Features
SBOM documentation, submission-ready.
From SBOM import to FDA eSTAR sections. Vulnerability scanning, triage, and regulatory reports. One platform, no spreadsheet surgery.
SBOM Management
Upload, validate, and manage your software bill of materials.
Import your SBOM in CycloneDX or SPDX format. Threat Detective validates it against NTIA minimum element requirements and flags missing data: supplier names, component versions, PURLs, CPEs, and dependency relationships. Fix gaps before a reviewer finds them.
- CycloneDX and SPDX support.
- Import SBOMs in both major formats. No manual conversion required. Upload directly from your build pipeline or development tools.
- NTIA minimum element validation.
- Automatically checks for supplier name, component name, version, unique identifier, dependency relationships, SBOM author, and timestamp. Flags any missing fields with clear guidance on how to fix them.
- PURL and CPE identification.
- Validates Package URLs (PURLs) and Common Platform Enumeration (CPE) identifiers for each component. These identifiers are how vulnerability databases match your components to known issues.
- Component inventory management.
- Track all commercial, open-source, and off-the-shelf software components in your device. See versions, licences, and risk levels at a glance across your entire SBOM.
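The NTIA minimum-element check described above, as an added example (not Threat Detective's own code): a small validator over a CycloneDX JSON SBOM that flags missing supplier names, versions, identifiers, dependency relationships, author and timestamp. The SBOM in the block is constructed with deliberate gaps; the PURL and CPE checks are shape checks only, not a full implementation of the purl-spec or the CPE 2.3 grammar.

```python
import json
import re

# Constructed sample CycloneDX 1.5 JSON SBOM with deliberate gaps for the validator to flag.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-05-01T12:00:00Z",
        "authors": [{"name": "Example Device Co. build pipeline"}],
        "component": {"bom-ref": "pkg:generic/pump-fw@3.2.0", "name": "pump-fw", "version": "3.2.0"},
    },
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0",
         "supplier": {"name": "Python Software Foundation"}, "purl": "pkg:pypi/requests@2.31.0"},
        # openssl: version left empty and no supplier block
        {"bom-ref": "openssl", "name": "openssl", "version": "",
         "cpe": "cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*"},
        # libfoo: neither PURL nor CPE, and absent from the dependency graph below
        {"bom-ref": "libfoo", "name": "libfoo", "version": "0.9", "supplier": {"name": "Foo Ltd"}},
    ],
    "dependencies": [
        {"ref": "pkg:generic/pump-fw@3.2.0", "dependsOn": ["pkg:pypi/requests@2.31.0", "openssl"]},
    ],
})

# Shape checks only: 'pkg:<type>/<name...>[@version][?qualifiers][#subpath]' and the
# 13-field CPE 2.3 formatted string. They catch missing or malformed identifiers,
# not every rule of the purl-spec or CPE grammar.
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^\s?#]+(?:\?\S*)?(?:#\S*)?$")
CPE23_RE = re.compile(r"^cpe:2\.3:[aho](?::[^:\s]+){10}$")


def has_valid_identifier(comp: dict) -> bool:
    """The 'unique identifier' element is satisfied by a well-formed PURL or CPE 2.3 string."""
    return bool(PURL_RE.match(comp.get("purl", ""))) or bool(CPE23_RE.match(comp.get("cpe", "")))


def validate_ntia(sbom_json: str) -> list:
    """Return human-readable findings; an empty list means every minimum element is present."""
    bom = json.loads(sbom_json)
    findings = []

    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("SBOM: missing metadata.timestamp")
    if not meta.get("authors"):
        findings.append("SBOM: missing metadata.authors (SBOM author)")

    # Every bom-ref that appears anywhere in the dependency graph, as parent or child.
    in_graph = set()
    for dep in bom.get("dependencies", []):
        in_graph.add(dep.get("ref"))
        in_graph.update(dep.get("dependsOn", []))

    for comp in bom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        if not comp.get("name"):
            findings.append(f"{label}: missing component name")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{label}: missing supplier name")
        if not has_valid_identifier(comp):
            findings.append(f"{label}: no valid PURL or CPE 2.3 identifier")
        if comp.get("bom-ref") not in in_graph:
            findings.append(f"{label}: not referenced in dependency relationships")
    return findings


if __name__ == "__main__":
    for finding in validate_ntia(SAMPLE_SBOM):
        print("FLAG:", finding)
```

Run against the sample, the validator reports four gaps: openssl lacks a version and a supplier, libfoo has no identifier and is missing from the dependency graph. An SPDX document needs the same checks against its own field names (creator, created, packages, relationships).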

Vulnerability Scanning
Vulnerability scanning across three databases. Continuously.
Every component in your SBOM is scanned against three vulnerability databases: the National Vulnerability Database (NVD), GitHub Security Advisories, and OSV. When a new vulnerability is disclosed, you see it matched to your components automatically.
- NVD (National Vulnerability Database).
- The primary source for CVE data, maintained by NIST. Includes severity scores (CVSS), affected product versions, and reference links.
- GitHub Security Advisories.
- Community-reviewed vulnerability data for open-source packages. Often has advisory information before it reaches the NVD, giving you earlier visibility.
- OSV (Open Source Vulnerabilities).
- Google-maintained database covering a wide range of open-source ecosystems. Provides precise affected version ranges for accurate matching against your components.
- Automatic matching and deduplication.
- Vulnerabilities from all three sources are matched to your components by PURL and CPE, then deduplicated so you see one finding per issue, not three.
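The matching and deduplication step described above, as an added example that is not Threat Detective's code. The advisory records are constructed and already reduced to one common shape (real NVD, GitHub Advisory and OSV records differ in structure, and the identifiers here are placeholders, not real CVE or GHSA ids); what the block shows is the matching key (PURL without version, or CPE vendor:product), the affected-range check, and deduplication by CVE alias so that one issue reported by three sources becomes one finding.

```python
import re
from collections import defaultdict

# Constructed SBOM inventory: two PURL-identified components and one CPE-identified component.
COMPONENTS = [
    {"name": "requests", "version": "2.30.0", "purl": "pkg:pypi/requests@2.30.0"},
    {"name": "openssl", "version": "1.1.1", "cpe": "cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*"},
    {"name": "urllib3", "version": "2.2.1", "purl": "pkg:pypi/urllib3@2.2.1"},
]

# Constructed advisories normalised to: source, id, aliases, a PURL or CPE matching key,
# and an affected range [introduced, fixed). Placeholder identifiers throughout.
ADVISORIES = [
    {"source": "NVD", "id": "CVE-0000-0001", "aliases": [],
     "purl_key": "pkg:pypi/requests", "cpe_key": None, "introduced": "2.3.0", "fixed": "2.31.0"},
    {"source": "GHSA", "id": "GHSA-xxxx-xxxx-xxx1", "aliases": ["CVE-0000-0001"],
     "purl_key": "pkg:pypi/requests", "cpe_key": None, "introduced": "2.3.0", "fixed": "2.31.0"},
    {"source": "OSV", "id": "OSV-EXAMPLE-1", "aliases": ["CVE-0000-0001", "GHSA-xxxx-xxxx-xxx1"],
     "purl_key": "pkg:pypi/requests", "cpe_key": None, "introduced": "2.3.0", "fixed": "2.31.0"},
    {"source": "NVD", "id": "CVE-0000-0002", "aliases": [],
     "purl_key": None, "cpe_key": "openssl:openssl", "introduced": "1.1.1", "fixed": "1.1.2"},
    {"source": "OSV", "id": "OSV-EXAMPLE-2", "aliases": [],
     "purl_key": "pkg:pypi/urllib3", "cpe_key": None, "introduced": "2.0.0", "fixed": "2.2.0"},
    {"source": "GHSA", "id": "GHSA-xxxx-xxxx-xxx3", "aliases": [],
     "purl_key": "pkg:pypi/urllib3", "cpe_key": None, "introduced": "2.2.0", "fixed": "2.2.2"},
]


def vtuple(version: str) -> tuple:
    """Numeric-only version key ('1.1.1w' -> (1, 1, 1)); adequate for the sample, not a full semver parser."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def in_range(version: str, introduced: str, fixed) -> bool:
    """True when introduced <= version < fixed (fixed=None means no fix is known yet)."""
    v = vtuple(version)
    return vtuple(introduced) <= v and (fixed is None or v < vtuple(fixed))


def component_keys(comp: dict) -> tuple:
    """Matching keys: the PURL with its version stripped, and the CPE vendor:product pair."""
    purl_key = comp["purl"].rsplit("@", 1)[0] if "purl" in comp else None
    cpe_key = None
    if "cpe" in comp:
        parts = comp["cpe"].split(":")
        cpe_key = f"{parts[3]}:{parts[4]}"
    return purl_key, cpe_key


def canonical_id(adv: dict) -> str:
    """Prefer a CVE alias as the deduplication key; fall back to the source's own id."""
    for candidate in [adv["id"], *adv["aliases"]]:
        if candidate.startswith("CVE-"):
            return candidate
    return adv["id"]


def match_advisories(components, advisories) -> list:
    """Raw (component, advisory) pairs: one per source that reports the issue."""
    raw = []
    for comp in components:
        purl_key, cpe_key = component_keys(comp)
        for adv in advisories:
            hit = (purl_key and adv.get("purl_key") == purl_key) or \
                  (cpe_key and adv.get("cpe_key") == cpe_key)
            if hit and in_range(comp["version"], adv["introduced"], adv["fixed"]):
                raw.append((comp, adv))
    return raw


def deduplicate(raw) -> list:
    """Collapse raw matches to one finding per (component, canonical id), keeping every source and alias."""
    grouped = defaultdict(lambda: {"sources": set(), "ids": set()})
    for comp, adv in raw:
        key = (comp.get("purl") or comp.get("cpe"), canonical_id(adv))
        grouped[key]["sources"].add(adv["source"])
        grouped[key]["ids"].update([adv["id"], *adv["aliases"]])
    return [
        {"component": ident, "id": cid, "sources": sorted(g["sources"]),
         "also_known_as": sorted(g["ids"] - {cid})}
        for (ident, cid), g in sorted(grouped.items())
    ]


def scan(components=COMPONENTS, advisories=ADVISORIES) -> tuple:
    """Return (number of raw matches, deduplicated findings)."""
    raw = match_advisories(components, advisories)
    return len(raw), deduplicate(raw)


if __name__ == "__main__":
    n_raw, findings = scan()
    print(f"{n_raw} raw matches -> {len(findings)} findings")
    for f in findings:
        print(f["component"], f["id"], f["sources"], f["also_known_as"])
```

On the sample, five raw matches collapse to three findings: the requests issue reported by all three sources becomes one finding carrying its GHSA and OSV aliases, the openssl issue is matched by CPE alone, and the urllib3 advisory without a CVE alias keeps its GHSA id as the canonical one. The OSV advisory whose fixed version is below the installed one correctly produces no match.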

Triage and Documentation
Prioritise by risk. Document your decisions. Build your audit trail.
Not every vulnerability needs the same response. You prioritise findings using industry-standard scoring, then document your decisions in the format regulators expect. Threat Detective guides the workflow.
- CVSS severity scoring.
- Every vulnerability is scored using the Common Vulnerability Scoring System (CVSS). Critical, High, Medium, and Low severity ratings help you focus on the most important findings first.
- EPSS exploitability data.
- The Exploit Prediction Scoring System (EPSS) estimates the probability that a vulnerability will be exploited in the wild. A high-severity vulnerability with low exploitability may not need the same urgency as one actively being exploited.
- Exploitability decisions and compensating controls.
- For each finding, record whether it is exploitable in the context of your device, document any compensating controls, and provide your risk justification. This is the evidence FDA and EU reviewers expect to see.
- Bulk decisions across versions.
- If the same vulnerability affects multiple software versions, apply your decision once and it carries across all affected versions. No duplicating work across releases.
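The triage workflow in the four items above, as an added example (not Threat Detective's code): a priority ranking that combines the CVSS severity band with the EPSS probability, a "needs decision" queue, and one exploitability decision applied in bulk to every device version carrying the same CVE. The severity bands follow the CVSS v3.x qualitative scale; the 10 % EPSS threshold and the P1/P2/P3 tiers are assumptions chosen for illustration, and the findings and identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

EPSS_LIKELY = 0.10  # assumed threshold: EPSS >= 10 % counts as "likely to be exploited"


def cvss_band(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def priority(cvss: float, epss: float) -> str:
    """Assumed triage tiers combining severity with exploitation likelihood:
    P1 = Critical/High and likely exploited; P2 = Critical/High but unlikely, or Medium/Low
    but likely exploited; P3 = everything else."""
    severe = cvss_band(cvss) in ("Critical", "High")
    likely = epss >= EPSS_LIKELY
    if severe and likely:
        return "P1"
    if severe or likely:
        return "P2"
    return "P3"


@dataclass
class Finding:
    cve: str
    component: str
    device_version: str
    cvss: float
    epss: float
    decision: Optional[dict] = None  # filled in by record_decision


def sample_findings() -> list:
    """Constructed findings across two fielded firmware versions; identifiers are placeholders."""
    return [
        Finding("CVE-0000-0001", "pkg:pypi/requests@2.30.0", "3.1.0", 9.8, 0.02),
        Finding("CVE-0000-0001", "pkg:pypi/requests@2.30.0", "3.2.0", 9.8, 0.02),
        Finding("CVE-0000-0002", "cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*", "3.2.0", 7.5, 0.40),
        Finding("CVE-0000-0003", "pkg:pypi/urllib3@2.2.1", "3.2.0", 5.3, 0.001),
        Finding("CVE-0000-0004", "pkg:generic/zlib@1.2.11", "3.1.0", 4.0, 0.30),
        Finding("CVE-0000-0004", "pkg:generic/zlib@1.2.11", "3.2.0", 4.0, 0.30),
    ]


def needs_decision_queue(findings: list) -> list:
    """Undecided findings, highest priority tier first, then CVSS and EPSS descending."""
    tier = {"P1": 0, "P2": 1, "P3": 2}
    return sorted(
        (f for f in findings if f.decision is None),
        key=lambda f: (tier[priority(f.cvss, f.epss)], -f.cvss, -f.epss),
    )


def record_decision(findings: list, cve: str, exploitable: bool, justification: str,
                    compensating_controls: list, decided_by: str, decided_on: str) -> int:
    """Record one exploitability decision and apply it to every undecided finding for that CVE,
    whichever device version it was found in. Returns the number of findings updated."""
    decision = {
        "exploitable": exploitable,
        "justification": justification,
        "compensating_controls": list(compensating_controls),
        "decided_by": decided_by,
        "decided_on": decided_on,
    }
    updated = 0
    for f in findings:
        if f.cve == cve and f.decision is None:
            f.decision = decision
            updated += 1
    return updated


if __name__ == "__main__":
    findings = sample_findings()
    for f in needs_decision_queue(findings):
        print(priority(f.cvss, f.epss), f.cve, f.device_version, f.cvss, f.epss)
    n = record_decision(findings, "CVE-0000-0001", False,
                        "Vulnerable code path requires a network proxy; device has no proxy configured.",
                        ["Outbound traffic restricted to the device's update server"],
                        "security.lead@example.invalid", "2024-05-01")
    print(f"decision applied to {n} versions; {len(needs_decision_queue(findings))} findings still need a decision")
```

The queue puts the CVSS 7.5 finding with a 40 % EPSS score ahead of the CVSS 9.8 finding with 2 %, which is the distinction the EPSS item above describes. Recording the decision for CVE-0000-0001 once touches both firmware versions and removes both from the queue; the shared decision record is the audit-trail entry a reviewer would trace back from the report.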

Submission-Ready Reports
Generate the documentation regulators actually want to see.
No reformatting, no copy-pasting between tools. Your regulatory documentation is generated directly from your SBOM data and vulnerability assessments.
- FDA eSTAR cybersecurity sections.
- Generate the SBOM and vulnerability documentation sections required for FDA premarket cybersecurity submissions. Formatted for eSTAR, ready to include in your 510(k), De Novo, or PMA application.
- EU Notified Body summaries.
- Produce cybersecurity documentation aligned to EU MDR and IVDR requirements. Summary reports formatted for Notified Body review as part of your conformity assessment.
- QMS-ready reports.
- Export vulnerability assessments and SBOM summaries in formats that integrate with your quality management system. Evidence that auditors can trace from component to decision to report.
- Enriched SBOM export.
- Export your validated, enriched SBOM back to CycloneDX or SPDX format with vulnerability data, assessment status, and decision records included. Share a complete picture with regulators or customers.

Post-Market Monitoring
Your device is cleared. Keep it compliant.
New vulnerabilities are disclosed every week. Your SBOM is monitored continuously after clearance, surfacing new findings that affect your components. You maintain the documentation regulators expect throughout your device's market life, without the manual work.
- Continuous vulnerability monitoring.
- Your SBOM is scanned daily against all three vulnerability databases. When a new CVE is disclosed that affects one of your components, it appears in your Needs Decision queue automatically.
- Multi-version tracking.
- Track vulnerabilities across every software version deployed in the field. Your current release, previous versions still in clinics, and legacy builds each get their own monitored SBOM.
- Smart alerting.
- Daily alerts for Critical and High severity findings. Weekly summary for everything else. No constant noise, just the findings that need your attention for regulatory compliance.
- Annual review tracking.
- Regulators expect you to review your vulnerability decisions annually. Threat Detective tracks when each assessment is due for review and alerts you before it lapses.

How Threat Detective compares.
Most medical device teams manage SBOM documentation using spreadsheets, consultants, or enterprise security platforms not designed for regulatory submissions. Here is how Threat Detective is different.
vs. Spreadsheets
Spreadsheets can store vulnerability data, but they cannot scan databases automatically, validate SBOM formats, generate eSTAR sections, or track changes over time. Every new CVE disclosure means manual lookup and manual entry. Threat Detective does the scanning, matching, and documentation automatically.
vs. Consultants
A cybersecurity consultant produces a point-in-time report for a single submission. When a new vulnerability is disclosed the next week, that report is already out of date. Threat Detective gives you ongoing access: continuous monitoring, current documentation, and an audit trail that stays up to date between submissions.
vs. Enterprise Security Platforms
Enterprise vulnerability scanners like Snyk or Mend are built for software development teams, not regulatory submissions. They scan code repositories but do not produce eSTAR documentation, track exploitability decisions, or generate the evidence format that FDA and EU reviewers require. Threat Detective is purpose-built for this workflow.
See it for yourself.
Upload your SBOM and see what Threat Detective finds. 14 days free, no credit card required.