Surface 08

Third-party / Supply chain

What lives here

Vendor relationships, software dependencies, SBOM contents, build artifacts from upstream.

Primary threats
  • supply-chain compromise
  • fourth-party risk
  • dependency exploits
  • vendor breach with shared blast radius
Defensive categories
  • TPRM
  • vendor risk ratings
  • SBOM / software attestation
  • ASM