SBOMator

ESL SBOMator – Secure Your Software Supply Chain
Enterprise Security & Compliance

Secure Your Software Supply Chain

ESL SBOMator generates comprehensive Software Bill of Materials (SBOM) reports with full license detection for any environment, online or air-gapped. Affordable, secure, and built for organizations that refuse to compromise on cybersecurity.

100% Air-Gap Ready | FDA Compliant | 24/7 Support

[Image: ESL SBOMator security visualization showing interconnected software components and vulnerability scanning]

Complete SBOM Solution

Three powerful components working together to deliver end-to-end visibility, security, and compliance for your software supply chain.

Project Scan

The core of SBOMator. Launch scans, build comprehensive SBOMs with full license detection (Apache, LGPL, MIT, and more), and create detailed reports for compliance and security with ease.

  • Automated scanning
  • License compliance detection
  • Multi-language support (C/C++, Python, Java)

Database Management

Stay current with NVD, KEV, and OSV vulnerability databases. Auto-download when online, or manually update for air-gapped environments. Your data stays secure on your infrastructure.

  • NVD, KEV & OSV databases
  • Auto-download or manual update
  • Private on-premises deployment

Report Information

Capture device details and software metadata for regulated industries. Generate FDA-compliant documentation, detect licensing obligations, and create comprehensive audit reports automatically.

  • FDA & IEC 62304 compliance
  • License obligation tracking
  • Multiple export formats

See SBOMator in Action

This sample report shows how SBOMator analyzes a real project, identifies vulnerable components, and highlights security risk in a clear, actionable format.

OWASP WebGoat Demo Scan

This example uses the intentionally vulnerable OWASP WebGoat project to demonstrate how SBOMator surfaces component inventory, CVE exposure, severity distribution, and prioritization for remediation.

  • 197 total components identified
  • 10 vulnerable components detected
  • 109 known CVEs highlighted
  • Direct links to vulnerability intelligence

This project is intentionally vulnerable and is used here to demonstrate SBOMator’s detection and reporting capabilities.

This sample is based on the OWASP WebGoat project, an open-source application maintained by OWASP.

Why Choose ESL SBOMator?

Built for security teams, compliance officers, and organizations that demand the highest standards of software supply chain visibility.

Works Anywhere

Full functionality in networked or air-gapped environments, with no forced cloud dependency

Cost-Effective

Affordable solution starting at $5,000 vs. competitors at $20,000-$50,000 annually

License Compliance

Automatic detection of open source licenses and obligations (Apache, LGPL, MIT, and more)

No Vendor Lock-In

One-time purchase option available; no forced annual subscriptions

Data Privacy

Your code never leaves your infrastructure, making it well suited to sensitive environments

Multi-Format Support

Works with C/C++, Python, Java, and supports all major SBOM formats

Trusted Across Industries

From healthcare to defense, ESL SBOMator delivers the security and compliance capabilities organizations need.

Healthcare & Medical Devices

Generate FDA-compliant documentation and meet stringent regulatory requirements for medical device software. Serving medical device manufacturers since 2008 with proven compliance solutions.

Key Requirements:
  • FDA 21 CFR Part 11
  • IEC 62304 compliance
  • Static code analysis

Banking & Financial Services

Maintain cybersecurity standards in highly regulated financial environments. Works seamlessly in secure, air-gapped banking infrastructure where uptime and data privacy are critical.

Key Requirements:
  • Air-gap deployment
  • On-premises security
  • License compliance tracking

Defense & Government

Operate in classified and secure environments while maintaining complete software supply chain visibility. No cloud dependency means your sensitive code stays within your infrastructure.

Key Requirements:
  • Zero internet dependency
  • NIST compliance
  • Classified system ready

Enterprise Software

Track dependencies, identify vulnerabilities, detect license obligations, and maintain compliance across your entire software portfolio. Affordable alternative to expensive enterprise tools.

Key Requirements:
  • Multi-language support
  • License detection
  • Cost-effective pricing

New Feature

AI/ML SBOM Add-on

Bring AI transparency to your software supply chain. Our upcoming AI/ML SBOM Add-on extends SBOMator with the elements regulators now expect for AI-enabled products, aligned with the G7 SBOM for AI - Minimum Elements (2026).

G7 Aligned | 3 Checking Levels | 100% Air-Gap Ready

What’s coming in the AI/ML SBOM Add-on

Traditional SBOMs miss the components that actually drive risk in an AI system: model weights, datasets, external inference APIs, and accelerators. The add-on closes that gap.

Local Model Detection

Discovers AI/ML artifacts across your codebase and hashes them as first-class SBOM components.

  • .onnx, .pt, .safetensors
  • .gguf and quantized formats
  • Framework detection

External AI API Inventory

Identifies calls to hosted inference services so your supply chain is fully documented.

  • OpenAI, Anthropic, Gemini
  • Azure AI & AWS Bedrock
  • Notebooks & scripts scanned

G7-Aligned CycloneDX

Reports enriched with AI-specific properties so auditors can filter, query, and prove compliance.

  • esl:ai_sbom_profile
  • esl:ai_sbom_check_level
  • Model & dataset metadata
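To make the Local Model Detection and G7-Aligned CycloneDX descriptions above concrete, here is an added illustration (not SBOMator's own code) of what such output looks like: it walks a project tree for model artifacts, streams each through SHA-256, and emits a CycloneDX 1.5 document whose components carry the esl:ai_sbom_profile and esl:ai_sbom_check_level properties. The extension set, the property values, and the sample tree are assumptions constructed for the example.

```python
import hashlib
import json
import os
import tempfile

# Artifact extensions the page lists; treating this set as complete is an assumption.
MODEL_EXTENSIONS = {".onnx", ".pt", ".safetensors", ".gguf"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-gigabyte weights never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_model_artifacts(root):
    """Return relative paths of model files under root, sorted so the BOM is reproducible."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in MODEL_EXTENSIONS:
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)


def model_component(root, rel_path, check_level):
    """One CycloneDX 1.5 'machine-learning-model' component with its hash and esl:* properties."""
    return {
        "type": "machine-learning-model",
        "name": os.path.basename(rel_path),
        "hashes": [{"alg": "SHA-256", "content": sha256_file(os.path.join(root, rel_path))}],
        "evidence": {"occurrences": [{"location": rel_path}]},  # where the artifact was found
        "properties": [
            {"name": "esl:ai_sbom_profile", "value": "g7-minimum-elements"},  # value is assumed
            {"name": "esl:ai_sbom_check_level", "value": check_level},  # "minimum" / "maximum"
        ],
    }


def build_ai_bom(root, check_level="minimum"):
    """Assemble the BOM; an empty components list means no artifacts were found, not an error."""
    comps = [model_component(root, p, check_level) for p in find_model_artifacts(root)]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": comps}


def make_sample_project():
    """Constructed sample tree: one fake model file plus a non-model file that must be ignored."""
    root = tempfile.mkdtemp(prefix="sbom-ai-")
    os.makedirs(os.path.join(root, "models"))
    with open(os.path.join(root, "models", "classifier.onnx"), "wb") as f:
        f.write(b"abc")  # placeholder bytes, not a real ONNX graph
    with open(os.path.join(root, "README.md"), "w") as f:
        f.write("not a model\n")
    return root


if __name__ == "__main__":
    print(json.dumps(build_ai_bom(make_sample_project(), "maximum"), indent=2))
```

Re-running the script on an unchanged tree yields identical hashes, so diffing two BOMs is a simple way to detect a silently swapped model file.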

Air-Gap Ready

Bundled offline guidance; no internet required. Built for classified, medical, and industrial environments.

  • Offline HTML guides
  • No telemetry
  • Same air-gap workflow

Separate License Key

Activates with its own 16-digit key. Never overwrites your base SBOMator license โ€” buy it only when you need it.

  • Keys starting with 9
  • UI controls stay disabled until activated
  • Zero disruption to existing scans

Infrastructure Awareness

Enumerates accelerator and runtime dependencies so your AI stack is fully accounted for.

  • CUDA, TensorRT, ROCm
  • Accelerator drivers
  • Inference runtimes

Three Checking Levels

Match effort to compliance need. Switch any time; settings persist in your .esl-project file alongside existing scan configuration.

Minimum

AI Inventory Only
  • Detects AI/ML frameworks
  • Finds local model artifacts
  • Hashes every artifact
  • Fast, lightweight scan

Maximum

Deep AI Supply-Chain Review
  • Scans notebooks & training scripts
  • Identifies external AI service calls
  • Enumerates inference infrastructure
  • Runs security & data-min checklist

Aligned with the G7 SBOM for AI - Minimum Elements (2026)

Directly supports the seven G7 clusters: Metadata, System-Level Properties, Models, Datasets, Infrastructure, Security Properties, and KPIs. Published jointly by the G7 Cybersecurity Working Group, BSI, and CISA.

Do you wish to know more?