Candan Bolukbas. PHOTO: Cybercrime Magazine.

Black Kite: How We Got Here. A Cybersecurity Story.

Former NATO Hacker Tackles Supply Chain Security

Charlie Osborne

London – Jul. 26, 2022

Black Kite has humble beginnings but has the potential to change the way we view supply chain security irrevocably.

The cybersecurity startup’s chief technology officer (CTO) and co-founder, Candan Bolukbas, has extensive experience in information security and incident response. Still, his experience working as a certified ethical hacker (CEH) for NATO provided the concept Black Kite is centered on.

While at NATO, Bolukbas worked on uncovering existing loopholes and weak spots in third-party contracts’ networks that threatened member countries’ national security.

So, why couldn’t the same principle be applied to enterprise organizations and their supply chains?



We’ve already seen massive cybersecurity incidents involving third parties. Kaseya, SolarWinds, and Okta’s security incidents all revealed how organizations today can experience catastrophic breaches when one of their suppliers is targeted.

Even if the organization’s own security is top-notch, it only takes one weakness in their vendor chain to cause everything to unravel.

As Bolukbas says, “Suppliers could be considered a separate system running on your network,” but without visibility and a robust risk vetting process, enterprise firms have their hands tied.

This is where Black Kite, formerly known as NormShield, started its journey. With only three people originally at the helm, the company is now operated by a team of dedicated individuals including the CTO, CEO Paul Paget, SVP of Sales John Sullivan, Chief Customer Officer Chris Bush, VP of Marketing Danielle Lewan, and others.

Black Kite is a vendor risk management service that has developed a scalable platform for determining cybersecurity risks, as well as event susceptibility, such as to ransomware infections. Furthermore, the platform focuses on third-party supply chain vulnerability visibility and awareness.

After being accepted to MACH37, an incubator program funded by the state of Virginia in 2016, it wasn’t long before the cybersecurity startup attracted attention.

Rick Grinnell, founder and managing partner at Glasswing Ventures, was one of the interested parties. His investment firm opened the door for Black Kite to meet leaders at Fortune 2000 companies, and many of them, Grinnell says, were “blown away.”

“Many of them were using solutions from Black Kite competitors and said, ‘I can’t get this with their solution,’” Grinnell commented. “I can’t get the quality of the data, and I can’t get the data in almost real-time format — so this is game-changing and will completely change how the world thinks about this type of technology.”

What also sets Black Kite apart is the adoption of the Open FAIR model. Rather than take the route of using singular, proprietary standards, Open FAIR (Factor Analysis of Information Risk) provides a model “for understanding, analyzing, and measuring information risk.” Because Black Kite aligns itself with this industry standard, customers can assess risk — as well as the solution’s value and potential ROI — accurately.

Black Kite says it is the engineer of the largest data lake in the world, providing visibility into 34 million companies.

The firm’s platform includes over 20 risk categories and 290 controls, over three times as many as Black Kite’s closest competitors.

According to Black Kite, you need to provide data to customers quickly and with high accuracy. A low false positive and false negative ratio is a must, but you must also provide a high number of controls to add value. After all, there’s no point in delivering data quickly if your customers don’t have the option to monitor their supply chains effectively and in close to real-time.

However, technology alone doesn’t provide the recipe for success. Instead of simply delivering a product and leaving your customer to it, you have to maintain a strong relationship with clients.

As Bush puts it, “They don’t just buy a product with us, they create a partnership with the company,” adding, “I think that’s the biggest and most impactful differentiator.”

Black Kite has attracted interest from investors and now counts over 500 customers. The company is dedicated to its mission to provide robust supply chain visibility and monitoring — and the CEO says its task is far from over.

“The next phase for us is to do this at scale,” Paget commented. “Companies are driving toward it [..] but they don’t believe it until they see it. So we have to not just say we’re going to do it, we have to be able to deliver it.

“We do that, and this will become the standard in the market for monitoring entire supply chains and ecosystems.”

Charlie Osborne is a journalist covering security for ZDNet. Her work also appears on TechRepublic, Cybercrime Magazine, and other media outlets. 



Sponsored by Black Kite

Black Kite, Inc. is led by a team of innovative thinkers and cybersecurity experts. Our goal is to provide you with the most accurate and comprehensive cyber rating results, with the fewest false positives.

Our people and platform do the work for you, highlighting risk areas that require attention and automating feedback on how to address them. We’re committed to serving our customers — and we’re proud of our five-star customer service rating.

Black Kite is the only rating system that gives a complete view of cyber risk across three dimensions — technical, financial, and compliance. Companies choose our patented rating technology over legacy rating services every day, as our platform continues to prove superior technically, systematically, and at scale.