Eliminate Supply Chain Risk Through Physical Path Governance
Supply chain attacks exploit the persistent connections that organisations maintain with vendors, managed service providers, and software suppliers. When these paths are physically severed between active sessions, the attack vector ceases to exist.
Threat Response
Every vendor connection is a doorway into your organisation. If that doorway remains open when no one is walking through it, you are inviting risk without gaining value.
- 62% of breaches originate through third-party access
- Zero persistent vendor paths outside maintenance windows
- 100% of third-party sessions recorded on tamper-proof storage
- 4.5x faster containment when vendor paths are physically severed
Third-party connections are the most exploited entry point.
Persistent Vendor Access
Managed service providers and equipment vendors maintain always-on VPN connections and remote access tools. These paths remain active 24/7, regardless of whether maintenance is being performed.
Trust Chain Exploitation
Attackers compromise a vendor with weaker security and use their legitimate access to pivot into the target organisation. The connection is trusted, the credentials are valid, and the activity appears routine.
Software Supply Chain
Compromised software updates delivered through trusted channels bypass perimeter security entirely. The malicious payload arrives through the same path as legitimate updates.
The Scenario
Scenario: Managed Service Provider Compromise
A mid-size manufacturer uses a managed IT service provider for patch management and monitoring. The MSP maintains a persistent VPN connection to the manufacturer's network for 24/7 support. Attackers compromise the MSP's RMM platform and use the existing VPN connection to deploy ransomware across all of the MSP's clients simultaneously. With Firevault Control, the MSP's access path is physically severed outside scheduled maintenance windows. The Relay module activates the connection for a four-hour patch window each Tuesday, with all activity recorded. When the MSP is compromised on a Thursday evening, there is no path for the attackers to traverse.
"Our MSP had a VPN into our network that was active 168 hours a week. They used it for about 6 hours. That left 162 hours where an attacker had a trusted path into our core infrastructure."
Vendor access that exists only when it is needed.
Firevault Control transforms third-party access from a persistent liability into a controlled, time-bound operation. Vendor connections exist only during authorised windows, are confined to isolated zones, and produce tamper-proof evidence of every action.
- Physical disconnection of all vendor paths outside maintenance windows
- Multi-party authorisation for every vendor session
- Vendor zone isolation with no path to production infrastructure
- Instant physical severance when a supply chain compromise is detected
- Complete session recording on disconnected storage
- Automated compliance evidence for supplier assessments
Relay — Time-Bound Vendor Windows
Module 1 of 4
Activates third-party access paths only during scheduled maintenance windows. The connection is physically established at the start of the window and physically severed at the end. Between windows, no path exists.
Key Capabilities
Scheduled Access Windows
Vendor connections activate only during defined maintenance windows. Between windows, the physical path does not exist and cannot be established remotely.
Multi-Party Session Approval
Every vendor session requires approval from both the vendor team and internal security before the physical path is activated.
Complete Session Recording
All vendor activity during active windows is captured on physically disconnected storage that neither the vendor nor an attacker can access or modify.
Instant Vendor Disconnection
When a supply chain compromise is detected, all vendor paths are physically severed within seconds, regardless of which vendor is affected.
Vendor Zone Isolation
Third-party access is confined to a physically separated zone with no path to production systems, backup infrastructure, or management planes.
Vendor Compliance Evidence
Automated logging provides the evidence required for ISO 27001 supplier assessments, NIS2 supply chain requirements, and contractual SLA compliance.
Demo to Live
Adoption Guide
Third-Party Path Audit
Map every vendor, MSP, and software supplier connection into your infrastructure, documenting active hours, data flows, and the systems each path can reach.
Window and Zone Design
Define maintenance windows, vendor zones, and multi-party authorisation requirements for each third-party relationship based on operational need and risk profile.
Pilot with Primary MSP
Deploy Relay-governed access for your primary managed service provider, testing scheduled windows, emergency access procedures, and session recording.
Full Vendor Governance
Extend to all third-party connections with automated window management, vendor zone isolation, and continuous compliance evidence generation.
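An added example, not Firevault code and not part of the original page: the Third-Party Path Audit step can start from exported remote-access session records, measuring how many minutes of each vendor session fell outside its approved maintenance window. The vendor names, the window policy and the session rows are constructed for illustration.

```python
from datetime import datetime, time, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed policy: vendor -> (weekday, start hour, length in hours); Monday is 0.
WINDOWS = {"msp-primary": (1, 18, 4)}  # Tuesdays 18:00-22:00 (hypothetical)

# Constructed export of remote-access sessions: (vendor, connect, disconnect).
SESSIONS = [
    ("msp-primary", "2024-03-05 18:10", "2024-03-05 21:30"),  # Tuesday, inside window
    ("msp-primary", "2024-03-07 19:40", "2024-03-07 23:05"),  # Thursday evening
    ("msp-primary", "2024-03-12 21:00", "2024-03-12 23:00"),  # Tuesday, overruns window
    ("hvac-vendor", "2024-03-06 09:00", "2024-03-06 09:30"),  # vendor with no window
]


def minutes_outside_window(vendor, start, end, windows=WINDOWS):
    """Minutes of a session that fall outside the vendor's approved weekly window."""
    total = (end - start).total_seconds() / 60
    if vendor not in windows:
        return total  # no approved window: the whole session is unapproved
    weekday, hour, length = windows[vendor]
    # Most recent window start on or before the day the session began.
    back = (start.weekday() - weekday) % 7
    w_start = datetime.combine(start.date(), time(hour)) - timedelta(days=back)
    covered = 0.0
    while w_start < end:  # walk weekly occurrences that could overlap the session
        w_end = w_start + timedelta(hours=length)
        overlap = (min(end, w_end) - max(start, w_start)).total_seconds() / 60
        covered += max(0.0, overlap)
        w_start += timedelta(days=7)
    return total - covered


def audit(sessions=SESSIONS, windows=WINDOWS):
    """Return (vendor, connect time, minutes outside window) for each violation."""
    findings = []
    for vendor, connect, disconnect in sessions:
        start = datetime.strptime(connect, FMT)
        end = datetime.strptime(disconnect, FMT)
        outside = minutes_outside_window(vendor, start, end, windows)
        if outside > 0:
            findings.append((vendor, connect, int(outside)))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Sessions from vendors with no defined window are reported in full, which surfaces third-party paths that the audit has not yet assigned a window.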
Ready to take the next step?
See how Control can govern your data paths with physical enforcement no software exploit can bypass.