Cryptographic Bill of Materials (CBOM)

Preparing Software for the Post-Quantum Era

CBOM is an advanced verification and code testing service designed to identify, catalogue, and assess all cryptographic assets used within software source code and its dependencies, including algorithms, certificates, keys, protocols, libraries, and cryptographic implementations. 

Using reachability analysis and dependency mapping, the CBOM provides visibility into cryptographic risks that are both direct and hidden in transitive dependencies across modern software supply chains.

Why CBOM Matters

Governments and standards bodies worldwide are now transitioning towards post-quantum cryptography, with migration already underway and published timelines setting deprecation and phase-out milestones between 2028 and 2035.

Many software applications, including software escrow deposits created today, still rely on public-key algorithms such as RSA and ECC that are expected to become breakable once sufficiently large quantum computers exist, putting the services and data that depend on them at risk.

This creates a long-term security and continuity challenge for businesses dependent on third-party software. 

The CBOM provides visibility into those risks today, enabling organisations to understand and plan their future migration requirements.

CBOM Deliverables

The Escrow Company’s CBOM assessment produces three core deliverables: 

Detailed Technical Results 

Delivered in CycloneDX 1.6 format (JSON or XML) with full file paths, line references and cryptographic call-graph context for each finding.

Human-Readable Excel Report 

Designed for technical and operational review teams. 

Executive Summary Report 

A high-level summary for both the Depositor and Beneficiary outlining: 

  • Quantum risk level  
  • Key findings  
  • Cryptographic exposure areas  
  • Recommended next steps  
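To show what a practitioner can do with the CycloneDX 1.6 technical results, the example below (added here; it is not The Escrow Company's tooling or output) loads a small CBOM, classifies each cryptographic asset by quantum exposure, walks the dependency graph to see which applications actually reach each asset, and derives a headline quantum risk level of the kind the executive summary reports. The sample CBOM, its component names, file paths and line numbers are constructed; the field names (`cryptographic-asset`, `cryptoProperties.algorithmProperties`, `evidence.occurrences`, `dependencies`) follow the CycloneDX 1.6 schema.

```python
# Added example, not The Escrow Company's code. Triage a CycloneDX 1.6 CBOM for quantum-vulnerable crypto.
# The sample CBOM below is constructed: every path, line number and component name is invented.
import json
from collections import deque

SAMPLE_CBOM = json.loads(r"""{"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
 "components": [
  {"type": "application", "name": "billing-api", "bom-ref": "app:billing-api"},
  {"type": "library", "name": "pyjwt", "version": "2.8.0", "bom-ref": "lib:pyjwt"},
  {"type": "cryptographic-asset", "name": "RSA-2048", "bom-ref": "alg:rsa-2048",
   "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {"primitive": "signature",
     "parameterSetIdentifier": "2048", "cryptoFunctions": ["sign", "verify"], "nistQuantumSecurityLevel": 0}},
   "evidence": {"occurrences": [{"location": "src/auth/tokens.py", "line": 41, "symbol": "jwt.encode"}]}},
  {"type": "cryptographic-asset", "name": "ECDH-P256", "bom-ref": "alg:ecdh-p256",
   "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {"primitive": "key-agree",
     "curve": "secp256r1", "cryptoFunctions": ["keygen", "keyderive"], "nistQuantumSecurityLevel": 0}},
   "evidence": {"occurrences": [{"location": "vendor/tlslib/handshake.c", "line": 212}]}},
  {"type": "cryptographic-asset", "name": "AES-128-GCM", "bom-ref": "alg:aes-128-gcm",
   "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {"primitive": "ae",
     "parameterSetIdentifier": "128", "mode": "gcm", "cryptoFunctions": ["encrypt", "decrypt"]}},
   "evidence": {"occurrences": [{"location": "src/storage/blob.py", "line": 77}]}},
  {"type": "cryptographic-asset", "name": "ML-KEM-768", "bom-ref": "alg:ml-kem-768",
   "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {"primitive": "kem",
     "parameterSetIdentifier": "768", "cryptoFunctions": ["encapsulate", "decapsulate"], "nistQuantumSecurityLevel": 3}},
   "evidence": {"occurrences": [{"location": "src/transport/pq.py", "line": 9}]}}
 ],
 "dependencies": [
  {"ref": "app:billing-api", "dependsOn": ["lib:pyjwt", "alg:aes-128-gcm", "alg:ml-kem-768"]},
  {"ref": "lib:pyjwt", "dependsOn": ["alg:rsa-2048"]}
 ]
}""")

# Public-key primitives fall to Shor's algorithm; symmetric/hash primitives only lose strength to Grover's.
SHOR_PRIMITIVES = {"pke", "signature", "key-agree"}
GROVER_PRIMITIVES = {"block-cipher", "stream-cipher", "ae", "mac", "hash", "kdf", "xof", "drbg"}

def classify(component):
    """Return (risk, reason) for one cryptographic-asset component."""
    props = component.get("cryptoProperties") or {}
    if props.get("assetType") != "algorithm":
        return "info", "not an algorithm asset; review certificate/key/protocol separately"
    alg = props.get("algorithmProperties") or {}
    primitive, level = alg.get("primitive", "unknown"), alg.get("nistQuantumSecurityLevel")
    if level is not None and level >= 1:  # the scanner already asserted a NIST PQ security category
        return "low", f"NIST quantum security level {level}"
    if primitive in SHOR_PRIMITIVES or alg.get("curve"):
        return "high", f"{primitive} primitive is broken by Shor's algorithm"
    if primitive in GROVER_PRIMITIVES:
        size = alg.get("parameterSetIdentifier", "")
        if size.isdigit() and int(size) < 256:  # e.g. AES-128: roughly 64-bit effective strength under Grover
            return "medium", f"{size}-bit {primitive}; Grover's algorithm halves effective strength"
        return "low", f"{primitive} primitive; only Grover-type speedups apply"
    return "unknown", f"unrecognised primitive {primitive!r}"

def reachable_assets(cbom):  # app bom-ref -> {asset bom-ref: shortest dependency path}
    graph = {d["ref"]: d.get("dependsOn", []) for d in cbom.get("dependencies", [])}
    by_ref = {c["bom-ref"]: c for c in cbom["components"] if "bom-ref" in c}
    result = {}
    for app in (c for c in cbom["components"] if c["type"] == "application"):
        paths, seen, queue = {}, set(), deque([(app["bom-ref"], [app["bom-ref"]])])
        while queue:  # breadth-first, so the first path recorded for an asset is the shortest
            ref, path = queue.popleft()
            if ref in seen:
                continue
            seen.add(ref)
            if by_ref.get(ref, {}).get("type") == "cryptographic-asset":
                paths[ref] = " -> ".join(path)
            queue.extend((dep, path + [dep]) for dep in graph.get(ref, []))
        result[app["bom-ref"]] = paths
    return result

def triage(cbom):  # findings sorted by risk, each with file:line evidence and the applications that reach it
    reach = reachable_assets(cbom)
    findings = []
    for comp in cbom["components"]:
        if comp["type"] != "cryptographic-asset":
            continue
        risk, reason = classify(comp)
        findings.append({
            "asset": comp["name"], "risk": risk, "reason": reason,
            "locations": [f'{o["location"]}:{o.get("line", "?")}' for o in (comp.get("evidence") or {}).get("occurrences", [])],
            "reachable_from": {app: p[comp["bom-ref"]] for app, p in reach.items() if comp["bom-ref"] in p},
        })
    findings.sort(key=lambda f: ("high", "medium", "unknown", "low", "info").index(f["risk"]))  # stable sort
    return findings

def overall_risk(findings):  # headline quantum risk level for the executive summary
    reachable = {f["risk"] for f in findings if f["reachable_from"]}
    if "high" in reachable:
        return "high"
    if "medium" in reachable or any(f["risk"] == "high" for f in findings):
        return "medium"  # unreachable Shor-vulnerable code is still a migration item, but not urgent
    return "low"

if __name__ == "__main__":
    results = triage(SAMPLE_CBOM)
    for f in results:
        print(f'[{f["risk"]}] {f["asset"]}: {f["reason"]} | at {", ".join(f["locations"])} | '
              f'via {"; ".join(f["reachable_from"].values()) or "not reachable from any application"}')
    print("Overall quantum risk level:", overall_risk(results))
```

Two points the output makes that an inventory alone does not: RSA-2048 is reached only through the `pyjwt` dependency, so the finding is a supply-chain item rather than something visible in the application's own source, and ECDH-P256 is present in vendored code but reached by no application, which lowers its priority on a migration roadmap without removing it from the inventory.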

Example CBOM Outputs

[Figures: cryptographic inventory (left); example migration roadmap (above)]

Built for Modern Software Environments

The CBOM service can be applied to: 

  • Third Party Software as part of software escrow and SaaS escrow deposits  
  • Cloud-native platforms  
  • Open-source dependency ecosystems  
  • Inhouse built applications 
  • When using third party or subcontracted software developers to build a software system 

We scope the assessment by the number of code repositories and unique applications, and it can be scaled as required.

The Escrow Company is a trusted third party that specialises in source code verification and audits. We can quickly analyse software and technology builds to support an M&A due diligence process.


Supporting Long-Term Software Resilience

While a CBOM itself does not migrate applications to post-quantum cryptography, it provides the visibility and awareness needed to begin planning and prioritising the transition to a secure state. 

For clients of third-party systems, performing this as part of a SaaS escrow arrangement adds a further layer of assurance around the long-term supportability of critical software systems and the partnership with a critical supplier.

For software vendors, it demonstrates proactive cryptographic governance and software supply chain transparency. 

Advanced Verification for Future Continuity

As organisations prepare for the transition towards post-quantum cryptography, visibility into cryptographic dependencies is becoming an increasingly important component of long-term software resilience and continuity planning. 

Looking for a CBOM?


If you have any questions about our services or would like to receive a free quote, simply fill in your details and we will be in touch with you.
