A high-growth payments FinTech processing transactions for small and mid-sized merchants had, by early 2026, reached an operational tipping point with its vulnerability management program. The security team had adopted a traditional open source software composition analysis tool in 2022 and, for two years, watched the weekly CVE queue grow from hundreds of findings to more than 41,000 open items. Every engineer on the platform team had a Jira backlog tagged "security-sca" that they privately admitted they had stopped reading. This is an illustrative account of the kind of reachability-driven remediation program Safeguard.sh runs with FinTech organizations facing exactly this backlog crisis.
Why Does a Traditional SCA Tool Create This Much Noise?
It creates noise because it reports on what your application could contain rather than what it actually executes. A Python web service might bundle the full Django framework because one import statement pulls it in, but 90% of Django's codebase never runs in that service's actual request path. When a CVE is disclosed in Django's admin module and your service does not use the admin module, a traditional SCA tool still flags the finding. Multiply that across hundreds of libraries, and a mid-sized codebase generates tens of thousands of vulnerability findings that have no real exploitability.
The FinTech's Head of Platform Security put it this way in the initial call: "We are spending senior engineering time on CVEs that cannot be exploited in our environment, and we are missing CVEs that can be exploited because they are buried in a queue of 41,000 items." The goal of the engagement was not to add another scanner. It was to cut the noise dramatically, so the team could focus on findings that actually mattered.
What Does Reachability Analysis Do Differently?
Reachability analysis, in Safeguard's implementation, builds a call graph of the application's actual executable code and determines whether a vulnerable function in a vulnerable component is reachable from an entrypoint that an attacker can influence. For a web service, entrypoints include HTTP handlers, queue consumers, scheduled jobs, and any externally-triggered code path. If a CVE-affected function is not reachable from any of these, the finding is marked as not reachable and deprioritized.
The platform performs this analysis at multiple layers. It analyzes the application's source code, its compiled or packaged form, and the runtime behavior if instrumentation is available. For compiled languages, it uses a combination of bytecode analysis and binary symbol mapping. For dynamic languages like Python and Node.js, it combines static call graph construction with optional runtime telemetry that confirms which code paths actually execute in production.
The FinTech's primary stack was Go, Python, and Node.js. Safeguard's reachability analysis supported all three, with the highest-precision analysis available for Go through static binary inspection of the compiled services.
How Was the Rollout Phased Across the FinTech's Services?
The rollout was phased in three layers, mapped to the organization's service criticality tiers. Tier one was the merchant-facing payment processing services — high traffic, high sensitivity, and the smallest number of services (12 in total). Tier two was the internal platform services that supported the merchant tier (roughly 40 services). Tier three was everything else, including internal admin tools and analytics workloads (approximately 180 services).
The team started with tier one because these services had the most active engineering attention and would produce the clearest measurement. Safeguard's CLI integrated into the existing CI pipeline in a single workday for each service. Reachability results surfaced in pull request comments and in a central dashboard keyed to Jira.
The first tier-one service produced a result that, according to the Director of Product Security, "changed the conversation overnight." A service that previously showed 412 SCA findings returned 38 reachable findings. Of those 38, seven were critical or high severity. The team fixed all seven in the next sprint.
How Did the CVE Backlog Numbers Change?
The total open CVE count across the FinTech's monitored services dropped from approximately 41,000 to 8,200 after reachability analysis was applied across all three tiers, an 80% reduction. Critical and high-severity findings dropped from 6,800 to 1,100. Of the remaining 1,100 critical and high-severity findings, 820 had an available upstream patch and 280 did not.
The team committed to closing all patchable critical and high-severity reachable findings within 14 days of disclosure as a formal service-level objective. Within the first 90 days of the new SLO, 94% of findings met the deadline. The previous tracking, based on non-reachability-filtered data, had never exceeded 31% on any meaningful time window.
Importantly, the reduction was not uniform. A few services saw reachability analysis flag issues that the old SCA tool had deprioritized as medium severity. These cases — where a medium-rated CVE was actually reachable and therefore a higher real risk than a critical-rated CVE that was not reachable — were a key argument the security team made to engineering leadership when justifying the platform investment.
What Did Engineering Leadership Think of the New Workflow?
Engineering leadership responded positively for reasons that had as much to do with developer morale as risk reduction. The VP of Engineering had been hearing for over a year that the SCA tooling was producing "alert fatigue at scale." Platform engineers were logging dismissals on tickets without reading them, and the security team had no ability to distinguish a legitimate dismissal from a reflexive one.
Safeguard's workflow changed this. Pull request comments explained not just that a component had a CVE, but why the vulnerable function was or was not reachable, with a path trace from the entrypoint. Engineers reported that the explanations were detailed enough to serve as both a remediation guide and a learning resource. The Director of Engineering Culture noted that the quality of security-engineering interactions in code reviews improved measurably in the first quarter after rollout.
How Did the Platform Handle Third-Party Dependencies With No Source?
Third-party dependencies distributed as compiled binaries — particularly JAR files and a handful of vendor SDKs — were handled through Safeguard's binary reachability analysis. This form of analysis is less precise than source-level analysis because it cannot resolve every dynamic dispatch, but it produces meaningfully better results than assuming all code in a binary is reachable.
For one vendor SDK that the FinTech used for card authorization, binary reachability reduced the flagged CVE count from 87 to 12. The remaining 12 included one critical finding that the FinTech would not have prioritized under the old model and that, on inspection, affected a TLS negotiation path that the FinTech's integration actively used. The vendor shipped a patched version within two weeks of the FinTech's escalation.
What Would the Team Do Differently?
The Director of Product Security identified two lessons. First, they would have started reachability analysis earlier in the program lifecycle rather than waiting for the backlog to become a crisis. Teams that adopt reachability from day one never accumulate the psychological debt of a 41,000-item queue. Second, they would have invested earlier in language-specific tuning. Python reachability analysis, in particular, benefits significantly from runtime telemetry, and the FinTech did not enable runtime instrumentation until the second quarter of the rollout. Doing so earlier would have produced higher-confidence results on the Python services.
How Safeguard.sh Helps
Safeguard.sh provides reachability-aware vulnerability prioritization built specifically for engineering organizations that are drowning in SCA noise. The platform's reachability analysis covers Go, Python, Node.js, Java, .NET, Ruby, Rust, and C/C++, with support for both source-level and binary-level analysis. For FinTech organizations — where PCI DSS and SOC 2 audits put remediation timelines under direct scrutiny — Safeguard's output maps directly to auditor expectations, and the reduction in noise makes real SLO commitments feasible for the first time. FinTech customers typically see backlog reductions between 70% and 85% after the first complete scan cycle.