Zebra initially integrated SCA tooling directly into developer pull requests to catch vulnerabilities early. But it quickly became clear that surfacing every alert, regardless of reachability or impact, created major issues:

• Alert Volume Management: Flagging all findings without factoring in exploitability or context created unnecessary noise, limiting actionable insights.
• Risk Clarity Challenges: The absence of contextual prioritization made it difficult for teams to effectively communicate relevant risk levels across leadership channels.
• Developer Experience Impact: The volume and perceived severity of issues led to friction and diluted focus on higher-impact vulnerabilities.
• Remediation Timing: Findings identified later in the cycle introduced delays and required significantly more effort to resolve than those caught earlier.
  

These observations informed a shift toward a more developer-aligned, risk-informed approach—designed to improve prioritization, streamline workflows, and enhance secure development practices at scale.

Zebra’s security team ran a competitive evaluation to find an SCA platform that could deliver on three core goals:

• Improve Risk Accuracy: Prioritize vulnerabilities based on real usage and reachability—highlighting what matters most.
• Empower Developers: Reduce alert fatigue, provide context-aware remediation guidance, and integrate seamlessly into existing workflows.
• Support Compliance: Automate SBOM and VEX generation,and ingest third-party SBOMs for supply chain visibility.

Why Endor Labs Won

• Reachability-Based Prioritization: Endor Labs showed which vulnerabilities were actually exploitable in Zebra’s code, reducing false positives dramatically.‍
• Developer-First Experience: Designed for modern workflows with intuitive APIs, IDE plugins, and actionable reporting.‍
• Clearer Risk Visibility: Enabled business unit leads to confidently report on their real risk—improving reporting to senior leadership and accelerating secure decision-making.