SOOS

SOOS develops application security posture management software for DevSecOps and engineering teams. Its platform helps organizations find, fix, and prevent vulnerabilities and open-source license issues across source code, web apps and APIs, containers, and software bills of materials. The offering is built around patented deep-tree dependency analysis, continuous scanning, and a unified dashboard that brings multiple application security workflows together.

SOOS focuses on making software supply chain security practical inside day-to-day development work. Its capabilities span automated software inventory, license governance, remediation guidance, attestations, and workflow automation that fit into CI/CD and issue management processes. SOOS is positioned for growing teams that want simpler AppSec operations, while also supporting organizations that need stronger SBOM management, compliance evidence, and cross-team visibility.

Offerings, Capabilities, and Integrations

SOOS provides a unified ASPM environment that centralizes findings, prioritization, policy enforcement, and remediation workflows across multiple scan types. Its platform is designed to reduce manual security toil by automating scans, surfacing actionable fix paths, maintaining historical evidence, and supporting attestations and reporting from a single operational view.

The platform supports both native analysis and the ingestion of results from external tools, which helps customers consolidate AppSec work without replacing every existing control. SOOS integrates with common developer and security workflows through CI/CD connections, issue management systems, GitHub-based workflows, OpenID Connect single sign-on, and external platforms such as Vanta. It also supports role-aware visibility for engineering, security, legal, and compliance stakeholders.

Products and Services

  • SOOS Core: SOOS Core is the company’s primary commercial ASPM offering, combining patented SCA with a unified dashboard, CI/CD integrations, issue management, governance, inventory search, and support for add-on modules such as DAST, SBOM Manager, Containers, and SAST.
  • SCA: SCA is SOOS’s patented software composition analysis product for identifying open-source vulnerabilities, license issues, typosquatting risks, and dependency problems deep in the dependency tree, with suggested fixes and policy-based prioritization.
  • DAST: DAST provides dynamic testing for web applications and APIs, including OpenAPI, SOAP, and GraphQL use cases, and supports CI/CD-driven scanning, issue tracking, and unified reporting alongside other SOOS findings.
  • SBOM Manager: SBOM Manager lets teams generate, ingest, validate, monitor, and export first- and third-party SBOMs, maintain historical records, and manage attestations and VEX-style evidence for compliance workflows.
  • Containers: Containers extends SOOS’s deep dependency analysis to container security by scanning images and related software components for vulnerabilities, license issues, and governance concerns before and after deployment.
  • SAST: SAST adds static analysis into the SOOS workflow, allowing teams to run supported engines or ingest SARIF and SonarQube results, track SLAs, manage tickets, and review code findings in the same dashboards as other scan types.
  • SOOS SBOM API: SOOS SBOM API gives customers programmatic access to the company’s large repository of generated open-source SBOMs and related dependency, vulnerability, and license intelligence for software inventory use cases.
  • Community Edition: Community Edition is SOOS’s free SCA offering for maintainers, providing core SCA capabilities, SBOM management, and GitHub integration for open-source projects.
  • SOOS Plus: SOOS Plus is a more customizable package for organizations that need expanded SBOM monitoring, multi-organization support, tenant-wide search, API access, global configuration controls, and custom SSO options.

Target Customers

SOOS targets DevSecOps, engineering, and application security teams that need to identify and remediate software supply chain risk without slowing release cycles. Its platform is built for organizations that develop software internally, rely heavily on open-source components, and need tighter control over vulnerabilities, licenses, and software inventory.

The company also aligns with cross-functional buyers that include security leaders, legal teams, and compliance stakeholders who need a shared view of posture and evidence. SOOS has clear relevance for software development shops, regulated product teams, medical device organizations with SBOM and submission requirements, and managed security or compliance providers that want to embed AppSec and SBOM workflows into client services.

Cloud Integrations and Marketplace

  • Azure Marketplace: SOOS Core is listed in Azure Marketplace, giving Microsoft-focused buyers a marketplace procurement path for the platform.
  • Azure DevOps: SOOS integrates with Azure DevOps across SCA, DAST, SBOM Manager, Containers, and SAST workflows, including pipeline-oriented scanning and issue management support.
  • AWS CodeBuild: SOOS supports AWS CodeBuild as a CI/CD integration option for scan execution within AWS-based development pipelines.

Key People

  • Dave Ostrosky: Chief Executive Officer
  • Rich Tarrant: Chairman
  • Josh Jennings: Founder / Chief Engineering Officer
  • Eric Allard: Chief Technology Officer
  • Jerry Tarrant: Chief Financial Officer
  • Courtney Griesser: Vice President, Corporate Operations
  • Emily Peden: Program Manager
  • Greg Steen: Software Architect

Key Facts

  • Headquarters: Winooski, Vermont, United States
  • Employees: 11-50
  • Annual Revenue: Undisclosed
  • Parent Company: None
  • Subsidiaries: None
  • Publicly Listed: Privately held

Analyst Recognitions

  • IDC: 2025 IDC MarketScape: Worldwide Application Security Posture Management Vendor Assessment — Major Player.