
Risk Matrix

The Checklist presents security controls grouped by domain (Product Security, Endpoint Security, DevSecOps, etc.). That view is useful for building teams, ownership, and roadmaps — but it does not answer the question every executive eventually asks: "What are we actually defending against, and which controls reduce that specific risk?"

This page provides that second lens: a risk-based view of the same controls.

How to read this matrix

  • Risk — A high-level adverse outcome the organization wants to avoid (e.g. Supply Chain Attack, Account Takeover). Risks are business-impact oriented.
  • Threat — A concrete way the risk can materialize (e.g. malicious dependency, phishing). One risk usually has several threats. Threats are attacker- or scenario-oriented.
  • Controls — The mitigations from the checklist that reduce the likelihood or impact of that threat. The same control may appear under several threats — defense in depth is intentional.

Controls are not ranked within a threat. Picking which ones to invest in first depends on your organization's maturity, industry, and existing posture (see Using This Guide).

This matrix is intentionally non-exhaustive. It covers the most common risks faced by modern organizations and maps them to the controls described in this guide. Adapt it — add risks specific to your industry (PCI, HIPAA, critical infrastructure, etc.), remove what does not apply.


Risk Summary

| # | Risk | Threats covered |
|---|------|-----------------|
| 1 | Supply Chain Attack | Malicious dependency · Compromised vendor · Compromised container image · Compromised build pipeline |
| 2 | Account Takeover & Credential Compromise | Phishing · Credential stuffing & brute force · Leaked secrets & credentials · Session hijacking |
| 3 | Application Vulnerability Exploitation | Code-level vulnerabilities · Vulnerable dependencies · Zero-day & unknown vulnerabilities · Insecure defaults |
| 4 | Data Breach & Data Leakage | Unauthorized data access · Endpoint exfiltration · Misconfiguration exposure · Shadow IT/AI exposure |
| 5 | Infrastructure & Cloud Compromise | Cloud misconfiguration · Public-facing service attacks · Lateral movement |
| 6 | Endpoint Compromise | Malware & ransomware · Lost or stolen device · Unmanaged software |
| 7 | Insider Threat | Malicious insider · Negligent insider |
| 8 | SCM, CI/CD & Developer Environment Compromise | Compromised source code platform · Malicious pipeline changes · Compromised developer workstation |
| 9 | AI Based Attacks | Shadow AI usage · Compromised or misbehaving AI agents |
| 10 | Brand & Reputation Attack | Brand impersonation · Uncontrolled vulnerability disclosure |
| 11 | Operational Disruption | Ransomware impact · System outage · Poor incident handling |
| 12 | Compliance & Regulatory Failure | Regulatory non-compliance · Audit failure |

1. Supply Chain Attack

Modern software is assembled, not written. The vast majority of code running in production comes from third parties — open-source libraries, container base images, SaaS vendors, build tools. A compromise anywhere upstream of you propagates into your systems. Supply chain attacks are particularly dangerous because they bypass perimeter controls: the malicious code arrives through a trusted channel.

Threat: Malicious or compromised library / dependency

An attacker publishes a malicious package, takes over an abandoned package, or compromises a maintainer account. Your build pulls it in and executes it.

Controls:

Threat: Compromised third-party vendor

A SaaS provider or critical vendor is breached and the blast radius reaches your data, your customers, or your infrastructure.

Controls:

Threat: Compromised container base image

Public registries host images that may contain vulnerabilities, backdoors, or outdated components. Pulling them directly into production extends your trust boundary.

Controls:

Threat: Compromised build pipeline

The build itself is part of the supply chain. Tampered build tools, plugins or runners can inject code that never appears in your source repository.

Controls:


2. Account Takeover & Credential Compromise

Identity is the new perimeter. Most modern breaches do not start with an exploit — they start with valid credentials used by the wrong person. Once an attacker has a working identity, every downstream control has to assume that identity is legitimate.

Threat: Phishing

The most common entry vector. An attacker tricks an employee into entering credentials on a fake page or approving an MFA prompt.

Controls:

Threat: Credential stuffing & brute force

Attackers replay credentials leaked from other breaches, or systematically guess weak passwords against your login surfaces.

Controls:

Threat: Leaked secrets and credentials

API keys, tokens, or service credentials end up in source code, logs, screenshots, or public repositories.

Controls:

Threat: Session hijacking and token theft

A valid session token is stolen from a workstation, browser, or intercepted in transit, allowing the attacker to bypass authentication entirely.

Controls:


3. Application Vulnerability Exploitation

Code your team writes is the most direct attack surface you have. Even mature programs ship vulnerable code — the goal is to detect it early, reduce how much of it reaches production, and shrink the time to fix what slips through.

Threat: Code-level vulnerabilities (injection, XSS, auth flaws, business logic)

Bugs in the application itself that allow attackers to bypass intended behavior — read other users' data, escalate privileges, run code.

Controls:

Threat: Vulnerable third-party dependencies

A known CVE exists in a library you depend on and an exploit is published before you patch.

Controls:

Threat: Zero-day and unknown vulnerabilities

A vulnerability exists in your code or stack that no scanner knows about yet. You will not find it with automated tooling alone.

Controls:

Threat: Insecure defaults

A feature ships configured in a way that is convenient but unsafe — public buckets, permissive CORS, debug endpoints enabled.

Controls:


4. Data Breach & Data Leakage

Data is what most attackers actually want and what regulators care about most. Leakage doesn't require a sophisticated attacker — a misconfigured bucket, a wrong sharing setting, or an employee using an unsanctioned tool is enough.

Threat: Unauthorized data access

A user or service accesses data they should not be able to see, either due to broken authorization, over-permissioned accounts, or stolen credentials.

Controls:

Threat: Exfiltration through the endpoint

Data leaves the company through a corporate laptop — copied to USB, uploaded to personal cloud storage, shared in a chat tool, or emailed externally.

Controls:

Threat: Misconfiguration exposure

A cloud resource is unintentionally exposed to the internet: an open S3 bucket, a public database, a permissive IAM policy.

Controls:

Threat: Shadow IT / Shadow AI exposure

Employees paste sensitive data into unsanctioned SaaS apps or AI tools, where it ends up in third-party logs or training data.

Controls:


5. Infrastructure & Cloud Compromise

Cloud accounts are the new datacenter — and they have a much larger and more dynamic configuration surface. A single mis-scoped IAM role can be the difference between a contained incident and a full takeover.

Threat: Cloud misconfiguration

Resources are provisioned in an insecure way — overly broad IAM, missing encryption, no network restrictions.

Controls:

Threat: Attacks on public-facing services

DDoS, bot traffic, scraping, or application-layer abuse directed at internet-facing endpoints.

Controls:

Threat: Lateral movement after initial foothold

An attacker who lands on one host or one account pivots through the environment to reach high-value systems.

Controls:


6. Endpoint Compromise

Employee laptops and phones are the front line. They run untrusted content (websites, attachments, third-party apps) and they hold credentials, source code, and customer data. A compromised endpoint is often the first step in a larger intrusion.

Threat: Malware & ransomware

A device is infected via a malicious download, attachment, or drive-by; the attacker gains persistence and access to whatever the user can reach.

Controls:

Threat: Lost or stolen device

A laptop or phone is lost, stolen, or sold without being properly wiped — exposing whatever data and credentials were on it.

Controls:

Threat: Unmanaged or unsanctioned software on endpoints

Employees install software the security team has not vetted — risky browser extensions, pirated tools, AI assistants with broad permissions.

Controls:


7. Insider Threat

Not every attacker is external. Insiders already have credentials, context, and trust — which makes them simultaneously the hardest threat to detect and the easiest to overlook.

Threat: Malicious insider

A current or former employee deliberately abuses their access to steal data, sabotage systems, or sell credentials.

Controls:

Threat: Negligent insider

An employee causes a security incident through carelessness, not malice — clicking a phishing link, mishandling data, misconfiguring a resource.

Controls:


8. SCM, CI/CD & Developer Environment Compromise

The path from a developer's keyboard to production is itself a high-value target. Compromise anywhere along it — IDE, repo, build, deploy — and the attacker reaches production without ever touching production.

Threat: Compromised source code management platform

The source code platform (GitHub, GitLab, or similar) is compromised through stolen tokens, OAuth app abuse, or a malicious member with elevated rights.

Controls:

Threat: Malicious pipeline changes

A pull request, a workflow file, or a self-hosted runner is used to inject malicious behavior into builds and deployments.

Controls:

Threat: Compromised developer workstation

A developer's machine is compromised — giving the attacker access to source code, signing keys, cloud credentials, and the ability to push code.

Controls:


9. AI Based Attacks

AI introduces a new class of risk that does not map cleanly onto existing controls. Models reason over untrusted input, agents take actions on behalf of users, and sensitive data flows into systems the security team often does not own.

Threat: Shadow AI usage

Employees use AI tools the organization has not approved — pasting source code, customer data, or strategic plans into systems that may log, retain, or train on it.

Controls:

Threat: Compromised or misbehaving AI agents

An autonomous agent is manipulated through prompt injection, given excessive permissions, or behaves unpredictably — taking actions the user did not intend.

Controls:


10. Brand & Reputation Attack

Not every attack targets your infrastructure. Some target your customers, your name, or your stock price — and your security team is still the one expected to respond.

Threat: Brand impersonation

Phishing domains, fake social media accounts, fraudulent apps, or counterfeit websites trick customers into handing over credentials or money.

Controls:

Threat: Uncontrolled vulnerability disclosure

A researcher (or attacker) discloses a vulnerability publicly without a coordinated process, putting customers and the company's reputation at risk.

Controls:


11. Operational Disruption

Confidentiality gets the headlines, but availability gets the pager. An outage — caused by an attack or a self-inflicted change — has direct business cost, and how the organization handles it shapes both customer trust and regulatory exposure.

Threat: Ransomware impact on operations

Beyond data loss, ransomware halts the business: systems are encrypted, customer-facing services go down, and recovery becomes a multi-week project.

Controls:

Threat: System outage

A critical service becomes unavailable due to attack, dependency failure, or operational error.

Controls:

Threat: Poor incident handling

The incident itself is recoverable, but slow response, miscommunication, or missing runbooks make it dramatically worse.

Controls:


12. Compliance & Regulatory Failure

Regulatory failure is rarely the result of a single missing control — it is the result of not being able to show a control. The risk is as much about evidence and documentation as it is about technology.

Threat: Regulatory non-compliance

The organization is found in violation of a regulation it is subject to (GDPR, PCI, SOC 2, HIPAA, DORA, etc.).

Controls:

Threat: Audit failure

A scheduled audit fails — not necessarily because controls don't exist, but because evidence cannot be produced.

Controls: