Cybersecurity engineering · est. 2026

Cybersecurity for organizations that can’t afford gaps.

Software supply chain transparency, license compliance, and security tooling — built for SBOMs that have to hold up under legal and audit review.

What we do

Three practices, one discipline: evidence over assertion.

We deliver tooling, audits, and engineering for environments where a passing scan isn’t enough — your auditor, your regulator, and your customer’s legal team all need to see the work.

Software supply chain transparency

Audit-ready Software Bills of Materials with verified license attribution and known-vulnerability data, traced to the artifacts you actually shipped.

License compliance & audit

Evidence packages for legal review, M&A due diligence, and regulator inquiries — produced from real artifacts, not vendor declarations.

Security engineering

Custom tooling for environments where commercial scanners stop short — bundled artifacts, vendored dependencies, and one-off review processes.

The license-data gap

Most SBOMs report wrong or incomplete license data. That’s a liability, not a deliverable.

Generators infer license fields from package metadata that anyone can write. When legal or a regulator asks for proof, the SBOM you handed over doesn’t hold up. Here’s where the gap usually shows.

Typical SBOM tools

Convenient. Wrong often enough to matter.

  • Trust whatever a package.json, POM, or setup.cfg claims.
  • Silently emit “NOASSERTION” for components they can’t resolve.
  • Miss bundled, vendored, or transitively patched code entirely.
  • Produce output that doesn’t survive a serious legal or regulatory review.

SecurePixie approach

Validated against the artifact, not the manifest.

  • Cross-check declared license against multiple authoritative sources.
  • Inspect the actual binaries and source trees you ship — including vendored copies.
  • Flag conflicts, ambiguity, and missing data instead of papering over them.
  • Emit signed, traceable evidence packages a reviewer can verify.
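To make the contrast above concrete, here is an added example (not SecurePixie's or SBOMX's code) of the cross-check the right-hand column describes: each component's manifest-declared license is compared against license text found in the shipped artifact, and missing, unverified, ambiguous or conflicting data is reported as such rather than silently emitted as NOASSERTION. The license fingerprints and sample components are constructed for illustration; a real checker would use full-text license matching.

```python
"""Cross-check manifest-declared licenses against license text in the shipped artifact."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed fingerprints: one distinctive phrase per license, keyed by SPDX id.
FINGERPRINTS = {
    "MIT": re.compile(r"Permission is hereby granted, free of charge", re.I),
    "Apache-2.0": re.compile(r"Apache License,?\s+Version 2\.0", re.I),
    "GPL-3.0-only": re.compile(r"GNU GENERAL PUBLIC LICENSE\s+Version 3", re.I),
}

@dataclass
class Component:
    name: str
    declared: Optional[str]      # license field from package.json / POM / setup.cfg, if any
    license_text: Optional[str]  # LICENSE file found in the artifact actually shipped, if any

def detect_license(text: Optional[str]) -> set:
    """Return the SPDX ids whose fingerprint appears in the artifact's license text."""
    if not text:
        return set()
    return {spdx for spdx, pat in FINGERPRINTS.items() if pat.search(text)}

def check_component(c: Component) -> tuple:
    """Return (status, spdx_or_None, note). Every outcome is explicit; none is a silent pass."""
    found = detect_license(c.license_text)
    if not found and not c.declared:
        return ("MISSING", None, "no manifest license and no license text in artifact")
    if not found:
        return ("UNVERIFIED", c.declared, "manifest claim not corroborated by the artifact")
    if len(found) > 1:
        return ("AMBIGUOUS", None, f"artifact matches several licenses: {sorted(found)}")
    (spdx,) = found
    if c.declared is None:
        return ("INFERRED", spdx, "manifest silent; license taken from artifact text")
    if c.declared != spdx:
        return ("CONFLICT", None, f"manifest says {c.declared}, artifact text is {spdx}")
    return ("VERIFIED", spdx, "manifest and artifact agree")

def audit(components) -> dict:
    """Map each component name to its (status, spdx, note) finding."""
    return {c.name: check_component(c) for c in components}

# Constructed sample: an honest manifest, a wrong manifest, a vendored copy with no
# manifest at all, and a component with nothing to go on.
SAMPLE = [
    Component("left-pad", "MIT", "Permission is hereby granted, free of charge, to any person"),
    Component("some-lib", "MIT", "Apache License, Version 2.0, January 2004"),
    Component("vendored-lib", None, "GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007"),
    Component("mystery", None, None),
]
```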

In development

Our product: SBOMX

Audit-ready Software Bills of Materials with verified license attribution.

SBOMX closes the license-data gap by validating component licenses against multiple authoritative sources, producing audit-ready evidence that holds up under legal review. Built for the regulatory environment your organization actually operates in.

  • Validated against the actual artifact — we inspect the binaries and source trees you ship, not just whatever the package metadata claims.
  • Signed evidence packages — outputs are reproducible and reviewer-verifiable.
  • Maps to NIST SSDF and EO 14028 guidance — aligned to controls your auditor already asks about.

Engagement

One objective: an SBOM your legal team will sign off on.

We work two ways, depending on how often your evidence needs to be current.

One-time

Evidence package on demand

For audits, M&A diligence, customer requests, or one-shot regulator inquiries. We produce a signed, traceable SBOM against a specific build and hand it over with the supporting evidence.

Continuous

In-environment monitoring

For teams shipping regularly. We deploy inside your build pipeline so every release produces a current, signed evidence package — no manual SBOM regeneration when legal asks.

Get in touch

Talk to us about an audit, an engagement, or SBOMX early access.

An assistant acknowledges every inbound message immediately, and a human follows up personally within one business day. If you’re under deadline pressure, say so in the subject line.