Six steps, browser-local
Upload an SBOM and get OSV-backed CVEs, per-role reports, and exports. The free tier works without an account.
Get an SBOM
No file yet? The usual routes:
- Build — generate CycloneDX or SPDX from your repo or CI pipeline (e.g. Maven, npm, container images).
- Request — from your software vendor.
- Explore — sample reports or app samples.
More detail: FAQ
Upload your SBOM
CycloneDX, SPDX, or SWID (JSON or XML). Analysis stays in your browser. Need a file? See Get an SBOM.
Live vulnerability scan
Each component is queried against OSV.dev in real time; nothing is served from a cache.
Aggregate risk signals
Vulnerability counts and heuristics roll up into portfolio-style views. Figures are indicative, not actuarial or certification-grade.
Compliance assessment
Tool-assisted mapping to the NTIA minimum elements (EO 14028), NIST SP 800-161, and ISO 27001:2022. Reported gaps are indicators; validate them in your own program.
Strategic intelligence
Per-component risk flags, plus executive and stakeholder narrative text generated from the run.
Export and act
PDF, HTML, JSON, CSV, or Excel—pick the format for each audience.
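The core of steps 2 through 4, stripped of the UI, as an added example that is not the tool's own code: pull package URLs (purls) out of a CycloneDX or SPDX JSON SBOM (XML and SWID are not handled here), build OSV.dev querybatch requests, pair the answers back with the components, and roll them up. The SBOM and the OSV response at the bottom are constructed so the block runs offline; the batch size cap is an assumption to check against OSV's current documentation.

```javascript
// Added example (not the tool's own code): purls from a CycloneDX/SPDX JSON
// SBOM -> OSV.dev querybatch -> per-component matches -> portfolio roll-up.
const OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch";
const OSV_VULN_URL = "https://api.osv.dev/v1/vulns/";
// Assumed per-request cap on batch queries; confirm against OSV's current docs.
const OSV_BATCH_LIMIT = 1000;

// Collect purls from either format; components without one cannot be matched.
function extractPurls(sbom) {
  const purls = [];
  const unmatched = [];
  if (sbom.bomFormat === "CycloneDX") {
    for (const c of sbom.components ?? []) {
      if (c.purl) purls.push(c.purl);
      else unmatched.push(`${c.name}@${c.version ?? "?"}`);
    }
  } else if (typeof sbom.spdxVersion === "string") {
    for (const p of sbom.packages ?? []) {
      const ref = (p.externalRefs ?? []).find((r) => r.referenceType === "purl");
      if (ref) purls.push(ref.referenceLocator);
      else unmatched.push(`${p.name}@${p.versionInfo ?? "?"}`);
    }
  } else {
    throw new Error("Unsupported SBOM: expected CycloneDX or SPDX JSON");
  }
  return { purls, unmatched };
}

// One query per purl, chunked into bodies for POST /v1/querybatch.
function buildQueryBatches(purls, limit = OSV_BATCH_LIMIT) {
  const batches = [];
  for (let i = 0; i < purls.length; i += limit) {
    batches.push({
      queries: purls.slice(i, i + limit).map((purl) => ({ package: { purl } })),
    });
  }
  return batches;
}

// querybatch answers in query order; each vuln carries only id and modified,
// so severity/CVSS vectors need a follow-up GET /v1/vulns/{id}.
function matchResults(purls, response) {
  const results = response.results ?? [];
  if (results.length !== purls.length) {
    throw new Error(`OSV returned ${results.length} results for ${purls.length} queries`);
  }
  return purls.map((purl, i) => ({
    purl,
    vulnIds: (results[i].vulns ?? []).map((v) => v.id),
  }));
}

// Portfolio-style roll-up: counts only, no severity is known at this stage.
function summarize(matches, unmatched) {
  const advisories = new Set(matches.flatMap((m) => m.vulnIds));
  return {
    components: matches.length + unmatched.length,
    affected: matches.filter((m) => m.vulnIds.length > 0).length,
    unmatched: unmatched.length,
    advisories: advisories.size,
  };
}

// Live browser path: one POST per batch, then one GET per distinct advisory.
async function scanSbom(sbom, fetchFn = globalThis.fetch) {
  const { purls, unmatched } = extractPurls(sbom);
  const matches = [];
  for (const body of buildQueryBatches(purls)) {
    const res = await fetchFn(OSV_QUERYBATCH_URL, {
      method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`OSV querybatch HTTP ${res.status}`);
    const chunk = body.queries.map((q) => q.package.purl);
    matches.push(...matchResults(chunk, await res.json()));
  }
  const details = {};
  for (const id of new Set(matches.flatMap((m) => m.vulnIds))) {
    const res = await fetchFn(OSV_VULN_URL + id);
    if (res.ok) details[id] = await res.json();
  }
  return { matches, unmatched, summary: summarize(matches, unmatched), details };
}

// Constructed sample SBOM and OSV response (not real data): one affected
// component, one clean, one with no purl.
const SAMPLE_SBOM = {
  bomFormat: "CycloneDX", specVersion: "1.5",
  components: [
    { type: "library", name: "lib-a", version: "1.0.0", purl: "pkg:npm/lib-a@1.0.0" },
    { type: "library", name: "lib-b", version: "2.0.0", purl: "pkg:npm/lib-b@2.0.0" },
    { type: "library", name: "internal-lib", version: "0.1.0" },
  ],
};
const SAMPLE_OSV_RESPONSE = {
  results: [{ vulns: [{ id: "EXAMPLE-0001", modified: "2024-01-01T00:00:00Z" }] }, {}],
};

// Offline walk-through of steps 2-4 on the constructed data.
function demo() {
  const { purls, unmatched } = extractPurls(SAMPLE_SBOM);
  return summarize(matchResults(purls, SAMPLE_OSV_RESPONSE), unmatched);
}
```

Two things worth knowing before trusting the roll-up: a component with no purl never reaches OSV, so it shows up as unmatched rather than clean, and the batch endpoint returns only advisory ids. Anything severity-related, including the CVSS vector strings in OSV records, comes from the per-id fetch, and a numeric base score still has to be computed from that vector.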
What you get
Outputs matched to each role, from board to engineering.
For security teams
- CVSS v3 scores per component
- OSV.dev live CVEs — not cached
- Ransomware + supply chain risk
- Batch analysis (up to 10 files)
For compliance officers
- NTIA EO 14028 compliance
- NIST SP 800-161 mapping
- ISO 27001:2022 gap analysis
- Audit-ready evidence export
For executives
- Executive summary with key findings
- Board-ready PDF export
- Stakeholder narratives auto-generated per audience
Know where your software stands?
Take the free diagnostic — 15 questions, instant results, personalized recommendations.