For every supply chain breach that makes headlines, there are roughly 36 victims you never hear about. Black Kite's seventh annual Third-Party Breach Report reveals a staggering "Shadow Layer" of 26,000 unnamed corporate victims hidden behind 136 verified breaches in 2025 — and most of them still don't know how exposed they are.
The Numbers That Should Alarm Every CISO
Black Kite monitored over 200,000 organizations and compiled verified public breach disclosures from 2025. The findings paint a picture of systemic supply chain risk:
| Metric | Value |
|---|---|
| Verified third-party breaches | 136 |
| Publicly named downstream victims | 719 (5.28 per vendor average) |
| Unnamed corporate victims reported | 26,000 |
| Individuals impacted | 433 million |
| Ratio of hidden to visible victims | ~36:1 |
That 36:1 ratio is the "Shadow Layer" — for every company publicly named in a breach disclosure, 36 more reported being affected but were never publicly identified. They exist in regulatory filings and vendor notifications, invisible to threat intelligence feeds and news coverage.
Who Gets Breached, Who Gets Hurt
The research reveals a critical asymmetry: risk originates upstream in centralized service providers, but impact accumulates downstream in data-rich sectors.
Breach Origins (Where Attacks Start)
| Sector | Breaches | Share |
|---|---|---|
| Software/SaaS vendors | 38 | 28% |
| Professional/technical services | 14 | 10% |
| Healthcare services | 10 | 7% |
Downstream Impact (Who Suffers Most)
| Sector | Named Victims |
|---|---|
| Healthcare | 258 |
| Education | 140 |
| Financial services | 101 |
Software vendors cause the most breaches; healthcare organizations absorb the most damage. This is the supply chain paradox: the organizations with the most sensitive data are the most dependent on third-party services and the least equipped to evaluate their vendor risk.
Detection and Disclosure: An Eternity of Exposure
The timeline from intrusion to customer notification is where the real damage compounds:
Intrusion → [10 days median] → Detection
Detection → [63 days gap] → Customer notification
Total: 73 days median (117 days average)
Black Kite's assessment is blunt: "73 days is not an 'investigation period.' In the context of active exploitation it is an eternity."
During those 73 days, attackers have already exfiltrated data, established persistence, and potentially pivoted into downstream organizations. By the time victims learn they're affected, the damage is done.
Vendor Risk: The Top 50 Are Already Compromised
Black Kite profiled the top 50 breached vendors and found alarming exposure levels:
| Risk Indicator | Percentage |
|---|---|
| CISA KEV vulnerabilities exposed | 70% |
| Critical vulnerabilities present | 84% |
| Exposed to phishing URLs | 80% |
| Corporate credentials in stealer logs | 62% |
| Previous breach history | 52% |
| Breached within past year | 18% |
62% of top breached vendors have corporate credentials circulating in stealer logs. This means attackers don't need zero-days — they can buy valid credentials on dark web marketplaces and walk through the front door.
Detection & Hunting for Supply Chain Compromise
Sigma Rule: Third-Party Vendor Compromise Indicators
```yaml
title: Suspicious Activity from Third-Party Vendor Integration
id: 4a5b6c7d-8e9f-0a1b-2c3d-4e5f6a7b8c9d
status: experimental
description: Detects unusual access patterns from third-party service accounts
logsource:
  product: azure
  service: signinlogs
detection:
  selection:
    AppDisplayName|contains:
      - 'vendor'
      - 'integration'
      - 'api-service'
    ResultType: 0
  filter_normal:
    IPAddress|cidr:
      - '10.0.0.0/8' # Expected vendor IP ranges
  condition: selection and not filter_normal
level: medium
tags:
  - attack.initial_access
  - attack.t1195
  - attack.t1078
```
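To show what the rule above actually matches, here is its selection / filter_normal / condition logic run over a few constructed Azure sign-in records. This is an added illustration, not code from the report or from Black Kite; the log lines, the app names and the 10.0.0.0/8 "expected vendor range" are all assumptions.

```python
import ipaddress
import json

# Constructed sample Azure AD sign-in records (JSON lines); not real log data.
SAMPLE_SIGNIN_LOGS = [
    '{"AppDisplayName": "Vendor Data Integration", "ResultType": 0, "IPAddress": "10.20.30.40", "UserPrincipalName": "svc-vendor@example.com"}',
    '{"AppDisplayName": "Vendor Data Integration", "ResultType": 0, "IPAddress": "203.0.113.77", "UserPrincipalName": "svc-vendor@example.com"}',
    '{"AppDisplayName": "api-service-sync", "ResultType": 50126, "IPAddress": "198.51.100.9", "UserPrincipalName": "svc-api@example.com"}',
    '{"AppDisplayName": "Outlook", "ResultType": 0, "IPAddress": "198.51.100.9", "UserPrincipalName": "alice@example.com"}',
]

# Mirrors the Sigma rule's selection and filter_normal blocks.
APP_KEYWORDS = ("vendor", "integration", "api-service")
EXPECTED_VENDOR_RANGES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed allow-list


def matches_selection(event: dict) -> bool:
    """selection: AppDisplayName contains a keyword (Sigma string matching is
    case-insensitive) AND the sign-in succeeded (ResultType 0)."""
    app = str(event.get("AppDisplayName", "")).lower()
    return any(k in app for k in APP_KEYWORDS) and event.get("ResultType") == 0


def in_expected_range(event: dict) -> bool:
    """filter_normal: source IP falls inside one of the expected vendor CIDRs."""
    try:
        ip = ipaddress.ip_address(event.get("IPAddress", ""))
    except ValueError:
        return False  # missing or unparsable IP is not 'normal'; let the alert fire
    return any(ip in net for net in EXPECTED_VENDOR_RANGES)


def detect(log_lines) -> list:
    """condition: selection and not filter_normal. Returns the alerting events."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        if matches_selection(event) and not in_expected_range(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_SIGNIN_LOGS):
        print(f"ALERT {hit['UserPrincipalName']} via {hit['AppDisplayName']} from {hit['IPAddress']}")
```

Only the second record alerts: the first is a vendor sign-in from the expected range, the third failed (ResultType 50126), and the fourth is not a vendor integration app.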
Proactive Measures
- Map your vendor surface — enumerate every third party with access to your data or systems; most organizations undercount by 40-60%
- Monitor CISA KEV against vendor tech stacks — if your SaaS vendor runs software with known exploited vulnerabilities, your data is at risk
- Check stealer logs — services like Hudson Rock, SpyCloud, or Flare can reveal if your vendors' credentials are compromised
- Enforce notification SLAs — contractual requirement for 48-hour breach notification, not the current 73-day median
- Segment vendor access — zero-trust principles: vendors get minimum required access with full audit logging
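The first two measures (a vendor inventory, checked against CISA KEV) can be automated. The following is an added example, not from the report or from Black Kite: it takes a constructed vendor inventory and a constructed feed in the shape of CISA's KEV JSON (the field names are the real ones; the entries and CVE ids are placeholders, not real vulnerabilities) and flags which vendors run products on the catalogue, whether the entry is tied to ransomware use, and whether its remediation due date has passed.

```python
import json

# Constructed stand-in for the CISA KEV feed; placeholder CVE ids, not real entries.
KEV_FEED_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-PLACEHOLDER1", "vendorProject": "ExampleVendor",
         "product": "FileTransferGateway", "dateAdded": "2025-03-01",
         "dueDate": "2025-03-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-PLACEHOLDER2", "vendorProject": "OtherCorp",
         "product": "HelpdeskPortal", "dateAdded": "2025-06-10",
         "dueDate": "2025-07-01", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed vendor inventory: third party -> (vendorProject, product) pairs it exposes to you.
VENDOR_INVENTORY = {
    "Payroll SaaS Inc": [("ExampleVendor", "FileTransferGateway")],
    "Clinic Scheduling Ltd": [("SomeoneElse", "SchedulerApp")],
}


def kev_index(feed_json: str) -> dict:
    """Index KEV entries by normalised (vendorProject, product) for exact lookup."""
    idx = {}
    for v in json.loads(feed_json)["vulnerabilities"]:
        key = (v["vendorProject"].strip().lower(), v["product"].strip().lower())
        idx.setdefault(key, []).append(v)
    return idx


def vendors_exposed_to_kev(inventory: dict, feed_json: str, today: str = "2025-04-01") -> dict:
    """Return {vendor: [findings]} for every inventory product present in KEV.
    'today' is an ISO date string; ISO dates compare correctly as strings."""
    idx = kev_index(feed_json)
    findings = {}
    for vendor, products in inventory.items():
        for vendor_project, product in products:
            for entry in idx.get((vendor_project.strip().lower(), product.strip().lower()), []):
                findings.setdefault(vendor, []).append({
                    "cveID": entry["cveID"],
                    "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                    "overdue": entry["dueDate"] < today,  # past CISA's remediation due date
                })
    return findings


if __name__ == "__main__":
    print(json.dumps(vendors_exposed_to_kev(VENDOR_INVENTORY, KEV_FEED_SAMPLE), indent=2))
```

In practice the feed would be fetched from CISA and the inventory from your vendor register; a vendor with an overdue, ransomware-linked KEV entry is the one to escalate first.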
The Uncomfortable Truth
Supply chain security has a visibility problem. The 719 publicly named victims get the attention, the incident response budgets, and the regulatory scrutiny. The 26,000 unnamed victims get a form letter months after their data was exfiltrated.
As MITRE T1195 (Supply Chain Compromise) continues to dominate the threat landscape, organizations need to stop asking "have we been breached?" and start asking "which of our vendors has been breached that we don't know about yet?"
The Shadow Layer isn't a future threat — it's already here, and you're probably in it.
Source: Infosecurity Magazine