Date: December 10, 2025
Event: BlackHat Europe 2025 Arsenal
Presenter: Anant Shrivastava
SBOM Play is a browser-first, privacy-aware SBOM visualization and enrichment tool designed to showcase the real potential of SBOMs beyond just vulnerability tracking.
Instead of relying on server-side infrastructure or custom scripts, SBOM Play runs entirely in the browser. It enables users to extract SBOMs from GitHub repositories, enrich them with data from osv.dev, and analyze dependencies across repositories and organizations in a unified view.
Whether it’s reducing tech debt, surfacing redundant packages, or evaluating license compliance, SBOM Play makes software inventory exploration accessible to developers, security engineers, and decision-makers alike.
Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.
This Arsenal demonstration at Black Hat Europe 2025 showcases SBoM Play, an open-source, fully client-side SBoM exploration and intelligence extraction platform built by Cyfinoid Research. The tool takes a simple GitHub organization, user, or repository URL as input and produces a comprehensive dashboard with dependency analysis, vulnerability tracking, license compliance monitoring, author attribution, geographical distribution, and version sprawl detection — all running entirely in the browser with no backend required.
Key Topics Covered
Tool Philosophy and Design:
SBoM is fundamentally an inventory — the value lies in extracting intelligence from that inventory
Designed to demonstrate SBoM’s usefulness in non-infosec scenarios, proving value through visualization rather than theoretical arguments
Fully client-side: runs entirely in the browser with no backend or server, preserving privacy and eliminating deployment barriers
Simple Input Model:
Accepts a GitHub organization, user, or repository in multiple formats: short form (user/repo, org/repo, username, org name) or a full GitHub URL
Only requirement: GitHub Dependency Graph must be enabled on target repositories
One-field interface — deliberately minimal to lower the barrier to entry
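One way to implement the one-field input model described above, added here as an example and not SBOM Play's own code: every accepted form (user/repo, org/repo, a bare username or org name, or a full GitHub URL) is normalised into one target object, and a repository target is mapped onto GitHub's documented REST endpoint for exporting a repository's dependency-graph SBOM (whether the tool uses exactly that endpoint is not stated on the page). The function names and the sample inputs are hypothetical.

```javascript
// Added example (not SBOM Play's own code): normalise the input forms the
// summary lists (user/repo, org/repo, username, org name, full GitHub URL)
// into one target object, and map a repository target onto GitHub's REST
// SBOM export endpoint. Function names are hypothetical.

// GitHub login rules: 1-39 characters, alphanumeric or hyphen, no leading
// hyphen. Repository names may also contain dots and underscores.
const OWNER_RE = /^[A-Za-z0-9][A-Za-z0-9-]{0,38}$/;
const REPO_RE = /^[A-Za-z0-9._-]{1,100}$/;

function parseGitHubTarget(raw) {
  if (typeof raw !== 'string') return null;
  const s = raw.trim()
    .replace(/^https?:\/\//i, '')                    // drop scheme
    .replace(/^(?:www\.)?github\.com(?:\/|$)/i, ''); // drop host if a URL was pasted
  // Cut query string / fragment, then split the remaining path.
  const parts = s.split(/[?#]/, 1)[0].split('/').filter(Boolean);
  if (parts.length === 0) return null;

  const owner = parts[0];
  // Also rejects foreign hosts such as gitlab.com, which fail the login rules.
  if (!OWNER_RE.test(owner)) return null;

  if (parts.length === 1) {
    // A bare name cannot tell a user from an organisation; only the GitHub
    // API can, so both are reported as "owner".
    return { kind: 'owner', owner };
  }
  const repo = parts[1].replace(/\.git$/i, '');
  if (!REPO_RE.test(repo)) return null;
  // Any further path segments (/tree/main, /blob/...) are ignored.
  return { kind: 'repo', owner, repo };
}

// REST path of GitHub's dependency-graph SBOM export for one repository.
// Owner targets (user or org) need a repository listing first, which is
// left out here.
function sbomApiPath(target) {
  if (!target || target.kind !== 'repo') return null;
  return `/repos/${target.owner}/${target.repo}/dependency-graph/sbom`;
}

// Demo on a few constructed inputs.
for (const input of ['octocat/hello-world',
                     'https://github.com/octocat/hello-world.git/',
                     'octocat',
                     'https://gitlab.com/foo/bar']) {
  console.log(JSON.stringify(input), '->', JSON.stringify(parseGitHubTarget(input)));
}
```

The parser deliberately returns `null` rather than guessing when the owner segment does not satisfy GitHub's login rules, so a pasted URL from another forge is refused instead of being turned into a nonsense API call.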
Under-the-Hood Processing:
Fetches dependency graph data via GitHub’s API
Creates nested SBoMs by recursively resolving dependency trees
Processes and correlates data entirely on the client side
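The recursive dependency-tree resolution described above, shown as an added example rather than SBOM Play's own code. It reads one interpretation of "nested SBoM": the tree that the DEPENDS_ON relationships of an SPDX JSON document (the format GitHub's dependency-graph SBOM export produces) describe, walked from the package the document DESCRIBES. The sample SBOM, including its deliberate cycle, is constructed, and the function name is hypothetical.

```javascript
// Added example, not SBOM Play's own code. Walks SPDX JSON relationships
// (relationships[].spdxElementId / relatedSpdxElement / relationshipType,
// packages[].SPDXID / name / versionInfo) to build a nested dependency tree.
// The SBOM below is constructed sample data.

const SAMPLE_SBOM = {
  packages: [
    { SPDXID: 'SPDXRef-root',            name: 'example-org/web', versionInfo: 'main' },
    { SPDXID: 'SPDXRef-npm-express',     name: 'npm:express',     versionInfo: '4.18.2' },
    { SPDXID: 'SPDXRef-npm-body-parser', name: 'npm:body-parser', versionInfo: '1.20.1' },
    { SPDXID: 'SPDXRef-npm-debug',       name: 'npm:debug',       versionInfo: '2.6.9' },
  ],
  relationships: [
    { spdxElementId: 'SPDXRef-DOCUMENT',        relatedSpdxElement: 'SPDXRef-root',            relationshipType: 'DESCRIBES' },
    { spdxElementId: 'SPDXRef-root',            relatedSpdxElement: 'SPDXRef-npm-express',     relationshipType: 'DEPENDS_ON' },
    { spdxElementId: 'SPDXRef-npm-express',     relatedSpdxElement: 'SPDXRef-npm-body-parser', relationshipType: 'DEPENDS_ON' },
    { spdxElementId: 'SPDXRef-npm-express',     relatedSpdxElement: 'SPDXRef-npm-debug',       relationshipType: 'DEPENDS_ON' },
    { spdxElementId: 'SPDXRef-npm-body-parser', relatedSpdxElement: 'SPDXRef-npm-debug',       relationshipType: 'DEPENDS_ON' },
    // Constructed cycle (debug -> express) to exercise the recursion guard.
    { spdxElementId: 'SPDXRef-npm-debug',       relatedSpdxElement: 'SPDXRef-npm-express',     relationshipType: 'DEPENDS_ON' },
  ],
};

function buildDependencyTree(sbom, rootId) {
  const byId = new Map(sbom.packages.map(p => [p.SPDXID, p]));

  // Adjacency list of DEPENDS_ON edges only; other relationship types are
  // irrelevant for the tree.
  const edges = new Map();
  for (const r of sbom.relationships) {
    if (r.relationshipType !== 'DEPENDS_ON') continue;
    if (!edges.has(r.spdxElementId)) edges.set(r.spdxElementId, []);
    edges.get(r.spdxElementId).push(r.relatedSpdxElement);
  }

  // Root: the element the document DESCRIBES unless the caller names one.
  const root = rootId ??
    sbom.relationships.find(r => r.relationshipType === 'DESCRIBES')?.relatedSpdxElement;
  if (!root || !byId.has(root)) throw new Error('no root package found');

  const transitive = new Set(); // every package reachable from the root

  // Depth-first expansion. The current path is checked so a cycle becomes a
  // marked leaf instead of infinite recursion; shared subtrees are expanded
  // again because a nested view shows each occurrence.
  function visit(id, path) {
    const p = byId.get(id);
    const node = { id, name: p?.name ?? id, version: p?.versionInfo ?? '', deps: [] };
    if (path.includes(id)) { node.cycle = true; return node; }
    transitive.add(id);
    for (const child of edges.get(id) ?? []) node.deps.push(visit(child, [...path, id]));
    return node;
  }

  const tree = visit(root, []);
  return {
    tree,
    transitiveCount: transitive.size - 1,
    transitive: [...transitive].filter(i => i !== root).sort(),
  };
}

console.log(JSON.stringify(buildDependencyTree(SAMPLE_SBOM), null, 2));
```

The `transitive` set is what the repository view needs (a flat count of everything reachable), while `tree` is the nested structure a dependency drill-down renders; computing both from one walk keeps them consistent.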
Dashboard and Visualization Capabilities:
10K-foot dashboard: high-level overview of the organization’s dependency landscape
Dependency view: drill into individual packages and their relationships
Vulnerability view: identify known vulnerabilities across all dependencies
Repository view: per-repository breakdown of dependency health
License compliance: audit license types across all components
License change tracking: detect when dependency licenses change between versions
Author details: attribution and contributor information for dependencies
Geographical view: map of dependency author locations for geopolitical risk assessment
Version sprawl: identify cases where multiple versions of the same package are used across different repositories
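How the version sprawl, license change and license compliance views above can be derived from a set of per-repository SBOMs, added here as an example and not SBOM Play's own code. The field names are the standard SPDX JSON ones (packages[].name, versionInfo, licenseConcluded); the repositories, packages and licenses are constructed sample data and the function names are hypothetical.

```javascript
// Added example (not SBOM Play's code): merge per-repository SBOMs into an
// organisation-wide inventory, then derive version sprawl (one package,
// several versions across repositories), license change (the same package
// carrying different licenses at different versions) and a license tally.
// Field names follow SPDX JSON; repositories and packages are constructed.

const SAMPLE_SBOMS = [
  { repo: 'example-org/web', packages: [
    { name: 'npm:lodash',   versionInfo: '4.17.20', licenseConcluded: 'MIT' },
    { name: 'npm:left-pad', versionInfo: '1.3.0',   licenseConcluded: 'WTFPL' },
  ]},
  { repo: 'example-org/api', packages: [
    { name: 'npm:lodash',   versionInfo: '4.17.21', licenseConcluded: 'MIT' },
    { name: 'npm:somelib',  versionInfo: '2.0.0',   licenseConcluded: 'GPL-3.0-only' },
  ]},
  { repo: 'example-org/cli', packages: [
    { name: 'npm:lodash',   versionInfo: '4.17.20', licenseConcluded: 'MIT' },
    { name: 'npm:somelib',  versionInfo: '1.4.0',   licenseConcluded: 'MIT' },
  ]},
];

// name -> Map(version -> { license, repos: Set }). A missing license is kept
// as the SPDX value NOASSERTION so it is reported rather than silently dropped.
function buildInventory(sboms) {
  const inv = new Map();
  for (const { repo, packages } of sboms) {
    for (const p of packages) {
      if (!inv.has(p.name)) inv.set(p.name, new Map());
      const versions = inv.get(p.name);
      if (!versions.has(p.versionInfo)) {
        versions.set(p.versionInfo, { license: p.licenseConcluded ?? 'NOASSERTION', repos: new Set() });
      }
      versions.get(p.versionInfo).repos.add(repo);
    }
  }
  return inv;
}

// Packages present in more than one version anywhere in the organisation.
// Versions are sorted as plain strings for brevity; real data needs a
// semver-aware comparator.
function detectVersionSprawl(sboms) {
  const out = [];
  for (const [name, versions] of buildInventory(sboms)) {
    if (versions.size < 2) continue;
    const repos = new Set();
    for (const v of versions.values()) for (const r of v.repos) repos.add(r);
    out.push({ name, versions: [...versions.keys()].sort(), repos: [...repos].sort() });
  }
  return out.sort((a, b) => a.name.localeCompare(b.name));
}

// Packages whose concluded license differs between the versions in use.
function detectLicenseChanges(sboms) {
  const out = [];
  for (const [name, versions] of buildInventory(sboms)) {
    const byVersion = {};
    for (const [v, d] of versions) byVersion[v] = d.license;
    if (new Set(Object.values(byVersion)).size > 1) out.push({ name, byVersion });
  }
  return out.sort((a, b) => a.name.localeCompare(b.name));
}

// Count of package versions per license, for the license compliance view.
function licenseSummary(sboms) {
  const counts = {};
  for (const versions of buildInventory(sboms).values()) {
    for (const d of versions.values()) counts[d.license] = (counts[d.license] ?? 0) + 1;
  }
  return counts;
}

console.log('version sprawl:', JSON.stringify(detectVersionSprawl(SAMPLE_SBOMS), null, 2));
console.log('license changes:', JSON.stringify(detectLicenseChanges(SAMPLE_SBOMS), null, 2));
console.log('licenses:', JSON.stringify(licenseSummary(SAMPLE_SBOMS)));
```

Keying the inventory on package name first and version second is what makes both checks cheap: sprawl is any name with more than one version entry, and a license change is any name whose version entries disagree on the concluded license, so a copyleft license appearing in a newer version is caught without a separate scan.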
Beyond Vulnerabilities:
The tool intentionally goes past vulnerability scanning to cover license risk, author trust, geographical concentration, version inconsistency, and organizational dependency patterns
Positions SBoM as a strategic intelligence source, not just a security compliance artifact
Actionable Takeaways
Try SBoM Play at cyfinoid.github.io/sbomplay — enter your GitHub organization or repository to get an instant, privacy-preserving view of your dependency landscape.
Use SBoM Play’s license compliance and license change views to catch licensing risks before they become legal problems, especially for organizations with strict open-source policies.
Monitor version sprawl across your repositories — multiple versions of the same package increase maintenance burden and can mask security issues.
Leverage the geographical view for geopolitical supply chain risk assessment, identifying concentration of critical dependencies in specific regions.
Use the author details view to assess single-maintainer risk and understand the human trust chain behind your most critical dependencies.
Enable GitHub Dependency Graph on all organizational repositories to make them accessible to SBoM Play and similar tooling for automated inventory analysis.
Demonstrate SBoM’s value to non-security stakeholders by sharing SBoM Play’s visual dashboards — the license, version sprawl, and author views resonate with legal, compliance, and engineering leadership.