Real-world breach analysis, third-party risk management strategy, and GRC compliance insights from the security community. Learn from the incidents that shaped modern vendor risk programs.
Vendor due diligence is shifting from trust to proof. Why a growing number of TPRM teams are asking suppliers whether they continuously run autonomous penetration testing, and how to add the question to your own assessments.

May 13, 2026 | Framework
One of the highest-signal data sources in third-party risk is free, public, and machine-readable. How to use the CISA KEV catalog to assess and monitor vendor risk.
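As an added illustration of the KEV-based monitoring the article describes (this is example code, not the article's own tooling), the script below matches a vendor inventory against the KEV JSON feed's record layout and ranks hits by whether CISA's remediation due date has already passed and whether the entry is flagged for known ransomware use. The catalog excerpt, CVE identifiers, vendor names and inventory are constructed sample data so it runs offline; the live feed URL is the real one but is not fetched here.

```python
"""Match a vendor inventory against a CISA KEV catalog excerpt (added example)."""
import json
import re
from datetime import date

# Real location of the live feed; this script never fetches it.
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# Constructed KEV excerpt in the feed's schema ("vulnerabilities" list with
# cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse).
# All CVE ids, vendors and products below are fictional sample data.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.05.13",
    "dateReleased": "2026-05-13T12:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2026-0001", "vendorProject": "Acme Corp.",
         "product": "Transfer Appliance", "vulnerabilityName": "Sample auth bypass",
         "dateAdded": "2026-05-01", "shortDescription": "constructed entry",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2026-05-22", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-2026-0002", "vendorProject": "Widget Software",
         "product": "Widget Mail Gateway", "vulnerabilityName": "Sample RCE",
         "dateAdded": "2026-04-20", "shortDescription": "constructed entry",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2026-0003", "vendorProject": "Globex",
         "product": "Nothing Here", "vulnerabilityName": "Sample overflow",
         "dateAdded": "2026-05-10", "shortDescription": "constructed entry",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-05-31", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed vendor inventory: what each supplier runs, and how critical they are to you.
SAMPLE_INVENTORY = [
    {"vendor": "ACME Corporation", "product": "Transfer Appliance v4", "tier": "critical"},
    {"vendor": "Widget Software", "product": "Widget Mail Gateway", "tier": "high"},
    {"vendor": "Acme Corp.", "product": "HR Portal", "tier": "low"},
]


def normalize(name: str) -> str:
    """Lower-case and drop punctuation/whitespace so 'Acme Corp.' and 'acme corp' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def load_kev(feed_text: str) -> list:
    """Parse the KEV JSON feed and return its 'vulnerabilities' list."""
    return json.loads(feed_text)["vulnerabilities"]


def _vendor_matches(kev_vendor: str, inv_vendor: str) -> bool:
    # Heuristic: either normalized name is a prefix of the other ("acmecorp" vs
    # "acmecorporation"). A curated alias table is more reliable in production.
    a, b = normalize(kev_vendor), normalize(inv_vendor)
    return bool(a) and bool(b) and (a.startswith(b) or b.startswith(a))


def _product_matches(kev_product: str, inv_product: str) -> bool:
    # Heuristic: substring match either way, so "Transfer Appliance v4" hits "Transfer Appliance".
    a, b = normalize(kev_product), normalize(inv_product)
    return bool(a) and bool(b) and (a in b or b in a)


def match_inventory(kev_entries: list, inventory: list, as_of: date) -> list:
    """Return one finding per (KEV entry, inventory item) pair that matches.

    Findings are sorted so that entries already past CISA's due date come first,
    then entries with known ransomware use, then by due date.
    """
    findings = []
    for entry in kev_entries:
        for item in inventory:
            if not (_vendor_matches(entry["vendorProject"], item["vendor"])
                    and _product_matches(entry["product"], item["product"])):
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "cveID": entry["cveID"],
                "vendor": item["vendor"],
                "product": item["product"],
                "tier": item["tier"],
                "dateAdded": entry["dateAdded"],
                "dueDate": entry["dueDate"],
                "days_to_due": (due - as_of).days,
                "overdue": due < as_of,
                "ransomware": entry.get("knownRansomwareCampaignUse", "").lower() == "known",
            })
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware"], f["dueDate"]))
    return findings


def sample_findings(as_of_iso: str) -> list:
    """Run the constructed sample data through the matcher as of an ISO date string."""
    return match_inventory(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for f in sample_findings("2026-05-13"):
        status = "OVERDUE" if f["overdue"] else f"due in {f['days_to_due']}d"
        flag = " [ransomware]" if f["ransomware"] else ""
        print(f"{f['cveID']}  {f['vendor']} / {f['product']}  tier={f['tier']}  {status}{flag}")
```

Run as-is it reports the two sample hits, with the overdue mail-gateway entry ranked above the ransomware-flagged appliance; the "HR Portal" item is correctly ignored because only the vendor matches. The due date is a federal-agency deadline, but it is a useful proxy for how long a vendor has had to act, which is what you want to ask them about.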
May 6, 2026 | Framework
The most prescriptive third-party risk regulation yet is now live. A practical guide to registers of information, critical-provider oversight, and threat-led testing.

April 27, 2026 | Breach Analysis
A single domain takeover weaponized JavaScript loaded by more than 100,000 websites. Why third-party code is third-party risk, even when no contract exists.

April 18, 2026 | Breach Analysis
A patient campaign socially engineered control of a critical open-source project and nearly backdoored sshd on major Linux distributions. The supply chain near-miss that no questionnaire could have caught.

April 15, 2026 | Strategy
Eight trends transforming vendor risk management, from AI-powered analysis and continuous monitoring to SBOM requirements and open-source democratization.

April 1, 2026 | Strategy
A practical step-by-step guide for 1-3 person security teams to build a vendor risk program using free tools and smart prioritization.

March 20, 2026 | Framework
SEC, GDPR, and HIPAA notification requirements, plus the contract clauses every TPRM program needs for vendor breach obligations.

March 5, 2026 | Framework
As vendors adopt AI, organizations need to assess AI-specific risks. How to incorporate the NIST AI RMF into your TPRM program.

February 10, 2026 | Strategy
Commercial TPRM tools price out SMBs. Open-source alternatives are closing the gap with transparency, data sovereignty, and zero licensing fees.

January 18, 2026 | Breach Analysis
IBM data shows third-party breaches cost 12% more than internal ones. The hidden costs of vendor incidents and why prevention is cheaper.

December 15, 2025 | Breach Analysis
A retrospective on the improvements and persistent gaps in vendor risk management since the 2020 SUNBURST (SolarWinds) attack.

December 8, 2025 | Framework
Why qualitative High/Medium/Low ratings fail and how the FAIR methodology converts vendor risk into Annualized Loss Expectancy that boards understand.

October 20, 2025 | Strategy
Why treating vendors as partners instead of adversaries leads to better security outcomes, with practical collaborative TPRM approaches.

August 12, 2025 | Framework
An honest assessment of Security Rating Services (SRS) platforms, their strengths and limitations, and how to combine them with other TPRM controls.

June 5, 2025 | Strategy
When all your vendors share the same cloud provider, one failure cascades everywhere. How to identify and manage concentration risk.

April 10, 2025 | Strategy
Annual reviews create 364-day blind spots. Continuous monitoring with Security Rating Services provides real-time vendor risk visibility.

February 15, 2025 | Strategy
Only 4% of organizations trust questionnaire accuracy. Why point-in-time self-reported assessments fail and what to do instead.

August 20, 2024 | Breach Analysis
How stolen credentials used against a Snowflake account with no MFA led to the exposure of call and text metadata for nearly all AT&T cellular customers.

August 5, 2024 | Strategy
A faulty software update crashed 8.5 million Windows systems worldwide, exposing the dangers of single-vendor dependency in critical infrastructure.

July 15, 2024 | Breach Analysis
Ticketmaster, AT&T, Santander, and 160+ others breached through stolen credentials and missing MFA on Snowflake accounts.

April 8, 2024 | Breach Analysis
ALPHV/BlackCat ransomware hit a UnitedHealth subsidiary, disrupting healthcare nationwide and costing $2+ billion in response.

November 10, 2023 | Breach Analysis
All Okta customer support system users were affected after attackers stole session tokens from HAR files uploaded to Okta's support portal. BeyondTrust and Cloudflare detected the intrusion before Okta did.

July 20, 2023 | Breach Analysis
A single SQL injection vulnerability in a file transfer tool led to one of the largest mass-exploitation events on record.

July 15, 2023 | Breach Analysis
Chinese APT persistence survived patches and firmware updates, forcing an unprecedented recommendation to physically replace compromised appliances.

April 12, 2023 | Breach Analysis
North Korean operators trojanized a Trading Technologies installer, which infected a 3CX employee's workstation, which in turn led to a trojanized 3CX desktop app used by 600,000+ companies.

March 15, 2023 | Breach Analysis
A vulnerable third-party media server on a DevOps engineer's home computer led to the theft of encrypted password vaults and, reportedly, large cryptocurrency losses.

October 20, 2022 | Breach Analysis
Stolen contractor credentials and MFA fatigue gave an attacker full access to Uber's internal systems, Slack, and HackerOne reports.

April 5, 2022 | Breach Analysis
A compromise at a third-party support contractor potentially exposed up to 366 Okta customers and raised questions about identity-provider supply chain risk.

January 8, 2022 | Framework
A CVSS 10.0 vulnerability in Apache Log4j (Log4Shell) exposed millions of applications and highlighted the hidden risk of transitive software dependencies.

July 15, 2021 | Breach Analysis
REvil exploited a zero-day in Kaseya's VSA platform, cascading ransomware through MSPs to an estimated 800 to 1,500 downstream businesses.

June 10, 2021 | Breach Analysis
DarkSide ransomware shut down 5,500 miles of pipeline for six days via compromised VPN credentials, causing gas shortages across the US East Coast.

March 20, 2021 | Breach Analysis
Chinese state-sponsored hackers exploited four zero-days in on-premises Exchange Server, compromising an estimated 250,000 organizations globally.

March 1, 2021 | Breach Analysis
FIN11/Cl0p chained four zero-days in Accellion's legacy file transfer appliance to steal data from Kroger, Singtel, and dozens more.

January 15, 2021 | Breach Analysis
Russian intelligence inserted a backdoor into SolarWinds Orion updates that reached 18,000+ organizations, including US government agencies, and went undetected for 9+ months.

October 8, 2020 | Breach Analysis
A CRM vendor breach affected 400+ organizations; the misleading disclosures that followed led to SEC charges and a $49.5 million multistate settlement.

August 8, 2019 | Breach Analysis
A former AWS engineer exploited a misconfigured WAF via server-side request forgery to obtain instance credentials and steal 106 million credit applications, resulting in an $80 million fine and a $190 million settlement.

July 25, 2019 | Breach Analysis
An eight-month breach at billing vendor AMCA exposed more than 20 million patients of Quest, LabCorp and other clients, and bankrupted the vendor within months.

December 10, 2018 | Breach Analysis
A breach that originated in Starwood's systems in 2014 was inherited by Marriott in 2016 and discovered in 2018. 500 million guest records exposed.

September 25, 2018 | Breach Analysis
Magecart Group 6 injected data-skimming code into BA's payment page via a modified JavaScript library, stealing 380,000+ card details.

April 10, 2018 | Breach Analysis
A third-party app harvested 87 million Facebook users' data for political profiling, leading to a historic $5 billion FTC fine.

September 20, 2017 | Breach Analysis
A patch was available for months. Equifax didn't apply it. 147.9 million records and a $700 million settlement later, it became the definitive patching-failure case study.

July 18, 2017 | Breach Analysis
Russian military malware spread via a Ukrainian tax software update, destroying IT infrastructure at Maersk, Merck, FedEx, and hundreds more.

October 5, 2016 | Breach Analysis
The largest breach on record by account count (3 billion accounts) cost Verizon a $350 million price reduction and taught the industry about inherited M&A risk.

January 16, 2014 | Breach Analysis
Stolen HVAC vendor credentials led to 110 million compromised records and $200+ million in costs. The incident that launched modern TPRM.