Most security programmes are built around what you know.
Your applications. Your cloud accounts. Your domains.
But some of the most damaging breaches of the last decade did not come from systems organisations owned. They came from systems they trusted.
These are not theoretical risks. They are how modern attacks increasingly start.
That is why we built Trust Monitor.
The hidden layer of the attack surface
Web applications have never been truly self-contained. They have always relied on external services, scripts, domains and integrations to function. What has changed is scale. Cloud, SaaS and platform consolidation mean a single application now depends on dozens or hundreds of third parties, many of them shared across thousands of organisations.
Every one of those creates a live trust relationship that runs inside your users’ browsers and applications. That concentration has turned background technical dependencies into high-value attack targets.
When one of those trusted services changes, is hijacked, or behaves unexpectedly, that trust can be abused without anyone touching your infrastructure. Attackers do not need to break into your servers if they can slip in through a trusted dependency that runs inside your browser or application.
Traditional vulnerability scanning is excellent at finding weaknesses in what you control.
It is far less effective at showing you what your applications depend on, what they trust, and how that changes over time.
Trust Monitor exists to close that gap.
What is Trust Monitor
Trust Monitor extends AppCheck’s external scanning by continuously identifying, auditing, and tracking third party and supply chain exposure connected to your web estate.
It answers three simple but critical questions:
Rather than treating supply chain risk as a one-off audit, Trust Monitor turns it into something you can see, monitor, and be alerted on, so you can act before it becomes a breach.
How it works
Trust Monitor is built around three core capabilities.
Discover
Trust Monitor identifies the third party services, domains, scripts, and integrations that are connected to your external web estate. This includes relationships that are often invisible to traditional scanning or asset inventories.
The result is a live view of who and what your applications are trusting.
Audit
Once those relationships are identified, Trust Monitor assesses them for security issues and misconfigurations that could increase risk. This gives you visibility into weaknesses that originate outside your own infrastructure but still affect your security posture.
Track
Trust Monitor does not stop after the first scan. It continuously monitors for change. New third party relationships, unexpected domains, or altered integrations are surfaced and can be reviewed as they appear.
This allows teams to catch problems early rather than discovering them months later after something has gone wrong.
Why this matters now
Supply chain and third-party risk is no longer theoretical. It is now one of the primary ways modern attacks bypass traditional perimeter security.
In 2025, one of the largest cryptocurrency exchanges, Bybit, suffered a massive breach in which attackers manipulated transaction signing and stole around $1.5 billion in Ethereum, making it one of the largest crypto heists on record. The US Federal Bureau of Investigation publicly attributed the theft to North Korean-linked actors, highlighting the increasing scale and sophistication of modern attacks on digital systems. (Paul Hastings)
Bybit’s servers were not the weak point.
The trust relationship was.
This is the new attack surface. It lives in scripts, APIs, SaaS platforms, browser-side code, cloud services, and the invisible connections that modern applications rely on to function.
If you are not continuously tracking and validating those relationships, you are only securing the part of your estate you own, not the part that can be used to attack you.
How Trust Monitor fits with AppCheck
AppCheck already helps organisations identify vulnerabilities across their external applications, APIs, and infrastructure.
Trust Monitor builds on that foundation by adding a layer of context around external dependencies and trust relationships. Together, they provide a more complete view of your real attack surface, not just what you own, but what you rely on.
Getting started
Trust Monitor is available as part of AppCheck and can be used to provide ongoing visibility into third party and supply chain exposure.
If you would like to see what it looks like for your own environment, our team can provide an overview and example outputs based on the technologies and services that matter most to you.
No software to download or install.
Contact us or call us on 0113 887 8380.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network and cloud infrastructure. AppCheck are authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).