The knowledge platform for the financial technology industry

A-Team Insight Blogs

Blackwired’s ThirdWatch: Powering Operational Resilience with Cyber Intelligence


For years, financial institutions have invested heavily in cyber defences designed to protect their own perimeters. Firewalls hardened, endpoints secured, and internal monitoring intensified. But many of the most disruptive recent incidents have propagated through third-party providers, software supply chains, or shared infrastructure. They are aimed at the firms banks depend on.

The exploitation of the MOVEit Transfer vulnerability in 2023 offers a clear example. Attackers targeted a widely used managed file transfer platform embedded deep within operational workflows across financial services and adjacent industries. Rather than breaching institutions directly, the campaign exploited a single software vulnerability to access sensitive data across hundreds of organisations, including banks, insurers, pension entities and service providers.

In effect, a compromise in shared infrastructure propagated across the financial ecosystem, exposing how data exchange channels and third-party platforms can act as systemic risk vectors.

Frameworks such as the Digital Operational Resilience Act (DORA) and the UK operational resilience regime place strong emphasis on understanding and managing risks embedded in digital supply chains and third-party dependencies – not just firms’ internal systems.

Against that backdrop, cybersecurity intelligence is beginning to intersect with RegTech in new ways. Blackwired, a cyber-intelligence firm, is positioning its ThirdWatch platform as part of that shift. CEO Jeremy Samide argues that the industry needs to rethink how it identifies and prioritises cyber risk across increasingly complex ecosystems.

From Threat Feeds to Contextual Intelligence

Traditional cyber threat intelligence has long struggled with a fundamental problem: volume without context.

Security teams are inundated with alerts, indicators and vulnerability data, much of it generic and difficult to prioritise. That model breaks down further when applied to third-party risk, where firms must assess exposures across hundreds – or thousands – of external dependencies.

Samide’s view is blunt: “Today’s threat landscape is fast-moving and complex. To keep up, organisations need more than just alerts – they need context.”

ThirdWatch is designed to provide that context through what Blackwired calls Direct Threat Intelligence (DTI) – a model focused on identifying threats that are specifically relevant to a given organisation and its ecosystem, rather than aggregating generalised threat feeds.

The platform collects and analyses artefacts such as malicious domains, malware signatures and adversarial infrastructure, using AI and machine learning models to map how those threats relate to a particular firm and its third parties.

The objective is not simply detection, but relevance.

Scoring Risk in Real Time

At the core of the platform is a scoring model intended to translate cyber signals into actionable risk insight.

ThirdWatch assigns scores to threats based on factors such as proximity to the organisation, observed activity and severity. These signals are validated through Blackwired’s proprietary intelligence sources and combined with vulnerability and sector-specific data.

The result is a unified risk score ranging from 0 to 10, designed to reflect the impact of threats across both the organisation and its third-party ecosystem.

Crucially, the scoring model is dynamic rather than static. It incorporates rolling datasets over multiple time horizons and adjusts weightings based on what Samide describes as “momentum shifts” in threat activity. This introduces an additional dimension that is increasingly relevant for resilience teams: risk velocity – how quickly a threat is evolving and escalating.

In practice, that allows firms to move beyond point-in-time assessments toward a more continuous view of exposure.

From Intelligence to Evidence

For regulated institutions, insight alone is not enough. It must be explainable, attributable and defensible.

Under DORA and related regimes, firms need documented, auditable ICT-risk and third-party-risk processes, which raises the importance of explainable and attributable cyber intelligence. Samide emphasises that each threat identified by ThirdWatch is supported by verifiable data:

“We show the actual cyber weapon data and provide attribution to its sources such as the threat actor itself, adversarial campaign data and the tools, tactics and procedures used.”

This includes mapping adversarial infrastructure and linking it directly to the organisation’s digital footprint. The platform also enables correlation with internal systems such as Security Information and Event Management (SIEM) tools, allowing firms to validate external intelligence against internal signals.

The goal is to bridge a long-standing gap between cyber operations and governance – turning technical signals into evidence that can be consumed by risk, compliance and audit functions.

Cutting Through the Noise

One of the persistent criticisms of threat-intelligence platforms is that they generate too much noise. Samide argues that this is largely a consequence of relying on aggregated intelligence feeds that are not tailored to specific organisations.

“Each organisation has its own DTI footprint, containing the threats that specifically matter to this organisation.” By focusing only on threats that are directly relevant – and mapping those threats to known vulnerabilities – ThirdWatch aims to reduce false positives and improve prioritisation.

This becomes particularly important in a resilience context, where the objective is not to catalogue every possible threat, but to identify those most likely to disrupt important business services.

Beyond TPRM: Toward Continuous Resilience Monitoring

Traditional third-party risk management (TPRM) frameworks are built around periodic assessments – onboarding checks, annual reviews, and questionnaire-based due diligence. But incidents such as the MOVEit attack demonstrate how quickly risk can materialise between those checkpoints.

Samide believes the industry is moving toward a fundamentally different model:

“Humans cannot process the ever-increasing number of threats that are facing not only the organisation itself but its third-party vendors and suppliers.”

ThirdWatch is designed to continuously monitor both the organisation and its extended ecosystem, identifying what Samide describes as “sideways risks” – threats that originate in third-party environments but have the potential to propagate inward.

The platform’s visualisation layer maps relationships across suppliers, subsidiaries and partners, enabling firms to analyse risk across multiple tiers of dependency.

A Convergence Taking Shape

The lesson from incidents like MOVEit is not simply that cyber-attacks are increasing, but that the locus of risk has shifted: firms need to understand how disruption can enter through the digital supply chain and how quickly it can spread. In that context, cyber-threat intelligence is more than a security function. It is evolving into a core input for resilience oversight.

Platforms like ThirdWatch sit at this intersection, translating external threat signals into operational risk insight.
