You've scoped your penetration test. You've mapped your assets, defined your IP ranges, and identified your web applications. Your team did everything right and then you got breached through a vendor you never tested.
This is not a hypothetical. It's the pattern behind some of the most damaging breaches of the past five years. The attack surface your organization owns is only part of the story. The vendors, integrations, and third-party connections that touch your data and your network are just as much your problem even if they're not on your asset list.
For security leaders, this creates a real and urgent question: if your vendor is the weak link, are you even testing the right things?
The Third-Party Risk Reality
Sources: Security Scorecard & Cyentia Institute, 2024 Third-Party Cyber Risk Study; Verizon 2024 Data Breach Investigations Report; IBM Cost of a Data Breach Report 2024The Third-Party Attack Surface Is Growing Fast
Modern enterprises don't operate in isolation. The average organization shares sensitive data or network access with hundreds of vendors, SaaS platforms, and technology partners. Each one of those connections is a potential entry point for an attacker.
According to SecurityScorecard and the Cyentia Institute's 2024 Third-Party Cyber Risk Study, 98% of organizations have a relationship with at least one third party that experienced a breach in the past two years. That's not a fringe scenario — that's the baseline reality for virtually every company doing business today.
Verizon's 2024 Data Breach Investigations Report (DBIR) found that 29% of all breaches involved a third-party or supply chain component, more than doubling the figure from just two years prior. The trend is clear: attackers have figured out that vendors are often easier targets than the organizations they serve.
Attackers have figured out that vendors are often easier targets than the organizations they serve.
Why? Because vendors frequently have:
- Less mature security programs than their enterprise customers
- Broad access to customer environments that isn't regularly reviewed
- Inconsistent patching and vulnerability management practices
- APIs and integrations that weren't built with security as a first principle
And because your vendor's security posture changes constantly — new code shipped, new integrations enabled, new team members onboarded — a point-in-time assessment of their security is outdated before it's finished.
Vendor Risk Questionnaires Aren't Testing
The standard approach to third-party risk management is the vendor questionnaire. You send a spreadsheet. They fill it out. You add them to a register and move on. This process is ubiquitous — and almost completely useless as an actual security control.
Questionnaires measure what vendors say about their security, not what their security actually looks like. They don't identify unpatched CVEs, misconfigured cloud assets, or exposed APIs. They don't show you what an attacker would find if they targeted your vendor specifically to reach you.
The 2024 Ponemon Institute Third-Party Risk Management Study found that only 41% of organizations say they have sufficient information to assess the security practices of their third parties, despite 82% of respondents rating third-party risk as a critical priority. There's a gap between the concern and the actual validation.
Questionnaires measure what vendors say about their security — not what their security actually looks like.
Real vendor risk validation requires testing. Not a checkbox. Not a self-attestation. Actual penetration testing of the attack paths that flow through your vendor relationships.
What "Vendor in Scope" Actually Means
When we say vendors need to be in your testing scope, we don't mean you need to run a full pentest of every third-party environment. What we mean is that your testing should reflect the actual attack paths an adversary would use — and those paths go through your vendor ecosystem.
In practice, this looks like:
- Testing vendor-facing network segments and the trust relationships that connect them to your core environment
- Assessing APIs and integrations that vendors use to access your systems
- Evaluating the access controls, authentication mechanisms, and privilege levels associated with vendor accounts
- Testing what lateral movement looks like from a compromised vendor connection inward
- Reviewing M&A-inherited infrastructure that came with legacy vendor relationships baked in
Rethinking What "Scope" Covers
Old Testing Scope | Modern Testing Scope |
|---|---|
Your internal network | Your internal network + vendor-accessible segments |
Your external IPs and domains | Vendor-exposed APIs and portals |
Your web applications | Third-party integrations and data pipelines |
Your endpoints | M&A inherited infrastructure |
Your cloud assets | Shadow IT and unmanaged vendor connections |
The right pentest scope isn't just your perimeter. It's everything an attacker could use to reach your data — including the vendor-shaped doors you've left open.
The SolarWinds Effect: Why This Is a Leadership Issue
The 2020 SolarWinds supply chain attack didn't compromise SolarWinds customers through their own perimeters. It compromised them through a trusted update mechanism from a vendor they had every reason to believe was secure. Over 18,000 organizations were affected. The U.S. government, Fortune 500 companies, critical infrastructure providers — all reached through a vendor.
That event changed how the security industry thinks about third-party risk. But it didn't change how most organizations test. Annual pentests of internal and external assets, with vendor relationships treated as a separate compliance track, remains the dominant model.
The MOVEit breach in 2023 followed the same pattern. Attackers exploited a zero-day in a widely-used managed file transfer tool and reached hundreds of downstream organizations — including government agencies, financial institutions, and healthcare providers. Again: the entry point was a trusted vendor, not the organizations themselves.
IBM's Cost of a Data Breach Report 2024 found that breaches involving supply chain or third-party access took an average of 294 days to identify and contain — significantly longer than breaches originating from other attack vectors. Extended dwell time means more damage, more data exfiltrated, and higher remediation costs.
How Continuous Testing Changes the Equation
The fundamental problem with annual pentesting isn't just scope — it's timing. A one-time test of your environment, even a comprehensive one, creates a snapshot that goes stale the moment it's complete. And vendor ecosystems change constantly.
Your vendors onboard new cloud services. They push code updates. They add new integrations with other third parties. They hire new staff who spin up systems outside your awareness. Each of these changes can introduce new attack paths into your environment — paths that an annual test would never catch because they didn't exist when the test was run.
Gartner now recognizes Continuous Offensive Security Testing (COST) as a distinct capability category. The core principle: security testing should be triggered by change, not by the calendar. When your environment changes — or when your vendor's does — testing should follow.
For vendor risk specifically, this means:
- Continuous attack surface monitoring that tracks changes in vendor-exposed assets
- Automated testing triggers when new integrations or access paths are detected
- Ongoing validation of the trust relationships between your environment and your vendors
- Real-time findings, not a PDF delivered six weeks after testing ends
Sprocket Security's platform is built on this model. Our Attack Surface Management (ASM) capability continuously maps your environment including the shadow IT and vendor-connected assets that traditional scoping misses. When something changes, testing triggers. Human-validated findings flow into your workflows in near real time.
This isn't about testing your vendors for them. It's about testing the parts of your environment where your vendors have access, and making sure that testing keeps pace with how quickly those relationships evolve.
The Compliance Argument Isn't Enough
Many organizations approach third-party security through a compliance lens: SOC 2 Type II, ISO 27001, PCI DSS, HIPAA. These frameworks all require some form of vendor risk management, and they've driven meaningful adoption of third-party risk programs.
But compliance frameworks are written for the past. They're built on annual assessment cycles, point-in-time evidence, and self-attested controls. They weren't designed to validate whether a vendor's API, integrated last quarter, creates an exploitable path into your cardholder data environment.
Compliance tells you that a vendor has a security program. It doesn't tell you whether that program would actually stop an attacker from using that vendor to reach your data.
Security leaders who rely on compliance as their primary third-party risk control are accepting a gap and most of them know it. The Ponemon study cited earlier found that 61% of organizations experienced a data breach caused by a third party in 2024. These are organizations with vendor risk programs. Programs that satisfied their compliance requirements and still left them exposed.
Compliance tells you that a vendor has a security program. It doesn't tell you whether that program would stop an attacker.
What to Do Now
If you're a CISO, VP of Security, or security director looking at your current testing program, here are the immediate questions to ask:
- Does your current penetration testing scope include vendor-facing network segments and API integrations?
- When was the last time you tested what lateral movement looks like from a compromised vendor connection?
- Are your vendor access controls validated through actual testing, or through questionnaires and certifications?
- Does your security posture reflect changes your vendors made last month — or just what your environment looked like at last year's test?
- If a vendor was compromised tomorrow, do you know what they could access in your environment?
If the honest answers are uncomfortable, that's useful information. It means your current testing program has a structural gap — and that gap is exactly where attackers look.
The fix isn't a bigger questionnaire or a more comprehensive vendor audit checklist. It's testing that reflects the actual attack surface, including the parts of it that your vendors occupy.
Want to Know What an Attacker Sees About Your Vendor Attack Surface?
Sprocket Security's free Attack Surface Management (ASM) tool gives you continuous, attacker-eye visibility into your exposed assets — including vendor-connected infrastructure and shadow IT that most organizations don't even know exists.
No sales pitch. No commitment. Just visibility.
Get Your Free Attack Surface Assessment → sprocketsecurity.com/attack-surface-management
References
- *SecurityScorecard & Cyentia Institute. (2024). 2024 Third-Party Cyber Risk Study. https://securityscorecard.com/research/2024-third-party-cyber-risk-study*
- *Verizon. (2024). 2024 Data Breach Investigations Report (DBIR). https://www.verizon.com/business/resources/reports/dbir/*
- *IBM Security. (2024). Cost of a Data Breach Report 2024. https://www.ibm.com/reports/data-breach*
- Ponemon Institute. (2024). Third-Party Risk Management Study 2024. https://www.ponemon.org
- Gartner. (2024). Market Guide for Continuous Threat Exposure Management. https://www.gartner.com
- *CISA. (2021). SolarWinds and Active Exploitation of Orion Software. https://www.cisa.gov/supply-chain-compromise*
- *Progress Software. (2023). MOVEit Transfer Vulnerability Disclosure. https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability*
