The innovations, which are all free add-ons to Black Kite’s platform, include the ability to parse using a cyber-specific database rather than the general Internet, with parsing of data specific to individual companies coming very soon.
At the recent Black Hat cybersecurity event in Las Vegas, Boston-based cyber risk intelligence company Black Kite introduced three new features to its platform. Black Kite Enterprise Frameworks, Black Kite Compliance Gap Analysis, and Black Kite Parser 2.0 all reduce the time needed to complete third-party compliance assessments by facilitating scalability and eliminating much of the manual effort those assessments require. The company says that the reduction in manual work cuts the time required from days or weeks down to minutes.
Black Kite is a 2016 startup, but its focus on this work predates the company's formal existence.
“I was doing a similar thing even before Black Kite,” said Candan Bolukbas, co-founder and CTO of Black Kite. “I was working for NATO, checking vulnerabilities for the national agencies that were part of NATO, and typically stopping threats at the back door. But we couldn’t scale that. We could do around four per year and each NATO country had 100 agencies. So we needed to collect cyberdata from the Internet to make it work, and we started Black Kite to do this.”
While Black Kite is not the only provider of automated risk, they see an important differentiation with their technology.
“We eliminate the process of talking to vendors if there is an issue,” Bolukbas said. “Instead, you just ingest the document to the Black Kite platform, and it will parse the document. That’s the core of this operation. We released this four years ago, so while our language model is trained on cyber data, and we are now in our fourth generation, it is not built on LLM. It thus avoids LLM third party security issues.”
The market for this tends to be companies for whom compliance is important – meaning regulated industries – but it is broader than that.
“Our customers are primarily regulated ones, but a lot of companies have standard questions for vendors,” Bolukbas indicated. “IBM can send a vendor 100 questions. So this is applicable for all industries where people answer questions.”
The new announcements include Black Kite Parser 2.0, which can parse, analyze and map results to all cybersecurity controls within the Black Kite platform within minutes to measure third-party compliance. It recognizes more than 130 different languages and was trained to be cyber-aware. The big advance here is more granularity in the analysis through more focused parsing, which is concentrated around the industry involved rather than the general Internet.
“We have had these language models for a long time, but as the technology evolved, it is necessary to retrain the model,” Bolukbas noted. “Most models on the market train on public data, which is something that needs to evolve. If your data is specific to cybersecurity, then a word like ‘port,’ which in the general Internet could pull in references to a harbour, will have the IT-specific meaning of the term. Our analysis is now focused on cybersecurity documents, so the results are specific to cyber.” Parser 2.0 lets Black Kite’s compliance module correlate vendor cybersecurity findings to 15 industry regulations and standards.
The logical extension is to complete this move away from training on public data: first to IT-specific training, and ultimately to training focused on the data from a single vendor. Bolukbas says that the latter is extremely close.
“We are doing internal data on this third case, documents provided by a specific vendor, right now,” he indicated. “We are about 30 days away from being able to make that available.”
These proprietary Parser capabilities were built in-house by the company’s cybersecurity research and development team, and there is currently a patent pending on the technology.
Another innovation was the announcement of the ability to parse documents against an enterprise framework, something that Black Kite says is unique among third-party risk providers.
“Large organizations tend to follow their own standards, and the control list that they have is the Enterprise Framework,” Bolukbas said. “IBM is a good example. They have 1000,000 suppliers. We created this custom framework for them and it is applied automatically, to automate compliance for vendor-specific standards and controls, using the vendor’s own assessment criteria.”
This lets companies more quickly and easily perform assessments by automating the measurement of the compliance rating based on industry regulations and standards that are important to them, substantially simplifying third-party risk efforts.
The third innovation announcement is Compliance Gap Analysis, which provides a report of the controls that don’t meet a specified level of satisfactory compliance.
“When we do our analysis, we sometimes find that the results may not have all the controls we are looking for,” Bolukbas indicated. “This tells you if something couldn’t be answered, so you can go back to the supplier and get a more comprehensive document.”
All of this is provided free as part of the Black Kite platform.
“It’s part of the existing license, and we aren’t charging extra for it,” Bolukbas said.
This will all be a significant benefit for Black Kite’s channel, which is the company’s sole route to market.
“We don’t do direct,” Bolukbas stated. “All our transactions are through partners, both MSSPs and reseller partners. We recommend a partner if a customer doesn’t have one already. We have over 500 MSSPs now, who benefit from this because many of their customers don’t have the resources to do it themselves. They make nice services money from that today.”