Topics include Supply Chain Security, Vulnerability Management, Neat Tricks, and Contributor insights.
100% Online Event and Free to All
Software supply chain security is entering a new phase. Attackers are no longer limited to exploiting weaknesses discovered during development. They are targeting what’s already running in production, often within days of a vulnerability being disclosed. As AI accelerates both vulnerability discovery and weaponization, organizations must evolve from build-time scanning to continuous post-deployment defense. SecureChainCon, hosted by the Ortelius open-source community, brings together practitioners, security leaders, platform engineers, and open-source contributors working to close the gap between vulnerability detection and real-world exposure. The conference focuses on making SBOMs operational, improving deployment visibility, and using automation and AI-assisted remediation workflows to reduce risk across live environments. This is not another conference about scanning earlier in the pipeline; it’s about Continuous Threat Exposure Management (CTEM) and Remediation for what’s already deployed. SecureChainCon is designed for teams ready to move beyond pre-deployment scanning and toward continuous defense of the software that is already in production—where today’s attacks actually happen.
You Can’t Manage What You Can’t See: The Role for Open Standards in the Age of AI
With the ever-increasing adoption of AI, designing and developing products securely has become even more critical, but actively managing your deployed products has become imperative. So how do you manage those vulnerabilities post-deployment?
Join this conversation with John Linford, The Open Group Security Portfolio Director, to learn more about tools, techniques, and (open) standards that can help you and your company gain visibility into your vulnerabilities and actively manage and mitigate them. John Linford is The Open Group Security Portfolio Forum Director, responsible for facilitating the creation and delivery of standards and certification programs from the Security Forum, Open Trusted Technology Forum (OTTF), and Assured Dependability Work Group. These groups comprise the cybersecurity and supply chain security SMEs in The Open Group. The Open Group is a global consortium that enables the achievement of business objectives through technology standards. As Forum Director, John supports the leaders and participants of his Forums and Work Group in utilizing the resources of The Open Group to facilitate collaboration and follow The Open Group consensus-based Standards process to publish their deliverables.
Agenda:
9:00-9:30 - Beer and Donuts Awards, roadmap and community announcements. Meet the team - a lively discussion of contributors and friends.
9:30-10:00 - Live Keynote - John Linford A keynote presentation and interview with John Linford of The Open Group
10:00-10:30 - Live Ortelius Demos - with the Architecture Team See the newest features of the Ortelius Post-Deployment CVE Detection Platform
10:30-12:00 - Guest Speakers
10:30-10:45 - Siddharth Jain - Sense, Reason, Act Safely
AI agents in enterprise systems create a post-deployment control problem: once they are running, teams need continuous visibility into what the agent saw, how it reasoned, what it changed, and which human or policy gates approved the action. This talk shares architecture patterns from building production AI workflows for finance and enterprise operations at OpenAI. The examples include permissioned access to source documents and structured data, cited and inspectable outputs, MCP integrations and UIs, Apps SDK surfaces, Temporal-style workflow orchestration, evals, audit trails, and human-in-the-loop review. Siddharth will map those patterns to a practical sense-reason-act model for deployed AI systems: sense with telemetry, source grounding, and runtime context; reason with constrained model calls, structured outputs, evals, and policy checks; and act through deterministic workflows, approval gates, remediation queues, and rollback paths. Attendees will leave with concrete design patterns for making AI-assisted remediation and enterprise automation reviewable, governed, and safer after deployment.
10:45-11:00 - Przemyslaw Roguski, Red Hat - Contextual SBOMs
Software Bills of Materials (SBOMs) are fundamental to modern software transparency, providing a component inventory vital for vulnerability management programs. However, in complex, modern build environments, especially those involving multistage builds, traditional analyzed SBOMs fail to provide the necessary detail, often grouping content from various build stages and layers into a single component. This session delves into the critical need for and implementation of Contextual SBOMs. A Contextual SBOM is an advanced form of the SBOM that captures the origin of content sourced from the base image or from the build stages of multistage builds. By precisely identifying content that is COPY-ied from builders in multistage builds, the Contextual SBOM enables a significant “shift-left” in security. This intelligence is essential for precise vulnerability management, allowing security teams to differentiate between transient build tools and actual product dependencies, thereby ensuring a verifiable, trusted software supply chain and proactively managing vulnerabilities during the build phase. This talk is ideal for security professionals, compliance officers, compliance auditors, developers and anyone involved in the supply chain aspects of software.
11:00-11:15 - Janane Suresh, Oracle - Deployment-Aware SBOMs
Standardizing on Software Bills of Materials (SBOMs) was a massive step forward for transparency, but for most organizations, the SBOM remains a “birth certificate”—a static document that tells you what was born in the factory, but not where it lives or what it’s doing now. In an era where AI-accelerated attacks weaponize vulnerabilities in hours, relying on stale build-time data is a recipe for a 100-day remediation cycle. Using the lessons of Log4j as a catalyst, this session explores the shift from static inventory to “Deployment-Aware” SBOMs. We will walk through the architecture of a continuous evidence pipeline that maps your SBOM metadata directly to live production environments—clusters, namespaces, and pods. By bridging the gap between build-time identity and runtime behavior, we solve the two biggest hurdles in modern vulnerability management: Identification and Prioritization.
11:15-11:30 - Fahed Dorgaa - Post-Deployment CVE Triage with LLMs
A Trivy or Grype scan against a running service returns hundreds of CVEs. Most are unreachable in the deployed runtime, already covered by an existing control, or irrelevant to the service’s exposure and data. CVSS rates the CVE; it cannot rate your production context. This talk walks through vens (https://github.com/venslabs/vens), an open-source tool built to close that gap. vens takes the scanner report plus a YAML description of the deployed system (exposure, data sensitivity, compliance scope, existing controls) and uses an LLM as the “Reason” step in a Sense → Reason → Act loop. The output is a CycloneDX VEX document with an OWASP Risk Rating (0–81) per vulnerability, consumable by vulnerability management platforms (e.g., Dependency-Track, Trivy, etc.).
11:30-11:45 - Vanessa Toves, Druva - AI Cyber Resilience for Microsoft Cloud Data
Azure services, Entra ID and Microsoft 365 form the backbone of many AI initiatives and business operations, seamlessly integrating to drive efficiency and innovation. However, this interconnected power also expands the attack surface, increasing the potential risk of data loss and security breaches. Compounded by an organization’s pursuit of AI initiatives, the threat vectors have increased overnight. Data resilience across these platforms is no longer optional—it’s essential to ensuring business continuity and swift recovery from cyber incidents. In this session, we’ll uncover the key vulnerabilities and provide actionable strategies to strengthen your data security posture against evolving threats.
11:45 - Closing with Tracy Ragan
Shift Left Security: Understand the importance of integrating security practices early in the software development lifecycle (SDLC) to identify and remediate vulnerabilities at the source code level.
Automation is Key: Learn the role of automation in DevSecOps, from automated security assurance and vulnerability scanning to automated compliance checks and policy enforcement, to improve efficiency and consistency.
Culture of Collaboration: Recognize the need to foster collaboration and shared responsibility among development, operations, and security teams to effectively implement DevSecOps practices.
Threat Intelligence and Risk Management: Explore the importance of leveraging threat intelligence and risk management frameworks to prioritize security efforts, allocate resources effectively, and mitigate emerging threats.
Compliance and Governance: Address the challenges of maintaining compliance with regulatory requirements, such as aggregated SBOMs, and industry standards in DevSecOps environments.