Sequenxa Intelligence Agency
Back to Intelligence Archive
UNCLASSIFIED // FOR OFFICIAL USE ONLY
Counter-Intelligence

When vendor access becomes adversary access: a counter-intelligence model for third-party risk

The median time between an attacker gaining initial access and handing that access to a second criminal group is now 22 seconds. Your vendor review cycle is twelve months. That gap is not a compliance problem. It is a counter-intelligence problem, and this article lays out what monitoring built for that gap actually watches.

R.J. FinneganJuly 11, 202610 min read
When vendor access becomes adversary access: a counter-intelligence model for third-party risk

In 2022, when a criminal group broke into a network and wanted to sell that access to a ransomware crew, the handoff took about eight hours. Time enough, in theory, for a security team to catch the intrusion before the second group ever showed up.


In 2025, that handoff took a median of 22 seconds.


That number comes from Mandiant's M-Trends 2026 report, built on more than 500,000 hours of incident response work. Initial access brokers no longer advertise stolen access on forums and wait for buyers. They pre-stage the second group's malware inside the initial infection, so the ransomware operator is armed the moment they touch the network. Mandiant saw this division-of-labor pattern in 9% of its 2025 investigations, up from 4% in 2022.


Now hold that number against your vendor risk program. Most third-party reviews run on an annual cycle. Some run quarterly for critical vendors. The adversary's operational tempo is measured in seconds, and yours is measured in fiscal quarters.


That mismatch is the subject of this article. We have already argued that vendor risk assessment is not supply-chain intelligence and that third-party access is a counter-intelligence problem because vendors change after the questionnaire is filed. This piece is about something different: speed.

Even a vendor that never changes is now exposed on a timeline your review cycle cannot see.


The exploitation window did not shrink. It inverted.


For years, the defensive model rested on a quiet assumption: a vulnerability gets disclosed, a patch gets issued, and the race begins. You patch faster than the attacker exploits, you win.


That race no longer exists.


According to Mandiant data cited in Black Kite's 2026 Supply Chain Vulnerability Report, attackers in 2025 exploited vulnerabilities an average of seven days before public disclosure. Not seven days after the patch. Seven days before anyone outside the attacker's operation knew the flaw existed. In 2023, the average gap from disclosure to exploitation was five days. Two years later the figure is negative.


Here's what that actually means for third-party risk. When your vendor tells you they patch critical vulnerabilities within 72 hours, that commitment is sincere and it is also irrelevant. The exploitation happened before the patch was written. A questionnaire that asks about patch cadence is measuring a defense against a timeline that no longer describes how compromise works.


The same Black Kite research offers the other half of the picture. More than 48,000 CVEs were published in 2025, roughly 800 were exploited in the wild, and only 58 posed a genuine, discoverable threat to enterprise supply chains. The problem is not volume. It is knowing which handful of exposures map to the specific vendors holding your access, and knowing it before the disclosure cycle catches up.


Questionnaires cannot do that. Intelligence collection can.


Trusted relationships became the delivery mechanism


The clearest demonstrations of this in 2026 did not involve anyone attacking a target directly. They involved attackers riding trust.

On May 18, 2026, a poisoned version of the Nx Console extension for VS Code went live on the official marketplace. It stayed up for roughly 18 minutes. That was enough. The malicious build reached developers through the extension's automatic update mechanism, meaning nobody had to click anything or install anything. Routine software maintenance was the infection vector. One of those developers worked at GitHub, and the attackers used that single compromised machine to exfiltrate roughly 3,800 internal repositories. CISA's May 28 alert on the incident, and on the parallel Megalodon campaign that injected malicious workflows into public CI/CD pipelines, reads less like a vulnerability notice and more like a counter-intelligence report: audit your automated accounts, assume your pipeline secrets are taken, rotate everything.


Think about what the target's security posture was worth in that scenario. GitHub is one of the most heavily defended software companies on earth. The path in was a developer tool from a trusted publisher, delivered by an update channel that every security team on the planet tells its people to keep enabled. Keeping your tools current is good hygiene right up until the update channel belongs to the adversary.


Nation-state operators run the same play against physical supply chains. CISA's joint advisory on Russian GRU Unit 26165 documents a multi-year espionage campaign against Western logistics and technology companies, in which the unit deliberately identified organizations with business relationships to their primary targets and moved through those relationships: shared credentials, vendor VPN access, manipulated mail rules. The advisory's guidance to executives is blunt. Posture your defenses with a presumption of targeting.


And the freight world shows the identical pattern with trucks instead of tokens. Verisk CargoNet recorded 767 supply chain crime events in Q1 2026 across the US and Canada, with estimated losses of $131.58 million. The headline tactic was not breaking into warehouses. It was impersonating legitimate motor carriers and brokers, sometimes by harvesting their credentials, sometimes by simply buying a legitimate carrier business outright and operating under its authority. We covered the identity mechanics of this in our analysis of supply chain risk intelligence after the cargo-theft surge. The point here is narrower: in freight, in software, and in espionage, the adversary's preferred entry is now a relationship you already trust.

There is one more category worth naming, because it is the one most organizations forget belongs to third-party risk at all: the vendor's infrastructure itself. CISA's Binding Operational Directive 26-02 gave federal agencies twelve months to remove end-of-support edge devices, for a simple reason. M-Trends 2026 found exploitation of internet-facing systems was the leading initial infection vector for the sixth straight year, and espionage actors are deliberately persisting inside edge devices because those devices cannot run standard security tooling. Our breakdown of BOD 26-02 covers the directive itself. The third-party angle is this: your vendor's aging VPN appliance is part of your attack surface, and no questionnaire answer will tell you it is sitting exposed on the public internet. Scanning will.


What intelligence-led monitoring actually watches


So what does third-party risk monitoring look like when it is built for a 22-second adversary instead of an annual audit?


It looks like collection, not correspondence. A counter-intelligence model treats each critical vendor the way an intelligence service treats a source relationship: valuable, ongoing, and continuously assessed for signs the relationship is not what it appears to be.


In practice, the monitoring targets are specific.


Identity drift. The people operating under your vendor's credentials today are not necessarily the people you vetted. Staff turnover, offshore subcontracting, and account sharing all shift who is actually behind an access badge or a service account. M-Trends 2026 documented North Korean IT worker operations averaging 122 days of dwell time inside victim organizations, employed under fabricated identities that passed hiring checks. We have written about the badge-level version of this problem in contractor access as an identity intelligence problem. The monitoring question is not "did this vendor pass vetting." It is "who is using this access right now, and does that match who passed vetting."


Subcontractor and ownership changes. Your contract is with one company. Your exposure is to everyone they quietly delegate to, and to whoever acquires them. CargoNet's finding that criminal networks are purchasing legitimate carriers to inherit their operating authority is the freight version of a general truth: ownership is an attack vector. Corporate registry changes, new beneficial owners, and sudden subcontractor additions are all collectable signals, and none of them will be volunteered on next year's questionnaire.


Credential abuse in the wild. Vendor credentials show up in stealer logs, combo lists, and access-broker listings well before they show up in an incident report. M-Trends 2026 documented attackers compromising SaaS vendors specifically to harvest OAuth tokens and hard-coded keys, then pivoting into downstream customer environments. If a criminal marketplace is selling access tied to your vendor's domain, you want to know that week, not at renewal.


Exposed and end-of-life infrastructure. External scanning of a vendor's internet-facing systems is cheap and legal. It is also revealing. Unsupported edge devices, exposed management interfaces, and unpatched gateways are exactly what both ransomware crews and Unit 26165 look for first.

Behavioral and logistics anomalies. Unusual ordering patterns, rerouted shipments, out-of-cycle data pulls, access at odd hours from odd geographies. Individually, noise. Correlated against the other collection streams, they are often the earliest sign that a trusted relationship has been repurposed.


None of this is exotic. Most of it is open-source collection, disciplined correlation, and a team that treats an anomaly as a lead instead of a ticket. That is the working definition of supply chain intelligence as an operational function rather than a procurement phase, and it is the collection layer that counter-intelligence operations and adaptive defense are built on.


The questions executives should be asking now


If you sit on a board or run a security, risk, or procurement function, you do not need to run the collection yourself. You need to ask the questions that reveal whether anyone is.


Ask which vendors hold standing access to your environment, and when each one was last assessed against anything other than their own answers. Ask how you would learn, this week, that a critical vendor's credentials were being sold, that their ownership had changed, or that their VPN concentrator went end-of-support. Ask who in your organization owns the vendor relationship after the contract is signed, because in most companies the honest answer is nobody. Procurement owns the onboarding, security owns the incidents, and the years in between belong to no one.

And ask what your escalation path is. Monitoring produces signals. Somebody has to decide which signals mean the relationship itself needs to be investigated.


When monitoring becomes investigation


Most anomalies resolve benignly. A subcontractor addition turns out to be a legitimate capacity expansion. A credential in a stealer log belongs to a long-departed employee whose access was already revoked.


But some patterns warrant a shift from watching to digging: ownership changes that trace back to entities with no operating history, personnel who cannot be verified as real, credentials that keep reappearing in criminal channels after rotation, or infrastructure changes that align a vendor with known adversary tooling. At that point the question is no longer "is this vendor risky." It is "has this relationship already been repurposed, by whom, and for how long." That is investigative work with legal, contractual, and sometimes law-enforcement dimensions, and it needs to be scoped and evidenced accordingly. The threshold judgment, deciding when a signal justifies that escalation, is where an experienced intelligence team earns its keep. Escalate everything and you burn trust with your own vendors. Escalate nothing and you are the case study in next year's M-Trends.


The uncomfortable truth underneath all of this: the 22-second handoff and the negative-seven-day exploit window mean some vendor in your ecosystem is probably compromised right now, and neither you nor they know it yet. The annual review will not find it. The questionnaire will not surface it.


Someone has to be watching between the audits. Right now, for most organizations, no one is.


Frequently asked questions

What is third-party risk monitoring?


Third-party risk monitoring is the continuous observation of vendors, suppliers, and contractors after onboarding, tracking signals like credential exposure, ownership changes, subcontractor additions, and vulnerable internet-facing infrastructure. Unlike point-in-time assessments, it is designed to detect when a trusted relationship changes or becomes compromised between formal review cycles.


Why are annual vendor risk assessments no longer enough?


Adversary timelines have collapsed past what periodic review can catch. Per M-Trends 2026, attackers hand off network access to secondary criminal groups in a median of 22 seconds, and exploit vulnerabilities an average of seven days before public disclosure. An annual questionnaire cannot detect a compromise that begins and ends between assessments.


How is supply chain intelligence different from vendor risk assessment?


Vendor risk assessment evaluates documentation a vendor provides about itself, usually during onboarding. Supply chain intelligence independently collects and analyzes external evidence about the vendor: exposed infrastructure, leaked credentials, ownership and personnel changes, and adversary interest. One verifies paperwork. The other verifies reality, continuously.


When should vendor monitoring escalate to a formal investigation?


Escalate when signals suggest the relationship itself may be repurposed: ownership tracing to entities with no operating history, personnel who cannot be verified, credentials repeatedly appearing in criminal marketplaces after rotation, or infrastructure aligning with known adversary tooling. At that point the objective shifts from measuring risk to establishing facts, with evidence handled to an investigative standard.


Sources

When Vendor Access Becomes Adversary Access | Sequenxa