SBOM and AI Vulnerability Discovery: How Your Software Bill of Materials Becomes the Attack Surface Map
When AI can scan your SBOM and cross-reference it against 10,000 Glasswing findings in seconds, the compliance document becomes an attacker's roadmap

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The Biden EO 14028 mandate and subsequent CISA guidance have made SBOMs a compliance reality for any organization selling software to US federal agencies. The EU Cyber Resilience Act extended the requirement to the European market. What the compliance mandates did not anticipate: the same machine-readable component inventory that enables your vulnerability management program can be used by AI systems to map your entire attack surface against a growing library of AI-discovered CVEs in seconds. The SBOM is simultaneously your best tool for supply chain security and a potential roadmap for targeted attacks.
What SBOM Is and Why It Is Mandated
A Software Bill of Materials is a machine-readable inventory of every component in a software product. The analogy to a food ingredient label is intentional: just as a food label lets you identify allergens, an SBOM lets you identify components with known vulnerabilities. When a critical CVE is published in Log4j, OpenSSL, or wolfSSL, an organization with a complete SBOM can answer the question 'are we affected?' in hours instead of weeks of manual codebase archaeology. Executive Order 14028, signed in May 2021, required NIST to issue minimum SBOM standards as part of secure software development practices. CISA subsequently translated those standards into procurement requirements for federal software vendors. The mandate exists because the 2020 SolarWinds and Kaseya supply chain attacks demonstrated that organizations often did not know which components their software products contained until after an exploitation event.
SBOM Formats: SPDX vs. CycloneDX
Two formats dominate SBOM production today. SPDX (Software Package Data Exchange) is an ISO standard maintained by the Linux Foundation. It was originally designed for license compliance and has been extended for security use cases. SPDX documents are produced in RDF, JSON, YAML, or tagged-value text formats. CycloneDX is an OWASP standard designed specifically for security use cases including vulnerability management, supply chain analysis, and SBOM exchange. It supports a broader set of relationship types and is natively designed for machine-readable vulnerability correlation. Both formats are accepted under CISA and NIST guidance. Most tooling in the ecosystem supports both: Syft, Trivy, and Microsoft SBOM Tool can generate either format. For AI vulnerability management integration, CycloneDX is generally preferred because its VEX (Vulnerability Exploitability eXchange) extension provides a standardized format for annotating SBOM components with known vulnerability status and justifications.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Regulatory Landscape: EO 14028, CISA, and EU CRA
The regulatory picture across major jurisdictions is now clear. In the United States, EO 14028 (May 2021) established SBOM as a component of secure software development practices for federal procurement. CISA's 2023 SBOM guidance extended requirements to critical infrastructure sectors, and OMB M-22-18 set hard timelines for federal agencies to require SBOMs from software vendors. In the European Union, the Cyber Resilience Act entered into force in 2024 with a two-year implementation window. It requires manufacturers of connected products sold in the EU to produce and maintain SBOMs and to report actively exploited vulnerabilities within 24 hours. For organizations that sell software in both markets, compliance requires maintaining SBOMs in formats acceptable to both CISA and EU notified bodies. The EU CRA also includes import controls, meaning non-EU manufacturers selling into the EU market face the same obligations as EU-based manufacturers.
How AI Tools Use SBOMs for Vulnerability Scanning
AI vulnerability discovery tools can process SBOMs as structured inputs to perform two distinct operations. The first is known-CVE correlation: the AI ingests the SBOM, extracts every component name and version, and cross-references the list against CVE databases to identify components with known vulnerabilities. This is the standard SBOM vulnerability scanning function performed by tools like Trivy, Grype, and Snyk. The second, more powerful operation is the one Glasswing enables: the AI cross-references SBOM components against its own AI-discovered vulnerability database, identifying components where novel vulnerabilities have been found that do not yet appear in CVE databases. When Claude Mythos discovers a vulnerability in the wolfSSL TLS library and Glasswing coordinates the CVD, every organization with wolfSSL in its SBOM can be notified before the CVE is published. This is the legitimate and valuable use of SBOM plus AI discovery. The adversarial mirror image is the concern.
The Dual-Use Risk: Compliance Asset vs. Attack Surface Map
The same machine-readable structure that makes SBOMs useful for vulnerability management makes them immediately useful for adversaries. An attacker who obtains your SBOM can perform the following operation in seconds: extract all component names and versions, cross-reference against CVE databases and public exploit repositories, filter to components where working exploits exist, and sort by exploit complexity to identify the lowest-effort attack path into your software. Before AI, this cross-reference required manual research over hours. With AI, it is an automated query. The SBOM that took your team weeks to generate and gives you visibility into your attack surface gives an adversary exactly the same visibility the moment they obtain a copy. This is not a reason to avoid SBOM: the benefits of internal vulnerability management far outweigh the risks. It is a reason to apply strict access controls to SBOM distribution and to treat SBOM documents as sensitive security artifacts rather than marketing collateral.
FFmpeg as a Case Study: Embedded in Thousands of SBOMs
FFmpeg is an open source multimedia library used in video players, conferencing software, streaming platforms, content delivery systems, and embedded media devices. It is one of the most widely deployed software components in the world and has accumulated hundreds of CVEs over its history, including memory corruption vulnerabilities that have been exploited in the wild. Any product with video decoding, encoding, transcoding, or streaming capability likely embeds FFmpeg. Many of those products have SBOMs that explicitly list FFmpeg. When Claude Mythos scans a codebase and identifies a novel vulnerability in FFmpeg's packet parsing or codec handling, the Glasswing CVD process notifies affected partners. But the list of affected products can be derived immediately by any party with access to a corpus of product SBOMs: query for FFmpeg, filter to the affected version range, identify the affected products. The SBOM makes this correlation trivially fast.
SBOM Access Control and Sharing Protocols
SBOM access control requires a tiered model that satisfies compliance requirements without making SBOMs freely available to adversaries. Tier one is internal use: the SBOM is used by your vulnerability management team for continuous monitoring and is stored in a controlled internal repository with access limited to security and engineering staff. Tier two is customer sharing: SBOMs are shared with enterprise customers upon request under a mutual NDA, through an authenticated customer portal, or via a SBOM exchange platform like the CISA SBOM sharing system. Tier three is regulatory disclosure: SBOMs are shared with government agencies under procurement requirements through secure submission portals. Public posting of full SBOMs on open repositories is appropriate only for pure open source projects where the component list is already public by definition. For commercial software, avoid public SBOM publishing and instead provide a contact mechanism for qualified customers to request access.
Integrating SBOM into AI-Era Vulnerability Management
The SBOM becomes most powerful when it is connected to real-time vulnerability intelligence including AI-discovered findings. The integration architecture has three layers. The generation layer produces SBOMs at build time using tools like Syft or the Microsoft SBOM Tool, automatically including every dependency resolved at build time in CycloneDX format. The monitoring layer continuously cross-references the SBOM against CVE feeds including NVD, CISA KEV, and Glasswing CVD notifications to identify newly relevant vulnerabilities in listed components. The response layer automatically creates vulnerability management tickets when a new high-severity CVE matches a component in the SBOM, pre-populated with the affected component version, fix version if available, and the relevant EPSS score. This pipeline transforms the SBOM from a static compliance artifact into an active component of the vulnerability management program.
SBOM Vulnerability Mapping Workflow and Access Control Checklist
The Mythos Brief contains the complete SBOM vulnerability mapping workflow for integrating SBOMs with Glasswing CVD notifications, plus the SBOM access control checklist aligned with CISA guidance and EU CRA requirements.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
SBOMs are now a regulatory reality and a genuine operational asset for vulnerability management. The challenge AI has added is not a reason to abandon SBOM: it is a reason to control SBOM distribution as carefully as any sensitive security document and to integrate SBOM with real-time CVD intelligence including Glasswing disclosures. FFmpeg in thousands of product SBOMs is a preview of what AI-assisted attack surface mapping looks like at scale. The SBOM vulnerability mapping workflow, access control checklist, and Glasswing cross-reference template in the Mythos Brief give your program the structure to stay ahead of it: decryptiondigest.com/mythos-brief.
Frequently asked questions
What is an SBOM?
A Software Bill of Materials (SBOM) is a machine-readable inventory of every software component in a product, including open source libraries, commercial dependencies, and internal packages. Each entry typically includes the component name, version, supplier, and license. SBOMs allow organizations to quickly identify whether they are using a component with a known vulnerability, similar to how a food label lists ingredients so consumers can identify allergens. The analogy is imperfect because software components interact in complex ways that ingredient lists do not capture, but the core function is the same: transparency about what is in the product.
Is an SBOM required by law?
For software sold to US federal agencies, yes. Executive Order 14028 (May 2021) required NIST to issue guidance on SBOM as part of secure software development practices, and CISA subsequently issued SBOM requirements for federal software procurement. The EU Cyber Resilience Act, which entered into force in 2024, requires SBOMs for connected products sold in the EU market. For private sector software not sold to government, SBOM is currently a strong recommendation rather than a legal mandate in most jurisdictions, but that is changing as sector-specific regulators in financial services, healthcare, and critical infrastructure adopt SBOM requirements.
How does AI use SBOMs to find vulnerabilities?
AI vulnerability discovery tools can use SBOMs as a structured input to identify potentially vulnerable components before any code analysis is performed. An AI system ingests the SBOM, cross-references every listed component against known CVE databases and AI-discovered vulnerability lists like Glasswing findings, and produces a ranked list of components requiring deeper investigation. This is the benign use case. The adversarial use case is identical: an attacker who obtains your SBOM can perform the same cross-reference in seconds to identify which of your components match known exploitable vulnerabilities.
Should I share my SBOM publicly?
SBOM sharing is a spectrum from fully private (SBOM used only for internal vulnerability management) to fully public (SBOM published in a product repository for downstream users). For most organizations, a tiered approach is appropriate: share SBOMs with customers under NDA or through authenticated portals upon request to meet compliance requirements, but do not publish them publicly where adversaries can freely download and cross-reference them against exploit databases. The EU CRA and CISA guidance both contemplate this tiered sharing model. Internal SBOM use for your own vulnerability management does not require external sharing.
How do I find if FFmpeg is in my SBOM?
If you are using a standard SBOM format like CycloneDX or SPDX, query your SBOM file for the component name 'FFmpeg' or the package URL 'pkg:pypi/ffmpeg' or equivalent for your package ecosystem. Most SBOM generation tools including Syft, Trivy, and Microsoft SBOM Tool produce searchable JSON or XML output. If FFmpeg is embedded as a compiled binary rather than a declared dependency, it may not appear in your SBOM without a binary analysis step that detects embedded libraries by scanning for known code signatures, which tools like Tern and Anchore can perform.
How should a vendor respond when a Glasswing CVD notification arrives for a component listed in customer SBOMs?
Start by querying your SBOM repository to identify every product version that includes the affected component at a vulnerable version. Generate the impact list before the CVE is publicly assigned so you can notify affected enterprise customers through authenticated channels before public disclosure. Prepare a VEX statement using CycloneDX's Vulnerability Exploitability eXchange format to document whether the vulnerable code path is reachable in your product's configuration. Publish the VEX annotation alongside a patched SBOM on your customer portal and provide a remediation deadline that accounts for the confirmed exploit capability associated with Glasswing disclosures rather than relying on EPSS to set urgency.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
