I have spent more than two decades building companies in cyber threat intelligence. In 2002, when I acquired iDEFENSE, threat intelligence was a term almost no one used. By 2007, when I founded iSIGHT Partners, the category had a name and a market but still operated like a library. It told you what the adversary had already done. At Mandiant, through the FireEye divestiture and the Google acquisition, we compressed that lag. But we never closed it.
The gap between intelligence and action is where the modern adversary lives. Today that gap has become untenable.
Third-party risk is where this shows up first. Every CISO I talk to manages vendor risk with tools that were built for a different decade: annual questionnaires, static posture scores, and compliance programs that tell you whether controls exist, not whether a critical vendor is actively being targeted. The data confirms the mismatch. According to the 2026 Verizon Data Breach Investigations Report, 48 percent of breaches now involve a third party. Attackers are increasingly targeting vendors, suppliers, partners, and SaaS providers as the easiest path into the enterprise. The average cost of a third-party compromise is now $4.91 million. Only 4 percent of organizations believe their own vendor questionnaires accurately reflect real security posture.
We built iCOUNTER to close the gap. Our Counter Threat Operating System, CTOS, went generally available on March 24, 2026, with a dedicated Third-Party Risk module as its first application. This guide explains the thinking behind that launch: what has changed in the threat environment, why the status quo cannot hold, and what a program built for 2026 actually looks like.
Read it as a guide, not a white paper. The framework is directly applicable, the data is sourced, and the calls to action are concrete. The adversary has compressed their timeline. It is time we compressed ours.
Three numbers tell the story. According to the 2026 Verizon Data Breach Investigations Report, 48 percent of breaches now involve a third party. Attackers are increasingly targeting vendors, suppliers, partners, and SaaS providers as the easiest path into the enterprise. The average cost of a third-party compromise reached $4.91 million. Only 4 percent of organizations have high confidence that their vendor questionnaires reflect real security posture.
These are not isolated data points. They are three expressions of the same structural problem: vendor risk programs built to measure hygiene cannot detect targeting. Questionnaires document stated intentions. Security ratings measure static posture. Neither tells you whether an adversary is reconnoitering a vendor environment right now.
This guide is written for CISOs, TPRM leaders, security operations teams, and executive leadership who recognize that the current model has run out of runway. It covers 2025 to 2026 threat data, the regulatory shifts that have moved TPRM from recommendation to mandate (DORA, NIS2, SEC disclosure), the operational gap between posture measurement and compromise detection, and a phased roadmap for rebuilding TPRM around a system of action rather than a system of record.
For most of the last decade, third-party risk management was a governance function. Periodic assessments, compliance documentation, and risk registers measured vendor hygiene at scheduled intervals. The model was built for a world where threats moved slowly and vendor ecosystems were simple. That world is gone. The 2026 Verizon Data Breach Investigations Report found that 48 percent of breaches now involve a third party. Attackers are increasingly targeting vendors, suppliers, partners, and SaaS providers as the easiest path into the enterprise. This is not a gradual trend. It is a step change.
Average enterprises manage roughly 286 vendor relationships today. At Fortune 500 scale, the figure runs into the thousands. At the largest global enterprises, it reaches tens of thousands. Each relationship is a potential entry point: direct network access, shared credentials, SaaS integrations, API connections, or data-processing agreements. The KPMG 2026 Global TPRM Survey, based on 851 organizations, found cyber risk and information security (48 percent) and regulatory compliance (45 percent) are now the dominant drivers of TPRM strategy.
Traditional programs do four things well: measure posture, conduct periodic assessments, produce risk scores, and record compliance state. They were never built to do four things that now matter most: detect real-time compromise, determine risk at the point of collection, route risk into operational action, and enable counter-threat execution across vendor environments. The median time to remediate leaked secrets discovered in a GitHub repository is 94 days. That is longer than the typical dwell time of a ransomware operator.
The assessment tool that the majority of TPRM teams rely on is the same one only 4 percent believe delivers accurate results. This is not a process problem. It is an architectural one.
To understand where third-party risk management must go, it helps to understand where cybersecurity as a discipline has been. The industry has moved through three distinct eras, each defined by how organizations collect intelligence and turn it into action.
The transition from Wave 2 to Wave 3 is a category change, not an incremental improvement. Wave 2 solved the aggregation problem: organizations could finally see their threat data in one place. Wave 3 solves a different problem entirely. It turns that data into action without a human analyst queue in the middle. Risk determination must move to the edge of collection. Instead of ingesting data, analyzing it manually, and then deciding whether to act, the system itself determines relevance, assigns priority, and routes prescriptive remediation to the right operational owner, in real time.
If your program was built during Wave 1 or Wave 2, it is out of step with the current threat environment. Existing investments are not wasted. They form the foundation for a necessary evolution. Posture data remains valuable. Questionnaires still inform governance. But without a detection layer, you are managing risk based on assumptions rather than evidence.
Traditional TPRM programs were built for a narrower world. Vendor ecosystems were smaller. Threat actors moved more slowly. Regulators asked for due diligence, not operational resilience. In 2026, every one of those conditions has changed.
Questionnaires capture what vendors say about their security controls, not what they actually do. They are self-reported, point-in-time snapshots. Between assessments, anything can change: staff turnover, configuration drift, expired certifications, or active compromise. Only 4 percent of organizations have high confidence that questionnaire responses accurately reflect actual security posture.
This is the critical distinction that separates legacy TPRM from modern counter-threat operations. Posture scoring answers one question: does this vendor have good security hygiene? Compromise detection answers another: is this vendor being actively targeted by an adversary right now? Both questions matter. They are not interchangeable.
A Tier 1 SaaS vendor (payroll, CRM, or identity) holds an A rating on every major security rating platform. Their SOC 2 Type II is current. Their most recent questionnaire response is thorough. At the same moment, a ransomware affiliate is running credential-stuffing against their externally exposed admin console, using leaked credentials from an unrelated breach. The security rating sees none of this. The questionnaire captures none of this. An enterprise relying on those tools has zero visibility into a targeting event that will, within days, become a vendor compromise. Shortly after, it becomes an enterprise incident.
A vendor with mediocre posture scores may face no active targeting at all. Conversely, a vendor with immaculate posture can be compromised by a zero-day, a supply chain attack on their software provider, or a credential exposure they have not yet detected. Risk programs that rely exclusively on posture are managing probability without measuring intent. In an AI-compressed threat landscape, intent moves faster than hygiene assessments can track.
The regulatory environment for third-party risk has tightened. What was best practice a few years ago is now a legal requirement across multiple jurisdictions. Enforcement actions and penalties have moved vendor oversight onto board agendas.
DORA designated 19 Critical ICT Third-Party Providers in November 2025, including AWS, Google Cloud, Microsoft, hyperscalers, data center operators, and specialist fintechs. Financial entities relying on these providers are now under enhanced ESA oversight. The UK is expected to follow a parallel path within twelve months. The SEC rule treats third-party origin as a material disclosure: if the incident is material to the registrant, it must be reported within four business days of materiality determination.
The contract clauses that matter most in 2026: breach notification timeframes aligned with regulation, incident response obligations with vendor deadlines, right-to-audit for independent verification, security and privacy obligations specific to data types accessed, and termination rights tied to material security failures.
A modern TPRM framework requires four foundations: clear vendor risk tiering, defined cross-functional governance, continuous monitoring capability, and documented evidence trails. Most programs treat these as independent. They are not. A risk-tiering model without continuous monitoring is aspirational. Monitoring without governance is noise.
Effective tiering considers four dimensions: data access (type, volume, sensitivity), system integration depth (network access, API connections, SSO), business criticality (operational dependency and revenue impact), and regulatory exposure (whether the vendor falls under DORA, NIS2, or sector-specific requirements).
01. Data access: type, volume, sensitivity of data the vendor touches
02. System integration depth: network access, API connections, SSO
03. Business criticality: operational dependency and revenue impact
04. Regulatory exposure: DORA, NIS2, or sector-specific requirements
The mistake most programs make is tiering exclusively on data volume or contract value. A vendor with minimal data but deep integration may pose greater operational risk than a large data processor with limited system access. Tiering must incorporate adversary targeting probability. A vendor that rates low on traditional criteria but is being actively reconnoitered by a targeted threat actor may, in that moment, be your highest-priority exposure.
First-line business units own the vendor relationship and initial risk identification. Second-line risk and compliance set standards and monitor aggregate exposure. Third-line internal audit provides independent assurance. The most effective programs use a hybrid operating model, which surged to 52 percent of organizations in 2025, a 41 percent increase over 2024 (Venminder).
The most significant conceptual shift in TPRM is the transition from posture measurement to compromise detection. This is not about replacing one tool with another. It is about adding detection-layer control that has never existed in the TPRM stack.
Compromise intelligence is not threat intelligence, attack surface management, or security ratings, though it sits adjacent to all three. Threat intelligence reports on adversary activity in the world. Attack surface management maps an organization's externally visible infrastructure. Security ratings score vendor hygiene. None of them can answer the question: is this specific vendor in my ecosystem being actively targeted, right now, by an adversary whose behavior intersects with my business?
That question is what compromise intelligence was built to answer. It detects whether adversary infrastructure is actively targeting a vendor's environment, identifies targeting in real time, and routes prescriptive remediation to the right operational owner.
iCOUNTER's Counter Threat Operating System (CTOS) operationalizes this model through four integrated components.
01. Threat Collection Edge. Collects signals from adversary infrastructure, compromise activity, exposed credentials, dark web sources, and ecosystem telemetry.
02. Risk Determination Engine. Correlates intelligence against enterprise context to determine what represents real risk now, rather than routing everything into analyst queues.
03. Enterprise Digital Twin. Maps vendors, suppliers, identities, assets, and relationships. The architectural differentiator: every incoming signal is tested against a live model of your extended enterprise.
04. Counter-Threat Operations. Routes intelligence into operational workflows, interventions, and response actions across the enterprise ecosystem.
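As an added illustration (not iCOUNTER's code or the actual logic of CTOS), the following small Python model ties together the tiering dimensions above and the "signal tested against a live model of the enterprise" idea: a vendor's static tier is computed from the four dimensions with integration depth weighted above data volume, and any active-targeting signal correlated against the vendor inventory overrides that tier and routes the vendor to its operational owner. Vendor names, signal kinds, weights and thresholds are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Vendor:
    name: str
    data_sensitivity: int      # 0-3: none, internal, confidential, regulated
    integration_depth: int     # 0-3: none, file export, API, network or SSO
    business_criticality: int  # 0-3: operational dependency, revenue impact
    regulated: bool            # in scope for DORA, NIS2 or sector rules
    owner: str                 # operational owner remediation is routed to


def static_tier(v: Vendor) -> int:
    """Tier 1 (highest) to 3 from the four tiering dimensions.

    Integration depth is double-weighted so a small-data vendor with network
    or SSO access does not rank below a large data processor that only
    receives exports. Weights and thresholds are constructed for this example.
    """
    score = (v.data_sensitivity + 2 * v.integration_depth
             + v.business_criticality + (2 if v.regulated else 0))
    if score >= 8:
        return 1
    if score >= 4:
        return 2
    return 3


# Signal kinds treated as active targeting rather than hygiene findings.
TARGETING_KINDS = {"adversary_reconnaissance", "credential_exposure",
                   "ransomware_affiliate_activity"}


def route(vendors: list[Vendor], signals: list[dict]) -> list[dict]:
    """Assign each vendor a priority and the owner it is routed to.

    Priority starts at the static tier; an active targeting signal lifts the
    vendor to priority 1 regardless of tier, the override argued for above.
    """
    targeted = {s["vendor"] for s in signals if s["kind"] in TARGETING_KINDS}
    decisions = []
    for v in vendors:
        tier = static_tier(v)
        hit = v.name in targeted
        decisions.append({
            "vendor": v.name, "static_tier": tier,
            "priority": 1 if hit else tier, "owner": v.owner,
            "reason": "active targeting observed" if hit else "static tier only",
        })
    return sorted(decisions, key=lambda d: (d["priority"], d["static_tier"]))


# Constructed sample inventory and signal (not real vendors or telemetry).
VENDORS = [
    Vendor("payroll-saas", 3, 3, 3, True, "hr-systems"),
    Vendor("remote-support-tool", 1, 3, 2, False, "it-ops"),
    Vendor("marketing-analytics", 2, 1, 1, False, "marketing-it"),
    Vendor("catering", 0, 0, 0, False, "facilities"),
]
SIGNALS = [{"vendor": "catering", "kind": "adversary_reconnaissance"}]
```

With the constructed signal, the catering vendor (static tier 3) is routed to facilities at priority 1 ahead of the tier 2 analytics vendor, while the remote-support tool lands in tier 1 on integration depth alone despite touching little data.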
The initial CTOS release includes a dedicated Third-Party Risk module, CTOS-TPR, which detects adversary reconnaissance, campaign staging, and targeting activity directed at vendors, suppliers, and technology partners. Five capabilities define the module.
The threat landscape your organization operates in is no longer confined to your perimeter. It runs across your vendor ecosystem, and AI has changed how fast it moves. Criminal infrastructure like WormGPT and FraudGPT lowers the cost of high-quality phishing. AI voice cloning has industrialized vishing against specific executives. Automated reconnaissance at machine speed finds vulnerabilities faster than humans can patch them. Every one of these capabilities is being turned against vendors with privileged access to your environment.
Traditional TPRM cycles run on human timescales: quarterly assessments, annual reviews, manual triage. Adversary operations increasingly run on machine timescales. That is the core mismatch.
Posture-based programs cannot keep pace, because the clock they run on is the wrong one. AI lets threat actors probe thousands of vendor environments at once, pick the weakest link in a supply chain, and exploit it before the enterprise even knows targeting has started. When adversary operations run 24/7 at machine speed, the enterprise that relies on periodic assessment is not just under-resourced. It is out-clocked.
The pattern is not theoretical. Change Healthcare (Feb 2024) originated through a third-party access vector. UnitedHealth later disclosed total incident costs exceeding $2.9 billion. The Snowflake customer-tenant campaign of 2024 propagated through compromised credentials to hit Ticketmaster, AT&T, and Santander. The MOVEit / Cl0p supply-chain attack is still generating downstream disclosures eighteen months after initial exploitation. In each case, the breached organization's own posture scores were irrelevant. The exposure lived in the vendor relationship.
An emerging dimension of TPRM is assessing how vendors themselves use AI. Third-party due diligence now routinely includes assessment of vendor AI use, data inputs, governance controls, and model risk, particularly where vendor AI systems touch regulated data or customer-facing decisions. Per Venminder's 2025 State of TPRM Survey, 40 percent of organizations added contract language addressing AI risk in 2024, and the share of organizations not monitoring vendor AI usage at all dropped from 37 percent to 23 percent year over year.
The metrics that defined TPRM success in previous years (assessment completion rates, questionnaire response times, compliance scores) measure program activity, not risk reduction. In 2026, security leaders need metrics that quantify ecosystem exposure and demonstrate measurable improvement to boards, regulators, and operational teams.
Board reporting should answer three questions. What is our current ecosystem exposure? Is it improving or deteriorating? What are we doing about the highest-priority risks? The most effective programs use risk quantification models such as FAIR to express exposure in financial terms. This transforms the board conversation from "Are we compliant?" to "Are we reducing exposure at a rate that justifies our investment?"
A TPRM transformation is not a single initiative. It is a sequence. Each phase builds capability while the program keeps running. Establish a truth baseline, build operational capability against the highest-priority vendors, then operationalize the feedback loops that make the program self-improving.
The direction is clear. The industry is moving from governance to operations, from posture to detection, and from documentation to action. Organizations that make this transition reduce breach exposure. They also turn TPRM from a cost center into a strategic capability.
The end state is an operating model that collapses the distance between intelligence and action. When adversary infrastructure targets a vendor in your ecosystem, the system detects it, determines relevance, routes prescriptive remediation to the right owner, tracks resolution, and reports outcomes. All without waiting for a human to triage an alert queue. This is not theoretical. As of March 24, 2026, the technology is generally available. What separates leaders from laggards is organizational will.
The most forward-looking organizations are beginning to treat third-party risk not as a peripheral governance function, but as an extension of their own security operations. This means feeding vendor risk signals into the enterprise SOC so analysts can act on ecosystem threats with the same urgency as internal threats. It means holding vendors accountable for measurable security outcomes rather than compliance documentation. The AI threat landscape runs across the whole ecosystem whether a security team watches it or not. The programs that will function in 2026 are the ones that accept that reality and counter ecosystem threats before they become enterprise incidents.
Questionnaires and posture scores become risk determination at the edge of collection. Manual triage becomes machine-driven counter-threat operations. Internal infrastructure as the primary security boundary becomes ecosystem-wide coverage. Alert overload becomes earlier signal detection. Intelligence separated from operations becomes intelligence routed directly into action.
iCOUNTER protects enterprises from the fastest-growing attack vector in cybersecurity: their ecosystem. According to the 2026 Verizon Data Breach Investigations Report, 48 percent of breaches now involve a third party. Attackers are increasingly targeting vendors, suppliers, partners, and SaaS providers as the easiest path into the enterprise. Our platform delivers real-time ecosystem risk intelligence at scale, identifying active threats like stolen credentials, ransomware activity, and adversary targeting across your third-party ecosystem before they impact your business.
Instead of relying on static scorecards and delayed assessments, iCOUNTER provides actionable intelligence and near-real-time remediation that helps security teams close visibility gaps, reduce operational strain, improve TPRM effectiveness, and counter threats before they strike. This is the shift from passive risk management to operationalized ecosystem defense. Founded by John Watters and veterans of iDEFENSE, iSIGHT Partners, and Mandiant, iCOUNTER was recognized as a TAG 2025 Distinguished Vendor and launched CTOS in general availability in March 2026.
01. Risk determination at the edge of intelligence collection.
02. Intelligent routing to operational owners across the enterprise ecosystem.
03. Counter-threat action that replaces dashboard backlog with automated response.
04. Measurable reductions in ecosystem exposure, evidence-backed and board-ready.