Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
SLSA Level 3 gives you verifiable build provenance that satisfies CISA M-22-18 and EO 14028. Level 4 adds hermetic builds most teams will never need.
Provenance describes how software was built, attestations are signed claims about that process, and signing proves origin. Here's how the pieces fit.
A senior engineer's guide to training data poisoning defenses in 2026, from split-learning detection to provenance attestation and continuous pipeline monitoring.
SLSA Level 3 requires hardened builds, verifiable provenance, and isolated build environments. Here is the practical path, not the theoretical one.
Dependency confusion attacks are still landing in 2026 because scoped packages, registry config, and provenance checks are misconfigured by default. Here is the fix.
Training data is a supply chain component. Knowing what went into a model is the precondition for knowing what could come out of it. Few tools track this; the few that do matter disproportionately.
Long-lived signing keys are operational debt that every security team eventually pays down the hard way. Keyless signing is not an experiment anymore — it is the mainstream design.
Multi-modal models bring image, audio, and video into the AI supply chain. Each modality introduces provenance and integrity challenges that text-only pipelines never had to face.
Model weights are binaries with the privilege of code and the review of documents. Here is what signing, attestation, and provenance should actually look like.
Weekly insights on software supply chain security, delivered to your inbox.