Launch of NetRise Provenance Reveals Who and What Are Behind Open Source, And How Risk Propagates Through the Supply Chain

Intelligence from millions of packages in thousands of repositories identifies contributors and maintainers who add risk, enabling better decision making among software developers and third-party risk teams.

AUSTIN, Texas, March 24, 2026 – NetRise^Ⓡ, the software supply chain security company that exists to eliminate blind trust in software, today announced the launch of NetRise Provenance, a new product that identifies risk associated with contributors to the open source components inside enterprise software and connected devices, and how far the risk associated with bad actors reaches across portfolios. Provenance adds a layer of trust and intelligence to the NetRise Platform, a deeper look into the Software Bill of Materials (SBOM).

For organizations that buy and operate software, NetRise Provenance adds a level of visibility into risk in the software supply chain that previously was opaque to procurement and third-party risk teams. Those teams now can see a variety of project health signals, including advisory relationships and how compromises propagate through dependency graphs, defining a blast radius from a malicious contributor.

For organizations that build and ship software, NetRise Provenance enables developers and product security teams to set policies to govern selection of open-source projects, automatically failing a build when dependencies cross a risk line.

“Virtually every major software supply chain story in recent years has been a trust problem as much as a vulnerability problem,” said Thomas Pace, co-founder and CEO of NetRise. “Bad actors gain the confidence of a community, become maintainers, misrepresent who is behind a project, and then push malicious code into widely-used packages. Enterprises then scramble to discover their exposure: When a compromised maintainer or project lives inside the software that runs critical operations across their business. NetRise Provenance replaces that guesswork with a clear view of the extent to which that contributor’s code reaches.”

NetRise Provenance is delivered as part of the NetRise Platform and through a developer friendly API, a command line interface (CLI), or github action. Key capabilities include:

• Unified with NetRise’s binary system of intelligence
  Overlay trust and provenance data on top of NetRise’s binary verified software asset inventory so buyers can connect who is behind a component with where it actually runs, how exploitable it is, and which products and devices need to be prioritized.
• Maintainer and organization attribution
  Map open source components to real maintainers and organizations, including country or local level footprint, so teams can apply internal policy, regulatory requirements, and ensure OFAC compliance requirements are met.
• Policy engine
  Feed SBOMs or container images into NetRise Provenance to enrich each package with advisories, contributor risk signals, and repository metadata. Apply simple policies that define what is unacceptable. Pass or fail exit codes let CI systems stop builds automatically when a dependency violates those rules, while reporting templates inform third-party risk and compliance teams.
• Blast radius and dependency analysis
  Use dependency and reverse dependency views to see where a maintainer, project, or repository appears across products, services, and vendors, so teams can scope incidents, sanctions, and policy changes in minutes and communicate to executives and regulators real impact.
• Trust and hygiene indicators
  Combine repository metadata, project policies, update cadence, advisory history, and other security practice indicators into an “at a glance” view that highlights projects with unusual behavior, making it easier to separate risky from healthy dependencies.

“Software supply chain compromises are beginning to follow a disturbing pattern, “said Michael Scott, co-founder and CTO of NetRise. “A bad actor gains trust in one project, and their code silently spreads across thousands of dependency chains. The hard problem isn't finding the compromise - it's answering 'where else does this person's code end up and ultimately run in my environment?' in minutes instead of weeks. We built Provenance to make that query instant. Starting from an SBOM, filesystem, or container image, we map every package back to its maintainers, their organizations, their locations, and their advisory history, including for binaries - then let teams set policy against it. The XZ Utils compromise was caught by accident. Provenance makes it where you no longer rely on luck.”

“Software supply chains increasingly depend on open source, which raises the importance of understanding not only what is in an application, but also who maintains it and how maintainer risk is concentrated across projects,” said Katie Norton, Research Manager, DevSecOps and Software Supply Chain Security at IDC. “Contributor, organization, and geographic context layered onto dependency and SBOM data helps security and risk teams make clearer deployment decisions, respond faster to emerging threats, and target remediation toward the most exposed dependencies.”

“NetRise started by revealing all components inside compiled software,” added Pace. “With Provenance, we are now giving builders and buyers a unified view of who is inside that software and how trust is concentrated in specific contributors and projects. This additional visibility allows teams to make proactive decisions that enhance the risk posture for product security teams, and increase resilience for third-party risk teams. This launch marks another milestone in NetRise’s journey to a software trust platform that connects code, people, and policy in one place.”

NetRise Provenance is available as part of the NetRise Platform for enterprises, software and device makers, consultancies, and public sector organizations, and via API and CLI for developers who want to bring software trust decisions closer to where code is assembled.

Resources

• Meet NetRise: Request a meeting with our team in San Francisco for the RSA Conference 2026 from 3/24 - 3/26.
• Schedule a Demo: To learn more about the value that a software asset inventory brings to global enterprises and device manufacturers alike, see a demo of NetRise Provenance.
• To attend our RSAC 2026 events, please visit: https://www.netrise.io/company/events/netrise-at-rsac-2026
• For more information about NetRise Provenance, visit: https://www.netrise.io/products/provenance.

For more information or to request a demonstration, visit netrise.io or contact info@netrise.io.

About NetRise

NetRise is the software supply chain security company that exists to eliminate blind trust in software forever. By identifying every component in each binary image across firmware, kernels, operating systems, containers, and applications, NetRise exposes the full stack of inherited risk that source-based tools, vendor SBOMs, and questionnaires cannot see. Non-code related risk uncovered includes hidden dependencies, cryptographic artifacts, misconfigurations, secrets, among others. Global enterprises that produce and consume software, including government agencies, rely on NetRise to validate what they ship and what they run. When unforeseen software vulnerabilities are exploited by bad actors, NetRise answers the question, “where am I exposed?” enabling rapid identification, prioritization, mitigation, and policy updates, reducing material risk to the business.

Media Contact:

Danielle Ostrovsky
Hi-Touch PR
Ostrovsky@Hi-TouchPR.com