Real-time SBOMs, exploit-aware risk scoring, and license compliance directly from your repositories. Secure your supply chain effortlessly.
Trace-AI by Zerberus is a powerful, open-source platform designed to help development teams know exactly what they ship and trust what they depend on. It automatically generates real-time Software Bills of Materials (SBOMs) from your repositories, continuously tracks both direct and transitive dependencies, and provides exploit-aware vulnerability scanning combined with license compliance checks. By integrating directly with your CI workflows on GitHub or GitLab, Trace-AI empowers developers to visualize and manage software risk with clarity and precision—all without exposing their source code.
Trace-AI’s transparent, auditable model (ZSBOM) enables high confidence in supply chain security. The platform continuously monitors your projects to give you a dynamic vulnerability dashboard, risk scoring tailored by exploit context, and vendor visibility — from APIs to SLAs. It also simplifies compliance by instantly identifying complex open source licenses like GPL family licenses and mapping risks to popular security frameworks such as ISO 27001 and SOC 2.
Whether you are shipping to enterprises or managing open source projects, Trace-AI delivers actionable, audit-ready SBOM reports and compliance evidence — making vulnerability management, license auditing, and vendor risk monitoring straightforward and developer-friendly.
What is an SBOM and why do I need one?
A Software Bill of Materials (SBOM) is an inventory of all components in your software. It’s essential for understanding your security posture, managing vulnerabilities, and regulatory compliance, especially under increasing supply chain risks.
How does exploit-aware scanning differ from traditional CVE scanning?
Traditional scanners report every CVE, causing alert fatigue. Trace-AI’s exploit-aware scanning focuses only on vulnerabilities with known active exploits, reducing noise and enabling prioritized remediation.
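The ranking difference described above, as an added illustration rather than Trace-AI's or ZSBOM's own code: a constructed CycloneDX-style SBOM is joined with a constructed vulnerability feed and a constructed catalogue of CVEs with known active exploitation; every package name and CVE identifier here is a placeholder.

```python
import json

# Constructed minimal CycloneDX-style SBOM; component names and purls are made up.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-http", "version": "1.4.0",
         "purl": "pkg:npm/acme-http@1.4.0"},
        {"type": "library", "name": "acme-yaml", "version": "0.9.2",
         "purl": "pkg:pypi/acme-yaml@0.9.2"},
        {"type": "library", "name": "acme-logger", "version": "2.1.0",
         "purl": "pkg:maven/com.acme/acme-logger@2.1.0"},
    ],
})

# Constructed vulnerability feed: purl -> [(placeholder CVE id, CVSS base score)].
VULN_FEED = {
    "pkg:npm/acme-http@1.4.0": [("CVE-0000-0001", 9.8), ("CVE-0000-0002", 5.3)],
    "pkg:pypi/acme-yaml@0.9.2": [("CVE-0000-0003", 7.5)],
    "pkg:maven/com.acme/acme-logger@2.1.0": [("CVE-0000-0004", 6.1)],
}

# Constructed catalogue of CVEs with known active exploitation (KEV-style list).
KNOWN_EXPLOITED = {"CVE-0000-0003", "CVE-0000-0004"}


def prioritize(sbom_json, feed, exploited, exploited_only=False):
    """Join SBOM components with the feed and rank findings by exploit context.

    A traditional scanner is the output with exploited_only=False (every CVE);
    an exploit-aware view is exploited_only=True, or simply the top of the list.
    """
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        for cve, cvss in feed.get(purl, []):
            is_exploited = cve in exploited
            if exploited_only and not is_exploited:
                continue
            findings.append({"purl": purl, "cve": cve, "cvss": cvss,
                             "exploited": is_exploited})
    # Known-exploited first, then CVSS descending: a 6.1 with an active exploit
    # outranks a 9.8 that has none, which is what cuts the remediation queue.
    return sorted(findings, key=lambda f: (not f["exploited"], -f["cvss"]))
```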
Which programming languages and package managers are supported?
Trace-AI supports all major ecosystems, including npm/yarn (JavaScript), pip (Python), Maven/Gradle (Java), Go modules, RubyGems, NuGet (.NET) and Cargo (Rust), with ongoing expansion.
Are my code and data secure with Trace-AI?
Yes. Trace-AI analyzes only dependency manifests and lock files, never your source code. All data is encrypted both at rest and in transit. You can also run ZSBOM locally for full control.
How does ZSBOM compare with other SBOM tools?
ZSBOM is fully open-source and auditable. Unlike closed black-box tools, its classification logic, policies, and risk scoring are transparent and customizable, focusing on accuracy, exploit-awareness, and developer usability.
What compliance frameworks does Trace-AI support?
Trace-AI’s policy-as-code library supports ISO 27001, SOC 2, PCI-DSS, HIPAA, GDPR, and more, enabling you to fork and tailor compliance checks to your organizational needs.
What is the pricing model?
Trace-AI offers free usage for up to 5 repositories with predictable, per-repository pricing as you scale. No credit card required to start.
With Trace-AI, development teams gain a full, transparent, and continuously updated understanding of their software dependencies and risks — making safer, compliant software delivery an integral part of modern DevOps.