Skip to main content

Commercial (Proprietary) Tools

These are tools offered by Commercial Vendors which are not open sourced.

CybeatsvSBOM Studio

Company Contact Cybeats Technologies Inc.
SPDX Support Produce(Analyze), Consume(Import), Transform(Translate), Transform(Merge), Enrich(Security Enrichment and Threat Modeling), Share(Secure Signed Sharing)
Additional Support Enrich(Security Enrichment and Threat Modeling), Share(Secure Signed Sharing)
Functionality Cybeats SBOM Studio is a cybersecurity software inventory analysis platform. It is built for the pre-market stages of IoT firmware development and helps device makers with mapping, management and design, and enrichment for IoT device’s firmware. Cybeats SBOM Studio generates SBOMs with the runtime data information for more precise identification of vulnerabilities and exploits abilities. The solution models and translates the data into enriched SBOMs. SBOM Studio exports and imports SPDX/CycloneDX formats and enriches the model with vulnerability and context based exploitability data providing visibility into threat modeling and threat intelligence angle of the device.
Location Website:
Installation instructions Contact: for demo
How to use: Analyze: (Linux) Agent operating on device can scan and inventory system content and information

Import: Model your solution in SBOM Studio and import source and binary SBOM files in SPDX or CycloneDX formats.

Export: Export and share security signed SBOMS in SPDX and CycloneDX formats.

Versions supported: SPDX 2.2


Company Contact MediSAO
SPDX Support Produce(Analyze), Consume(Import), Transform(Translate)
Functionality CyberProtek is an SBOM generation and translation tool  for IoT that scans code metadata to create SBOMs, translates between SWID/SPDX/CycloneDx and manages vulnerabilities.
Location Website:
Installation instructions Entirely web based. Contact MedISAO for demo.
How to use To import: Upload or paste SBOM into Import tab, or use supported scanning tool in development environment

To export:Download SPDX from SBOM export tab as a text file.from web portal.

versions supported: SPDX 2.1, SPDX 2.2 (WIP)?


Company nexB Inc.
Product DejaCode
SPDX Support Produce (Analyze, Edit)
Functionality DejaCode is an enterprise-level open source compliance application, powered by ScanCode. You can 

generate an SPDX 2.3 SBOM from your Product definitions.

Location Website:


Installation instructions Options include: 

  • Sign up for a free evaluation
  • Become a DejaCode SaaS customer
  • Install DejaCode on-premises
How to use Define (review, approve) the details of your Product in DejaCode. Use the Share option to generate an SPDX 2.3 SBOM in .json format.
Versions supported SPDX 2.3


Company aDolus Technology Inc.
Product FACT
SPDX Support Produce(Analyze)
Functionality Generates SBOMs for Industrial Control System (ICS) software and analyzes the created SBOMs to detect vulnerabilities, obsolescence, and malware.
Location Website:
Installation instructions Contact aDolus for demo
How to use Through website, API, or local install of tool
Version Supported SPDX 2.2

FOSSID  → Snyk

Company Contact FOSSID AB
SPDX Support Produce(Analyze), Consume(View), Consume(Diff), Consume(Import)
Functionality FOSSID is a Software Composition Analysis tool that scans your code for open source licenses and vulnerabilities, and gives you full transparency and control of your software products and services.
Location Website:
Installation instructions Contact FOSSID
How to use Contact FOSSID
versions supported: SPDX 2.1, SPDX 2.2

Hub-SPDX (Black Duck Hub Report Utility)

Company Contact Synopsys
SPDX Support Produce(Analyze)
Functionality Download a report in SPDX format from Black Duck Hub
Location Website:
Installation instructions
How to Use
versions supported: SPDX 2.1, SPDX 2.2


Company Medsec
Product MedScan
Support Consume
Functionality Consumes SBOM’s for helping hospitals manage medical device assets
Location Website:
Installation instructions Virtualized appliance inside hospital, Webportal for user, Contact MedSec for demo
How to use To import:Locate the device profile relevant to the SBOM, and select ‘add SBOM’

To export: locate the device profile desired and select ‘Download SBOM’

Version supported Contact MedScan

Software Assurance Guardian Point Man (SAG-PM)

Company Contact Reliable Energy Analytics LLC
SPDX Support Consume(Import)
Functionality Processes spdx SBOM’s as part of a seven step software supply chain risk assessment
Installation instructions Contained in Company provided Documentation
How to use Sag comprehensive {software install pkg}  {Evidence output loc}
versions supported: SPDX 2.2 in .spdx format


Company Contact SourceAuditor
SPDX Support Produce(Analyze), Consume(View), Consume(Diff, Consume(Import), Transformation(Translate)
Functionality Supports SPDX document exports for full audit analysis of source and binaries.  Supports consuming SPDX documents for incremental code audits.
Location Website:
Installation instructions Contact
How to use Primarily used by consultants to generate SPDX documents for source code analysis and audits.
versions supported: SPDX 1.2, SPDX 2.0, SPDX 2.1, SPDX 2.2, SPDX 2.3(WIP)


Company Contact TrustSource
SPDX Support Produce(Analyze),
Functionality Contact TrustSource
Location Website:
Installation instructions Contact TrustSource
How to use Primarily used by consultants to generate SPDX documents for source code analysis and audits.
versions supported: SPDX 2.1(WIP), ?


Company Vigilant Ops
Product InSight Platform
SPDX Support Produce(Analyze), Consume (View), Transform (Translate), Transform(Tool Support)
Functionality Vigilant Ops InSight is a cloud-based platform utilized by both Medical Device Manufacturers (MDM) and Healthcare Delivery Organizations (HDO). MDMs use the platform for generating, maintaining, and securely sharing medical device Cybersecurity Bill of Materials (CBOM) with HDOs. The InSight platform leverages advanced technology, artificial intelligence, and machine learning algorithms to continuously monitor public data sources for component vulnerability updates.
Location Website:
Installation instructions Web based platform. Visit to request a demo OR email
How to use To Import: Import of SPDX not currently supported.

To Export: Medical Device Manufacturers (MDM) can generate a CBOM in Vigilant Ops encrypted format using the CBOM Generator. This CBOM can then be uploaded to the web based InSight MDM application using the “Upload CBOM” option. The CBOM can then be exported in SPDX format using the “Export” menu option in the MDM application.

Version supported SPDX 2.1



Company Timesys
Product Vigiles
SPDX Support Produce (Build), Consume (View), Consume (Diff), Transform (Tool support)
Functionality Vigiles is a Software Composition Analysis (SCA) tool that generates and analyzes Software Bill of Materials (SBOM) for publicly known cybersecurity vulnerabilities. In addition, Vigiles provides a complete vulnerability lifecycle management tool: discovery, prioritization, triaging, remediation, compliance and on-going monitoring/alerts.
Location Website:
Installation instructions Web based tool, register for a free account (
How to Use
Version supported SPDX 2.2