Trust, But Verify: What Perimeter TPRM Flagged Months Before the Stryker Breach

March 27, 2026



We Flagged the Risk. Six Months Before the Stryker Breach.

On September 13, 2025, Perimeter’s Monitor module flagged Stryker Corporation as “High Risk” with an F-grade security score of 32%, across 1,905 monitored domains and 5,971 identified risks. Six months later, the breach arrived. Here is what the data showed – and what it means for your vendor portfolio.

AT A GLANCE

Sep 13, 2025: Perimeter flags Stryker HIGH RISK
32% / F Grade: Overall security score across 13 domains
5,971: Identified risks across 1,905 domains
4 Categories: Scored zero – including patch & encryption mgmt
6 Months: Before the breach – with no action taken
Mar 11, 2026: Stryker breach reported publicly

March 11, 2026: A Breach Perimeter Had Flagged as High Risk

At some point on March 11, 2026, the message every CISO dreads arrived in inboxes across the healthcare and medtech industry. Stryker Corporation – one of the world’s largest medical technology companies, operating in over 79 countries – had been hit by a major cyberattack. The threat actor claimed to have wiped more than 200,000 systems and extracted 50 terabytes of critical data. Offices reportedly shut down across multiple continents.

Whether every element of that claim proves accurate is beside the point. What is not in dispute: a company with a global presence and a responsibility to protect sensitive medical and patient-adjacent data suffered a catastrophic security failure – one for which Perimeter had issued a high-risk warning months before it occurred.

Perimeter’s Monitor module had flagged Stryker as “High Risk” on September 13, 2025 – nearly six months before the attack.

This is what continuous, verified threat intelligence looks like when it is working: identifying high-risk vendors long before an incident forces the question. And it raises an uncomfortable question for every security leader managing a vendor portfolio: if Stryker appeared in your ecosystem, would you have known?

September 13, 2025: What Perimeter’s Monitor Found

Six months before the breach, Perimeter’s Monitor module assessed Stryker Corporation’s external attack surface and arrived at an unambiguous conclusion: this organization was at high risk. The finding was formally logged:

“Company has multiple exploitable CVEs along with high criticality Monitor issues. High Risk of a breach.”

That warning was not generated by a rule-based trigger or a single data point. It was the product of Monitor’s cross-referenced assessment of Stryker’s observable attack surface – a picture assembled from thousands of external signals across 1,905 domains and 5,971 identified risks.

It is important to note that we do not yet know the specific attack vector or where the breach occurred. But these findings are clear evidence of poor cyber hygiene – and it is possible that some of these issues could have been exploited. Perimeter flags these risks so that organizations can work with their vendors to remediate or mitigate them.

An F grade is not a rounding error. It is a structural indictment. And the category-by-category breakdown tells you exactly why.

The Security Score That Told the Story

The Monitor scoring model evaluates organizations across thirteen distinct security domains, each weighted by its criticality to overall risk posture. Stryker’s results were not ambiguous. Four of the highest-weighted categories – together worth 60 points out of 130 – returned a score of zero.

| Security Domain | Score | Status |
|---|---|---|
| Known Ransomwared / Exploited CVE | 0 / 20 | CRITICAL |
| Patch Management | 0 / 15 | CRITICAL |
| Encryption Management | 0 / 15 | CRITICAL |
| Certificate Management | 0 / 10 | CRITICAL |
| Email Security | 2.5 / 5 | WARNING |
| Domain Reputation | 2.5 / 5 | WARNING |
| Firewall Management | 2.5 / 5 | WARNING |
| Database Exposed | 7.5 / 15 | WARNING |
| Remote Access Exposed | 7.5 / 15 | WARNING |
| Default Configuration | 10 / 10 | PASS |
| DNS Misconfiguration | 5 / 5 | PASS |
| Unsupported Web Server | 10 / 10 | PASS |

Read that table carefully. The categories where Stryker scored zero are not peripheral hygiene issues. They represent the types of weaknesses that modern ransomware and destructive cyberattacks routinely exploit.

Known Ransomwared / Exploited CVEs – 0 / 20 (CRITICAL)

Stryker had identifiable vulnerabilities that are actively linked to ransomware campaigns in the wild – documented, known, and unaddressed. This is not a theoretical risk. These CVEs had already been weaponized by threat actors against other organizations.

Patch Management – 0 / 15 (CRITICAL)

No evidence of timely patching across the observable attack surface. Unpatched systems are the single most common entry point in enterprise breaches. A zero here exposes you to significant risk.

Encryption Management – 0 / 15 (CRITICAL)

Improper encryption practices – outdated algorithms, weak keys, unencrypted sensitive data – mean that extracted data is immediately usable by an attacker. The claimed 50TB exfiltration, if accurate, may have been readable in transit.

Certificate Management – 0 / 10 (CRITICAL)

Expired, self-signed, or misconfigured SSL/TLS certificates across a global estate indicate a systematic weakness in security infrastructure maintenance – and can expose communications to interception.

None of this was hidden. It was all observable from outside Stryker’s perimeter – by anyone with the right tools looking at the right signals. Perimeter’s Monitor was looking.

Why Other TPRM Tools Missed What Perimeter Found

Here is the uncomfortable reality that the Stryker breach surfaces for the TPRM market: most organizations that had Stryker in their vendor portfolio had some form of vendor risk data on them. Questionnaires were completed. Security ratings may have been pulled. Documents were filed.

None of it surfaced the high-risk indicators that Perimeter’s Monitor identified in September 2025.

Why? Because the dominant model in third-party risk management is built on a fundamental flaw: it trusts what vendors tell you. Assessment platforms send questionnaires and record the answers. Monitoring platforms watch external signals. But no platform systematically cross-references the two – checking whether what a vendor attests in a questionnaire is consistent with what is actually observable in their attack surface.

Every competitor in TPRM helps you ask your vendors the right questions. Only Perimeter tells you whether the answers are true.

Stryker’s questionnaire may have said their patches were current. Their questionnaire may have attested to encryption compliance. Their questionnaire may have claimed certificate management was in order. Perimeter’s Monitor looked at the observable evidence and found something different – months before anyone else was asking the question.

This is the gap. And it is not a minor gap. It is the gap that separates an early high-risk warning from a post-breach report.

The Stryker Risk Signature Is in Vendor Portfolios Everywhere

The pattern Perimeter’s Monitor identified in Stryker – zero scores across patch management, encryption, certificate management, and known exploitable CVEs, combined with partial failures in email security, firewall management, and remote access controls – is not a once-in-a-decade anomaly. It is a recognizable risk signature that appears in vendor portfolios across every industry.

The question is not whether vendors with this profile exist in your ecosystem. They do. The question is whether you are looking at verified evidence or unverified attestations.

For every CISO currently managing a portfolio of 50, 100, or 500 vendors, the Stryker breach is not an abstract cautionary tale. It is a forcing function. Your board will ask whether your vendors look like Stryker did in September 2025. You need an answer you can defend – not a questionnaire result, and not a monitoring score that tells you what your vendor’s attack surface looks like without telling you whether it matches what they claimed.

How Perimeter’s Monitor and Verify Modules Work

Monitor: Continuous External Threat Intelligence

Perimeter’s Monitor module is the platform’s continuous external threat intelligence engine. It does not rely on vendor-submitted data. It does not produce point-in-time assessments. It watches, continuously, across every domain associated with a vendor’s digital footprint – and it surfaces the discrepancies between what vendors claim and what the observable evidence shows.

When those discrepancies cross a criticality threshold – multiple exploitable CVEs, systemic failures in core security hygiene, compounding risk signals – Monitor issues a high-risk flag. Not a score. A flag – one that, in Stryker’s case, was raised six months before the breach.

Verify: Cross-Referenced Attestation Validation

Perimeter’s Verify module takes this further. For vendors already inside your program, it cross-references their assessment attestations against Monitor’s continuous intelligence data – automatically. A vendor claims their certificates are current. Verify checks. A vendor attests their remote access is secured. Verify checks. The discrepancies do not wait for the next annual questionnaire cycle to surface. They surface the moment they appear in the observable data.

This is what it looks like when third-party risk management moves from compliance to intelligence.
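
The cross-check described for Verify, sketched as an added example (not Perimeter's code and not part of the original article). The observed scores are copied from the score table above; the questionnaire answers, the verdict names and the "Backup Testing" control are constructed assumptions.

```python
from typing import NamedTuple

# Observed (earned, max) scores per domain, copied from the score table on this page.
OBSERVED = {
    "Patch Management": (0, 15),
    "Encryption Management": (0, 15),
    "Certificate Management": (0, 10),
    "Remote Access Exposed": (7.5, 15),
    "Default Configuration": (10, 10),
}

# Constructed questionnaire answers (hypothetical): True means the vendor attests
# the control is in place. "Backup Testing" has no externally observable signal.
ATTESTED = {**dict.fromkeys(OBSERVED, True), "Backup Testing": True}

class Finding(NamedTuple):
    control: str
    verdict: str
    weight: float  # max points for the domain, 0 when nothing was observed

def cross_reference(attested, observed):
    """Compare each attestation with the externally observed score."""
    findings = []
    for control, claimed in attested.items():
        if control not in observed:
            # An outside-in scan cannot confirm or refute this answer.
            findings.append(Finding(control, "UNVERIFIED", 0))
            continue
        earned, maximum = observed[control]
        if not claimed:
            verdict = "ADMITTED_GAP"   # vendor did not claim the control
        elif earned == maximum:
            verdict = "CONSISTENT"     # table status PASS
        elif earned == 0:
            verdict = "CONTRADICTED"   # table status CRITICAL
        else:
            verdict = "PARTIAL"        # table status WARNING
        findings.append(Finding(control, verdict, maximum))
    return findings

def escalations(findings):
    """Contradicted attestations, highest-weighted domain first."""
    hits = [f for f in findings if f.verdict == "CONTRADICTED"]
    return sorted(hits, key=lambda f: -f.weight)

if __name__ == "__main__":
    for f in cross_reference(ATTESTED, OBSERVED):
        print(f"{f.control:24} {f.verdict}")
```

The UNVERIFIED verdict matters as much as CONTRADICTED: controls with no external signal still rest on the vendor's word and need another form of evidence.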

DISCLAIMER

The threat actor claims cited in this article (200,000 systems wiped, 50TB extracted, 79 countries affected) are drawn from the Handala Team’s public statement as of March 11, 2026, and have not been independently verified by Perimeter. The scores, risk counts, domain counts, and the September 2025 “High Risk” flag are drawn from Perimeter’s own Monitor records and are accurate as of their respective dates.

Is Your Vendor Portfolio Carrying a Stryker?

Show us your top five vendors. We will show you what is verified – and what is not. The data already exists. The question is whether you are looking at it.

FAQ


Perimeter's Monitor module formally flagged Stryker Corporation as "High Risk" on September 13, 2025 - nearly six months before the breach was reported on March 11, 2026.
Stryker received an overall security grade of F at 32%, assessed across 1,905 monitored domains with 5,971 identified risks.
Stryker scored zero in four critical domains: Known Ransomwared/Exploited CVE (0/20), Patch Management (0/15), Encryption Management (0/15), and Certificate Management (0/10). These four categories alone account for 60 of 130 possible points.
The dominant third-party risk management model relies on vendor-submitted questionnaires and attestations. No competing platform systematically cross-references questionnaire responses against independently observable, continuous external attack surface data. Perimeter does.
Monitor continuously watches the external attack surface of every vendor across all associated domains, issuing risk flags when criticality thresholds are crossed. Verify cross-references vendor questionnaire attestations against Monitor's live intelligence data automatically, surfacing discrepancies in real time rather than waiting for the next annual review cycle.
Continuous vendor risk monitoring means assessing a vendor's external attack surface in real time - not at a single point in time, and not based on what the vendor self-reports. Perimeter's Monitor watches across all domains associated with a vendor's digital footprint, continuously, so that risk signals surface as they emerge - months before a breach, not after.
Perimeter does not know the specific attack vector or where the breach occurred. However, Stryker's observable security posture - zero scores in patch management, encryption management, and known exploitable CVEs - represents clear evidence of poor cyber hygiene. Perimeter surfaced these findings in September 2025 specifically so that organizations could work with Stryker to remediate or mitigate the risks before an incident occurred.
