Eliminate Supply Chain Risk Through Physical Path Governance
Supply chain attacks exploit the persistent connections that organisations maintain with vendors, managed service providers, and software suppliers. When these paths are physically severed between active sessions, the attack vector ceases to exist.
Threat Response
Every vendor connection is a doorway into your organisation. If that doorway remains open when no one is walking through it, you are inviting risk without gaining value.
62%
Of breaches originate through third-party access
Zero
Persistent vendor paths outside maintenance windows
100%
Third-party sessions recorded on tamper-proof storage
4.5x
Faster containment when vendor paths are physically severed
Third-party connections are the most exploited entry point.
Persistent Vendor Access
Managed service providers and equipment vendors maintain always-on VPN connections and remote access tools. These paths remain active 24/7, regardless of whether maintenance is being performed.
Trust Chain Exploitation
Attackers compromise a vendor with weaker security and use their legitimate access to pivot into the target organisation. The connection is trusted, the credentials are valid, and the activity appears routine.
Software Supply Chain
Compromised software updates delivered through trusted channels bypass perimeter security entirely. The malicious payload arrives through the same path as legitimate updates.
The Scenario
Scenario: Managed Service Provider Compromise
A mid-size manufacturer uses a managed IT service provider for patch management and monitoring. The MSP maintains a persistent VPN connection to the manufacturer's network for 24/7 support. Attackers compromise the MSP's RMM platform and use the existing VPN connection to deploy ransomware across all of the MSP's clients simultaneously. With Firevault Control, the MSP's access path is physically severed outside scheduled maintenance windows. The Relay module activates the connection for a four-hour patch window each Tuesday, with all activity recorded. When the MSP is compromised on a Thursday evening, there is no path for the attackers to traverse.
"Our MSP had a VPN into our network that was active 168 hours a week. They used it for about 6 hours. That left 162 hours where an attacker had a trusted path into our core infrastructure."
How Control contains a trusted-vendor compromise.
Supply chain attacks turn a trusted maintenance route into a breach path. Firevault Control treats vendor access as a temporary, governed event rather than a standing trust, so a compromised supplier cannot ride straight into production.
Mapped to MITRE ATT&CK T1195 Supply Chain Compromise, ENISA Threat Landscape for Supply Chain Attacks and NCSC supply chain guidance.
-
ST 01
Vendor Compromise
T1195
◤ Attacker
Attackers breach a software vendor, MSP or update server that customers already trust.
◢ Control breaks it
Vendor reach into the protected zone is severed by default. There is no permanent trust to ride.
FirebreakUnlink✕ Break here -
ST 02
Trusted Delivery
T1078.004
◤ Attacker
Pushes a tainted update or piggy-backs on a legitimate support session into customer environments.
◢ Control breaks it
Maintenance windows open only as time-bound Relay sessions. The connection closes on schedule, every time.
RelayLock✕ Break here -
ST 03
Execution in Production
TA0002
◤ Attacker
Runs the malicious payload against production assets, often with privileges granted to the vendor.
◢ Control breaks it
Vendor-initiated changes are routed through Execute with multi-party approval and Validate before they reach the asset.
ExecuteValidate✕ Break here -
ST 04
Onward Movement
TA0008
◤ Attacker
Pivots from the vendor-managed system into the wider estate.
◢ Control breaks it
Isolate enforces the zone boundary. The compromised system cannot reach into adjacent zones without a fresh, approved path.
IsolateFirebreak
Outcome · outcome block
A compromised vendor reaches only what the time-bound session allowed, for only as long as it was open. The wider estate stays out of reach.
Modules & symbols
Featured In
'%3e%3cpath%20fill='%23E40784'%20d='M141.363%2026.6a5.905%205.905%200%200%201-5.899-5.9%205.905%205.905%200%200%201%205.899-5.895%205.901%205.901%200%200%201%205.895%205.895%205.9%205.9%200%200%201-5.895%205.9Zm0-8.347a2.448%202.448%200%200%200%200%204.895%202.449%202.449%200%200%200%202.447-2.448%202.449%202.449%200%200%200-2.447-2.447ZM141.363%200c-.821%200-1.638.052-2.447.144v3.731a16.897%2016.897%200%200%201%202.447-.177c9.373%200%2017.002%207.626%2017.002%2017.002%200%20.825-.063%201.642-.177%202.448h3.732c.095-.81.143-1.627.143-2.448%200-11.411-9.285-20.7-20.7-20.7Z'/%3e%3cpath%20fill='%23E40784'%20d='M141.363%207.268c-.825%200-1.645.077-2.447.228v3.787a9.733%209.733%200%200%201%202.447-.313c5.369%200%209.734%204.368%209.734%209.734%200%20.832-.107%201.652-.313%202.447h3.783c.151-.802.228-1.623.228-2.447.004-7.412-6.024-13.436-13.432-13.436Z'/%3e%3cpath%20fill='%23fff'%20d='M71.382%207.537h-2.84a5.82%205.82%200%200%200-5.815%205.818v9.785h4.037v-9.789a1.78%201.78%200%200%201%201.777-1.777h2.841V7.537ZM80.539%2019.1a3.787%203.787%200%200%201-3.783-3.784%203.787%203.787%200%200%201%203.783-3.783%203.787%203.787%200%200%201%203.783%203.784%203.787%203.787%200%200%201-3.783%203.783Zm0-11.6c-4.313%200-7.82%203.507-7.82%207.82%200%204.313%203.507%207.82%207.82%207.82%201.372%200%202.66-.357%203.78-.982v.982h4.036V15.32c.004-4.313-3.503-7.82-7.816-7.82ZM41.806%2018.71a5.512%205.512%200%200%201-4.34%202.1%205.55%205.55%200%200%201-5.541-5.541%205.55%205.55%200%200%201%205.542-5.543c1.696%200%203.279.766%204.339%202.102l.088.114%201.656-1.656-.077-.092a7.865%207.865%200%200%200-6.01-2.797c-4.339%200-7.871%203.533-7.871%207.872s3.532%207.871%207.871%207.871a7.865%207.865%200%200%200%206.01-2.797l.077-.091-1.656-1.656-.088.113ZM19.479%207.397c-4.34%200-7.872%203.53-7.872%207.872%200%204.342%203.533%207.871%207.872%207.871a7.883%207.883%200%200%200%207.205-4.71l.081-.18H24.15l-.037.058a5.543%205.543%200%200%201-10.05-1.873h13.2l.015-.11c.048-.357.073-.714.073-1.053%200-4.346-3.529-7.875-7.871-7.875Zm-5.417%206.705a5.54%205.54%200%200%201%205.417-4.376%205.54%205.54%200%200%201%205.417%204.376H14.06ZM46.192%2023.14h2.33v-8.847a4.599%204.599%200%200%201%204.593-4.592%204.599%204.599%200%200%201%204.592%204.592v8.844h2.33v-9.149h-.008a6.887%206.887%200%200%200-2.082-4.648%206.89%206.89%200%200%200-4.832-1.972%206.863%206.863%200%200%200-4.593%201.751V.545h-2.33V23.14ZM2.686%207.393H0v2.33h2.686v8.471a4.944%204.944%200%200%200%204.94%204.939h2.435v-2.33H7.625a2.613%202.613%200%200%201-2.609-2.612V9.726h3.772v-2.33H5.016V1.84h-2.33v5.553ZM101.968%208.457a7.721%207.721%200%200%200-2.547-.858c-.088-.014-.177-.03-.265-.04-.1-.011-.199-.022-.302-.03a9.993%209.993%200%200%200-.574-.029c-.022%200-.04-.004-.062-.004h-.037c-4.313%200-7.82%203.507-7.82%207.82%200%204.313%203.507%207.82%207.82%207.82h.037c.25%200%20.496-.014.743-.04l.037-.003a7.742%207.742%200%200%200%203.003-.939v.979h4.037L106.005.537h-4.037v7.92Zm0%206.863a3.788%203.788%200%200%201-3.769%203.78%203.786%203.786%200%200%201-3.76-3.78c0-2.08%201.688-3.772%203.764-3.78a3.787%203.787%200%200%201%203.765%203.78ZM119.75%2023.11h4.037V15.299c-.011-4.302-3.515-7.798-7.82-7.798-4.313%200-7.821%203.507-7.821%207.82%200%204.313%203.508%207.82%207.821%207.82%201.372%200%202.66-.357%203.783-.982v.953Zm-3.783-4.01a3.786%203.786%200%200%201-3.783-3.784%203.786%203.786%200%200%201%203.783-3.783%203.79%203.79%200%200%201%203.783%203.78v.003a3.787%203.787%200%200%201-3.783%203.784ZM132.273%207.5a5.824%205.824%200%200%200-5.818%205.818v9.822h4.037v-9.822a1.78%201.78%200%200%201%201.777-1.777h2.841V7.5h-2.837ZM173.736%2020.807a5.534%205.534%200%200%201-5.527-5.527%205.534%205.534%200%200%201%205.527-5.528%205.535%205.535%200%200%201%205.528%205.528%205.535%205.535%200%200%201-5.528%205.527Zm0-13.399a7.852%207.852%200%200%200-5.527%202.274V7.393h-2.344V30h2.344v-9.127a7.836%207.836%200%200%200%205.527%202.275c4.339%200%207.872-3.533%207.872-7.872s-3.533-7.868-7.872-7.868ZM186.735%2023.14h-2.385v-9.81a5.84%205.84%200%200%201%205.833-5.834h2.848v2.385h-2.848a3.45%203.45%200%200%200-3.448%203.448v9.811ZM202.813%209.774a5.535%205.535%200%200%200-5.528%205.528%205.535%205.535%200%200%200%205.528%205.527%205.534%205.534%200%200%200%205.527-5.527%205.534%205.534%200%200%200-5.527-5.528Zm0%2013.4c-4.339%200-7.872-3.533-7.872-7.872%200-4.34%203.533-7.872%207.872-7.872s7.872%203.53%207.872%207.872c0%204.339-3.533%207.871-7.872%207.871Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h210.68v30H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
Key Capabilities
Scheduled Access Windows
Vendor connections activate only during defined maintenance windows. Between windows, the physical path does not exist and cannot be established remotely.
Multi-Party Session Approval
Every vendor session requires approval from both the vendor team and internal security before the physical path is activated.
Complete Session Recording
All vendor activity during active windows is captured on physically disconnected storage that neither the vendor nor an attacker can access or modify.
Instant Vendor Disconnection
When a supply chain compromise is detected, all vendor paths are physically severed within seconds, regardless of which vendor is affected.
Vendor Zone Isolation
Third-party access is confined to a physically separated zone with no path to production systems, backup infrastructure, or management planes.
Vendor Compliance Evidence
Automated logging provides the evidence required for ISO 27001 supplier assessments, NIS2 supply chain requirements, and contractual SLA compliance.
Demo to Live
Adoption Guide
Third-Party Path Audit
Map every vendor, MSP, and software supplier connection into your infrastructure, documenting active hours, data flows, and the systems each path can reach.
Window and Zone Design
Define maintenance windows, vendor zones, and multi-party authorisation requirements for each third-party relationship based on operational need and risk profile.
Pilot with Primary MSP
Deploy Relay-governed access for your primary managed service provider, testing scheduled windows, emergency access procedures, and session recording.
Full Vendor Governance
Extend to all third-party connections with automated window management, vendor zone isolation, and continuous compliance evidence generation.
Third-Party Path Audit
Map every vendor, MSP, and software supplier connection into your infrastructure, documenting active hours, data flows, and the systems each path can reach.
Window and Zone Design
Define maintenance windows, vendor zones, and multi-party authorisation requirements for each third-party relationship based on operational need and risk profile.
Pilot with Primary MSP
Deploy Relay-governed access for your primary managed service provider, testing scheduled windows, emergency access procedures, and session recording.
Full Vendor Governance
Extend to all third-party connections with automated window management, vendor zone isolation, and continuous compliance evidence generation.
Explore More
Questions