Trace-AI predicts and prevents supply-chain attacks via metadata-driven analysis of open-source dependencies, registries, and maintainer activity, no source code needed. Built by engineers who scaled to millions, it helps teams ship fast and secure.
Hey everyone 👋
Trace-AI was born out of frustration and field experience.
For years, we were the ones called in after incidents, patching breaches, rebuilding trust, and realising how reactive the industry had become. Every time, the same pattern repeated: teams depended entirely on a single vulnerability database (NVD/CVE), and when it lagged or missed context, chaos followed.
That’s when we asked: What if we could see risk before it appeared in a CVE feed?
We began our research with ZSBOM, a metadata-only software bill of materials framework that analyses package registries, maintainer behaviour, and dependency metadata, no source code required. The results were eye-opening.
Metadata held the patterns that predicted most supply-chain compromises weeks before disclosure.
Trace-AI is the next step, a SaaS layer that automates this intelligence at scale. It plugs into your CI/CD or GitHub repos, continuously analyses open-source dependencies, and produces verifiable, compliance-ready risk evidence aligned with the upcoming EU Cyber Resilience Act.
Built by engineers who’ve scaled systems to millions and lived through compliance bottlenecks, Trace-AI turns software assurance from a burden into a competitive edge.
If you’re building or securing software, give it a try, no credit card, five repos free.
We’d love your thoughts, feedback, or even your toughest questions. Let’s make shipping secure the new default. 🔒🚀
Really resonates with my own experience leading engineering teams. Vulnerabilities often felt like landmines in our sprint plans — this shift from reactive patching to predictive prioritization is exactly what the ecosystem needs. Excited to see where Trace AI takes this.
Love the metadata-first approach. Predicting risk before CVEs and no source access required fits real-world SOC workflows. The CRA alignment is a nice touch. Curious how you score maintainer behavior over time, and how noisy alerts are. Congrats on the launch!
A while back, when I was leading engineering teams, one of the most frustrating challenges we faced wasn’t building features; it was dealing with vulnerabilities. Every time a security report came in, it completely threw off our plans and slowed everything down.
Worse, sometimes we had to live with those vulnerabilities not because we wanted to, but because fixing them would break something else or delay critical releases. It always felt like playing catch-up with risk.
That’s really where the idea for Trace AI came from. After living through those moments too many times, we wanted to build something that helps developers and security teams get ahead of vulnerabilities, not just react to them.
Trace AI predicts exploitability - so instead of adding another alert to your inbox, it tells you which vulnerabilities actually matter before they become a problem. That shift from reactive to predictive is what we’re most excited about.
You know that moment when a critical CVE drops and you're frantically checking if you're affected? Or when you discover during a security audit that you have dozens of vulnerabilities in packages you didn't even know you were using?
That's why we built Trace-AI.
Here's the reality: Most security tools tell you WHAT is vulnerable, but not WHERE it's coming from or WHY it's in your project. You see "requests 2.25.0 has CVE-XXXX" but then spend an hour digging through dependency trees trying to figure out which of your 15 services actually uses it and whether you installed it directly or if something else pulled it in.
What actually frustrated me as a developer:
Spending more time investigating dependencies than fixing them
Getting security alerts for packages I've never heard of (transitive dependency problems)
Not knowing if I can safely upgrade without breaking something
That panicked feeling when Log4Shell happened and we had to audit everything
If you've ever looked at your node_modules or site-packages folder and thought "I have no idea what half of this is," this is for you.
Platforms: GitHub (GitLab and Bitbucket in the works)
Looking for your feedback:
Try it with 5 repos free (no card needed). Plus, the Product Hunt community gets 2 additional repos! Use the promo code in this launch. Let me know what breaks, what works, or what you'd want to see next.
Don't see your language or platform? Reach out directly, we actively reprioritize our roadmap based on what teams actually need. If there's demand, we'll move it up the queue.
Follow along for updates, or drop your toughest questions. Real feedback from this community is what makes products better. 🙏
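As an added illustration of the WHERE/WHY question raised above (this is not Trace-AI code), the script below walks a constructed, lock-file style dependency graph for a few hypothetical services and reports which services pull in a flagged package, whether it is a direct or transitive dependency, and through which chain. Service names, packages and edges are all made up for the example.

```python
# Constructed sample: for each service, its declared (direct) dependencies and a
# package -> requirements map, as you might extract from a lock file. Names and
# edges are illustrative only, not real resolution output.
SERVICES = {
    "billing-api": {
        "direct": ["flask", "requests"],
        "graph": {"flask": ["werkzeug", "jinja2"], "werkzeug": [],
                  "jinja2": ["markupsafe"], "markupsafe": [],
                  "requests": ["urllib3", "charset-normalizer"],
                  "urllib3": [], "charset-normalizer": []},
    },
    "report-worker": {
        "direct": ["boto3"],
        "graph": {"boto3": ["botocore"], "botocore": ["urllib3"], "urllib3": []},
    },
    "frontend-bff": {
        "direct": ["httpx"],
        "graph": {"httpx": ["httpcore"], "httpcore": []},
    },
}


def find_paths(graph, roots, target):
    """Return every dependency chain from a direct dependency down to `target`."""
    paths = []

    def walk(node, trail, seen):
        if node == target:
            paths.append(trail)
            return
        for child in graph.get(node, []):
            if child not in seen:  # guard against cycles in the graph
                walk(child, trail + [child], seen | {child})

    for root in roots:
        walk(root, [root], {root})
    return paths


def locate(target):
    """Map service -> {'direct': bool, 'paths': [...]} for services that pull in `target`."""
    report = {}
    for name, svc in SERVICES.items():
        paths = find_paths(svc["graph"], svc["direct"], target)
        if paths:
            report[name] = {"direct": target in svc["direct"], "paths": paths}
    return report


if __name__ == "__main__":
    for svc, info in locate("urllib3").items():
        kind = "direct" if info["direct"] else "transitive"
        print(f"{svc}: {kind}; via " + "; ".join(" -> ".join(p) for p in info["paths"]))
```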