# Best Software Bill of Materials (SBOM) Software

*By [Adam Crivello](https://research.g2.com/insights/author/adam-crivello)*


Software bill of materials (SBOM) solutions generate, ingest, manage, and monitor a machine-readable inventory of the components within software supply chains. The components covered include libraries, packages, modules, associated licenses, and more. Companies and developers use SBOM software to deliver and annotate comprehensive SBOMs for their software’s third party and open source components .

These solutions allow users to comply with government mandates that require the provision of a minimum SBOM. Maintaining and monitoring SBOMs also helps companies perform continuous risk assessments, though vulnerability remediation is not the primary focus of such tools. [software composition analysis (SCA) tools](https://www.g2.com/categories/software-composition-analysis) scan software supply chains’ components and dependencies at the code level to identify and remediate security vulnerabilities, whereas SBOM software automates the standardized presentation of those elements for transparency, observability, and compliance.

To qualify for inclusion in the Software Bill of Materials (SBOM) category, a product must:

- Automatically ingest and generate SBOMs in standard formats like CycloneDX and SPDX
- Continuously monitor and update SBOMs based on component versions, associated licenses, dependencies, and more
- Alert users of non-compliant elements in their software supply chain
- Allow users to annotate SBOMs
- Facilitate compliance with government regulations







## How Many Software Bill of Materials (SBOM) Software Products Does G2 Track?
**Total Products under this Category:** 33

### Category Stats (Jul 2026)
- **Average Rating**: 4.48/5 (↓0.03 vs Jun 2026) The average rating of products in this category, based on all submitted ratings
- **Top Trending Product**: Arnica (+0.87%) - Among all products in this category, Arnica recorded the largest rating increase compared to last month
*Last updated: July 10, 2026*


## How Does G2 Rank Software Bill of Materials (SBOM) Software Products?

**Why You Can Trust G2's Software Rankings:**

- 30 Analysts and Data Experts
- 900+ Authentic Reviews
- 33+ Products
- Unbiased Rankings

G2's software rankings are built on verified user reviews, rigorous moderation, and a consistent research methodology maintained by a team of analysts and data experts. Each product is measured using the same transparent criteria, with no paid placement or vendor influence. While reviews reflect real user experiences, which can be subjective, they offer valuable insight into how software performs in the hands of professionals. Together, these inputs power the G2 Score, a standardized way to compare tools within every category.


## Which Software Bill of Materials (SBOM) Software Is Best for Your Use Case?

- **Easiest to Use:** [OX Security](https://www.g2.com/products/ox-security/reviews)
- **Best Free Software:** [OX Security](https://www.g2.com/products/ox-security/reviews)


---

**Sponsored**

### CAST Highlight

Portfolio-level insights for app modernization, AI readiness, tech debt, OSS risks CAST Highlight is a SaaS software intelligence technology that delivers rapid, fact-based insights across your entire application portfolio. By automatically analyzing the source code of hundreds or thousands of applications, CAST Highlight helps organizations assess cloud maturity, AI &amp; Agentic readiness, software health, open source risk, resiliency, technical debt, and sustainability from a single lightweight scan. CAST Highlight is designed for CIOs, CTOs, enterprise architects, cloud leaders, application owners, security teams, and modernization teams that need a fact-based way to prioritize modernization, cloud, and AI adoption decisions at scale. It helps teams identify which applications are ready to move quickly, which require remediation, and where hidden software risks may affect transformation cost, timelines, security, resilience, or business outcomes. Unlike traditional manual or survey-based assessments, CAST Highlight analyzes application source code directly to rapidly segment portfolios, prioritize modernization paths, and uncover risks before they impact transformation programs. Organizations use CAST Highlight to: - Accelerate cloud migration and modernization planning - Segment applications by cloud maturity and transformation path - Identify high-value AI adoption opportunities - Assess Agentic Readiness across application portfolios - Prioritize technical debt, resiliency, and maintainability improvements - Assess open source vulnerabilities and IP / license exposure - Evaluate software sustainability with Green Impact insights - Reduce complexity, cost, and risk across transformation programs Businesses move faster using CAST to understand, improve, and transform their software. Through semantic analysis of source code, CAST generates dashboards and 3D maps for executives, technologists, and AI to navigate inside individual applications and across entire portfolios. This intelligence enables companies to steer, speed, and report on initiatives such as technical debt, modernization, and cloud. As the pioneer of the software intelligence field, CAST is trusted by the world’s leading companies and governments, their consultancies and cloud providers. See it all at castsoftware.com.



[Visit website](https://www.g2.com/external_clickthroughs/record?secure%5Bad_program%5D=ppc&amp;secure%5Bad_slot%5D=category_product_list&amp;secure%5Bcategory_id%5D=1008169&amp;secure%5Bchosen_at%5D=2026-07-10T07%3A49%3A10Z&amp;secure%5Bdisplayable_resource_id%5D=1008169&amp;secure%5Bdisplayable_resource_type%5D=Category&amp;secure%5Bmedium%5D=sponsored&amp;secure%5Bplacement_reason%5D=page_category&amp;secure%5Bplacement_resource_ids%5D%5B%5D=1008169&amp;secure%5Bprioritized%5D=false&amp;secure%5Bproduct_id%5D=58553&amp;secure%5Bresource_id%5D=1008169&amp;secure%5Bresource_type%5D=Category&amp;secure%5Bsource_type%5D=category_page&amp;secure%5Bsource_url%5D=https%3A%2F%2Fwww.g2.com%2Fcategories%2Fsoftware-bill-of-materials-sbom&amp;secure%5Btoken%5D=98b5387af39c0412da2ccb8216145df1c2387dfae5fa37d6a5b93d341780e585&amp;secure%5Burl%5D=https%3A%2F%2Fwww.castsoftware.com%2Ftryhighlight%3Futm_campaign%3Dg2_clicks_ads%26utm_source%3Dcast_highlight%26utm_medium%3Dtrial_request&amp;secure%5Burl_type%5D=free_trial)

---

## What Are the Top-Rated Software Bill of Materials (SBOM) Software Products in 2026?
### 1. [OX Security](https://www.g2.com/products/ox-security/reviews)
OX is redefining product security for the AI era. Founded by Neatsun Ziv and Lion Arzi, former Check Point executives, OX is the company behind VibeSec — the first AI-native vibe security platform. Unlike traditional “Shift Left” approaches that collapsed under AI’s speed, VibeSec makes software secure by default by preventing risks before they exist. Powered by the OX AI Data Lake and dynamic code-to-runtime context, OX Security delivers: Autonomous, embedded security that runs as fast as developers. Dynamic risk context that shrinks security backlogs before they spiral. Continuous alignment across code, cloud, APIs, and runtime. With OX, developers focus on building while security runs itself, giving enterprises complete confidence that every release ships secure. OX Security -Vendor desc (request to update): OX Security is the company behind VibeSec, an AI-native autonomous security platform built for the AI development era. Unlike traditional tools that chase vulnerabilities after code is written, VibeSec embeds dynamic security context directly into AI coding environments like Cursor and Copilot. The result: every line of code is secure by default. For the first time, security moves at the speed of AI-driven development, preventing vulnerabilities before they exist, shrinking backlogs with every commit, and making security a seamless part of the development flow.


**Average Rating:** 4.8/5.0
**Total Reviews:** 51

**Who Is the Company Behind OX Security?**

- **Seller:** [OX Security](https://www.g2.com/sellers/ox-security)
- **Year Founded:** 2021
- **HQ Location:** New York, USA
- **LinkedIn® Page:** https://www.linkedin.com/company/ox-security/ (199 employees on LinkedIn®)

**Who Uses This Product?**
- **Who Uses This:** Security Engineer
- **Top Industries:** Financial Services, Information Technology and Services
- **Company Size:** 63% Mid-Market, 25% Enterprise


#### What Are OX Security's Pros and Cons?

**Pros:**

- Features (8 reviews)
- Collaboration (6 reviews)
- Customer Support (6 reviews)
- Easy Integrations (6 reviews)
- Speed (6 reviews)

**Cons:**

- Complexity (5 reviews)
- Overwhelming Interface (4 reviews)
- Complex Setup (3 reviews)
- Dashboard Issues (3 reviews)
- Difficult Learning (3 reviews)


### What Do G2 Reviewers Say About OX Security?
*AI-generated summary from verified user reviews*

**Pros:**

- Users appreciate the **comprehensive security testing** OX Security offers, streamlining issue management and enhancing team focus.
- Users value the **seamless collaboration** offered by OX Security, enhancing integration and communication within development workflows.
- Users commend the **responsive customer support** of OX Security, facilitating seamless integration and effective issue resolution.
- Users value the **seamless integrations** with tools, enhancing workflows and boosting overall security without delays.
- Users commend OX Security for its **speed in vulnerability remediation** , enabling faster triage and efficient management of security issues.

**Cons:**

- Users find OX Security&#39;s **complexity overwhelming** , especially due to inadequate documentation and a steep learning curve.
- Users find the **overwhelming interface** of OX Security challenging, especially with inadequate documentation and tiny text sizes.
- Users find the **complex setup** challenging, especially due to lacking documentation and overwhelming UI for new users.
- Users find the **dashboard issues** hinder effective reporting and can be overwhelming during the initial implementation phase.
- Users find the **difficult learning** curve challenging due to OX Security&#39;s overwhelming interface and lack of documentation.

#### What Are Recent G2 Reviews of OX Security?

**"[A powerful and comprehensive tool that meets most best practices for web app security testing](https://www.g2.com/survey_responses/ox-security-review-10961361)"**

**Rating:** 4.5/5.0 stars
*— Verified User in Gambling &amp; Casinos*

[Read full review](https://www.g2.com/survey_responses/ox-security-review-10961361)

---

**"[A Transformative Game-Changer in Application Security Posture Management](https://www.g2.com/survey_responses/ox-security-review-10618682)"**

**Rating:** 5.0/5.0 stars
*— Dudi E.*

[Read full review](https://www.g2.com/survey_responses/ox-security-review-10618682)

---



### 2. [Cybeats](https://www.g2.com/products/cybeats/reviews)
Cybeats is at the forefront of cybersecurity innovation and is focused explicitly on automating Software Bill of Materials (SBOM) and Vulnerability Exploitability eXchange (VEX) management. Our platform has built-in support for HBOM and AIBOM. Our mission is to empower organizations to rapidly identify and address vulnerabilities, significantly reducing costs while enhancing the security posture of their products. With our focus on the vision of &quot;Building trust in every layer of your technology,&quot; Cybeats provides a robust platform that ensures transparency and security throughout the technological stack. Core Offerings - SBOM Management &amp; Continuous Monitoring Cybeats offers a scalable solution for managing and monitoring SBOMs. Our platform stores enriches and distributes SBOMs efficiently across the organization and the organization&#39;s customers. This continuous monitoring helps proactively identify and mitigate software component risks. - SBOM Inventory &amp; Management We provide a centralized system for SBOM inventory management that ensures all software components are accounted for, up-to-date, and secure. This systematic approach helps maintain a clear overview of all software elements, facilitating easier management and compliance. - Vulnerability Lifecycle Management (VLM) Our VLM capabilities integrate Vulnerability Exploitability Exchange (VEX) and Vulnerability Disclosure Program (VDP) processes. This integration helps identify, assess, manage, and mitigate vulnerabilities throughout their lifecycle, ensuring continuous protection against potential software supply chain threats. - Regulatory Compliance Cybeats aligns with global regulatory requirements, assisting organizations in staying compliant with evolving cybersecurity standards. Our solution simplifies compliance management, reducing the complexity and resources required to meet legal and industry standards. With the introduction of regulatory requirements of the FDA pre-market and post-market, the EU CRA, PCI-SSF, and others, companies that develop software-based products must align with the SBOM and Vulnerability management requirements. - OSS and Comercial Licensing Risk Assessment Understanding and managing licensing risks associated with software components is crucial. Cybeats provides tools to assess these risks, helping organizations avoid legal and financial repercussions related to software licensing. - SBOM Sharing and Exchange We facilitate secure sharing and exchange of SBOMs within and across organizations. This capability ensures that all parties in the software supply chain have access to accurate and timely information, enhancing collaborative efforts toward secure software development.


**Average Rating:** 4.4/5.0
**Total Reviews:** 15

**Who Is the Company Behind Cybeats?**

- **Seller:** [CYBEATS](https://www.g2.com/sellers/cybeats)
- **Year Founded:** 2017
- **HQ Location:** Toronto, Ontario
- **Twitter:** @cybeatstech (616 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cybeats/ (32 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 47% Small-Business, 33% Mid-Market



#### What Are Recent G2 Reviews of Cybeats?

**"[Great Computer Security Service Solutin](https://www.g2.com/survey_responses/cybeats-review-7160083)"**

**Rating:** 4.5/5.0 stars
*— Patrícia P.*

[Read full review](https://www.g2.com/survey_responses/cybeats-review-7160083)

---

**"[A safe and secure enterprise supply chain management system is created and enabled by Cybeats](https://www.g2.com/survey_responses/cybeats-review-7468992)"**

**Rating:** 4.5/5.0 stars
*— Karan C.*

[Read full review](https://www.g2.com/survey_responses/cybeats-review-7468992)

---



### 3. [Aqua Security](https://www.g2.com/products/aqua-security/reviews)
Aqua Security sees and stops attacks across the entire cloud native application lifecycle in a single, integrated platform. From software supply chain security for developers to cloud security and runtime protection for security teams, Aqua helps customers reduce risk while building the future of their businesses. The Aqua Platform is the industry’s most comprehensive Cloud Native Application Protection Platform (CNAPP). Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in over 40 countries.


**Average Rating:** 4.2/5.0
**Total Reviews:** 57

**Who Is the Company Behind Aqua Security?**

- **Seller:** [Aqua Security Software Ltd](https://www.g2.com/sellers/aqua-security-software-ltd)
- **Year Founded:** 2015
- **HQ Location:** Burlington, US
- **Twitter:** @AquaSecTeam (7,673 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/aquasecteam/ (466 employees on LinkedIn®)

**Who Uses This Product?**
- **Top Industries:** Computer Software, Financial Services
- **Company Size:** 56% Enterprise, 39% Mid-Market


#### What Are Aqua Security's Pros and Cons?

**Pros:**

- Security (18 reviews)
- Ease of Use (15 reviews)
- Detection (10 reviews)
- Features (10 reviews)
- Comprehensive Security (8 reviews)

**Cons:**

- Missing Features (7 reviews)
- Lack of Features (5 reviews)
- Improvement Needed (4 reviews)
- Limited Features (4 reviews)
- Complexity (3 reviews)


### What Do G2 Reviewers Say About Aqua Security?
*AI-generated summary from verified user reviews*

**Pros:**

- Users appreciate Aqua Security for its **proactive threat detection** , ensuring security issues are addressed before they escalate.
- Users value the **ease of use** of Aqua Security, appreciating its intuitive UI and smooth implementation process.
- Users value the **effective detection of security issues** by Aqua Security, ensuring proactive resolution before problems escalate.
- Users appreciate the **ease of deployment and comprehensive security insights** offered by Aqua Security for proactive code protection.
- Users value Aqua Security&#39;s **comprehensive security frameworks** , enhancing their ability to manage and protect cloud environments effectively.

**Cons:**

- Users feel the **missing features** in Aqua Security hinder effective data analysis and integration capabilities.
- Users report a **lack of features** in Aqua Security, limiting functionality and hindering effective analysis and integration.
- Users note that **improvement is needed** for deeper insights, better integration, and enhanced reporting features in Aqua Security.
- Users note the **limited features** of Aqua Security, highlighting the need for enhanced functionality and integration options.
- Users find Aqua Security&#39;s **complex interface** challenging, especially during initial setup and task execution.

#### What Are Recent G2 Reviews of Aqua Security?

**"[AquaSec have been very efficient and user friendly.](https://www.g2.com/survey_responses/aqua-security-review-7802942)"**

**Rating:** 5.0/5.0 stars
*— Adefolarin B.*

[Read full review](https://www.g2.com/survey_responses/aqua-security-review-7802942)

---

**"[Allows us to monitor security of or platforms and scan images easily.](https://www.g2.com/survey_responses/aqua-security-review-10502217)"**

**Rating:** 5.0/5.0 stars
*— Mitchell M.*

[Read full review](https://www.g2.com/survey_responses/aqua-security-review-10502217)

---



### 4. [Arnica](https://www.g2.com/products/arnica/reviews)
Arnica is a comprehensive application security posture management (ASPM) platform that protects developers, source code, and products throughout the software development lifecycle. The platform provides real-time application security scanning with 100% coverage across the software supply chain, addressing risks in Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IaC), hardcoded secrets detection, and more. At its core, Arnica offers AI-native security governance that takes control of AI-generated code through advanced AI SAST scanning and agentic rules enforcement. The platform automatically injects centrally-controlled security requirements into AI coding agents like Copilot, Cursor, and Claude at the point of code generation, ensuring every line of AI-written code is secure by default before vulnerabilities reach production. This approach addresses 92% of risks before they ever reach production environments. Arnica&#39;s pipelineless architecture provides automatic coverage for every repository without requiring CI/CD pipeline integrations or IDE deployments. The platform scans every code change at the feature branch level, delivering developer-native workflows that keep teams focused on building features rather than chasing security issues. Risk prioritization is enhanced through OWASP Top 10, CVSS, EPSS, and KEV scoring, combined with organizational context to surface the most critical vulnerabilities. The platform excels in developer experience by delivering security findings directly within existing workflows through Slack, Microsoft Teams, pull request comments, and automated ticket management in Jira and Azure DevOps Boards. AI-powered mitigation suggestions provide context-aware, automated fixes that align with organizational coding standards, significantly reducing mean-time-to-remediation. Key security capabilities include real-time secrets detection with automatic validation and mitigation, comprehensive container scanning that maps vulnerabilities directly to source code, and intelligent dependency management with automated SCA upgrades. The platform maintains SOC 2 Type 2 compliance and ISO 27001 certification, ensuring enterprise-grade security standards. Arnica&#39;s unique value proposition lies in its ability to scale security across entire organizations while maintaining development velocity, providing complete visibility into code risks, and enabling proactive security measures that prevent vulnerabilities from reaching production environments.


**Average Rating:** 4.9/5.0
**Total Reviews:** 8

**Who Is the Company Behind Arnica?**

- **Seller:** [Arnica](https://www.g2.com/sellers/arnica)
- **Company Website:** https://www.arnica.io
- **Year Founded:** 2021
- **HQ Location:** Alpharetta, Georgia
- **Twitter:** @arnicaio (124 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/arnica-io/about (60 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 63% Enterprise, 25% Small-Business


#### What Are Arnica's Pros and Cons?

**Pros:**

- Accuracy of Findings (1 reviews)
- Actionable Recommendations (1 reviews)
- Ease of Use (1 reviews)
- Easy Setup (1 reviews)
- Remediation Solutions (1 reviews)

**Cons:**

- Paid Features (1 reviews)


### What Do G2 Reviewers Say About Arnica?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **accuracy of findings** from Arnica, effectively identifying unused elevated privileges to enhance security.
- Users value Arnica for its **actionable recommendations** that effectively reduce security risks and over-provisioning in code repositories.
- Users appreciate the **easy setup and administration** of Arnica, enjoying a quick and hassle-free experience.
- Users love the **easy setup** of Arnica, appreciating the time saved during administration and configuration.
- Users value Arnica for its ability to **simplify remediation of over-provisioning** , enhancing security and reducing risks effectively.

**Cons:**

- Users note that the **full feature set is limited** to GitHub Enterprise, leaving smaller teams without essential protections.

#### What Are Recent G2 Reviews of Arnica?

**"[Intuitive Dashboards and AI That Finds Real Issues](https://www.g2.com/survey_responses/arnica-review-12972680)"**

**Rating:** 5.0/5.0 stars
*— Verified User in Computer Software*

[Read full review](https://www.g2.com/survey_responses/arnica-review-12972680)

---

**"[Developer-friendly AppSec with a flexible policy engine](https://www.g2.com/survey_responses/arnica-review-12962349)"**

**Rating:** 5.0/5.0 stars
*— Thomas G.*

[Read full review](https://www.g2.com/survey_responses/arnica-review-12962349)

---


#### What Are G2 Users Discussing About Arnica?

- [What is Arnica used for?](https://www.g2.com/discussions/what-is-arnica-used-for)

### 5. [Finite State](https://www.g2.com/products/finite-state/reviews)
Finite State empowers device OEMs to ship securely while enabling engineering teams to move at the speed of AI, immediately transforming product artifacts into audit-ready assurance through a single automated workflow. Leveraging deep binary analysis and AI-native execution, the platform unifies code, compiled components, and firmware in minutes—connecting security design with deployed software. By continuously generating SBOMs, VEX, and signed compliance packages, Finite State enables connected device companies across industries such as medical devices and automotive to meet evolving regulations, including the EU Cyber Resilience Act (CRA), and deliver continuous compliance at speed. Learn more at https://finitestate.io/


**Average Rating:** 4.3/5.0
**Total Reviews:** 12

**Who Is the Company Behind Finite State?**

- **Seller:** [Finite State](https://www.g2.com/sellers/finite-state)
- **Company Website:** https://finitestate.io
- **Year Founded:** 2017
- **HQ Location:** Columbus, Ohio, United States
- **Twitter:** @FiniteStateInc (670 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/finitestate (78 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 50% Enterprise, 25% Mid-Market



#### What Are Recent G2 Reviews of Finite State?

**"[Deep Visibility Into Supply Chain Risks and CVEs—Boosting Product Security](https://www.g2.com/survey_responses/finite-state-review-12966722)"**

**Rating:** 5.0/5.0 stars
*— Suru S.*

[Read full review](https://www.g2.com/survey_responses/finite-state-review-12966722)

---

**"[Finite State Review: Firmware Security Simplified](https://www.g2.com/survey_responses/finite-state-review-12997919)"**

**Rating:** 5.0/5.0 stars
*— Prasanth B.*

[Read full review](https://www.g2.com/survey_responses/finite-state-review-12997919)

---



### 6. [Mend.io](https://www.g2.com/products/mend-io/reviews)
Modern risk doesn&#39;t live in one layer, it lives between them. Mend.io is built for every risk, across AI and AppSec, securing the code layer, the AI layer, and the interactions between them. From discovery and red teaming to guardrails and runtime protection, Mend.io delivers continuous protection across the entire AI application lifecycle. Mend.io solutions include: 1. Mend AI secures the layer where modern risk actually lives—the interaction between code and AI. It continuously discovers AI components (agents, prompts, models), tests real behavioral risk through automated red teaming, and enforces in-app runtime guardrails for one continuous control system for the AI lifecycle. 2. Mend AppSec secures the modern code layer by continuously discovering and prioritizing risk across code, libraries, containers, and dependencies, giving teams the clarity they need to reduce exposure and ship secure software faster. 3. Mend Renovate secures the foundation of every codebase by automatically updating dependencies, rating the likelihood each update will succeed without breaking changes, and grouping them by confidence level so teams can resolve them faster.


**Average Rating:** 4.3/5.0
**Total Reviews:** 107

**Who Is the Company Behind Mend.io?**

- **Seller:** [Mend](https://www.g2.com/sellers/mend-ab79a83a-6747-4682-8072-a3c176489d0b)
- **Company Website:** https://mend.io
- **Year Founded:** 2011
- **HQ Location:** Boston, Massachusetts
- **Twitter:** @Mend_io (11,256 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/2440656/ (257 employees on LinkedIn®)

**Who Uses This Product?**
- **Who Uses This:** Software Engineer
- **Top Industries:** Computer Software, Information Technology and Services
- **Company Size:** 37% Small-Business, 34% Mid-Market


#### What Are Mend.io's Pros and Cons?

**Pros:**

- Scanning Efficiency (8 reviews)
- Ease of Use (7 reviews)
- Easy Integrations (6 reviews)
- Scanning Technology (6 reviews)
- Vulnerability Detection (6 reviews)

**Cons:**

- Integration Issues (6 reviews)
- Limited Features (3 reviews)
- Missing Features (3 reviews)
- Complex Implementation (2 reviews)
- Confusing Interface (2 reviews)


### What Do G2 Reviewers Say About Mend.io?
*AI-generated summary from verified user reviews*

**Pros:**

- Users appreciate the **scanning efficiency** of Mend.io, highlighting quick scans and detailed reporting for better management.
- Users find Mend.io to be an **easy-to-use** tool that enhances security and provides responsive support.
- Users value the **easy integrations** with source code repositories, enhancing security and simplifying their workflows.
- Users find Mend.io&#39;s **scanning technology highly effective** for comprehensive binary, source code, and container scans.
- Users value the **Vulnerability Detection** in Mend.io for its efficiency in identifying and prioritizing critical vulnerabilities quickly.

**Cons:**

- Users face **integration issues** with on-premise tools and experience difficulty getting features to work effectively.
- Users feel the **limited features** of Mend.io hinder integration and functionality, leading to additional workarounds.
- Users find the **missing features** in Mend.io limit functionality, requiring workarounds for integration and scanning processes.
- Users face **complex implementation** challenges with Mend.io, requiring extensive support and causing delays in integration.
- Users find the **confusing interface** of Mend.io awkward, especially when switching between different product portals.

#### What Are Recent G2 Reviews of Mend.io?

**"[Great Tool for Managing 3rd party libraries](https://www.g2.com/survey_responses/mend-io-review-6728890)"**

**Rating:** 4.5/5.0 stars
*— Johannes B.*

[Read full review](https://www.g2.com/survey_responses/mend-io-review-6728890)

---

**"[Effortless Integration with Budget-Friendly Scanning](https://www.g2.com/survey_responses/mend-io-review-4261734)"**

**Rating:** 5.0/5.0 stars
*— Verified User in Computer Software*

[Read full review](https://www.g2.com/survey_responses/mend-io-review-4261734)

---


#### What Are G2 Users Discussing About Mend.io?

- [What is your experience regarding pricing and costs for Mend.io, and how does it compare to other open-source security solutions?](https://www.g2.com/discussions/what-is-your-experience-regarding-pricing-and-costs-for-mend-io-and-how-does-it-compare-to-other-open-source-security-solutions)
- [What is Mend (formerly WhiteSource) used for?](https://www.g2.com/discussions/what-is-mend-formerly-whitesource-used-for)
- [What is white Source bolt?](https://www.g2.com/discussions/what-is-white-source-bolt)
- [What are SCA tools?](https://www.g2.com/discussions/what-are-sca-tools)
- [What is software composition analysis SCA?](https://www.g2.com/discussions/what-is-software-composition-analysis-sca)

### 7. [Socket](https://www.g2.com/products/socket-socket/reviews)
Socket is the leading developer-first security platform that protects modern applications from malicious and vulnerable open source dependencies. By combining real-time package monitoring with AI-powered code analysis, Socket detects and blocks supply chain attacks within minutes of publication. With advanced reachability analysis, automated remediation, and license compliance features, Socket enables teams to focus on building software, while we keep their open source code secure.


**Average Rating:** 4.7/5.0
**Total Reviews:** 10

**Who Is the Company Behind Socket?**

- **Seller:** [Socket](https://www.g2.com/sellers/socket)
- **Year Founded:** 2020
- **HQ Location:** San Francisco, US
- **Twitter:** @SocketSecurity (21,558 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/socketinc/ (115 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 40% Mid-Market, 30% Enterprise


#### What Are Socket's Pros and Cons?

**Pros:**

- Security (3 reviews)
- Open Source (2 reviews)
- Accuracy of Findings (1 reviews)
- Alerts (1 reviews)
- Comprehensive Security (1 reviews)

**Cons:**

- Missing Features (1 reviews)
- System Slowness (1 reviews)


### What Do G2 Reviewers Say About Socket?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **robust security features** of Socket, ensuring protection against supply chain attacks and integration with risk programs.
- Users appreciate Socket&#39;s **effective open source security analysis** , making package evaluations accurate and time-efficient.
- Users commend the **accuracy of findings** from Socket&#39;s analysis, enhancing efficiency in reviewing open source packages.
- Users value the **proactive alerts** from Socket, ensuring strong monitoring against supply chain attacks and responsive support.
- Users value the **comprehensive security** of Socket, enhancing decision-making and risk management in software supply chains.

**Cons:**

- Users feel the need for **missing features** in Socket, desiring broader coverage to consolidate tools effectively.
- Users experience **system slowness** with Socket, noting that the UI takes considerable time to load.

#### What Are Recent G2 Reviews of Socket?

**"[Unique Approach to Supply Chain Security Problem and Does It Really Well](https://www.g2.com/survey_responses/socket-review-12052484)"**

**Rating:** 5.0/5.0 stars
*— Sindhoor H.*

[Read full review](https://www.g2.com/survey_responses/socket-review-12052484)

---

**"[Essential Tool for Application Security with Stellar MCP Feature](https://www.g2.com/survey_responses/socket-review-12686360)"**

**Rating:** 5.0/5.0 stars
*— Shreejal M.*

[Read full review](https://www.g2.com/survey_responses/socket-review-12686360)

---



### 8. [SOOS](https://www.g2.com/products/soos/reviews)
SOOS is the complete application security posture management platform. Scan your software for vulnerabilities, control the introduction of new dependencies, exclude unwanted license types, generate and manage Software Bill of Materials (SBOM), and fill out your compliance worksheets across all your teams. SOOS’s ASPM is a dynamic, comprehensive approach to safeguarding your application infrastructure from vulnerabilities across the Software Development Life Cycle (SDLC) and live deployments. Easy to integrate, all in one dashboard. SCA - Deep tree vulnerability scanning, license compliance, governance DAST - Automated Web &amp; API vulnerability scanning Containers - Scan contents for vulnerabilities SAST - Analyze code for security vulnerabilities IaC - Cloud security coverage SBOMs - Create – monitor – manage


**Average Rating:** 4.6/5.0
**Total Reviews:** 42

**Who Is the Company Behind SOOS?**

- **Seller:** [SOOS](https://www.g2.com/sellers/soos)
- **Year Founded:** 2019
- **HQ Location:** Winooski, US
- **Twitter:** @soostech (44 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/53122310 (24 employees on LinkedIn®)

**Who Uses This Product?**
- **Top Industries:** Information Technology and Services, Computer Software
- **Company Size:** 50% Mid-Market, 43% Small-Business


#### What Are SOOS's Pros and Cons?

**Pros:**

- Ease of Use (9 reviews)
- Customer Support (5 reviews)
- Easy Integrations (5 reviews)
- Integrations (5 reviews)
- Easy Setup (4 reviews)

**Cons:**

- Lack of Guidance (3 reviews)
- Poor Reporting (3 reviews)
- Dashboard Issues (2 reviews)
- Inadequate Reporting (2 reviews)
- Lacking Features (2 reviews)


### What Do G2 Reviewers Say About SOOS?
*AI-generated summary from verified user reviews*

**Pros:**

- Users rave about the **ease of use** of SOOS, highlighting effortless setup and excellent support throughout the process.
- Users commend the **awesome customer support** of SOOS, making onboarding and setup a seamless experience.
- Users appreciate the **easy integrations** of SOOS, seamlessly enhancing their development workflow and visibility into vulnerabilities.
- Users appreciate the **seamless integrations** of SOOS, enhancing workflow and providing clear visibility into vulnerabilities.
- Users celebrate the **easy setup** of SOOS, finding it intuitive and supported by helpful examples and team engagement.

**Cons:**

- Users report a **lack of guidance** on vulnerabilities and best practices, complicating the onboarding and remediation process.
- Users note the need for **better reporting options** in SOOS to effectively analyze vulnerabilities and recommendations.
- Users face **dashboard issues** due to limited reporting options and inconvenient sign-in and scanning processes.
- Users find the **reporting inadequate** , seeking improved customization and filtering capabilities for better analysis and sharing.
- Users find the **lack of features** in SOOS limits analysis and makes the platform unintuitive for new users.

#### What Are Recent G2 Reviews of SOOS?

**"[Awesome tool for detecting vulnerabilities within project dependecies](https://www.g2.com/survey_responses/soos-review-7753830)"**

**Rating:** 4.5/5.0 stars
*— Nayan C.*

[Read full review](https://www.g2.com/survey_responses/soos-review-7753830)

---

**"[Reliable continuous security assessment for our pipelines](https://www.g2.com/survey_responses/soos-review-7744758)"**

**Rating:** 4.0/5.0 stars
*— Brallan G.*

[Read full review](https://www.g2.com/survey_responses/soos-review-7744758)

---



### 9. [CAST Highlight](https://www.g2.com/products/cast-highlight/reviews)
Portfolio-level insights for app modernization, AI readiness, tech debt, OSS risks CAST Highlight is a SaaS software intelligence technology that delivers rapid, fact-based insights across your entire application portfolio. By automatically analyzing the source code of hundreds or thousands of applications, CAST Highlight helps organizations assess cloud maturity, AI &amp; Agentic readiness, software health, open source risk, resiliency, technical debt, and sustainability from a single lightweight scan. CAST Highlight is designed for CIOs, CTOs, enterprise architects, cloud leaders, application owners, security teams, and modernization teams that need a fact-based way to prioritize modernization, cloud, and AI adoption decisions at scale. It helps teams identify which applications are ready to move quickly, which require remediation, and where hidden software risks may affect transformation cost, timelines, security, resilience, or business outcomes. Unlike traditional manual or survey-based assessments, CAST Highlight analyzes application source code directly to rapidly segment portfolios, prioritize modernization paths, and uncover risks before they impact transformation programs. Organizations use CAST Highlight to: - Accelerate cloud migration and modernization planning - Segment applications by cloud maturity and transformation path - Identify high-value AI adoption opportunities - Assess Agentic Readiness across application portfolios - Prioritize technical debt, resiliency, and maintainability improvements - Assess open source vulnerabilities and IP / license exposure - Evaluate software sustainability with Green Impact insights - Reduce complexity, cost, and risk across transformation programs Businesses move faster using CAST to understand, improve, and transform their software. Through semantic analysis of source code, CAST generates dashboards and 3D maps for executives, technologists, and AI to navigate inside individual applications and across entire portfolios. This intelligence enables companies to steer, speed, and report on initiatives such as technical debt, modernization, and cloud. As the pioneer of the software intelligence field, CAST is trusted by the world’s leading companies and governments, their consultancies and cloud providers. See it all at castsoftware.com.


**Average Rating:** 4.5/5.0
**Total Reviews:** 86

**Who Is the Company Behind CAST Highlight?**

- **Seller:** [CAST](https://www.g2.com/sellers/cast)
- **Company Website:** https://www.castsoftware.com
- **Year Founded:** 1990
- **HQ Location:** New York
- **Twitter:** @SW_Intelligence (1,887 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cast/ (1,264 employees on LinkedIn®)

**Who Uses This Product?**
- **Top Industries:** Information Technology and Services, Computer Software
- **Company Size:** 57% Enterprise, 24% Small-Business


#### What Are CAST Highlight's Pros and Cons?

**Pros:**

- Ease of Use (8 reviews)
- Easy Setup (4 reviews)
- Cloud Services (3 reviews)
- Efficiency (3 reviews)
- Real-time Monitoring (3 reviews)

**Cons:**

- Complex Navigation (1 reviews)
- Dashboard Issues (1 reviews)
- Delayed Detection (1 reviews)
- Difficulty (1 reviews)
- Expensive (1 reviews)


### What Do G2 Reviewers Say About CAST Highlight?
*AI-generated summary from verified user reviews*

**Pros:**

- Users appreciate the **ease of use** of CAST Highlight, finding it simple for efficient application analysis and insights.
- Users appreciate the **easy setup** of CAST Highlight, enabling quick onboarding and efficient portfolio analysis with minimal effort.
- Users value the **insightful assessments of cloud compatibility** from CAST Highlight, enhancing decision-making for software migration.
- Users find CAST Highlight invaluable for its **efficient analysis** of applications, enhancing modernization strategies with quick insights.
- Users value the **real-time monitoring** of CAST Highlight for its swift, actionable insights and ease of use.

**Cons:**

- Users find the **complex navigation** of CAST Highlight challenging, hindering their overall experience and efficiency.
- Users find that the **dashboard issues** can hinder customization and clarity, particularly affecting new teams&#39; experience.
- Users find the **delayed detection** can hinder deep technical analysis, impacting effective metric interpretation and usage.
- Users find that CAST Highlight can be **difficult to configure and interpret** , particularly for teams unfamiliar with the platform.
- Users feel the **high price** restricts CAST Highlight&#39;s usability, limiting its accessibility for larger companies.

#### What Are Recent G2 Reviews of CAST Highlight?

**"[Efficient Analysis &amp; Confident Modernization](https://www.g2.com/survey_responses/cast-highlight-review-12250186)"**

**Rating:** 4.5/5.0 stars
*— Neha C.*

[Read full review](https://www.g2.com/survey_responses/cast-highlight-review-12250186)

---

**"[Portfolio Insights in One Place with CAST Highlight](https://www.g2.com/survey_responses/cast-highlight-review-12977472)"**

**Rating:** 4.5/5.0 stars
*— Verified User in Government Administration*

[Read full review](https://www.g2.com/survey_responses/cast-highlight-review-12977472)

---


#### What Are G2 Users Discussing About CAST Highlight?

- [What is cast imaging?](https://www.g2.com/discussions/what-is-cast-imaging) - 1 comment
- [How does a cast tool work?](https://www.g2.com/discussions/how-does-a-cast-tool-work)
- [What is CAST software tool?](https://www.g2.com/discussions/what-is-cast-software-tool) - 1 comment
- [What does cast highlight do?](https://www.g2.com/discussions/what-does-cast-highlight-do) - 1 comment

### 10. [Manifest](https://www.g2.com/products/manifest-cyber-manifest/reviews)
Manifest helps organizations understand and reduce the cybersecurity risk in the technology they produce and procure. The Manifest platform operationalizes software bills of materials (SBOMs), artificial intelligence bills of materials (AIBOMs), and Vulnerability Exploitability eXchange (VEX) documents so organizations can analyze and action the risk in internal or third-party tools. Manifest manages the entire SBOM lifecycle for customers in critical industries like enterprise technology, aerospace, defense contracting, healthcare, manufacturing &amp; logistics, financial services, and the federal government.


**Average Rating:** 5.0/5.0
**Total Reviews:** 3

**Who Is the Company Behind Manifest?**

- **Seller:** [Manifest Cyber](https://www.g2.com/sellers/manifest-cyber)
- **HQ Location:** Connecticut, USA
- **Twitter:** @manifestcyber (89 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/manifestcyber/ (14 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 67% Mid-Market, 33% Small-Business


#### What Are Manifest's Pros and Cons?

**Pros:**

- Ease of Use (3 reviews)
- Automation (2 reviews)
- Real-time Monitoring (2 reviews)
- Authentication Security (1 reviews)
- Customer Support (1 reviews)

**Cons:**

- Time Consumption (1 reviews)


### What Do G2 Reviewers Say About Manifest?
*AI-generated summary from verified user reviews*

**Pros:**

- Users appreciate the **ease of use** of Manifest, facilitating quick integration and efficient SBOM generation.
- Users commend the **automation capabilities** of Manifest, enhancing efficiency and security in managing software supply chain dependencies.
- Users value the **real-time monitoring** capabilities of Manifest, ensuring secure software supply chain management and risk prevention.
- Users value the **authentication security** of Manifest, ensuring robust protection for their software supply chain.
- Users commend the **exceptional customer support** of Manifest, appreciating their proactive and dedicated assistance with the product.

**Cons:**

- Users find that the **integration process consumes considerable time** , impacting their overall productivity with Manifest.

#### What Are Recent G2 Reviews of Manifest?

**"[Real “Continuous Compliance”](https://www.g2.com/survey_responses/manifest-review-9130056)"**

**Rating:** 5.0/5.0 stars
*— Peter Z.*

[Read full review](https://www.g2.com/survey_responses/manifest-review-9130056)

---

**"[Cutting-Edge Tool Enables Complete Lifecycle Management of your Software Bill of Materials](https://www.g2.com/survey_responses/manifest-review-9139664)"**

**Rating:** 5.0/5.0 stars
*— Shaun M.*

[Read full review](https://www.g2.com/survey_responses/manifest-review-9139664)

---



### 11. [Snyk](https://www.g2.com/products/snyk/reviews)
Snyk (pronounced sneak) is a developer security platform for securing custom code, open source dependencies, containers, and cloud infrastructure all from a single platform. Snyk’s developer security solutions enable modern applications to be built securely, empowering developers to own and build security for the whole application, from code &amp; open source to containers &amp; cloud infrastructure. Secure while you code in your IDE: find issues quickly using the scanner, fix issues easily with remediation advice, verify the updated code. Integrate your source code repositories to secure applications: integrate a repository to find issues, prioritize with context, fix &amp; merge. Secure your containers as you build, throughout the SDLC: start fixing containers as soon as your write a Dockerfile, continuously monitor container images throughout their lifecycle, and prioritize with context. Secure build and deployment pipelines: Integrate natively with your CI/CD tool, configure your rules, find &amp; fix issues in your application, and monitor your applications. Secure your apps quickly with Snyk’s vulnerability scanning and automated fixes - Try for Free!


**Average Rating:** 4.5/5.0
**Total Reviews:** 135

**Who Is the Company Behind Snyk?**

- **Seller:** [Snyk](https://www.g2.com/sellers/snyk)
- **HQ Location:** Boston, Massachusetts
- **Twitter:** @snyksec (21,057 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/10043614/ (1,370 employees on LinkedIn®)

**Who Uses This Product?**
- **Who Uses This:** Software Engineer
- **Top Industries:** Computer Software, Information Technology and Services
- **Company Size:** 44% Mid-Market, 35% Small-Business


#### What Are Snyk's Pros and Cons?

**Pros:**

- Easy Integrations (5 reviews)
- Vulnerability Detection (5 reviews)
- Ease of Use (4 reviews)
- User Interface (4 reviews)
- Vulnerability Identification (4 reviews)

**Cons:**

- Expensive (3 reviews)
- False Positives (3 reviews)
- Poor Interface Design (2 reviews)
- Pricing Issues (2 reviews)
- Scanning Issues (2 reviews)


### What Do G2 Reviewers Say About Snyk?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **easy integration** of Snyk with GitHub, streamlining vulnerability management in development workflows.
- Users appreciate Snyk for its **rapid vulnerability detection** , effectively enhancing security and efficiency in code development.
- Users find Snyk to be **highly intuitive and easy to use** , facilitating quick vulnerability identification and management.
- Users appreciate the **intuitive user interface** of Snyk, making vulnerability management straightforward and efficient.
- Users value Snyk&#39;s **extensive vulnerability identification capabilities** , allowing for swift detection and security improvements in code.

**Cons:**

- Users note that Snyk is **very expensive** , which may deter some from fully utilizing its features.
- Users report issues with **false positives** from Snyk, causing confusion and potential oversight on real vulnerabilities.
- Users find the **poor interface design** of Snyk frustrating, affecting usability and integration with other features.
- Users highlight **pricing issues** , noting high costs for full access to Snyk&#39;s extensive features, although it&#39;s a worthwhile investment.
- Users experience **false positives and slow scans** with Snyk, impacting efficiency and requiring additional tools for quality.

#### What Are Recent G2 Reviews of Snyk?

**"[Seamless Dev-First Security with Fast Scans and Actionable Fixes](https://www.g2.com/survey_responses/snyk-review-12676270)"**

**Rating:** 4.5/5.0 stars
*— Prateek J.*

[Read full review](https://www.g2.com/survey_responses/snyk-review-12676270)

---

**"[Developer-Friendly Security with Clear, Automated Fixes](https://www.g2.com/survey_responses/snyk-review-12974957)"**

**Rating:** 4.5/5.0 stars
*— Hemanth K.*

[Read full review](https://www.g2.com/survey_responses/snyk-review-12974957)

---


#### What Are G2 Users Discussing About Snyk?

- [What is Snyk scanning?](https://www.g2.com/discussions/what-is-snyk-scanning) - 2 comments, 2 upvotes
- [Is Snyk a SaaS?](https://www.g2.com/discussions/is-snyk-a-saas) - 2 comments
- [How good is Snyk?](https://www.g2.com/discussions/how-good-is-snyk) - 2 comments
- [What is Snyk used for?](https://www.g2.com/discussions/what-is-snyk-used-for)

### 12. [Anchore](https://www.g2.com/products/anchore/reviews)
Anchore, Inc., based in Santa Barbara, CA, was founded in 2016 by Saïd Ziouani and Daniel Nurmi to help organizations implement secure container-based workflows without compromising velocity. Anchore Enterprise is a complete container security workflow solution for professional teams. Integrating seamlessly with a wide variety of development tools and platforms, it allows teams to adhere to defined industry security standards. The Anchore Enterprise user interface provides visibility to security teams, allowing them to audit and verify compliance throughout the organization. It can be deployed in air-gapped and public cloud environments and is built for large scale. Anchore Enterprise is based on Anchore Engine, an open-source tool for deep image inspection and vulnerability scanning.


**Average Rating:** 4.4/5.0
**Total Reviews:** 4

**Who Is the Company Behind Anchore?**

- **Seller:** [Anchore](https://www.g2.com/sellers/anchore)
- **Year Founded:** 2016
- **HQ Location:** Santa Barbara, California, United States
- **Twitter:** @anchore (2,797 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/anchore/ (91 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 50% Mid-Market, 50% Enterprise


#### What Are Anchore's Pros and Cons?

**Pros:**

- Cloud Integration (1 reviews)
- Ease of Use (1 reviews)
- Easy Integrations (1 reviews)
- Features (1 reviews)
- Onboarding (1 reviews)



### What Do G2 Reviewers Say About Anchore?
*AI-generated summary from verified user reviews*

**Pros:**

- Users appreciate the **seamless cloud integration** of Anchore, enhancing their security workflows and issue tracking efficiency.
- Users find Anchore&#39;s interface **clean and easy to use** , facilitating seamless integration with tools like DefectDojo and Jira.
- Users value the **easy integrations** of Anchore, enhancing their security workflows with tools like DefectDojo and Jira.
- Users appreciate the **clean interface and easy integration** of Anchore, enhancing their security workflows effectively.
- Users appreciate the **clean and easy-to-use interface** of Anchore, enhancing their issue remediation workflows seamlessly.


#### What Are Recent G2 Reviews of Anchore?

**"[Love the intuitive interface and dashboard to assess security posture in a single place](https://www.g2.com/survey_responses/anchore-review-11048224)"**

**Rating:** 4.0/5.0 stars
*— Raja A.*

[Read full review](https://www.g2.com/survey_responses/anchore-review-11048224)

---

**"[Anchore: Essential Tool for Container Security and Compliance](https://www.g2.com/survey_responses/anchore-review-10025756)"**

**Rating:** 4.0/5.0 stars
*— Dr habeeb M.*

[Read full review](https://www.g2.com/survey_responses/anchore-review-10025756)

---


#### What Are G2 Users Discussing About Anchore?

- [What is Anchore used for?](https://www.g2.com/discussions/what-is-anchore-used-for)

### 13. [1Exiger Platform](https://www.g2.com/products/1exiger-platform/reviews)
Exiger’s award-winning, purpose-built technology platform, 1Exiger, is the only open-source, third-party and supply chain management software that helps companies and government agencies achieve cost savings, resilience, and compliance in real time. Created and launched in collaboration with our 550+ customers, the platform makes supply chain management simple, intuitive and accessible. The 1Exiger user experience is housed in an integrated suite that is scalable and secure. Using our powerful AI technology, you can uncover risks and reveal insights that enable confident decision-making.


**Average Rating:** 4.5/5.0
**Total Reviews:** 17

**Who Is the Company Behind 1Exiger Platform?**

- **Seller:** [Exiger](https://www.g2.com/sellers/exiger)
- **Company Website:** https://www.exiger.com/
- **HQ Location:** New York, NY
- **Twitter:** @exigerllc (1,851 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/exiger (800 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 53% Enterprise, 47% Mid-Market


#### What Are 1Exiger Platform's Pros and Cons?

**Pros:**

- Risk Management (6 reviews)
- Ease of Use (5 reviews)
- Automation Efficiency (3 reviews)
- Compliance Management (3 reviews)
- Comprehensive Coverage (3 reviews)

**Cons:**

- Limited Customization (4 reviews)
- Limited Functionality (4 reviews)
- Difficult Usability (3 reviews)
- Limited Features (3 reviews)
- Poor Navigation (3 reviews)


### What Do G2 Reviewers Say About 1Exiger Platform?
*AI-generated summary from verified user reviews*

**Pros:**

- Users appreciate the **AI-driven risk management** of the 1Exiger Platform, simplifying compliance and enhancing efficiency.
- Users find the **ease of use** of 1Exiger Platform exceptional, enabling efficient risk management with minimal effort.
- Users appreciate the **automation efficiency** of the 1Exiger Platform, simplifying complex compliance workflows and risk management.
- Users appreciate the **centralized compliance management** of the 1Exiger Platform, streamlining risk and regulatory oversight effectively.
- Users praise the **comprehensive solutions** of 1Exiger Platform, making risk management user-friendly and efficient for teams.

**Cons:**

- Users express concerns over **limited customization** in certain modules, particularly hindering mobile accessibility and functionality.
- Users find the **limited functionality** of the 1Exiger Platform, especially on mobile, hinders their productivity.
- Users experience **difficult usability** due to a steep learning curve and complex navigation, especially for newcomers.
- Users find that the **customization options and mobile accessibility** of the 1Exiger Platform are quite limited.
- Users find the **navigation complex** , which hinders usability and requires adjustment for effective use of the platform.

#### What Are Recent G2 Reviews of 1Exiger Platform?

**"[Easy-to-Use Platform That Centralizes Risk &amp; Compliance Data and Saves Time](https://www.g2.com/survey_responses/1exiger-platform-review-10545189)"**

**Rating:** 4.5/5.0 stars
*— Verified User in Package/Freight Delivery*

[Read full review](https://www.g2.com/survey_responses/1exiger-platform-review-10545189)

---

**"[Great Visibility Into HQ Practices for Remote Teams](https://www.g2.com/survey_responses/1exiger-platform-review-12726616)"**

**Rating:** 4.0/5.0 stars
*— carl l.*

[Read full review](https://www.g2.com/survey_responses/1exiger-platform-review-12726616)

---


#### What Are G2 Users Discussing About 1Exiger Platform?

- [What is DDIQ used for?](https://www.g2.com/discussions/what-is-ddiq-used-for)

### 14. [FossID](https://www.g2.com/products/fossid-fossid/reviews)
FossID is a Software Composition Analysis (SCA) suite designed to give organizations clear, defensible insight into the software they build and ship. It helps teams understand exactly what third-party, open source, and commercial code exists in their products so they can manage license compliance, intellectual property risk, and security with confidence. Agentic SCA by FossID brings software supply chain integrity into the moment of code creation for continuous, real-time license and security compliance so you can move at AI-speed and eliminate reactive code rework. FossID is ideal for organizations that value accuracy, transparency, and control over their software supply chain. It is widely used by manufacturers of embedded systems and software-driven products in industries such as automotive, aerospace, medical devices, industrial automation, electronics, and telecom, where regulatory requirements and long product lifecycles demand a higher standard of software governance. FossID is also trusted by legal, compliance, and GRC teams that need reliable, auditable results, as well as by acquirers and investors conducting technical due diligence. FossID analyzes real source code rather than relying solely on declared dependencies. FossID identifies reused components and code snippets with high precision, detecting fragments as small as six lines of code. This approach delivers more accurate results in complex, mixed codebases, including legacy systems, embedded software, and environments influenced by AI-assisted development. Key differentiators include deep snippet-level detection that remains effective even when code has been modified or reformatted, a 200M+ component open source knowledge base covering more than 2,500 licenses, and strong identification of license and copyright obligations. FossID is deployed in a way that ensures that source code never leaves the organization, a critical requirement for security- and IP-sensitive teams. FossID supports software supply chain integrity across the entire development and release lifecycle. Engineers use it early to identify and resolve issues before code is merged. Legal and compliance teams rely on it to validate policy compliance, manage license obligations and produce accurate SBOMs. Governance, Risk, and Compliance leaders use FossID to demonstrate software supply chain transparency, reduce audit risk, and support regulatory compliance initiatives, including the EU Cyber Resilience Act. The primary value of FossID is confidence. Confidence in what is inside your software, confidence in your compliance posture, and confidence that your teams can move forward efficiently without introducing unnecessary risk.


**Average Rating:** 4.0/5.0
**Total Reviews:** 2

**Who Is the Company Behind FossID?**

- **Seller:** [FossID](https://www.g2.com/sellers/fossid-038ca491-2507-49c4-b6f1-2f965c09e84e)
- **Company Website:** https://www.fossid.com
- **Year Founded:** 2016
- **Twitter:** @FOSSID_AB (137 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/fossid-ab/ (1 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 50% Mid-Market, 50% Enterprise



#### What Are Recent G2 Reviews of FossID?

**"[Detects Code-Snippets reliable and has good usabiilty](https://www.g2.com/survey_responses/fossid-review-11298102)"**

**Rating:** 4.0/5.0 stars
*— Nikolaus F.*

[Read full review](https://www.g2.com/survey_responses/fossid-review-11298102)

---

**"[Powerful, Customizable Scanning with Accurate License Detection and Great Support](https://www.g2.com/survey_responses/fossid-review-12638783)"**

**Rating:** 4.0/5.0 stars
*— Jackie L.*

[Read full review](https://www.g2.com/survey_responses/fossid-review-12638783)

---



### 15. [JFrog](https://www.g2.com/products/jfrog-2024-03-28/reviews)
JFrog Ltd. (Nasdaq: FROG), the creators of the unified DevOps, DevSecOps, DevGovOps and MLOps platform, is on a mission to create a world of software delivered without friction from development to production. Driven by a “Liquid Software” vision to keep software continuously flowing, secure, and always up to date, the JFrog Platform serves as the definitive software supply chain system of record. It is uniquely engineered to power organizations as they build, manage, and distribute trusted software with unprecedented speed, security, and scale across hybrid and multi-cloud environments. As software engineering evolves in the AI era, JFrog’s newest offerings address the industry&#39;s most pressing trend: the rise of agentic software development and the hidden security risks of &quot;Shadow AI.&quot; In response to threat actors increasingly targeting developer workflows including a massive surge in malicious open-source AI models and infected packages; JFrog has expanded its platform capabilities to deliver absolute end-to-end visibility and automated compliance. Key new innovations include the JFrog AI Catalog, which enables organizations to centralize, govern, and control the lifecycle of AI models approved for enterprise use. To secure autonomous coding environments, JFrog introduced the Universal MCP Registry and the Agent Skills Registry (developed alongside NVIDIA). These new solutions establish the industry’s first enterprise-grade trust layer to safely manage and store AI agent skills, monitor connections, and instantly block unsafe developer tools or malicious coding extensions right where developers work. Furthermore, the integration of advanced DevGovOps and Runtime Security tools allows teams to replace slow, manual compliance audits with continuous, background policy enforcement. By shifting security left directly into the binary pipeline, JFrog ensures that the volume of AI-assisted code does not outpace an organization&#39;s ability to verify its safety. Today, millions of users and approximately 6,600 organizations worldwide, including a majority of the Fortune 100, depend on the universal JFrog Platform to eliminate point-solution fatigue, bridge the governance gap, and securely embrace digital transformation. Learn more at www.jfrog.com or follow us on X @JFrog.


**Average Rating:** 4.2/5.0
**Total Reviews:** 138

**Who Is the Company Behind JFrog?**

- **Seller:** [JFrog Ltd](https://www.g2.com/sellers/jfrog-ltd)
- **Company Website:** https://jfrog.com
- **Year Founded:** 2008
- **HQ Location:** Sunnyvale, CA
- **Twitter:** @jfrog (23,186 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/jfrog-ltd/ (2,364 employees on LinkedIn®)

**Who Uses This Product?**
- **Who Uses This:** Software Engineer, DevOps Engineer
- **Top Industries:** Information Technology and Services, Computer Software
- **Company Size:** 50% Enterprise, 31% Mid-Market


#### What Are JFrog's Pros and Cons?

**Pros:**

- Features (18 reviews)
- Repository Management (14 reviews)
- Deployment (13 reviews)
- Integrations (12 reviews)
- Easy Integrations (11 reviews)

**Cons:**

- Complexity (9 reviews)
- Expensive (8 reviews)
- Learning Curve (8 reviews)
- Difficult Learning (7 reviews)
- Learning Difficulty (7 reviews)


### What Do G2 Reviewers Say About JFrog?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **unified support for diverse package formats** in JFrog, enhancing their DevOps workflows significantly.
- Users value the **centralized management of artifacts** in JFrog, enhancing security and efficiency in DevOps workflows.
- Users value the **seamless deployment integration** of JFrog, streamlining CI/CD pipelines and enhancing security across projects.
- Users value the **seamless integrations** of JFrog with various tools, enhancing their CI/CD pipeline efficiency and security.
- Users love the **easy integrations** with various tools, enhancing their CI/CD workflow and artifact management.

**Cons:**

- Users find the **complexity** of the JFrog platform overwhelming, often requiring extensive training to navigate its functionalities.
- Users feel the **cost of JFrog** can be prohibitive for smaller teams, making adoption challenging and less accessible.
- Users face a **steep learning curve** and significant setup time, making initial adoption challenging for smaller teams.
- Users find the **difficult learning curve** of JFrog challenging, necessitating extensive training to harness its full capabilities.
- Users find the **learning difficulty** of JFrog challenging, as it requires substantial time and effort to master.

#### What Are Recent G2 Reviews of JFrog?

**"[JFrog Simplifies Artifact Management for Organized, Reliable Deployments](https://www.g2.com/survey_responses/jfrog-review-12870354)"**

**Rating:** 4.5/5.0 stars
*— Subhashree S.*

[Read full review](https://www.g2.com/survey_responses/jfrog-review-12870354)

---

**"[Efficient, Scalable Artifact Management That Streamlines the Software Delivery Lifecycle](https://www.g2.com/survey_responses/jfrog-review-12788318)"**

**Rating:** 4.0/5.0 stars
*— Arkajit D.*

[Read full review](https://www.g2.com/survey_responses/jfrog-review-12788318)

---


#### What Are G2 Users Discussing About JFrog?

- [What are the benefits and challenges of using JFrog for managing your software supply chain?](https://www.g2.com/discussions/what-are-the-benefits-and-challenges-of-using-jfrog-for-managing-your-software-supply-chain)
- [What does Jfrog Platform do?](https://www.g2.com/discussions/what-does-jfrog-platform-do)
- [What is difference between JFrog and Nexus?](https://www.g2.com/discussions/what-is-difference-between-jfrog-and-nexus)
- [What is Artifactory software used for?](https://www.g2.com/discussions/what-is-artifactory-software-used-for)

### 16. [SonarQube](https://www.g2.com/products/sonarqube/reviews)
Sonar, the industry standard for code verification and automated code review, helps reduce outages, improve security, and lower risks associated with AI and agentic coding. As an independent verification platform, Sonar enables organizations to securely develop at the speed of AI. Sonar is the foundation for high-performance software engineering, analyzing over 750 billion lines of code daily to ensure applications are secure, reliable, and maintainable. Rooted in the open source community, Sonar is trusted by 7M+ developers globally, including teams at ServiceNow, Booking.com, Deutsche Bank, AstraZeneca, and Ford Motor Company.


**Average Rating:** 4.4/5.0
**Total Reviews:** 150

**Who Is the Company Behind SonarQube?**

- **Seller:** [SonarSource Sàrl](https://www.g2.com/sellers/sonarsource-sarl)
- **Company Website:** https://www.sonarsource.com
- **Year Founded:** 2008
- **HQ Location:** Geneva, Switzerland
- **Twitter:** @SonarSource (10,913 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/sonarsource/ (973 employees on LinkedIn®)

**Who Uses This Product?**
- **Who Uses This:** DevOps Engineer, Software Engineer
- **Top Industries:** Information Technology and Services, Computer Software
- **Company Size:** 43% Enterprise, 39% Mid-Market


#### What Are SonarQube's Pros and Cons?

**Pros:**

- Code Quality (24 reviews)
- Features (20 reviews)
- Issue Identification (19 reviews)
- Ease of Use (18 reviews)
- Easy Integrations (18 reviews)

**Cons:**

- Software Bugs (12 reviews)
- Complex Configuration (10 reviews)
- False Positives (10 reviews)
- Complexity (8 reviews)
- Complex Setup (8 reviews)


### What Do G2 Reviewers Say About SonarQube?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **rapid identification of code quality and security issues** with SonarQube, simplifying code maintenance and reliability.
- Users value the **quick code quality and security issue detection** of SonarQube, enhancing maintainability and reliability over time.
- Users value SonarQube for its **efficient issue identification** , improving code quality and maintainability effortlessly.
- Users appreciate the **ease of use** of SonarQube, allowing seamless integration and daily applications without hassle.
- Users appreciate the **easy integrations** of SonarCloud, enhancing their development workflows seamlessly.

**Cons:**

- Users face challenges with **software bugs** in SonarQube, leading to issues slipping into production unexpectedly.
- Users find the **complex configuration** of SonarQube challenging, often requiring extensive tuning and setup time.
- Users often face **false positives** , complicating the effectiveness of SonarQube in real-world and legacy code projects.
- Users find SonarQube&#39;s **complexity** challenging, particularly during configuration and excessive warning management.
- Users find the **complex setup** of SonarQube time-consuming and challenging, especially for legacy projects and specific environments.

#### What Are Recent G2 Reviews of SonarQube?

**"[SonarQube: Easy Integration, Simple UI, and Solid Free Code Quality Scanning](https://www.g2.com/survey_responses/sonarqube-review-12975264)"**

**Rating:** 4.5/5.0 stars
*— Divyarajsinh  C.*

[Read full review](https://www.g2.com/survey_responses/sonarqube-review-12975264)

---

**"[Catches bugs early, saves us time](https://www.g2.com/survey_responses/sonarqube-review-13087609)"**

**Rating:** 5.0/5.0 stars
*— Srinidhi H.*

[Read full review](https://www.g2.com/survey_responses/sonarqube-review-13087609)

---


#### What Are G2 Users Discussing About SonarQube?

- [What is SonarLint used for?](https://www.g2.com/discussions/what-is-sonarlint-used-for)
- [What is SonarQube and how does it work?](https://www.g2.com/discussions/what-is-sonarqube-and-how-does-it-work) - 1 upvote
- [What is the benefit of SonarQube?](https://www.g2.com/discussions/what-is-the-benefit-of-sonarqube)
- [What are the main components of SonarQube platform?](https://www.g2.com/discussions/what-are-the-main-components-of-sonarqube-platform)
- [What is SonarQube and its features?](https://www.g2.com/discussions/what-is-sonarqube-and-its-features)

### 17. [Xygeni](https://www.g2.com/products/xygeni/reviews)
Secure your Software Development and Delivery! Xygeni Security specializes in Application Security Posture Management (ASPM), using deep contextual insights to effectively prioritize and manage security risks while minimizing noise and overwhelming alerts. Our innovative technologies automatically detect malicious code in real-time upon new and updated components publication, immediately notifying customers and quarantining affected components to prevent potential breaches. With extensive coverage spanning the entire Software Supply Chain—including Open Source components, CI/CD processes and infrastructure, Anomaly detection, Secret leakage, Infrastructure as Code (IaC), and Container security—Xygeni ensures robust protection for your software applications. Trust Xygeni to protect your operations and empower your team to build and deliver with integrity and security.


**Average Rating:** 4.6/5.0
**Total Reviews:** 4

**Who Is the Company Behind Xygeni?**

- **Seller:** [Xygeni Security](https://www.g2.com/sellers/xygeni-security)
- **Year Founded:** 2021
- **HQ Location:** Madrid, ES
- **Twitter:** @xygeni (178 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/xygeni/ (30 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 60% Small-Business, 40% Mid-Market


#### What Are Xygeni's Pros and Cons?

**Pros:**

- Comprehensive Security (2 reviews)
- Prioritization (2 reviews)
- Risk Management (2 reviews)
- Security (2 reviews)
- Cloud Integration (1 reviews)

**Cons:**

- Difficult Setup (1 reviews)
- Learning Curve (1 reviews)


### What Do G2 Reviewers Say About Xygeni?
*AI-generated summary from verified user reviews*

**Pros:**

- Users commend the **comprehensive security** of Xygeni, enhancing their development process with effective risk management and compliance.
- Users value Xygeni&#39;s **contextual risk prioritization** , empowering teams to focus on critical security issues effectively.
- Users highlight the **advanced risk management capabilities** of Xygeni, effectively identifying and prioritizing security vulnerabilities.
- Users value the **robust security features** of Xygeni, enabling proactive threat management and compliance automation in development.
- Users value the **seamless CI/CD integration** of Xygeni, enhancing security while maintaining efficient development processes.

**Cons:**

- Users experience **difficult setup** with Xygeni, as certain edge cases complicate the integration with CI/CD pipelines.
- Users note a **steep learning curve** for first-time users, requiring familiarity with AppSec best practices.

#### What Are Recent G2 Reviews of Xygeni?

**"[The essential tool for proactive security and confident development](https://www.g2.com/survey_responses/xygeni-review-11393516)"**

**Rating:** 4.5/5.0 stars
*— Marcos C.*

[Read full review](https://www.g2.com/survey_responses/xygeni-review-11393516)

---

**"[Revolutionized Our Security Workflow with Unified, AI-Driven Efficiency](https://www.g2.com/survey_responses/xygeni-review-11998435)"**

**Rating:** 5.0/5.0 stars
*— Yerassyl K.*

[Read full review](https://www.g2.com/survey_responses/xygeni-review-11998435)

---



### 18. [BINARLY](https://www.g2.com/products/binarly/reviews)
Binarly is an AI-powered platform dedicated to protecting devices from emerging firmware and hardware threats. Founded in 2021 and headquartered in Pasadena, California, Binarly leverages advanced machine learning and deep code inspection at the binary level to provide comprehensive visibility into hardware and firmware vulnerabilities. This approach enables security teams to detect and respond to sophisticated attacks below the operating system, ensuring robust protection for enterprise device infrastructures.



**Who Is the Company Behind BINARLY?**

- **Seller:** [BINARLY](https://www.g2.com/sellers/binarly)
- **Year Founded:** 2021
- **HQ Location:** Santa Monica, US
- **LinkedIn® Page:** https://www.linkedin.com/company/binarlyinc (48 employees on LinkedIn®)






### 19. [CAST SBOM Manager](https://www.g2.com/products/cast-sbom-manager/reviews)
CAST SBOM Manager enables users to automatically create, customize, and maintain Software Bill of Materials (SBOMs) with the ultimate level of control and flexibility. It detects open source dependencies and related risks (vulnerabilities and security advisories, licenses, obsolescence) directly from scanning source code, and allows you to create and maintain SBOM metadata over time (proprietary components, custom licenses, vulnerabilities) and much more.



**Who Is the Company Behind CAST SBOM Manager?**

- **Seller:** [CAST](https://www.g2.com/sellers/cast)
- **Year Founded:** 1990
- **HQ Location:** New York
- **Twitter:** @SW_Intelligence (1,887 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cast/ (1,264 employees on LinkedIn®)
- **Ownership:** Bridgepoint






### 20. [CBOM Secure](https://www.g2.com/products/cbom-secure/reviews)
CBOM Secure is a machine-readable Cryptographic Bill of Materials (CBOM) platform that delivers continuous visibility and control over cryptography across source code, binaries, containers, and runtime environments. It automatically discovers and inventories algorithms, keys, certificates, protocols, and libraries, creating a centralized, normalized system of record. By mapping cryptographic assets to real execution paths, CBOM helps organizations distinguish dormant components from active usage, prioritize risk, and accelerate incident response. The platform supports compliance with standards such as NIST, FIPS 140-3, CMMC 2.0, and ISO 27001 while identifying legacy and quantum-vulnerable cryptography to enable structured post-quantum migration. Available on-premises, in the cloud, SaaS, or hybrid, CBOM transforms undocumented cryptography into a governed, audit-ready security control.



**Who Is the Company Behind CBOM Secure?**

- **Seller:** [Encryption Consulting](https://www.g2.com/sellers/encryption-consulting)
- **HQ Location:** N/A
- **LinkedIn® Page:** https://www.linkedin.com/company/No-Linkedin-Presence-Added-Intentionally-By-DataOps (1 employees on LinkedIn®)






### 21. [Enso Security](https://www.g2.com/products/enso-security/reviews)
Enso Application Security Posture is a platform for AppSec teams to manage their day-to-day work, implement their security strategy into an AppSec organizational program, enforce it and automate it. And all of that in a scalable rapidly changing environment. AppSec teams struggle with prioritization - they may have a vision and concept of how to handle AppSec, but they don’t know where to invest and what actions to take. To keep up with R&amp;D velocity and scale, Enso provides full visibility on the application inventory, focuses the AppSec teams on the most important tasks and insights, and takes a policy-based “call to action” approach so that the AppSec professionals won’t waste their time looking for application changes, prioritizing, or doing manual work.



**Who Is the Company Behind Enso Security?**

- **Seller:** [Enso Security](https://www.g2.com/sellers/enso-security)
- **HQ Location:** Boston, Massachusetts, United States
- **LinkedIn® Page:** https://www.linkedin.com/company/enso-security/ (1,331 employees on LinkedIn®)






### 22. [Eracent SBOM-HQ](https://www.g2.com/products/eracent-sbom-hq/reviews)
SBOM-HQ™ - from Eracent SBOM-HQ™ provides a well-rounded set of data, reporting and analysis features that help organizations minimize risks and comply with cyber mandates and directives. While SBOM-HQ™ provides value to in-house and commercial application development teams, it is also unique in its approach to meeting the requirements of organizations that purchase or subscribe to software from numerous publishers. These “software consumers” will have to manage dozens, hundreds, or even thousands of SBOMs for products that they use, and this is impractical or impossible to do one SBOM at a time. SBOM-HQ™ is based around a centralized, single-source repository of libraries, components, and other related data from SBOMs. It dramatically reduces response time when a vulnerability is reported since it eliminates the need to review SBOMs individually. How does SBOM-HQ™ work? Customers upload their SBOM files via the user interface. During this straightforward process, users can assign related information that can be used to support reporting, filters, data access, and more. This information includes Publisher, Line of Business, Application Component, and more. SBOM-HQ™ “deconstructs” each uploaded SBOM and records the software product to which the SBOM belongs and all the SBOM’s content. This results in an index of components and libraries mapped to products. If a vulnerability is reported by NIST or another organization, customers get an immediate report of every product in use in their organization that includes the affected component or library. SBOM-HQ™ is continuously monitored and updated, and it leverages vulnerability data from NIST and other trusted global sources. It uses this data to display risk scores, levels of criticality, and more. SBOM-HQ™ also provides visibility into license types for each component and library, reducing the risk of unknowingly using a library that has excessive restrictions when less risky options are available. The system offers version tracking – the version in use, newer available versions, and version history – as well as lifecycle dates that support obsolescence management. The dedicated open source library within Eracent’s IT-Pedia® product data library provides a solid foundation for SBOM-HQ™’s analysis and reporting. Who can benefit from using SBOM-HQ? SBOM-HQ is designed to support all teams engaged in the use and operation of software. DevOps – SBOM-HQ integrates into CI/CD to generate and enrich SBOMs with real time risk data, ensuring secure and compliant releases. Procurement – SBOM-HQ equips procurement teams with SBOM-driven insights into software quality and licensing risks, enabling smarter vendor selection and safer software purchases. CyberSec teams – SBOM-HQ evaluates cyber security aspects of purchased software and monitors new vulnerabilities that appear. ITOps – SBOM-HQ exposes software weaknesses and helps mitigate the risks. Legal and Licensing teams – SBOM-HQ delivers clear visibility into open source licenses, flags conflicts early, and provides audit-ready compliance reports. Why SBOM-HQ? SBOM-HQ is designed to support software buyers and users, not just software publishers. While most SBOM solutions stop at the software development life cycle, SBOM-HQ goes further. It empowers software consumers to continuously monitor not only what they build, but also what they buy - from design and procurement, through integration, all the way to production in their own data centers. With SBOM-HQ, transparency extends beyond development, delivering visibility and control across the entire software supply chain. To learn more about SBOM-HQ™, register for a free trial at sbomhq.com or contact Eracent today!



**Who Is the Company Behind Eracent SBOM-HQ?**

- **Seller:** [Eracent](https://www.g2.com/sellers/eracent)
- **Year Founded:** 2000
- **HQ Location:** Riegelsville, Pennsylvania
- **Twitter:** @eracent (141 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/15155 (70 employees on LinkedIn®)






### 23. [FOSSA](https://www.g2.com/products/fossa/reviews)
Open source is a critical part of your software. In the average modern software product, over 80% of the source code shipped is derived from open source. Each component can have cascading legal, security, and quality implications for your customers, making it one of the most important things to manage correctly. FOSSA helps you manage your open source components. We plug into your development workflow to help your team automatically track, manage, and remediate issues with the open source you use to: - Stay compliant with software licenses and generate required attribution documents - Enforce usage and licensing policies throughout your CI/CD workflow - Monitor and remediate security vulnerabilities - Flag code quality issues and outdated components proactively By enabling open source, we help development teams increase development velocity and decrease risk.


**Average Rating:** 4.2/5.0
**Total Reviews:** 15

**Who Is the Company Behind FOSSA?**

- **Seller:** [FOSSA](https://www.g2.com/sellers/fossa)
- **Year Founded:** 2015
- **HQ Location:** San Francisco, California
- **Twitter:** @getfossa (774 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/fossa/ (59 employees on LinkedIn®)

**Who Uses This Product?**
- **Top Industries:** Computer Software
- **Company Size:** 47% Small-Business, 33% Mid-Market


#### What Are FOSSA's Pros and Cons?

**Pros:**

- Easy Integrations (1 reviews)
- Issue Resolution (1 reviews)
- Remediation Solutions (1 reviews)
- Risk Management (1 reviews)
- Security (1 reviews)



### What Do G2 Reviewers Say About FOSSA?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **easy integrations** of FOSSA with their tech stack, streamlining dependency management and enhancing security.
- Users find FOSSA&#39;s **issue resolution capabilities** excellent for identifying vulnerabilities and recommending fixes effectively.
- Users value FOSSA&#39;s **robust remediation solutions** , effectively identifying library issues and recommending fixes for vulnerabilities.
- Users value FOSSA for its **effective risk management** , identifying vulnerabilities and providing recommendations in their applications.
- Users value FOSSA for its **robust security insights** that enhance the safety of their applications throughout the pipeline.


#### What Are Recent G2 Reviews of FOSSA?

**"[Fossa for enterprise applications](https://www.g2.com/survey_responses/fossa-review-10931000)"**

**Rating:** 4.0/5.0 stars
*— Pavan Kumar G.*

[Read full review](https://www.g2.com/survey_responses/fossa-review-10931000)

---

**"[&quot;The FOSSA Experience&quot;](https://www.g2.com/survey_responses/fossa-review-8576931)"**

**Rating:** 5.0/5.0 stars
*— Elvis M.*

[Read full review](https://www.g2.com/survey_responses/fossa-review-8576931)

---



### 24. [Heeler](https://www.g2.com/products/heeler/reviews)
Heeler empowers application security teams to shift left with the context they need to reduce noise, accelerate remediation, and move beyond traditional vulnerability management. By combining ASPM, SCA with static and runtime context, and runtime threat modeling, Heeler transforms AppSec programs from reactive firefighting to proactive, scalable security. How Heeler Helps AppSec Teams • Reduce Noise: AppSec teams and developers are drowning in findings. Heeler delivers unified code, runtime, business and security context, reducing alert noise by up to 95%, so teams can focus on critical issues and fix what matters most. • Fix Remediation: Remediation is broken. Most effort is spent reaching a fix—not implementing it. Heeler automates the remediation lifecycle, cutting effort and time, enabling AppSec teams to scale alongside engineering. • Move Beyond Vulnerabilities: With Heeler, continuous runtime threat modeling becomes a reality. Decompose running applications, track changes, compare deployments, and stop risks in real time—all before they reach production. Why Heeler is Essential Modern applications are more complex and dynamic than ever, expanding attack surfaces and making end-to-end security modeling nearly impossible without the right tools. Heeler bridges this gap, addressing the root causes of unscalable AppSec programs: • Lack of Context: Disparate data silos make understanding application behavior and identifying risks challenging. • Labor-Intensive Processes: Without unified context, security efforts are manual, unscalable, and push risk identification too far right. • Firefighting Mode: Security and engineering teams are trapped addressing too many findings and often focus their time on the wrong threats, leaving no bandwidth for secure-by-design initiatives. Key Capabilities • ProductDNA (Unified Context): Automates a real-time service catalog, mapping changesets to deployments and modeling every service with integrated code, runtime, business, and security context. • Runtime Threat Modeling: Enables continuous threat modeling with tools to decompose applications, track changes, compare deployments, and uncover risks in real time. • ASPM: Heeler reduces alert noise by up to 95% and automates remediation workflows, scaling security seamlessly with engineering demands. • SCA with Static and Runtime Context: Combines static and runtime data with business and deployment context, delivering next-gen SCA that prioritizes what matters, strengthens security, and simplifies AppSec workflows. Heeler ensures AppSec teams and developers have the context they need to shift left and build secure-by-design applications—effortlessly.



**Who Is the Company Behind Heeler?**

- **Seller:** [Heeler Security](https://www.g2.com/sellers/heeler-security)
- **Year Founded:** 2023
- **HQ Location:** N/A
- **LinkedIn® Page:** https://www.linkedin.com/company/heeler-security (20 employees on LinkedIn®)






### 25. [Hilt](https://www.g2.com/products/hilt/reviews)
Hilt monitors how data actually moves across your environment, not just whether policies are followed. Using proprietary eBPF kernel probes, Hilt captures every data movement event at the base level across cloud workloads, endpoints, and network boundaries. A three-tier behavioral detection engine (deterministic rules, behavioral ML, and model inference) identifies anomalous data movement in real time including transfers where permissions were valid and no policy was violated, but the behavior was wrong. Automated containment blocks exfiltration in under one second. Deployed in minutes with one command, no code changes, and no SDK. Built for latency-sensitive environments including financial services, hedge funds, and law firms.



**Who Is the Company Behind Hilt?**

- **Seller:** [Hilt AI](https://www.g2.com/sellers/hilt-ai)
- **HQ Location:** Milton Keynes, GB
- **LinkedIn® Page:** https://www.linkedin.com/company/hilt-ai/ (1 employees on LinkedIn®)







## What Is Software Bill of Materials (SBOM) Software?

[DevSecOps Software](https://www.g2.com/categories/devsecops)

## What Software Categories Are Similar to Software Bill of Materials (SBOM) Software?

- [Static Application Security Testing (SAST) Software](https://www.g2.com/categories/static-application-security-testing-sast)
- [Software Composition Analysis Tools](https://www.g2.com/categories/software-composition-analysis)
- [Software Supply Chain Security Solutions](https://www.g2.com/categories/software-supply-chain-security-tools)



