Manifest, an early stage startup building technology to help businesses generate, collect, and operationalize software bill of materials (SBOMs), has banked $6 million in venture capital funding as investors race to find value in software supply chain security companies.
The $6 million seed round was led by First Round Capital and closes alongside news that Manifest secured two new contracts from the U.S. government to help federal agencies and the military understand what’s in the software that they use.
“Enterprises can no longer afford to blindly build and consume software without tracking what’s inside,” Manifest said. “[We help] enterprises automatically monitor their SBOMs, so they can quickly identify any exposure to vulnerabilities and alert customers before they even know there’s an issue. This allows enterprises to put remediation strategies in place within a matter of hours or days — not weeks or months, as we saw with organizations scrambling in the wake of Log4Shell.”
Manifest, created by entrepreneurs with prior experience at the Pentagon and Palantir, is banking on the growing importance of mandatory SBOMs to provide nested lists of components in modern software products.
The U.S. government has issued mandates describing SBOMs as a critical part of federal cybersecurity policy, forcing CISOs and security leaders to look for SBOM management capabilities.
According to Manifest, tools have emerged to help developers generate SBOMs but there’s almost nothing to help security professionals consume SBOMs. And without a method of consumption, SBOMs remain uncontextualized bits of JSON files stored on desktops and in Google Drive folders.
The company said its platform is capable of automatically generating SBOMs without developer intervention from an organization’s CI/CD pipeline, and securely share SBOMs between vendors and customers with AskBOM, an automated SBOM solicitation tool.
The Manifest platform also promises tools to ingest SBOMs in any format (CycloneDX or SPDX) or file type. The company also promises vulnerability and exploitability assessment capabilities to match known components from vulnerability databases, and enrich that data with exploitability information from EPSS and CISA’s KEV (known exploited vulnerabilities) list..
Related: CISO Forum Panel: Navigating SBOMs and Supply Chain Security Transparency
Related: Cybersecurity Leaders Scramble to Decipher SBOM Mandate
