Threatonomics

The seven places you should be looking when building your vendor list

by Emma McGowan, Senior Writer

How to find all of your vendors, even the hidden ones

In our first post, we established why comprehensive vendor discovery matters and how most organizations approach it incorrectly. Today, we’re diving into the practical mechanics: the seven data streams that can reveal vendor relationships hiding in your existing systems.

The key insight is to start with data you already have rather than surveys or questionnaires. Your organization produces a continuous stream of digital evidence about vendor relationships through financial transactions, system access, network traffic, and more. Mining these data streams systematically will reveal vendor relationships you never knew existed.

Stream 1: Follow the money trail

Your financial systems hold the most complete record of vendor relationships, but they’re messier than they appear. While accounts payable seems like the obvious starting point, the reality is more complicated—vendor names are inconsistent, the same company appears under multiple entries, and generic invoice descriptions hide the true nature of services. Even dormant vendors who no longer provide active services might still have lingering system access. The real value comes from looking beyond annual spend to understand the full scope of who you’re actually doing business with.

Accounts payable and vendor master files serve as your starting point for the most authoritative list of organizations you pay. Extract legal entity names, tax IDs, addresses, GL codes, business owners, and purchase order numbers to establish the legal framework of your vendor relationships.

“Many organizations focus primarily on accounts payable systems and annual spend metrics, but this approach provides an incomplete view of vendor relationships,” Chuck Norton, Senior Intelligence Analyst at Resilience, warns. “There are multiple data sources within financial systems that reveal different aspects of these relationships beyond simple expenditure totals.”

Next, check out corporate card and expense systems, which reveal shadow SaaS purchases that bypass formal procurement. These systems capture recurring monthly charges to cloud services, payments to popular tools like Notion, Figma, Miro, Zapier, or Canva, software subscriptions purchased by individual teams, and domain registration and hosting services. Corporate card data often captures vendor relationships in their earliest stages, before they become significant enough to warrant formal procurement processes.

Finally, purchase orders and invoice line items should be mined for service-related keywords such as “subscription,” “SaaS,” “cloud,” “hosting,” “data enrichment,” “analytics,” “support,” “maintenance,” “consulting,” or “professional services.” Line-item descriptions often reveal the nature of vendor relationships that aren’t obvious from vendor names alone.

Stream 2: Identity and access goldmine

Your identity systems tell you what’s actually happening right now—not what happened months ago when someone signed a contract. Unlike payment records that reflect past decisions, identity platforms capture real usage patterns and show you which services employees are actively using and how deeply they’re integrated into daily workflows. This is where you’ll find the shadow IT that finance never sees and discover that “small” vendors might be more critical to operations than their contract value suggests.

Stream 3: Network and DNS intelligence

Network traffic doesn’t lie. While contracts and financial records can be outdated or incomplete, your network infrastructure captures every connection your organization makes with external services in real time. This stream often reveals vendor relationships before they even hit the procurement radar—as teams start evaluating new tools or existing vendors quietly expand their services. The challenge is separating meaningful vendor signals from the noise of routine internet browsing, but the payoff is worth it.

Stream 4: Cloud and SaaS telemetry

Modern SaaS applications are like digital Swiss Army knives—they connect to everything. A single platform might integrate with dozens of other services, each representing a separate vendor relationship you might not even know exists. Unlike traditional software that required IT approval, SaaS integrations can be activated with a simple click, creating a web of vendor relationships that bypass traditional procurement entirely. This is where vendor discovery gets really complicated, but also where you’ll find some of your biggest blind spots.

Consider a typical scenario: your marketing team uses HubSpot, which connects to Zoom for video calls, Slack for notifications, DocuSign for contracts, Calendly for scheduling, and dozens of analytics tools for campaign tracking. Each integration creates a separate data flow to a different vendor, often with its own privacy policy, data retention rules, and security controls. Your procurement team sees one HubSpot contract, but your organization might actually be sharing data with 20+ vendors through that single platform.

The integration marketplace model has made this exponentially worse. Salesforce’s AppExchange has over 7,000 apps. Microsoft’s marketplace offers thousands more. Each app installation potentially introduces new vendors, and many employees don’t realize that clicking “Install” or “Allow” creates a binding data sharing agreement with a third party. What’s particularly challenging is that these integrations often happen at the user level—a sales rep can connect their personal productivity tools, a marketer can add new analytics pixels, or a support agent can integrate their favorite helpdesk widget, all without IT visibility.

This creates a cascade effect where vendor relationships multiply invisibly. That “simple” expense management tool your team adopted might integrate with your bank (vendor #2), connect to your accounting system via a third-party connector (vendor #3), use a separate payment processor for reimbursements (vendor #4), and leverage cloud storage from yet another provider (vendor #5). What looked like one vendor relationship has suddenly become five, each with different risk profiles and data handling practices.

Stream 5: Endpoint and mobile intelligence

Every laptop, phone, and tablet in your organization is collecting evidence of vendor relationships. Endpoint systems give you ground truth about what software is actually installed and running, often revealing gaps between what was purchased and what’s being used. Mobile devices add another layer of complexity since they blur the lines between corporate and personal services. Don’t overlook this stream—some of your riskiest vendor relationships might be remote access tools or agents that only show up in endpoint data.

Endpoint detection and response systems maintain comprehensive application inventories showing installed vendor agents for remote support, backup, and security tools, along with desktop applications and launchers, browser plugins and extensions, and scheduled tasks and services.

Mobile device management systems track installed mobile applications, enterprise app store deployments, VPN configurations, and email and calendar integrations. Mobile applications often represent separate vendor relationships even when they’re connected to existing desktop services.

Stream 6: Procurement and contracts

While other data streams show you operational reality, contracts tell you what you’re legally committed to—and what rights you have when things go wrong. This is where you’ll find service level agreements, data processing terms, and termination clauses that matter for risk assessment. The tricky part is that contracts often lag behind operational changes, and legal entity names rarely match the service names employees actually use. Don’t forget about the vendors you almost chose—failed evaluations can provide valuable intelligence about your pipeline.

Contract lifecycle management systems should be mined for executed agreements and amendments, data processing addenda and business associate agreements, statements of work and service level agreements, renewal dates and termination clauses, and vendor subprocessor lists, which are critical for fourth-party mapping.

Stream 7: Cloud infrastructure

Your cloud environment is the foundation that makes everything else work, but it also creates its own vendor relationships that are easy to miss. A single application deployment might depend on multiple cloud services, each from different vendors, creating a chain of dependencies that extends far beyond your primary contract. Cloud marketplaces have made it even easier to add new vendors without traditional procurement oversight. The key is connecting infrastructure components back to business services so you understand what actually matters.

Cloud provider billing and resource tags should be analyzed for managed services including email relay, CDN, logging, and monitoring, marketplace purchases and subscriptions, data transfer charges indicating external integrations, and reserved instances and long-term commitments. Resource tags can reveal business context and ownership information for cloud-based vendor relationships.

Infrastructure monitoring and CMDB systems identify external service endpoints, third-party managed infrastructure, API dependencies and integrations, and performance monitoring targets.

Bringing it all together

The key to effective vendor discovery is systematically mining all seven streams and then consolidating the results. Here’s a practical process: ingest each stream into a staging database or spreadsheet, normalize vendor names by converting to lowercase and stripping corporate suffixes, resolve entities by mapping DBAs to parent companies using tax IDs or D-U-N-S numbers, deduplicate using fuzzy matching algorithms, and enrich with domains, URLs, and service categorization.
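The consolidation steps above, together with the line-item keyword mining from Stream 1, as an added example (not code from the original post or from Resilience): it normalizes vendor names by lowercasing and stripping trailing corporate suffixes, merges records on tax ID first and on a fuzzy name match second, tags each vendor with the service categories its line items imply, and reports which vendors never appear in a given stream. The suffix list, keyword-to-category mapping, stream names, and sample rows are all assumptions constructed for the example; the 0.85 similarity threshold is a starting point, not a recommended value.

```python
import re
from difflib import SequenceMatcher
# Trailing corporate suffixes dropped during normalization (assumed list; extend per locale).
SUFFIXES = {"inc", "incorporated", "llc", "ltd", "limited", "corp", "corporation", "co", "company"}
# Line-item keywords mapped to a service category (constructed mapping, extend as needed).
CATEGORIES = {"saas": "software", "subscription": "software", "cloud": "infrastructure",
              "hosting": "infrastructure", "analytics": "data", "support": "services"}

def normalize_name(name):
    """Lowercase, strip punctuation, drop trailing corporate suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    while tokens and tokens[-1] in SUFFIXES:
        tokens.pop()
    return " ".join(tokens)

def categorize(description):
    """Service categories implied by a purchase-order or invoice line item."""
    text = description.lower()
    return {cat for kw, cat in CATEGORIES.items() if kw in text}

def consolidate(records, threshold=0.85):
    """One entry per vendor: merge on tax ID first, then on fuzzy normalized-name match."""
    vendors = []
    for rec in records:
        norm, tax = normalize_name(rec["name"]), rec.get("tax_id")
        match = next((v for v in vendors if tax and v["tax_id"] == tax), None)
        if match is None:
            match = next((v for v in vendors
                          if SequenceMatcher(None, norm, v["norm_name"]).ratio() >= threshold), None)
        if match is None:
            match = {"norm_name": norm, "tax_id": None, "aliases": set(), "streams": set(), "categories": set()}
            vendors.append(match)
        match["tax_id"] = match["tax_id"] or tax  # keep the first tax ID seen for this entity
        match["aliases"].add(rec["name"])
        match["streams"].add(rec["stream"])
        match["categories"] |= categorize(rec.get("description", ""))
    return vendors

def missing_from(vendors, stream):
    """Vendors never seen in one stream, e.g. running on endpoints but absent from accounts payable."""
    return sorted(v["norm_name"] for v in vendors if stream not in v["streams"])

# Constructed sample rows from four of the seven streams (not real vendors or tax IDs).
SAMPLE_RECORDS = [
    {"stream": "accounts_payable", "name": "Acme Analytics, Inc.", "tax_id": "00-0000001",
     "description": "Annual SaaS subscription"},
    {"stream": "corporate_card", "name": "ACME ANALYTICS", "description": "Monthly analytics charge"},
    {"stream": "contracts", "name": "Acme Analytics Holdings LLC", "tax_id": "00-0000001"},
    {"stream": "endpoint", "name": "Remote Support Tools Ltd", "description": "Remote support agent"},
]
```

Running `consolidate(SAMPLE_RECORDS)` collapses the three Acme rows into one vendor seen in three streams, while the endpoint-only remote support agent surfaces in `missing_from(..., "accounts_payable")` as a relationship finance has no record of.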

Don’t aim for perfection in the first iteration. The goal is to build a comprehensive superset that you can refine over time.

What’s next

In our next post, we’ll explore the vendor categories that most discovery programs miss entirely: physical vendors, independent contractors, and the challenge of shadow IT. We’ll also dive into fourth-party risk and why understanding your vendors’ vendors is becoming critical.
