
How is AI-Native Third-Party Cyber Risk Management Transforming Enterprise Security? A Conversation with Candan Bolukbas, Co-Founder & CTO at Black Kite

ExtraMile by HiTechNectar is a leading interview series featuring tech leaders, senior executives, and innovators globally. We aim to empower our audience with insights and best practices from pioneers pushing new boundaries in Gen AI, cloud, cybersecurity, business, marketing, and diverse domains.

For this brand-new edition, we sit down with Candan Bolukbas, Co-Founder and Chief Technology Officer of Black Kite, the leading AI-native cyber risk management platform trusted by over 3,000 customers to manage every supplier and risk across their extended ecosystem.

Candan, our expert guest, brings a unique perspective to cybersecurity and has worked as a Certified Ethical Hacker (CEH) for NATO. He is the pillar behind Black Kite’s technical vision and product innovation.

In this dynamic session, Candan walks through his outstanding professional journey. He further discusses Black Kite’s AI-native third-party cyber risk management platform, the importance of always-on vendor monitoring, and MCP servers. Lastly, he sheds light on what’s next in the third-party risk landscape!

So, let us dive into the conversation and explore more!

Welcome to the session, Candan! Wonderful to have you here today!

Q1. What does “AI-Native Third-Party Cyber Risk Management” mean? How does it change the way organizations handle each and every risk and supplier?

Candan. AI-native means that artificial intelligence is built into the core architecture of a product from the very beginning – not something bolted on later. An effective AI strategy requires time, continuous investment, and deep integration with the product’s data and workflows to be optimized for the specific use case.

In TPCRM, an AI-native approach creates a major shift in how organizations identify and manage supplier risk. It allows teams to move beyond manual, reactive processes and instead make faster, more confident, risk-based decisions.

Some examples of how we are leveraging AI/agentic AI:

  • Faster risk detection & impact identification: AI analyzes large volumes of data – including dark web activity, hacker forums, encrypted Telegram channels, security advisories, etc. – to detect emerging threats and identify which vendors may be affected. This is foundational to how we deliver Black Kite’s FocusTags®.
  • Automated assessments: Instead of relying solely on manual questionnaires and self-attestations, AI can pre-populate frameworks with existing evidence and data. This enables a more intelligence-led approach and allows teams to focus only on areas that require validation.
  • Automated Investigations: AI can perform complex investigations into vendor findings, changes in risk scores, cyber ratings, and RSI.
  • Reporting: AI can generate custom reports and board communication packages that summarize third-party risk trends, concentration areas, and financial impact with charts and metrics for executive stakeholders.

Q2. How did working across enterprise, government, and startups shape a dynamic and holistic view of cybersecurity? How do you see the landscape evolving?

Candan. As a former ethical hacker, I saw firsthand how attackers were increasingly exploiting third-party vendors as entry points to reach their primary targets. While organizations were heavily investing in securing their own environments, their broader vendor ecosystems were often the weakest link.

At the time, the third-party risk management industry was largely built around black-box scores that lacked transparency and context. Teams were given ratings, but had little understanding of why a vendor was risky or how to actually reduce that risk.

Seeing this gap, I realized that the market was craving a new approach – one that moved beyond static scores and focused on actionable, evidence-based insights. That realization ultimately led to the founding of Black Kite.

Now, working closely with large enterprise customers, I see just how significant this challenge really is and how much the market needed a new approach to managing third-party risk.

Looking ahead, I’m especially excited about how agentic AI is transforming TPCRM. It’s a major step forward in helping organizations manage third-party risk at a scale and speed not previously possible.

Q3. What’s your take on Black Kite’s third-party cyber risk management strategy? What makes it stand apart from typical vendor risk tools?

Candan. Black Kite stands out based on 4 key areas:

  • Accuracy: Provides profiles on 40M+ companies, evaluates 300+ unique control items for vendor risk, and validates data three times for 97%-plus accuracy.
  • Transparency: Cyber ratings are mapped to industry standards like MITRE/NIST, and technical risk is translated into Probable Financial Loss using OpenFAIR™ modeling.
  • Speed: AI has been core to the platform since day one – it’s foundational to digital footprinting, FocusTags™, adversarial intelligence scanning, and document parsing. We’ve since evolved from automation to agentic use cases with the release of Black Kite AI Agent, a super agent that deploys subagents to investigate, assess, and report like a human analyst.
  • Collaboration: Allows users to invite vendors into the platform via The Bridge™ for seamless customer-vendor engagement, including targeted outreach, intelligence sharing, remediation progress tracking, and reporting. Vendors have full access for free.

Q4. In what way does always-on vendor monitoring help security and TPRM teams to reduce vulnerability and remain a step ahead of third-party threats?

Candan. Security teams have historically relied on periodic assessments to understand a vendor’s cyber posture. However, that approach only provides a snapshot of risk at a single point in time, which isn’t sufficient given how quickly both environments and the threat landscape evolve.

Always-on vendor monitoring shifts this model to a continuous intelligence approach, giving teams real-time visibility into changes in a vendor’s risk posture. This allows organizations to better prioritize their efforts and be more targeted with vendor engagement.

Instead of reassessing every vendor on a fixed schedule, teams can trigger deeper reviews when intelligence signals a potential issue – such as a drop in a security rating, a breach event, a FocusTag® alert, or the expiration of a certification like ISO. This helps organizations stay proactive and address third-party risks before they escalate.

Q5. In today’s cloud-first world, is traditional DLP obsolete? If so, how can it be more than just a checkbox?

Candan. DLP is not obsolete – in fact, it’s becoming more important as the use of AI has actually introduced more potential for data leakage. To be more than a compliance checkbox, modern DLP must evolve to account for traditional environments, cloud platforms, and emerging AI tools, ensuring sensitive data is protected everywhere it is stored, accessed, and shared.

Q6. How does Black Kite’s MCP server allow customers to securely plug AI agent platforms and orchestration tools into TPCRM workflows?

Candan. Black Kite requires all AI Agents & Orchestration tools to have a token generated in order to access data within the Black Kite platform, which is then verified on each call made.
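The per-call check described in this answer, as an added example that is not Black Kite’s code and does not reflect its token format: a hypothetical MCP-style tool server that mints HMAC-signed bearer tokens carrying a subject, scopes and an expiry, and re-verifies the token inside every tools/call handler rather than once at session start. `SERVER_SECRET`, `issue_token`, `verify_token`, `handle_call`, the `vendor_rating` tool and `SAMPLE_RATINGS` are all assumptions made for illustration.

```python
"""Per-call bearer-token verification for an MCP-style tool server.

Added example, not Black Kite code. SERVER_SECRET, the token format, the
tool names and the sample ratings are hypothetical stand-ins.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Any, Callable, Dict, List, Optional

SERVER_SECRET = os.urandom(32)  # assumed per-deployment signing key (hypothetical)

# Constructed sample data standing in for a vendor-intelligence backend.
SAMPLE_RATINGS = {"acme-logistics": "B", "globex-cloud": "A-"}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(agent_id: str, scopes: List[str], ttl_s: int = 3600,
                now: Optional[float] = None) -> str:
    """Mint 'body.signature'; body carries subject, scopes and expiry."""
    now = time.time() if now is None else now
    claims = {"sub": agent_id, "scp": scopes, "exp": int(now + ttl_s)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


class AuthError(Exception):
    pass


def verify_token(token: str, required_scope: str,
                 now: Optional[float] = None) -> Dict[str, Any]:
    """Check signature (constant-time), then expiry and scope; return claims."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        sig_bytes = _unb64(sig)
    except ValueError:  # bad split or bad base64
        raise AuthError("malformed token")
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        raise AuthError("bad signature")
    claims = json.loads(_unb64(body))  # parsed only after the signature checks out
    if claims.get("exp", 0) <= now:
        raise AuthError("expired")
    if required_scope not in claims.get("scp", []):
        raise AuthError("missing scope")
    return claims


TOOLS: Dict[str, tuple] = {}  # name -> (required scope, handler)


def tool(name: str, scope: str):
    """Register a tool together with the scope a caller must hold for it."""
    def deco(fn: Callable[..., Any]) -> Callable[..., Any]:
        TOOLS[name] = (scope, fn)
        return fn
    return deco


@tool("vendor_rating", "vendors:read")
def vendor_rating(vendor: str) -> Dict[str, str]:
    return {"vendor": vendor, "rating": SAMPLE_RATINGS.get(vendor, "unknown")}


def handle_call(request: Dict[str, Any], now: Optional[float] = None) -> Dict[str, Any]:
    """One MCP-style tools/call. The token is verified here, on every call, so an
    expired or rotated token stops working on the next request instead of living
    on inside a long-running agent session."""
    name = request.get("tool", "")
    if name not in TOOLS:
        return {"ok": False, "error": "unknown tool"}
    scope, fn = TOOLS[name]
    try:
        claims = verify_token(request.get("token", ""), scope, now)
    except AuthError as exc:
        return {"ok": False, "error": f"unauthorized: {exc}"}
    return {"ok": True, "caller": claims["sub"], "result": fn(**request.get("args", {}))}


def token_is_valid(token: str, scope: str, now: Optional[float] = None) -> bool:
    try:
        verify_token(token, scope, now)
        return True
    except AuthError:
        return False


if __name__ == "__main__":
    tok = issue_token("triage-agent", ["vendors:read"])
    print(handle_call({"tool": "vendor_rating", "token": tok, "args": {"vendor": "acme-logistics"}}))
    print(handle_call({"tool": "vendor_rating", "token": tok, "args": {"vendor": "acme-logistics"}}, now=time.time() + 7200))
```

Two design points matter here: the signature is compared with `hmac.compare_digest` before any claim is parsed, so a forged body cannot steer the handler, and verification runs per call with the current time, so the token’s expiry and scope are enforced on every tool invocation rather than only when the agent first connects.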

Q7. How does AI-powered intelligence improve the accuracy and actionability of third-party risk insights?

Candan. AI is extremely powerful when it comes to analyzing large volumes of data, which is foundational to how we deliver trusted third-party risk insights. It helps analyze external signals that indicate how attackers may target an organization – such as breach history, exposed data, dark web chatter, hacker forum activity, and broader threat intelligence. It also helps us analyze publicly available information about a vendor’s security program – including trust centers, security documentation, policies, and compliance certifications – to better understand the controls they have in place. This is foundational to the risk profiles we build for each organization.

Q8. In your opinion, as a TPRM trailblazer, what lies ahead for third-party cyber risk?

Candan. From a technical perspective – AI will be fundamental in improving the speed and scale at which TPRM processes and workflows are executed. For example, we see Black Kite’s AI Agent evolving to act as an operator, autonomously requesting documentation, validating controls, and negotiating remediation with vendors to move closer to fully autonomous TPCRM.

From a business perspective – financial risk will increasingly drive decision-making. As high-profile third-party and supply chain incidents bring cyber risk into the boardroom, organizations need a way to translate technical findings into business impact. Cyber Risk Quantification (CRQ) helps bridge that gap between security teams and executive leadership.
