Most organizations spend enormous effort hardening the systems they own and almost none thinking about the systems they merely depend on. That is backwards. Some of the most damaging breaches of the last decade did not start with an attacker breaking through a company’s own defenses at all. They started with a payment vendor, an HVAC contractor, a helpdesk platform, or a build tool that quietly had access to something it should not have. The uncomfortable truth is that your security is only as strong as the weakest supplier you have handed a login, an API key, or a network connection.
Third-party risk assessment is the discipline of measuring and managing that exposure. It answers a deceptively simple question: if this vendor were compromised, or turned out to be negligent, how badly would it hurt us? Everything else is detail.
Why “Third Party” Is a Bigger Circle Than It Looks
When people hear “third party” they picture a handful of large SaaS providers. In reality the circle is far wider. It includes cloud infrastructure, contractors and staffing agencies, open-source dependencies pulled into your build, managed service providers with admin credentials, and even the fourth parties your vendors themselves rely on. That last category — your vendor’s vendors — is where a lot of risk hides, because you have no direct relationship with them and often no idea they exist.
A useful way to think about it: every external party sits somewhere on a spectrum defined by two axes — how much access they have (none, read-only data, sensitive data, network/admin access) and how critical they are to your operations. A marketing analytics tool with read-only access to anonymized data is a very different risk than a payroll processor holding employee bank details, even though both are “vendors.”
What a Real Assessment Actually Looks At
A serious assessment is more than a security questionnaire. It pulls together several distinct signals and weighs them against how the vendor is actually used. The core components usually include:
- Data exposure — what categories of data the vendor touches (PII, PHI, cardholder data, source code, credentials) and where it is stored and processed geographically.
- Access and connectivity — VPN tunnels, API scopes, SSO federation, admin rights, and whether access follows least privilege or is dangerously broad.
- Security posture — the vendor’s own controls: encryption, MFA, patch cadence, logging, and evidence they can respond to incidents.
- Compliance and attestations — SOC 2 Type II reports, ISO 27001 certification, PCI DSS attestation, and how recent and in-scope they are.
- Financial and operational stability — a vendor about to go bankrupt is a continuity risk even if their security is excellent.
- Concentration risk — whether several critical functions all depend on the same underlying provider, creating a single point of failure.
The crucial mindset shift is that none of these numbers mean anything in isolation. A perfect SOC 2 report on a vendor that holds your entire customer database still leaves you with meaningful residual risk. The assessment’s job is to combine likelihood (how exposed and how weak the vendor is) with impact (how much you would lose) into a risk rating you can actually act on.
Working Through the Process
In practice, assessing a vendor tends to flow through a few repeatable stages.
- Inventory and tiering. You cannot assess what you have not catalogd. Build a register of every third party, then tier them by criticality and data sensitivity so you spend your effort where it matters. Most programs use three or four tiers.
- Due diligence and evidence gathering. For higher tiers, collect questionnaires (SIG, CAIQ, or a custom set), audit reports, penetration test summaries, and architecture details. Verify claims rather than taking them at face value.
- External validation. Complement what the vendor tells you with what you can observe from the outside. This is where technical reconnaissance earns its place — you can independently check a vendor’s internet-facing hygiene.
- Risk rating and treatment. Score the vendor, then decide: accept, mitigate (add contractual controls, restrict access, require remediation), transfer (insurance, indemnification), or avoid (walk away).
- Contracting. Bake requirements into the agreement — breach notification windows, right-to-audit clauses, data handling terms, and security SLAs. A control you cannot enforce contractually is a hope, not a control.
The external-validation step is worth expanding, because it is the part teams most often skip. You do not need privileged access to learn a lot about a vendor’s exposure. Passive and lightweight active techniques can reveal exposed services, weak TLS, or leaked credentials.
Certificate transparency logs are a fast way to enumerate a vendor’s subdomains and spot forgotten infrastructure:
# Enumerate subdomains a vendor has issued certificates for
curl -s "https://crt.sh/?q=%25.vendor.com&output=json" | \
jq -r '.[].name_value' | sort -uEach returned hostname is a candidate attack surface. A sprawling, inconsistent list often signals weak asset management.
Shodan lets you see what a vendor exposes to the internet without touching their systems directly:
# What internet-facing services does this org run, and are any obviously stale?
shodan search "org:\"Vendor Inc\"" --fields ip_str,port,product,versionFinding an unpatched web server or an exposed database port here is a strong, verifiable signal that internal hygiene may be poor. For TLS specifically, a quick check tells you whether they are keeping up with basic transport security:
# Grade a vendor's public endpoint TLS configuration
nmap --script ssl-enum-ciphers -p 443 app.vendor.comWeak ciphers, deprecated protocol versions, or an expired certificate on a production login page are small findings that correlate with larger process failures. The point is not to attack the vendor — stay strictly within passive and non-intrusive checks on assets you are entitled to review — but to corroborate the picture their paperwork paints.
The Part Everyone Underinvests in: Monitoring
Here is the failure mode that quietly undoes most programs. A vendor is assessed carefully during onboarding, scores well, and is then never looked at again. But a point-in-time assessment ages instantly. Vendors get breached, let certifications lapse, spin up sloppy new infrastructure, quietly change subprocessors, or get acquired by a company with a worse security culture. The risk you signed off on is not the risk you have a year later.
Effective programs treat third-party risk as continuous, not annual. That means monitoring for external posture changes (new exposed services, expiring certificates, appearance in breach dumps), watching threat intelligence for the vendor being named in incidents, tracking whether attestations are renewed on schedule, and re-triggering a full reassessment when something material changes — a breach, a merger, or an expansion of the vendor’s access. Automated attack-surface monitoring and security rating feeds can carry a lot of this load, but they supplement human judgment rather than replace it.
Making a Program That Actually Holds Up
A few principles separate programs that reduce risk from those that just generate paperwork:
- Tier ruthlessly. Do not put a low-risk vendor through the same gauntlet as one holding your crown jewels. Match diligence depth to actual risk, or you will burn goodwill and miss what matters.
- Enforce least privilege for vendors the same way you would for employees. Scope API keys tightly, prefer time-bound access, and revoke promptly at offboarding — an unused vendor account is a free foothold.
- Verify, do not trust. Corroborate self-reported answers with external evidence and independent attestations.
- Map fourth-party dependencies for your most critical vendors so a shared upstream provider does not blindside you.
- Have an exit plan. Know how you would extract your data and cut a vendor off cleanly before you need to.
- Close the loop. Track findings to remediation with real deadlines, and reassess after material change rather than on a lazy calendar cadence.
The through-line of all of this is a change in perspective. Third-party risk is not a procurement checkbox or a once-a-year questionnaire exercise; it is a live extension of your own attack surface that happens to sit on someone else’s infrastructure. Treat every vendor relationship as a standing question — what would it cost us if this one failed? — and revisit the answer as the relationship, the access, and the threat landscape evolve. The organizations that get breached through a supplier are rarely the ones that asked that question honestly and kept asking it.
