Vendor Directory

Explore application security and software supply chain vendors.

Editor Verified

Advanced Installer

Craft Installers That Define User Experience

Advanced Installer is a Windows installer authoring tool for installing, updating, and configuring products. The site positions the product for developers, ISVs and enterprises and highlights MSI authoring, Installer Analytics and tiered feature sets (Enterprise, Professional, Freeware). Content on the site covers Software Bill of Materials (SBOM) topics and notes that Advanced Installer “uses the Microsoft SBOM tool” to handle SBOMs from container images and filesystems. The product site also references an Application Packaging Academy and feature exploration pages. Descriptions and feature lists on the site indicate a vendor software offering focused on installer packaging with published guidance on SBOM integration.

SBOM Management

42Crunch

Secure APIs from design to deployment

42Crunch is the leading API Security platform that automates the testing, fixing, and protection of APIs throughout their development lifecycle. It enables enterprises to enforce API security compliance across distributed teams, providing tools for API semantic validation and data definition. The platform continuously monitors security compliance across IDE, CI/CD, and runtime, allowing teams to collaboratively manage API governance. 42Crunch empowers developers with automated tools that reduce false positives and streamline security processes, ensuring APIs are secure from design through to production. It integrates with popular development tools and can be deployed on any container orchestrator.

API Security Testing, SBOM Management, CI/CD Security, DAST, ASPM

Finite State

Secure your devices with precision insights

Finite State positions itself as a product cybersecurity platform for connected devices and embedded systems. The platform uncovers vulnerabilities in source code, binaries, and third-party components and consolidates risks into a unified view across a product portfolio. Finite State says it can dissect source code or binaries with precision to reduce false positives and help teams prioritize and fix issues, and it offers CI/CD integrations and automatic PRs for remediation workflows. The company highlights compliance-readiness, the ability to generate reports to meet regulatory compliance requirements, and notes it is SOC 2 Type 2 certified. The site also references recorded demos and access to expertise from former U.S. government officials.

SBOM Management

Integrated Computer Solutions, Inc. (ICS)

Guarding Innovation, Securing Tomorrow's Technology

ICS - Integrated Computer Solutions provides software development and cybersecurity services for regulated and mission-critical markets. The record references a developer tool and product named SBOMGuard for Software Bill of Materials (SBOM) and SBOM Vulnerability Management, with language such as “Safeguard Your Medical Devices” and “Identify Known Vulnerabilities.” ICS describes cyber experts who help safeguard software powering connected medical, industrial and consumer devices, and offers full-lifecycle product development, cloud and web solutions, and UX-driven custom cross-platform software. The company positions these capabilities for regulated markets and medtech innovators seeking device design and software safety support.

SBOM Management

JFrog

Unifying governance for secure software delivery

JFrog provides software supply chain solutions that empower organizations to manage, secure, and govern their AI and software assets from a single platform. It enables users to break down software delivery silos with a centralized system of record. JFrog's solutions facilitate evidence collection for attestation and ensure software integrity and compliance through evidence-based controls and contextualized insights. Its centralized governance model enhances security over every AI workload, catering to over 80% of the Fortune 100. These features are crucial for organizations aiming to maintain compliance and security across their software supply chains.

SBOM Management

ONEKEY

Master Your SBOM with Confidence and Clarity

Effortless Product Cybersecurity & Compliance provides an all-in-one platform designed for manufacturers and operators to manage the Software Bill Of Materials (SBOM). Their tool allows users to generate, enrich, and monitor SBOMs from binaries, ensuring compliance and mitigating risks throughout the product lifecycle. The platform enables detailed oversight of what's in the code, functioning without the need for source code or network access. With capabilities that include vulnerability analysis and compliance reporting, ONEKEY streamlines cybersecurity and compliance processes for connected devices.

SBOM Management

Cybeats

Navigate your software supply chain confidently

Cybeats offers SBOM Studio, an enterprise-class solution for managing Software Bill of Materials (SBOM) and enhancing software supply chain security. Organizations can leverage SBOM Studio to understand and track third-party components, ensuring compliance with industry regulations that mandate SBOM sharing. The platform allows users to document software origins and maintain security posture across the software development lifecycle. Cybeats focuses on building trust and transparency across software supply chains and provides insights that can lead to efficient remediation of security risks.

SBOM Management

NetRise

Illuminate Your Software Supply Chain Security

NetRise offers the NetRise Platform for software supply chain security by analyzing compiled code rather than source code. The platform provides visibility into compiled software that runs in devices, apps, operating systems, and critical infrastructure, identifying components in a software build and validating the Software Bill of Materials (SBOM) with a binary-derived inventory of code that actually executes. NetRise emphasizes prioritization — "See Beyond CVEs" and "Prioritize What's Reachable" — to drive remediation and mitigation. The product also supports supplier risk assessment and comparing products for procurement, and enables inspection of third-party code without relying on vendor self-attestations or delayed disclosures.

SBOM Management

SCANOSS

Navigate Open Source with Confidence

SCANOSS is an affordable, open OSS Inventory & Software Intelligence platform designed specifically for DevSecOps and supply chains. It provides actionable insights on open source software licenses and security vulnerabilities associated with undeclared OSS, legacy components, and AI-generated code. This platform enables organizations to manage their software supply chain more effectively, addressing potential security risks and compliance challenges inherent in modern software development practices. SCANOSS supports teams of all sizes, offering customizable pricing options to suit various organizational needs.

SBOM Management

Cloudsmith

Secure your software supply chain effortlessly

Cloudsmith is a fully-managed, enterprise-scale solution for controlling, securing, and distributing software packages and containers. It provides supply chain security software with observability and governance, helping organizations protect their end users by mitigating compliance issues before they reach production systems. With a single, observable home for every package and container, Cloudsmith boosts productivity with global artifact distribution and powerful analytics. Streamline operations and drive innovation with integrated analytics, logging, and audit trail tools, making it the ideal platform for enterprises looking to enhance their software supply chain security.

SBOM Management

Manifest

Illuminate Your Software Supply Chain Insights

Manifest automates Software Bill of Materials (SBOM) generation in SPDX and CycloneDX formats, offering organizations critical visibility into their software supply chain components. This platform addresses significant challenges such as software supply chain attacks, compliance gaps, and insufficient insight into third-party software and AI models. By providing end-to-end visibility, the Manifest Platform helps security and risk teams manage vulnerabilities, mitigate license violations, and ensure compliance across complex software environments. It is designed for enterprise teams in regulated industries, facilitating a secure and transparent software development lifecycle.

SBOM Management

Wind River

Crafting Tomorrow's Embedded Innovations Today

Wind River provides software and platform solutions for mission-critical embedded and edge systems. The record describes a Yocto Project embedded Linux subscription that includes security vulnerability monitoring, long-term maintenance and support, and materials around the software bill of materials (SBOM). Wind River also offers Studio tools to create, build and integrate software for embedded and edge systems, an embedded virtualization platform to run multiple OSes on a single SoC, and a Debian-based enterprise Linux distribution for edge computing. The company describes tooling to automate testing, deploy, orchestrate and update software for embedded devices and to analyze data across networks of distributed devices and servers.

SBOM Management

Lineaje Inc

Secure your software supply chain with confidence

Lineaje offers full-lifecycle software supply chain security, ensuring safety, compliance, and risk management through AI-powered solutions. The platform allows for high-integrity sourcing of open-source packages and images while unifying scanners to provide deeper contextual analysis at every stage of the software development lifecycle. By managing the entire SBOM lifecycle, Lineaje assists organizations in achieving continuous compliance and operational efficiency, especially for those selling to federal government entities. Their agentic AI continuously identifies and mitigates risks, streamlining the process of compliance verification and vendor communication.

SBOM Management

Sonatype

Secure your code, simplify compliance journeys

Sonatype provides solutions for managing and securing open source and third-party components throughout the software development lifecycle (SDLC). Their platform, including Nexus Repository and IQ Server, integrates with various DevSecOps tools and development environments to ensure policy compliance. Features include automated alerts for policy violations, integration with popular CI/CD platforms, and real-time risk intelligence. Sonatype effectively empowers developers by embedding security practices directly into their workflows, enhancing efficiency and compliance management.

SBOM Management

Toradex

Crafting Tomorrow's Embedded Solutions Today

Toradex produces embedded computing hardware and accompanying software for Single Board Computers (SBCs), Computer on Modules (CoM) and System on Modules. The site emphasizes production-ready software, strong integration between hardware and software, and software support including Long Term Supported (LTS) production releases. Product lifecycle states (In Development, Sample Production, Volume Production, Last Time Buy, End-of-Life) and software release cadence are documented. A site page titled "SBOM Reports" and mention of a Hardware Security Module (HSM) appear in the record, indicating published supply-chain or security-related artifacts alongside their hardware and software offerings.

SBOM Management

Timesys is Now Lynx

Secure your embedded software journey

Timesys offers solutions for building, securing, and maintaining embedded Linux, Android, and open-source operating systems. Their services include SBOM Management, Vulnerability Monitoring, and Remediation, specifically tailored for embedded software markets. Additionally, they provide development tools that support SBOM generation. Their team also offers bespoke engineering services, test automation, and remote access infrastructure to enhance client control and security. Timesys focuses on supporting mission-critical applications with a modular approach ensuring security and compliance in software management.

SBOM Management

Chainloop

Centralize, Verify, Secure Your Software Supply Chain

Chainloop is presented as a platform for SDLC governance that centralizes and verifies software supply-chain artifacts. The record states Chainloop unifies security artifacts (SBOMs, signatures, and attestations) into a single, verifiable source of truth and describes a "secure, scalable platform for managing Software Bills of Materials." The product is positioned for platform & DevSecOps (implement control gates, automate risk assessments across the software delivery lifecycle) and for compliance & legal (automate compliance checks, streamline audits, and centralize license compliance management). Messaging highlights alignment of teams across the SDLC and automated decision-making.

SBOM Management

hoop.dev

Automated Security for Seamless Development Workflows

hoop.dev presents an offering described as Automated Access with Data Protection and references HoopAI in the context of AI audit readiness and AI compliance. The site highlights SBOM-related ideas — noting that the SBOM updates on every build and that modern SBOM tools are embedded in the build process. Messaging targets developer security (DevExSec) with a webinar titled “DevExSec - Secure Access that Boosts DevEx,” and offers a whitepaper download. The site includes commercial calls-to-action and pricing language ("Pricing Let's Talk" / "START NOW AND EXPERIENCE THE DIFFERENCE"), indicating a productized, contact-sales offering rather than purely informational content.

SBOM Management

Eracent

Secure your software supply chain confidently

Eracent provides automated SAM and ITAM solutions and a focused SBOM capability. The record describes a "CSMS SBOM Manager™" and "Comprehensive SBOM Management and Analysis" that support software supply chain security, list components in a Software Bill of Materials, and enable quick matching of vulnerabilities (CVEs) to affected software products. Eracent also references foundational data, asset and license management, cybersecurity & risk management, and coordination to support deployment of a NIST CSF 2.0 process. The content frames the offering as tools for application risk, security, obsolescence and licensing risk associated with open source software, and for enabling data sharing with complementary systems.

SBOM Management

Medcrypt

Secure your path to FDA approval

MedCrypt provides FDA-focused medical device cybersecurity products and services for manufacturers preparing regulatory submissions. Their platform offers medical device SBOM vulnerability management with AI-driven risk prioritization, automated compliance reporting, and bulk remediation. They also offer regulatory strategy, penetration testing, threat modeling, PKI and certificate management, and process optimization to prepare for 510(k) or PMA submissions and EU/Health Canada filings. Capabilities listed include integrating and analyzing the software supply chain to identify and mitigate vulnerabilities, encrypting data, device management, incident response, automated cryptographic provisioning, and benchmarking product security posture with risk quantification. The company positions its Guardian & Helm platforms to accelerate FDA readiness and claims zero FDA rejections to date.

SBOM Management
Showing 1-20 of 25 vendors