# Best Software Bill of Materials (SBOM) Software

*By [Adam Crivello](https://research.g2.com/insights/author/adam-crivello)*


Software bill of materials (SBOM) solutions generate, ingest, manage, and monitor a machine-readable inventory of the components within software supply chains. The components covered include libraries, packages, modules, associated licenses, and more. Companies and developers use SBOM software to deliver and annotate comprehensive SBOMs for their software’s third party and open source components .

These solutions allow users to comply with government mandates that require the provision of a minimum SBOM. Maintaining and monitoring SBOMs also helps companies perform continuous risk assessments, though vulnerability remediation is not the primary focus of such tools. [software composition analysis (SCA) tools](https://www.g2.com/categories/software-composition-analysis) scan software supply chains’ components and dependencies at the code level to identify and remediate security vulnerabilities, whereas SBOM software automates the standardized presentation of those elements for transparency, observability, and compliance.

To qualify for inclusion in the Software Bill of Materials (SBOM) category, a product must:

- Automatically ingest and generate SBOMs in standard formats like CycloneDX and SPDX
- Continuously monitor and update SBOMs based on component versions, associated licenses, dependencies, and more
- Alert users of non-compliant elements in their software supply chain
- Allow users to annotate SBOMs
- Facilitate compliance with government regulations







## How Many Software Bill of Materials (SBOM) Software Products Does G2 Track?
**Total Products under this Category:** 33

### Category Stats (Jul 2026)
- **Average Rating**: 4.48/5 (↓0.03 vs Jun 2026) The average rating of products in this category, based on all submitted ratings
- **Top Trending Product**: Arnica (+0.37%) - Among all products in this category, Arnica recorded the largest rating increase compared to last month
*Last updated: July 17, 2026*


## How Does G2 Rank Software Bill of Materials (SBOM) Software Products?

**Why You Can Trust G2's Software Rankings:**

- 30 Analysts and Data Experts
- 900+ Authentic Reviews
- 33+ Products
- Unbiased Rankings

G2's software rankings are built on verified user reviews, rigorous moderation, and a consistent research methodology maintained by a team of analysts and data experts. Each product is measured using the same transparent criteria, with no paid placement or vendor influence. While reviews reflect real user experiences, which can be subjective, they offer valuable insight into how software performs in the hands of professionals. Together, these inputs power the G2 Score, a standardized way to compare tools within every category.


## Which Software Bill of Materials (SBOM) Software Is Best for Your Use Case?

- **Easiest to Use:** [OX Security](https://www.g2.com/products/ox-security/reviews)
- **Best Free Software:** [OX Security](https://www.g2.com/products/ox-security/reviews)


---

**Sponsored**

### KORONA POS

Developed by COMBASE, KORONA POS is a cloud-based point of sale built for retailers, quick-service dining, and ticketing businesses. It was built to help businesses automate operations, gain insight into performance, and effectively scale. KORONA POS software comes with a user-friendly and fully customizable front-end cashier system. Users can create unique button layouts, change prices and buttons, add images and descriptions, set different user permissions, add automated prompts, and adjust the customer-facing screen with different messaging, loyalty logins, or advertising. The back-end of KORONA POS, called KORONA Studio, offers merchants vast inventory management features, custom sales reporting and KPI metrics, employee management, vendor relations, gift card management, promotions, ticketing features, loss prevention features, self-checkout solutions, RFID technology, and modern payment options. It&#39;s also fully integrated with card processing, eCommerce, accounting, payroll and scheduling apps, and CRM systems and contains an open API through which any merchant or partner can build any integration to KORONA POS. KORONA POS is a subscription-based cloud POS system. Each account is billed by the number of terminals and includes automated updates, full customer support, and no additional fees. The KORONA POS cloud is updated quarterly with new features and integrations. Merchants can also use existing hardware solutions that run on Windows or Linux operating systems. Customer support is included in every subscription and is reachable promptly by phone, chat, and email, and emergency phone support is available 24/7. KORONA POS also provides an in-depth product manual (https://manual.koronapos.com/) and video tutorials on its YouTube channel (https://www.youtube.com/playlist?list=PLtUxCVhwpmcpahIMGY5pzEvSTQVlNTAAy).



[Visit website](https://www.g2.com/external_clickthroughs/record?secure%5Bad_program%5D=ppc&amp;secure%5Bad_slot%5D=category_product_list&amp;secure%5Bcategory_id%5D=1008169&amp;secure%5Bchosen_at%5D=2026-07-17T23%3A08%3A29Z&amp;secure%5Bdisplayable_resource_id%5D=1111&amp;secure%5Bdisplayable_resource_type%5D=Category&amp;secure%5Bmedium%5D=sponsored&amp;secure%5Bplacement_reason%5D=retargeted_product&amp;secure%5Bplacement_resource_ids%5D%5B%5D=42651&amp;secure%5Bprioritized%5D=false&amp;secure%5Bproduct_id%5D=42651&amp;secure%5Bresource_id%5D=1008169&amp;secure%5Bresource_type%5D=Category&amp;secure%5Bsource_type%5D=category_page&amp;secure%5Bsource_url%5D=https%3A%2F%2Fwww.g2.com%2Fcategories%2Fsoftware-bill-of-materials-sbom&amp;secure%5Btoken%5D=c4cd3629a885a0c944f49c7f7ed10ceb6827b1555ef3488db9fdb0617de94884&amp;secure%5Burl%5D=https%3A%2F%2Fkoronapos.com%2Fschedule-a-demo%2F%3Futm_source%3DG2%26utm_medium%3Dcompetitor%26utm_campaign%3Dfree-trail&amp;secure%5Burl_type%5D=book_demo)

---

## What Are the Top-Rated Software Bill of Materials (SBOM) Software Products in 2026?
### 1. [OX Security](https://www.g2.com/products/ox-security/reviews)
OX rewires your security program for the Mythos Age: the era where AI writes the code, chains the exploits, and moves faster than human-built defenses can track. OX is the unified Prompt to Runtime security platform. It moves your control surface upstream to the prompt, preventing and governing risk at the source instead of chasing it downstream in runtime. OX Mind and OX AI Context Lake connect AI-user governance, code security, cloud and runtime enforcement, and agentic pentesting into one system that shares context across the entire Agentic Development Lifecycle (ADLC), replacing fragmented point tools with a single platform. The platform runs on four connected pillars: OX VibeSec: Prevents unsafe AI decisions at the point of creation and governs every AI user in the organization, not just developers using coding assistants. Full visibility into which agents, MCPs, skills, and packages run, with what permissions, against what data. OX Code: Separates exploitable risk from theoretical noise using evidence from your actual deployment, threat model, and threat intelligence. OX Cloud: Prevents misconfigurations and enforces runtime boundaries that code and agents cannot cross, watching what actually runs in production. OX Agentic Pentester: Continuously simulates adversarial agent behavior to prove exploit paths back to their exact source, feeding what it finds back into OX VibeSec to sharpen governance. OX connects to your existing stack and traces every finding back to its origin (the prompt, the AI user, or the endpoint that created it), then fixes issues at the source rather than flagging them after the fact. For new deployments, OX consolidates governance, code security, cloud enforcement, and pentesting into one platform. For existing stacks, OX layers governance on top and makes current tools smarter through continuous learning, so the same issue never gets created twice. Visit https://ox.security for more information.


**Average Rating:** 4.8/5.0
**Total Reviews:** 51

**Who Is the Company Behind OX Security?**

- **Seller:** [OX Security](https://www.g2.com/sellers/ox-security)
- **Year Founded:** 2021
- **HQ Location:** New York, USA
- **LinkedIn® Page:** https://www.linkedin.com/company/ox-security/ (199 employees on LinkedIn®)

**Who Uses This Product?**
- **Who Uses This:** Security Engineer
- **Top Industries:** Financial Services, Information Technology and Services
- **Company Size:** 63% Mid-Market, 25% Enterprise


#### What Are OX Security's Pros and Cons?

**Pros:**

- Features (8 reviews)
- Collaboration (6 reviews)
- Customer Support (6 reviews)
- Easy Integrations (6 reviews)
- Speed (6 reviews)

**Cons:**

- Complexity (5 reviews)
- Overwhelming Interface (4 reviews)
- Complex Setup (3 reviews)
- Dashboard Issues (3 reviews)
- Difficult Learning (3 reviews)


### What Do G2 Reviewers Say About OX Security?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **intuitive dashboard and seamless integration** of OX Security, enhancing their security management and workflow efficiency.
- Users value the **seamless collaboration** enabled by OX Security, enhancing their focus on critical development tasks.
- Users commend the **responsive customer support** of OX Security, enhancing their overall operational efficiency and satisfaction.
- Users value the **seamless integrations** with existing tools, enhancing workflows and boosting overall development efficiency.
- Users appreciate the **speed** of OX Security, enabling faster remediation of vulnerabilities and cloud misconfigurations.

**Cons:**

- Users find the **complexity** of OX Security daunting, facing a steep learning curve and inadequate documentation.
- Users find the **interface overwhelming** , with a steep learning curve and insufficient documentation to guide new users.
- Users find the **complex setup** challenging, especially due to inadequate documentation and overwhelming UI for new users.
- Users find the **executive dashboard limiting** , impacting effective reporting on product security enhancements to management.
- Users find OX Security&#39;s **difficult learning curve** challenging, particularly due to its complex interface and lacking documentation.

#### What Are Recent G2 Reviews of OX Security?

**"[A powerful and comprehensive tool that meets most best practices for web app security testing](https://www.g2.com/survey_responses/ox-security-review-10961361)"**

**Rating:** 4.5/5.0 stars
*— Verified User in Gambling &amp; Casinos*

[Read full review](https://www.g2.com/survey_responses/ox-security-review-10961361)

---

**"[A Transformative Game-Changer in Application Security Posture Management](https://www.g2.com/survey_responses/ox-security-review-10618682)"**

**Rating:** 5.0/5.0 stars
*— Dudi E.*

[Read full review](https://www.g2.com/survey_responses/ox-security-review-10618682)

---



### 2. [Cybeats](https://www.g2.com/products/cybeats/reviews)
Cybeats is at the forefront of cybersecurity innovation and is focused explicitly on automating Software Bill of Materials (SBOM) and Vulnerability Exploitability eXchange (VEX) management. Our platform has built-in support for HBOM and AIBOM. Our mission is to empower organizations to rapidly identify and address vulnerabilities, significantly reducing costs while enhancing the security posture of their products. With our focus on the vision of &quot;Building trust in every layer of your technology,&quot; Cybeats provides a robust platform that ensures transparency and security throughout the technological stack. Core Offerings - SBOM Management &amp; Continuous Monitoring Cybeats offers a scalable solution for managing and monitoring SBOMs. Our platform stores enriches and distributes SBOMs efficiently across the organization and the organization&#39;s customers. This continuous monitoring helps proactively identify and mitigate software component risks. - SBOM Inventory &amp; Management We provide a centralized system for SBOM inventory management that ensures all software components are accounted for, up-to-date, and secure. This systematic approach helps maintain a clear overview of all software elements, facilitating easier management and compliance. - Vulnerability Lifecycle Management (VLM) Our VLM capabilities integrate Vulnerability Exploitability Exchange (VEX) and Vulnerability Disclosure Program (VDP) processes. This integration helps identify, assess, manage, and mitigate vulnerabilities throughout their lifecycle, ensuring continuous protection against potential software supply chain threats. - Regulatory Compliance Cybeats aligns with global regulatory requirements, assisting organizations in staying compliant with evolving cybersecurity standards. Our solution simplifies compliance management, reducing the complexity and resources required to meet legal and industry standards. With the introduction of regulatory requirements of the FDA pre-market and post-market, the EU CRA, PCI-SSF, and others, companies that develop software-based products must align with the SBOM and Vulnerability management requirements. - OSS and Comercial Licensing Risk Assessment Understanding and managing licensing risks associated with software components is crucial. Cybeats provides tools to assess these risks, helping organizations avoid legal and financial repercussions related to software licensing. - SBOM Sharing and Exchange We facilitate secure sharing and exchange of SBOMs within and across organizations. This capability ensures that all parties in the software supply chain have access to accurate and timely information, enhancing collaborative efforts toward secure software development.


**Average Rating:** 4.4/5.0
**Total Reviews:** 15

**Who Is the Company Behind Cybeats?**

- **Seller:** [CYBEATS](https://www.g2.com/sellers/cybeats)
- **Year Founded:** 2017
- **HQ Location:** Toronto, Ontario
- **Twitter:** @cybeatstech (616 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cybeats/ (32 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 47% Small-Business, 33% Mid-Market



#### What Are Recent G2 Reviews of Cybeats?

**"[Great Computer Security Service Solutin](https://www.g2.com/survey_responses/cybeats-review-7160083)"**

**Rating:** 4.5/5.0 stars
*— Patrícia P.*

[Read full review](https://www.g2.com/survey_responses/cybeats-review-7160083)

---

**"[A safe and secure enterprise supply chain management system is created and enabled by Cybeats](https://www.g2.com/survey_responses/cybeats-review-7468992)"**

**Rating:** 4.5/5.0 stars
*— Karan C.*

[Read full review](https://www.g2.com/survey_responses/cybeats-review-7468992)

---



### 3. [Aqua Security](https://www.g2.com/products/aqua-security/reviews)
Aqua Security sees and stops attacks across the entire cloud native application lifecycle in a single, integrated platform. From software supply chain security for developers to cloud security and runtime protection for security teams, Aqua helps customers reduce risk while building the future of their businesses. The Aqua Platform is the industry’s most comprehensive Cloud Native Application Protection Platform (CNAPP). Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in over 40 countries.


**Average Rating:** 4.2/5.0
**Total Reviews:** 57

**Who Is the Company Behind Aqua Security?**

- **Seller:** [Aqua Security Software Ltd](https://www.g2.com/sellers/aqua-security-software-ltd)
- **Year Founded:** 2015
- **HQ Location:** Burlington, US
- **Twitter:** @AquaSecTeam (7,673 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/aquasecteam/ (466 employees on LinkedIn®)

**Who Uses This Product?**
- **Top Industries:** Computer Software, Financial Services
- **Company Size:** 56% Enterprise, 39% Mid-Market


#### What Are Aqua Security's Pros and Cons?

**Pros:**

- Security (18 reviews)
- Ease of Use (15 reviews)
- Detection (10 reviews)
- Features (10 reviews)
- Comprehensive Security (8 reviews)

**Cons:**

- Missing Features (7 reviews)
- Lack of Features (5 reviews)
- Improvement Needed (4 reviews)
- Limited Features (4 reviews)
- Complexity (3 reviews)


### What Do G2 Reviewers Say About Aqua Security?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value Aqua Security&#39;s **proactive threat intelligence** and comprehensive approach, ensuring robust protection for their code.
- Users commend the **ease of use** of Aqua Security, highlighting its intuitive UI and smooth implementation process.
- Users value Aqua Security for its **effective detection** of vulnerabilities, providing insightful security solutions and proactive threat intelligence.
- Users value the **extensive security insights** and intuitiveness of Aqua Security, enhancing their development process significantly.
- Users value the **comprehensive security** features of Aqua Security, simplifying container management and enhancing protection effectiveness.

**Cons:**

- Users note the **missing features** in Aqua Security, including limited integration, reporting, and drill-down capabilities.
- Users note a **lack of features** , limiting functionality and making analysis cumbersome with basic metrics and read-only visuals.
- Users indicate that **improvement is needed** in widget functionality, reporting, and integration for better usability.
- Users find Aqua Security&#39;s features **limited** , lacking crucial functionalities like dark mode and enhanced reporting capabilities.
- Users find Aqua Security&#39;s **complex interface** and setup process challenging, requiring significant technical knowledge and documentation.

#### What Are Recent G2 Reviews of Aqua Security?

**"[AquaSec have been very efficient and user friendly.](https://www.g2.com/survey_responses/aqua-security-review-7802942)"**

**Rating:** 5.0/5.0 stars
*— Adefolarin B.*

[Read full review](https://www.g2.com/survey_responses/aqua-security-review-7802942)

---

**"[Allows us to monitor security of or platforms and scan images easily.](https://www.g2.com/survey_responses/aqua-security-review-10502217)"**

**Rating:** 5.0/5.0 stars
*— Mitchell M.*

[Read full review](https://www.g2.com/survey_responses/aqua-security-review-10502217)

---



### 4. [Arnica](https://www.g2.com/products/arnica/reviews)
Arnica is a comprehensive application security posture management (ASPM) platform that protects developers, source code, and products throughout the software development lifecycle. The platform provides real-time application security scanning with 100% coverage across the software supply chain, addressing risks in Static Application Security Testing (SAST), Software Composition Analysis (SCA), Infrastructure as Code (IaC), hardcoded secrets detection, and more. At its core, Arnica offers AI-native security governance that takes control of AI-generated code through advanced AI SAST scanning and agentic rules enforcement. The platform automatically injects centrally-controlled security requirements into AI coding agents like Copilot, Cursor, and Claude at the point of code generation, ensuring every line of AI-written code is secure by default before vulnerabilities reach production. This approach addresses 92% of risks before they ever reach production environments. Arnica&#39;s pipelineless architecture provides automatic coverage for every repository without requiring CI/CD pipeline integrations or IDE deployments. The platform scans every code change at the feature branch level, delivering developer-native workflows that keep teams focused on building features rather than chasing security issues. Risk prioritization is enhanced through OWASP Top 10, CVSS, EPSS, and KEV scoring, combined with organizational context to surface the most critical vulnerabilities. The platform excels in developer experience by delivering security findings directly within existing workflows through Slack, Microsoft Teams, pull request comments, and automated ticket management in Jira and Azure DevOps Boards. AI-powered mitigation suggestions provide context-aware, automated fixes that align with organizational coding standards, significantly reducing mean-time-to-remediation. Key security capabilities include real-time secrets detection with automatic validation and mitigation, comprehensive container scanning that maps vulnerabilities directly to source code, and intelligent dependency management with automated SCA upgrades. The platform maintains SOC 2 Type 2 compliance and ISO 27001 certification, ensuring enterprise-grade security standards. Arnica&#39;s unique value proposition lies in its ability to scale security across entire organizations while maintaining development velocity, providing complete visibility into code risks, and enabling proactive security measures that prevent vulnerabilities from reaching production environments.


**Average Rating:** 4.9/5.0
**Total Reviews:** 8

**Who Is the Company Behind Arnica?**

- **Seller:** [Arnica](https://www.g2.com/sellers/arnica)
- **Company Website:** https://www.arnica.io
- **Year Founded:** 2021
- **HQ Location:** Alpharetta, Georgia
- **Twitter:** @arnicaio (124 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/arnica-io/about (60 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 63% Enterprise, 25% Small-Business


#### What Are Arnica's Pros and Cons?

**Pros:**

- Accuracy of Findings (1 reviews)
- Actionable Recommendations (1 reviews)
- Ease of Use (1 reviews)
- Easy Setup (1 reviews)
- Remediation Solutions (1 reviews)

**Cons:**

- Paid Features (1 reviews)


### What Do G2 Reviewers Say About Arnica?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **accuracy of findings** from Arnica, which helps identify and minimize unnecessary elevated privileges.
- Users value the **actionable recommendations** provided by Arnica, facilitating effective management of elevated privileges in code repositories.
- Users love the **easy setup and administration** of Arnica, saving time while meeting their needs effectively.
- Users love the **easy setup** of Arnica, finding it quick and efficient for their needs.
- Users value Arnica for its ability to **simplify remediation of overprovisioning** and enhance security through effective privilege management.

**Cons:**

- Users note that **paid features** in Arnica restrict access for smaller teams, limiting comprehensive protections.

#### What Are Recent G2 Reviews of Arnica?

**"[Intuitive Dashboards and AI That Finds Real Issues](https://www.g2.com/survey_responses/arnica-review-12972680)"**

**Rating:** 5.0/5.0 stars
*— Verified User in Computer Software*

[Read full review](https://www.g2.com/survey_responses/arnica-review-12972680)

---

**"[Developer-friendly AppSec with a flexible policy engine](https://www.g2.com/survey_responses/arnica-review-12962349)"**

**Rating:** 5.0/5.0 stars
*— Thomas G.*

[Read full review](https://www.g2.com/survey_responses/arnica-review-12962349)

---


#### What Are G2 Users Discussing About Arnica?

- [What is Arnica used for?](https://www.g2.com/discussions/what-is-arnica-used-for)

### 5. [Finite State](https://www.g2.com/products/finite-state/reviews)
Finite State empowers device OEMs to ship securely while enabling engineering teams to move at the speed of AI, immediately transforming product artifacts into audit-ready assurance through a single automated workflow. Leveraging deep binary analysis and AI-native execution, the platform unifies code, compiled components, and firmware in minutes—connecting security design with deployed software. By continuously generating SBOMs, VEX, and signed compliance packages, Finite State enables connected device companies across industries such as medical devices and automotive to meet evolving regulations, including the EU Cyber Resilience Act (CRA), and deliver continuous compliance at speed. Learn more at https://finitestate.io/


**Average Rating:** 4.3/5.0
**Total Reviews:** 12

**Who Is the Company Behind Finite State?**

- **Seller:** [Finite State](https://www.g2.com/sellers/finite-state)
- **Company Website:** https://finitestate.io
- **Year Founded:** 2017
- **HQ Location:** Columbus, Ohio, United States
- **Twitter:** @FiniteStateInc (670 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/finitestate (78 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 50% Enterprise, 25% Mid-Market



#### What Are Recent G2 Reviews of Finite State?

**"[Deep Visibility Into Supply Chain Risks and CVEs—Boosting Product Security](https://www.g2.com/survey_responses/finite-state-review-12966722)"**

**Rating:** 5.0/5.0 stars
*— Suru S.*

[Read full review](https://www.g2.com/survey_responses/finite-state-review-12966722)

---

**"[Finite State Review: Firmware Security Simplified](https://www.g2.com/survey_responses/finite-state-review-12997919)"**

**Rating:** 5.0/5.0 stars
*— Prasanth B.*

[Read full review](https://www.g2.com/survey_responses/finite-state-review-12997919)

---



### 6. [Mend.io](https://www.g2.com/products/mend-io/reviews)
Modern risk doesn&#39;t live in one layer, it lives between them. Mend.io is built for every risk, across AI and AppSec, securing the code layer, the AI layer, and the interactions between them. From discovery and red teaming to guardrails and runtime protection, Mend.io delivers continuous protection across the entire AI application lifecycle. Mend.io solutions include: 1. Mend AI secures the layer where modern risk actually lives—the interaction between code and AI. It continuously discovers AI components (agents, prompts, models), tests real behavioral risk through automated red teaming, and enforces in-app runtime guardrails for one continuous control system for the AI lifecycle. 2. Mend AppSec secures the modern code layer by continuously discovering and prioritizing risk across code, libraries, containers, and dependencies, giving teams the clarity they need to reduce exposure and ship secure software faster. 3. Mend Renovate secures the foundation of every codebase by automatically updating dependencies, rating the likelihood each update will succeed without breaking changes, and grouping them by confidence level so teams can resolve them faster.


**Average Rating:** 4.3/5.0
**Total Reviews:** 109

**Who Is the Company Behind Mend.io?**

- **Seller:** [Mend](https://www.g2.com/sellers/mend-ab79a83a-6747-4682-8072-a3c176489d0b)
- **Company Website:** https://mend.io
- **Year Founded:** 2011
- **HQ Location:** Boston, Massachusetts
- **Twitter:** @Mend_io (11,256 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/2440656/ (257 employees on LinkedIn®)

**Who Uses This Product?**
- **Who Uses This:** Software Engineer
- **Top Industries:** Computer Software, Information Technology and Services
- **Company Size:** 37% Small-Business, 34% Mid-Market


#### What Are Mend.io's Pros and Cons?

**Pros:**

- Scanning Efficiency (8 reviews)
- Ease of Use (7 reviews)
- Easy Integrations (6 reviews)
- Scanning Technology (6 reviews)
- Vulnerability Detection (6 reviews)

**Cons:**

- Integration Issues (6 reviews)
- Limited Features (3 reviews)
- Missing Features (3 reviews)
- Complex Implementation (2 reviews)
- Confusing Interface (2 reviews)


### What Do G2 Reviewers Say About Mend.io?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **scanning efficiency** of Mend.io, appreciating its quick and accurate results across multiple repositories.
- Users appreciate the **ease of use** of Mend.io, highlighting simple integration and efficient navigation to find vulnerabilities.
- Users appreciate the **easy integrations** of Mend.io, enabling efficient scanning and streamlined workflows across multiple repositories.
- Users appreciate the **quick and accurate scanning** capabilities of Mend.io, enhancing their development workflow and security.
- Users commend the **excellent automated vulnerability detection** in Mend.io, enhancing efficiency in their CI/CD processes.

**Cons:**

- Users struggle with **integration issues** , finding the setup process for tools like Jira and on-premise systems challenging.
- Users find **limited features** in Mend.io, struggling with functionality and integration challenges for various tools and cases.
- Users note that Mend.io lacks **essential features** , requiring additional tools and workarounds for effective integration.
- Users experience **complex implementation** with Mend.io, citing difficulties in integration and frequent false positives.
- Users find the **confusing interface** of Mend.io awkward, especially when switching between different product portals.

#### What Are Recent G2 Reviews of Mend.io?

**"[Great Tool for Managing 3rd party libraries](https://www.g2.com/survey_responses/mend-io-review-6728890)"**

**Rating:** 4.5/5.0 stars
*— Johannes B.*

[Read full review](https://www.g2.com/survey_responses/mend-io-review-6728890)

---

**"[Effortless Integration with Budget-Friendly Scanning](https://www.g2.com/survey_responses/mend-io-review-4261734)"**

**Rating:** 5.0/5.0 stars
*— Verified User in Computer Software*

[Read full review](https://www.g2.com/survey_responses/mend-io-review-4261734)

---


#### What Are G2 Users Discussing About Mend.io?

- [What is your experience regarding pricing and costs for Mend.io, and how does it compare to other open-source security solutions?](https://www.g2.com/discussions/what-is-your-experience-regarding-pricing-and-costs-for-mend-io-and-how-does-it-compare-to-other-open-source-security-solutions)
- [What is Mend (formerly WhiteSource) used for?](https://www.g2.com/discussions/what-is-mend-formerly-whitesource-used-for)
- [What is white Source bolt?](https://www.g2.com/discussions/what-is-white-source-bolt)
- [What are SCA tools?](https://www.g2.com/discussions/what-are-sca-tools)
- [What is software composition analysis SCA?](https://www.g2.com/discussions/what-is-software-composition-analysis-sca)

### 7. [Socket](https://www.g2.com/products/socket-socket/reviews)
Socket is the leading developer-first security platform that protects modern applications from malicious and vulnerable open source dependencies. By combining real-time package monitoring with AI-powered code analysis, Socket detects and blocks supply chain attacks within minutes of publication. With advanced reachability analysis, automated remediation, and license compliance features, Socket enables teams to focus on building software, while we keep their open source code secure.


**Average Rating:** 4.7/5.0
**Total Reviews:** 10

**Who Is the Company Behind Socket?**

- **Seller:** [Socket](https://www.g2.com/sellers/socket)
- **Year Founded:** 2020
- **HQ Location:** San Francisco, US
- **Twitter:** @SocketSecurity (21,558 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/socketinc/ (115 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 40% Mid-Market, 30% Enterprise


#### What Are Socket's Pros and Cons?

**Pros:**

- Security (3 reviews)
- Open Source (2 reviews)
- Accuracy of Findings (1 reviews)
- Alerts (1 reviews)
- Comprehensive Security (1 reviews)

**Cons:**

- Missing Features (1 reviews)
- System Slowness (1 reviews)


### What Do G2 Reviewers Say About Socket?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value Socket&#39;s **exceptional security features** , particularly in monitoring and mitigating supply chain attacks effectively.
- Users praise Socket for its **effective open source security analysis** , streamlining package reviews and enhancing reliability.
- Users value the **accuracy of findings** from Socket, appreciating the thorough analysis it offers for open source security.
- Users value the **proactive alerts** from Socket, ensuring quick responses to potential supply chain threats.
- Users value the **comprehensive security** features of Socket, enhancing decision-making and risk management in software supply chains.

**Cons:**

- Users find the **missing features** in Socket limit its ability to consolidate multiple use cases effectively.
- Users report experiencing **system slowness** , particularly noting the UI&#39;s slow loading times impacting their overall experience.

#### What Are Recent G2 Reviews of Socket?

**"[Unique Approach to Supply Chain Security Problem and Does It Really Well](https://www.g2.com/survey_responses/socket-review-12052484)"**

**Rating:** 5.0/5.0 stars
*— Sindhoor H.*

[Read full review](https://www.g2.com/survey_responses/socket-review-12052484)

---

**"[Essential Tool for Application Security with Stellar MCP Feature](https://www.g2.com/survey_responses/socket-review-12686360)"**

**Rating:** 5.0/5.0 stars
*— Shreejal M.*

[Read full review](https://www.g2.com/survey_responses/socket-review-12686360)

---



### 8. [SOOS](https://www.g2.com/products/soos/reviews)
SOOS is the complete application security posture management platform. Scan your software for vulnerabilities, control the introduction of new dependencies, exclude unwanted license types, generate and manage Software Bill of Materials (SBOM), and fill out your compliance worksheets across all your teams. SOOS’s ASPM is a dynamic, comprehensive approach to safeguarding your application infrastructure from vulnerabilities across the Software Development Life Cycle (SDLC) and live deployments. Easy to integrate, all in one dashboard. SCA - Deep tree vulnerability scanning, license compliance, governance DAST - Automated Web &amp; API vulnerability scanning Containers - Scan contents for vulnerabilities SAST - Analyze code for security vulnerabilities IaC - Cloud security coverage SBOMs - Create – monitor – manage


**Average Rating:** 4.6/5.0
**Total Reviews:** 42

**Who Is the Company Behind SOOS?**

- **Seller:** [SOOS](https://www.g2.com/sellers/soos)
- **Year Founded:** 2019
- **HQ Location:** Winooski, US
- **Twitter:** @soostech (44 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/53122310 (24 employees on LinkedIn®)

**Who Uses This Product?**
- **Top Industries:** Information Technology and Services, Computer Software
- **Company Size:** 50% Mid-Market, 43% Small-Business


#### What Are SOOS's Pros and Cons?

**Pros:**

- Ease of Use (9 reviews)
- Customer Support (5 reviews)
- Easy Integrations (5 reviews)
- Integrations (5 reviews)
- Easy Setup (4 reviews)

**Cons:**

- Lack of Guidance (3 reviews)
- Poor Reporting (3 reviews)
- Dashboard Issues (2 reviews)
- Inadequate Reporting (2 reviews)
- Lacking Features (2 reviews)


### What Do G2 Reviewers Say About SOOS?
*AI-generated summary from verified user reviews*

**Pros:**

- Users find SOOS to be **easy to use** , benefiting from user-friendly configurations and excellent support.
- Users praise the **awesome customer support** from SooS, ensuring a smooth onboarding and configuration process.
- Users commend SOOS for its **easy integrations** , enabling seamless workflows and efficient vulnerability management in development.
- Users value the **seamless integrations** of SOOS, enhancing workflow efficiency and simplifying vulnerability management.
- Users find the **easy setup** of SOOS to be intuitive and efficient, enhancing their overall experience.

**Cons:**

- Users note a **lack of guidance** in documentation and processes, hindering onboarding and remediation efforts.
- Users find the **poor reporting** of SOOS limits their ability to analyze vulnerabilities effectively across projects.
- Users find the **dashboard issues** frustrating, particularly with limited reporting and filtering options that hinder analysis.
- Users find SOOS lacks **adequate reporting** , needing better customization and filtering options for effective analysis.
- Users find the **lack of features** in SOOS limits usability, especially with reporting and intuitive navigation.

#### What Are Recent G2 Reviews of SOOS?

**"[Awesome tool for detecting vulnerabilities within project dependecies](https://www.g2.com/survey_responses/soos-review-7753830)"**

**Rating:** 4.5/5.0 stars
*— Nayan C.*

[Read full review](https://www.g2.com/survey_responses/soos-review-7753830)

---

**"[Reliable continuous security assessment for our pipelines](https://www.g2.com/survey_responses/soos-review-7744758)"**

**Rating:** 4.0/5.0 stars
*— Brallan G.*

[Read full review](https://www.g2.com/survey_responses/soos-review-7744758)

---



### 9. [CAST Highlight](https://www.g2.com/products/cast-highlight/reviews)
Portfolio-level insights for app modernization, AI readiness, tech debt, OSS risks CAST Highlight is a SaaS software intelligence technology that delivers rapid, fact-based insights across your entire application portfolio. By automatically analyzing the source code of hundreds or thousands of applications, CAST Highlight helps organizations assess cloud maturity, AI &amp; Agentic readiness, software health, open source risk, resiliency, technical debt, and sustainability from a single lightweight scan. CAST Highlight is designed for CIOs, CTOs, enterprise architects, cloud leaders, application owners, security teams, and modernization teams that need a fact-based way to prioritize modernization, cloud, and AI adoption decisions at scale. It helps teams identify which applications are ready to move quickly, which require remediation, and where hidden software risks may affect transformation cost, timelines, security, resilience, or business outcomes. Unlike traditional manual or survey-based assessments, CAST Highlight analyzes application source code directly to rapidly segment portfolios, prioritize modernization paths, and uncover risks before they impact transformation programs. Organizations use CAST Highlight to: - Accelerate cloud migration and modernization planning - Segment applications by cloud maturity and transformation path - Identify high-value AI adoption opportunities - Assess Agentic Readiness across application portfolios - Prioritize technical debt, resiliency, and maintainability improvements - Assess open source vulnerabilities and IP / license exposure - Evaluate software sustainability with Green Impact insights - Reduce complexity, cost, and risk across transformation programs Businesses move faster using CAST to understand, improve, and transform their software. Through semantic analysis of source code, CAST generates dashboards and 3D maps for executives, technologists, and AI to navigate inside individual applications and across entire portfolios. This intelligence enables companies to steer, speed, and report on initiatives such as technical debt, modernization, and cloud. As the pioneer of the software intelligence field, CAST is trusted by the world’s leading companies and governments, their consultancies and cloud providers. See it all at castsoftware.com.


**Average Rating:** 4.5/5.0
**Total Reviews:** 86

**Who Is the Company Behind CAST Highlight?**

- **Seller:** [CAST](https://www.g2.com/sellers/cast)
- **Company Website:** https://www.castsoftware.com
- **Year Founded:** 1990
- **HQ Location:** New York
- **Twitter:** @SW_Intelligence (1,887 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cast/ (1,264 employees on LinkedIn®)

**Who Uses This Product?**
- **Top Industries:** Information Technology and Services, Computer Software
- **Company Size:** 57% Enterprise, 24% Small-Business


#### What Are CAST Highlight's Pros and Cons?

**Pros:**

- Ease of Use (8 reviews)
- Easy Setup (4 reviews)
- Cloud Services (3 reviews)
- Efficiency (3 reviews)
- Real-time Monitoring (3 reviews)

**Cons:**

- Complex Navigation (1 reviews)
- Dashboard Issues (1 reviews)
- Delayed Detection (1 reviews)
- Difficulty (1 reviews)
- Expensive (1 reviews)


### What Do G2 Reviewers Say About CAST Highlight?
*AI-generated summary from verified user reviews*

**Pros:**

- Users appreciate the **ease of use** of CAST Highlight, allowing for quick and efficient application analysis without complications.
- Users find the **easy setup** of CAST Highlight to be straightforward and efficient, enhancing their analysis experience.
- Users value CAST Highlight for its **comprehensive cloud assessment capabilities** , aiding in application migration and risk analysis.
- Users value the **efficiency** of CAST Highlight, enabling quick, objective analysis of application portfolios for better decision-making.
- Users appreciate the **real-time monitoring** of CAST Highlight, enabling quick, actionable insights for effective portfolio management.

**Cons:**

- Users find the **complex navigation** in CAST Highlight challenging, affecting their overall user experience and efficiency.
- Users find the **dashboard issues** in CAST Highlight hinder effective insights and require customization for better alignment.
- Users find the **delayed detection** of issues in CAST Highlight hinders timely responses and detailed analysis.
- Users find the **difficulty in initial configuration** and metric interpretation challenging for new teams utilizing CAST Highlight.
- The **high price** of CAST Highlight restricts its usage in large companies, limiting its potential impact.

#### What Are Recent G2 Reviews of CAST Highlight?

**"[Efficient Analysis &amp; Confident Modernization](https://www.g2.com/survey_responses/cast-highlight-review-12250186)"**

**Rating:** 4.5/5.0 stars
*— Neha C.*

[Read full review](https://www.g2.com/survey_responses/cast-highlight-review-12250186)

---

**"[Portfolio Insights in One Place with CAST Highlight](https://www.g2.com/survey_responses/cast-highlight-review-12977472)"**

**Rating:** 4.5/5.0 stars
*— Verified User in Government Administration*

[Read full review](https://www.g2.com/survey_responses/cast-highlight-review-12977472)

---


#### What Are G2 Users Discussing About CAST Highlight?

- [What is cast imaging?](https://www.g2.com/discussions/what-is-cast-imaging) - 1 comment
- [How does a cast tool work?](https://www.g2.com/discussions/how-does-a-cast-tool-work)
- [What is CAST software tool?](https://www.g2.com/discussions/what-is-cast-software-tool) - 1 comment
- [What does cast highlight do?](https://www.g2.com/discussions/what-does-cast-highlight-do) - 1 comment

### 10. [Manifest](https://www.g2.com/products/manifest-cyber-manifest/reviews)
Manifest helps organizations understand and reduce the cybersecurity risk in the technology they produce and procure. The Manifest platform operationalizes software bills of materials (SBOMs), artificial intelligence bills of materials (AIBOMs), and Vulnerability Exploitability eXchange (VEX) documents so organizations can analyze and action the risk in internal or third-party tools. Manifest manages the entire SBOM lifecycle for customers in critical industries like enterprise technology, aerospace, defense contracting, healthcare, manufacturing &amp; logistics, financial services, and the federal government.


**Average Rating:** 5.0/5.0
**Total Reviews:** 3

**Who Is the Company Behind Manifest?**

- **Seller:** [Manifest Cyber](https://www.g2.com/sellers/manifest-cyber)
- **HQ Location:** Connecticut, USA
- **Twitter:** @manifestcyber (89 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/manifestcyber/ (14 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 67% Mid-Market, 33% Small-Business


#### What Are Manifest's Pros and Cons?

**Pros:**

- Ease of Use (3 reviews)
- Automation (2 reviews)
- Real-time Monitoring (2 reviews)
- Authentication Security (1 reviews)
- Customer Support (1 reviews)

**Cons:**

- Time Consumption (1 reviews)


### What Do G2 Reviewers Say About Manifest?
*AI-generated summary from verified user reviews*

**Pros:**

- Users praise the **ease of use** of Manifest, appreciating its seamless integration and straightforward functionality for compliance tasks.
- Users commend the **automation capabilities** of Manifest, enhancing efficiency in managing software supply chain security.
- Users value the **real-time monitoring** capabilities of Manifest, ensuring proactive management of software supply chain risks.
- Users value the **exceptional authentication security** of Manifest, enhancing the safety of their software supply chain.
- Users value the **exceptional customer support** of Manifest, noting their commitment to user satisfaction and assistance.

**Cons:**

- Users find that the **integration process** with other tools can be time-consuming and challenging to manage.

#### What Are Recent G2 Reviews of Manifest?

**"[Real “Continuous Compliance”](https://www.g2.com/survey_responses/manifest-review-9130056)"**

**Rating:** 5.0/5.0 stars
*— Peter Z.*

[Read full review](https://www.g2.com/survey_responses/manifest-review-9130056)

---

**"[Cutting-Edge Tool Enables Complete Lifecycle Management of your Software Bill of Materials](https://www.g2.com/survey_responses/manifest-review-9139664)"**

**Rating:** 5.0/5.0 stars
*— Shaun M.*

[Read full review](https://www.g2.com/survey_responses/manifest-review-9139664)

---



### 11. [Snyk](https://www.g2.com/products/snyk/reviews)
Snyk (pronounced sneak) is a developer security platform for securing custom code, open source dependencies, containers, and cloud infrastructure all from a single platform. Snyk’s developer security solutions enable modern applications to be built securely, empowering developers to own and build security for the whole application, from code &amp; open source to containers &amp; cloud infrastructure. Secure while you code in your IDE: find issues quickly using the scanner, fix issues easily with remediation advice, verify the updated code. Integrate your source code repositories to secure applications: integrate a repository to find issues, prioritize with context, fix &amp; merge. Secure your containers as you build, throughout the SDLC: start fixing containers as soon as your write a Dockerfile, continuously monitor container images throughout their lifecycle, and prioritize with context. Secure build and deployment pipelines: Integrate natively with your CI/CD tool, configure your rules, find &amp; fix issues in your application, and monitor your applications. Secure your apps quickly with Snyk’s vulnerability scanning and automated fixes - Try for Free!


**Average Rating:** 4.5/5.0
**Total Reviews:** 135

**Who Is the Company Behind Snyk?**

- **Seller:** [Snyk](https://www.g2.com/sellers/snyk)
- **HQ Location:** Boston, Massachusetts
- **Twitter:** @snyksec (21,057 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/10043614/ (1,370 employees on LinkedIn®)

**Who Uses This Product?**
- **Who Uses This:** Software Engineer
- **Top Industries:** Computer Software, Information Technology and Services
- **Company Size:** 44% Mid-Market, 35% Small-Business


#### What Are Snyk's Pros and Cons?

**Pros:**

- Vulnerability Detection (3 reviews)
- Vulnerability Identification (3 reviews)
- Easy Integrations (2 reviews)
- Easy Setup (2 reviews)
- Features (2 reviews)

**Cons:**

- False Positives (2 reviews)
- Poor Interface Design (2 reviews)
- Pricing Issues (2 reviews)
- Scanning Issues (2 reviews)
- Software Bugs (2 reviews)


### What Do G2 Reviewers Say About Snyk?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value Snyk&#39;s **rapid vulnerability detection** , enabling efficient identification and remediation in development environments.
- Users appreciate Snyk&#39;s **rapid vulnerability identification** , enhancing security through quick updates and effective integration.
- Users value the **easy integrations** of Snyk, enhancing workflow efficiency in CI/CD pipelines and GitHub.
- Users appreciate the **easy setup** of Snyk, enabling seamless integration with GitHub and efficient codebase scanning.
- Users commend Snyk for its **intuitive GUI and customizable organization structure** , enhancing vulnerability management and reporting efficiency.

**Cons:**

- Users experience **false positives** from Snyk, leading to confusion and slowing down the scanning process.
- Users feel the **poor interface design** of Snyk hinders usability, especially with the separate DAST interface.
- Users face **pricing issues** with Snyk, as the cost can be high for accessing all features.
- Users often face **scanning issues** such as false positives and slow scans, affecting overall efficiency and workflow.
- Users report **false positives** and slow scans in Snyk, affecting efficiency and integration with other tools.

#### What Are Recent G2 Reviews of Snyk?

**"[Seamless Dev-First Security with Fast Scans and Actionable Fixes](https://www.g2.com/survey_responses/snyk-review-12676270)"**

**Rating:** 4.5/5.0 stars
*— Prateek J.*

[Read full review](https://www.g2.com/survey_responses/snyk-review-12676270)

---

**"[Developer-Friendly Security with Clear, Automated Fixes](https://www.g2.com/survey_responses/snyk-review-12974957)"**

**Rating:** 4.5/5.0 stars
*— Hemanth K.*

[Read full review](https://www.g2.com/survey_responses/snyk-review-12974957)

---


#### What Are G2 Users Discussing About Snyk?

- [What is Snyk scanning?](https://www.g2.com/discussions/what-is-snyk-scanning) - 2 comments, 2 upvotes
- [Is Snyk a SaaS?](https://www.g2.com/discussions/is-snyk-a-saas) - 2 comments
- [How good is Snyk?](https://www.g2.com/discussions/how-good-is-snyk) - 2 comments
- [What is Snyk used for?](https://www.g2.com/discussions/what-is-snyk-used-for)

### 12. [Anchore](https://www.g2.com/products/anchore/reviews)
Anchore, Inc., based in Santa Barbara, CA, was founded in 2016 by Saïd Ziouani and Daniel Nurmi to help organizations implement secure container-based workflows without compromising velocity. Anchore Enterprise is a complete container security workflow solution for professional teams. Integrating seamlessly with a wide variety of development tools and platforms, it allows teams to adhere to defined industry security standards. The Anchore Enterprise user interface provides visibility to security teams, allowing them to audit and verify compliance throughout the organization. It can be deployed in air-gapped and public cloud environments and is built for large scale. Anchore Enterprise is based on Anchore Engine, an open-source tool for deep image inspection and vulnerability scanning.


**Average Rating:** 4.4/5.0
**Total Reviews:** 4

**Who Is the Company Behind Anchore?**

- **Seller:** [Anchore](https://www.g2.com/sellers/anchore)
- **Year Founded:** 2016
- **HQ Location:** Santa Barbara, California, United States
- **Twitter:** @anchore (2,797 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/anchore/ (91 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 50% Mid-Market, 50% Enterprise


#### What Are Anchore's Pros and Cons?

**Pros:**

- Cloud Integration (1 reviews)
- Ease of Use (1 reviews)
- Easy Integrations (1 reviews)
- Features (1 reviews)
- Onboarding (1 reviews)



### What Do G2 Reviewers Say About Anchore?
*AI-generated summary from verified user reviews*

**Pros:**

- Users praise the **seamless cloud integration** of Anchore, enhancing workflows with tools like DefectDojo and Jira.
- Users appreciate the **clean and intuitive interface** of Anchore, making integration and workflow management seamless.
- Users appreciate the **easy integrations** of Anchore, effectively enhancing security workflows with tools like DefectDojo and Jira.
- Users appreciate the **clean and easy-to-use interface** of Anchore, enhancing their security issue remediation workflows.
- Users praise the **easy-to-use onboarding interface** of Anchore, enhancing integration and workflow management for security issues.


#### What Are Recent G2 Reviews of Anchore?

**"[Love the intuitive interface and dashboard to assess security posture in a single place](https://www.g2.com/survey_responses/anchore-review-11048224)"**

**Rating:** 4.0/5.0 stars
*— Raja A.*

[Read full review](https://www.g2.com/survey_responses/anchore-review-11048224)

---

**"[Anchore: Essential Tool for Container Security and Compliance](https://www.g2.com/survey_responses/anchore-review-10025756)"**

**Rating:** 4.0/5.0 stars
*— Dr habeeb M.*

[Read full review](https://www.g2.com/survey_responses/anchore-review-10025756)

---


#### What Are G2 Users Discussing About Anchore?

- [What is Anchore used for?](https://www.g2.com/discussions/what-is-anchore-used-for)

### 13. [1Exiger Platform](https://www.g2.com/products/1exiger-platform/reviews)
Exiger’s award-winning, purpose-built technology platform, 1Exiger, is the only open-source, third-party and supply chain management software that helps companies and government agencies achieve cost savings, resilience, and compliance in real time. Created and launched in collaboration with our 550+ customers, the platform makes supply chain management simple, intuitive and accessible. The 1Exiger user experience is housed in an integrated suite that is scalable and secure. Using our powerful AI technology, you can uncover risks and reveal insights that enable confident decision-making.


**Average Rating:** 4.5/5.0
**Total Reviews:** 17

**Who Is the Company Behind 1Exiger Platform?**

- **Seller:** [Exiger](https://www.g2.com/sellers/exiger)
- **Company Website:** https://www.exiger.com/
- **HQ Location:** New York, NY
- **Twitter:** @exigerllc (1,851 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/exiger (800 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 53% Enterprise, 47% Mid-Market


#### What Are 1Exiger Platform's Pros and Cons?

**Pros:**

- Risk Management (6 reviews)
- Ease of Use (5 reviews)
- Automation Efficiency (3 reviews)
- Compliance Management (3 reviews)
- Comprehensive Coverage (3 reviews)

**Cons:**

- Limited Customization (4 reviews)
- Limited Functionality (4 reviews)
- Difficult Usability (3 reviews)
- Limited Features (3 reviews)
- Poor Navigation (3 reviews)


### What Do G2 Reviewers Say About 1Exiger Platform?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value the **AI-driven risk management** of 1Exiger Platform, enhancing efficiency and transparency in compliance workflows.
- Users appreciate the **ease of use** of 1Exiger Platform, finding it simple to navigate and manage risk effectively.
- Users appreciate the **automation efficiency** of the 1Exiger Platform, enabling simplified risk management and actionable insights.
- Users value the **centralized compliance management** of the 1Exiger Platform, streamlining risk assessments and data integration.
- Users value the **comprehensive coverage** of 1Exiger Platform, enabling effective risk management with user-friendly solutions.

**Cons:**

- Users find the **customization options limited** on 1Exiger Platform, especially for mobile access and specific modules.
- Users find the **limited functionality** of the 1Exiger Platform restricts customization and mobile access, impacting usability.
- Users face **difficult usability** issues on the 1Exiger Platform, particularly due to its complex learning curve and navigation.
- Users find the **customization options limited** and mobile accessibility lacking, which hinders their overall experience.
- Users find the **poor navigation** can complicate their experience, particularly for newcomers and large data handling.

#### What Are Recent G2 Reviews of 1Exiger Platform?

**"[Easy-to-Use Platform That Centralizes Risk &amp; Compliance Data and Saves Time](https://www.g2.com/survey_responses/1exiger-platform-review-10545189)"**

**Rating:** 4.5/5.0 stars
*— Verified User in Package/Freight Delivery*

[Read full review](https://www.g2.com/survey_responses/1exiger-platform-review-10545189)

---

**"[Great Visibility Into HQ Practices for Remote Teams](https://www.g2.com/survey_responses/1exiger-platform-review-12726616)"**

**Rating:** 4.0/5.0 stars
*— carl l.*

[Read full review](https://www.g2.com/survey_responses/1exiger-platform-review-12726616)

---


#### What Are G2 Users Discussing About 1Exiger Platform?

- [What is DDIQ used for?](https://www.g2.com/discussions/what-is-ddiq-used-for)

### 14. [FossID](https://www.g2.com/products/fossid-fossid/reviews)
FossID is a Software Composition Analysis (SCA) suite designed to give organizations clear, defensible insight into the software they build and ship. It helps teams understand exactly what third-party, open source, and commercial code exists in their products so they can manage license compliance, intellectual property risk, and security with confidence. Agentic SCA by FossID brings software supply chain integrity into the moment of code creation for continuous, real-time license and security compliance so you can move at AI-speed and eliminate reactive code rework. FossID is ideal for organizations that value accuracy, transparency, and control over their software supply chain. It is widely used by manufacturers of embedded systems and software-driven products in industries such as automotive, aerospace, medical devices, industrial automation, electronics, and telecom, where regulatory requirements and long product lifecycles demand a higher standard of software governance. FossID is also trusted by legal, compliance, and GRC teams that need reliable, auditable results, as well as by acquirers and investors conducting technical due diligence. FossID analyzes real source code rather than relying solely on declared dependencies. FossID identifies reused components and code snippets with high precision, detecting fragments as small as six lines of code. This approach delivers more accurate results in complex, mixed codebases, including legacy systems, embedded software, and environments influenced by AI-assisted development. Key differentiators include deep snippet-level detection that remains effective even when code has been modified or reformatted, a 200M+ component open source knowledge base covering more than 2,500 licenses, and strong identification of license and copyright obligations. FossID is deployed in a way that ensures that source code never leaves the organization, a critical requirement for security- and IP-sensitive teams. FossID supports software supply chain integrity across the entire development and release lifecycle. Engineers use it early to identify and resolve issues before code is merged. Legal and compliance teams rely on it to validate policy compliance, manage license obligations and produce accurate SBOMs. Governance, Risk, and Compliance leaders use FossID to demonstrate software supply chain transparency, reduce audit risk, and support regulatory compliance initiatives, including the EU Cyber Resilience Act. The primary value of FossID is confidence. Confidence in what is inside your software, confidence in your compliance posture, and confidence that your teams can move forward efficiently without introducing unnecessary risk.


**Average Rating:** 4.0/5.0
**Total Reviews:** 2

**Who Is the Company Behind FossID?**

- **Seller:** [FossID](https://www.g2.com/sellers/fossid-038ca491-2507-49c4-b6f1-2f965c09e84e)
- **Company Website:** https://www.fossid.com
- **Year Founded:** 2016
- **Twitter:** @FOSSID_AB (137 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/fossid-ab/ (1 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 50% Mid-Market, 50% Enterprise



#### What Are Recent G2 Reviews of FossID?

**"[Detects Code-Snippets reliable and has good usabiilty](https://www.g2.com/survey_responses/fossid-review-11298102)"**

**Rating:** 4.0/5.0 stars
*— Nikolaus F.*

[Read full review](https://www.g2.com/survey_responses/fossid-review-11298102)

---

**"[Powerful, Customizable Scanning with Accurate License Detection and Great Support](https://www.g2.com/survey_responses/fossid-review-12638783)"**

**Rating:** 4.0/5.0 stars
*— Jackie L.*

[Read full review](https://www.g2.com/survey_responses/fossid-review-12638783)

---



### 15. [JFrog](https://www.g2.com/products/jfrog-2024-03-28/reviews)
JFrog Ltd. (Nasdaq: FROG), the creators of the unified DevOps, DevSecOps, DevGovOps and MLOps platform, is on a mission to create a world of software delivered without friction from development to production. Driven by a “Liquid Software” vision to keep software continuously flowing, secure, and always up to date, the JFrog Platform serves as the definitive software supply chain system of record. It is uniquely engineered to power organizations as they build, manage, and distribute trusted software with unprecedented speed, security, and scale across hybrid and multi-cloud environments. As software engineering evolves in the AI era, JFrog’s newest offerings address the industry&#39;s most pressing trend: the rise of agentic software development and the hidden security risks of &quot;Shadow AI.&quot; In response to threat actors increasingly targeting developer workflows including a massive surge in malicious open-source AI models and infected packages; JFrog has expanded its platform capabilities to deliver absolute end-to-end visibility and automated compliance. Key new innovations include the JFrog AI Catalog, which enables organizations to centralize, govern, and control the lifecycle of AI models approved for enterprise use. To secure autonomous coding environments, JFrog introduced the Universal MCP Registry and the Agent Skills Registry (developed alongside NVIDIA). These new solutions establish the industry’s first enterprise-grade trust layer to safely manage and store AI agent skills, monitor connections, and instantly block unsafe developer tools or malicious coding extensions right where developers work. Furthermore, the integration of advanced DevGovOps and Runtime Security tools allows teams to replace slow, manual compliance audits with continuous, background policy enforcement. By shifting security left directly into the binary pipeline, JFrog ensures that the volume of AI-assisted code does not outpace an organization&#39;s ability to verify its safety. Today, millions of users and approximately 6,600 organizations worldwide, including a majority of the Fortune 100, depend on the universal JFrog Platform to eliminate point-solution fatigue, bridge the governance gap, and securely embrace digital transformation. Learn more at www.jfrog.com or follow us on X @JFrog.


**Average Rating:** 4.2/5.0
**Total Reviews:** 146

**Who Is the Company Behind JFrog?**

- **Seller:** [JFrog Ltd](https://www.g2.com/sellers/jfrog-ltd)
- **Company Website:** https://jfrog.com
- **Year Founded:** 2008
- **HQ Location:** Sunnyvale, CA
- **Twitter:** @jfrog (23,186 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/jfrog-ltd/ (2,364 employees on LinkedIn®)

**Who Uses This Product?**
- **Who Uses This:** Software Engineer, DevOps Engineer
- **Top Industries:** Information Technology and Services, Computer Software
- **Company Size:** 50% Enterprise, 31% Mid-Market


#### What Are JFrog's Pros and Cons?

**Pros:**

- Features (18 reviews)
- Repository Management (14 reviews)
- Deployment (13 reviews)
- Integrations (12 reviews)
- Easy Integrations (11 reviews)

**Cons:**

- Complexity (9 reviews)
- Expensive (8 reviews)
- Learning Curve (8 reviews)
- Difficult Learning (7 reviews)
- Learning Difficulty (7 reviews)


### What Do G2 Reviewers Say About JFrog?
*AI-generated summary from verified user reviews*

**Pros:**

- Users appreciate the **comprehensive integration and multi-format support** of JFrog, streamlining their DevOps processes effectively.
- Users appreciate JFrog&#39;s **centralized artifact management** , enhancing efficiency in storing and tracking components across environments.
- Users value the **seamless deployment integration** of JFrog, enhancing CI/CD pipelines and security management effectively.
- Users value the **seamless integrations** of JFrog, enhancing their CI/CD processes across various package formats.
- Users value the **easy integrations** of JFrog with various tools, enhancing their CI/CD workflows seamlessly.

**Cons:**

- Users find JFrog&#39;s platform to be **overly complex** , requiring significant training to navigate its extensive features effectively.
- Users find JFrog to be **expensive** , with costs posing challenges for smaller teams and individual developers.
- Users often face a **steep learning curve** with JFrog, requiring significant time to master its complexity.
- Users find the **difficult learning curve** of JFrog requires extensive training to navigate its complex features effectively.
- Users find JFrog to have a **steep learning curve** , requiring significant time and effort to reach proficiency.

#### What Are Recent G2 Reviews of JFrog?

**"[JFrog Simplifies Artifact Management for Organized, Reliable Deployments](https://www.g2.com/survey_responses/jfrog-review-12870354)"**

**Rating:** 4.5/5.0 stars
*— Subhashree S.*

[Read full review](https://www.g2.com/survey_responses/jfrog-review-12870354)

---

**"[Efficient, Scalable Artifact Management That Streamlines the Software Delivery Lifecycle](https://www.g2.com/survey_responses/jfrog-review-12788318)"**

**Rating:** 4.0/5.0 stars
*— Arkajit D.*

[Read full review](https://www.g2.com/survey_responses/jfrog-review-12788318)

---


#### What Are G2 Users Discussing About JFrog?

- [What are the benefits and challenges of using JFrog for managing your software supply chain?](https://www.g2.com/discussions/what-are-the-benefits-and-challenges-of-using-jfrog-for-managing-your-software-supply-chain)
- [What does Jfrog Platform do?](https://www.g2.com/discussions/what-does-jfrog-platform-do)
- [What is difference between JFrog and Nexus?](https://www.g2.com/discussions/what-is-difference-between-jfrog-and-nexus)
- [What is Artifactory software used for?](https://www.g2.com/discussions/what-is-artifactory-software-used-for)

### 16. [SonarQube](https://www.g2.com/products/sonarqube/reviews)
Sonar, the industry standard for code verification and automated code review, helps reduce outages, improve security, and lower risks associated with AI and agentic coding. As an independent verification platform, Sonar enables organizations to securely develop at the speed of AI. Sonar is the foundation for high-performance software engineering, analyzing over 750 billion lines of code daily to ensure applications are secure, reliable, and maintainable. Rooted in the open source community, Sonar is trusted by 7M+ developers globally, including teams at ServiceNow, Booking.com, Deutsche Bank, AstraZeneca, and Ford Motor Company.


**Average Rating:** 4.4/5.0
**Total Reviews:** 152

**Who Is the Company Behind SonarQube?**

- **Seller:** [SonarSource Sàrl](https://www.g2.com/sellers/sonarsource-sarl)
- **Company Website:** https://www.sonarsource.com
- **Year Founded:** 2008
- **HQ Location:** Geneva, Switzerland
- **Twitter:** @SonarSource (10,913 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/sonarsource/ (973 employees on LinkedIn®)

**Who Uses This Product?**
- **Who Uses This:** DevOps Engineer, Software Engineer
- **Top Industries:** Information Technology and Services, Computer Software
- **Company Size:** 43% Enterprise, 40% Mid-Market


#### What Are SonarQube's Pros and Cons?

**Pros:**

- Code Quality (24 reviews)
- Features (20 reviews)
- Issue Identification (19 reviews)
- Ease of Use (18 reviews)
- Easy Integrations (18 reviews)

**Cons:**

- Software Bugs (12 reviews)
- Complex Configuration (10 reviews)
- False Positives (10 reviews)
- Complexity (8 reviews)
- Complex Setup (8 reviews)


### What Do G2 Reviewers Say About SonarQube?
*AI-generated summary from verified user reviews*

**Pros:**

- Users value how SonarQube **efficiently flags code quality and security issues** , ensuring a clean and maintainable codebase.
- Users value the **issue filtering and prioritization features** of SonarQube, enhancing focus on high-priority tasks.
- Users value the **issue identification and prioritization** features of SonarQube, improving focus on critical tasks.
- Users find SonarQube&#39;s **ease of use** invaluable for maintaining code quality and integrating seamlessly into development workflows.
- Users appreciate the **easy integrations** with existing CI/CD tools, enhancing their development workflow seamlessly.

**Cons:**

- Users face challenges with **software bugs** as SonarQube can consume excessive RAM and occasionally reports false positives.
- Users find SonarQube&#39;s configuration **complex** , especially for beginners, leading to difficulties and overwhelming warnings to manage.
- Users encounter **false positives** that complicate evaluations, though mitigation options exist through detailed analysis and rule customization.
- Users find that SonarQube&#39;s **complexity in configuration** and excessive warnings can hinder effective usage and efficiency.
- Users find the **complex setup** of SonarQube challenging, especially for beginners unfamiliar with the configuration process.

#### What Are Recent G2 Reviews of SonarQube?

**"[SonarQube: Easy Integration, Simple UI, and Solid Free Code Quality Scanning](https://www.g2.com/survey_responses/sonarqube-review-12975264)"**

**Rating:** 4.5/5.0 stars
*— Divyarajsinh  C.*

[Read full review](https://www.g2.com/survey_responses/sonarqube-review-12975264)

---

**"[Powerful Tool for Clean and Maintainable Code](https://www.g2.com/survey_responses/sonarqube-review-13115123)"**

**Rating:** 4.0/5.0 stars
*— chaithanya r.*

[Read full review](https://www.g2.com/survey_responses/sonarqube-review-13115123)

---


#### What Are G2 Users Discussing About SonarQube?

- [What is SonarLint used for?](https://www.g2.com/discussions/what-is-sonarlint-used-for)
- [What is SonarQube and how does it work?](https://www.g2.com/discussions/what-is-sonarqube-and-how-does-it-work) - 1 upvote
- [What is the benefit of SonarQube?](https://www.g2.com/discussions/what-is-the-benefit-of-sonarqube)
- [What are the main components of SonarQube platform?](https://www.g2.com/discussions/what-are-the-main-components-of-sonarqube-platform)
- [What is SonarQube and its features?](https://www.g2.com/discussions/what-is-sonarqube-and-its-features)

### 17. [Xygeni](https://www.g2.com/products/xygeni/reviews)
Secure your Software Development and Delivery! Xygeni Security specializes in Application Security Posture Management (ASPM), using deep contextual insights to effectively prioritize and manage security risks while minimizing noise and overwhelming alerts. Our innovative technologies automatically detect malicious code in real-time upon new and updated components publication, immediately notifying customers and quarantining affected components to prevent potential breaches. With extensive coverage spanning the entire Software Supply Chain—including Open Source components, CI/CD processes and infrastructure, Anomaly detection, Secret leakage, Infrastructure as Code (IaC), and Container security—Xygeni ensures robust protection for your software applications. Trust Xygeni to protect your operations and empower your team to build and deliver with integrity and security.


**Average Rating:** 4.6/5.0
**Total Reviews:** 4

**Who Is the Company Behind Xygeni?**

- **Seller:** [Xygeni Security](https://www.g2.com/sellers/xygeni-security)
- **Year Founded:** 2021
- **HQ Location:** Madrid, ES
- **Twitter:** @xygeni (178 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/xygeni/ (30 employees on LinkedIn®)

**Who Uses This Product?**
- **Company Size:** 60% Small-Business, 40% Mid-Market


#### What Are Xygeni's Pros and Cons?

**Pros:**

- Comprehensive Security (2 reviews)
- Prioritization (2 reviews)
- Risk Management (2 reviews)
- Security (2 reviews)
- Cloud Integration (1 reviews)

**Cons:**

- Difficult Setup (1 reviews)
- Learning Curve (1 reviews)


### What Do G2 Reviewers Say About Xygeni?
*AI-generated summary from verified user reviews*

**Pros:**

- Users commend Xygeni for its **comprehensive security features** , enhancing protection while maintaining efficient software development processes.
- Users value the **contextual risk prioritization** of Xygeni, enabling focus on the most critical security issues efficiently.
- Users value the **effective risk management** of Xygeni, ensuring security without hindering development speed.
- Users praise the **robust security features** of Xygeni, ensuring efficient vulnerability management and compliance throughout development.
- Users value the **seamless CI/CD integration** of Xygeni, enhancing security without hindering development speed.

**Cons:**

- Users experience **difficult setup** with Xygeni due to manual adjustments needed for specific CI/CD configurations.
- Users find the **learning curve for first-time users** challenging, needing familiarity with AppSec best practices for deeper insights.

#### What Are Recent G2 Reviews of Xygeni?

**"[The essential tool for proactive security and confident development](https://www.g2.com/survey_responses/xygeni-review-11393516)"**

**Rating:** 4.5/5.0 stars
*— Marcos C.*

[Read full review](https://www.g2.com/survey_responses/xygeni-review-11393516)

---

**"[Revolutionized Our Security Workflow with Unified, AI-Driven Efficiency](https://www.g2.com/survey_responses/xygeni-review-11998435)"**

**Rating:** 5.0/5.0 stars
*— Yerassyl K.*

[Read full review](https://www.g2.com/survey_responses/xygeni-review-11998435)

---



### 18. [BINARLY](https://www.g2.com/products/binarly/reviews)
Binarly is an AI-powered platform dedicated to protecting devices from emerging firmware and hardware threats. Founded in 2021 and headquartered in Pasadena, California, Binarly leverages advanced machine learning and deep code inspection at the binary level to provide comprehensive visibility into hardware and firmware vulnerabilities. This approach enables security teams to detect and respond to sophisticated attacks below the operating system, ensuring robust protection for enterprise device infrastructures.



**Who Is the Company Behind BINARLY?**

- **Seller:** [BINARLY](https://www.g2.com/sellers/binarly)
- **Year Founded:** 2021
- **HQ Location:** Santa Monica, US
- **LinkedIn® Page:** https://www.linkedin.com/company/binarlyinc (48 employees on LinkedIn®)






### 19. [CAST SBOM Manager](https://www.g2.com/products/cast-sbom-manager/reviews)
CAST SBOM Manager enables users to automatically create, customize, and maintain Software Bill of Materials (SBOMs) with the ultimate level of control and flexibility. It detects open source dependencies and related risks (vulnerabilities and security advisories, licenses, obsolescence) directly from scanning source code, and allows you to create and maintain SBOM metadata over time (proprietary components, custom licenses, vulnerabilities) and much more.



**Who Is the Company Behind CAST SBOM Manager?**

- **Seller:** [CAST](https://www.g2.com/sellers/cast)
- **Year Founded:** 1990
- **HQ Location:** New York
- **Twitter:** @SW_Intelligence (1,887 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cast/ (1,264 employees on LinkedIn®)
- **Ownership:** Bridgepoint






### 20. [CBOM Secure](https://www.g2.com/products/cbom-secure/reviews)
CBOM Secure is a machine-readable Cryptographic Bill of Materials (CBOM) platform that delivers continuous visibility and control over cryptography across source code, binaries, containers, and runtime environments. It automatically discovers and inventories algorithms, keys, certificates, protocols, and libraries, creating a centralized, normalized system of record. By mapping cryptographic assets to real execution paths, CBOM helps organizations distinguish dormant components from active usage, prioritize risk, and accelerate incident response. The platform supports compliance with standards such as NIST, FIPS 140-3, CMMC 2.0, and ISO 27001 while identifying legacy and quantum-vulnerable cryptography to enable structured post-quantum migration. Available on-premises, in the cloud, SaaS, or hybrid, CBOM transforms undocumented cryptography into a governed, audit-ready security control.



**Who Is the Company Behind CBOM Secure?**

- **Seller:** [Encryption Consulting](https://www.g2.com/sellers/encryption-consulting)
- **HQ Location:** N/A
- **LinkedIn® Page:** https://www.linkedin.com/company/No-Linkedin-Presence-Added-Intentionally-By-DataOps (1 employees on LinkedIn®)






### 21. [Enso Security](https://www.g2.com/products/enso-security/reviews)
Enso Application Security Posture is a platform for AppSec teams to manage their day-to-day work, implement their security strategy into an AppSec organizational program, enforce it and automate it. And all of that in a scalable rapidly changing environment. AppSec teams struggle with prioritization - they may have a vision and concept of how to handle AppSec, but they don’t know where to invest and what actions to take. To keep up with R&amp;D velocity and scale, Enso provides full visibility on the application inventory, focuses the AppSec teams on the most important tasks and insights, and takes a policy-based “call to action” approach so that the AppSec professionals won’t waste their time looking for application changes, prioritizing, or doing manual work.



**Who Is the Company Behind Enso Security?**

- **Seller:** [Enso Security](https://www.g2.com/sellers/enso-security)
- **HQ Location:** Boston, Massachusetts, United States
- **LinkedIn® Page:** https://www.linkedin.com/company/enso-security/ (1,331 employees on LinkedIn®)






### 22. [Eracent SBOM-HQ](https://www.g2.com/products/eracent-sbom-hq/reviews)
SBOM-HQ™ - from Eracent SBOM-HQ™ provides a well-rounded set of data, reporting and analysis features that help organizations minimize risks and comply with cyber mandates and directives. While SBOM-HQ™ provides value to in-house and commercial application development teams, it is also unique in its approach to meeting the requirements of organizations that purchase or subscribe to software from numerous publishers. These “software consumers” will have to manage dozens, hundreds, or even thousands of SBOMs for products that they use, and this is impractical or impossible to do one SBOM at a time. SBOM-HQ™ is based around a centralized, single-source repository of libraries, components, and other related data from SBOMs. It dramatically reduces response time when a vulnerability is reported since it eliminates the need to review SBOMs individually. How does SBOM-HQ™ work? Customers upload their SBOM files via the user interface. During this straightforward process, users can assign related information that can be used to support reporting, filters, data access, and more. This information includes Publisher, Line of Business, Application Component, and more. SBOM-HQ™ “deconstructs” each uploaded SBOM and records the software product to which the SBOM belongs and all the SBOM’s content. This results in an index of components and libraries mapped to products. If a vulnerability is reported by NIST or another organization, customers get an immediate report of every product in use in their organization that includes the affected component or library. SBOM-HQ™ is continuously monitored and updated, and it leverages vulnerability data from NIST and other trusted global sources. It uses this data to display risk scores, levels of criticality, and more. SBOM-HQ™ also provides visibility into license types for each component and library, reducing the risk of unknowingly using a library that has excessive restrictions when less risky options are available. The system offers version tracking – the version in use, newer available versions, and version history – as well as lifecycle dates that support obsolescence management. The dedicated open source library within Eracent’s IT-Pedia® product data library provides a solid foundation for SBOM-HQ™’s analysis and reporting. Who can benefit from using SBOM-HQ? SBOM-HQ is designed to support all teams engaged in the use and operation of software. DevOps – SBOM-HQ integrates into CI/CD to generate and enrich SBOMs with real time risk data, ensuring secure and compliant releases. Procurement – SBOM-HQ equips procurement teams with SBOM-driven insights into software quality and licensing risks, enabling smarter vendor selection and safer software purchases. CyberSec teams – SBOM-HQ evaluates cyber security aspects of purchased software and monitors new vulnerabilities that appear. ITOps – SBOM-HQ exposes software weaknesses and helps mitigate the risks. Legal and Licensing teams – SBOM-HQ delivers clear visibility into open source licenses, flags conflicts early, and provides audit-ready compliance reports. Why SBOM-HQ? SBOM-HQ is designed to support software buyers and users, not just software publishers. While most SBOM solutions stop at the software development life cycle, SBOM-HQ goes further. It empowers software consumers to continuously monitor not only what they build, but also what they buy - from design and procurement, through integration, all the way to production in their own data centers. With SBOM-HQ, transparency extends beyond development, delivering visibility and control across the entire software supply chain. To learn more about SBOM-HQ™, register for a free trial at sbomhq.com or contact Eracent today!



**Who Is the Company Behind Eracent SBOM-HQ?**

- **Seller:** [Eracent](https://www.g2.com/sellers/eracent)
- **Year Founded:** 2000
- **HQ Location:** Riegelsville, Pennsylvania
- **Twitter:** @eracent (141 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/15155 (70 employees on LinkedIn®)






### 23. [FOSSA](https://www.g2.com/products/fossa/reviews)
Open source is a critical part of your software. In the average modern software product, over 80% of the source code shipped is derived from open source. Each component can have cascading legal, security, and quality implications for your customers, making it one of the most important things to manage correctly. FOSSA helps you manage your open source components. We plug into your development workflow to help your team automatically track, manage, and remediate issues with the open source you use to: - Stay compliant with software licenses and generate required attribution documents - Enforce usage and licensing policies throughout your CI/CD workflow - Monitor and remediate security vulnerabilities - Flag code quality issues and outdated components proactively By enabling open source, we help development teams increase development velocity and decrease risk.


**Average Rating:** 4.2/5.0
**Total Reviews:** 15

**Who Is the Company Behind FOSSA?**

- **Seller:** [FOSSA](https://www.g2.com/sellers/fossa)
- **Year Founded:** 2015
- **HQ Location:** San Francisco, California
- **Twitter:** @getfossa (774 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/fossa/ (59 employees on LinkedIn®)

**Who Uses This Product?**
- **Top Industries:** Computer Software
- **Company Size:** 47% Small-Business, 33% Mid-Market


#### What Are FOSSA's Pros and Cons?

**Pros:**

- Easy Integrations (1 reviews)
- Issue Resolution (1 reviews)
- Remediation Solutions (1 reviews)
- Risk Management (1 reviews)
- Security (1 reviews)



### What Do G2 Reviewers Say About FOSSA?
*AI-generated summary from verified user reviews*

**Pros:**

- Users appreciate the **easy integrations** of FOSSA, seamlessly working with Maven and Gardle in their pipelines.
- Users benefit from Fossa&#39;s **effective issue resolution** , identifying vulnerabilities and recommending fixes for library dependencies.
- Users value the **effective remediation solutions** of FOSSA, which identify and suggest fixes for vulnerabilities in applications.
- Users value FOSSA for its **effective risk management** , identifying library issues and recommending fixes swiftly.
- Users value FOSSA&#39;s **security insights** that identify vulnerabilities and recommend fixes for their applications.


#### What Are Recent G2 Reviews of FOSSA?

**"[Fossa for enterprise applications](https://www.g2.com/survey_responses/fossa-review-10931000)"**

**Rating:** 4.0/5.0 stars
*— Pavan Kumar G.*

[Read full review](https://www.g2.com/survey_responses/fossa-review-10931000)

---

**"[&quot;The FOSSA Experience&quot;](https://www.g2.com/survey_responses/fossa-review-8576931)"**

**Rating:** 5.0/5.0 stars
*— Elvis M.*

[Read full review](https://www.g2.com/survey_responses/fossa-review-8576931)

---



### 24. [Heeler](https://www.g2.com/products/heeler/reviews)
Heeler empowers application security teams to shift left with the context they need to reduce noise, accelerate remediation, and move beyond traditional vulnerability management. By combining ASPM, SCA with static and runtime context, and runtime threat modeling, Heeler transforms AppSec programs from reactive firefighting to proactive, scalable security. How Heeler Helps AppSec Teams • Reduce Noise: AppSec teams and developers are drowning in findings. Heeler delivers unified code, runtime, business and security context, reducing alert noise by up to 95%, so teams can focus on critical issues and fix what matters most. • Fix Remediation: Remediation is broken. Most effort is spent reaching a fix—not implementing it. Heeler automates the remediation lifecycle, cutting effort and time, enabling AppSec teams to scale alongside engineering. • Move Beyond Vulnerabilities: With Heeler, continuous runtime threat modeling becomes a reality. Decompose running applications, track changes, compare deployments, and stop risks in real time—all before they reach production. Why Heeler is Essential Modern applications are more complex and dynamic than ever, expanding attack surfaces and making end-to-end security modeling nearly impossible without the right tools. Heeler bridges this gap, addressing the root causes of unscalable AppSec programs: • Lack of Context: Disparate data silos make understanding application behavior and identifying risks challenging. • Labor-Intensive Processes: Without unified context, security efforts are manual, unscalable, and push risk identification too far right. • Firefighting Mode: Security and engineering teams are trapped addressing too many findings and often focus their time on the wrong threats, leaving no bandwidth for secure-by-design initiatives. Key Capabilities • ProductDNA (Unified Context): Automates a real-time service catalog, mapping changesets to deployments and modeling every service with integrated code, runtime, business, and security context. • Runtime Threat Modeling: Enables continuous threat modeling with tools to decompose applications, track changes, compare deployments, and uncover risks in real time. • ASPM: Heeler reduces alert noise by up to 95% and automates remediation workflows, scaling security seamlessly with engineering demands. • SCA with Static and Runtime Context: Combines static and runtime data with business and deployment context, delivering next-gen SCA that prioritizes what matters, strengthens security, and simplifies AppSec workflows. Heeler ensures AppSec teams and developers have the context they need to shift left and build secure-by-design applications—effortlessly.



**Who Is the Company Behind Heeler?**

- **Seller:** [Heeler Security](https://www.g2.com/sellers/heeler-security)
- **Year Founded:** 2023
- **HQ Location:** N/A
- **LinkedIn® Page:** https://www.linkedin.com/company/heeler-security (20 employees on LinkedIn®)






### 25. [Hilt](https://www.g2.com/products/hilt/reviews)
Hilt monitors how data actually moves across your environment, not just whether policies are followed. Using proprietary eBPF kernel probes, Hilt captures every data movement event at the base level across cloud workloads, endpoints, and network boundaries. A three-tier behavioral detection engine (deterministic rules, behavioral ML, and model inference) identifies anomalous data movement in real time including transfers where permissions were valid and no policy was violated, but the behavior was wrong. Automated containment blocks exfiltration in under one second. Deployed in minutes with one command, no code changes, and no SDK. Built for latency-sensitive environments including financial services, hedge funds, and law firms.



**Who Is the Company Behind Hilt?**

- **Seller:** [Hilt AI](https://www.g2.com/sellers/hilt-ai)
- **HQ Location:** Milton Keynes, GB
- **LinkedIn® Page:** https://www.linkedin.com/company/hilt-ai/ (1 employees on LinkedIn®)







## What Is Software Bill of Materials (SBOM) Software?

[DevSecOps Software](https://www.g2.com/categories/devsecops)

## What Software Categories Are Similar to Software Bill of Materials (SBOM) Software?

- [Static Application Security Testing (SAST) Software](https://www.g2.com/categories/static-application-security-testing-sast)
- [Software Composition Analysis Tools](https://www.g2.com/categories/software-composition-analysis)
- [Software Supply Chain Security Solutions](https://www.g2.com/categories/software-supply-chain-security-tools)



