Revolutionizing Open-Source Security: Beyond Alert Fatigue with Context-Aware AI

Discover DEPTEX, an innovative, AI-powered platform transforming open-source dependency risk management. Learn how it uses context-aware prioritization and programmable governance to cut alert fatigue and strengthen enterprise security.

      Open-source software (OSS) has become the bedrock of modern digital infrastructure, powering everything from enterprise applications to critical government systems. Its widespread adoption brings undeniable benefits, accelerating development cycles and fostering innovation. However, this reliance also introduces significant and complex systemic risks, including vulnerabilities, potential malicious compromises, and intricate license compliance issues. Managing these risks effectively, especially at scale within large organizations, presents a formidable challenge that traditional security tools often struggle to address.

The Limitations of Traditional Security Tools

      The industry has long depended on tools like Software Composition Analysis (SCA) and advanced reachability analyzers to identify flaws within open-source dependencies. While these tools are effective at providing component-level insights—such as a vulnerability's base severity or whether a piece of code is technically "reachable"—they critically fall short in one key area: organizational context. For instance, a vulnerability that is technically reachable through an obscure, internal offline script might be flagged with the same urgency as one exposed via a public-facing, unauthenticated API. This lack of contextual differentiation leads to a pervasive problem known as "alert fatigue," where security teams are overwhelmed by a flood of alerts, many of which are technically valid but operationally benign. Consequently, critical alerts can get lost in the noise, diverting valuable engineering resources and slowing down remediation efforts.

      Furthermore, enterprise governance is rarely a simple matter of a blanket "allow" or "deny" policy. Organizations operate under unique, bespoke constraints; a package that's acceptable in one context might require extensive legal review if it touches sensitive payment gateways or classified data. Traditional security platforms, with their rigid, checkbox-based compliance frameworks, compel organizations to invest heavily in building custom "wrapper" tools. These internal solutions are designed merely to filter noise and align alerts with their specific operational structure, creating inefficiency and decentralizing security posture. These systemic failures—organizational blind spots, reactive awareness, and a significant disconnect between security alerts and business outcomes—highlight the urgent need for a more sophisticated approach.

DEPTEX: An Organization-First Approach to Risk Management

      To address these critical shortcomings, a new paradigm represented by platforms like DEPTEX emerges, advocating for an "organization-first" approach to software supply chain security. This innovative framework posits that supply chain risk is not merely an intrinsic property of a software component but rather an emergent phenomenon. It arises from the intricate interplay between dependencies, the assets they comprise, their owners, and the specific operational environments in which they function. By shifting the focus from isolated component analysis to a holistic, graph-based understanding of an organization's ecosystem, DEPTEX enables a more proactive, efficient, and strategically aligned risk management strategy.

Programmable Governance: Security "As Code"

      One of the cornerstone contributions of this new approach is the concept of "Programmable Governance," essentially Security "As Code." Unlike legacy Application Security Posture Management (ASPM) tools that rely on static Role-Based Access Control (RBAC) and binary compliance states, DEPTEX flips this model. It introduces an extensible, declarative engine that allows security teams to codify their unique compliance requirements directly into the platform. This means enterprises can natively integrate bespoke external APIs, define highly specific dependency constraints (e.g., only specific licenses for payment-related code), and enforce dynamic pull request (PR) policies.

      This programmable approach empowers organizations to move beyond rigid, one-size-fits-all rules. For example, a company might define a policy that automatically flags or blocks a PR if it introduces a new dependency with a known critical vulnerability into a public-facing service. Similarly, different departments or "units" can have tailored security policies that reflect their specific risk profiles and compliance obligations. This flexibility streamlines security operations, making compliance an integrated, proactive part of the development lifecycle rather than a reactive bottleneck. Platforms that embrace customization and deep integration, much like how ARSA Technology delivers Custom AI Solutions tailored to unique enterprise needs, are critical for this level of sophisticated governance.

Context-Aware Prioritization with Execution Path Dominance (EPD)

      Another pivotal innovation in this new security landscape is "Context-Aware Prioritization," exemplified by a "Depscore" system that utilizes Execution Path Dominance (EPD). This sophisticated algorithm moves beyond simple binary reachability—the "true/false" signal of whether a vulnerability can be theoretically called. Instead, EPD fuses Code Property Graph (CPG) slicing with Large Language Model (LLM) semantic verification to determine a vulnerability's true operational blast radius.

  • Code Property Graph (CPG) Slicing: Imagine your software as a vast network where every line of code, every function, and every variable is a node, and the relationships between them are edges. CPG slicing allows a system to trace the actual execution paths that a program can take. Instead of just knowing a vulnerable function exists in a dependency, CPG slicing can tell you if a user-facing input can actually trigger that specific vulnerable function in your deployed application.
  • Large Language Model (LLM) Semantic Verification: While CPG slicing provides structural analysis, LLMs bring semantic understanding. They can analyze the meaning and context of how a vulnerable component is used within your code. An LLM might determine that even if a path to a vulnerable function exists, the way your code calls it mitigates the risk, or that the function is used in a non-sensitive, sandboxed environment.

      By combining these two powerful techniques, EPD provides a nuanced understanding of risk. It calculates a vulnerability's true operational impact, drastically reducing false-positive urgency and allowing security teams to focus remediation efforts on the threats that genuinely matter to their organization. This kind of advanced, context-aware analysis mirrors the precision that ARSA achieves with its AI Video Analytics, where raw video feeds are transformed into highly specific, actionable intelligence based on real-world context.

Modeling Supply Chain Risk with Graph Abstraction

      To operationalize this context-aware approach, supply chain information is often modeled as a typed property graph. This graph abstraction represents the entire enterprise ecosystem:

  • Nodes: Represent key entities such as Organizations (the top-level entity), Units (departments or teams within the organization), Assets (deployable software components), Components (open-source dependencies), Actors (maintainers), and Risk Signals (observed vulnerabilities).
  • Edges: Map the operational realities, showing relationships like "Org contains Unit," "Unit owns Asset," and "Asset depends_on Comp." Vulnerabilities are linked as "Signal affects Comp."


This graph model enforces structural integrity constraints. For example, if an asset lacks an owner, it is immediately flagged as a "governance risk gap." The model then defines a "topological blast radius" by identifying all affected assets and units linked to a specific risk signal. Crucially, a component-level signal does not directly translate into actionable organizational risk. Instead, risk is contextualized through a monotone function (one in which increasing any input factor never lowers the resulting risk) of the vulnerability's severity, confidence, directness, scope, exposure, the criticality of the affected asset, and any identified ownership gaps. This contextual risk is then aggregated upwards to the team (Unit) and enterprise (Org) levels, producing a prioritized, organization-first ranking of risks. This in turn enables actionable governance metrics such as overall organizational exposure and cross-team coordination overhead.
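The graph model and risk roll-up described above, together with the PR policy from the Programmable Governance section, as an added Python illustration (not DEPTEX's own code): node and edge tables, the ownership-gap integrity check, topological blast radius, a monotone contextual-risk function, per-unit and org-wide aggregation, and a security-as-code rule that blocks a known-critical component from entering a public-facing asset. The factor weights, the omission of the "scope" factor, and the sample organization are constructed assumptions.

```python
from dataclasses import dataclass, field

EXPOSURE = {"public": 1.0, "internal": 0.4, "offline": 0.1}  # constructed weights

@dataclass
class Graph:  # typed property graph: node tables keyed by id, edge tables as tuples
    assets: dict = field(default_factory=dict)    # asset -> (exposure, criticality 0..1)
    owns: set = field(default_factory=set)        # (unit, asset)
    depends_on: set = field(default_factory=set)  # (asset, component, direct?)
    signals: dict = field(default_factory=dict)   # signal -> (component, severity 0..10, confidence 0..1)

def ownership_gaps(g):  # integrity check: every asset must be owned by some unit
    owned = {a for _, a in g.owns}
    return sorted(a for a in g.assets if a not in owned)

def blast_radius(g, signal):  # topological blast radius: assets and units behind a signal
    comp = g.signals[signal][0]
    assets = {a for a, c, _ in g.depends_on if c == comp}
    return assets, {u for u, a in g.owns if a in assets}

def contextual_risk(g, signal, asset):  # monotone: raising any factor never lowers the score
    comp, severity, confidence = g.signals[signal]
    exposure, criticality = g.assets[asset]
    direct = any(a == asset and c == comp and d for a, c, d in g.depends_on)
    gap = 1.5 if asset in ownership_gaps(g) else 1.0  # unowned assets are a governance gap
    return (severity * confidence * (1.0 if direct else 0.6)
            * EXPOSURE[exposure] * criticality * gap)

def rollup(g):  # aggregate contextual risk per unit (ranked), then the org-wide total
    unit_risk = {}
    for signal in g.signals:
        for u, a in g.owns:
            if a in blast_radius(g, signal)[0]:
                unit_risk[u] = unit_risk.get(u, 0.0) + contextual_risk(g, signal, a)
    ranked = dict(sorted(unit_risk.items(), key=lambda kv: -kv[1]))
    return ranked, sum(unit_risk.values())

def pr_policy_blocks(g, asset, new_component, min_severity=9.0):
    # security-as-code PR rule: no known-critical component may enter a public asset
    exposure, _ = g.assets[asset]
    critical = any(c == new_component and s >= min_severity for c, s, _ in g.signals.values())
    return exposure == "public" and critical

# Constructed sample: one vulnerable component reached by a public API, an offline job, and an unowned asset.
G = Graph(
    assets={"api": ("public", 1.0), "batch": ("offline", 0.5), "orphan": ("internal", 0.8)},
    owns={("payments", "api"), ("data", "batch")},
    depends_on={("api", "lib-x", True), ("batch", "lib-x", False), ("orphan", "lib-x", True)},
    signals={"SIG-1": ("lib-x", 9.8, 0.9)},
)
```

The same signal scores 8.82 on the public API but about 0.26 on the offline job, which is the differentiation the component-level view lacks.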

Practical Implications for Enterprise Cybersecurity

      The implementation of such an organization-first, context-aware platform offers profound benefits for global enterprises:

  • Reduced Alert Fatigue and Optimized Resources: By filtering out operationally benign alerts, engineering teams can focus their efforts on critical, high-impact vulnerabilities, improving developer productivity and morale. This leads to a significant reduction in wasted time and resources.
  • Proactive Risk Management: Instead of reacting to external disclosures or post-scan results, the "Security As Code" approach integrates risk monitoring directly into the continuous integration (PR) process, intercepting risks before they enter production.
  • Enhanced Compliance and Data Sovereignty: Programmable governance allows organizations to enforce bespoke compliance rules natively, ensuring adherence to specific regulatory standards (e.g., GDPR, HIPAA) by precisely controlling how dependencies are used and data is managed. For instance, solutions offered by ARSA Technology are often deployed fully on-premise, providing complete data control for sensitive environments, a testament to being experienced since 2018 in delivering robust enterprise solutions.
  • Strategic Stakeholder Alignment: By providing an organization-first view of risk, complete with prioritized rankings and contextual details, security leaders, engineering managers, and compliance officers can make coordinated, data-driven decisions that align with business objectives.

      In essence, these advancements transform open-source security from a reactive, compliance-driven chore into a strategic advantage. By leveraging sophisticated AI and graph-based models, enterprises can gain unprecedented visibility and control over their software supply chain, protecting their digital assets more effectively and building resilience in an increasingly interconnected world.

      To learn more about how advanced AI and IoT solutions can fortify your enterprise operations and help manage complex risks, we invite you to contact ARSA for a free consultation.

      **Source:** Ruckman-Utting, H., Nedungadi, V., Okuma, T., Wang, L., Ehebald, S., & Tayebi, M. A. (2026). DEPTEX: Organization-First, Open Source Dependency Risk Monitoring. arXiv preprint arXiv:2605.00179. https://arxiv.org/abs/2605.00179