The email arrives from procurement. Your new cloud platform vendor has attached their SOC 2 Type II report. ISO 27001 certified. Penetration tested annually. The security questionnaire comes back clean — all green. The contract is signed. The integration goes live.
Six months later, a threat actor uses a credential exposed in a breach from two years ago to access a legacy API endpoint the vendor forgot existed. It was never in scope for the audit. It never appeared in the pen test. It was not listed in the security questionnaire. But it was sitting on public infrastructure indexes, visible to anyone who looked, running software with a published CVE rated 9.1.
The cert did not protect you. The cert was never designed to.
What Certifications Actually Measure
SOC 2, ISO 27001, and maturity frameworks like the ASD Essential Eight are valuable. They establish that a vendor has implemented a set of controls, documented their processes, and submitted to an audit against a defined standard at a point in time. That is genuinely useful information.
But it is important to understand precisely what they do not measure, because the gap between what they assess and what attackers actually exploit is where most successful breaches occur.
| What You're Evaluating | What the Cert Covers | What OSINT Finds |
|---|---|---|
| Infrastructure exposure | Systems in scope at audit time | Everything publicly visible right now — including what's been forgotten |
| Software vulnerabilities | Pen test findings within defined scope | Live CVEs on externally facing systems, version-specific and exploitable today |
| Credential exposure | Password policy and access controls | Staff credentials in breach databases — irrespective of current policy |
| Legacy systems | Typically excluded from audit scope | Fully visible externally, often running unpatched software |
| Third-party integrations | Vendor's primary stack only | All third parties visible in the technology stack — their risk is your risk |
| Currency of information | Point in time — often 12+ months old | Real time — what is exposed at this moment |
The Score Is Not the Surface
Here is the problem in plain terms: a vendor can achieve a high maturity score, maintain ISO 27001 certification, and pass your security questionnaire — while simultaneously running a forgotten subdomain on an unpatched server with a credential exposure in a public breach database pointing directly at it.
None of that contradicts the certification. The certification assessed what it was asked to assess, within the scope it was given, at the time of the audit. The legacy subdomain was not in scope. The breach data postdated the audit. The CVE was published after the pen test.
This is not a criticism of certifications. It is a description of their structural limitation — one that procurement teams, Boards, and IT managers consistently fail to account for when making vendor risk decisions.
What Attackers Actually Do
A threat actor approaching a certified vendor does not request their SOC 2 report. They run an OSINT scan. In fifteen minutes, using freely available tools, they have a complete picture of the vendor's external footprint — every public-facing system, every software version, every known vulnerability, every credential in breach databases, every subdomain the vendor forgot about. The certification tells them nothing. The footprint tells them everything.
This is the asymmetry that most organisations have not internalised: attackers assess vendors the way OSINT analysts do, not the way procurement teams do. The gap between those two views is where successful attacks begin.
What OSINT Finds That Certs Miss
- Legacy infrastructure excluded from audit scope — still publicly visible and exploitable
- Published CVEs on software versions identified from public-facing systems
- Credential exposures from breaches that postdate the last certification audit
- Third-party integrations in the technology stack not covered by the vendor's cert
- Subdomains and services that have never appeared in any security assessment
- Email security gaps that enable impersonation of the vendor's domain — your risk by extension
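The last item in that list, checked the way a passive external assessment would check it, as an added example that is not part of this article: the script parses the SPF and DMARC TXT records of two hypothetical vendor domains (vendor.example and legacy.example, with constructed records standing in for a public DNS lookup) and reports the gaps that would let the vendor's domain be impersonated.

```python
import re

# Constructed sample TXT records for two hypothetical vendor domains.
# In a real passive assessment these come from public DNS, not from the vendor.
SAMPLE_TXT = {
    "vendor.example": ["v=spf1 include:_spf.mailhost.example ip4:203.0.113.0/24 ~all"],
    "_dmarc.vendor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@vendor.example"],
    "legacy.example": ["v=spf1 a mx +all"],
    # legacy.example publishes no _dmarc record at all
}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.I)


def spf_findings(records):
    """Return weaknesses in a domain's SPF record (RFC 7208 semantics)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may send as this domain"]
    terms = spf[0].split()[1:]
    findings = []
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unknown senders get a neutral result")
    elif all_terms[-1][0] not in "-~":  # bare 'all' defaults to the '+' qualifier
        findings.append(f"'{all_terms[-1]}' lets any sender pass SPF")
    if sum(1 for t in terms if LOOKUP_TERM.match(t)) > 10:
        findings.append("more than 10 DNS-lookup terms: SPF evaluates to permerror")
    return findings


def dmarc_findings(records):
    """Return weaknesses in a domain's DMARC policy (RFC 7489 tags)."""
    dmarc = [r for r in records if r.replace(" ", "").lower().startswith("v=dmarc1;")]
    if not dmarc:
        return ["no DMARC record: SPF/DKIM failures carry no enforced policy"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    return findings


def assess_domain(domain, txt=SAMPLE_TXT):
    """Assess email-spoofing exposure for a domain from its public TXT records only."""
    return {"spf": spf_findings(txt.get(domain, [])),
            "dmarc": dmarc_findings(txt.get("_dmarc." + domain, []))}
```

Running `assess_domain` over both domains shows the pattern the article describes: the primary domain is merely unenforced, while the forgotten one is fully spoofable.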
What This Means for Procurement and Boards
The practical implication is straightforward. Certifications and maturity scores should remain part of your vendor assessment process — they establish baseline hygiene and indicate process maturity. But they cannot be the entirety of that process, and they cannot substitute for an actual view of what the vendor exposes to the outside world.
A passive OSINT assessment of a vendor takes the same approach an attacker would: look at what is actually visible from the outside, without any access to the vendor's systems or documentation. What it surfaces is not what the vendor believes is exposed. It is what is actually exposed — right now, to anyone looking.
For Boards approving vendor relationships, this distinction matters. You are not just approving a vendor's security controls. You are accepting their external footprint as part of your risk surface. A vendor's forgotten subdomain running a vulnerable application is your supply chain risk. Their credential exposure is a vector into your environment. Their legacy infrastructure is your problem if it is integrated into your operations.
The cert on the wall tells you they passed an audit. OSINT tells you what an attacker sees today. Both pieces of information are necessary. Most organisations only have one of them.