Real-world breach analysis, third-party risk management strategy, and GRC compliance insights from the security community. Learn from the incidents that shaped modern vendor risk programs.
NIS2 turns supplier security into a legal obligation across the EU, with penalties up to €10 million or 2% of global turnover. A practical guide to its third-party risk and incident-reporting requirements as enforcement ramps up in 2026.
Read article → June 3, 2026 Breach AnalysisA May 2026 ransomware attack took a quiet but essential link in the global drug supply chain offline worldwide. Why vendor concentration and availability risk is a third-party risk problem no questionnaire score will fix.
Read article → May 26, 2026 StrategyThe 2026 Verizon Data Breach Investigations Report found a third party involved in 48% of breaches — up 60% year over year. What the data means for your TPRM strategy.
Read article → May 19, 2026 StrategyVendor due diligence is shifting from trust to proof. Why a growing number of TPRM teams are asking suppliers whether they continuously run autonomous penetration testing — and how to add the question to your own assessments.
Read article → May 13, 2026 FrameworkOne of the highest-signal data sources in third-party risk is free, public, and machine-readable. How to use the CISA KEV catalog to assess and monitor vendor risk.
Read article → May 6, 2026 FrameworkThe most prescriptive third-party risk regulation yet is now live. A practical guide to registers of information, critical-provider oversight, and threat-led testing.
Read article → April 27, 2026 Breach AnalysisA single domain takeover weaponized JavaScript loaded by more than 100,000 websites. Why third-party code is third-party risk — even when no contract exists.
Read article → April 18, 2026 Breach AnalysisA patient campaign socially engineered control of a critical open-source project and nearly backdoored Linux. The supply chain near-miss that no questionnaire could have caught.
Read article → April 15, 2026 StrategyEight trends transforming vendor risk management, from AI-powered analysis and continuous monitoring to SBOM requirements and open-source democratization.
Read article → April 1, 2026 StrategyA practical step-by-step guide for 1-3 person security teams to build a vendor risk program using free tools and smart prioritization.
Read article → March 20, 2026 FrameworkSEC, GDPR, and HIPAA notification requirements, plus the contract clauses every TPRM program needs for vendor breach obligations.
Read article → March 5, 2026 FrameworkAs vendors adopt AI, organizations need to assess AI-specific risks. How to incorporate NIST AI RMF into your TPRM program.
Read article → February 10, 2026 StrategyCommercial TPRM tools price out SMBs. Open-source alternatives are closing the gap with transparency, data sovereignty, and zero licensing fees.
Read article → January 18, 2026 Breach AnalysisIBM data shows third-party breaches cost 12% more than internal ones. The hidden costs of vendor incidents and why prevention is cheaper.
Read article → December 15, 2025 Breach AnalysisA retrospective on the improvements and persistent gaps in vendor risk management since the SUNBURST attack.
Read article → December 8, 2025 FrameworkWhy qualitative H/M/L ratings fail and how FAIR methodology converts vendor risk into Annualized Loss Expectancy that boards understand.
Read article → October 20, 2025 StrategyWhy treating vendors as partners instead of adversaries leads to better security outcomes, with practical collaborative TPRM approaches.
Read article → August 12, 2025 FrameworkAn honest assessment of SRS platforms, their strengths and limitations, and how to combine them with other TPRM controls.
Read article → June 5, 2025 StrategyWhen all your vendors share the same cloud provider, one failure cascades everywhere. How to identify and manage concentration risk.
Read article → April 10, 2025 StrategyAnnual reviews create 364-day blind spots. Continuous monitoring with Security Rating Services provides real-time vendor risk visibility.
Read article → February 15, 2025 StrategyOnly 4% of organizations trust questionnaire accuracy. Why point-in-time self-reported assessments fail and what to do instead.
Read article → August 20, 2024 Breach AnalysisHow credential stuffing against Snowflake led to the exposure of nearly all AT&T cellular customer call and text metadata.
Read article → August 5, 2024 StrategyA faulty software update crashed 8.5 million systems worldwide, exposing the dangers of single-vendor dependency in critical infrastructure.
Read article → July 15, 2024 Breach AnalysisTicketmaster, AT&T, Santander, and 160+ others breached through stolen credentials and missing MFA on Snowflake accounts.
Read article → April 8, 2024 Breach AnalysisALPHV/BlackCat ransomware hit a UnitedHealth subsidiary, disrupting healthcare nationwide and costing $2+ billion in response.
Read article → November 10, 2023 Breach AnalysisAll Okta support customers affected after attackers stole session tokens. BeyondTrust and Cloudflare detected it before Okta did.
Read article → July 20, 2023 Breach AnalysisA single SQL injection vulnerability in a file transfer tool led to the largest mass-exploitation event in history.
Read article → July 15, 2023 Breach AnalysisChinese APT persistence survived firmware updates, forcing an unprecedented recommendation to physically replace compromised appliances.
Read article → April 12, 2023 Breach AnalysisNorth Korean hackers compromised Trading Technologies, which infected a 3CX employee, which trojanized the 3CX app used by 600,000+ companies.
Read article → March 15, 2023 Breach AnalysisA third-party media software vulnerability on a DevOps engineer's home computer led to encrypted vault theft and massive crypto losses.
Read article → October 20, 2022 Breach AnalysisStolen contractor credentials and MFA fatigue gave an attacker full access to Uber's internal systems, Slack, and HackerOne reports.
Read article → April 5, 2022 Breach AnalysisA third-party support contractor compromise exposed 366 Okta customers and raised questions about identity provider supply chain risk.
Read article → January 8, 2022 FrameworkA CVSS 10.0 vulnerability in Apache Log4j exposed millions of applications and highlighted the hidden risk of transitive software dependencies.
Read article → July 15, 2021 Breach AnalysisREvil exploited a zero-day in Kaseya's VSA platform, cascading ransomware through MSPs to 800-1,500 downstream businesses.
Read article → June 10, 2021 Breach AnalysisDarkSide ransomware shut down 5,500 miles of pipeline for 6 days via compromised VPN credentials, causing gas shortages across the US East Coast.
Read article → March 20, 2021 Breach AnalysisChinese state-sponsored hackers exploited four zero-days in on-premises Exchange Server, compromising 250,000 organizations globally.
Read article → March 1, 2021 Breach AnalysisFIN11/Cl0p chained four zero-days in Accellion's legacy file transfer appliance to steal data from Kroger, Singtel, and dozens more.
Read article → January 15, 2021 Breach AnalysisRussian intelligence inserted a backdoor into Orion updates, compromising 18,000+ organizations including US government agencies for 9+ months.
Read article → October 8, 2020 Breach AnalysisA CRM vendor breach affected 400+ organizations, followed by misleading disclosures that led to SEC charges and a $49.5M settlement.
Read article → August 8, 2019 Breach AnalysisA former AWS engineer exploited a misconfigured WAF to steal 106 million credit applications, resulting in an $80M fine and $190M settlement.
Read article → July 25, 2019 Breach AnalysisAn 8-month breach at billing vendor AMCA exposed 20 million Quest patients and bankrupted the vendor within months.
Read article → December 10, 2018 Breach AnalysisA breach that originated in Starwood's systems in 2014 was inherited by Marriott in 2016 and discovered in 2018. 500 million guest records exposed.
Read article → September 25, 2018 Breach AnalysisMagecart Group 6 injected data-skimming code into BA's payment page via a modified JavaScript library, stealing 380,000+ card details.
Read article → April 10, 2018 Breach AnalysisA third-party app harvested 87 million Facebook users' data for political profiling, leading to a historic $5 billion FTC fine.
Read article → September 20, 2017 Breach AnalysisA patch was available for months. Equifax didn't apply it. 147.9 million records and a $700 million settlement later, it became the definitive patching failure case study.
Read article → July 18, 2017 Breach AnalysisRussian military malware spread via a Ukrainian tax software update, destroying IT infrastructure at Maersk, Merck, FedEx, and hundreds more.
Read article → October 5, 2016 Breach AnalysisThe largest breach in history — 3 billion accounts — cost Verizon a $350 million price reduction and taught the industry about inherited M&A risk.
Read article → January 16, 2014 Breach AnalysisStolen HVAC vendor credentials led to 110 million compromised records and $200+ million in costs. The incident that launched modern TPRM.
Read article →