Safeguard
SBOM

From Inventory to Insight: Turning SBOM Data Into Priorit...

A complete SBOM often surfaces thousands of CVEs. Here's how reachability, exploitability, and business context turn that noise into a prioritized action plan.

Aman Khan
AppSec Engineer
8 min read

Every security team eventually hits the same wall: they finally have a complete software bill of materials, and it makes things worse before it gets better. A single mid-sized application can pull in 800 to 1,500 open-source components once transitive dependencies are counted. Run that SBOM against the National Vulnerability Database and you don't get a punch list — you get 3,000 to 6,000 flagged CVEs, most of them in libraries nobody on the team has heard of. Engineering leadership asks "what do we fix first?" and the honest answer, for most organizations in 2026, is still "we don't know." The SBOM did its job: it created visibility. But visibility isn't the same as action, and treating every flagged component as equally urgent guarantees that the real threats — the 20 or so components that are actually exploitable, actually reachable, and actually running in production — get lost in the noise. This is the gap between inventory and insight, and closing it is now the central problem in software supply chain security.

Why Doesn't a Complete SBOM Automatically Reduce Risk?

Because an SBOM is a list, not a decision. The NTIA's 2021 minimum elements guidance and the follow-on CISA framework defined what a compliant SBOM must contain — supplier name, component name, version, dependency relationships, and a handful of other fields — but neither said anything about which of those components matter most on a given day. A raw SBOM matched against vulnerability feeds routinely surfaces thousands of CVEs per application, and industry benchmarks put the average enterprise application at somewhere between 60% and 80% of its codebase coming from open-source dependencies it didn't write and rarely audits line by line. When a scan returns 4,000 findings and a security team has capacity to meaningfully investigate maybe 15 to 20 a week, "complete" inventory data doesn't create safety — it creates a backlog. The 2024 case of the NVD's own multi-month analysis slowdown, where tens of thousands of CVEs sat unenriched with no CVSS score or affected-version data, only sharpened this problem: teams that leaned on NVD severity alone as their sole prioritization signal were left flying blind at exactly the moment they needed a decision.

What Actually Makes One Vulnerable Component More Dangerous Than Another?

Reachability and exploitability, not the CVSS base score alone. A CVSS 9.8 vulnerability in a logging function that your application never calls is lower real-world risk than a CVSS 6.5 vulnerability sitting directly behind an internet-facing API endpoint. The Log4Shell disclosure in December 2021 is the textbook case: Log4j was embedded in an estimated hundreds of thousands of applications, but only a fraction of deployments actually invoked the vulnerable JndiLookup class in a way attackers could reach, and those were the ones that got compromised within days. CISA's Known Exploited Vulnerabilities (KEV) catalog — which had grown to well over 1,300 entries by 2025 — exists precisely because the wider CVE list is too broad to act on; KEV narrows the field to vulnerabilities with confirmed in-the-wild exploitation. Combine that signal with EPSS (Exploit Prediction Scoring System) probability data, and you get a much sharper picture: a component can carry a "critical" label and still rank near the bottom of a real prioritization queue if it's unreachable, unexploited in practice, and buried three dependency layers deep in a dev-only tool.

How Should Teams Score and Rank Thousands of SBOM Findings?

By combining exploitability, reachability, and business context into a single weighted score instead of sorting by CVSS alone. A defensible SBOM risk prioritization model typically layers four inputs: (1) whether the vulnerability is in the KEV catalog or has a high EPSS probability, (2) whether the vulnerable function is actually called by the application's code paths, (3) whether the component sits in a production, internet-facing service versus an internal build tool, and (4) whether a fix is available without a breaking major-version bump. A component matching all four high-risk criteria might represent less than 1% of total SBOM findings but account for the overwhelming share of realistic breach exposure — which is the entire point. The 2024 XZ Utils backdoor (CVE-2024-3094), discovered in March 2024 after a Microsoft engineer noticed anomalous SSH login latency, is a useful counter-example: it wasn't caught by severity scoring at all, but by behavioral anomaly detection, which is a reminder that prioritization models need to account for supply chain tampering, not just known-CVE severity, especially as attackers increasingly target build pipelines and maintainer accounts directly.

Why Do Most SBOM Programs Stall Right After the Inventory Stage?

Because generating an SBOM is a one-time engineering task, while prioritizing and acting on it is a continuous operational one, and most teams under-resource the second half. Executive Order 14028 (May 2021) and subsequent federal procurement rules pushed thousands of vendors to produce SBOMs for the first time, and many organizations treated "produce the SBOM" as the finish line — a compliance checkbox satisfied by a CycloneDX or SPDX file sitting in a repository. But a static SBOM is stale within days: new CVEs are published against existing components constantly, and NVD historically processes somewhere in the range of 25,000 to 30,000 new CVE records a year across the ecosystem. Without automated re-scoring as new vulnerability and exploit data lands, last month's "low risk" component quietly becomes this month's active exploitation target, and nobody notices until an audit or an incident forces a re-scan. Teams that stall here usually lack two things: a way to continuously re-run prioritization against the same SBOM as threat intelligence changes, and a workflow that routes the highest-priority findings to the engineer who owns that specific service, rather than dumping a spreadsheet into a shared channel.

What Does a Working Remediation Workflow Look Like in Practice?

It looks like a small, ranked queue with an owner and a deadline attached to each item — not a dashboard full of red badges. A functioning process typically narrows an initial SBOM finding set from thousands down to a top-20 or top-50 "act now" list, assigns each finding to the team that owns the affected service (not a central security team trying to patch everything itself), and tracks time-to-remediate against a risk-tiered SLA — for example, 7 days for KEV-listed and internet-reachable findings, 30 days for high-EPSS but unreachable findings, and quarterly batching for everything else. Industry remediation data has consistently shown that critical vulnerabilities in externally facing systems take a median of 60 to 90+ days to patch when there's no prioritization layer forcing faster action — plenty of time for an opportunistic attacker to scan for and exploit a known CVE, since mass exploitation attempts against newly disclosed CVEs often begin within 48 hours of public disclosure. Cutting that window meaningfully requires the ranking to happen automatically and continuously, not during a quarterly compliance review.

How Safeguard Helps

Safeguard is built specifically to close the gap between SBOM inventory and prioritized action. Rather than treating your SBOM as a static compliance artifact, Safeguard continuously ingests SBOM data (SPDX and CycloneDX formats) and cross-references it against live vulnerability intelligence, including CISA's KEV catalog and EPSS exploit-probability scoring, so severity isn't the only signal driving your queue. Safeguard's reachability analysis determines whether a flagged vulnerable function is actually invoked in your codebase's execution paths, filtering out the large share of findings — often the majority in a typical scan — that are technically present but practically unreachable. Findings are automatically scored against business context, including whether the affected service is internet-facing and whether it's running in production, so a critical CVE in a customer-facing payment service is never buried under hundreds of lower-stakes findings from internal tooling.

From there, Safeguard routes each prioritized finding to the owning team with clear remediation guidance and available fix paths, tracks time-to-remediate against configurable SLAs by risk tier, and re-scores your entire component inventory automatically as new CVEs, KEV entries, and EPSS updates land — so a component that was safe last week doesn't silently become an open door this week without anyone noticing. For teams that need to demonstrate SOC 2 or federal procurement compliance, Safeguard maintains an auditable record of what was found, how it was prioritized, who owned the fix, and how long remediation took, turning what used to be a defensive scramble into a documented, repeatable process. The result is a shift from "we have an SBOM with 4,000 findings" to "we have 18 findings that matter this week, and we know exactly who's fixing them and by when" — which is the actual outcome SBOM programs were meant to deliver in the first place.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.