  # Best Software Bill of Materials (SBOM) Software

  *By [Adam Crivello](https://research.g2.com/insights/author/adam-crivello)*

Software bill of materials (SBOM) solutions generate, ingest, manage, and monitor a machine-readable inventory of the components within software supply chains. The components covered include libraries, packages, modules, associated licenses, and more. Companies and developers use SBOM software to deliver and annotate comprehensive SBOMs for their software's third-party and open source components.

These solutions allow users to comply with government mandates that require the provision of a minimum SBOM. Maintaining and monitoring SBOMs also helps companies perform continuous risk assessments, though vulnerability remediation is not the primary focus of such tools. [Software composition analysis (SCA) tools](https://www.g2.com/categories/software-composition-analysis) scan software supply chains' components and dependencies at the code level to identify and remediate security vulnerabilities, whereas SBOM software automates the standardized presentation of those elements for transparency, observability, and compliance.

To qualify for inclusion in the Software Bill of Materials (SBOM) category, a product must:

- Automatically ingest and generate SBOMs in standard formats like CycloneDX and SPDX
- Continuously monitor and update SBOMs based on component versions, associated licenses, dependencies, and more
- Alert users of non-compliant elements in their software supply chain
- Allow users to annotate SBOMs
- Facilitate compliance with government regulations

## How Many Software Bill of Materials (SBOM) Software Products Does G2 Track?

**Total Products under this Category:** 34

### Category Stats (May 2026)
- **Average Rating**: 4.51/5
- **New Reviews This Quarter**: 1
- **Buyer Segments**: Mid-Market 50% │ Enterprise 50%
- **Top Trending Product**: Socket (+0.039)

*Last updated: May 21, 2026*

  
## How Does G2 Rank Software Bill of Materials (SBOM) Software Products?

**Why You Can Trust G2's Software Rankings:**

- 30 Analysts and Data Experts
- 800+ Authentic Reviews
- 34+ Products
- Unbiased Rankings

G2's software rankings are built on verified user reviews, rigorous moderation, and a consistent research methodology maintained by a team of analysts and data experts. Each product is measured using the same transparent criteria, with no paid placement or vendor influence. While reviews reflect real user experiences, which can be subjective, they offer valuable insight into how software performs in the hands of professionals. Together, these inputs power the G2 Score, a standardized way to compare tools within every category.

  
## Which Software Bill of Materials (SBOM) Software Is Best for Your Use Case?

- **Easiest to Use:** [OX Security](https://www.g2.com/products/ox-security/reviews)
- **Best Free Software:** [OX Security](https://www.g2.com/products/ox-security/reviews)

  

## What Are the Top-Rated Software Bill of Materials (SBOM) Software Products in 2026?
### 1. [OX Security](https://www.g2.com/products/ox-security/reviews)
OX is redefining product security for the AI era. Founded by Neatsun Ziv and Lion Arzi, former Check Point executives, OX is the company behind VibeSec — the first AI-native vibe security platform. Unlike traditional "Shift Left" approaches that collapsed under AI's speed, VibeSec makes software secure by default by preventing risks before they exist. Powered by the OX AI Data Lake and dynamic code-to-runtime context, OX Security delivers:

- Autonomous, embedded security that runs as fast as developers.
- Dynamic risk context that shrinks security backlogs before they spiral.
- Continuous alignment across code, cloud, APIs, and runtime.

With OX, developers focus on building while security runs itself, giving enterprises complete confidence that every release ships secure.

OX Security is the company behind VibeSec, an AI-native autonomous security platform built for the AI development era. Unlike traditional tools that chase vulnerabilities after code is written, VibeSec embeds dynamic security context directly into AI coding environments like Cursor and Copilot. The result: every line of code is secure by default. For the first time, security moves at the speed of AI-driven development, preventing vulnerabilities before they exist, shrinking backlogs with every commit, and making security a seamless part of the development flow.


- **Average Rating:** 4.8/5.0
- **Total Reviews:** 51

**Who Is the Company Behind OX Security?**

- **Seller:** [OX Security](https://www.g2.com/sellers/ox-security)
- **Year Founded:** 2021
- **HQ Location:** New York, USA
- **LinkedIn® Page:** https://www.linkedin.com/company/ox-security/ (184 employees on LinkedIn®)

**Who Uses This Product?**
  - **Who Uses This:** Security Engineer
  - **Top Industries:** Financial Services, Information Technology and Services
  - **Company Size:** 63% Mid-Market, 25% Enterprise


#### What Are OX Security's Pros and Cons?

**Pros:**

- Features (27 reviews)
- Ease of Use (23 reviews)
- Customer Support (22 reviews)
- Integration Support (22 reviews)
- Security (22 reviews)

**Cons:**

- Integration Issues (8 reviews)
- Missing Features (8 reviews)
- Complexity (5 reviews)
- Inadequate Reporting (5 reviews)
- Limited Cloud Integration (5 reviews)

### 2. [Cybeats](https://www.g2.com/products/cybeats/reviews)
Cybeats is at the forefront of cybersecurity innovation and is focused explicitly on automating Software Bill of Materials (SBOM) and Vulnerability Exploitability eXchange (VEX) management. Our platform has built-in support for HBOM and AIBOM. Our mission is to empower organizations to rapidly identify and address vulnerabilities, significantly reducing costs while enhancing the security posture of their products. With our focus on the vision of "Building trust in every layer of your technology," Cybeats provides a robust platform that ensures transparency and security throughout the technological stack.

Core Offerings:

- **SBOM Management & Continuous Monitoring:** Cybeats offers a scalable solution for managing and monitoring SBOMs. Our platform stores, enriches, and distributes SBOMs efficiently across the organization and the organization's customers. This continuous monitoring helps proactively identify and mitigate software component risks.
- **SBOM Inventory & Management:** We provide a centralized system for SBOM inventory management that ensures all software components are accounted for, up-to-date, and secure. This systematic approach helps maintain a clear overview of all software elements, facilitating easier management and compliance.
- **Vulnerability Lifecycle Management (VLM):** Our VLM capabilities integrate Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosure Program (VDP) processes. This integration helps identify, assess, manage, and mitigate vulnerabilities throughout their lifecycle, ensuring continuous protection against potential software supply chain threats.
- **Regulatory Compliance:** Cybeats aligns with global regulatory requirements, assisting organizations in staying compliant with evolving cybersecurity standards. Our solution simplifies compliance management, reducing the complexity and resources required to meet legal and industry standards. With the introduction of regulatory requirements such as FDA pre-market and post-market guidance, the EU CRA, PCI-SSF, and others, companies that develop software-based products must align with SBOM and vulnerability management requirements.
- **OSS and Commercial Licensing Risk Assessment:** Understanding and managing licensing risks associated with software components is crucial. Cybeats provides tools to assess these risks, helping organizations avoid legal and financial repercussions related to software licensing.
- **SBOM Sharing and Exchange:** We facilitate secure sharing and exchange of SBOMs within and across organizations. This capability ensures that all parties in the software supply chain have access to accurate and timely information, enhancing collaborative efforts toward secure software development.


- **Average Rating:** 4.4/5.0
- **Total Reviews:** 15

**Who Is the Company Behind Cybeats?**

- **Seller:** [CYBEATS](https://www.g2.com/sellers/cybeats)
- **Year Founded:** 2017
- **HQ Location:** Toronto, Ontario
- **Twitter:** @cybeatstech (617 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cybeats/ (33 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 47% Small-Business, 33% Mid-Market


### 3. [Aqua Security](https://www.g2.com/products/aqua-security/reviews)
  Aqua Security sees and stops attacks across the entire cloud native application lifecycle in a single, integrated platform. From software supply chain security for developers to cloud security and runtime protection for security teams, Aqua helps customers reduce risk while building the future of their businesses. The Aqua Platform is the industry’s most comprehensive Cloud Native Application Protection Platform (CNAPP). Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in over 40 countries.


- **Average Rating:** 4.2/5.0
- **Total Reviews:** 57

**Who Is the Company Behind Aqua Security?**

- **Seller:** [Aqua Security Software Ltd](https://www.g2.com/sellers/aqua-security-software-ltd)
- **Year Founded:** 2015
- **HQ Location:** Burlington, US
- **Twitter:** @AquaSecTeam (7,686 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/aquasecteam/ (499 employees on LinkedIn®)

**Who Uses This Product?**
  - **Top Industries:** Computer Software, Financial Services
  - **Company Size:** 56% Enterprise, 39% Mid-Market


#### What Are Aqua Security's Pros and Cons?

**Pros:**

- Security (19 reviews)
- Ease of Use (18 reviews)
- Features (12 reviews)
- Detection (10 reviews)
- Vulnerability Identification (9 reviews)

**Cons:**

- Missing Features (9 reviews)
- Lack of Features (6 reviews)
- Limited Features (6 reviews)
- Difficult Navigation (4 reviews)
- Improvement Needed (4 reviews)

### 4. [Arnica](https://www.g2.com/products/arnica/reviews)
  Arnica simplifies and effectively automates source code security, while maintaining or improving development velocity. Arnica uses rich tooling integration, deep learning, and behavioral analytics to empower organizations with the tools to be proactive in building a secure software supply chain.


- **Average Rating:** 4.9/5.0
- **Total Reviews:** 5

**Who Is the Company Behind Arnica?**

- **Seller:** [Arnica](https://www.g2.com/sellers/arnica)
- **Year Founded:** 2021
- **HQ Location:** Alpharetta, Georgia
- **Twitter:** @arnicaio (125 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/arnica-io/about (54 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 60% Enterprise, 20% Mid-Market


#### What Are Arnica's Pros and Cons?

**Pros:**

- Accuracy of Findings (1 review)
- Actionable Recommendations (1 review)
- Ease of Use (1 review)
- Easy Setup (1 review)
- Remediation Solutions (1 review)

**Cons:**

- Paid Features (1 review)

### 5. [Socket](https://www.g2.com/products/socket-socket/reviews)
  Socket is the leading developer-first security platform that protects modern applications from malicious and vulnerable open source dependencies. By combining real-time package monitoring with AI-powered code analysis, Socket detects and blocks supply chain attacks within minutes of publication. With advanced reachability analysis, automated remediation, and license compliance features, Socket enables teams to focus on building software, while we keep their open source code secure.


- **Average Rating:** 4.7/5.0
- **Total Reviews:** 10

**Who Is the Company Behind Socket?**

- **Seller:** [Socket](https://www.g2.com/sellers/socket)
- **Year Founded:** 2020
- **HQ Location:** San Francisco, US
- **Twitter:** @SocketSecurity (16,022 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/socketinc/ (91 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 40% Mid-Market, 30% Enterprise


#### What Are Socket's Pros and Cons?

**Pros:**

- Security (3 reviews)
- Open Source (2 reviews)
- Accuracy of Findings (1 review)
- Alerts (1 review)
- Comprehensive Security (1 review)

**Cons:**

- Missing Features (1 review)
- System Slowness (1 review)

### 6. [SOOS](https://www.g2.com/products/soos/reviews)
SOOS is the complete application security posture management platform. Scan your software for vulnerabilities, control the introduction of new dependencies, exclude unwanted license types, generate and manage Software Bill of Materials (SBOM), and fill out your compliance worksheets across all your teams. SOOS's ASPM is a dynamic, comprehensive approach to safeguarding your application infrastructure from vulnerabilities across the Software Development Life Cycle (SDLC) and live deployments. Easy to integrate, all in one dashboard.

- **SCA:** Deep tree vulnerability scanning, license compliance, governance
- **DAST:** Automated Web & API vulnerability scanning
- **Containers:** Scan contents for vulnerabilities
- **SAST:** Analyze code for security vulnerabilities
- **IaC:** Cloud security coverage
- **SBOMs:** Create, monitor, manage


- **Average Rating:** 4.6/5.0
- **Total Reviews:** 42

**Who Is the Company Behind SOOS?**

- **Seller:** [SOOS](https://www.g2.com/sellers/soos)
- **Year Founded:** 2019
- **HQ Location:** Winooski, US
- **Twitter:** @soostech (45 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/53122310 (26 employees on LinkedIn®)

**Who Uses This Product?**
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 50% Mid-Market, 43% Small-Business


#### What Are SOOS's Pros and Cons?

**Pros:**

- Ease of Use (8 reviews)
- Easy Integrations (6 reviews)
- Integrations (6 reviews)
- Customer Support (5 reviews)
- Vulnerability Detection (5 reviews)

**Cons:**

- Inadequate Reporting (4 reviews)
- Poor Reporting (4 reviews)
- Lacking Features (3 reviews)
- Lack of Guidance (3 reviews)
- Dashboard Issues (2 reviews)

### 7. [Mend.io](https://www.g2.com/products/mend-io/reviews)
Modern risk doesn't live in one layer, it lives between them. Mend.io is built for every risk, across AI and AppSec, securing the code layer, the AI layer, and the interactions between them. From discovery and red teaming to guardrails and runtime protection, Mend.io delivers continuous protection across the entire AI application lifecycle.

Mend.io solutions include:

1. **Mend AI** secures the layer where modern risk actually lives—the interaction between code and AI. It continuously discovers AI components (agents, prompts, models), tests real behavioral risk through automated red teaming, and enforces in-app runtime guardrails for one continuous control system for the AI lifecycle.
2. **Mend AppSec** secures the modern code layer by continuously discovering and prioritizing risk across code, libraries, containers, and dependencies, giving teams the clarity they need to reduce exposure and ship secure software faster.
3. **Mend Renovate** secures the foundation of every codebase by automatically updating dependencies, rating the likelihood each update will succeed without breaking changes, and grouping them by confidence level so teams can resolve them faster.


- **Average Rating:** 4.3/5.0
- **Total Reviews:** 105

**Who Is the Company Behind Mend.io?**

- **Seller:** [Mend](https://www.g2.com/sellers/mend-ab79a83a-6747-4682-8072-a3c176489d0b)
- **Company Website:** https://mend.io
- **Year Founded:** 2011
- **HQ Location:** Boston, Massachusetts
- **Twitter:** @Mend_io (11,288 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/2440656/ (258 employees on LinkedIn®)

**Who Uses This Product?**
  - **Who Uses This:** Software Engineer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 38% Small-Business, 34% Mid-Market


#### What Are Mend.io's Pros and Cons?

**Pros:**

- Scanning Efficiency (8 reviews)
- Ease of Use (7 reviews)
- Easy Integrations (6 reviews)
- Scanning Technology (6 reviews)
- Vulnerability Detection (6 reviews)

**Cons:**

- Integration Issues (6 reviews)
- Limited Features (3 reviews)
- Missing Features (3 reviews)
- Complex Implementation (2 reviews)
- Confusing Interface (2 reviews)

### 8. [CAST Highlight](https://www.g2.com/products/cast-highlight/reviews)
By scanning the source code of your applications, CAST Highlight instantly maps your software, generating the insights to understand, improve, and transform it. CIOs, CTOs, and Enterprise Architects use CAST to:

- Get the true view of all technologies and frameworks
- Quantify technical debt and the ways to pay it down
- See what's going to break next, and how best to fix it
- Drive cloud adoption faster, knowing what to move and optimize
- Prove progress to the board with facts and industry benchmarks

Businesses move faster using CAST technology to understand, improve, and transform their software. Through semantic analysis of source code, CAST produces 3D maps and dashboards to navigate inside individual applications and across entire portfolios. This intelligence empowers executives and technology leaders to steer, speed, and report on initiatives such as technical debt, GenAI, modernization, and cloud. As the pioneer of the software intelligence field, CAST is trusted by the world's leading companies and governments, their consultancies and cloud providers. See it all at castsoftware.com.


- **Average Rating:** 4.5/5.0
- **Total Reviews:** 85

**Who Is the Company Behind CAST Highlight?**

- **Seller:** [CAST](https://www.g2.com/sellers/cast)
- **Company Website:** https://www.castsoftware.com
- **Year Founded:** 1990
- **HQ Location:** New York
- **Twitter:** @SW_Intelligence (1,889 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cast/ (1,259 employees on LinkedIn®)

**Who Uses This Product?**
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 57% Enterprise, 24% Small-Business


#### What Are CAST Highlight's Pros and Cons?

**Pros:**

- Ease of Use (8 reviews)
- Easy Setup (4 reviews)
- Cloud Services (3 reviews)
- Efficiency (3 reviews)
- Real-time Monitoring (3 reviews)

**Cons:**

- Complex Navigation (1 review)
- Dashboard Issues (1 review)
- Delayed Detection (1 review)
- Difficulty (1 review)
- Expensive (1 review)

### 9. [Manifest](https://www.g2.com/products/manifest-cyber-manifest/reviews)
Manifest helps organizations understand and reduce the cybersecurity risk in the technology they produce and procure. The Manifest platform operationalizes software bills of materials (SBOMs), artificial intelligence bills of materials (AIBOMs), and Vulnerability Exploitability eXchange (VEX) documents so organizations can analyze and action the risk in internal or third-party tools. Manifest manages the entire SBOM lifecycle for customers in critical industries like enterprise technology, aerospace, defense contracting, healthcare, manufacturing & logistics, financial services, and the federal government.


- **Average Rating:** 5.0/5.0
- **Total Reviews:** 3

**Who Is the Company Behind Manifest?**

- **Seller:** [Manifest Cyber](https://www.g2.com/sellers/manifest-cyber)
- **HQ Location:** Connecticut, USA
- **Twitter:** @manifestcyber (90 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/manifestcyber/ (14 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 67% Mid-Market, 33% Small-Business


#### What Are Manifest's Pros and Cons?

**Pros:**

- Ease of Use (3 reviews)
- Automation (2 reviews)
- Real-time Monitoring (2 reviews)
- Authentication Security (1 review)
- Customer Support (1 review)

**Cons:**

- Time Consumption (1 review)

### 10. [Snyk](https://www.g2.com/products/snyk/reviews)
Snyk (pronounced sneak) is a developer security platform for securing custom code, open source dependencies, containers, and cloud infrastructure, all from a single platform. Snyk's developer security solutions enable modern applications to be built securely, empowering developers to own and build security for the whole application, from code & open source to containers & cloud infrastructure.

- **Secure while you code in your IDE:** find issues quickly using the scanner, fix issues easily with remediation advice, verify the updated code.
- **Integrate your source code repositories to secure applications:** integrate a repository to find issues, prioritize with context, fix & merge.
- **Secure your containers as you build, throughout the SDLC:** start fixing containers as soon as you write a Dockerfile, continuously monitor container images throughout their lifecycle, and prioritize with context.
- **Secure build and deployment pipelines:** integrate natively with your CI/CD tool, configure your rules, find & fix issues in your application, and monitor your applications.

Secure your apps quickly with Snyk's vulnerability scanning and automated fixes - Try for Free!


- **Average Rating:** 4.5/5.0
- **Total Reviews:** 132

**Who Is the Company Behind Snyk?**

- **Seller:** [Snyk](https://www.g2.com/sellers/snyk)
- **HQ Location:** Boston, Massachusetts
- **Twitter:** @snyksec (21,054 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/10043614/ (1,207 employees on LinkedIn®)

**Who Uses This Product?**
  - **Who Uses This:** Software Engineer
  - **Top Industries:** Computer Software, Information Technology and Services
  - **Company Size:** 45% Mid-Market, 35% Small-Business


#### What Are Snyk's Pros and Cons?

**Pros:**

- Vulnerability Detection (3 reviews)
- Vulnerability Identification (3 reviews)
- Easy Integrations (2 reviews)
- Features (2 reviews)
- Integrations (2 reviews)

**Cons:**

- False Positives (2 reviews)
- Poor Interface Design (2 reviews)
- Scanning Issues (2 reviews)
- Software Bugs (2 reviews)
- Code Management (1 review)

### 11. [Anchore](https://www.g2.com/products/anchore/reviews)
  Anchore, Inc., based in Santa Barbara, CA, was founded in 2016 by Saïd Ziouani and Daniel Nurmi to help organizations implement secure container-based workflows without compromising velocity. Anchore Enterprise is a complete container security workflow solution for professional teams. Integrating seamlessly with a wide variety of development tools and platforms, it allows teams to adhere to defined industry security standards. The Anchore Enterprise user interface provides visibility to security teams, allowing them to audit and verify compliance throughout the organization. It can be deployed in air-gapped and public cloud environments and is built for large scale. Anchore Enterprise is based on Anchore Engine, an open-source tool for deep image inspection and vulnerability scanning.


- **Average Rating:** 4.4/5.0
- **Total Reviews:** 4

**Who Is the Company Behind Anchore?**

- **Seller:** [Anchore](https://www.g2.com/sellers/anchore)
- **Year Founded:** 2016
- **HQ Location:** Santa Barbara, California, United States
- **Twitter:** @anchore (2,795 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/anchore/ (91 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 50% Mid-Market, 50% Enterprise


#### What Are Anchore's Pros and Cons?

**Pros:**

- Cloud Integration (1 review)
- Ease of Use (1 review)
- Easy Integrations (1 review)
- Features (1 review)
- Onboarding (1 review)


### 12. [1Exiger Platform](https://www.g2.com/products/1exiger-platform/reviews)
  Exiger’s award-winning, purpose-built technology platform, 1Exiger, is the only open-source, third-party and supply chain management software that helps companies and government agencies achieve cost savings, resilience, and compliance in real time. Created and launched in collaboration with our 550+ customers, the platform makes supply chain management simple, intuitive and accessible. The 1Exiger user experience is housed in an integrated suite that is scalable and secure. Using our powerful AI technology, you can uncover risks and reveal insights that enable confident decision-making.


- **Average Rating:** 4.5/5.0
- **Total Reviews:** 17

**Who Is the Company Behind 1Exiger Platform?**

- **Seller:** [Exiger](https://www.g2.com/sellers/exiger)
- **Company Website:** https://www.exiger.com/
- **HQ Location:** New York, NY
- **Twitter:** @exigerllc (1,853 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/exiger (848 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 53% Enterprise, 47% Mid-Market


#### What Are 1Exiger Platform's Pros and Cons?

**Pros:**

- Risk Management (6 reviews)
- Ease of Use (5 reviews)
- Automation Efficiency (3 reviews)
- Compliance Management (3 reviews)
- Comprehensive Coverage (3 reviews)

**Cons:**

- Limited Customization (4 reviews)
- Limited Functionality (4 reviews)
- Difficult Usability (3 reviews)
- Limited Features (3 reviews)
- Poor Navigation (3 reviews)

### 13. [Finite State](https://www.g2.com/products/finite-state/reviews)
  Finite State empowers device OEMs to ship securely while enabling engineering teams to move at the speed of AI, immediately transforming product artifacts into audit-ready assurance through a single automated workflow. Leveraging deep binary analysis and AI-native execution, the platform unifies code, compiled components, and firmware in minutes—connecting security design with deployed software. By continuously generating SBOMs, VEX, and signed compliance packages, Finite State enables connected device companies across industries such as medical devices and automotive to meet evolving regulations, including the EU Cyber Resilience Act (CRA), and deliver continuous compliance at speed. Learn more at https://finitestate.io/


- **Average Rating:** 4.8/5.0
- **Total Reviews:** 2

**Who Is the Company Behind Finite State?**

- **Seller:** [Finite State](https://www.g2.com/sellers/finite-state)
- **Company Website:** https://finitestate.io
- **Year Founded:** 2017
- **HQ Location:** Columbus, Ohio, United States
- **Twitter:** @FiniteStateInc (664 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/finitestate (67 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 50% Enterprise, 50% Small-Business


### 14. [FossID](https://www.g2.com/products/fossid-fossid/reviews)
  FossID is a Software Composition Analysis (SCA) suite designed to give organizations clear, defensible insight into the software they build and ship. It helps teams understand exactly what third-party, open source, and commercial code exists in their products so they can manage license compliance, intellectual property risk, and security with confidence. Agentic SCA by FossID brings software supply chain integrity into the moment of code creation for continuous, real-time license and security compliance so you can move at AI-speed and eliminate reactive code rework. FossID is ideal for organizations that value accuracy, transparency, and control over their software supply chain. It is widely used by manufacturers of embedded systems and software-driven products in industries such as automotive, aerospace, medical devices, industrial automation, electronics, and telecom, where regulatory requirements and long product lifecycles demand a higher standard of software governance. FossID is also trusted by legal, compliance, and GRC teams that need reliable, auditable results, as well as by acquirers and investors conducting technical due diligence. FossID analyzes real source code rather than relying solely on declared dependencies. FossID identifies reused components and code snippets with high precision, detecting fragments as small as six lines of code. This approach delivers more accurate results in complex, mixed codebases, including legacy systems, embedded software, and environments influenced by AI-assisted development. Key differentiators include deep snippet-level detection that remains effective even when code has been modified or reformatted, a 200M+ component open source knowledge base covering more than 2,500 licenses, and strong identification of license and copyright obligations. FossID is deployed in a way that ensures that source code never leaves the organization, a critical requirement for security- and IP-sensitive teams. 
FossID supports software supply chain integrity across the entire development and release lifecycle. Engineers use it early to identify and resolve issues before code is merged. Legal and compliance teams rely on it to validate policy compliance, manage license obligations, and produce accurate SBOMs. Governance, Risk, and Compliance leaders use FossID to demonstrate software supply chain transparency, reduce audit risk, and support regulatory compliance initiatives, including the EU Cyber Resilience Act. The primary value of FossID is confidence: confidence in what is inside your software, confidence in your compliance posture, and confidence that your teams can move forward efficiently without introducing unnecessary risk.


  **Average Rating:** 4.0/5.0
  **Total Reviews:** 2

**Who Is the Company Behind FossID?**

- **Seller:** [FossID](https://www.g2.com/sellers/fossid-038ca491-2507-49c4-b6f1-2f965c09e84e)
- **Company Website:** https://www.fossid.com
- **Year Founded:** 2016
- **Twitter:** @FOSSID_AB (135 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/fossid-ab/ (1 employee on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 50% Mid-Market, 50% Enterprise


### 15. [JFrog](https://www.g2.com/products/jfrog-2024-03-28/reviews)
  JFrog Ltd. (Nasdaq: FROG), the creators of the unified DevOps, DevSecOps, DevGovOps and MLOps platform, is on a mission to create a world of software delivered without friction from development to production. Driven by a “Liquid Software” vision, the JFrog Platform is a software supply chain system of record that is designed to power organizations as they build, manage, and distribute secure software with speed and scale. Holistic security features help identify, protect, and remediate against threats and vulnerabilities. The universal, hybrid, multi-cloud JFrog Platform is available as both SaaS services across major cloud service providers and self-hosted. Millions of users and approximately 6,600 organizations worldwide, including a majority of the Fortune 100, depend on JFrog solutions to securely embrace digital transformation in the AI era. Learn more at www.jfrog.com or follow us on X @JFrog.


  **Average Rating:** 4.2/5.0
  **Total Reviews:** 115

**Who Is the Company Behind JFrog?**

- **Seller:** [JFrog Ltd](https://www.g2.com/sellers/jfrog-ltd)
- **Company Website:** https://jfrog.com
- **Year Founded:** 2008
- **HQ Location:** Sunnyvale, CA
- **Twitter:** @jfrog (23,156 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/jfrog-ltd/ (2,292 employees on LinkedIn®)

**Who Uses This Product?**
  - **Who Uses This:** DevOps Engineer, Software Engineer
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 51% Enterprise, 32% Mid-Market


#### What Are JFrog's Pros and Cons?

**Pros:**

- Features (18 reviews)
- Repository Management (14 reviews)
- Deployment (13 reviews)
- Integrations (12 reviews)
- Easy Integrations (11 reviews)

**Cons:**

- Complexity (9 reviews)
- Expensive (8 reviews)
- Learning Curve (8 reviews)
- Difficult Learning (7 reviews)
- Learning Difficulty (7 reviews)

### 16. [SonarQube](https://www.g2.com/products/sonarqube/reviews)
  Sonar, the industry standard for code verification and automated code review, helps reduce outages, improve security, and lower risks associated with AI and agentic coding. As an independent verification platform, Sonar enables organizations to securely develop at the speed of AI. Sonar is the foundation for high-performance software engineering, analyzing over 750 billion lines of code daily to ensure applications are secure, reliable, and maintainable. Rooted in the open source community, Sonar is trusted by 7M+ developers globally, including teams at ServiceNow, Booking.com, Deutsche Bank, AstraZeneca, and Ford Motor Company.


  **Average Rating:** 4.4/5.0
  **Total Reviews:** 140

**Who Is the Company Behind SonarQube?**

- **Seller:** [SonarSource Sàrl](https://www.g2.com/sellers/sonarsource-sarl)
- **Company Website:** https://www.sonarsource.com
- **Year Founded:** 2008
- **HQ Location:** Geneva, Switzerland
- **Twitter:** @SonarSource (10,925 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/sonarsource/ (929 employees on LinkedIn®)

**Who Uses This Product?**
  - **Who Uses This:** DevOps Engineer, Software Engineer
  - **Top Industries:** Information Technology and Services, Computer Software
  - **Company Size:** 42% Enterprise, 39% Mid-Market


#### What Are SonarQube's Pros and Cons?

**Pros:**

- Code Quality (24 reviews)
- Features (20 reviews)
- Issue Identification (19 reviews)
- Ease of Use (18 reviews)
- Easy Integrations (18 reviews)

**Cons:**

- Software Bugs (12 reviews)
- Complex Configuration (10 reviews)
- False Positives (10 reviews)
- Complexity (8 reviews)
- Complex Setup (8 reviews)

### 17. [Xygeni](https://www.g2.com/products/xygeni/reviews)
  Secure your Software Development and Delivery! Xygeni Security specializes in Application Security Posture Management (ASPM), using deep contextual insights to effectively prioritize and manage security risks while minimizing noise and overwhelming alerts. Our technologies automatically detect malicious code in real time as soon as new and updated components are published, immediately notifying customers and quarantining affected components to prevent potential breaches. With extensive coverage spanning the entire Software Supply Chain—including Open Source components, CI/CD processes and infrastructure, Anomaly detection, Secret leakage, Infrastructure as Code (IaC), and Container security—Xygeni ensures robust protection for your software applications. Trust Xygeni to protect your operations and empower your team to build and deliver with integrity and security.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 4

**Who Is the Company Behind Xygeni?**

- **Seller:** [Xygeni Security](https://www.g2.com/sellers/xygeni-security)
- **Year Founded:** 2021
- **HQ Location:** Madrid, ES
- **Twitter:** @xygeni (182 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/xygeni/ (30 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 60% Small-Business, 40% Mid-Market


#### What Are Xygeni's Pros and Cons?

**Pros:**

- Comprehensive Security (2 reviews)
- Prioritization (2 reviews)
- Risk Management (2 reviews)
- Security (2 reviews)
- Cloud Integration (1 review)

**Cons:**

- Difficult Setup (1 review)
- Learning Curve (1 review)

### 18. [BINARLY](https://www.g2.com/products/binarly/reviews)
  Binarly is an AI-powered platform dedicated to protecting devices from emerging firmware and hardware threats. Founded in 2021 and headquartered in Pasadena, California, Binarly leverages advanced machine learning and deep code inspection at the binary level to provide comprehensive visibility into hardware and firmware vulnerabilities. This approach enables security teams to detect and respond to sophisticated attacks below the operating system, ensuring robust protection for enterprise device infrastructures.



**Who Is the Company Behind BINARLY?**

- **Seller:** [BINARLY](https://www.g2.com/sellers/binarly)
- **Year Founded:** 2021
- **HQ Location:** Santa Monica, US
- **LinkedIn® Page:** https://www.linkedin.com/company/binarlyinc (48 employees on LinkedIn®)



### 19. [CAST SBOM Manager](https://www.g2.com/products/cast-sbom-manager/reviews)
  CAST SBOM Manager enables users to automatically create, customize, and maintain Software Bill of Materials (SBOMs) with the ultimate level of control and flexibility. It detects open source dependencies and related risks (vulnerabilities and security advisories, licenses, obsolescence) directly from scanning source code, and allows you to create and maintain SBOM metadata over time (proprietary components, custom licenses, vulnerabilities) and much more.



**Who Is the Company Behind CAST SBOM Manager?**

- **Seller:** [CAST](https://www.g2.com/sellers/cast)
- **Year Founded:** 1990
- **HQ Location:** New York
- **Twitter:** @SW_Intelligence (1,889 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cast/ (1,259 employees on LinkedIn®)
- **Ownership:** Bridgepoint



### 20. [CBOM Secure](https://www.g2.com/products/cbom-secure/reviews)
  CBOM Secure is a machine-readable Cryptographic Bill of Materials (CBOM) platform that delivers continuous visibility and control over cryptography across source code, binaries, containers, and runtime environments. It automatically discovers and inventories algorithms, keys, certificates, protocols, and libraries, creating a centralized, normalized system of record. By mapping cryptographic assets to real execution paths, CBOM helps organizations distinguish dormant components from active usage, prioritize risk, and accelerate incident response. The platform supports compliance with standards such as NIST, FIPS 140-3, CMMC 2.0, and ISO 27001 while identifying legacy and quantum-vulnerable cryptography to enable structured post-quantum migration. Available on-premises, in the cloud, SaaS, or hybrid, CBOM transforms undocumented cryptography into a governed, audit-ready security control.



**Who Is the Company Behind CBOM Secure?**

- **Seller:** [Encryption Consulting](https://www.g2.com/sellers/encryption-consulting)
- **HQ Location:** N/A
- **LinkedIn® Page:** https://www.linkedin.com/company/No-Linkedin-Presence-Added-Intentionally-By-DataOps (1 employee on LinkedIn®)



### 21. [Enso Security](https://www.g2.com/products/enso-security/reviews)
  Enso Application Security Posture is a platform for AppSec teams to manage their day-to-day work, implement their security strategy as an AppSec organizational program, and enforce and automate it, all within a scalable, rapidly changing environment. AppSec teams struggle with prioritization: they may have a vision and concept of how to handle AppSec, but they don’t know where to invest and what actions to take. To keep up with R&D velocity and scale, Enso provides full visibility into the application inventory, focuses AppSec teams on the most important tasks and insights, and takes a policy-based “call to action” approach so that AppSec professionals don’t waste their time looking for application changes, prioritizing, or doing manual work.



**Who Is the Company Behind Enso Security?**

- **Seller:** [Enso Security](https://www.g2.com/sellers/enso-security)
- **HQ Location:** Boston, Massachusetts, United States
- **LinkedIn® Page:** https://www.linkedin.com/company/enso-security/ (1,331 employees on LinkedIn®)



### 22. [Eracent SBOM-HQ](https://www.g2.com/products/eracent-sbom-hq/reviews)
  SBOM-HQ™ from Eracent provides a well-rounded set of data, reporting, and analysis features that help organizations minimize risks and comply with cyber mandates and directives. While SBOM-HQ™ provides value to in-house and commercial application development teams, it is also unique in its approach to meeting the requirements of organizations that purchase or subscribe to software from numerous publishers. These “software consumers” will have to manage dozens, hundreds, or even thousands of SBOMs for products that they use, and this is impractical or impossible to do one SBOM at a time. SBOM-HQ™ is built around a centralized, single-source repository of libraries, components, and other related data from SBOMs. It dramatically reduces response time when a vulnerability is reported, since it eliminates the need to review SBOMs individually.

**How does SBOM-HQ™ work?** Customers upload their SBOM files via the user interface. During this straightforward process, users can assign related information that can be used to support reporting, filters, data access, and more; this information includes Publisher, Line of Business, Application Component, and more. SBOM-HQ™ “deconstructs” each uploaded SBOM and records the software product to which the SBOM belongs and all of the SBOM’s content, resulting in an index of components and libraries mapped to products. If a vulnerability is reported by NIST or another organization, customers get an immediate report of every product in use in their organization that includes the affected component or library. SBOM-HQ™ is continuously monitored and updated, and it leverages vulnerability data from NIST and other trusted global sources to display risk scores, levels of criticality, and more. SBOM-HQ™ also provides visibility into license types for each component and library, reducing the risk of unknowingly using a library that has excessive restrictions when less risky options are available.

The system offers version tracking (the version in use, newer available versions, and version history) as well as lifecycle dates that support obsolescence management. The dedicated open source library within Eracent’s IT-Pedia® product data library provides a solid foundation for SBOM-HQ™’s analysis and reporting.

**Who can benefit from using SBOM-HQ?** SBOM-HQ is designed to support all teams engaged in the use and operation of software:

- DevOps: SBOM-HQ integrates into CI/CD to generate and enrich SBOMs with real-time risk data, ensuring secure and compliant releases.
- Procurement: SBOM-HQ equips procurement teams with SBOM-driven insights into software quality and licensing risks, enabling smarter vendor selection and safer software purchases.
- CyberSec teams: SBOM-HQ evaluates cybersecurity aspects of purchased software and monitors new vulnerabilities as they appear.
- ITOps: SBOM-HQ exposes software weaknesses and helps mitigate the risks.
- Legal and Licensing teams: SBOM-HQ delivers clear visibility into open source licenses, flags conflicts early, and provides audit-ready compliance reports.

**Why SBOM-HQ?** SBOM-HQ is designed to support software buyers and users, not just software publishers. While most SBOM solutions stop at the software development life cycle, SBOM-HQ goes further. It empowers software consumers to continuously monitor not only what they build, but also what they buy, from design and procurement, through integration, all the way to production in their own data centers. With SBOM-HQ, transparency extends beyond development, delivering visibility and control across the entire software supply chain. To learn more about SBOM-HQ™, register for a free trial at sbomhq.com or contact Eracent today!



**Who Is the Company Behind Eracent SBOM-HQ?**

- **Seller:** [Eracent](https://www.g2.com/sellers/eracent)
- **Year Founded:** 2000
- **HQ Location:** Riegelsville, Pennsylvania
- **Twitter:** @eracent (141 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/15155 (82 employees on LinkedIn®)



### 23. [FOSSA](https://www.g2.com/products/fossa/reviews)
  Open source is a critical part of your software. In the average modern software product, over 80% of the source code shipped is derived from open source. Each component can have cascading legal, security, and quality implications for your customers, making it one of the most important things to manage correctly. FOSSA helps you manage your open source components. We plug into your development workflow to help your team automatically track, manage, and remediate issues with the open source you use to:

- Stay compliant with software licenses and generate required attribution documents
- Enforce usage and licensing policies throughout your CI/CD workflow
- Monitor and remediate security vulnerabilities
- Flag code quality issues and outdated components proactively

By enabling open source, we help development teams increase development velocity and decrease risk.


  **Average Rating:** 4.2/5.0
  **Total Reviews:** 15

**Who Is the Company Behind FOSSA?**

- **Seller:** [FOSSA](https://www.g2.com/sellers/fossa)
- **Year Founded:** 2015
- **HQ Location:** San Francisco, California
- **Twitter:** @getfossa (776 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/fossa/ (56 employees on LinkedIn®)

**Who Uses This Product?**
  - **Top Industries:** Computer Software
  - **Company Size:** 47% Small-Business, 33% Mid-Market


#### What Are FOSSA's Pros and Cons?

**Pros:**

- Easy Integrations (1 review)
- Issue Resolution (1 review)
- Remediation Solutions (1 review)
- Risk Management (1 review)
- Security (1 review)


### 24. [Heeler](https://www.g2.com/products/heeler/reviews)
  Heeler empowers application security teams to shift left with the context they need to reduce noise, accelerate remediation, and move beyond traditional vulnerability management. By combining ASPM, SCA with static and runtime context, and runtime threat modeling, Heeler transforms AppSec programs from reactive firefighting to proactive, scalable security.

**How Heeler Helps AppSec Teams**

- Reduce Noise: AppSec teams and developers are drowning in findings. Heeler delivers unified code, runtime, business and security context, reducing alert noise by up to 95%, so teams can focus on critical issues and fix what matters most.
- Fix Remediation: Remediation is broken. Most effort is spent reaching a fix, not implementing it. Heeler automates the remediation lifecycle, cutting effort and time, enabling AppSec teams to scale alongside engineering.
- Move Beyond Vulnerabilities: With Heeler, continuous runtime threat modeling becomes a reality. Decompose running applications, track changes, compare deployments, and stop risks in real time, all before they reach production.

**Why Heeler is Essential**

Modern applications are more complex and dynamic than ever, expanding attack surfaces and making end-to-end security modeling nearly impossible without the right tools. Heeler bridges this gap, addressing the root causes of unscalable AppSec programs:

- Lack of Context: Disparate data silos make understanding application behavior and identifying risks challenging.
- Labor-Intensive Processes: Without unified context, security efforts are manual, unscalable, and push risk identification too far right.
- Firefighting Mode: Security and engineering teams are trapped addressing too many findings and often focus their time on the wrong threats, leaving no bandwidth for secure-by-design initiatives.

**Key Capabilities**

- ProductDNA (Unified Context): Automates a real-time service catalog, mapping changesets to deployments and modeling every service with integrated code, runtime, business, and security context.
- Runtime Threat Modeling: Enables continuous threat modeling with tools to decompose applications, track changes, compare deployments, and uncover risks in real time.
- ASPM: Heeler reduces alert noise by up to 95% and automates remediation workflows, scaling security seamlessly with engineering demands.
- SCA with Static and Runtime Context: Combines static and runtime data with business and deployment context, delivering next-gen SCA that prioritizes what matters, strengthens security, and simplifies AppSec workflows.

Heeler ensures AppSec teams and developers have the context they need to shift left and build secure-by-design applications, effortlessly.



**Who Is the Company Behind Heeler?**

- **Seller:** [Heeler Security](https://www.g2.com/sellers/heeler-security)
- **Year Founded:** 2023
- **HQ Location:** N/A
- **LinkedIn® Page:** https://www.linkedin.com/company/heeler-security (20 employees on LinkedIn®)



### 25. [Hilt](https://www.g2.com/products/hilt/reviews)
  Hilt monitors how data actually moves across your environment, not just whether policies are followed. Using proprietary eBPF kernel probes, Hilt captures every data movement event at the base level across cloud workloads, endpoints, and network boundaries. A three-tier behavioral detection engine (deterministic rules, behavioral ML, and model inference) identifies anomalous data movement in real time including transfers where permissions were valid and no policy was violated, but the behavior was wrong. Automated containment blocks exfiltration in under one second. Deployed in minutes with one command, no code changes, and no SDK. Built for latency-sensitive environments including financial services, hedge funds, and law firms.



**Who Is the Company Behind Hilt?**

- **Seller:** [Hilt AI](https://www.g2.com/sellers/hilt-ai)
- **HQ Location:** Milton Keynes, GB
- **LinkedIn® Page:** https://www.linkedin.com/company/hilt-ai/ (1 employee on LinkedIn®)



