OSS Semantic SBOM diff and TUI analysis tool. Compares CycloneDX/SPDX files for component changes, dependency shifts, license conflicts, and vulnerabilities.

Joined January 2026
sbom.tools is officially live🚀
SBOM-Tools retweeted
sbom-tools v0.1.21 is out 🩹 Bug-fix release:
- view -o json: full vuln detail dependency_kind
- diff similarity: bounded 0–100
- CRA section in diff reports: compact summary
Thanks @MCh0rfa for all three fixes👏
cargo | brew install sbom-tools
github.com/sbom-tool/sbom-to…
SBOM-Tools retweeted
Shipped SBOM.Tools v0.1.20 🚀 This one's all about EU Cyber Resilience Act (CRA) readiness.
- New cra-docs command, generates your Annex V Declaration of Conformity straight from the SBOM
- Full CSAF v2.0 round-trip
- Article 24 OSS steward profile for maintainers
- CRA standards-drift detection in `watch`
- 14 compliance levels now, including CNSA 2.0 and NIST PQC
If you're staring down CRA deadlines, this should make life easier.
github.com/sbom-tool/sbom-to…
SBOM-Tools retweeted
🔐sbom-tools v0.1.19 ships a CBOM quality engine that actually grades it:
- Algorithm strength PQC readiness
- OID & metadata coverage
- Key/cert lifecycle hygiene
sbom-tools quality --profile cbom
github.com/sbom-tool/sbom-to…
SBOM-Tools retweeted
Lately I've been thinking about how AI is changing vulnerability research and reverse engineering. VR and RE are some of the hardest workflows to parallelize. Even with great knowledge transfer and team practices, you usually default to one person per vuln or RE task. The work is just too context-heavy to split. AI breaks that ceiling. It's no longer "one researcher, one task", it's you working one angle while Claude annotates disassembly code, explores another path, or helps you piece together what the last result means. Watching this land in domains we assumed were fundamentally serial is wild.
SBOM-Tools retweeted
Another great example of AI-driven vuln research finding high-impact bugs in a heavily audited open-source project. Where human analysts give up or move on to a more interesting attack surface, AI keeps going until the end. Context, prompts, and skills still matter, but it’s not a magic box you ask “find me a 0-day.” VR was always artisanal. Not just running tools in sequence, but deep understanding of the problem space, historical knowledge of prior findings, and intuition for where bugs persist. Malware analysis got commoditized years ago with sandbox automation. VR resisted. Now AI has outpaced human analysts in throughput. Still needs guidance and direction, but it’s a completely new era. Some people I know still dismiss the progress, but hard to argue with results.
MAD Bugs: Finding and Exploiting a 21-Year-Old Vulnerability in PHP @i0n1c was "the PHP security guy" twenty years ago, so we thought it'd be fun to welcome him with a fresh unserialize UAF. open.substack.com/pub/calif/…
SBOM-Tools retweeted
Also new: 8 CBOM scoring categories, CBOM-aware diffing, TUI upgrades, and deeper crypto analysis.
cargo install sbom-tools
brew install sbom-tool/tap/sbom-tools
SBOM-Tools retweeted
Building a future where software security is proactive by design.
Apr 30
Claude Security is now in public beta for Claude Enterprise customers. Claude scans your codebase for vulnerabilities, validates each finding to cut false positives, and suggests patches you can review and approve.
SBOM-Tools retweeted
🚀SBOM.Tools v0.1.19 is out: the first open-source CLI/TUI to score CBOM quality, not just parse crypto inventory. This release puts real weight on PQC readiness and compliance, with scoring aligned to CNSA 2.0 NIST PQC guidance, and grade caps when there’s zero post-quantum migration. Full details: github.com/sbom-tool/sbom-to…
SBOM-Tools retweeted
My first week at Anthropic 🚀 For most of my career, I’ve been focused on different shades of cybersecurity, always building novel approaches to solve some of the industry’s hardest problems, and helping protect the systems we all depend on. What stands out to me most right now is the pace of progress in AI. It’s not just accelerating innovation — it’s reshaping entire industries, including cybersecurity, at a speed that feels truly unprecedented. We’ve reached an inflection point where old assumptions are being challenged, familiar problems are being reimagined, and entirely new ones are emerging faster than ever before. That’s exactly why I chose to be at the forefront of this wave of change. I’ve never seen a technological shift this rapid, or this consequential. The next few years will redefine how we build, defend, and trust the systems around us. Being part of that journey at this moment feels deeply inspiring.
SBOM-Tools retweeted
How did we get to a point where everyone suddenly claims (with the help of AI) to be a vulnerability researcher and exploit writer? I’m worried about the amount of content fatigue this is creating. There’s definitely been a lot of good work done, but there’s also plenty of slop and hype. Especially when early-stage startups with no real technical depth are trying to exploit the moment.
🔐sbom-tools release pipeline:
- crates.io: OIDC Trusted Publishing (no static tokens)
- Homebrew: SHA256-verified source tarball, pinned to commit SHA
- GitHub: SLSA L3 provenance Sigstore
SBOM-Tools retweeted
In today’s reality, the sheer number of CVEs discovered by your platform is no longer a meaningful success metric. What still matters is the quality of the findings and clear proof of exploitability. Stop chasing easy targets just to inflate the numbers. That does not say anything positive about your product.
SBOM-Tools retweeted
The market is still underrating the gap between finding bugs and actually proving exploitability. A lot of companies argue that vulnerability discovery is becoming commoditized, that multiple models can now spot bug patterns, and that results like Anthropic Mythos are reproducible. That misses the real technical bottleneck. Finding the bug is not the hard part anymore. In many cases, that’s close to a solved problem. What matters is whether a model can turn that finding into a real exploit: chaining primitives, building a working test case, and demonstrating that the issue is actually exploitable without a human carrying it across the finish line. That capability matters on both sides:
- offensively, because exploitability is what separates signal from noise
- defensively, because you need a credible proof case to build the right fix
We’re probably heading into another market correction where a lot of “AI companies” that are really just UI wrappers get washed out. The next winners won’t be the ones with the nicest interface. They’ll be the ones with real underlying capability.