Ortelius Blog

Topics include Supply Chain Security, Vulnerability Management, Neat Tricks, and Contributor insights.

SecureChainCon 2026

SecureChainCon 2026, On Demand

Run Free, Run Safe: Defend Post-Deployment in the Age of AI

Software supply chain security is entering a new phase. Attackers are no longer limited to exploiting weaknesses discovered during development. They are targeting what’s already running in production, often within days of a vulnerability being disclosed. As AI accelerates both vulnerability discovery and weaponization, organizations must evolve from build-time scanning to continuous post-deployment defense. SecureChainCon, hosted by the Ortelius open-source community, brings together practitioners, security leaders, platform engineers, and open-source contributors working to close the gap between vulnerability detection and real-world exposure. The conference focuses on making SBOMs operational, improving deployment visibility, and using automation and AI-assisted remediation workflows to reduce risk across live environments. This is not another conference about scanning earlier in the pipeline; it’s about Continuous Threat Exposure Management (CTEM) and Remediation for what’s already deployed. SecureChainCon is designed for teams ready to move beyond pre-deployment scanning and toward continuous defense of the software that is already in production—where today’s attacks actually happen.

Beer and Donuts

Awards, roadmap and community announcements. Meet the team - a lively discussion with contributors and friends.

Keynote

You Can’t Manage What You Can’t See: The Role for Open Standards in the Age of AI with John Linford, The Open Group

John Linford is The Open Group Security Portfolio Forum Director, responsible for facilitating the creation and delivery of standards and certification programs from the Security Forum, Open Trusted Technology Forum (OTTF), and Assured Dependability Work Group. These groups comprise the cybersecurity and supply chain security SMEs in The Open Group. As Forum Director, John supports the leaders and participants of his Forums and Work Group in utilizing the resources of The Open Group to facilitate collaboration and publish their deliverables.

Ortelius Technical Demo

Steve Taylor, DeployHub

Steve Taylor walks through updates for the next release of Ortelius. This includes a simpler process for connecting to GitHub/GitLab repos, and the integration of Jenkins into the Ortelius Platform.

Sense, Reason, Act Safely: Runtime Controls for Enterprise AI Agents

Siddharth Jain, OpenAI

AI agents create a new post-deployment control challenge: organizations need continuous visibility into what an agent accessed, how it reasoned, what it changed, and which approvals authorized its actions. Siddharth demonstrates a practical sense–reason–act model for deployed AI: sense with telemetry and runtime context, reason with constrained models, structured outputs, and policy checks, and act through deterministic workflows, approval gates, remediation queues, and rollback mechanisms.

Contextual SBOMs: Unlocking Precise Vulnerability Management with Build-Time Content Intelligence

Przemyslaw “Rogue” Roguski, Red Hat

Software Bills of Materials (SBOMs) are essential for software transparency and vulnerability management, but traditional SBOMs often lose critical detail in complex multistage builds by grouping content from different stages and layers together. This session explains the need for Contextual SBOMs, which capture where components originate, including base images and specific build stages.

Beyond the Birth Certificate: Architecting Deployment-Aware SBOMs for Real-Time Defense

Janane Suresh, SBOM Enthusiast

SBOMs improved software transparency, but too often they remain static build-time records that show what was created, not where it is running or what risk it presents now. This session explores the shift to Deployment-Aware SBOMs, using Log4j as a catalyst for why stale inventory is not enough. Attendees will learn how a continuous evidence pipeline maps SBOM metadata to live production environments—clusters, namespaces, and pods—to improve vulnerability identification, prioritization, and remediation speed.

Post-Deployment CVE Triage with LLMs: Cutting Scanner Noise with Runtime Context

Fahed Dorgaa, Circletech

Trivy and Grype scans often return hundreds of CVEs, but many are unreachable, mitigated by existing controls, or irrelevant to the deployed service. CVSS rates the vulnerability, not the production context. This talk introduces vens, an open-source tool that combines scanner output with a YAML description of the deployed system—exposure, data sensitivity, compliance scope, and controls—and uses an LLM in a Sense → Reason → Act loop. The result is a CycloneDX VEX document with an OWASP Risk Rating for each vulnerability, ready for use in tools like Dependency-Track and Trivy.

Strengthen AI cyber resilience for your Microsoft cloud data

Vanessa Toves, Druva

Azure, Entra ID, and Microsoft 365 power many AI initiatives and business operations, but their deep integration also expands the attack surface and increases the risk of data loss and security breaches. This session highlights key vulnerabilities across these platforms and shares practical strategies to strengthen data resilience, improve recovery, and protect business continuity against evolving cyber threats.