I’ve been using CycloneDX (maintained under OWASP, now ECMA-424) across projects. The full-stack BOM standard, supporting SBOM, CBOM, HBOM, ML-BOM, and many others. Complements great tools like @SyftProject from @anchore.
On Thursday, we announced the release of FlakeBOM, our lightning-fast, Rust-built CLI for generating CycloneDX SBOMs from Nix flakes. It provides a wealth of information not provided by other Nix-based tools and offers the perfect complement to Determinate Secure Packages 📦 📄 🍁 determinate.systems/blog/int…
We're excited to announce the release of FlakeBOM, a CLI for generating CycloneDX SBOMs from Nix flakes. Lightning-fast and complete with VEX metadata and support for a wealth of information not provided by other tools, it's truly the perfect complement to Determinate Secure Packages ❄️ ⚡ 📦 🚀 Read more at the link in thread 🧵 🔗 👇
The Anchore Enterprise API turns container inventory into programmatic queries. Retrieve package data and export SBOMs directly to SPDX or CycloneDX in a single API call. Read more in part 2 of our technical blog series: anchore.com/blog/working-wit…
Many Java teams don't know which libraries are really running in production, until the next #Log4Shell shows up. #SBOMs create transparency about dependencies & risks. @SvenRuppert shows how it's done in practice: javapro.io/de/sbom-fuer-java… #Maven #Gradle #CycloneDX
On Thursday, we'll tell you about a brand new tool we've built called FlakeBOM, a CLI that builds CycloneDX-compatible SBOMs from Nix flakes, opening up a new universe of security-related workflows around Nix 🍁 📜 So much fun supply chain stuff happening on our side that we couldn't resist devoting an entire week to it, so stay tuned 📡
Most teams can name their certificates. Almost no one can name every algorithm and key running across their stack. That blind spot is the problem. The cryptography you can't see, buried in source code, binaries, databases, and HSMs, is exactly what "harvest now, decrypt later" attacks and quantum are counting on. CBOM Secure pulls all of it into one continuously updated inventory: every key, cert, and algorithm, discovered, risk-scored, and exported audit-ready in CycloneDX 1.6 and 1.7. From scattered cryptography to one clear inventory, so when a standard shifts or an algorithm breaks, it's a query, not a fire drill. See it in action: ow.ly/JI3E50Z8Xmm Gain execution-level visibility into your cryptographic assets across code, binaries, and cloud with CBOM to ensure compliance and seamless post-quantum migration. #EncryptionConsulting #PostQuantumCryptography #CyberSecurity
Your SBOM scanner gives you a report. Reports expire the moment you close the tab. cbomcompliance.com gives you something different: ✦ A cryptographically signed receipt — RS256, Merkle-committed, immutable ✦ Live CVE intelligence at signing — OSV, NVD, GHSA, EPSS scored ✦ Re-evaluate any old receipt against today's threat data ✦ Compare two receipts — see exactly what changed, what was added, what got riskier ✦ Zero data retention. No account needed. CMMC Level 2 enforcement starts November 10, 2026. Auditors don't want your scanner output. They want proof that can be independently verified years later. Trust is not declared. It is computed. cbomcompliance.com #CMMC #SBOM #CycloneDX #SPDX #SupplyChainSecurity #DevSecOps #CyberSecurity #AppSec #PKI #SoftwareSecurity #InfoSec #VulnerabilityManagement #OpenSourceSecurity #DoD #NIST #EO14028 @Ransom_DB @Chilcano
AI agents are being deployed faster than the security primitives that can detect their failures. Sigma was built for SIEM logs. YARA was built for malware binaries. OWASP Top 10 is a taxonomy. None of them were designed for what agents actually do: LLM I/O, MCP tool calls, SKILL.md manifests, context-window manipulation. That gap is what ATR fills. ATR is an open detection rule format for AI agent threats. YAML, MIT-licensed, machine-readable. Each rule defines the attack pattern to match, which input field to inspect, how to test it, and how it maps back to OWASP, MITRE ATLAS, SAFE-MCP, and NIST AI RMF. The schema is narrow enough that any engine — TypeScript, Python, Go, or Rust — can implement it without ambiguity. The core principle: ATR doesn't try to replace any existing security ecosystem. It acts as a converter into all of them. One rule. Multiple outputs.
ATR → Sigma for SIEM
ATR → YARA for malware analysts
ATR → STIX for threat intelligence
ATR → MISP tags for EU CERTs
ATR → OSCAL for NIST AI RMF compliance
ATR → CycloneDX for AI/ML BOMs
Not a new walled garden. A bridge. PanGuard is the commercial layer built on top of these rules — the scanner that loads them, the audit evidence module that maps detections to compliance frameworks, and the runtime guard that enforces what the scanners find. The same open-core pattern that produced SOC Prime on top of Sigma, Joe Sandbox on top of YARA, Red Hat on top of Linux — now applied to AI agent security. Right now: 421 rules across 10 categories, shipping in production at Microsoft Agent Governance Toolkit, Cisco AI Defense, Gen Digital Sage (Norton / Avast parent), and MISP threat-intel used by EU CERTs. Mapped to every category of the OWASP Agentic Top 10 and to the 2026-05-01 Five Eyes joint guidance on agent deployment. The next era of AI security standards for AI agent security has to scale globally — that means open. github.com/Agent-Threat-Rule… panguard.ai agentthreatrule.org/en — Adam Lin