SWFT & ATOs: Why SBOM Validation Needs Binary Analysis
The U.S. Department of Defense (DoD) is overhauling its Authorization to Operate (ATO) process with the new Software Fast Track (SWFT) framework, shifting from static, point-in-time approvals to continuous, data-driven risk evaluation.
SWFT isn't just about speed: it calls for full Software Bill of Materials (SBOM) transparency, encourages third-party validation, and layers in automated analysis to ensure every change is assessed in near real time. That means SBOMs must be accurate and refreshed, and they must reflect what’s actually deployed, something most source-code-based tools can’t guarantee.
At the heart of SWFT is a new model of trust and validation. The DoD’s recent RFI on “SWFT Automation & Artificial Intelligence” asks how large-language models and machine learning might help process submissions, but the real value lies in analyzing what's running, not just what was written. That's where binary code analysis (BCA) becomes essential, verifying compiled software artifacts, including firmware, to surface risks and satisfy SWFT's transparency goals.
To understand how this shift impacts software vendors and integrators, let’s take a deeper look at the key components of the SWFT initiative and explore how solutions like NetRise are positioned to meet these emerging requirements.
DoD’s Evolving ATO Model: Automation, Transparency, and SBOMs
The DoD is rolling out a new model called SWFT. Based on the Air Force’s earlier “Fast Track ATO” process, SWFT isn’t just a faster path; it reimagines how the DoD evaluates risk.
As Acting Pentagon Chief Information Officer Katie Arrington explained at a recent AFCEA DC event:
“Provide me your SBOM for both your sandbox and production [environments], along with a third-party SBOM. I will have AI tools on the back end to review the data instead of waiting for a human. If all of it passes the right requirements: Provisional ATO.”
This signals a major pivot from manual review to machine-speed risk assessment, paving the way for faster, more secure software approvals. However, the requirements for ATOs are also evolving.
SWFT’s RFI-Driven Requirements
In May 2025, the DoD released a Request for Information (RFI) outlining six areas it will use to assess and expedite software:
- Secure Software Development & Supply Chain Security
- NIST 800-218 SSDF alignment
- SBOM completeness and format
- Risk assessment artifacts and automation
- Secure artifact exchange
- Automated accelerated software verification
By structuring SWFT around these domains, the DoD signals a move from checkbox compliance to data-driven, continuous assurance.
Key Changes Under SWFT
SWFT introduces significant updates to the Authorization to Operate (ATO) process, emphasizing automation, transparency, and continuous assessment:
- Third-party validation of each SBOM to ensure accuracy and integrity
- AI-powered analysis through tools inside the DoD’s Enterprise Mission Assurance Support Service (eMASS)
- Provisional ATOs issued automatically when all requirements are met
- SBOMs required for both sandbox and production environments
Important: The SBOMs needed for SWFT won't be one-off snapshots. SWFT will demand refreshed SBOMs whenever a component changes, posing scale and version-management hurdles given the DoD’s tens of thousands of products and variant deployments.
Artifact & Information Sharing
The SWFT RFI also probes how vendors can securely and efficiently share sensitive artifacts like penetration test reports and vulnerability assessments with the DoD, without creating new bottlenecks. Ensuring timely, automated ingestion of these data feeds is critical to preventing the same delays SWFT aims to eliminate.
Why Hardware Must Follow the Same Model
Most SBOM tools focus on application-layer components, leaving binary-level risks, especially in firmware, invisible. That’s a problem in devices like rugged laptops, SATCOM terminals, and military sensors: without source-level visibility, vulnerabilities (especially those in third-party dependencies), misconfigurations, and hard-coded secrets can remain hidden.
NetRise closes this gap with binary code analysis that uncovers those risks and generates complete, accurate SBOMs, meeting the DoD’s push for transparency and automation under the SWFT model.
The Risk:
Validating only SBOMs produced by source-code software composition analysis means vulnerabilities present in the compiled software can go undetected, because such an SBOM describes what was written rather than what was built and shipped. Traditional SBOM tools rely on source code or package manifests, while NetRise uses binary code analysis to extract full software inventories directly from compiled code, delivering the deeper visibility and third-party validation the DoD's new SWFT model now requires.
Shift Right for Greater Assurance
Traditional security practices focus heavily on scanning source code during development. But in many DoD procurement and deployment scenarios, source code isn’t available. That’s where Shift Right, analyzing compiled software post-build, becomes important.
NetRise enables Shift Right security by analyzing binaries directly, ensuring that the final, deployed artifacts meet security, compliance, and SBOM requirements. This "trust but verify" approach aligns with the DoD’s new focus on third-party validation and AI-powered continuous monitoring under SWFT.
Automated, Accelerated Verification
The final SWFT RFI question zeroes in on tooling that can support automated accelerated software verification. In practice, this means integrating CI/CD pipelines, SBOM ingestion, vulnerability feeds (beyond CVEs), and AI-based scoring into a unified workflow that issues provisional ATOs in hours, not months.
The Opportunity:
NetRise helps you extend SWFT-style controls to every device you procure, closing a critical visibility gap and accelerating secure acquisition. Traditional SBOM tools often focus on source-code components, but they can overlook critical compiled, binary code, where hidden vulnerabilities may reside.
With NetRise, you gain the visibility needed to generate comprehensive, accurate SBOMs, powered by deep binary analysis. Our platform inspects every layer, from firmware to application, ensuring even opaque or undocumented components are fully accounted for. This enables you to meet SBOM transparency requirements across your entire technology stack with confidence.
By detecting risks at the device level and leveraging AI-powered risk analysis, NetRise ensures you're not only meeting DoD requirements but also addressing potential vulnerabilities that may be missed by traditional SBOM tools.
How NetRise Supports Fast, Verifiable ATOs for Software and Hardware
1. Accurate SBOMs Without Source Code
NetRise creates accurate SBOMs without access to source code, so you can meet DoD transparency requirements across all environments. By analyzing compiled binaries rather than relying on developer-provided manifests, NetRise delivers a more complete and verifiable view of your technology stack.
2. Third-Party SBOM Validation
As an independent solution provider, NetRise enables SBOM validation aligned with emerging federal and DoD expectations, leveraging cryptographic hashing, deep binary analysis, and full component transparency to strengthen supply chain assurance.
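The "third-party validation" and "cryptographic hashing" mentioned above, and the point made earlier that an SBOM must reflect what is actually deployed rather than what was written, come down to one concrete check: for every component the SBOM declares, does the file on the device hash to the value the SBOM claims, and does anything on the device lack an SBOM entry at all? The script below is an added illustration written for this article; it is not NetRise's code or the SWFT tooling. It assumes a CycloneDX-style SBOM in which each component carries a SHA-256 in `hashes` and records its on-device location in a custom `deployed:path` property (an assumption; real SBOMs encode location in various ways), and it builds a small constructed image tree in a temporary directory so it runs offline.

```python
# Added example: validate a CycloneDX-style SBOM against the binaries that are
# actually deployed, flagging stale hashes, missing files and undocumented files.
import hashlib
import os
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_artifacts(root: str) -> dict:
    """Hash every regular file below root, keyed by forward-slash relative path."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = sha256_file(full)
    return found


def component_path(comp: dict):
    # Assumption: the SBOM records where each component lands on the device in a
    # custom property named "deployed:path"; real SBOMs encode location differently.
    for prop in comp.get("properties", []):
        if prop.get("name") == "deployed:path":
            return prop.get("value")
    return None


def validate_sbom(sbom: dict, deployed: dict) -> dict:
    """Compare each component's declared SHA-256 with the hash of the file on disk.

    verified:     hash matches, the SBOM reflects what is deployed
    mismatched:   file present but hash differs, the SBOM is stale or the file changed
    missing:      SBOM lists a component that is not on the device (or has no hash/path)
    undocumented: file on the device that no SBOM component accounts for
    """
    result = {"verified": [], "mismatched": [], "missing": [], "undocumented": []}
    declared_paths = set()
    for comp in sbom.get("components", []):
        name = f"{comp.get('name')}@{comp.get('version', '?')}"
        path = component_path(comp)
        hashes = {h.get("alg"): h.get("content", "").lower() for h in comp.get("hashes", [])}
        if path is None or "SHA-256" not in hashes:
            result["missing"].append(name)  # cannot be verified: treat as unaccounted for
            continue
        declared_paths.add(path)
        actual = deployed.get(path)
        if actual is None:
            result["missing"].append(name)
        elif actual != hashes["SHA-256"]:
            result["mismatched"].append(name)
        else:
            result["verified"].append(name)
    result["undocumented"] = sorted(p for p in deployed if p not in declared_paths)
    for key in ("verified", "mismatched", "missing"):
        result[key].sort()
    return result


def run_demo() -> dict:
    """Constructed scenario: a vendor-supplied SBOM checked against a deployed image tree."""
    root = tempfile.mkdtemp(prefix="swft-sbom-")
    files = {  # constructed file contents standing in for real binaries
        "usr/lib/libfoo.so.1.2.3": b"libfoo 1.2.3 build output",
        "usr/lib/libbar.so.2.0.0": b"libbar 2.0.0 build output",  # rebuilt since the SBOM was cut
        "firmware/bootloader.bin": b"vendor bootloader blob",      # never listed in the SBOM
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    def comp(name, version, path, content):
        return {
            "type": "library", "name": name, "version": version,
            "hashes": [{"alg": "SHA-256", "content": sha256_bytes(content)}],
            "properties": [{"name": "deployed:path", "value": path}],
        }

    sbom = {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            comp("libfoo", "1.2.3", "usr/lib/libfoo.so.1.2.3", files["usr/lib/libfoo.so.1.2.3"]),
            comp("libbar", "2.0.0", "usr/lib/libbar.so.2.0.0", b"libbar 1.9.0 build output"),
            comp("libbaz", "0.9.0", "usr/lib/libbaz.so.0.9.0", b"libbaz 0.9.0 build output"),
        ],
    }
    return validate_sbom(sbom, inventory_artifacts(root))


if __name__ == "__main__":
    for status, items in run_demo().items():
        print(f"{status:12s} {items}")
```

The four buckets map directly onto the SWFT concerns in this article: `mismatched` is the stale-SBOM problem that refreshing on every component change is meant to prevent, `missing` and `undocumented` are the gaps a manifest-driven SBOM leaves when it is never reconciled with the shipped image, and only `verified` entries are ones a third party can actually vouch for. A real validator would additionally identify what the undocumented files are (a firmware blob with no SBOM entry is exactly the case the next sections describe) rather than just listing their paths.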
3. AI-Powered Risk Analysis
Our platform uses machine learning to uncover vulnerabilities, hardcoded secrets, misconfigurations, and outdated components hidden in compiled code.
4. Unified Visibility and Compliance Reporting
Track risk, control status, and SBOM health across devices via a single dashboard, mapped to industry standards and open-source license requirements.
Stay Ahead of Evolving DoD Acquisition Requirements:
The new SWFT model shows that SBOMs are no longer optional; they’re foundational. And the need for visibility doesn’t stop at the application layer.
With NetRise, you can secure every layer of your technology stack while keeping pace with emerging DoD and federal cybersecurity requirements.
Our unique binary code analysis empowers you to Shift Right: validating compiled software artifacts, not just source code, so that the software actually delivered matches security expectations. By providing full, independent third-party validation, NetRise helps you meet SWFT’s transparency and risk evaluation standards with confidence.
👉 Get in touch to see how NetRise can help you modernize your ATO strategy and meet SWFT program requirements faster, with greater assurance and fewer blind spots.