THE CRYPTOGRAPHIC BILL OF MATERIALS PLATFORM

The audit-firm CBOM platform.

Generate, version, and ship cryptographic bills of materials stamped with your own brand. Big-4 and boutique audit practices license the engine; we keep the methodology current with NIST FIPS 203/204/205 so you don't have to.

CycloneDX 1.6 · SPDX 3.0.1 · NIST FIPS 203/204/205 · EU CRA-ready

CBOM · cyclonedx-1.6.json
  KEM     Kyber-1024    NIST FIPS 203 · key-encap
  SIG     Dilithium-3   NIST FIPS 204 · sigs
  HASH    SHA-256       FIPS 180-4 · 256-bit
  SYM     AES-256-GCM   FIPS 197
  LEGACY  RSA-2048      NIST SP 800-131A · deprecating 2030
  LEGACY  ECDSA-P256    Q-day exposure: 8 years
QorBOM SCORE: 62/100 · 2 deprecated primitives flagged
§01 · The Primer

What is a Cryptographic Bill of Materials?

A CBOM is a machine-readable inventory of every cryptographic primitive in a software stack — the keys, algorithms, certificates, and protocols that protect each layer. Think of it as an SBOM, but quantum-aware: it surfaces exactly which assets will break when classical RSA & ECC retire, and where to migrate first.

01

Discover

Static + runtime scanners walk your codebase, container images, network captures, and config to surface every algorithm in use — including the ones buried in third-party deps you didn't write.

Typical first scan: 4,800+ findings
02

Inventory

Findings normalize into a signed, versioned CBOM keyed to NIST FIPS 203/204/205 and CISA's 2024 reporting schema. Every primitive carries an exposure score, owner, and proof of provenance.

Standards mapped: NIST · CISA · EU CRA
03

Migrate

The CBOM becomes a living migration plan: drift alerts when a new RSA key ships, partner-firm sign-offs on each retirement, and an audit trail every regulator already asks for.

Hand-off ready for Big-4 auditors
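The three steps above (discover, inventory, migrate) can be seen end to end in a small script. The following is an added example, not QorBOM's or QorTrace's code: it takes constructed scanner findings, maps them onto CycloneDX 1.6-style cryptographic-asset components (field names such as cryptoProperties, algorithmProperties, primitive, cryptoFunctions and nistQuantumSecurityLevel follow my reading of the CycloneDX 1.6 schema), flags primitives from public-key families that Shor's algorithm breaks, computes an illustrative readiness score of the example's own design (not QorBOM's scoring), and emits a deterministic digest so two runs over the same findings and methodology version can be diffed. The qday_exposed property, the methodology_version value and the sample findings are all assumptions of this example.

```python
# Added example (not QorBOM's code): scanner findings -> CycloneDX 1.6-style
# CBOM -> Q-day exposure flags -> reproducible digest.
import hashlib
import json

# Constructed scanner findings: what a "Discover" pass might emit.
# The field names are this example's own, not QorBOM's.
FINDINGS = [
    {"algorithm": "Kyber-1024",  "primitive": "kem",       "functions": ["encapsulate", "decapsulate"], "location": "src/tls/handshake.go"},
    {"algorithm": "Dilithium-3", "primitive": "signature", "functions": ["sign", "verify"],             "location": "src/attest/sign.go"},
    {"algorithm": "SHA-256",     "primitive": "hash",      "functions": ["digest"],                     "location": "src/util/digest.go"},
    {"algorithm": "AES-256-GCM", "primitive": "ae",        "functions": ["encrypt", "decrypt"],         "location": "src/storage/blob.go"},
    {"algorithm": "RSA-2048",    "primitive": "pke",       "functions": ["encrypt", "decrypt"],         "location": "vendor/legacy/kms.go"},
    {"algorithm": "ECDSA-P256",  "primitive": "signature", "functions": ["sign", "verify"],             "location": "vendor/jwt/es256.go"},
]

# Classical public-key families that a large quantum computer (Shor) breaks.
QUANTUM_BROKEN_FAMILIES = ("RSA", "ECDSA", "ECDH", "DH", "DSA", "EDDSA")

# NIST PQC security categories (1-5); 0 means no quantum security.
# The PQC/symmetric values follow NIST's category definitions, but the
# table itself is this example's own mapping.
QUANTUM_LEVEL = {"Kyber-1024": 5, "Dilithium-3": 3, "AES-256-GCM": 5, "SHA-256": 2}

PUBLIC_KEY_PRIMITIVES = ("pke", "signature", "key-agree", "kem")


def is_quantum_exposed(finding):
    """True for a public-key primitive from a family Shor's algorithm breaks."""
    if finding["primitive"] not in PUBLIC_KEY_PRIMITIVES:
        return False
    return finding["algorithm"].upper().startswith(QUANTUM_BROKEN_FAMILIES)


def to_component(finding):
    """Map one finding onto a CycloneDX 1.6 cryptographic-asset component."""
    exposed = is_quantum_exposed(finding)
    return {
        "type": "cryptographic-asset",
        "name": finding["algorithm"],
        "cryptoProperties": {
            "assetType": "algorithm",
            "algorithmProperties": {
                "primitive": finding["primitive"],
                "cryptoFunctions": finding["functions"],
                "nistQuantumSecurityLevel": 0 if exposed else QUANTUM_LEVEL.get(finding["algorithm"], 0),
            },
        },
        # Where the scanner saw it (CycloneDX evidence.occurrences).
        "evidence": {"occurrences": [{"location": finding["location"]}]},
        # "qday_exposed" is this example's own property, not a CycloneDX field.
        "properties": [{"name": "qday_exposed", "value": str(exposed).lower()}],
    }


def build_cbom(findings, methodology_version="example-2025.1"):
    """Inventory step: normalize findings into a sorted, versioned CBOM."""
    components = sorted((to_component(f) for f in findings), key=lambda c: c["name"])
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "metadata": {"properties": [{"name": "methodology_version", "value": methodology_version}]},
        "components": components,
    }


def exposed_components(cbom):
    """Migrate step input: names of components flagged as Q-day exposed."""
    return [c["name"] for c in cbom["components"]
            if any(p["name"] == "qday_exposed" and p["value"] == "true"
                   for p in c.get("properties", []))]


def readiness_score(cbom):
    """Illustrative 0-100 score: share of components with no Shor exposure."""
    total = len(cbom["components"])
    if total == 0:
        return 100
    return round(100 * (total - len(exposed_components(cbom))) / total)


def cbom_digest(cbom):
    """Canonical JSON digest: same findings + same methodology => same bytes."""
    canonical = json.dumps(cbom, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


if __name__ == "__main__":
    bom = build_cbom(FINDINGS)
    print(json.dumps(bom, indent=2))
    print("exposed:", exposed_components(bom))
    print("score:", readiness_score(bom), "digest:", cbom_digest(bom))
```

Because components are sorted by name and the JSON is serialized with sorted keys, the digest only changes when a finding or the methodology version changes, which is what makes a later re-scan diffable rather than noisy.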

Want to see what one looks like before you scan anything?

Aligned with: NIST FIPS 203 · NIST FIPS 204 · NIST FIPS 205 · CISA CBOM-2024 · EU CRA · SOC 2 (track)
LIVE · NO SIGNUP

Don't take our word for it. Scan a real repo right now.

The same engine your branded portal will run. Anonymous and rate-limited; the first 25 findings and 25 components are returned.

  • Generates CycloneDX 1.6 + SPDX 3.0.1 in one pass
  • Flags Q-day-exposed primitives (RSA, ECDSA, DH)
  • Maps to NIST FIPS 203/204/205 + EU CRA controls
  • Result is reproducible — pin a methodology version
TRY IT · 30 SECONDS · FREE

Scan any public GitHub repo. Get a CBOM.

Live, anonymous. The first 25 findings + 25 components are returned so you can see exactly what an audit-ready CBOM looks like. Apply for an API key for the full output.

FOR AUDIT FIRMS

Run a post-quantum readiness practice without re-platforming twice a year.

Your brand, your portal

Subdomain, logo, color, footer. Tenant-isolated. We don't show up in the URL bar or in the report PDF. Your client sees you, not us.

REST + CLI + CycloneDX

Pull CBOMs through a plain HTTP API or our CLI. Pipe them into your existing GRC stack. CycloneDX 1.6 + SPDX 3.0.1 are first-class outputs.

Stamped & versioned

Every report cites the exact methodology hash that generated it. Re-run a year later, get a diff — defensible in a regulator's review.

Methodology, maintained

We update for every NIST draft, CISA notice, and EU CRA delegated act. You inherit the changes without re-platforming.

No source retention

Scans are ephemeral. We never write your client's repo contents to disk. Hashes only. SOC-2-track architecture, auditable by inspection.

Procurement-ready

Trust page, methodology page, SLA, DPA, and standardised SOC questionnaire. Your client's CISO has answers before they ask.

API · REST · CycloneDX

One endpoint. Audit-ready output.

Fire a POST, get back a CBOM signed against the current methodology version. The response is what you ship to your client — no transformation, no manual cleanup.

curl -X POST https://api.qorbom.com/v1/scans \
  -H "Authorization: Bearer $QORBOM_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "repo_url":   "https://github.com/acme/payments",
    "branch":     "main",
    "format":     "cyclonedx-1.6"
  }'
FOUNDING COHORT · SEATING NOW

Onboard your first client on QorBOM in under a week.

Sign a partnership letter, pick a tenant subdomain, drop a logo, configure your first scan. No build-out. No backlog for our engineering team. The founding cohort gets concierge onboarding + locked-in pricing.

§99 · POWERED BY QORTRACE

Need to scan a client's actual code?

QorTrace is the engine behind every QorBOM — the actual scanner that walks a client's codebase, container images, and runtime traffic to produce the inventory. If you're standing in front of a real engagement, that's the next call.