
Trellix
Cybersecurity vendor formed from McAfee Enterprise and FireEye merger; source code breached April 2026.
Last refreshed: 8 May 2026
Could Trellix's leaked source code help attackers evade the very defences it sells?
Timeline for Trellix
Confirmed unauthorised access to part of its source-code repository on 8 May, 21 days after intrusion
Cybersecurity: Threats and Defences: Trellix discloses 21-day-old breach of source-code repository
- What was stolen in the Trellix data breach?
- RansomHouse accessed part of Trellix's source-code repository on 17 April 2026. Trellix confirmed the breach on 8 May but said no data had been publicly released. The full scope of the access was not disclosed. Source: Trellix
- Is Trellix the same as McAfee?
- Trellix was formed in January 2022 from the merger of McAfee Enterprise and FireEye, after both were acquired by Symphony Technology Group. Trellix is the combined entity; the McAfee consumer business was sold separately.
- Why did Trellix take 21 days to disclose the breach?
- Trellix did not publicly explain the disclosure timeline. The 21-day gap exceeds the 24-hour initial-notification window proposed by the UK Cyber Security and Resilience Bill, though that legislation has not yet come into force. Source: Trellix / UK CSRB analysis
- Does Trellix serve UK government?
- Trellix products are used by UK Government departments and critical national infrastructure operators, making the source-code breach particularly sensitive for defenders relying on Trellix detection tooling.
Background
Trellix is a cybersecurity detection and response vendor formed in January 2022 through the merger of McAfee Enterprise and FireEye, both acquired by private equity firm Symphony Technology Group (STG). On 8 May 2026, Trellix disclosed that an unauthorised party — later identified as RansomHouse — had accessed part of its source-code repository on 17 April, a 21-day intrusion-to-disclosure gap. No data from the breach had appeared publicly as of the disclosure date.
Trellix produces endpoint detection and response (EDR), email security, network detection, and threat-intelligence products. Its customer base includes UK Government departments and critical national infrastructure operators, making source-code access potentially significant for adversaries seeking to understand detection signatures or identify sensor blind spots. The company markets itself as a successor to the threat-intelligence pedigree of FireEye's Mandiant division, though Mandiant itself was sold to Google in 2022 before the Trellix merger completed.
The 21-day disclosure timeline sits outside the 24-hour initial-notification window proposed by the UK Cyber Security and Resilience Bill. The breach raises questions about whether Trellix's own detection tooling flagged the intrusion promptly, given the reputational sensitivity of a security vendor failing to detect an attacker inside its own systems.