Understanding the commercial surveillance market has become increasingly complex due to the proliferation of intermediaries. These entities—including software resellers, vulnerability brokers, contractors, and regional partners—often enable government and private organizations to bypass transparency regulations and trade restrictions.
A March 18 report from the Atlantic Council details how these intermediaries enable the global distribution of offensive cyber capabilities (OCC). The researchers point to specific instances, such as a South African representative distributing Memento Labs' Dante software locally, and a third-party firm facilitating the sale of Passitora's surveillance technology to Bangladesh. The latter transaction occurred despite a lack of diplomatic relations between the relevant countries and existing trade bans, demonstrating how intermediaries navigate restricted markets.
Jen Roberts, associate director of the Cyber Statecraft Initiative at the Atlantic Council and a co-author of the report, notes that this ecosystem makes market analysis challenging.
"Intermediaries can drive down transparency efforts in the marketplace for offensive cyber capabilities like spyware by muddying supply chains and creating confusion for end buyers as to where a capability or component of a capability has come from," she says. She adds that intermediaries often support procurement for countries lacking strong in-house technical resources.
The broader commercial surveillance ecosystem continues to expand, driven by demand for law enforcement investigations, intelligence gathering, and the monitoring of political opposition. In 2025, a Google Threat Intelligence Group analysis found that, for the first time, commercial surveillance vendors accounted for more zero-day use than traditional state-sponsored groups. Recent shifts in US policy, including the reactivation of certain contracts and the removal of specific sanctions, also appear to have eased operational constraints for some surveillance technology vendors.
The structural role of intermediaries
The Atlantic Council's "Mythical Beasts" report series indicates that intermediaries form the operational backbone of this market. By providing specialized procurement channels, they allow nations without domestic development capabilities to acquire gray-market surveillance software while insulating the original vendors from direct oversight.
Collin Hogue-Spears, senior director of solution management at Black Duck, explains that third-party brokers and resellers effectively bypass export controls through careful corporate structuring.
"Their corporate structures exist specifically to make export controls irrelevant," he notes. "The spyware market stopped being a vendor-to-government pipeline years ago. It has evolved into a modular supply chain where intermediaries fill every gap the buyer cannot fill alone: exploit engineering, operational training, deployment infrastructure, and most importantly, a legal paper trail that hides the origin."
Julian-Ferdinand Vögele, a principal threat researcher at Recorded Future, observes that these entities lower the barrier to entry by bundling software with training and support.
"Commercial spyware operates in the shadows by design," Vögele says. "Brokers and resellers enable its spread by connecting vendors and buyers, bundling tools with support or training, and expanding into new markets, while adding opacity, obscuring relationships, and leveraging jurisdictions."
Regulatory efforts and transparency initiatives
Recognizing the risks to affected parties, including journalists, diplomats, and civil society members, international coalitions are working to establish oversight. In February 2024, the United Kingdom and France launched the Pall Mall Process, a multilateral initiative aimed at addressing the proliferation and irresponsible use of commercial cyber intrusion capabilities. This ongoing effort brings together government entities, industry partners, and policy experts to develop standard practices and safeguards.
In response to mounting regulatory pressure, some surveillance vendors have introduced internal compliance measures. For example, NSO Group announced the establishment of a human rights compliance program, though independent researchers remain cautious about the effectiveness of self-regulation in this sector.
Roberts notes that the Pall Mall Process is currently focused on drafting an industry code of practice, meaning comprehensive evaluation of the initiative will take time. In the interim, the Atlantic Council recommends practical defensive steps for organizations and governments: implementing strict "Know Your Vendor" requirements, mandating certification for capability brokers and resellers, and maintaining clear public registries of these entities.
Establishing visibility into the procurement chain is a necessary first step for security practitioners and policymakers attempting to secure environments against these tools.
"Transparency initiatives are key to regulating intermediaries and also the spyware industry more broadly," Roberts says. "It is difficult to ultimately regulate what one cannot observe."