When Log4Shell hit, one Anchore Enterprise customer faced the same nightmare scenario as thousands of organizations worldwide: Where is log4j hiding in our infrastructure?
The difference? While most organizations spent weeks manually hunting through systems, this customer ran a single API command and identified every instance of log4j across their entire environment in five minutes.
That’s the transformation Josh Bressers (VP of Security, Anchore) and Brian Thomason (Solutions Engineering Manager, Anchore) demonstrated in their recent webinar on rapid incident response to zero-day vulnerabilities—and it represents a fundamental shift in how security teams can respond to critical threats.
TL;DR: Traditional vulnerability management treats SBOMs as compliance artifacts, but modern incident response requires treating them as operational intelligence.
This technical deep-dive covers three critical scenarios that every security team will face:
- Proactive Threat Hunting: How to identify vulnerable components before CVE disclosure using SBOM archaeology
- Runtime Vulnerability Prioritization: Real-time identification of critical vulnerabilities in production Kubernetes environments
- CI/CD Security Blindness: The massive attack surface hiding in build environments that most teams never scan
Ready to see the difference between reactive firefighting and strategic preparation? Keep reading for the technical insights that will change how you approach zero-day response.
The CUPS Case Study: Getting Ahead of Zero-Day Disclosure
In September 2024, security researchers began dropping hints on Twitter about a critical Linux vulnerability affecting systems “by default.” No CVE. No technical details. Just cryptic warnings about a two-week disclosure timeline.
The security community mobilized to solve the puzzle, eventually identifying CUPS as the target. But here’s where most organizations hit a wall: How do you prepare for a vulnerability when you don’t know what systems contain the affected component?
Traditional approaches require manual system audits—a process that scales poorly and often misses transitive dependencies buried deep in container layers. The SBOM-centric approach inverts this narrative.
“One of the examples I like to use is when log4j happened, we have an Anchore Enterprise customer that had all of their infrastructure stored inside of Anchore Enterprise as SBOMs. Log4Shell happens and they’re like, holy crap, we need to search for Log4Shell. And so we’re like, ah, you can do that here, run this command. And literally in five minutes they knew where every instance of log4j was in all of their environments.”
—Josh Bressers, VP of Security, Anchore
The Technical Implementation
What was the command they used? The webinar demonstrates the same query live, run against thousands of stored SBOMs to locate CUPS across an entire infrastructure:
$ curl -u admin:password \
  "https://enterprise.example.com/v1/images/by_package?name=cups" \
  | jq '.results[] | .tag_history[0].tag'
Before the jq filter narrows the output to image tags, this single command returns every container image containing CUPS, complete with version information, registry details, and deployment metadata. The query runs against historical as well as current SBOMs, providing comprehensive coverage across the entire software supply chain.
Security teams can begin impact assessment and remediation planning before vulnerability details become public, transforming reactive incident response into proactive threat management.
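The same search, written out as a standalone script so the mechanics are visible without an Anchore Enterprise instance. This is an added example, not Anchore's code and not a call to its API: it walks a store of SBOM documents, matches a component by exact name, and, when a fixed version is supplied, marks each hit below that version as vulnerable so the result reads as a remediation worklist. It assumes a simplified CycloneDX-style layout (the image under metadata.component, packages in a flat components[] list) and plain dotted version numbers; the three SBOMs and the 2.17.1 threshold are constructed sample values.

```python
"""Search a store of SBOMs for a package and flag versions below a fix.

Added example; it is not Anchore Enterprise code and does not call its API.
It assumes a simplified CycloneDX-style layout: the image an SBOM describes
sits under metadata.component (name = repository, version = tag) and the
packages sit in a flat components[] list with name/version/purl.
All three SBOM documents below are constructed sample data.
"""
import re
from typing import Optional

# Constructed sample store: one document per image tag that was ever scanned.
SBOM_STORE = [
    {
        "bomFormat": "CycloneDX",
        "metadata": {"component": {"name": "registry.example.com/web/frontend",
                                   "version": "1.4.2"}},
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
            {"type": "library", "name": "log4j-api", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        ],
    },
    {
        "bomFormat": "CycloneDX",
        "metadata": {"component": {"name": "registry.example.com/batch/worker",
                                   "version": "3.0.0"}},
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.17.2",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.2"},
        ],
    },
    {
        "bomFormat": "CycloneDX",
        "metadata": {"component": {"name": "registry.example.com/legacy/report",
                                   "version": "0.9.1"}},
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.11.0",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.11.0"},
            {"type": "library", "name": "cups", "version": "2.4.2",
             "purl": "pkg:deb/debian/cups@2.4.2"},
        ],
    },
]


def parse_version(version: str) -> tuple:
    """Turn a plain dotted version ("2.14.1") into a comparable tuple.

    Assumption: versions are numeric and dotted. Distro versions with
    epochs or suffixes need an ecosystem-aware comparator instead.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_affected(store, package_name: str, fixed_in: Optional[str] = None):
    """Return every (image, tag, version) carrying package_name.

    If fixed_in is given, each hit is also marked vulnerable when its
    version sorts below that fixed version. Matching is exact on the
    component name (case-insensitive), so log4j-api is not reported
    when you ask for log4j-core.
    """
    wanted = package_name.lower()
    fix = parse_version(fixed_in) if fixed_in else None
    hits = []
    for sbom in store:
        image = sbom["metadata"]["component"]
        for comp in sbom.get("components", []):
            if comp["name"].lower() != wanted:
                continue
            hits.append({
                "image": image["name"],
                "tag": image["version"],
                "version": comp["version"],
                "purl": comp.get("purl"),
                "vulnerable": fix is not None and parse_version(comp["version"]) < fix,
            })
    # Vulnerable images first, then by image name, so the list reads as a worklist.
    hits.sort(key=lambda h: (not h["vulnerable"], h["image"]))
    return hits


if __name__ == "__main__":
    # 2.17.1 is used here only as an example threshold; take the real fixed
    # version from the advisory for the CVE you are responding to.
    for hit in find_affected(SBOM_STORE, "log4j-core", fixed_in="2.17.1"):
        flag = "VULNERABLE" if hit["vulnerable"] else "ok"
        print(f"{flag:10} {hit['image']}:{hit['tag']}  log4j-core {hit['version']}")
    for hit in find_affected(SBOM_STORE, "cups"):
        print(f"{'present':10} {hit['image']}:{hit['tag']}  cups {hit['version']}")
```

The exact-name match matters in practice: a substring search for "log4j" would also return log4j-api, which was not the vulnerable artifact, and inflate the worklist. Swap the version comparator for an ecosystem-aware one (Debian epochs, Maven qualifiers) before relying on the vulnerable flag for distro packages.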
What Else You’ll Discover
This proactive discovery capability represents just the foundation of a comprehensive demonstration that tackles the blind spots plaguing modern security operations.
Runtime Vulnerability Management: The Infrastructure You Don’t Control
Josh revealed a critical oversight in most security programs: vulnerabilities in Kubernetes infrastructure components that application teams never see.
The demonstration focused on a critical CVE in the nginx ingress controller—infrastructure deployed by SRE teams but invisible to application security scans. Using Anchore Enterprise’s Kubernetes runtime capabilities, the team showed how to:
- Identify running containers with critical vulnerabilities in real-time
- Prioritize remediation based on production deployment status
- Bridge the visibility gap between application and infrastructure security
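The prioritization step in the list above, as an added example that is not Anchore's code: it joins the findings an SBOM search produced with a runtime inventory of the cluster and ranks them so that images actually running (and with the most replicas) come first, while findings for images that exist only in the registry drop to the bottom. It assumes two constructed inputs, findings keyed by image reference and a pod inventory such as a Kubernetes watcher would report, and joins them on the image digest rather than the tag, since tags move and digests do not.

```python
"""Rank vulnerability findings by what is actually running in the cluster.

Added example, not Anchore Enterprise code. It assumes two constructed
inputs: findings from scanning stored SBOMs (image reference by digest,
package, severity) and a runtime inventory as a Kubernetes watcher would
report it (namespace, workload, image reference, replica count). The join
is done on the image digest because tags move but digests do not.
"""

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Negligible": 0}

# Constructed findings: what an SBOM search returned for a set of advisories.
FINDINGS = [
    {"image": "registry.example.com/infra/nginx-ingress@sha256:aaa111",
     "package": "nginx-ingress-controller", "severity": "Critical"},
    {"image": "registry.example.com/web/frontend@sha256:bbb222",
     "package": "log4j-core", "severity": "Critical"},
    {"image": "registry.example.com/tools/debug@sha256:ccc333",
     "package": "curl", "severity": "High"},
    {"image": "registry.example.com/batch/worker@sha256:ddd444",
     "package": "zlib", "severity": "Medium"},
]

# Constructed runtime inventory: pods observed in the cluster right now.
# Note the debug image is in the registry but is not running anywhere.
RUNTIME = [
    {"namespace": "ingress-nginx", "workload": "ingress-nginx-controller",
     "image": "registry.example.com/infra/nginx-ingress@sha256:aaa111", "replicas": 3},
    {"namespace": "prod", "workload": "frontend",
     "image": "registry.example.com/web/frontend@sha256:bbb222", "replicas": 6},
    {"namespace": "staging", "workload": "frontend",
     "image": "registry.example.com/web/frontend@sha256:bbb222", "replicas": 1},
    {"namespace": "prod", "workload": "worker",
     "image": "registry.example.com/batch/worker@sha256:ddd444", "replicas": 2},
]


def image_digest(ref: str) -> str:
    """Return the digest part of an image reference, or the reference itself
    when it is tag-only (those cannot be joined reliably and match only themselves)."""
    return ref.split("@", 1)[1] if "@" in ref else ref


def runtime_index(inventory):
    """Map image digest -> the pods currently running that image."""
    idx = {}
    for pod in inventory:
        idx.setdefault(image_digest(pod["image"]), []).append(pod)
    return idx


def prioritize(findings, inventory):
    """Attach runtime context to each finding and sort into a remediation order:
    running before not running, then severity, then replica count (blast radius)."""
    idx = runtime_index(inventory)
    ranked = []
    for f in findings:
        where = idx.get(image_digest(f["image"]), [])
        ranked.append({
            "image": f["image"],
            "package": f["package"],
            "severity": f["severity"],
            "running": bool(where),
            "replicas": sum(p["replicas"] for p in where),
            "namespaces": sorted({p["namespace"] for p in where}),
        })
    ranked.sort(key=lambda r: (not r["running"],
                               -SEVERITY_RANK.get(r["severity"], 0),
                               -r["replicas"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(FINDINGS, RUNTIME):
        state = f"running x{r['replicas']} in {','.join(r['namespaces'])}" if r["running"] else "not running"
        print(f"{r['severity']:9} {r['package']:26} {state}")
```

The ordering rule is deliberately simple; in a real program the "running" signal would also carry exposure (is the workload behind an ingress, which service account does it hold), and that is exactly the context the infrastructure team has and the application team does not.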
“I could have all of my software tracked in Anchore Enterprise and I wouldn’t have any insight into this — because it wasn’t my code. It was someone else’s problem. But it’s still my risk.”
—Josh Bressers, VP of Security, Anchore
CI/CD Archaeology: When the Past Comes Back
The most eye-opening demonstration involved scanning a GitHub Actions runner environment—revealing 13,000 vulnerabilities across thousands of packages in a standard build environment.
The technical process showcased how organizations can:
- Generate comprehensive SBOMs of build environments using filesystem scanning
- Maintain historical records of CI/CD dependencies for incident investigation
- Identify potentially compromised build tools (like the TJ Actions backdoor incident)
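The "historical records" and "what changed in the build environment" steps above, as an added example that is not Anchore's code: it keeps one SBOM snapshot per workflow run, as a filesystem scan of the runner would produce, and diffs two of them so that tools that appeared, disappeared or changed version between builds stand out for investigation. It assumes a flat components[] list keyed by purl; the two snapshots and their run ids are constructed sample data.

```python
"""Diff two stored SBOM snapshots of a CI runner to surface what changed.

Added example, not Anchore's code. It assumes each snapshot is the output
of a filesystem scan of the runner, stored per workflow run as a flat
components[] list (name, version, purl). Both snapshots are constructed
sample data; a real store would keep one per build for as long as the
retention policy allows, which is what makes later investigation possible.
"""

RUN_1180 = {
    "run_id": 1180, "captured": "2025-03-10T09:14:00Z",
    "components": [
        {"name": "node", "version": "20.11.0", "purl": "pkg:generic/node@20.11.0"},
        {"name": "git", "version": "2.43.0", "purl": "pkg:deb/ubuntu/git@2.43.0"},
        {"name": "actions-runner", "version": "2.316.0",
         "purl": "pkg:generic/actions-runner@2.316.0"},
        {"name": "python3", "version": "3.12.2", "purl": "pkg:deb/ubuntu/python3@3.12.2"},
    ],
}

RUN_1207 = {
    "run_id": 1207, "captured": "2025-03-17T11:02:00Z",
    "components": [
        {"name": "node", "version": "20.12.0", "purl": "pkg:generic/node@20.12.0"},
        {"name": "git", "version": "2.43.0", "purl": "pkg:deb/ubuntu/git@2.43.0"},
        {"name": "actions-runner", "version": "2.317.0",
         "purl": "pkg:generic/actions-runner@2.317.0"},
        {"name": "terraform", "version": "1.7.4", "purl": "pkg:generic/terraform@1.7.4"},
    ],
}


def index_components(snapshot):
    """Key each component by its purl minus the version, so the same tool
    from the same ecosystem lines up across snapshots even when it was upgraded."""
    by_key = {}
    for comp in snapshot["components"]:
        by_key[comp["purl"].split("@", 1)[0]] = comp
    return by_key


def diff_snapshots(before, after):
    """Return what was added, removed, or changed version between two runs."""
    old, new = index_components(before), index_components(after)
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted(
        (k, old[k]["version"], new[k]["version"])
        for k in old.keys() & new.keys()
        if old[k]["version"] != new[k]["version"]
    )
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    delta = diff_snapshots(RUN_1180, RUN_1207)
    print(f"runner drift between run {RUN_1180['run_id']} and run {RUN_1207['run_id']}:")
    for key in delta["added"]:
        print(f"  + {key}")
    for key in delta["removed"]:
        print(f"  - {key}")
    for key, old_v, new_v in delta["changed"]:
        print(f"  ~ {key}: {old_v} -> {new_v}")
```

Run it against consecutive snapshots and an unexpected "+" line on a hosted runner is the first question to ask; the same diff, run backwards from the date an upstream compromise was disclosed, tells you which of your builds ran on a runner that contained the affected tool.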
“This is literally someone else’s computer building our software, and we might not know what’s in it. That’s why SBOM archaeology matters.”
—Josh Bressers, VP of Security, Anchore
Why SBOMs Are the Strategic Differentiator
Four truths stood out:
- Speed is critical: Minutes, not months, decide outcomes.
- Visibility gaps are real: Runtime and CI/CD are blind spots for most teams.
- History matters: SBOMs are lightweight evidence when past build logs are gone.
- Automation is essential: Manual tracking doesn’t scale to millions of dependencies.
Or as Josh put it:
“Storing images forever is expensive. Storing SBOMs? Easy. They’re just JSON documents—and we’re really good at searching JSON.”
The Bottom Line: Minutes vs. Months
When the next zero-day hits your infrastructure, will you spend five minutes identifying affected systems or five months hunting through manual inventories?
The technical demonstrations in this webinar show exactly how SBOM-driven incident response transforms security operations from reactive firefighting into strategic threat management. This is the difference between organizations that contain breaches and those that make headlines.
Stay ahead of the next disclosure:
- 👉 Watch the full webinar on-demand
- Follow Anchore on LinkedIn and X for zero-day analysis and SBOM best practices.
- Subscribe to our newsletter for exclusive insights into supply chain security, automation, and compliance.
Zero-day vulnerabilities aren’t slowing down. But with SBOM-driven response, your timeline doesn’t have to be measured in months.