The platform ingests NVD, OSV, EPSS, KEV, MITRE ATT&CK, MISP, and STIX feeds, then correlates them against your tenant SBOMs. Findings are ranked by reachability and exploitability — so the alert that pages on-call is the one that actually applies to you.
A modern threat-intel programme subscribes to half a dozen feeds. Each fires hundreds of items per day. Without joining each item to the tenant's actual artefacts and exploit context, the team drowns inside a week.
EPSS and the KEV catalogue tell you which vulnerabilities are being exploited in the wild. ATT&CK and MISP tell you what adversaries do with them. None of that helps until you can answer "does this affect our shipped software, in a reachable code path?"
Safeguard owns both ends of that join: the public-intel ingestion side and the per-tenant SBOM and call-graph side. Correlation is the platform's natural shape.
A CVE feed alone gives you a queue of indistinguishable items. Mapping each to your SBOM is the cheap part; mapping to reachability is the part that filters the noise.
EPSS gives probability of exploit; KEV says it's been seen in the wild; ATT&CK ties to adversary technique. Joining them per-finding is manual without the right indexes.
Threat indicators (domains, hashes, addresses) need correlation with your runtime telemetry — not just your SBOM. Most pipelines miss the runtime join.
A KEV-listed CVE in a critical-infrastructure package weighs differently than the same CVE in a marketing service. Tenants need to tune weights without scripting.
NVD, OSV, EPSS, KEV, MITRE ATT&CK, MISP, and STIX feeds ingested on rolling intervals with provenance preserved per item; tenants can add private feeds.
Each feed item is joined against the tenant SBOMs and Safeguard SCA call graph; non-applicable items collapse out before the alert queue.
Eagle ranks the surviving items by reachability (does any production path reach the vulnerable function?) and exploitability (EPSS percentile, KEV presence, observed-in-the-wild status).
Tenants set thresholds and routing per environment and sector; alerts page on-call with the full evidence bundle attached, suitable for the incident-response loop.
Rolling pulls of NVD / OSV / EPSS / KEV / ATT&CK / MISP / STIX; each item canonicalised with feed-provenance metadata.
Affected-package identifiers matched against tenant SBOMs across all registered repos, containers, and runtimes.
Items where the deployed call graph cannot reach the vulnerable function are collapsed before alerting.
EPSS percentile, KEV presence, ATT&CK mapping, and MISP IOC overlap combined into a single exploitability score.
The Eagle ranker sorts the surviving items by combined reachability × exploitability; tenant-tuned weights applied per environment.
High-rank items page on-call; medium items open findings; everything is preserved in the audit trail with evidence bundles attached.
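A compact model of the pipeline above (SBOM join, call-graph reachability collapse, weighted exploitability, tenant-tuned weights and thresholds), added here as an illustration and not Safeguard's or the Eagle model's own code. The scoring formula, the reachability measure (fraction of production entrypoints that reach the vulnerable function) and all sample data are assumptions.

```python
# Added example: names, weights and formula are assumptions, not Eagle's actual model.
from collections import deque
from dataclasses import dataclass
@dataclass(frozen=True)
class Finding:
    cve: str                # placeholder ids in the sample data, not real CVEs
    package: str            # affected package identifier from the feed item
    vuln_function: str      # vulnerable function named in the advisory
    epss_percentile: float  # 0.0 .. 1.0
    in_kev: bool
    attack_mapped: bool     # item carries an ATT&CK technique mapping
    misp_overlap: bool      # MISP IOC overlaps tenant runtime telemetry
DEFAULT_WEIGHTS = {"epss": 0.5, "kev": 0.3, "attack": 0.1, "misp": 0.1}

def reachable(call_graph, entrypoint, target):
    """BFS over the deployed call graph from one production entrypoint."""
    seen, queue = {entrypoint}, deque([entrypoint])
    while queue:
        fn = queue.popleft()
        if fn == target:
            return True
        for callee in call_graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return False

def exploitability(f, weights):
    """Weighted mix of EPSS, KEV, ATT&CK and MISP signals, normalised to 0..1."""
    signals = {"epss": f.epss_percentile, "kev": float(f.in_kev),
               "attack": float(f.attack_mapped), "misp": float(f.misp_overlap)}
    return sum(weights[k] * signals[k] for k in weights) / sum(weights.values())

def triage(findings, sbom, call_graph, entrypoints, weights=DEFAULT_WEIGHTS,
           page_at=0.4, finding_at=0.1):
    """Join to the SBOM, collapse unreachable items, rank the rest by
    reachability * exploitability, then bucket by tenant thresholds."""
    ranked = []
    for f in findings:
        if f.package not in sbom:           # not in any shipped artefact
            continue
        reach = sum(reachable(call_graph, e, f.vuln_function)
                    for e in entrypoints) / len(entrypoints)
        if reach == 0:                      # collapsed before the alert queue
            continue
        ranked.append((round(reach * exploitability(f, weights), 4), f.cve))
    ranked.sort(reverse=True)
    return {"page": [c for s, c in ranked if s >= page_at],
            "finding": [c for s, c in ranked if finding_at <= s < page_at],
            "audit": ranked}
```

Passing a tenant's own weights (for example KEV-only for a critical-infrastructure sector) changes the ranking without touching the join or the reachability step.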
Feeds into incident-response, joins on SBOM Studio artefacts, and ranks with the Eagle model.
Connect one SBOM and we'll run the past 30 days of KEV adds against your call graph as a free triage report.