The Risk Brief

Expert video briefings for smarter, faster vendor risk decisions.

Vendor risk isn’t static - and neither are we. The Risk Brief is your go-to video series for fast, focused takes on the most pressing topics in third-party risk, cybersecurity trends, and compliance.

Your Risk Intel Feed

Welcome to The Risk Brief - a curated video series designed to keep security, compliance, and procurement leaders ahead of emerging third-party risks.

We cut through the noise to spotlight what matters most across industries like healthcare, finance, manufacturing, and tech.

No fluff. Just real-time intelligence for real-world decisions.

Visit our YouTube Channel

Your vendor's questionnaire answers only tell you what they want you to know.

Audit rights change that equation. They're one of the few contractual tools that let you verify how a vendor actually operates — their security controls, incident response procedures, compliance posture.

But most teams don't discover the gaps until something goes wrong. The leverage to negotiate broad audit access exists before the contract is signed, not at renewal.

One of the biggest blind spots we see is fourth parties. Organizations are now sending AI-specific assessments to understand what tools their vendors' subcontractors are using. Without audit rights that reach that layer, visibility ends where your risk doesn't.

Enforcement matters just as much as the clause itself. Termination rights, payment holds, and financial penalties need to be spelled out. Otherwise, it's an empty promise.

Watch the video for a closer look at getting this right.

#CyberSecurity #VendorRisk #AuditCompliance

YouTube Video VVVOSkExRllKLWVHSnZiMXFtNDZDQkVnLktOdEx6T3BQcnZZ

Right to Audit: The Contract Clause Most CISOs Forget to Enforce

April 13, 2026

The Ascension Healthcare breach was (from what we understand) the result of a vendor that wasn't properly offboarded.

It's a pattern that plays out more often than most security teams realize. Organizations invest heavily in onboarding vendors but treat offboarding as an afterthought — or skip it entirely.

What gets left behind are open doors: active user accounts, lingering API tokens, unrotated shared credentials, and company data still sitting in vendor systems without certified deletion.

The difference now is that nobody's watching those doors anymore.

Contractual requirements for certified data deletion or return should be defined during onboarding, not scrambled together at exit. And a post-offboarding verification step to confirm all access has actually been revoked shouldn't be optional.

Any vendor no longer under contract should have zero access to your systems and zero possession of your data. If you can't confirm both the day a relationship ends, your attack surface just got bigger.

Watch the video for a closer look at how to close this gap.

#VendorRisk #ThirdPartyRisk #OffboardingSecurity

YouTube Video VVVOSkExRllKLWVHSnZiMXFtNDZDQkVnLnlGUjIyQVFuNmxj

Vendor Offboarding Failures as a Persistent Attack Surface

April 6, 2026

85% of organizations say vendors are part of their incident response plan. And most have never tested that claim.

When a critical vendor gets breached, there's usually no predefined escalation path and no contractual requirement for fast notification. Your team finds out late, then scrambles to negotiate a response in real time.

Regulators have noticed, and FINRA is now citing firms for excluding third-party vendors from IR testing altogether.

The fix starts with treating key vendors as extensions of your response team. That means joint tabletop exercises, shared playbooks with defined roles, and emergency contacts that actually get tested.

If your IR plan doesn't include vendors in a meaningful way, you're only prepared for incidents that don't need outside coordination.

Watch the video for a closer look at closing this gap.

#IncidentResponse #CyberSecurity #VendorIncidentPlanning

YouTube Video VVVOSkExRllKLWVHSnZiMXFtNDZDQkVnLnV6U0dEYXdrbkcw

Integrating Vendors into Incident Response

March 30, 2026

Gartner found that nearly all third-party relationship owners had seen vendor red flags — but only about half ever reported them.

The reason isn't negligence. It's that the people closest to your vendors are also the least likely to raise the alarm about them.

Over time, they build rapport and trust, and involving compliance starts to feel like a threat to a relationship they've worked to maintain. Gartner's data backs this up across the board: whether it's changes in a vendor's risk posture, inaccurate information, or failure to follow through on mitigations, reporting rates hover around 50%.

This is affinity bias, and it's a governance gap that no monitoring platform or questionnaire can close on its own.

You need structural safeguards: anonymous escalation paths, committee-level review of critical vendors that doesn't hinge on a single owner's judgment, regular rotation of relationship owners so the closeness doesn't calcify, and clear training on what actually warrants escalation.

Watch the full video for more on how to account for this bias.

#ThirdPartyRisk #VendorManagement #RiskGovernance

YouTube Video VVVOSkExRllKLWVHSnZiMXFtNDZDQkVnLnloVWs4N1lfNFVR

When Vendor Risk Goes Unnoticed for Fear of Ruining Relationships

March 23, 2026

The SalesLoft Drift breach didn't require a single password or MFA prompt to compromise more than 700 organizations.

Attackers stole OAuth tokens (the persistent digital credentials that authenticate vendor-to-system integrations) and used them to exfiltrate data while looking indistinguishable from trusted apps that had already been approved. Cloudflare, Palo Alto Networks, Zscaler, Proofpoint, and eventually Grubhub all ended up in the blast radius.

When news of the breach broke, our team at Perimeter was able to analyze leading indicators across our customers' vendor environments and flag who might be exposed. We pushed out a targeted assessment so organizations could evaluate their risk before attackers could act on those stolen credentials.

That kind of response requires assessment and continuous monitoring working together in real time — not a questionnaire you send out quarterly. If your TPRM program treats OAuth as an afterthought, you're leaving exactly the kind of silent, long-lived access that makes breaches like this one so effective.

Watch the full video for a deeper look at token-based attack vectors.

#VendorRiskManagement #OAuthSecurity #ThirdPartyRisk

YouTube Video VVVOSkExRllKLWVHSnZiMXFtNDZDQkVnLk85TFRYUWNoVktB

Securing Your Network: The Role of OAuth Tokens and TPRM

March 16, 2026

The 2024 CrowdStrike outage took down 8.5 million systems and cost the Fortune 500 an estimated $5 billion — and it wasn't even a breach.

That's what happens when vendors share critical infrastructure and no one is tracking the overlap.

Most TPRM programs evaluate each vendor in its own silo (questionnaires, policy docs, independent scores), but underneath, those vendors are running on the same cloud regions, authenticating through the same platforms, and relying on the same security tooling.

When one of those shared layers breaks, the failure doesn't stay contained. It fans out across every vendor connected to it.

No questionnaire or SOC 2 review is going to surface that kind of concentration risk. You need visibility into the connective tissue between your vendors — which fourth parties are heavily shared, where the hotspots are, and what the blast radius looks like if something goes wrong.

That's exactly what we build at Perimeter. We map interdependencies across your vendor network so you can see systemic risk before it becomes a systemic failure.

Watch the full video to see why dependency mapping belongs in every serious TPRM program.

#TPRM #CyberSecurity #VendorConcentrationRisk

YouTube Video VVVOSkExRllKLWVHSnZiMXFtNDZDQkVnLmpHMk5BcHhZSFJv

The Importance of Mapping Interdependencies in TPRM

March 9, 2026

FINRA's 2026 guidance puts vendor AI risks squarely on your organization (hallucinations, model misuse, metadata leakage) — even when vendors are the ones deploying the tools.

That's why organizations need assessments covering what data trains vendor models, how they're used, prompt retention policies, subprocessor governance, and whether ethics guidelines actually exist beyond marketing language.

But while AI creates new risks to assess, it also solves an old problem: vendor fatigue from endless questionnaires.

Perimeter uses AI to extract data from policy documents and populate assessment questions automatically. This prevents vendors from contradicting their own SOC 2 reports and catches inconsistencies between what they document and what their attack surface reveals.

Watch the video to see how Perimeter tackles both the risk and efficiency challenges that AI brings to vendor management.

#VendorRisk #ArtificialIntelligence #CyberSecurity

YouTube Video VVVOSkExRllKLWVHSnZiMXFtNDZDQkVnLlVLcEpDTXhyLUc0

Where AI Plays a Role in the TPRM Discussion

February 9, 2026

DORA enforcement isn't just another compliance exercise… it's a fundamental shift from security posture to operational resilience.

Annual vendor assessments, static spreadsheets, and checkbox compliance will result in violations with real penalties attached — DORA requires continuous monitoring as a core component, not an add-on.

If you're a US supplier doing business in the EU, this is your wake-up call.

Organizations need comprehensive due diligence on suppliers, dynamic risk registers that reflect real-time status, mapped ICT dependencies, and embedded exit strategies in every contract. And you need to be audit-ready at any moment, not just during scheduled reviews.

Perimeter has been preparing customers for this since we published on DORA over a year and a half ago. We visualize vendor relationships, maintain role-based registers with real-time visibility, and operationalize these requirements in ways that make sense for your security team without adding complexity.

Watch the video to see how Perimeter handles DORA compliance without the operational burden.

#RegulatoryCompliance #VendorRisk #FinancialServices

YouTube Video VVVOSkExRllKLWVHSnZiMXFtNDZDQkVnLno4cXBNMEJjTno0

Shoring Up Security for DORA Enforcement and Scrutiny

February 2, 2026

Self-attested vendor assessments might come back with glowing reports… but they rarely give the complete picture.

A vendor can pass every questionnaire while still having unrevoked access for former employees, backups that don't actually run, or sensitive data leaking into development environments.

That disconnect between what vendors claim and what's actually happening in their environment is where breaches occur.

Perimeter closes that gap by verifying vendor claims against multiple data sources. We analyze security documents with AI, scan internet-facing attack surfaces in real time, and run assessments that adapt to your compliance requirements. Then, we normalize everything and surface the inconsistencies that matter, with compliance built in across NIST, ISO, DORA, and privacy frameworks for audit-ready responses.

Watch the video to see how Perimeter delivers real-time vendor risk visibility without the overhead, empowering one trained security engineer to manage the platform end-to-end.

#ThirdPartyRisk #VendorManagement #CyberResilience

YouTube Video VVVOSkExRllKLWVHSnZiMXFtNDZDQkVnLldBRndxMGw4eXNN

How Can Perimeter VRM Help Improve My Company's Cybersecurity Posture?

January 26, 2026

What Users Say

Yan S.

Manager of Cybersecurity Operations

Customer Experience is Great!

The Perimeter team has been incredibly receptive to feedback and requests for help. Perimeter has been essential to us being able to track and be able to complete security assessments.

Jaimin P.

Senior Risk Manager

Best Vendor Management Tool!

Perimeter was very fast for our team to implement and start using. They also have an unlimited user model, which works in our favor, and the platform is straightforward to use.

Ryan K.

Principal Consultant

GREAT ASSESSMENT PLATFORM

Perimeter is an extremely easy-to-use and flexible assessment platform. The tool is agnostic to any one methodology. It can be customized to your company’s specific rule sets to measure vendor’s risk or leverage one of Perimeter’s templates. Their support team is super helpful if you want to get more detailed, and the team is always willing to help walk you through something.

Bella R.

Senior Cybersecurity Risk Manager

Perimeter has great features!

Perimeter provides a user-friendly interface, customizable workflows, integration capabilities with other systems, and its ability to centralize and manage vendor information effectively.

Danny F.

Account Executive

I consider Perimeter experts!

Perimeter is intuitive and the knowledge base helps a ton with responding to RFP's and client assessments that we receive. As a salesperson, it is super helpful to have pre-approved responses that we can leverage to respond to questions.

Robert P.

Director of Security

Vendor Risk Management made simple

Perimeter ensures we are answering questions from different clients the same, and also saves us a lot of time to do it.

Omar C.

Information Systems Security Manager

Great tool for our company

The integration with Excel sheets and the ability to work with websites seamlessly has been a tremendous asset for me on audits.

Nupur V.

System Security Analyst

Excellent with Data Processing

The Perimeter team was really proactive in engaging with requirements. I would say very comitted and positive team. They were also flexible with the changing requirements and delivered the product within the project timeline.

Derek P.

Information Security Analyst

I didn't know I needed it, now I have to have it

If you want a tool that comes pre-populated and you can start using day one, get this one. If you want a tool and is highly customizable and can quickly be modified to suit your needs. If you want a tool that has excellent support, use this one. I'm certain there are things that Perimeter doesn't do excellently, but I haven't found them yet.