Trenchant
Organisation · US

L3Harris offensive cyber unit that developed government-only zero-day exploits, eight of which were stolen and sold to Operation Zero.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

What controls failed at Trenchant that let eight government exploits walk out the door?

Timeline for Trenchant

#117 Apr

OFAC turns IP law on Operation Zero

Cybersecurity: Threats and Defences
Common Questions
What is Trenchant and who runs it?
Trenchant is the offensive cyber unit inside US defence contractor L3Harris that develops zero-day exploits and hacking tools for US government programmes under classified contracts. Source: DOJ / OFAC
How were Trenchant's exploits stolen?
Former Trenchant executive Peter Williams stole at least eight finished government-only exploits from L3Harris between 2022 and 2025 and sold them to Russian-linked exploit broker Operation Zero, for which he was sentenced to 87 months in prison. Source: DOJ sentencing documents

Background

Trenchant is the offensive cyber operations unit inside US defence contractor L3Harris, responsible for developing zero-day exploits and offensive cyber tools exclusively for US government customers. Former Trenchant executive Peter Williams stole at least eight finished exploits from its repository and sold them to Operation Zero between 2022 and 2025, for which he was sentenced to 87 months on 24 February 2026.

As a classified government-facing unit, Trenchant's work product sits at the intersection of the most sensitive offensive tooling the US government commissions from private contractors. Its exposure through the Williams case illustrates how insider access to finished, government-ready zero-days represents a qualitatively different risk from nation-state tool theft; the tools were never deployed by adversaries to reach L3Harris, but left through an authenticated insider.

For the wider defence industrial base, the Williams case became the reference event for insider-threat controls on offensive cyber repositories. The question of whether technical controls (USB blocking, code access logging, DLP on tool repos) were adequate at Trenchant at the time of the thefts is an open audit item for the defence contractor cyber compliance community.