MDR-Ready Software Inventory Built on Developer Pipelines
Generate, validate, and manage SBOMs across formats, prove your secure lifecycle and vulnerability handling, and export audit-ready MDR evidence without slowing releases.
Get an MDR-Ready SBOM
AppSec Meets Technical Documentation
SOOS unifies SBOMs, scans, and policies in one view: fields validated, risks prioritized with VEX/attestations, and activity timestamped so auditors get defensible outputs, fast.
Security without slowdown — SBOM-First ASPM that ships MDR evidence

Defend Your Inventory
Continuously inventory components across source, containers, and ingested SBOMs. Consolidate many SBOMs into one linked archive.

Works Where You Build
Run in CI/CD, scan repos, images, binaries, or ingest third-party SBOMs. Cross-convert SPDX ↔ CycloneDX, no rebuilds required.

Emerging Threats
SOOS tracks new CVEs and industry headlines against your dependency tree. We flag past headliners (Log4Shell, xz, etc.) and show fix guidance so you can act before it hits review.

Guided Upgrade Paths
Get fix versions and upgrade paths, even when findings originated from an ingested SBOM or binary rather than your own source.

MDR Evidence Ready to Export
Generate SBOMs with the fields auditors expect and map outputs to Annex I GSPRs and lifecycle controls. No rework!

SLA-Driven Remediation
SLAs and a Compliance dashboard surface approaching/overdue items so you can prove timely handling post-market.

Lifecycle Proof, Captured
Show intake → triage → remediation history with timestamps; evidence that your vulnerability monitoring and update processes actually run.

All Formats Welcome
Bring SPDX, CycloneDX, or CSVs. SOOS normalizes, enriches, cross-converts, consolidates into a linked archive, and exports submission-ready artifacts.

VEX Cuts False Urgency
Publish CSAF VEX or CycloneDX attestations and re-score vulns so reviewers see real risk, not noise.
Want to see an MDR-ready SBOM from SOOS?
Download a sample CycloneDX SBOM showing a VEX attestation and rescored vulnerability.
Sign up for a free trial to work with all of SOOS's report formats, including CycloneDX and SPDX Software Bill of Materials (SBOMs), standalone CSAF VEX, SARIF results, open source license reports, and more.

AppSec Meets Technical Documentation
Track inventory, vulnerabilities, SLAs, and change history in a single dashboard. Generate an SBOM and evidence snapshots at any time to meet MDR requirements for technical documentation.
White-Glove Help, Fast Turnaround
We’ll stand up your first MDR-ready SBOM from repos, containers, filesystem scans, or even existing SBOMs, then automate it in your pipeline. Most teams export their first SBOM on the same day.


Automate Your Software Inventory
Start from what’s real: your components. SOOS ingests software artifacts such as manifests and SBOMs, scans binaries and containers, and continuously maintains a consolidated, linked SBOM archive you can defend.
Frequently Asked Questions
Does the EU MDR require SBOMs?
Not explicitly. MDR/IVDR require secure lifecycle and risk management; SBOMs are state-of-the-art evidence that support those obligations and speed audits.
So why build SBOMs in the EU?
Because they make MDR audits cleaner, and the EU Cyber Resilience Act is making SBOM-like obligations mandatory across products with digital elements (phased in from 2026/2027).
Can SOOS handle many formats (and CSVs)?
Yes. Ingest SPDX, CycloneDX, CSVs, manifests, binaries; normalize, enrich, cross-convert, and export consolidated, linked archives.
Do you support VEX/attestations?
Yes, SOOS supports CSAF VEX and CycloneDX attestations, plus vulnerability re-scoring for clearer auditor context.
Will this help with post-market surveillance?
Yes. SLAs, triage workflows, timestamps, and change logs give you ongoing evidence for PMS and vigilance activities.
What is SBOM-First ASPM?
Application Security Posture Management (ASPM) is how you continuously understand, prioritize, and fix risk across all the software you build, buy, and run. SBOM-First ASPM means you treat the bill of materials (and everything that enriches it) as the living source of truth throughout the SDLC, and not as a static document you file away.
How is SOOS different from typical SBOM tools?
Most “SBOM vaults” out there are essentially document stores: you upload/import SBOMs, maybe edit, and export reports for submissions. Useful, but static. SOOS is built to operate those artifacts across engineering workflows.