Threatonomics

The seven places you should be looking when building your vendor list

by Emma McGowan , Senior Writer
Published

How to find all of your vendors--even the hidden ones

In our first post, we established why comprehensive vendor discovery matters and how most organizations approach it incorrectly. Today, we’re diving into the practical mechanics: the seven data streams that can reveal vendor relationships hiding in your existing systems.

The key insight is to start with data you already have rather than surveys or questionnaires. Your organization produces a continuous stream of digital evidence about vendor relationships through financial transactions, system access, network traffic, and more. Mining these data streams systematically will reveal vendor relationships you never knew existed.

Stream 1: Follow the money trail

Your financial systems hold the most complete record of vendor relationships, but they’re messier than they appear. While accounts payable seems like the obvious starting point, the reality is more complicated—vendor names are inconsistent, the same company appears under multiple entries, and generic invoice descriptions hide the true nature of services. Even dormant vendors who no longer provide active services might still have lingering system access. The real value comes from looking beyond annual spend to understand the full scope of who you’re actually doing business with.

Accounts payable and vendor master files serve as your starting point for the most authoritative list of organizations you pay. Extract legal entity names, tax IDs, addresses, GL codes, business owners, and purchase order numbers to establish the legal framework of your vendor relationships.

“Many organizations focus primarily on accounts payable systems and annual spend metrics, but this approach provides an incomplete view of vendor relationships,” Chuck Norton, Senior Intelligence Analyst at Resilience, warns. “There are multiple data sources within financial systems that reveal different aspects of these relationships beyond simple expenditure totals.”

Next, check out corporate card and expense systems, which reveal shadow SaaS purchases that bypass formal procurement. These systems capture recurring monthly charges to cloud services, payments to popular tools like Notion, Figma, Miro, Zapier, or Canva, software subscriptions purchased by individual teams, and domain registration and hosting services. Corporate card data often captures vendor relationships in their earliest stages, before they become significant enough to warrant formal procurement processes.

Finally, purchase orders and invoice line items should be mined for service-related keywords such as “subscription,” “SaaS,” “cloud,” “hosting,” “data enrichment,” “analytics,” “support,” “maintenance,” “consulting,” or “professional services.” Line-item descriptions often reveal the nature of vendor relationships that aren’t obvious from vendor names alone.

Stream 2: Identity and access goldmine

Your identity systems tell you what’s actually happening right now—not what happened months ago when someone signed a contract. Unlike payment records that reflect past decisions, identity platforms capture real usage patterns and show you which services employees are actively using and how deeply they’re integrated into daily workflows. This is where you’ll find the shadow IT that finance never sees and discover that “small” vendors might be more critical to operations than their contract value suggests.

Stream 3: Network and DNS intelligence

Network traffic doesn’t lie. While contracts and financial records can be outdated or incomplete, your network infrastructure captures every connection your organization makes with external services in real-time. This stream often reveals vendor relationships before they even hit the procurement radar—as teams start evaluating new tools or existing vendors quietly expand their services. The challenge is separating meaningful vendor signals from the noise of routine internet browsing, but the payoff is worth it.

Stream 4: Cloud and SaaS telemetry

Modern SaaS applications are like digital swiss army knives—they connect to everything. A single platform might integrate with dozens of other services, each representing a separate vendor relationship you might not even know exists. Unlike traditional software that required IT approval, SaaS integrations can be activated with a simple click, creating a web of vendor relationships that bypass traditional procurement entirely. This is where vendor discovery gets really complicated, but also where you’ll find some of your biggest blind spots.

Consider a typical scenario: your marketing team uses HubSpot, which connects to Zoom for video calls, Slack for notifications, DocuSign for contracts, Calendly for scheduling, and dozens of analytics tools for campaign tracking. Each integration creates a separate data flow to a different vendor, often with its own privacy policy, data retention rules, and security controls. Your procurement team sees one HubSpot contract, but your organization might actually be sharing data with 20+ vendors through that single platform.

The integration marketplace model has made this exponentially worse. Salesforce’s AppExchange has over 7,000 apps. Microsoft’s marketplace offers thousands more. Each app installation potentially introduces new vendors, and many employees don’t realize that clicking “Install” or “Allow” creates a binding data sharing agreement with a third party. What’s particularly challenging is that these integrations often happen at the user level—a sales rep can connect their personal productivity tools, a marketer can add new analytics pixels, or a support agent can integrate their favorite helpdesk widget, all without IT visibility.

This creates a cascade effect where vendor relationships multiply invisibly. That “simple” expense management tool your team adopted might integrate with your bank (vendor #2), connect to your accounting system via a third-party connector (vendor #3), use a separate payment processor for reimbursements (vendor #4), and leverage cloud storage from yet another provider (vendor #5). What looked like one vendor relationship has suddenly become five, each with different risk profiles and data handling practices.

Stream 5: Endpoint and mobile intelligence

Every laptop, phone, and tablet in your organization is collecting evidence of vendor relationships. Endpoint systems give you ground truth about what software is actually installed and running, often revealing gaps between what was purchased and what’s being used. Mobile devices add another layer of complexity since they blur the lines between corporate and personal services. Don’t overlook this stream—some of your riskiest vendor relationships might be remote access tools or agents that only show up in endpoint data.

Endpoint detection and response systems maintain comprehensive application inventories showing installed vendor agents for remote support, backup, and security tools, along with desktop applications and launchers, browser plugins and extensions, and scheduled tasks and services.

Mobile device management systems track installed mobile applications, enterprise app store deployments, VPN configurations, and email and calendar integrations. Mobile applications often represent separate vendor relationships even when they’re connected to existing desktop services.

Stream 6: Procurement and contracts

While other data streams show you operational reality, contracts tell you what you’re legally committed to—and what rights you have when things go wrong. This is where you’ll find service level agreements, data processing terms, and termination clauses that matter for risk assessment. The tricky part is that contracts often lag behind operational changes, and legal entity names rarely match the service names employees actually use. Don’t forget about the vendors you almost chose—failed evaluations can provide valuable intelligence about your pipeline.

Contract lifecycle management systems should be mined for executed agreements and amendments, data processing addenda and business associate agreements, statements of work and service level agreements, renewal dates and termination clauses, and vendor subprocessor lists, which are critical for fourth-party mapping.

Stream 7: Cloud infrastructure

Your cloud environment is the foundation that makes everything else work, but it also creates its own vendor relationships that are easy to miss. A single application deployment might depend on multiple cloud services, each from different vendors, creating a chain of dependencies that extends far beyond your primary contract. Cloud marketplaces have made it even easier to add new vendors without traditional procurement oversight. The key is connecting infrastructure components back to business services so you understand what actually matters.

Cloud provider billing and resource tags should be analyzed for managed services including email relay, CDN, logging, and monitoring, marketplace purchases and subscriptions, data transfer charges indicating external integrations, and reserved instances and long-term commitments. Resource tags can reveal business context and ownership information for cloud-based vendor relationships.

Infrastructure monitoring and CMDB systems identify external service endpoints, third-party managed infrastructure, API dependencies and integrations, and performance monitoring targets.

Bringing it all together

The key to effective vendor discovery is systematically mining all seven streams and then consolidating the results. Here’s a practical process: ingest each stream into a staging database or spreadsheet, normalize vendor names by converting to lowercase and stripping corporate suffixes, resolve entities by mapping DBAs to parent companies using tax IDs or D-U-N-S numbers, deduplicate using fuzzy matching algorithms, and enrich with domains, URLs, and service categorization.

Don’t aim for perfection in the first iteration. The goal is to build a comprehensive superset that you can refine over time.

What’s next

In our next post, we’ll explore the vendor categories that most discovery programs miss entirely: physical vendors, independent contractors, and the challenge of shadow IT. We’ll also dive into fourth-party risk and why understanding your vendors’ vendors is becoming critical.

About the Author
Emma McGowan , Senior Writer

Emma McGowan is the Senior Writer for industry-leading cyber risk company Resilience. She has been a full-time writer and editor for over 10 years, focused on technology and women’s health. Tech-fluent and highly motivated, Emma brings holistic experience leading brands in the delivery of high-quality, high-impact, multimedia digital content supported by strategy, planning, and performance analysis.

You might also like

How to get people to care about security when they don’t report to you

Getting executive sign-off on a new control? Hard. Getting peer buy-in on security initiatives when they don’t report to you? Harder. In modern organizations, cybersecurity professionals often find themselves in the ultimate matrix of organizational challenges: you need buy-in from every department within the organization – operations, sales, HR, and finance – but none of […]

Why vendor discovery matters now (and how most organizations get it wrong)

The average enterprise relies on hundreds—sometimes thousands—of third-party vendors to operate. Yet when security leaders are asked for a complete inventory of these vendors, the response is often a patchwork of spreadsheets, outdated procurement lists, and educated guesses. This vendor blindness isn’t just an operational inconvenience—it’s a critical business risk that’s becoming increasingly expensive to […]

The healthcare cybersecurity crisis that’s costing organizations millions in damages

The U.S. healthcare sector faces an unprecedented cybersecurity crisis. With 168 million healthcare records breached in 2023 and ransomware attacks surging 32% in 2024, the industry confronts threats that have evolved beyond data theft to sophisticated campaigns capable of paralyzing critical patient care infrastructure. Despite these trends, cybersecurity often receives insufficient leadership attention. A 2025 […]

Your cyber insurance policy could be a target

Organizations invest heavily in cyber insurance policies to shield their businesses from evolving threats, but many overlook a critical vulnerability: the security of the insurance policy documents themselves. While these policies are designed to protect you from cyber threats, they can become powerful weapons when they fall into the wrong hands. Over the past year, […]

A complete guide to domain spoofing

Domain spoofing is a cyberattack technique most commonly used in phishing and fraud, where criminals impersonate a legitimate organization’s domain name to deceive users. Think of it as digital identity theft at scale: Attackers make fraudulent emails or websites appear as if they originate from your trusted company domain, tricking victims into revealing sensitive data, […]

The 3 types of CISOs: How to succeed in any version – and what to do when you’re misaligned

As the CISO, are you and your organization in alignment? The CISO role has evolved dramatically over the past decade, but organizational cybersecurity programs have not always kept pace.  If you think about CISOs like software versions, version 1.0 is your first generation of CISOs, focused on structure and technical architecture. Version 2.0 moves beyond […]