Safeguard
SBOM

Communicating security posture to customers/investors via...

How to turn SBOMs into a real vendor-risk communication tool for customers and investors, and where Mend.io's scan-first approach falls short.

Marina Petrov
Compliance Analyst
7 min read

Ask a security questionnaire from a Fortune 500 buyer or a Series C due diligence checklist in 2026 and you'll find the same line item that barely existed five years ago: "Provide a current SBOM for the product(s) in scope." Since Executive Order 14028 (May 2021) pushed software bills of materials into federal procurement, and the NTIA's minimum elements followed later that year, SBOMs have migrated from a compliance artifact for government contractors into a default trust signal for enterprise buyers, cyber insurers, and investors. The Linux Foundation's 2024 SBOM readiness survey found 76% of organizations now produce SBOMs somewhere in their pipeline — but a much smaller share can hand one to a customer or investor in a format that actually answers "how exposed are we." Mend.io, one of the more visible players in this space, treats the SBOM primarily as a scanning byproduct. This post breaks down what vendor-risk-ready SBOM communication actually requires, and where the gap sits.

Why are customers and investors suddenly asking for SBOMs?

Because regulators and insurers made "we trust our vendors" an unacceptable answer on its own. The SEC's cybersecurity disclosure rule, effective December 2023, requires public companies to report material incidents within four business days — which pushed enterprise buyers to demand upstream visibility into the software they depend on, since a vendor's breach is now their disclosure risk too. The 2023 MOVEit breach is the reference case: a single zero-day in Progress Software's file transfer tool cascaded into breach notifications from more than 2,600 downstream organizations, including payroll providers, government agencies, and universities, because almost none of them had a component-level map of what was running underneath a "trusted" vendor's product. Investors picked up the same instinct during diligence after watching portfolio companies get blindsided by dependency-level exposure (Log4Shell, December 2021, is still the textbook example — CISA estimated it affected hundreds of millions of devices, and many affected companies took weeks just to determine if they were exposed). An SBOM, shared proactively, is now read as a proxy for engineering maturity, not just a compliance box.

What's missing from a "checkbox" SBOM that vendor risk teams actually need?

The missing piece is context — a raw component list without vulnerability correlation, license data, and freshness metadata is closer to noise than signal. A CycloneDX or SPDX file with 4,000 line items tells a vendor-risk analyst almost nothing on its own; they need to know which of those components have known exploited vulnerabilities (per CISA's KEV catalog), which are end-of-life, and whether the SBOM reflects the version actually running in production or a build from six months ago. Gartner has projected that by 2025, 60% of organizations would use cybersecurity risk as a significant factor in third-party transactions — but that only works if the artifact being reviewed is current. A static PDF SBOM attached to a sales deck, generated once for a SOC 2 audit and never regenerated, is functionally useless to a procurement team trying to answer "are you exposed to the CVE that hit the news this morning."

How does Mend.io approach SBOM generation, and where does it fall short for vendor communication?

Mend.io (rebranded from WhiteSource in 2022) generates SBOMs as an extension of its software composition analysis engine, which means the output is built for internal remediation workflows — flagging vulnerable dependencies to engineering teams — rather than external stakeholder trust. That's a reasonable design choice for its core SCA use case, but it leaves a gap when the audience shifts to a customer security team or an investor's diligence firm: there's no built-in shareable trust portal, no VEX (Vulnerability Exploitability eXchange) layer to tell a reviewer "yes, this CVE is in our SBOM, but it's not reachable in our deployment," and limited support for continuously refreshing the SBOM against production inventory rather than a point-in-time scan. The result is that teams using Mend often still end up hand-assembling a separate communication artifact — a spreadsheet, a slide, a one-off PDF — every time a customer or board member asks for posture evidence, which defeats the purpose of having machine-readable SBOM data in the first place.

What does a vendor-risk-ready SBOM actually look like in practice?

It looks like a living document with four layers: components, exploitability, provenance, and a distribution mechanism a non-engineer can use. Concretely: (1) a full component inventory in CycloneDX 1.6 or SPDX 3.0 format, since both are now recognized by NTIA and CISA guidance; (2) VEX statements attached to every CVE match, because a 2023 CISA analysis found that on average only a small fraction of flagged CVEs in a typical SBOM are actually exploitable in the deployed context — without VEX, every SBOM looks alarming; (3) build provenance (ideally SLSA-aligned) showing the SBOM was generated from the artifact actually shipped, not a source snapshot; and (4) a way to hand it over that doesn't require an email thread — a versioned, timestamped trust page or API endpoint a customer's GRC team can pull from directly during their own quarterly reviews. Companies that can produce this on demand cut the average vendor security review cycle from weeks of back-and-forth PDFs to a single link.

How do SBOMs affect fundraising and M&A due diligence specifically?

They've become a line item that can add weeks to a deal if it's missing, and a credibility signal when it's ready on request. In technical due diligence for growth-stage rounds and acquisitions, buy-side security teams increasingly ask target companies for SBOM coverage across all customer-facing products as part of the first data-room request, alongside SOC 2 reports and pen test results. A startup that can produce an up-to-date SBOM with clean VEX annotations in the first data pull signals the kind of engineering discipline diligence teams are trying to verify indirectly through dozens of other questions. Conversely, a target that has to generate its first-ever SBOM mid-diligence — which still happens, even in 2026 — reads as a red flag about how mature the security program really is, independent of whatever the SBOM ultimately shows.

How Safeguard Helps

Safeguard treats the SBOM as a communication product, not just a scan output. Where tools like Mend.io stop at generating a component list for internal triage, Safeguard continuously generates CycloneDX and SPDX SBOMs from the artifacts you actually ship, correlates every flagged component against CISA's KEV catalog and NVD in real time, and attaches VEX statements automatically so a reviewer sees exploitability, not just presence — cutting the noise that makes most SBOMs unreadable to a non-engineer.

For customer- and investor-facing communication specifically, Safeguard provides a shareable, versioned trust page that external reviewers can pull from directly, with an audit trail showing when each SBOM was generated and against which build. That means when a customer's procurement team or a due diligence firm asks for current posture evidence, the answer is a link with a timestamp, not a scramble to reconstruct a spreadsheet from six months ago. Provenance data is captured at build time, so the SBOM you hand over reflects what's actually running in production rather than a source-tree snapshot that may have drifted.

The net effect is that SBOM requests stop being a fire drill triggered by each new deal or renewal, and become a standing artifact your security, sales, and finance teams can point to on demand — which is what "communicating security posture" is supposed to mean in the first place.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.