critical vulnerabilities at 43%, while 57% report no critical vulnerabilities detected, making it the least exposed sector in this dataset.
The 2025 data shows that traditional third-party risk management is not keeping up with the threat landscape. With a median disclosure delay of 73 days and more than 26,000 unnamed downstream victims, waiting for breach notifications is no longer viable. Organizations entering 2026 need to shift toward continuous intelligence and systemic visibility rather than reactive response.
First, risk is concentrated at the core of the ecosystem. A small group of highly shared vendors, described as the ‘Elite 50,’ carries disproportionate exposure. Organizations need to map concentration risk across shared platforms and services and identify the central nodes whose compromise would trigger cascading failure. Automated supply chain discovery and Nth-party mapping can surface these dependencies and pinpoint where concentration risk is highest.
Second, the gap between breach detection and public disclosure creates a dangerous silent window. Static questionnaires and periodic cyber ratings provide only a snapshot, while the most damaging activity often unfolds in the 73-day disclosure delay. Continuous monitoring focused on active threat signals, such as stealer log exposure and targeting indicators, allows earlier intervention, especially when paired with asset-level visibility into vulnerabilities under active threat.
Third, remediation should focus on high-pressure sectors where ransomware susceptibility intersects with weak patching discipline. A strong letter grade does not eliminate technical exposure. Vendors with unpatched known exploited vulnerabilities or signs of identity compromise may still present elevated ransomware risk. Using a ransomware susceptibility index to prioritize outreach helps concentrate efforts where the probability of attack is highest.
Fourth, identity exposure has become a primary risk vector. With 62% of the most critical vendors showing corporate credentials in stealer logs, vendor identity and access management practices require scrutiny. Continuous monitoring of credential leaks and rapid alerting enable faster containment, including access revocation and downstream lockdown before impact spreads.
Finally, organizations must move beyond compliance-driven oversight toward operational resilience. Large enterprise vendors may be too complex or too embedded to remediate quickly. That reality requires contingency planning for the failure of critical shared services such as CRM platforms or managed file transfer systems. Scenario-based risk assessments that model financial and operational impact can justify investment in internal redundancies and incident response preparedness.
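As an added illustration of the concentration-risk mapping in the first recommendation (example code written for this article, not Black Kite’s tooling or methodology), the script below ranks vendors in a constructed dependency graph by blast radius, counting Nth-party links so that a vendor’s vendor is treated as part of the cascade. All organisation and vendor names are made up.

```python
from collections import defaultdict

# Constructed dependency edges: (dependent, vendor). Vendors can depend on
# other vendors; those 4th-party links are what turn one compromise into a cascade.
DEPENDENCIES = [
    ("AcmeBank", "CloudCRM"),
    ("AcmeBank", "PayrollCo"),
    ("RetailMart", "CloudCRM"),
    ("RetailMart", "ShipFast"),
    ("HealthNet", "PayrollCo"),
    ("HealthNet", "FileXfer"),
    ("CloudCRM", "FileXfer"),   # the CRM platform itself uses the file-transfer service
    ("PayrollCo", "FileXfer"),
    ("CityGov", "FileXfer"),
]

def build_reverse_graph(edges):
    """Map each vendor to the set of nodes that depend on it directly."""
    upstream = defaultdict(set)
    for dependent, vendor in edges:
        upstream[vendor].add(dependent)
    return upstream

def blast_radius(vendor, upstream):
    """Every node that depends on `vendor` directly or transitively.
    Iterative traversal with a visited set, so dependency cycles terminate."""
    seen, stack = set(), [vendor]
    while stack:
        for dep in upstream.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    seen.discard(vendor)
    return seen

def rank_concentration(edges, min_reach=2):
    """Rows of (vendor, direct dependents, transitive reach), largest reach
    first, for vendors whose compromise would hit at least `min_reach` nodes."""
    upstream = build_reverse_graph(edges)
    rows = []
    for vendor, direct in upstream.items():
        reach = blast_radius(vendor, upstream)
        if len(reach) >= min_reach:
            rows.append((vendor, len(direct), len(reach)))
    return sorted(rows, key=lambda r: (-r[2], r[0]))

if __name__ == "__main__":
    for vendor, direct, total in rank_concentration(DEPENDENCIES):
        print(f"{vendor:10} direct={direct} transitive={total}")
```

In the constructed data the file-transfer service has four direct customers but a transitive reach of six, which is the gap between a questionnaire view of direct vendors and the Nth-party view the report argues for.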