Skip to content
You can now search across every topic, entity and event.What's new
Trellix
OrganisationUS

Trellix

Cybersecurity vendor formed from McAfee Enterprise and FireEye merger; source code breached April 2026.

Last refreshed: 8 May 2026 · Appears in 1 active topic

Key Question

Could Trellix's leaked source code help attackers evade the very defences it sells?

Timeline for Trellix

#710 Jun

Mentioned in: UK cyber bill drops payment regime

Cybersecurity: Threats and Defences
#411 May

Confirmed unauthorised repository access and stated no evidence source code was altered or weaponised

Cybersecurity: Threats and Defences: RansomHouse posts Trellix internal screenshots as extortion leverage
#38 May

Confirmed unauthorised access to part of its source-code repository on 8 May, 21 days after intrusion

Cybersecurity: Threats and Defences: Trellix discloses 21-day-old breach of source-code repository
View full timeline →
Common Questions
What was stolen in the Trellix data breach?
RansomHouse accessed part of Trellix's source-code repository on 17 April 2026. Trellix confirmed the breach on 8 May but said no data had been publicly released. The full scope of the access was not disclosed.Source: Trellix
Is Trellix the same as McAfee?
Trellix was formed in January 2022 from the merger of McAfee Enterprise and FireEye, after both were acquired by Symphony Technology Group. Trellix is the combined entity; the McAfee consumer business was sold separately.
Why did Trellix take 21 days to disclose the breach?
Trellix did not publicly explain the disclosure timeline. The 21-day gap exceeds the 24-hour initial-notification window proposed by the UK Cyber Security and Resilience Bill, though that legislation has not yet come into force.Source: Trellix / UK CSRB analysis

Background

Trellix is a cybersecurity detection and response vendor formed in January 2022 through the merger of McAfee Enterprise and FireEye, both acquired by private equity firm Symphony Technology Group (STG). On 8 May 2026, Trellix disclosed that an unauthorised party — later identified as RansomHouse — had accessed part of its source-code repository on 17 April, a 21-day intrusion-to-disclosure gap. No data from the breach had appeared publicly as of the disclosure date.

Trellix produces endpoint detection and response (EDR), email security, network detection, and threat-intelligence products. Its customer base includes UK Government departments and critical national infrastructure operators, making source-code access potentially significant for adversaries seeking to understand detection signatures or identify sensor blind spots. The company markets itself as a successor to the threat-intelligence pedigree of FireEye's Mandiant division, though Mandiant itself was sold to Google in 2022 before the Trellix merger completed.

The 21-day disclosure timeline sits outside the 24-hour initial-notification window proposed by the UK Cyber Security and Resilience Bill. The breach raises questions about whether Trellix's own detection tooling flagged the intrusion promptly, given the reputational sensitivity of a security vendor failing to detect an attacker inside its own systems.

More questions
Does Trellix serve UK government?
Trellix products are used by UK Government departments and critical national infrastructure operators, making the source-code breach particularly sensitive for defenders relying on Trellix detection tooling.
Source Material