Sonatype Intelligence

The whole truth about open source risk.


Expert research powers the Sonatype Platform.

More Coverage

70% more vulnerabilities than alternative databases.

Faster Results

10x Faster than National Vulnerability Database.

More Expertise

65 world class professionals with 500+ years of experience.

The difference is simple.

Better Identification
Scan apps “as deployed” — not “as declared.” Identify true risk by verifying ALL embedded dependencies.
Examine fingerprints — not file names and package manifests. Precisely identify risk with Advanced Binary Fingerprints (ABF).
Report real risk — not false alarms. Spend more time fixing actual bugs and less time chasing false positives.
Better Knowledge
Above and beyond public data. Get details on the complete universe of open source vulnerabilities.
Super fast and always on. Learn about new open source vulnerabilities faster than anyone else.
Designed for developers. Give developers exactly what they want — actionable guidance to remediate open source risk.

“It has given us visibility into security issues and made us more proactive in dealing with things. It scans and gives you a low false-positive count.”

Edwin K


Dig Deeper to Identify the Truth
Avoid fake news, analyze deployed dependencies.

Alternative tools are prone to false positives and negatives because they scan apps “as declared” and trust developers to disclose the truth about dependencies embedded in software.

Sonatype scans apps “as deployed” using Advanced Binary Fingerprinting (ABF). The result is a precise read on embedded dependencies and a Software Bill of Materials (SBOM) that reflects the truth about third-party risk. ABF identification uses cryptographic hashes of binaries, structural similarity, derived coordinates, and file names. It can even identify renamed or modified components, whether or not they were declared, misnamed, or added to the code base manually.

The recent Octopus Scanner is a great example of why scanning the manifest is not "good enough" to identify malicious components being injected into our software supply chains.
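To make the “as deployed” versus “as declared” distinction concrete, here is an added example in Python. It is not Sonatype's code and does not describe how ABF is implemented; it simply identifies each shipped binary by its content hash against a small constructed catalogue and then compares the result with what the manifest declares. The artifacts, coordinates and hashes are all constructed for the example, and the Maven-style naming convention used to detect renames is an assumption.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample data: these byte strings stand in for library binaries.
# None of them are real artifacts; the hashes below are derived from them.
LIBFOO = b"constructed bytes standing in for libfoo 1.2.3"
LIBBAR = b"constructed bytes standing in for libbar 0.9.0"
BLOB = b"constructed bytes of an unknown vendor binary"


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identification key (the hash choice is an assumption)."""
    return hashlib.sha256(data).hexdigest()


# Catalogue of known components: content hash -> canonical group:artifact:version.
CATALOGUE: Dict[str, str] = {
    sha256_hex(LIBFOO): "org.example:libfoo:1.2.3",
    sha256_hex(LIBBAR): "org.example:libbar:0.9.0",
}

# What the build actually shipped ("as deployed"): file name -> file contents.
DEPLOYED: Dict[str, bytes] = {
    "libfoo-1.2.3.jar": LIBFOO,
    "utils.jar": LIBBAR,        # libbar copied in by hand and renamed
    "vendor-blob.jar": BLOB,    # no catalogue match at all
}

# What the manifest claims ("as declared").
DECLARED: Set[str] = {"org.example:libfoo:1.2.3", "org.example:libbaz:2.0.0"}


@dataclass
class Finding:
    file_name: str
    coordinate: Optional[str]  # resolved from the hash; None if unidentified
    declared: bool             # resolved coordinate appears in the manifest
    renamed: bool              # file name disagrees with the resolved coordinate


def expected_file_name(coordinate: str) -> str:
    """Assumed Maven-style convention: group:artifact:version -> artifact-version.jar."""
    _group, artifact, version = coordinate.split(":")
    return f"{artifact}-{version}.jar"


def identify_deployed(deployed: Dict[str, bytes], declared: Set[str],
                      catalogue: Dict[str, str]) -> List[Finding]:
    """Identify every shipped file by content hash, ignoring its name and the manifest."""
    findings = []
    for name in sorted(deployed):
        coord = catalogue.get(sha256_hex(deployed[name]))
        findings.append(Finding(
            file_name=name,
            coordinate=coord,
            declared=coord is not None and coord in declared,
            renamed=coord is not None and expected_file_name(coord) != name,
        ))
    return findings


def undeclared(findings: List[Finding]) -> List[str]:
    """Components that shipped but the manifest never mentioned."""
    return [f.coordinate for f in findings if f.coordinate and not f.declared]


def renamed(findings: List[Finding]) -> List[str]:
    """Files whose name would have misled a name-based scanner."""
    return [f.file_name for f in findings if f.renamed]


def unidentified(findings: List[Finding]) -> List[str]:
    """Files with no catalogue match; these need manual review."""
    return [f.file_name for f in findings if f.coordinate is None]


def declared_but_missing(findings: List[Finding], declared: Set[str]) -> List[str]:
    """Manifest entries with no matching shipped binary (a manifest-only scan would report these anyway)."""
    present = {f.coordinate for f in findings if f.coordinate}
    return sorted(declared - present)


if __name__ == "__main__":
    fs = identify_deployed(DEPLOYED, DECLARED, CATALOGUE)
    print("undeclared:", undeclared(fs))
    print("renamed:", renamed(fs))
    print("unidentified:", unidentified(fs))
    print("declared but missing:", declared_but_missing(fs, DECLARED))
```

A manifest-only scan of this build would report libfoo and libbaz and nothing else; the hash-based pass instead finds the hand-copied, renamed libbar that the manifest never declared, and flags the vendor blob as something nobody can vouch for. Real fingerprinting additionally has to cope with rebuilt or partially modified binaries whose hashes no longer match, which is why the page lists structural similarity alongside exact hashes.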

Go above and beyond public data sources.

Public databases like NVD provide a relatively small and typically outdated view of open source security vulnerabilities.

Sonatype Intelligence, however, delivers a universal and timely understanding of open source security risk. It has ingested and analyzed more than 96 million components and it never stops learning, using artificial intelligence and machine learning to dynamically monitor every GitHub commit to every open source project, advisory websites, Google search alerts, OSS Index, and a plethora of vulnerability sites. Additionally, new vulnerabilities are regularly discovered by our own researchers and added to our proprietary knowledge base.

Sonatype Intelligence also sees things that others simply can't, continuously gaining insight from more than 4 million instances of Sonatype Nexus Repository Manager, and from 146 billion components requested annually from The Central Repository.

Remediate faster with expert guidance designed for developers.

Whenever new vulnerabilities are disclosed or discovered, our team immediately validates the exploit path, identifies the root cause, and creates actionable information to help organizations (and development teams) evaluate, triage, and remediate threats faster than adversaries can attack. Guidance is carefully curated and written for easy consumption by frontline software developers. Instead of cryptic security alerts that are difficult to decipher, Sonatype Intelligence provides developers with step-by-step instructions on how to detect and remediate the vulnerability, including the upgrade path and the root cause, the relative risk of other component versions, and workarounds to avoid refactoring code.

Learn more with “Secondary Expansion.”

Sonatype Intelligence is the only security research service that actively practices “secondary expansion,” an extra level of investigation to determine if newly discovered vulnerabilities are also present and exploitable in other components. It’s important to go the extra mile because it's common for open source projects to borrow code from other projects. Simply stated, if a single vulnerability exists in multiple libraries, we automatically let you know. Over the past 5 years, we've associated vulnerabilities to 3 million more components than public databases.

Understand threats faster.

Whenever new open source vulnerabilities are disclosed, criminals immediately begin looking for opportunities to exploit them in the wild. As a result, it’s literally a race between “bad guys” and “good guys” to see who acts first. Companies lose when bad actors are able to exploit open source vulnerabilities faster than they can remediate them.

When it comes to managing the constantly evolving security threats within open source, speed is absolutely critical. That’s why Sonatype Intelligence works 24x7x365 to stay abreast of the changing threat landscape and publishes detailed information on new vulnerabilities 10X faster than NVD.

Combat counterfeit components.

Over the past two years, more than 20 instances of adversaries intentionally publishing malicious components into public open source and container repositories were recorded. Open source projects impacted by malicious injections have been difficult to detect because, on the surface, they look no different than other open source code contributions.

To combat this new type of attack, Sonatype developed patent-pending technology to monitor millions of open source projects in real-time to identify abnormal development behavior and suspicious patterns as new component versions are released. Now developers and security teams alike can see within Sonatype Intelligence when a component version has been detected as malicious code.

Trust in community credibility.

From our humble beginning as core contributors to Apache Maven, to supporting and maintaining the Central Repository, OSS Index, and the Central Security Project, we’ve long played a meaningful role in helping the global community of software developers embrace the power of open innovation. We're passionate about the community and we're dedicated to providing premium security research to help owners and consumers of open source projects minimize risk and maximize value.

Learn More

Don't take our word for it, see for yourself how our data stacks up against the competition.
Discover why accurate data is critical to securing open source code.
Take a test drive of our data and see for yourself if there are vulnerabilities lurking in your application.