Compliance infrastructure for the post-quantum era

The CBOM platform,
white-labeled.

QorBOM gives audit firms, MSSPs, and consultancies a turnkey CBOM scanner under their own brand. CycloneDX 1.6 + SPDX 3.0 output. Signed by QorTrace's methodology. EU CRA-ready. Your logo on every report.

Limited early-access cohort · Apply before Q3 2026 launch · No payment yet

CBOM · cyclonedx-1.6.json
SIGNED · v0.1
  • KyberML-KEM
    QUANTUM-SAFE
  • DilithiumML-DSA
    QUANTUM-SAFE
  • SHA-256Hash
    ACCEPTABLE
  • AES-256AEAD
    ACCEPTABLE
  • RSA-2048PKI
    VULNERABLE
  • ECDSASigning
    VULNERABLE
Sample BOM · scan completes in <5s
The platform

Three pieces. Built so you ship a CBOM offering this quarter, not next year.

CBOM API

One endpoint. Paste a GitHub repo or upload a tarball. Get back a signed CycloneDX 1.6 BOM with every cryptographic primitive mapped to its post-quantum readiness. Audit-grade, regulator-defensible.

White-label dashboards

Drop in your logo, primary color, and disclaimer text. Every report your client sees carries your branding — not ours. Procurement loves it; you keep margin.

Reseller revenue share

Sell at your hourly rate; we run the scans behind the scenes. Transparent per-scan platform pricing means your blended margin is predictable. No annual minimums for the first 25 partners.

Regulatory tailwind

The EU Cyber Resilience Act (CRA) makes CBOMs a binding requirement by 2027. US Executive Orders 14028 and 14306 push the same direction. NIST FIPS 203 / 204 / 205 are now binding for federal contractors. Your enterprise clients are going to ask you for this — be ready before they do.

Standards · Regulations · Methodology

Aligned with every standard your clients will ask you about.

QorBOM is built on top of QorTrace's methodology — the same one used to ship Threat Radar, Atlas, and audit engagements for treasuries, custodians, and exchanges. Every output we emit is regulator-defensible, peer-review-ready, and traceable to a public methodology pin.

Specifications
  • CycloneDX 1.6
    OWASP standard · native cryptographic-asset components
  • SPDX 3.0.1
    Linux Foundation · security_CryptographicAsset profile
  • Package URL (purl) spec
    Universal component identification across ecosystems
  • OpenAPI 3.1
    Industry-standard partner API schema
Cryptographic standards
  • NIST FIPS 203 (ML-KEM)
    Key encapsulation, binding for federal contractors
  • NIST FIPS 204 (ML-DSA)
    Digital signatures, binding for federal contractors
  • NIST FIPS 205 (SLH-DSA)
    Stateless hash-based signatures
  • NSA CNSA 2.0
    2030 / 2035 deadlines for PQC migration
  • NIST SP 800-218 / 218A
    Secure SDF + PQC profile alignment
Regulatory frameworks
  • EU Cyber Resilience Act (CRA)
    Article 13 CBOM mandate · 2027
  • EU DORA
    Article 24 TLPT · cryptographic mapping
  • EU NIS2
    Cybersecurity risk-management for essential entities
  • EO 14028 & 14306
    US federal cybersecurity + crypto agility
  • FedRAMP rev 5
    Cryptographic inventory narrative in SSPs
  • CMMC 2.0
    DIB contractor crypto attestation
Standards bodies
  • NIST
    Post-quantum cryptography project alignment
  • ENISA
    Aligned with June 2024 PQC migration guidance
  • OWASP
    CycloneDX cryptographic-asset working group
  • OASIS
    STIX/TAXII threat-intel format compatibility
QorTrace methodology pin
qortrace-cbom-method-v0.1

Every BOM emitted carries this immutable methodology version + a SHA-256 over the canonical-sorted JSON. Reproducible by your peer-review process. Versioned via the QorTrace public methodology log so changes are publicly visible — auditors can cite the exact methodology used on the date of any historical scan.

Audit-defensible by design

Outputs map 1:1 to the evidence formats regulators and procurement teams already accept. No translation layer needed for your workpapers.

Privacy-respecting

We don't store client repository contents beyond the scan window. Source code is fetched, scanned in-memory, and discarded. Only the BOM persists.

Vendor-neutral

No proprietary BOM format, no lock-in. CycloneDX + SPDX are open standards — your clients can switch tooling tomorrow if they want to.

Standards · Regulations · Bodies

The badges your procurement team will recognize.

Each badge maps to a verifiable spec, citation, or audit trail. Hover for the full scope; the color band on each badge indicates whether QorBOM™ has implemented it, is aligned with it, or has an active roadmap commitment.

Partner pricing

Predictable margins. No annual minimums for early cohort.

For partners only. End-customer pricing at qortrace.com.
Platform
$999/mo
  • Up to 5 seats on the partner portal
  • Unlimited downstream client tenants
  • Standard SLA + email support
Per-scan
$50/scan
  • CycloneDX 1.6 + SPDX 3.0 output
  • Signed by QorTrace methodology
  • No volume commitment
White-label
$5,000/yr add-on
  • Your logo on every PDF + dashboard
  • Custom subdomain (yourpractice.qorbom.app)
  • Hide QorBOM™ chrome entirely
Apply

Join the early-access partner cohort.

Tell us about your firm. We'll reach out within two business days with onboarding details and a sandbox API key. No payment is collected before the platform launches.

By submitting, you agree we may email you about your application. See Privacy.

GET STARTED IN 60s
Need to scope a PQC audit, scan a wallet, or pick a tier? I'll walk you through it in under a minute — with sources.