Apr 09, 2026 • Recorded Future
Third-Party Risk Is an Intelligence Operation. It's Time We Treated It Like One.
Executive Summary
This article from Recorded Future discusses the evolution of third-party risk management from traditional compliance-based approaches to intelligence-driven operations. It emphasizes that threat actors increasingly target supply chain weak points as paths to larger targets, with ransomware groups listing compromised vendors on extortion sites and stolen credentials surfacing on dark web forums. The article promotes Recorded Future's platform combining hygiene ratings (RiskRecon) with real-time threat intelligence for continuous vendor monitoring. Key capabilities highlighted include alerting on ransomware extortion activity, dark web exposures, credential leaks, and active vulnerability exploitation—often before vendors are aware. The piece reflects broader market recognition that cyber risk ratings alone are insufficient, requiring integrated intelligence for proactive third-party risk mitigation.
Summary
Recorded Future sees its inclusion in the 2026 Forrester Wave™ for Cybersecurity Risk Ratings Platforms as a reflection of a broader truth: the era of ratings-only vendor risk management is over.
Published Analysis
For years, the cybersecurity industry has treated third-party risk management as a compliance exercise. Assess your vendors. Assign a score. File the report. Move on.

That model was built for a different era. One where supply chains were smaller, threat actors were less sophisticated, and a quarterly questionnaire could reasonably approximate a vendor's security posture. That era is over.

Today, the average enterprise works with hundreds of third parties. Threat actors actively target the weakest links across those supply chains, not because the vendors themselves are the prize, but because they're the path of least resistance into larger, more valuable targets. Ransomware groups list vendors on extortion sites before those vendors even know they've been compromised. Stolen employee credentials surface on dark web forums undetected. Critical vulnerabilities are weaponized in hours, not months.

In this environment, a security rating is necessary. But it is nowhere near sufficient.

Recognized in the 2026 Forrester Wave™

Recorded Future was recently included in The Forrester Wave™: Cybersecurity Risk Ratings Platforms, Q2 2026. (The report is available online to Forrester customers or for purchase here.) We see this recognition as a reflection of the market's evolution — and as an acknowledgement of the direction we've been building toward.

We believe the cybersecurity risk ratings market is at an inflection point. Analysts and practitioners alike recognize that the category is moving beyond standalone ratings toward integrated intelligence and actionable insights. We see our inclusion in this evaluation as confirmation that the convergence of hygiene data and threat intelligence isn't a niche play — it's where the market is heading.

In light of where the ratings market is today, let's dive into where Recorded Future is going and how Recorded Future envisions the future of securing the third-party ecosystem.

The Gap Between Hygiene and Intelligence

Cyber risk ratings have earned their place in the security stack. They provide a standardized, scalable way to evaluate a vendor's external security posture — patching cadence, encryption practices, DNS configuration, exposed services. That hygiene baseline matters. It's a correlative signal for breach potential, and it gives risk teams a common language for comparing vendors and benchmarking against industry peers.

But hygiene ratings only answer part of the problem: How well is this vendor maintaining their defenses? They don't tell you whether anyone is actively trying to breach those defenses. They don't surface the dark web chatter on a specific vendor. They don't alert you when a vendor's credentials are leaked or when it has an active malware infection.

This is the gap that has left third-party risk programs perpetually reactive. Teams learn about vendor compromises from news headlines or from the vendors themselves — often days or weeks after the initial breach. By then, the window for proactive response may have closed.

From our own customer conversations, we hear that security and risk teams have shifted from wanting ratings and accuracy alone to demanding intelligence that reveals real cybersecurity risk, with prioritized findings and actionable remediation guidance. Ratings are increasingly commoditized. The differentiation now lies in what you do with the data, and what additional signals you bring to the table.

Third-Party Risk Management Is an Intelligence Operation

If you accept that ratings alone aren't enough, the logical next step is clear: third-party risk management must be treated as an intelligence operation. That means combining the hygiene baseline — the outside-in view of a vendor's security posture — with real-time threat intelligence that tells you who is being targeted, how, and what you should do about it. It means shifting from periodic assessments to...
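The article's argument is that a hygiene rating and intelligence signals answer different questions, so a vendor-prioritisation queue should let an active signal (an extortion-site listing, a leaked credential set, an exposed service with an exploited vulnerability) override a good rating. The example below is an added illustration of that combination, not code from Recorded Future or from the RiskRecon product; the vendor names, ratings and events are constructed, and the signal weights, the 30-day "active" window and the recommended actions are assumptions chosen for the demonstration.

```python
"""Prioritise third-party vendors by combining an outside-in hygiene rating
with recent intelligence signals, so that a vendor that is actually being
targeted outranks one that merely has an untidy posture.

Added illustration. Vendors, ratings, events, weights and the active window
are constructed assumptions, not any product's scoring model.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reference time for the constructed data (the article's publication date).
NOW = datetime(2026, 4, 9, tzinfo=timezone.utc)
# Only intelligence signals observed inside this window count as active.
ACTIVE_WINDOW = timedelta(days=30)

# Assumed severity weight and defender action per signal type.
SIGNALS = {
    "ransomware_extortion_listing": (
        100, "open an incident; confirm scope with the vendor; restrict integrations until scoped"),
    "exploited_vuln_exposed": (
        80, "verify the exposed service is patched; request vendor attestation"),
    "malware_infection": (
        70, "ask the vendor for containment status; review traffic from vendor IP space"),
    "credential_leak": (
        60, "force reset of shared or federated accounts; confirm MFA on the vendor SSO"),
}


@dataclass(frozen=True)
class Vendor:
    name: str
    hygiene_rating: int  # 0-100 outside-in posture score, higher is better


@dataclass(frozen=True)
class IntelEvent:
    vendor: str
    kind: str
    observed_at: datetime


def active_signals(vendor, events, now=NOW):
    """Return the vendor's known-signal events observed within ACTIVE_WINDOW."""
    return [
        e for e in events
        if e.vendor == vendor.name and e.kind in SIGNALS
        and now - e.observed_at <= ACTIVE_WINDOW
    ]


def risk_score(vendor, events, now=NOW):
    """Sum active-signal weights and add a hygiene penalty.

    Signal weights dominate by construction, so a well-rated vendor with an
    active signal scores above a poorly-rated vendor with none; the hygiene
    penalty mainly orders vendors that have no active signals.
    """
    signal_total = sum(SIGNALS[e.kind][0] for e in active_signals(vendor, events, now))
    hygiene_penalty = (100 - vendor.hygiene_rating) * 0.5
    return signal_total + hygiene_penalty


def prioritise(vendors, events, now=NOW):
    """Return (name, score, [recommended actions]) rows, highest risk first."""
    rows = []
    for v in vendors:
        actions = sorted({SIGNALS[e.kind][1] for e in active_signals(v, events, now)})
        rows.append((v.name, risk_score(v, events, now), actions))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample data: a well-rated vendor that is on an extortion site,
# a poorly-rated vendor with no activity, and a mid-rated vendor with one
# fresh and one stale signal.
VENDORS = [
    Vendor("AcmeCloud", 92),
    Vendor("BetaLogistics", 55),
    Vendor("GammaPayroll", 70),
]
EVENTS = [
    IntelEvent("AcmeCloud", "ransomware_extortion_listing", NOW - timedelta(days=2)),
    IntelEvent("GammaPayroll", "credential_leak", NOW - timedelta(days=10)),
    IntelEvent("GammaPayroll", "exploited_vuln_exposed", NOW - timedelta(days=45)),  # stale
]

if __name__ == "__main__":
    for name, score, actions in prioritise(VENDORS, EVENTS):
        print(f"{name:15s} {score:6.1f}  {'; '.join(actions) or 'routine review'}")
```

With the constructed data, AcmeCloud (rating 92, listed on an extortion site two days ago) ranks first, GammaPayroll second on the strength of its fresh credential leak while the 45-day-old exposure is ignored, and BetaLogistics, the worst-rated vendor, lands last with no action beyond routine review; a ratings-only queue would have ordered them the other way round.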