
Black Kite Tool Shows Which Suppliers are Vulnerable to Which Threats


In June, Black Kite introduced an AI-powered tool designed to automate the processes organizations use to assess the cyber risks faced by their third-party vendors. The goal was to replace, or at least reduce reliance on, traditional manual questionnaires with automated intelligence that pulls data directly from vendor documentation and trust centers.

This allows organizations to get a sharper view of the cyber risks facing their supply chain partners so that they can act faster to protect themselves.

At this week’s Black Hat USA 2025, the Boston-based company took another step in this direction, introducing its Adversary Susceptibility Index (ASI). Rather than only identifying the types of threats a vendor might face, the tool flags the threat groups most likely to target a given supplier or partner.

As threat groups become more sophisticated and more selective in their attacks, organizations need to understand which threats their suppliers are likely to face, according to Black Kite.

“Third-party risk management today still leans heavily on questionnaires, point-in-time assessments, and static scores,” Ferhat Dikbiyik, chief research and intelligence officer at Black Kite, told MSSP Alert. “That’s a problem when threat actors are adaptive and selective. If a group like Scattered Spider is hitting the retail sector, I don’t just want to know my overall vendor risk scores or an assessment made six months ago. I want to instantly see which vendors might be on Scattered Spider’s radar.”

Matching Vulnerabilities and Bad Actors

ASI does this by “matching each vendor’s exposures and technical gaps against the actual TTPs [tactics, techniques, and procedures] and behaviors of real threat actors,” Dikbiyik said. “We’re also factoring in victim profiles, so if an actor historically targets certain industries, geographies, or technologies, that shapes the susceptibility score.”

In the near future, Black Kite will go further, detecting traffic patterns between a vendor’s internet-facing systems and known malicious infrastructure such as C2 servers, he said, adding that “that’s the kind of context that turns generic risk lists into actionable intelligence.”

Scattered Spider is a good example. The hacking group is known for concentrating on one sector before moving on to the next. Earlier this year, Scattered Spider operatives targeted retailers in the United States and the U.K. before moving on to the insurance industry and then aviation. Such targeted operations call for a reworking of how third-party risk management (TPRM) is done.

Attacks are More Targeted

“Threat actors aren’t just spraying the internet anymore,” Dikbiyik said. “That’s an old tactic. They’re running campaigns that look a lot like targeted marketing. They have preferred industries, technologies, and attack methods, and they reuse what works. When you can tie a vendor to a specific group’s playbook, you can get ahead of the threat.”

As an example, if a ransomware affiliate is known for exploiting a specific VPN vulnerability, a company can check whether any of its vendors run that VPN. “You can act before they become a headline. Actor identification isn’t about naming and shaming. We are not after breach attribution. What we provide is knowing whose tactics your vendors are most exposed to so you can defend them in a way that matters,” Dikbiyik emphasized.

ASI links a supplier’s known exposures to the tactics a specific cybercrime group relies on, such as abusing open Remote Desktop Protocol (RDP) ports, exploiting unpatched critical security flaws, or using credentials taken from leaked infostealer logs. With that mapping, an organization can identify which suppliers most closely fit a particular group’s playbook and help them remediate the relevant weaknesses first.
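To make the kind of matching described in the two paragraphs above concrete (the "do any of my vendors run that VPN" check and the mapping of a vendor's exposures to a group's tactics and victim profile), here is a small scoring routine added as an illustration. It is not Black Kite's code and says nothing about how ASI is actually computed; the actor profiles, vendor records, exposure tags and weights are all constructed for the example.

```python
"""Illustrative actor-susceptibility scoring for third-party vendors.

Added example, not Black Kite's code or algorithm. Actor profiles, vendors,
exposure tags and weights are all constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ActorProfile:
    """What a threat group is known to exploit and whom it tends to target."""
    name: str
    techniques: frozenset    # exposure tags the group is known to abuse (constructed tags)
    industries: frozenset    # victim profile: sectors
    geographies: frozenset   # victim profile: countries
    technologies: frozenset  # victim profile: products the group goes after


@dataclass(frozen=True)
class Vendor:
    """A supplier as seen from the outside: footprint plus observed exposures."""
    name: str
    industry: str
    country: str
    technologies: frozenset
    exposures: frozenset     # exposure tags found on the vendor's attack surface


# Weights are an assumption for the example: technical fit dominates, the
# victim profile (industry, geography, technology) shapes the rest of the score.
WEIGHTS = {"technique": 0.5, "industry": 0.2, "geography": 0.1, "technology": 0.2}


def _overlap_ratio(have: frozenset, wanted: frozenset) -> float:
    """Fraction of the actor's preferences that the vendor actually matches."""
    if not wanted:
        return 0.0
    return len(have & wanted) / len(wanted)


def matching_exposures(vendor: Vendor, actor: ActorProfile) -> list:
    """The concrete gaps that put this vendor on this actor's radar (explainability)."""
    return sorted(vendor.exposures & actor.techniques)


def susceptibility(vendor: Vendor, actor: ActorProfile) -> float:
    """Score in [0, 1]: how well the vendor fits the actor's playbook and victimology."""
    score = WEIGHTS["technique"] * _overlap_ratio(vendor.exposures, actor.techniques)
    score += WEIGHTS["industry"] * (1.0 if vendor.industry in actor.industries else 0.0)
    score += WEIGHTS["geography"] * (1.0 if vendor.country in actor.geographies else 0.0)
    score += WEIGHTS["technology"] * _overlap_ratio(vendor.technologies, actor.technologies)
    return round(score, 4)


def rank_vendors(vendors, actor: ActorProfile) -> list:
    """All vendors ordered by susceptibility to one actor, highest first."""
    scored = [(v.name, susceptibility(v, actor)) for v in vendors]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def on_radar(vendors, actor: ActorProfile, threshold: float = 0.5) -> list:
    """Names of vendors whose score meets the threshold: the ones to remediate first."""
    return [name for name, score in rank_vendors(vendors, actor) if score >= threshold]


# --- constructed sample data (not real actor intelligence) -------------------
GROUP_A = ActorProfile(
    name="Group A (constructed)",
    techniques=frozenset({"open_rdp", "unpatched_vpn_cve", "stealer_log_creds"}),
    industries=frozenset({"retail", "insurance", "aviation"}),
    geographies=frozenset({"US", "UK"}),
    technologies=frozenset({"vpn_appliance_x"}),
)
GROUP_B = ActorProfile(
    name="Group B (constructed)",
    techniques=frozenset({"phishing", "unpatched_vpn_cve"}),
    industries=frozenset({"hospitality", "restaurant"}),
    geographies=frozenset({"US"}),
    technologies=frozenset({"pos_terminal_y"}),
)
VENDORS = [
    Vendor("Acme Logistics", "retail", "US",
           frozenset({"vpn_appliance_x"}), frozenset({"open_rdp", "stealer_log_creds"})),
    Vendor("Beta Payments", "hospitality", "US",
           frozenset({"pos_terminal_y"}), frozenset({"unpatched_vpn_cve"})),
    Vendor("Gamma Insurance Services", "insurance", "UK", frozenset(), frozenset()),
]

if __name__ == "__main__":
    for actor in (GROUP_A, GROUP_B):
        print(actor.name, rank_vendors(VENDORS, actor))
        for name in on_radar(VENDORS, actor):
            vendor = next(v for v in VENDORS if v.name == name)
            print("  ", name, "->", matching_exposures(vendor, actor))
```

Two things worth noticing in the output. "Gamma Insurance Services" matches Group A's victimology (insurance, U.K.) but has none of the exposures the group abuses, so it scores 0.3 and stays below the radar threshold; victim profile alone does not make a vendor a likely target. "Acme Logistics" scores 0.8333 against Group A, and `matching_exposures` names the two gaps (open RDP, stealer-log credentials) that a remediation request to the vendor should cite. In a real deployment the constructed tags would be replaced by observed exposures and actual actor tradecraft, and the weights would be calibrated rather than assumed.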

MSSPs Bring Scale

MSSPs, in turn, can use ASI to scan their customer bases quickly and consistently and, rather than treating every client the same way, concentrate on those most exposed to the threat groups that are most active at the moment.

“They can build tailored blueprints. If a customer’s suppliers are susceptible to a group like FIN7, the MSSP can deploy specific detections, hardening steps, and awareness campaigns tied to FIN7’s known tactics,” Dikbiyik said. “Channel partners are huge for us because they extend this intelligence to organizations that might not have dedicated cyber threat teams.”

Using ASI provides MSSPs a way to bring precise threat-actor context into TPRM at scale, he said.

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
