What is third-party risk in cybersecurity?

Third-party risk in cybersecurity is the exposure an organization inherits from vendors, suppliers, and service providers that have access to its systems, data, or infrastructure. When a third party is breached, the attacker may gain a path into every organization that trusts them. According to IBM Cost of a Data Breach 2024, breaches involving third parties cost an average of $4.88M - and the cost rises when the third party holds privileged access.

Why are security vendors targeted by attackers?

Security vendors are high-value targets because breaching one gives attackers leverage across thousands of organizations simultaneously. A security tool sits deep inside a customer environment - it has access to logs, configurations, credentials, and network traffic. Attackers who understand how that tool works - its blind spots, its authentication logic, its integration points - can move inside customer environments without triggering the very detections the tool provides.

How should a CISO assess the risk from a breached security vendor?

Start with access scope: what data and systems does the vendor touch, and what permissions does its software hold? Then assess dwell time risk: how long might the attacker have been in, and what could they have observed? Review the vendor's incident disclosure for specifics on data accessed and timeline. Finally, evaluate whether the vendor's response - forensics, law enforcement notification, customer communication - meets your contractual and regulatory requirements.

What should a third-party risk program for security vendors include?

Beyond SOC 2 review and questionnaires, a TPRM program for security vendors should include: external attack surface assessment of the vendor itself, review of what access permissions the vendor holds in your environment, contractual breach notification SLAs, and a defined response playbook for if the vendor is compromised. Most TPRM programs apply rigorous scrutiny to cloud and payment vendors but treat security vendors as inherently trustworthy. That gap is a real risk.

When Your Security Vendor Gets Breached: Third-Party Risk in the Security Stack

Q: What does a source code breach mean for customers of the affected vendor?

A source code breach means attackers can study the logic of the software at a level that is not visible from outside. For a security product, that means identifying detection gaps, understanding how the tool integrates with customer environments, and finding vulnerabilities before they are patched and disclosed. The risk is not immediate in most cases - but it creates an asymmetric advantage for the attacker over an extended time horizon.

Key Numbers

$4.88M average cost of a data breach in 2024 - rises significantly when a third party is involved (IBM Cost of a Data Breach 2024).
51% of organizations experienced a data breach caused by a third party in the past two years (Ponemon Institute).
98% of organizations have at least one third-party vendor relationship with a company that suffered a breach (SecurityScorecard, 2024).
4 major security vendors breached or significantly compromised in three years: Okta (2023), Microsoft (2024), CrowdStrike (2024), Trellix (2026).
Unknown - how long attackers had access to Trellix's source code repository before detection. Duration not disclosed as of May 2026.

On May 2, 2026, Trellix confirmed that attackers had gained unauthorized access to a portion of its source code repository. Trellix is not a small startup. It is the company formed from the merger of McAfee Enterprise and FireEye - two of the most recognized names in enterprise security. Owned by Symphony Technology Group, it runs inside the networks of thousands of organizations globally.

The company said it found no evidence that its source code was exploited or that the release process was affected. It is working with forensic experts and has notified law enforcement. Additional details will be shared as the investigation progresses.

That statement is honest and responsible. It is also the kind of statement that should make every CISO ask a harder question: if one of the most established security vendors in the world can have its source code accessed by unauthorized parties - how much scrutiny are you actually applying to the vendors whose tools sit inside your environment?

A Pattern the Industry Can No Longer Ignore

Trellix is not an isolated incident. It is the latest point on a line that has been building for years.

In 2023, Okta was breached through its customer support system. Attackers accessed files belonging to 134 customers. Okta is the identity and access management platform that controls who gets into thousands of corporate environments.

In early 2024, Microsoft confirmed that the Midnight Blizzard threat group - a Russian state-sponsored actor - had accessed corporate email accounts and subsequently gained access to source code repositories. Microsoft is the vendor behind Azure Active Directory, Defender, Sentinel, and dozens of other security tools deployed at enterprise scale.

Now Trellix. The duration of attacker access is unknown.

The security stack itself has become an attack surface. Attackers have recognized that breaching the tools that protect organizations gives them leverage that no individual corporate breach can match.

What "Source Code Breach" Actually Means

Most breach disclosures focus on data - records stolen, credentials exposed, customer files accessed. A source code breach is different. The immediate risk is not data loss. The risk is knowledge transfer.

Attackers who study a security product's source code can identify detection logic - which behaviors trigger alerts and which do not. They can find authentication vulnerabilities before they are patched and disclosed. They can map how the tool integrates with customer environments: what API calls it makes, what credentials it stores, what network traffic it generates.

That knowledge does not expire quickly. A threat actor who spent weeks in a source code repository in 2026 may choose to act on what they learned in 2027 or 2028, after organizations have stopped actively monitoring for fallout from the initial disclosure.

"No evidence of exploitation" means no evidence found to date. It does not mean the knowledge gained from the access will never be used. That distinction matters when you are assessing your actual risk exposure - not just your legal disclosure posture.

The TPRM Blind Spot

Third-party risk management has matured significantly over the past decade. Most enterprises now run structured TPRM programs - vendor questionnaires, SOC 2 reviews, annual risk assessments, contractual security requirements. For cloud providers, payment processors, and data sub-processors, the scrutiny is real and ongoing.

But there is a consistent blind spot: security vendors themselves.

The assumption runs something like this: these vendors are in the business of security, they have dedicated security teams, they are subject to their own products' scrutiny. They are safer than the average SaaS vendor. We trust them.

That assumption has never been operationally justified. And four high-profile incidents in three years suggest it is wrong.

Security vendors hold access to your environment that most other vendors do not. Your endpoint detection platform runs with elevated kernel privileges. Your SIEM has read access to every log source in your infrastructure. Your identity provider controls authentication for your entire workforce. Your vulnerability scanner knows every weakness in your external and internal attack surface.

If an attacker breaches any of those vendors and understands what they hold, the risk to your organization is not theoretical. It is structural.

What a Real Vendor Risk Assessment Looks Like

A SOC 2 Type II report tells you whether a vendor's controls were operating as designed during a specific audit window. It does not tell you whether the vendor has exposed assets on the public internet. It does not tell you whether a developer accidentally pushed credentials to a public repository. It does not tell you what access the vendor's software holds in your environment right now.

A real vendor risk assessment for a security vendor should cover four dimensions:

External exposure of the vendor itself. What does the vendor's attack surface look like from the outside? Are there exposed management interfaces, unpatched systems, or misconfigured cloud assets visible to an attacker scanning the internet? The same external exposure assessment you would run against your own perimeter should be applied to your critical security vendors.

Access scope in your environment. What permissions does the vendor's software hold? What data does it touch? What credentials does it store? Most organizations deploy security tools and grant the permissions required at the time - then never revisit whether those permissions are still appropriate or still minimal.

Breach notification SLAs. If your security vendor is compromised tomorrow, when are they contractually required to tell you? What level of detail are they required to provide? Most vendor contracts are weak on this. After Okta's 2023 disclosure - where customers learned about access to their files weeks after the initial incident - many organizations updated their contracts. Many have not.

Response playbook for vendor compromise. If your EDR vendor is breached, what do you do? Most incident response playbooks cover internal breaches, ransomware, and data exfiltration. Very few cover the scenario where a vendor whose tool has kernel-level access to your endpoints is compromised. That playbook should exist before you need it.

Your Perimeter Now Includes Your Security Stack

Zero trust as a model has gained significant traction over the past five years. The core principle - never trust implicitly, always verify - is sound. But in practice, most zero trust implementations focus on internal users and devices. The trusted network perimeter is replaced with identity and device verification. That is an improvement.

It does not extend to vendors. And it rarely extends to the security vendors whose software holds the most privileged access in the environment.

A vendor whose tool runs with elevated privileges on every endpoint in your organization is, in effect, inside your zero trust perimeter. If that vendor is compromised, the attacker is inside your zero trust perimeter. Not by bypassing your controls - by using the trusted path that you deliberately created.

Extending zero trust principles to vendor relationships means treating vendor access as a risk to be managed continuously - not as a trust relationship established once during procurement and reviewed annually in a questionnaire. Most organizations cannot do that today. That gap is the actual risk the Trellix breach surfaces.

Written by

Asaf Levy

Cybersecurity expert with 30+ years of experience across enterprise CISO, CTO, and co-founder roles. Advises boards and security teams on third-party risk management, attack surface reduction, and building vendor risk programs that go beyond the questionnaire.

Work with Asaf Follow on LinkedIn