
A new report from cyber risk management company Black Kite finds 136 unique major incidents affecting 719 named companies; however, an estimated 26,000 additional impacted companies were not officially named in breach reports.
In 2025, the report shows an average of 5.28 downstream victims per third-party breach, the highest level observed to date (2.56 in 2024, 3.09 in 2023, 4.73 in 2022, and 2.46 victims per incident in 2021). This uptick reflects a sharp increase in the scale and coordination of attacks, driven by threat actors targeting shared platforms, centralized services, and high-dependency vendors. As attackers move upstream, single compromises increasingly translate into multi-company impact.
“Traditional third-party risk management is not keeping pace with the reality of today’s threats,” says Ferhat Dikbiyik, chief research and intelligence officer at Black Kite. “Over the past year, these risks have transformed from a series of isolated accidents into a systematic crisis. The Black Kite Research Group took a deep dive into the supply chain, and from our findings, we can forget about the ‘weakest link.’ Supply chains are actually most fragile at their highest points of connection. Knowing this, it’s imperative that security teams understand where risk enters, where it concentrates, and how it propagates, and to get there, they need to shift toward active intelligence and systematic awareness.”
The visibility gap is further widened by a persistent 'silent window': while the median time to detect an intrusion was 10 days, the median delay in disclosing that breach to the public was 73 days. This delay represents a massive transfer of risk from the vendor to the unsuspecting downstream customer.
Across nearly 200,000 monitored organizations, the software ecosystem appears healthy on paper, with an average Cyber Grade of 90.27 (A), yet failure signals are widespread: 53.77 percent have at least one critical vulnerability, and 23.34 percent have corporate credentials circulating on the dark web.
Risk isn't uniform across sectors. Manufacturing and professional services sit in the pressure zone, with high Ransomware Susceptibility and weak patch discipline, while finance trends toward a more controlled profile.
Reliance on third parties means the top 50 vendors shared by the Forbes Global 2000 represent a concentrated point of failure. Threat actors know these vendors are the 'master keys' to some of the world's largest organizations, so they are hunting them aggressively.
You can get the full report from the Black Kite site.
