SCIP unifies software composition analysis (SCA), supply chain risk monitoring, and AI threat detection in one Splunk app. Ingest SBOMs, correlate components against live vulnerability intelligence (OSV, NVD, CISA KEV, EPSS), detect adversarial AI/ML threats with MITRE ATLAS, and assess compliance posture across nine global frameworks — with detection logic written as transparent SPL you can open and read, and no external security product required.
CAPABILITIES
- SBOM ingestion — file-drop or HEC, supporting CycloneDX (JSON/XML) and SPDX (JSON)
- Vulnerability correlation — daily OSV feed (264,944+ records across 5 ecosystems) with PURL-based correlation; NVD CPE-based correlation; CISA KEV matching with BOD 22-01 SLA tracking; EPSS exploit-probability scoring
- Supply Chain Risk Score — 0–100 global and per-application risk scoring weighted by severity, KEV status, and EPSS
- Vendor Risk — per-vendor risk aggregation and letter-grading across your SBOM portfolio
- SBOM Drift Detection — baseline-vs-current component change tracking
- License Compliance — GPL/AGPL/copyleft detection and license-risk classification
- MITRE ATLAS Detection — 66 detection rules for adversarial AI/ML threats
- Compliance Gap Assessment — nine frameworks: PCI DSS 4.0, NIST CSF 2.0, SOC 2 Type II, HIPAA Security Rule, EU Cyber Resilience Act, FedRAMP / RMF / CISA, DORA, FDA 524B Premarket Cybersecurity, SEBI CSCRF
- POA&M & FedRAMP Workflow — POA&M dashboard, monthly ConMon package builder, BOD 22-01 SLA tracking, deviation request workflow. Dashboards always available; automated POA&M generation is opt-in from Setup
- Audit-ready exports — FedRAMP POA&M Workbook (R3.0 and R2.1), SSP Appendix M Integrated Inventory, Deviation Request Form (Template 2.1 / Aug 2024)
- Component Search — instant cross-SBOM component lookup (available in the free Community tier)
- Compound Risk — correlates active MITRE ATLAS AI-threat detections with vulnerable components on the same application, surfacing compounding risk neither signal shows alone (Enterprise and Federal Plus)
- AI/ML Bill of Materials — catalogs AI/ML model components from your SBOMs (architecture, training data, lineage) with insecure-serialization-format risk flagging (Professional and above; risk classification detail on Enterprise and Federal Plus)
TIERS
Community (free), Professional, Federal, Enterprise, Federal Plus. Feature availability gated by license tier; contact us for tier comparison.
SUPPORT
GIC Engineering Consultants — contact@gicengineeringconsultants.com