See what ships. Block what doesn't.

Bytesafe SBOM Observer for component and vulnerability visibility across internal builds and vendor software, and Bytesafe Dependency Firewall for dependency protection before risky packages reach developers or CI/CD.


Dependency Firewall

In attacks like Shai Hulud, malicious packages were downloaded by developers in the window between publication and detection. Traditional SCA tools would have found the problem after the package was already in the codebase. Dependency Firewall intercepts every package request before it reaches your environment.

  • Safety delay: new package versions are held for a configurable period before reaching developers, closing the window that attacks like Shai Hulud exploit.
  • Block CVEs and malware at the registry level. Every install is evaluated against your policy before the package reaches CI/CD or developer machines.
  • Publish scanning detects credentials and sensitive data before packages are uploaded to your upstream registry.

Flow: Public registries (npm · Maven · PyPI · NuGet · Go · OCI · Docker) → Firewall + rules (CVE · malware · delay) → Compliant packages (vetted · approved)

What your security team gets

  • Block CVEs and malware before install, with CVSS and EPSS severity filters per team
  • Safety delay on new versions, plus dependency confusion protection and Sigstore/SLSA provenance checks
  • Publish scanning catches secrets and malware before packages reach your upstream registry
  • Full audit log of every block, allow, and exception, exportable to your SIEM
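A minimal form of the per-request evaluation described in the Dependency Firewall section and in the list above (safety delay, CVE/malware block, approved exceptions), written here as an added example; it is not Bytesafe code. It assumes npm-style registry metadata where a `time` map records the publish timestamp of each version, and uses constructed package data and a fixed clock so it runs offline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed npm-style registry metadata (trimmed "packument"); not a real package.
REGISTRY = {
    "example-lib": {
        "dist-tags": {"latest": "1.4.0"},
        "time": {
            "1.3.0": "2025-08-01T10:00:00.000Z",
            "1.4.0": "2025-09-15T08:30:00.000Z",  # published a few hours before NOW
        },
    },
}

# Fixed "current time" so the safety-delay check is deterministic.
NOW = datetime(2025, 9, 15, 12, 0, tzinfo=timezone.utc)


@dataclass
class Policy:
    min_age: timedelta = timedelta(days=7)        # safety delay for newly published versions
    blocked: set = field(default_factory=set)     # (name, version) flagged as malware or CVE
    exceptions: set = field(default_factory=set)  # (name, version) explicitly approved


@dataclass
class Decision:
    name: str
    version: str
    action: str  # "allow" or "block"; each decision is what an audit log would record
    reason: str


def parse_ts(ts: str) -> datetime:
    # npm timestamps end in "Z"; normalise to an offset fromisoformat accepts everywhere.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def evaluate(name: str, version: str, policy: Policy, now: datetime, registry=REGISTRY) -> Decision:
    key = (name, version)
    if key in policy.blocked:  # a known-bad version is never allowed, even with an exception
        return Decision(name, version, "block", "flagged as malicious or vulnerable")
    if key in policy.exceptions:  # reviewed and approved: skip the safety delay
        return Decision(name, version, "allow", "approved exception")
    pkg = registry.get(name)
    if pkg is None or version not in pkg.get("time", {}):
        return Decision(name, version, "block", "version not found in upstream metadata")
    age = now - parse_ts(pkg["time"][version])
    if age < policy.min_age:  # inside the window between publication and detection
        return Decision(name, version, "block", f"safety delay: published {age} ago, policy requires {policy.min_age}")
    return Decision(name, version, "allow", "passed policy")
```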

SBOM Observer

SBOM management and compliance

Know what components are in every product, which vulnerabilities affect them, and whether each release meets your compliance requirements, across every application, release, and vendor in your portfolio.

  • Ingest SBOMs from CI/CD and vendor deliveries. CycloneDX and SPDX are normalized into a single model alongside VEX, VDR, and SLSA attestations.
  • Policy engine for SBOM quality, security, and license rules. Enforce checks in CI/CD and fail builds on violations.
  • Compliance evidence for CRA, NIS2, and DORA: SBOMs, VEX, VDR, and policy results kept per release.

What your compliance team gets

  • A single inventory of every component across all your products
  • Vulnerability exposure mapped to specific applications and releases
  • Audit-ready evidence: SBOMs, VEX, VDR, and policy results
  • Supplier SBOM quality tracking and validation

How the platform supports key regulations

Regulation | Products | What the platform covers
Cyber Resilience Act (CRA) | SBOM Observer | SBOM Observer produces SBOM, VEX, VDR and policy evidence for each release.
NIS2 | SBOM Observer | Track supplier risk with vendor SBOM analysis in SBOM Observer.
DORA | SBOM Observer | Document third-party ICT risk with vendor SBOMs and VEX collected and analyzed across the platform.
EO 14028 / NTIA | SBOM Observer | SBOM generation, ingestion, and management covering NTIA minimum elements. CycloneDX and SPDX supported.
Dependency security policies | Dependency Firewall | Enforce security policy on every package request. Block CVEs and malicious packages before install. Full audit log.

Frequently asked questions

Common questions about the Observer platform and how the products fit together.

Can we buy a single product, or do we need all three?
Each product is sold separately and works on its own. If you already have a tool for SBOM management, you can just buy Dependency Firewall for dependency protection. We also offer combined agreements across SBOM Observer and Dependency Firewall.

How does the platform support CRA, NIS2, DORA, and EO 14028?
SBOM Observer produces the underlying evidence: SBOMs, VEX, VDR and policy results per release. Dependency Firewall enforces dependency policy before packages enter developer and CI/CD environments.

Is on-premise or private cloud deployment available?
Bytesafe SBOM Observer is available as managed SaaS, private cloud, and on-premise, including air-gapped environments. Bytesafe Dependency Firewall is available as managed cloud, BYO cloud, or on-premise.

Where is the platform hosted and who operates it?
We are an EU-based company focused on software supply chain security since 2018. SaaS is hosted in the EU. Private cloud and on-premise deployments run in your own environment.

See the platform in action.

We can walk through SBOM Observer, Dependency Firewall, or how they work together in your environment.
