Compliance infrastructure for the post-quantum era

The CBOM platform, white-labeled.

QorBOM gives audit firms, MSSPs, and consultancies a turnkey CBOM scanner under their own brand. CycloneDX 1.6 + SPDX 3.0 output, with every BOM carrying a versioned QorTrace methodology pin and a canonical-JSON digest. Built for EU CRA obligations. Your logo on every report.

Limited early-access cohort · Apply before Q3 2026 launch · No payment yet

CBOM · cyclonedx-1.6.json · SIGNED · v0.1
  • Kyber / ML-KEM (key encapsulation)
    QUANTUM-SAFE
  • Dilithium / ML-DSA (signatures)
    QUANTUM-SAFE
  • SHA-256 (hash)
    ACCEPTABLE
  • AES-256 (AEAD)
    ACCEPTABLE
  • RSA-2048 (PKI)
    VULNERABLE
  • ECDSA (signing)
    VULNERABLE
Sample BOM · scan completes in <5s
The platform

Three pieces. Built so you ship a CBOM offering this quarter, not next year.

CBOM API

One endpoint. Paste a GitHub repo or upload a tarball. Get back a signed CycloneDX 1.6 BOM with every cryptographic primitive mapped to its post-quantum readiness. Audit-grade, regulator-defensible.

White-label dashboards

Drop in your logo, primary color, and disclaimer text. Every report your client sees carries your branding — not ours. Procurement loves it; you keep margin.

Reseller revenue share

Sell at your hourly rate; we run the scans behind the scenes. Transparent per-scan platform pricing means your blended margin is predictable. No annual minimums for the first 25 partners.

Regulatory tailwind

The EU Cyber Resilience Act (CRA) requires manufacturers to document the components of their products in an SBOM, and the main obligations apply from December 2027; a CBOM is the cryptographic part of that inventory, which CycloneDX 1.6 now models natively. US Executive Orders 14028 (SBOMs) and 14306 (post-quantum migration) push the same direction. NIST FIPS 203 / 204 / 205 (August 2024) are the approved post-quantum standards for federal systems, and NIST's draft IR 8547 timeline deprecates RSA and ECC in 2030 and disallows them in 2035. Your enterprise clients are going to ask you for this; be ready before they do.

Standards · Regulations · Methodology

Aligned with every standard your clients will ask you about.

QorBOM is built on top of QorTrace's methodology — the same one used to ship Threat Radar, Atlas, and audit engagements for treasuries, custodians, and exchanges. Every output we emit is regulator-defensible, peer-review-ready, and traceable to a public methodology pin.

Specifications
  • CycloneDX 1.6
    OWASP standard · native cryptographic-asset components
  • SPDX 3.0.1
    Linux Foundation · Security and Software profiles
  • Package URL (purl) spec
    Universal component identification across ecosystems
  • OpenAPI 3.1
    Industry-standard partner API schema
Cryptographic standards
  • NIST FIPS 203 (ML-KEM)
    Key encapsulation, approved for federal use (August 2024)
  • NIST FIPS 204 (ML-DSA)
    Digital signatures, approved for federal use (August 2024)
  • NIST FIPS 205 (SLH-DSA)
    Stateless hash-based signatures
  • NSA CNSA 2.0
    Phased transition dates by product class; all national security systems quantum-resistant by 2035
  • NIST SP 800-218 / 218A
    Secure Software Development Framework (SSDF); 218A is the generative-AI profile, not a PQC profile
Regulatory frameworks
  • EU Cyber Resilience Act (CRA)
    Article 13 manufacturer obligations · SBOM required under Annex I · applies December 2027
  • EU DORA
    Article 26 threat-led penetration testing (TLPT) · cryptographic mapping
  • EU NIS2
    Cybersecurity risk-management for essential entities
  • EO 14028 & 14306
    US federal cybersecurity + crypto agility
  • FedRAMP rev 5
    Cryptographic inventory narrative in SSPs
  • CMMC 2.0
    DIB contractors: FIPS-validated cryptography for CUI (SP 800-171, SC.L2-3.13.11)
Standards bodies
  • NIST
    Post-quantum cryptography project alignment
  • ENISA
    Aligned with June 2024 PQC migration guidance
  • OWASP
    CycloneDX cryptographic-asset working group
  • OASIS
    STIX/TAXII threat-intel format compatibility
QorTrace methodology pin
qortrace-cbom-method-v0.1

Every BOM emitted carries this immutable methodology version plus a SHA-256 over the canonical JSON (keys sorted, components in a fixed order, no whitespace), so your peer-review process can regenerate the digest from the same input. The digest is an integrity and reproducibility anchor; it does not by itself prove who produced the BOM, which needs a key-based signature over the same canonical bytes. The pin is versioned via the QorTrace public methodology log, so changes are publicly visible and auditors can cite the exact methodology used on the date of any historical scan.
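How the two pieces above fit together, as an added example (not QorBOM's or QorTrace's code): the readiness mapping the CBOM API paragraph describes, and the methodology pin plus canonical SHA-256 described here. The readiness rules are one plausible rule set inferred from the page's sample BOM, not QorTrace's published methodology; the "review" label for sub-256-bit symmetric strength goes beyond the page's three labels. The property names `qortrace:*` are assumed, and the CycloneDX 1.6 `cryptoProperties` field names are used from memory, so validate the output against the published JSON schema before shipping. The sample assets are constructed for the example.

```python
"""Added example, not QorBOM's code: build a minimal CycloneDX 1.6 CBOM, label
each cryptographic asset's post-quantum readiness, then pin the methodology
version and a SHA-256 over the canonical-sorted JSON so a reviewer can
regenerate the digest from the same input."""
import copy
import hashlib
import json

METHOD_PIN = "qortrace-cbom-method-v0.1"   # the pin quoted on the page
PROP_PIN = "qortrace:methodology"          # assumed property names, not a published schema
PROP_DIGEST = "qortrace:canonical-sha256"
PROP_READY = "qortrace:pq-readiness"

# Rule set inferred from the page's sample BOM (an assumption, not QorTrace's method).
PQ_FAMILIES = {"ML-KEM", "ML-DSA", "SLH-DSA"}                    # FIPS 203 / 204 / 205
ASYMMETRIC = {"kem", "pke", "signature", "key-agree"}             # Shor breaks these unless PQ
SYMMETRIC = {"block-cipher", "ae", "hash", "mac", "kdf", "xof"}   # Grover only halves strength


def classify(asset: dict) -> str:
    """quantum-safe / acceptable / review / vulnerable for one asset.
    'review' = symmetric or hash strength below 256 bits (CNSA 2.0 wants AES-256/SHA-384 class)."""
    if asset["family"] in PQ_FAMILIES:
        return "quantum-safe"
    if asset["primitive"] in ASYMMETRIC:
        return "vulnerable"
    if asset["primitive"] in SYMMETRIC:
        return "acceptable" if asset.get("bits", 0) >= 256 else "review"
    return "review"   # unknown primitive: make a human look at it


def component(asset: dict) -> dict:
    """One CycloneDX 1.6 cryptographic-asset component (field names from memory)."""
    return {
        "type": "cryptographic-asset",
        "bom-ref": f"crypto/algorithm/{asset['name'].lower()}",
        "name": asset["name"],
        "cryptoProperties": {
            "assetType": "algorithm",
            "algorithmProperties": {
                "primitive": asset["primitive"],
                "parameterSetIdentifier": asset["param"],
            },
        },
        "properties": [{"name": PROP_READY, "value": classify(asset)}],
    }


def canonical_bytes(obj) -> bytes:
    """Sorted keys, no whitespace, UTF-8. sort_keys does NOT reorder arrays,
    so the builder must fix the component order itself (see build_bom)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def build_bom(assets: list) -> dict:
    """Deterministic BOM: components sorted by bom-ref, digest over everything
    except the digest property itself."""
    comps = sorted((component(a) for a in assets), key=lambda c: c["bom-ref"])
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "metadata": {"properties": [{"name": PROP_PIN, "value": METHOD_PIN}]},
        "components": comps,
    }
    digest = hashlib.sha256(canonical_bytes(bom)).hexdigest()
    bom["metadata"]["properties"].append({"name": PROP_DIGEST, "value": digest})
    return bom


def claimed_digest(bom: dict):
    vals = [p["value"] for p in bom["metadata"]["properties"] if p["name"] == PROP_DIGEST]
    return vals[0] if len(vals) == 1 else None


def verify(bom: dict) -> bool:
    """What a peer reviewer runs: strip the digest property, recompute, compare."""
    claimed = claimed_digest(bom)
    if claimed is None:
        return False
    stripped = copy.deepcopy(bom)
    stripped["metadata"]["properties"] = [
        p for p in bom["metadata"]["properties"] if p["name"] != PROP_DIGEST]
    return hashlib.sha256(canonical_bytes(stripped)).hexdigest() == claimed


def readiness(bom: dict) -> dict:
    """name -> readiness label, read back out of the BOM."""
    return {c["name"]: c["properties"][0]["value"] for c in bom["components"]}


# Constructed sample: the page's six assets plus AES-128 to exercise 'review'.
SAMPLE = [
    {"name": "ML-KEM-768", "family": "ML-KEM", "primitive": "kem", "param": "768"},
    {"name": "ML-DSA-65", "family": "ML-DSA", "primitive": "signature", "param": "65"},
    {"name": "SHA-256", "family": "SHA-2", "primitive": "hash", "param": "256", "bits": 256},
    {"name": "AES-256-GCM", "family": "AES", "primitive": "ae", "param": "256", "bits": 256},
    {"name": "AES-128-CBC", "family": "AES", "primitive": "block-cipher", "param": "128", "bits": 128},
    {"name": "RSA-2048", "family": "RSA", "primitive": "pke", "param": "2048", "bits": 2048},
    {"name": "ECDSA-P256", "family": "ECDSA", "primitive": "signature", "param": "P-256", "bits": 256},
]

if __name__ == "__main__":
    bom = build_bom(SAMPLE)
    print(json.dumps(readiness(bom), indent=2))
    print("digest:", claimed_digest(bom), "verifies:", verify(bom))
    print("same digest from reversed input:",
          claimed_digest(build_bom(list(reversed(SAMPLE)))) == claimed_digest(bom))
```

The reversed-input check is the point a reviewer should insist on: `sort_keys=True` canonicalizes object keys only, so two scans that emit the same components in a different array order produce different digests unless the builder fixes the order itself. The digest verifies integrity and reproducibility; attributing the BOM to a producer still needs a signature over the same canonical bytes, which this example does not add.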

Audit-defensible by design

Outputs map 1:1 to the evidence formats regulators and procurement teams already accept. No translation layer needed for your workpapers.

Privacy-respecting

We don't store client repository contents beyond the scan window. Source code is fetched, scanned in-memory, and discarded. Only the BOM persists.

Vendor-neutral

No proprietary BOM format, no lock-in. CycloneDX + SPDX are open standards — your clients can switch tooling tomorrow if they want to.

Standards · Regulations · Bodies

The badges your procurement team will recognize.

Each badge maps to a verifiable spec, citation, or audit trail, and each is marked as implemented, aligned with, or an active roadmap commitment for QorBOM™.

Partner pricing

Predictable margins. No annual minimums for early cohort.

For partners only. End-customer pricing at qortrace.com.
Platform
$999/mo
  • Up to 5 seats on the partner portal
  • Unlimited downstream client tenants
  • Standard SLA + email support
Per-scan
$50/scan
  • CycloneDX 1.6 + SPDX 3.0 output
  • QorTrace methodology pin + canonical SHA-256 on every BOM
  • No volume commitment
White-label
$5,000/yr add-on
  • Your logo on every PDF + dashboard
  • Custom subdomain (yourpractice.qorbom.app)
  • Hide QorBOM™ chrome entirely
Apply

Join the early-access partner cohort.

Tell us about your firm. We'll reach out within two business days with onboarding details and a sandbox API key. No payment is collected before the platform launches.

By submitting, you agree we may email you about your application. See Privacy.