Comparisons

Stores raw BOMs in both CycloneDX and SPDX formats, VEX, VDR, BOV, SARIF, signatures, attestations, build metadata, and any other artifacts per release.

Release-centric structure with versioned releases stored within Product-Component model with full release history, audit trail, and provenance details for each artifact.

Highly configurable auto-integration engine aggregating findings from multiple sources and from comopnents into products

Own finding audit engine with various scopes (organization-wide, product-level, feature set-level, component-level, branch-level, release-level). Supports all findings, including those from Dependency-Track and other sources.

Approval and lifecycle management for releases (ReARM Pro).

Supports its own SBOM augmentation and enrichment logic (via Reliza's BEAR project). Stores augmented and enriched SBOMs alongside original raw SBOMs.

Proprietary deduplication logic for SBOM data and findings significantly improves operability and reduces infrastructure footprint. ReARM tolerates full outage and data loss on Dependency-Track with an option to rebuild based on ReARM data.

Rich changelog capabilities, including findings over time, and changes over time.

Managed service with SSO - no infrastructure to maintain. Support for client-hosted deployments, including air-gapped deployments, available for higher tiers.

Premium support (up to 24x7 depending on plan).

Managed Dependency-Track instance included.

Approval and trigger workflows for release lifecycle.

Workflow for marketing releases (separate versioning schema that may be used for marketing).

Support for perspective, multi-organization workflow support (Standard and Enterprise plans)

On-premise / air-gapped deployment option (Enterprise plan)

Release-centric evidence store: artifacts are stored per versioned release with full provenance, audit trail, and lifecycle management.

Stores raw artifacts (SBOMs, VEX, VDR, SARIF, attestations, signatures) compressed for 10+ years with full traceability.

Product-Component model with multi-level nesting, automated bundling, and configurable auto-integration engine.

Built-in finding audit engine with scoped auditing (organization, product, component, branch, release levels).

Production-ready platform with managed service option (ReARM Pro), UI, approval workflows, and premium support.

Integrates with Dependency-Track for continuous vulnerability monitoring with proprietary deduplication and changelog tracking.

Supports OWASP Transparency Exchange API (TEA) and VDR export in CycloneDX and PDF formats.

SBOM enrichment and augmentation via Reliza's BEAR integration, storing enriched SBOMs alongside originals.

Stores and versions all supply chain artifacts (SBOMs, SARIF, VEX, VDR, attestations) produced by any tool in a release-centric model.

Tool-agnostic - ingests outputs from any SCA, SAST, or DAST tool.

Release-centric model: artifacts are tied to specific versioned releases with detailed provenance within the release (release as a whole, source code entry, deliverable).

Long-term artifact retention (10+ years) and continuous monitoring for vulnerabilities, including for old releases, for compliance and audit.

Aggregates findings from multiple tools into a unified view with changelogs.

Provides search capabilities across entire supply chain evidence base, such as identifying instances of specific dependency or vulnerability.

Own finding audit engine with various scopes (organization-wide, product-level, feature set-level, component-level, branch-level, release-level). Supports all findings from various sources.

Product-level aggregation with multi-level component nesting.