Beyond the SBOM: Defending the Software Supply Chain in 2026
April 30, 2026
SBOMs were never meant to be the finish line. They are a transparency tool, and transparency alone does not stop an attacker who has already automated reconnaissance across your dependency chain and is moving faster than your team can triage.
This panel brings together security leaders from Forrester, Eclypsium, Anchore, and ActiveState to unpack what it actually takes to defend the software supply chain in an environment where exploitation cycles are measured in hours, not weeks.
The conversation covers the gaps attackers are actively exploiting between software, infrastructure, and vendor ecosystems, and what organizations need to do to close them before those gaps become breach disclosures. That means operationalizing SBOMs beyond documentation, strengthening pre-deployment controls, hardening infrastructure dependencies, and building a continuous monitoring posture that can function at enterprise scale.
It also means reckoning with AI. Standard SBOMs were not designed to account for AI BOMs, and the hidden risks in the AI development lifecycle are a category most organizations have not yet built a program around.
What you will take away from this session:
- Why SBOMs alone cannot defend against modern supply chain attacks, and how adversaries are exploiting the infrastructure, identity, and deployment pathways that sit outside traditional software inventories
- Practical methods for evaluating and mitigating vendor and open source software risk before software is purchased, deployed, or integrated into critical workflows
- How to work with vendors to remediate vulnerabilities, validate security claims, and maintain trust across the full software lifecycleContinuous monitoring strategies that deliver real-time visibility into emerging risks across both software and infrastructure supply chains
- How to distinguish between standard SBOMs and AI BOMs, and what that distinction means for managing risk in AI-assisted development environmentsIf your security program is still treating the SBOM as the destination rather than the starting point, this session is the recalibration your team needs.
.webp)
.jpeg)
.jpeg)