
Safeguard v5: One Year In — What We Built, What We Learned

A retrospective on Safeguard v5's first year in production, the features that resonated, and where we're headed next.

Yukti Singhal
Product Lead
6 min read

It has been twelve months since we shipped Safeguard v5, and the platform looks nothing like the version we tagged on January 3, 2025. That is not because the original release was lacking — it is because the threat landscape moved fast, our customers pushed us harder than we expected, and we made a deliberate decision to ship weekly instead of quarterly.

This post is an honest retrospective: what landed well, what we had to rethink, and what the next twelve months look like.

The Bet We Made

When we started planning v5 in mid-2024, the industry was drowning in SBOM hype but starving for SBOM utility. Every vendor could generate a CycloneDX or SPDX document. Almost nobody could tell you what to do with one once you had it.

Our thesis was simple: SBOMs are only valuable if they feed into automated policy decisions. A PDF sitting in a compliance folder does not reduce risk. A machine-readable inventory that triggers a gate when a critical dependency surfaces a new CVE — that reduces risk.

So v5 shipped with three pillars:

  1. Continuous SBOM Generation — not a one-time export, but a living document updated on every build.
  2. Policy Gates — configurable rules that block deployments when your software composition crosses a threshold you define.
  3. Griffin AI — our natural-language interface for querying your entire software inventory without writing SQL or memorizing API endpoints.

What Worked

Policy Gates became the killer feature. We expected security teams to be the primary users. Instead, engineering leads adopted gates first. They used them to enforce internal standards — no log4j below 2.17.1, no npm packages with more than three unmaintained transitive dependencies, no container base images older than 90 days. Within six months, policy gates were the most-used feature by a factor of three.
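To make the gate idea concrete, here is an added example (not Safeguard's own code or its rule syntax) that evaluates the three rules named above, plus the "block on a new critical CVE" gate from the thesis, over a small CycloneDX-shaped SBOM. Everything in it is constructed for the example: the purls, bom-refs and image digest, the advisory map standing in for NVD/OSV correlation (the CVE id is a placeholder), the list of unmaintained packages, and the `example:build-date` property used to carry the image build date. "Transitive dependencies" is interpreted as every package reachable through the SBOM's `dependencies` graph.

```python
"""Policy gates evaluated over a CycloneDX-style SBOM (added example, not Safeguard code)."""
from datetime import date

# Constructed SBOM in CycloneDX shape. All purls, bom-refs and the image
# digest are invented for this example.
SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "name": "log4j-core", "version": "2.14.1", "type": "library"},
        {"bom-ref": "pkg:npm/left-widget@1.0.0",
         "name": "left-widget", "version": "1.0.0", "type": "library"},
        {"bom-ref": "pkg:npm/dep-a@0.1.0", "name": "dep-a", "version": "0.1.0", "type": "library"},
        {"bom-ref": "pkg:npm/dep-b@0.1.0", "name": "dep-b", "version": "0.1.0", "type": "library"},
        {"bom-ref": "pkg:npm/dep-c@0.1.0", "name": "dep-c", "version": "0.1.0", "type": "library"},
        {"bom-ref": "pkg:npm/dep-d@0.1.0", "name": "dep-d", "version": "0.1.0", "type": "library"},
        {"bom-ref": "pkg:oci/app-base@sha256:0000example", "name": "app-base",
         "version": "sha256:0000example", "type": "container",
         # build date carried as a custom property (assumed convention, not a CycloneDX standard)
         "properties": [{"name": "example:build-date", "value": "2025-06-01"}]},
    ],
    "dependencies": [
        {"ref": "pkg:npm/left-widget@1.0.0",
         "dependsOn": ["pkg:npm/dep-a@0.1.0", "pkg:npm/dep-b@0.1.0"]},
        {"ref": "pkg:npm/dep-b@0.1.0",
         "dependsOn": ["pkg:npm/dep-c@0.1.0", "pkg:npm/dep-d@0.1.0"]},
    ],
}

# Constructed enrichment data standing in for NVD/OSV correlation and a
# package-maintenance feed. The CVE id is a placeholder, not a real advisory.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1": [
        {"id": "CVE-0000-PLACEHOLDER", "severity": "critical"}],
}
UNMAINTAINED = {"pkg:npm/dep-a@0.1.0", "pkg:npm/dep-b@0.1.0",
                "pkg:npm/dep-c@0.1.0", "pkg:npm/dep-d@0.1.0"}


def version_tuple(version):
    """Numeric dotted versions only ('2.17.1' -> (2, 17, 1)); non-numeric parts are skipped."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def transitive_deps(sbom, ref):
    """All refs reachable from ref through the CycloneDX dependencies graph."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, stack = set(), list(graph.get(ref, []))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(graph.get(dep, []))
    return seen


def evaluate_gates(sbom, advisories, unmaintained, today_iso):
    """Return one finding string per gate violation; an empty list means the build passes."""
    today = date.fromisoformat(today_iso)
    findings = []
    for c in sbom["components"]:
        ref = c["bom-ref"]
        # Gate: no log4j-core below 2.17.1
        if c["name"] == "log4j-core" and version_tuple(c["version"]) < (2, 17, 1):
            findings.append(f"min-version: {ref} is below 2.17.1")
        # Gate: no npm package with more than three unmaintained transitive dependencies
        if ref.startswith("pkg:npm/"):
            stale = transitive_deps(sbom, ref) & unmaintained
            if len(stale) > 3:
                findings.append(f"unmaintained-deps: {ref} pulls in {len(stale)} unmaintained packages")
        # Gate: no container base image older than 90 days
        if c["type"] == "container":
            for prop in c.get("properties", []):
                if prop["name"] == "example:build-date":
                    age = (today - date.fromisoformat(prop["value"])).days
                    if age > 90:
                        findings.append(f"image-age: {ref} built {age} days ago")
        # Gate: block when enrichment surfaces a critical advisory for a component
        for adv in advisories.get(ref, []):
            if adv["severity"] == "critical":
                findings.append(f"critical-cve: {ref} affected by {adv['id']}")
    return findings


def gate_decision(findings):
    """The gate outcome a CI step would act on."""
    return "block" if findings else "allow"


if __name__ == "__main__":
    results = evaluate_gates(SBOM, ADVISORIES, UNMAINTAINED, "2025-12-01")
    print(gate_decision(results))
    for line in results:
        print(" -", line)
```

Run as written, all four gates fire and the decision is `block`; with an evaluation date within 90 days of the image build the image-age gate stays quiet and the other three still block. The point of the structure is that each rule is a pure function of the SBOM plus enrichment data, so the same evaluation can run on every build without a human in the loop.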

Griffin AI reduced mean-time-to-answer by 80%. Before Griffin, answering "which of our production services still ship with OpenSSL 1.1.1?" required querying an asset database, cross-referencing SBOM data, and filtering by deployment environment. With Griffin, the answer was one sentence typed into a chat interface. Security analysts told us this changed their daily workflow more than any dashboard ever did.

SBOM enrichment found its audience in regulated industries. Healthcare and financial services customers leaned heavily into our vulnerability correlation engine. Raw SBOMs are noisy — thousands of components, most of which are not exploitable in your specific context. Our enrichment layer cross-references NVD, OSV, and proprietary feeds to surface only the vulnerabilities that matter for your stack.

What We Had to Rethink

Our initial CI/CD integration was too opinionated. We shipped with deep GitHub Actions support and a basic Jenkins plugin. Customers running GitLab CI, Bitbucket Pipelines, and Azure DevOps felt like second-class citizens. By Q2 2025, we had rebuilt the integration layer around a universal CLI that works the same regardless of your CI system. Lesson learned: meet developers where they are, not where you wish they were.

Performance at scale was harder than we modeled. One enterprise customer had 14,000 microservices generating SBOMs on every commit. Our ingestion pipeline, originally designed for batch processing, buckled under the throughput. We spent two months re-architecting around event streaming and managed to bring ingestion latency from minutes to under ten seconds. That work is now the backbone for every customer, not just the large ones.

The dashboard needed fewer charts and more actions. Our first dashboard iteration was beautiful and nearly useless. It showed trends, distributions, and severity breakdowns — all things you can get from any BI tool. What customers actually wanted was a prioritized list of things to fix, with one-click remediation guidance. We stripped out half the visualizations and replaced them with an action-oriented feed. Engagement doubled.

By the Numbers

Over the past year, Safeguard v5 has processed:

  • 2.3 million SBOMs across all customers
  • 187 million components cataloged and tracked
  • 4.2 million policy gate evaluations, with a 12% block rate (meaning 12% of builds were stopped before reaching production due to policy violations)
  • 96% reduction in mean-time-to-remediation for critical vulnerabilities among customers using automated alerting

These numbers tell us something important: automation works. When you move security decisions from quarterly audits to per-build checks, the feedback loop tightens and teams fix things faster because they catch them sooner.

The Community Effect

One thing we did not anticipate was the community that formed around Safeguard's open-source tooling. Our CLI, SBOM parser, and CycloneDX validation library have collectively crossed 50,000 GitHub stars. Contributors from outside the company now account for roughly 30% of pull requests to those repositories.

This matters because supply chain security is not a problem any single vendor can solve. The more eyes on the tooling, the more robust the ecosystem becomes. We are committed to keeping our core libraries open and investing in the contributor experience.

What is Next

Without giving away too much of the 2026 roadmap, here are the themes we are focused on:

  • Reachability analysis at scale. Not every CVE in your dependency tree is exploitable. We are building static and runtime analysis to prove which vulnerabilities are actually reachable in your code paths.
  • Griffin AI v2. More context-aware, better at multi-step reasoning, and capable of generating remediation pull requests — not just answering questions.
  • Third-party risk management. Extending SBOM-driven visibility beyond your own code to the software your vendors ship to you.
  • Expanded compliance frameworks. FedRAMP, SOC 2, and ISO 27001 mappings that connect your SBOM posture directly to audit evidence.

How Safeguard.sh Helps

Safeguard is built for teams that want supply chain security to be a continuous process, not a quarterly checkbox. Whether you are a startup shipping your first container or an enterprise managing thousands of services, the platform scales to meet you. Policy gates enforce your standards automatically. Griffin AI answers your questions in plain English. And the SBOM enrichment engine cuts through the noise so you focus on what actually matters.

If you have been evaluating SBOM tooling, give Safeguard a try. The first year was just the beginning.
