SBOM vs. VEX: What's the Difference and When Do You Need Each?
SBOMs tell you what is in your software. VEX tells you which of those components are actually exploitable. Here is how to use both without drowning in noise.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A walkthrough of a CycloneDX 1.6 JSON document — metadata, components, services, dependencies, and vulnerabilities — with a real snippet and what to check first.
A clear walkthrough of CISA's 2026 revisions to the minimum elements for SBOM, what changed from the original NTIA baseline, and how to bring your outputs into compliance.
An engineer's side-by-side of Syft, Tern, and Trivy for SBOM generation in 2026, with honest notes on accuracy, performance, and where each tool actually fits.
How SBOMs have become a standard input to technical due diligence for software acquisitions, what acquirers actually look for, and how sellers should prepare.
Generating accurate SBOMs for firmware and IoT devices remains one of the toughest challenges in supply chain security. Here's the current state of the art.
A direct comparison of OpenVEX and CycloneDX VEX in 2026, covering spec differences, tooling support, and the operational tradeoffs that actually affect your choice.
A raw SBOM is a parts list. An enriched SBOM is a risk assessment. Here's how to bridge the gap.
A pragmatic architecture for ingesting, normalizing, and querying hundreds of thousands of SBOMs across an enterprise or agency, without drowning in noise.