Concentration risk is the danger of depending too much on one supplier, cloud platform, software stack, network service, or other critical dependency. In cyber security, this matters because a single failure can affect many systems at once. If an organization centralizes identity, hosting, updates, or communications with one provider, a vulnerability, outage, or compromise in that provider can quickly spread into the organization’s own environment.
Attackers look for concentration points because they offer high leverage: one compromised vendor account, shared management tool, or widely used component can open access to many downstream targets. Defenders reduce this risk by mapping critical dependencies, diversifying where possible, segmenting trust, and planning for fallback options. They also assess supplier security and recovery capability, because resilience depends not only on internal controls but on how much damage one external dependency can cause.
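The dependency mapping described above can be made concrete with a small inventory analysis. The following is an added example, not part of the original text: it takes a constructed inventory of systems and the external providers they rely on for identity, hosting, updates and communications, computes each provider's blast radius, and flags providers that would take down a large share of systems and have no tested fallback. All system and provider names are invented.

```python
from collections import defaultdict

# Constructed inventory (not real systems): system -> {function: external provider}.
INVENTORY = {
    "crm":      {"identity": "IdP-A", "hosting": "Cloud-A", "updates": "Patch-A", "comms": "Mail-A"},
    "billing":  {"identity": "IdP-A", "hosting": "Cloud-A", "updates": "Patch-A", "comms": "Mail-A"},
    "hr":       {"identity": "IdP-A", "hosting": "Cloud-B", "updates": "Patch-B", "comms": "Mail-A"},
    "ops-wiki": {"identity": "IdP-A", "hosting": "OnPrem",  "updates": "Patch-B", "comms": "Chat-A"},
}
# Constructed: providers with a tested, independent fallback (provider -> alternative).
FALLBACKS = {"Cloud-A": "Cloud-B", "Mail-A": "Chat-A"}


def blast_radius(inventory):
    """Provider -> set of systems that stop working if that provider fails."""
    radius = defaultdict(set)
    for system, deps in inventory.items():
        for provider in deps.values():
            radius[provider].add(system)
    return dict(radius)


def concentration_report(inventory, fallbacks, threshold=0.5):
    """Rank providers by blast radius; flag those at or above `threshold`
    with no tested fallback as single points of failure."""
    total = len(inventory)
    functions = defaultdict(set)
    for deps in inventory.values():
        for function, provider in deps.items():
            functions[provider].add(function)
    report = []
    for provider, systems in blast_radius(inventory).items():
        share = len(systems) / total
        report.append({
            "provider": provider,
            "share": share,
            "systems": sorted(systems),
            "functions": sorted(functions[provider]),
            "fallback": fallbacks.get(provider),
            "single_point_of_failure": share >= threshold and provider not in fallbacks,
        })
    # Largest blast radius first: the top entry is the first dependency to address.
    report.sort(key=lambda f: (-f["share"], f["provider"]))
    return report


if __name__ == "__main__":
    for f in concentration_report(INVENTORY, FALLBACKS):
        flag = "SPOF" if f["single_point_of_failure"] else "    "
        print(f"{flag} {f['provider']:<8} {f['share']:.0%} of systems  fallback={f['fallback']}")
```

In the constructed inventory the identity provider is used by every system and has no fallback, so it tops the list; the hosting provider covers half the systems but is not flagged because a tested alternative is recorded.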