What’s New in CBOM Secure V1.1 

Every cryptographic inventory is only as good as the places it can reach. A platform that sees your cloud KMS but not your source code, or your certificates but not the hosts they live on, leaves exactly the gaps that audits and quantum migrations expose. Most enterprises have no clear inventory of their cryptography at all. The whole point of a Cryptography Bill of Materials is that it is complete.

That completeness is the idea CBOM Secure is built on. It discovers, inventories, and continuously monitors every encryption key, certificate, algorithm, and cryptographic library across application source code, cloud, and on-premises infrastructure, then scores each asset for compliance risk and quantum exposure from a single deployment. What makes the picture trustworthy is how the platform models what it finds: as a relationship graph that links certificates to their private keys and traces how secrets are consumed across services, rather than treating each asset as an isolated entry in a list.

V1.1 is a release about extending that reach. It widens where the platform can discover cryptography, sharpens how teams explore and organize what it finds, and hardens the platform underneath so it deploys cleanly into production. Here is everything that is new.

Most cryptographic inventories stop at certificates and network endpoints. The risk that matters often lives deeper: in source code, and in the relationships between keys, certificates, and the services that consume them.
Puneet Singh, Principal, Encryption Consulting LLC

The Cost of Cryptographic Blind Spots

The stakes are concrete. A single expired certificate can take a service down at a cost north of $300,000 an hour, and the manual audits teams still rely on can swallow four to eight weeks every cycle. The quantum clock is tightening too: a recent federal executive order pulled the civilian agency migration deadline forward from 2035 to as early as 2030 for key establishment and 2031 for digital signatures. Most tooling on the market still looks at certificates or network services in isolation, which leaves teams stitching together three or more products to see one estate. CBOM Secure is designed to replace that patchwork with a single inventory.

Reaching More of Your Estate: New Discovery Sources

The headline of this release is reach. Two new discovery paths bring large parts of the enterprise into the CBOM that were previously hard to inventory.

CrowdStrike Falcon integration

CBOM Secure now connects directly to CrowdStrike Falcon to import host inventory. Hosts found through Falcon are synchronized automatically into the CBOM host registry and deduplicated, so teams already running CrowdStrike gain visibility into the cryptographic assets on those hosts without standing up a separate discovery deployment. The integration ships with three supporting features: a deduplication review panel to merge or separate duplicate host entries, filtering by source so that hosts brought in through CrowdStrike are easy to distinguish, and bulk host selection with pagination for large sync operations. Scans can be deployed to a client’s target host using CrowdStrike’s RTR (Real Time Response) protocol, which means discovery can run through the tooling you have already deployed.

AWS cloud discovery

The CBOM Discovery Manager now scans AWS cloud environments, depositing results straight into the asset inventory alongside existing support for Azure, GCP, HashiCorp Vault, HSMs, and on-premises infrastructure. New JWT token logic secures collector-to-cloud communication, and AWS results are validated into the platform’s CMDocs and CMDeposit collections. The cloud scan logic has been hardened to handle edge cases and empty result sets cleanly, so a quiet account does not produce a noisy result.

Discovery sensor documentation and setup scripts

To make all of that deployable, V1.1 adds detailed documentation for Discovery Manager and sensor deployment, plus automated setup scripts for provisioning discovery and build servers. The material covers remote sensor deployment, builds across platforms, and sensor configuration on GCP, Azure, and AWS.

Exploring and Organizing What You Find

Discovering cryptography is the first step. V1.1 also makes the inventory easier to navigate and to slice.

Source Code Visualizer

A new interactive Source Code Visualizer gives teams a graphical map of cryptographic API usage and library dependencies across application code. It surfaces deprecated algorithms, hardcoded secrets, and embedded credentials before code ships, and catching those issues that early makes remediation roughly 100 times cheaper than fixing them after an incident. Instead of reading findings as a flat list, you can see how the pieces of an application relate. The component shipped with security hardening and a set of usability improvements aimed at readability and navigation.

Cryptographic Material tagging

Cryptographic Material (CM) documents and deposits now support custom tags. Tags can be applied, updated, and queried through dedicated Tag APIs, with validation enforced on the MongoDB side for both CMDeposit and CMDocs records. The practical payoff is filtering and grouping: you can organize cryptographic assets by whatever scheme fits how your team works, then slice the inventory by tag.

Post-quantum cryptography multi-chart

The dashboard gains a new PQC chart that visualizes how quantum-relevant algorithms are distributed across your discovered assets. It supports filtering by algorithm family and by risk category, giving migration planners a clearer read on where vulnerable cryptography is concentrated and how a transition is progressing.

New on the Platform

Three additions round out the release across assistance, documentation, and deployment.

AI Service module

V1.1 introduces a new AI Service module that brings Retrieval Augmented Generation (RAG) to the platform, letting teams query CBOM documentation and major compliance sources, including NIST, FIPS, PCI, and RFC standards, in natural language. It includes a document ingestion pipeline, an LLM query interface, and a chat UI. Importantly for security-conscious environments, it can download and index documentation for fully offline assistance, so the model works inside air-gapped and restricted networks without reaching outside your perimeter. Where your environment allows it, the module can optionally be configured to pull additional information from the internet. The result is a way to interrogate dense compliance material and your own cryptographic posture without leaving the platform.

MCP-powered AI capabilities

The AI Service module is the first step in a larger direction. By embedding the Model Context Protocol (MCP) into CBOM Secure, the platform converts its cryptographic inventory, including discovered crypto materials, policy configurations, sensor data, and analytic rules, into a structured context that AI models can reason over in real time. That foundation lays the groundwork for capabilities such as natural-language querying of the CBOM, AI-assisted remediation recommendations, and automated anomaly detection across clouds and on-premises sensors. MCP also surfaces these discovery insights instantly in the React dashboard, which serves both security engineers and auditors, and moves the platform from passive inventory toward active cryptographic risk management.

Comprehensive in-app documentation

Full documentation is now built into the CBOM web interface, covering the Dashboard, Keys, Certificates, Cipher Suites, Analysis, Reports, AI Services, User Management, Policy Management, and System Configuration. Internal linking and routing were fixed so navigation between sections is seamless, which means answers live next to the screens they describe.

Docker production deployment with Nginx

All CBOM services are now containerized and deployable via Docker Compose, with Nginx acting as a reverse proxy in front of the microservices, and the result runs equally well in cloud, on-premises, and air-gapped environments. A seed data image populates MongoDB indexes and initial configuration on first boot, dedicated Docker entry points streamline container startup for each service, and the frontend Vite build is folded into the Docker pipeline. The path from zero to a running production deployment is far more repeatable.

What This Means in Practice

The throughline of V1.1 is coverage you can act on. CrowdStrike and AWS discovery pull more of the real environment into the CBOM; tagging and the Source Code Visualizer make a larger inventory navigable; the PQC chart turns discovery into migration insight; and the Docker, documentation, and AI additions make the platform easier to stand up and operate.

That coverage turns into outcomes teams can measure. Risk scoring from 0 to 100 flags weak algorithms, expiring certificates, short validity windows, self-signed certificates, key reuse, and insecure cipher configurations, so analysts know what to fix without sorting through everything by hand. Because the inventory stays current, compliance audits that once meant manual reconstruction take 70 to 80 percent less time, with every change captured in a tamper-evident trail that produces defensible evidence for regulators on demand. And when a certificate authority is compromised, or an algorithm is publicly broken, the work of identifying the blast radius drops from days or weeks to minutes, which is how organizations typically cut certificate-related incidents by more than 90 percent in their first 90 days.

CBOM Secure is built for the quantum transition, tracking exposure to vulnerable algorithms and the adoption of quantum-safe alternatives across the full environment. Findings export in the open CycloneDX format so they interoperate with SBOM, GRC, and supply chain tooling, and you are never locked into a single vendor. One deployment can serve multiple business units across a large enterprise.

To see V1.1 in your environment, request a demo or reach out to [email protected]