
Don’t ask if a package is bad.
Ask if it breaks your business logic.

Reachability-and-contract aware supply chain security. CYBRET connects the exact call sites in your code to the invariants your business commits to, and only alerts when a dependency can actually violate them.

Same repo. Different question.
TRADITIONAL SCA
340
CVE alerts. Every Monday morning. Each one scored in isolation, none tied to whether your code actually reaches them.
is this package bad?
→ score in isolation
→ queue for triage

CYBRET DEPENDENCY LOGIC
4
Reachable, contract-crossing exposures. Each one with an exact call path and the business invariant it would break.
does this dep, in the way our code uses it,
violate a contract we committed to?
→ yes. show the path.
What it detects

Four classes of dependency risk, one reasoning layer.

The code property graph knows every call site. The behavioral contract layer knows what must hold. Precondition synthesis connects the two.

CLASS 01
Reachable & contract-crossing CVEs
The difference between a Monday-morning alert dump and a Sev-1 with a blast radius diagram.
CVE-2024-XXXX affects _.merge
  called on authz/role-resolver.ts:847
  inside contract payment.authz.role_check
  route /payments/*
  exploit path reachable
  • 01 Exact call-site precision, not package-level coverage
  • 02 Contract-crossing filter collapses 340 alerts into handfuls
  • 03 Blast-radius diagram attached to every finding
CLASS 02
Semantic drift on updates
A patch bump Dependabot auto-merged silently changed a return shape. The contract doesn't care about version numbers; it cares about invariants.
lodash 4.17.20 → 4.17.21
  _.get return shape changed under prototype-pollution fix
  auth check in role-resolver.ts:847 relied on the prior shape
  regression against payment.authz.role_check
  • 01 Differential precondition synthesis on every dep upgrade
  • 02 Flags semantic regressions, not version deltas
  • 03 Gates PRs before the auto-merge lands
CLASS 03
Transitive logic exposure
The xz model. You have 847 transitive deps. Twelve of them have call paths into your payment contract. You’ve never heard of eight.
direct: jsonwebtoken@9.0.2
  → transitive: jws@4.0.0
  → transitive: safe-buffer@5.2.1
  path reaches payment.authz.role_check
  rank: CRITICAL (contract-weighted)
  • 01 Guard-aware BFS across the full dep tree
  • 02 Ranked by contract criticality, not popularity
  • 03 The AppSec-lead question five years in the making
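The traversal this class describes, as an added illustration (not CYBRET's code): a guard-aware BFS from a service's direct dependencies through transitive ones, keeping only paths that land on a node wired into a business contract and ranking them by contract weight. The graph, the guard model (an edge is live only if its runtime flag is enabled), the contract weights and the rank thresholds are all constructed for the example.

```python
"""Contract-weighted, guard-aware reachability over a dependency tree."""
from collections import deque

# Constructed dependency/call graph: node -> list of (target, guard).
# A guard names a runtime flag that must be enabled for the edge to be
# taken; None means unconditional. Assumed model, not CYBRET's.
GRAPH = {
    "app": [("jsonwebtoken@9.0.2", None), ("lodash@4.17.21", None),
            ("ua-parser-js@0.7.29", "feature.analytics")],
    "jsonwebtoken@9.0.2": [("jws@4.0.0", None)],
    "jws@4.0.0": [("safe-buffer@5.2.1", None)],
    "safe-buffer@5.2.1": [("payment.authz.role_check", None)],
    "lodash@4.17.21": [],
    "ua-parser-js@0.7.29": [("checkout.price_integrity", None)],
}

# Constructed contract weights used for ranking (higher = more critical).
CONTRACTS = {"payment.authz.role_check": 10, "checkout.price_integrity": 7}


def reachable_contract_paths(graph, contracts, root, enabled_flags):
    """BFS from root; skip guarded edges whose flag is off.

    Returns [(weight, contract, path)] sorted by weight descending, so the
    top entry is the transitive exposure into the most critical contract.
    """
    queue = deque([(root, [root])])
    seen = {root}
    hits = []
    while queue:
        node, path = queue.popleft()
        for target, guard in graph.get(node, []):
            if guard is not None and guard not in enabled_flags:
                continue  # edge is dead under this configuration
            if target in contracts:
                hits.append((contracts[target], target, path + [target]))
                continue  # contracts are sinks, not traversed further
            if target not in seen:
                seen.add(target)
                queue.append((target, path + [target]))
    hits.sort(key=lambda h: (-h[0], h[1]))
    return hits


def rank_label(weight):
    """Map a contract weight to the CRITICAL/HIGH/LOW bucket (assumed cut-offs)."""
    return "CRITICAL" if weight >= 9 else "HIGH" if weight >= 6 else "LOW"


if __name__ == "__main__":
    for w, c, p in reachable_contract_paths(GRAPH, CONTRACTS, "app", set()):
        print(rank_label(w), c, " -> ".join(p))
```

With no flags enabled only the jsonwebtoken → jws → safe-buffer path is reported; enabling feature.analytics makes the ua-parser-js path into checkout.price_integrity live as well.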
CLASS 04
Trust graph violations
The organizational layer no incumbent has. Who vouched for this dep, when, and is that signature still valid?
ua-parser-js@0.7.29
  last internal review: 22 months ago (Jira SEC-412)
  upstream maintainer changed 6 days ago
  reaches contract checkout.price_integrity
  flag: stale-trust + maintainer-change
  • 01 Ties PR reviewers, Slack approvals, Jira, Confluence ADRs to deps
  • 02 Re-evaluates trust on maintainer or ownership change
  • 03 Catches supply-chain attacks in the signal window, not after the blog post
The moat

Three layers nobody else has assembled.

The industry has converged on “score the package” because the question is commoditized. CYBRET asks a structurally different question, and answering it requires all three of these to be wired into the same graph.

01
Code Property Graph
Exact call sites and data flow into every dependency. Import edges, CALLS_INTO edges, symbol-level resolution.
02
Behavioral Contract layer
Invariants the business commits to, extracted from RBAC specs, Confluence ADRs, PR reviews, Jira security tickets.
03
Reasoning layer
Precondition synthesis plus coloured Petri net reachability. Guard-aware traversal across code and dep tree.
The demo

Five minutes. Four scenes. A narrative incumbents can’t tell.

Run on a realistic e-commerce repo. Side-by-side with whatever SCA the buyer currently runs. The scoreboard tells the story.

SCENE 01
Scanner noise
Competing SCA on a real repo. 340 alerts. The AppSec lead in the room groans audibly.
SCENE 02
Contract-filtered signal
CYBRET on the same repo. Four alerts. Each with a call path into a contract and the invariant it breaks.
SCENE 03
Autonomous remediation
L2 opens a PR with the pinned version and a regression test generated from the CPG diff. Compounding knowledge.
SCENE 04
The kill shot
A silent transitive bump lands. CYBRET flags it instantly. Competitors don’t. This is the xz attack, months before it shipped.
Competitive diff

Honest on coverage. Sharp on the delta.

Snyk · GitHub Advanced Security
Broad CVE data, mature ecosystem coverage.
Precision and contract awareness. Complement year one, displace year two.
Socket
Great static analysis of packages themselves.
Different question: they analyze the package, we analyze the usage. Partner-compatible.
Endor Labs
Reachability analysis with solid marketing.
Code reachability vs contract reachability. Same graph, a layer they don’t have.
Chainguard
Hardened base images, build-time supply chain.
Different category. Complementary, not competitive.
Dependabot · Renovate
Dumb bumpers.
Autonomous remediation with contract-aware regression tests. Strawman at best.

SCA is dead.
Dependency Logic is what comes next.

Point CYBRET at one repo. See your 340 alerts collapse to the handful that actually matter, with the call path and contract attached.