- Event: DEF CON Singapore 2026 (April 28-30, 2026 · Training April 26-27)
- Venue: Marina Bay Sands, Singapore
- Track: Demo Labs Track 4
- Format: 45-minute Demo Lab (three sessions)
- Presenter: Anant Shrivastava | Founder, Cyfinoid Research
Schedule
- Tuesday, April 28, 2026 · 13:00 – 13:45 · Demo Labs Track 4
- Tuesday, April 28, 2026 · 14:00 – 14:45 · Demo Labs Track 4
- Wednesday, April 29, 2026 · 11:00 – 11:45 · Demo Labs Track 4
Audience: AppSec, Defense/Blue Team, DevOps, Offense/Red Team, Purple Team, SecOps
Demo Lab Overview
SBoMPlay is a browser-first, privacy-aware SBOM exploration tool built to make SBOMs usable without extra setup or backend overhead. Most teams get stuck with heavyweight tooling or custom scripts just to explore what an SBOM contains. SBoMPlay avoids that by running entirely in the browser — no server, no uploads, just instant visibility into your software inventory.
The tool can extract SBOMs from GitHub repos, enrich them using osv.dev, deps.dev, and ecosyste.ms, and offers a cross-org, cross-repo view to identify redundant packages, tech debt, license issues, and more. It is designed for developers, security engineers, and decision-makers who need fast answers about their dependencies without friction.
Key Features
- Vulnerability mapping via osv.dev / deps.dev / ecosyste.ms enrichment
- Version drift detection across repositories and organizations
- License breakdowns and compliance analysis
- SBOM quality audits and benchmarking against CISA, BSI, and CERT-In standards
- Single-point-of-failure detection via maintainer aggregation
- Fully client-side execution — no uploads, no backend
The tool was previously presented at Black Hat Europe 2025 and Black Hat Asia 2026 Arsenal; this DEF CON Singapore session demonstrates newer capabilities added since then. Everything runs client-side and is open source.
Resources
- Live URL: SBoM Play
- Source Code: GitHub Repository