diff --git a/doc/user/application_security/dependency_scanning/static_reachability.md b/doc/user/application_security/dependency_scanning/static_reachability.md index 35e5e784ddc30c27aa86db4e51223068f8eb3f4f..0300c342132fb1c73935bdcb81c6da772e4f4e98 100644 --- a/doc/user/application_security/dependency_scanning/static_reachability.md +++ b/doc/user/application_security/dependency_scanning/static_reachability.md @@ -109,9 +109,7 @@ Yes : The package linked to this vulnerability is confirmed reachable in code. Not Found -: SRA ran successfully but did not detect usage of the vulnerable package. If a vulnerable -dependency's reachability value is shown as **Not Found**, exercise caution rather than completely -dismissing it, as SRA cannot always definitively determine package usage. +: SRA ran successfully but did not detect usage of the vulnerable package. Not Available : SRA was not executed, so no reachability data exists. @@ -119,6 +117,15 @@ Not Available When a direct dependency is marked as in use, all its transitive dependencies are also marked as in use. +## Not Found reachability value + +- If a vulnerable dependency's reachability value is shown as **Not Found**, exercise caution rather than completely + dismissing it, as SRA cannot always definitively determine package usage. +- Dependencies in excluded directories might appear in the SBOM but be marked as **Not Found**. This occurs when lock files + are in scope of dependency scanning but the source code that uses those dependencies is excluded. For example, you configure the + CI/CD variable `DS_EXCLUDED_PATHS` to exclude the directory `tests/` from dependency scanning. All dependencies identified from + the lock file are listed in the SBOM, but SRA does not scan source code in excluded paths. + ## Supported languages and package managers Static reachability analysis is available for Python, JavaScript, TypeScript, and Java projects.
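Review bot: In the first hunk, the `Not Found` definition loses its caution sentence but gains no pointer to where that guidance now lives, so a reader who only consults the reachability-value list will take "did not detect usage" as definitive. Suggest appending a cross-reference to the definition, for example `: SRA ran successfully but did not detect usage of the vulnerable package. For caveats, see [Not Found reachability value](#not-found-reachability-value).`, so the moved caveat stays discoverable from the place readers actually look it up.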
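Review bot: In the second hunk, the sentence "Dependencies in excluded directories might appear in the SBOM but be marked as **Not Found**" misplaces the cause: the dependencies come from a lock file that is in scope, and it is the source code that calls them that sits in the excluded directory, as the next sentence itself explains. Suggest rewording the lead sentence to "Dependencies used only by source code in excluded directories might appear in the SBOM but be marked as **Not Found**.", and closing the `DS_EXCLUDED_PATHS` example with the concrete consequence, for example "A package that is imported only by code under `tests/` is therefore reported as **Not Found** even though it is listed in the SBOM.", so the reader knows which findings this caveat applies to rather than having to infer it.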