Third-party cyber incidents are increasing, and most organizations are seeing it firsthand. According to Panorays’ 2026 CISO Survey for Third-Party Cyber Risk Management Priorities, 60% of CISOs report an increase in third-party breaches over the past year. More than half say incidents somewhat increased, while nine percent experienced a significant jump. Not a single respondent reported a significant decrease.

These numbers confirm that supply chain exposure continues to grow, and the attack surface is no longer confined to internal systems or direct suppliers. Instead, it now stretches across a multi-layered landscape of third-, fourth-, and even nth-party relationships.

At the same time, visibility has not kept pace with that growth. The survey showed that only 15% of CISOs report having visibility across third-, fourth-, and nth-party relationships. Most organizations can identify their direct vendors, but visibility drops sharply beyond the first tier. As a result, many security teams are unable to determine where risks originate, how dependencies connect, or how far an incident could spread once it begins.

In practice, this means incidents are often managed without a complete understanding of their full scope. Security teams may know which vendor was compromised, but not which subcontractors were involved, which shared services were affected, or which downstream business processes are exposed next.

This disconnect helps explain why reported third-party incidents continue to rise year after year. Awareness alone does not reduce risk, and without consistent, end-to-end visibility across the supply chain, organizations are forced to respond with partial information and assumptions that rarely hold during real incidents.

Third-Party Incidents Are Rising, Not Stabilizing

The survey data shows a clear trend: 51% of CISOs say third-party incidents somewhat increased over the past year, while another nine percent report a significant increase. No respondents reported a significant decrease. Even organizations that saw improvement in some areas still face a rising baseline of exposure.

This trend points to a structural challenge in how third-party risk is managed. Reliance on external providers continues to grow faster than most oversight programs evolve. New vendors are onboarded quickly to support cloud migration, digital transformation, and operational efficiency – but risk management processes don’t match that pace.

Traditional TPRM approaches struggle to scale in this environment. Point-in-time assessments, spreadsheet-based tracking, and vendor questionnaires that stop at the first tier provide limited insight into how risk accumulates across interconnected suppliers. As a result, organizations may meet internal requirements while remaining exposed to hidden dependencies they cannot see or control.

When incidents occur, those gaps become visible. Security teams are left trying to reconstruct dependency chains under pressure, often relying on incomplete records and manual outreach to understand the full impact.

Why Supply Chain Visibility Breaks Down

Third-party ecosystems are complex by design: vendors rely on subcontractors, cloud providers, managed services, and shared infrastructure. Each layer introduces additional risk, but also additional data sources, ownership questions, and accountability gaps.

Visibility and control break down when organizations rely on fragmented tools and disconnected processes. Procurement systems capture vendor relationships, but not technical dependencies. Risk platforms store assessments, but not real-time exposure changes. Incident response teams track events, but lack context on which suppliers support which critical services.

What Effective Third-Party Visibility Looks Like

Effective supply chain risk management requires visibility that extends beyond direct vendors. Organizations need to understand not only who their suppliers are, but how those suppliers connect to critical systems, data, and services.

That visibility must be continuously maintained, not reconstructed during an incident. It should allow security teams to answer basic but critical questions quickly:

  • Which vendors support this service?
  • What subcontractors are involved?
  • What data and systems are shared?
  • What would break if this provider became unavailable?

Without clear answers to these questions, incident response becomes reactive and incomplete. Visibility alone is not enough, however. It must be paired with monitoring, risk intelligence, and validation to ensure that changes in the supply chain are detected as they happen, not months later during a periodic review.

How Panorays Helps Close the Visibility Gap

As third-party incidents increase, organizations need tools that move beyond point-in-time snapshot assessments and manual tracking. Panorays addresses this challenge by providing continuous monitoring across third-party ecosystems and the risks that emerge within them.

Panorays centralizes vendor intelligence, assessment data, and risk signals into a single platform. This allows security teams to maintain an up-to-date view of their supplier landscape, including critical dependencies and emerging exposure.

Instead of relying on fragmented spreadsheets or disconnected questionnaires, teams can monitor changes across vendors and subcontractors in real time. Risk scores, alerts, and contextual insights help identify where exposure is increasing and which relationships require closer oversight.

This approach supports faster, more informed incident response, so when an event occurs, teams can quickly determine which vendors are involved, how far dependencies extend, and which business functions may be impacted.

Reducing Blind Spots Before They Become Incidents

The survey data makes it clear that third-party incidents are not slowing down, and limited visibility remains a major contributor to unmanaged exposure.

Organizations that rely on partial views of their supply chain will continue to struggle as ecosystems grow more interconnected. Blind spots do not just increase the likelihood of incidents; they also shape how disruptive those incidents become. Tools that provide continuous visibility, integrated risk intelligence, and clear dependency mapping help organizations move from reactive response to proactive oversight. They allow security teams to identify emerging risks earlier, prioritize remediation, and respond with confidence when incidents occur.

Final Thoughts: Visibility Is Now a Core Security Requirement

The rise in third-party incidents is not an anomaly. It is a reflection of how modern organizations operate. As reliance on external providers increases, so does the need for visibility that extends across the entire supply chain. When only 15% of organizations can see beyond their direct vendors, most are managing risk with an incomplete picture. Closing that gap requires more than awareness. It requires tools and processes designed to surface dependencies, monitor change, and support informed decision-making.

Panorays helps organizations achieve that visibility, reduce blind spots, and manage third-party cyber risk at scale. As incidents continue to rise, understanding the full picture is no longer optional. It is essential for resilience.
