Software-security compliance, the practical way
The regulations differ; the work doesn't. Know your software components, monitor them for vulnerabilities, patch on a defensible basis, and keep the evidence. IsItPatched does that once — and speaks each framework's language.
1046 actively-exploited CVEs across 613 tracked products right now
Which editions apply to me?
Agentic AI security
Teams shipping AI agents
Score your agent against the OWASP Agentic Top 10 (ASI01–ASI10) and AIVSS v0.8 — a free, in-browser readiness check + lethal-trifecta quick screen.
Open edition →
EU Cyber Resilience Act (EU · in force 2026)
Makers of products with digital elements
Spot actively-exploited (reportable) vulnerabilities and export the SBOM, VEX and evidence ahead of the 11 Sep 2026 reporting duty.
Open edition →
ISA/IEC 62443 (Industrial / OT)
Asset owners, integrators, suppliers
Risk-based patch management (62443-2-3) and SBOM/component transparency (4-1/4-2) for industrial automation & control systems.
Open edition →
FDA Section 524B (US · medical devices)
Medical-device makers (sponsors)
SBOM/component vulnerability analysis, known-exploited prioritisation and postmarket vulnerability-management evidence for premarket submissions.
Open edition →
ISO/SAE 21434 & UNECE R155 (Automotive)
OEMs and Tier 1/2/3 suppliers
The operations-phase vulnerability monitoring your CSMS needs, with SBOM transparency across the automotive supply chain.
Open edition →
NIS2 Directive (EU · essential/important entities)
Operators of essential & important services + suppliers
Evidence the supply-chain security and vulnerability-handling measures (Article 21) with SBOM scanning, risk-based patching, EOL tracking and exports.
Open edition →
Executive Order 14028 (US · federal software)
Software producers selling to US agencies
SBOM (NTIA elements) + vulnerability-management evidence to support your SSDF self-attestation for federal software.
Open edition →
CISA BOD 26-04 (US · risk-based patching)
FCEB agencies & their software vendors
Risk-based remediation (10 Jun 2026, replaces BOD 22-01): rank by exposure × exploitation × automation × impact, exploited-first, with an exportable remediation record.
Open edition →
PCI DSS 4.0 (Payments · card data)
Merchants, service providers, processors
Requirement 6 software inventory (6.3.2), risk-ranked vulnerability identification (6.3.1) and timely patching (6.3.3), with QSA-ready evidence.
Open edition →
SOC 2 (SaaS · trust report)
SaaS vendors & service organisations
Vulnerability detection (CC7.1) and patch / change-management (CC8.1) evidence for the Security Trust Services Criteria your customers ask for.
Open edition →
ISO/IEC 27001 (Global · ISMS)
Any organisation certifying an ISMS
Technical vulnerability management (Annex A 8.8) and ICT-supply-chain transparency (A.5.21) from an SBOM, with auditor-ready evidence.
Open edition →
DORA (EU · financial sector)
Financial entities + their ICT providers
Identify, prioritise and remediate vulnerabilities in your ICT assets (Art. 9), with component transparency for third-party assessments. Applies since 17 Jan 2025.
Open edition →
NIST CSF 2.0 & CMMC (US · federal / defense)
Defense contractors & CSF adopters
Software inventory (ID.AM / 800-171 3.4.1), vulnerability identification (ID.RA / 3.11.2) and flaw remediation (PR.PS / 3.14.1), with assessment evidence.
Open edition →
CIS Controls v8 (Best practice · global)
Any security program (IG1–IG3)
Software asset inventory (Control 2) and continuous vulnerability management (Control 7) from an SBOM, with risk-ranked remediation evidence.
Open edition →
Cyber Essentials (UK · NCSC scheme)
UK orgs & government suppliers
The Security Update Management control: keep software supported, patch high/critical (CVSS ≥7) within 14 days, flag end-of-life — with assessor evidence.
Open edition →
Essential Eight (Australia · ACSC)
Australian government & suppliers
The "Patch applications" and "Patch operating systems" strategies: inventory, prioritise exploited vulns, patch in timeframe, remove unsupported software.
Open edition →
HIPAA Security Rule (US · healthcare)
Covered entities & business associates
Software-vulnerability risk analysis & risk management (§164.308(a)(1)) for systems handling ePHI — with exportable evidence. Never touches ePHI.
Open edition →
UK Software Security Code (UK · voluntary code)
UK software & SaaS vendors
Act on the Code: manage component vulnerabilities, ship the minimum safe version, and communicate support / end-of-life — with evidence.
Open edition →
Guidance only: most teams are subject to more than one, and a single IsItPatched account covers them all. Confirm your obligations with a qualified advisor.
One shared foundation
Every edition draws on the same free capabilities — that's why a single account covers several frameworks at once.
SBOM scanning
Drop in a CycloneDX or SPDX SBOM for a per-component verdict, matched against OSV — parsed in your browser. Scan →
Vulnerability monitoring
Get alerted when a component you track becomes vulnerable or actively exploited. Monitor →
Known-exploited first
CISA KEV + EPSS rank what truly warrants an urgent or out-of-cycle patch. See exploited →
End-of-life tracking
Flag components that can no longer be patched — a risk every framework cares about. EOL calendar →
Evidence exports
CycloneDX VEX, a software risk register (CSV / PDF) and a prioritised patch queue. Export →
Free & private
No account needed to scan; a free passwordless account syncs your stack and unlocks exports. Sign in →
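The foundation above, as an added example that is not IsItPatched's code: parse a CycloneDX SBOM, match its components against a vulnerability feed, rank the findings exploited-first (CISA KEV, then EPSS, then CVSS) and emit a CycloneDX VEX that records each verdict. The SBOM and the feed are constructed sample data; identifiers such as EXAMPLE-0001 are placeholders rather than real CVEs, the version-list matching stands in for the range logic a real feed such as OSV uses, and the EPSS cut-off of 0.1 is an assumption chosen for the example.

```python
"""Added example (not IsItPatched's code): SBOM -> matched findings -> exploited-first
queue -> CycloneDX VEX. All input data below is constructed for the example."""
from __future__ import annotations

import json
from dataclasses import dataclass

EPSS_LIKELY = 0.1  # assumption: EPSS probability above which exploitation is treated as likely

# Constructed CycloneDX 1.5 SBOM. The 'internal-service' entry has no purl on purpose.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/examplelib@1.2.0", "name": "examplelib",
         "version": "1.2.0", "purl": "pkg:npm/examplelib@1.2.0"},
        {"type": "library", "bom-ref": "pkg:pypi/samplepkg@0.9.1", "name": "samplepkg",
         "version": "0.9.1", "purl": "pkg:pypi/samplepkg@0.9.1"},
        {"type": "library", "bom-ref": "pkg:maven/org.example/toolkit@3.0.0", "name": "toolkit",
         "version": "3.0.0", "purl": "pkg:maven/org.example/toolkit@3.0.0"},
        {"type": "application", "name": "internal-service", "version": "2.0"},
    ],
})

# Constructed feed. Fields mirror the sources the page names (NVD CVSS score, EPSS
# probability, CISA KEV flag) but every record here is invented; IDs are placeholders.
FEED = [
    {"id": "EXAMPLE-0001", "package": "pkg:npm/examplelib", "affected": ["1.2.0"],
     "cvss": 9.8, "epss": 0.91, "kev": True},
    {"id": "EXAMPLE-0002", "package": "pkg:pypi/samplepkg", "affected": ["0.9.0", "0.9.1"],
     "cvss": 7.5, "epss": 0.02, "kev": False},
    {"id": "EXAMPLE-0003", "package": "pkg:pypi/samplepkg", "affected": ["0.9.1"],
     "cvss": 5.3, "epss": 0.45, "kev": False},
]


@dataclass(frozen=True)
class Component:
    bom_ref: str
    name: str
    version: str
    purl: str


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    component: Component
    cvss: float
    epss: float
    kev: bool


def parse_sbom(text: str) -> list[Component]:
    """Read a CycloneDX JSON SBOM. Components without a purl are skipped: with no
    package coordinate there is nothing to match a vulnerability record against."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    out = []
    for c in doc.get("components", []):
        purl = c.get("purl")
        if not purl:
            continue
        out.append(Component(c.get("bom-ref", purl), c["name"], c.get("version", ""), purl))
    return out


def package_of(purl: str) -> str:
    """Drop qualifiers and version: 'pkg:npm/x@1.2.0?arch=x86' -> 'pkg:npm/x'."""
    return purl.split("?", 1)[0].rsplit("@", 1)[0]


def match(components: list[Component], feed: list[dict]) -> list[Finding]:
    """One Finding per (component, record) pair whose package and version line up."""
    return [Finding(r["id"], c, r["cvss"], r["epss"], r["kev"])
            for c in components for r in feed
            if r["package"] == package_of(c.purl) and c.version in r["affected"]]


def tier(f: Finding) -> int:
    """0 = in CISA KEV (out-of-cycle patch), 1 = EPSS says exploitation is likely,
    2 = high/critical CVSS, 3 = everything else. Severity alone comes last on purpose."""
    if f.kev:
        return 0
    if f.epss >= EPSS_LIKELY:
        return 1
    return 2 if f.cvss >= 7.0 else 3


def rank(findings: list[Finding]) -> list[Finding]:
    """Exploited-first patch queue: tier, then EPSS, then CVSS, then id for stability."""
    return sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss, f.vuln_id))


def to_vex(findings: list[Finding], not_affected: dict[str, str] | None = None) -> dict:
    """Emit a CycloneDX 1.5 VEX. KEV entries are 'exploitable'; entries a reviewer has
    marked not_affected carry their justification; everything else stays 'in_triage'."""
    not_affected = not_affected or {}
    vulns = []
    for f in rank(findings):
        if f.vuln_id in not_affected:
            analysis = {"state": "not_affected", "justification": not_affected[f.vuln_id]}
        elif f.kev:
            analysis = {"state": "exploitable", "detail": "listed in CISA KEV; patch out of cycle"}
        else:
            analysis = {"state": "in_triage"}
        vulns.append({"id": f.vuln_id,
                      "ratings": [{"score": f.cvss, "method": "CVSSv31"},
                                  {"score": f.epss, "method": "other", "source": {"name": "EPSS"}}],
                      "analysis": analysis,
                      "affects": [{"ref": f.component.bom_ref}]})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "vulnerabilities": vulns}


if __name__ == "__main__":
    queue = rank(match(parse_sbom(SBOM_JSON), FEED))
    for f in queue:
        print(f"tier {tier(f)}  {f.vuln_id}  {f.component.purl}  cvss={f.cvss} epss={f.epss} kev={f.kev}")
    print(json.dumps(to_vex(queue, {"EXAMPLE-0002": "code_not_reachable"}), indent=2))
```

The ordering is the point: EXAMPLE-0003 (CVSS 5.3, EPSS 0.45) lands ahead of EXAMPLE-0002 (CVSS 7.5, EPSS 0.02) because exploitation likelihood, not severity, decides what goes to the top of the queue once KEV entries are taken. The `not_affected` map is where a reviewer's triage decision enters the evidence; CycloneDX requires a justification value for that state, and `code_not_reachable` is one of the defined ones.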
Straight with you: IsItPatched is an informational tool built on public vulnerability data (NVD · CISA KEV · OSV · endoflife.date). It supports specific, concrete activities each framework requires — but it is not a certification, conformity assessment, type approval, or legal advice. Confirm your obligations with a qualified advisor. Disclaimer.
Compliance editions — frequently asked
Which compliance edition do I need?
It depends on what you make, who you sell to and where: the EU Cyber Resilience Act applies broadly to products with digital elements sold in the EU; NIS2 to operators of essential and important services; DORA to the EU financial sector and its ICT providers; ISA/IEC 62443 to industrial and OT systems; FDA Section 524B to connected medical devices; ISO/SAE 21434 to road vehicles; EO 14028 to software sold to US federal agencies; PCI DSS to anyone handling card data; SOC 2 to SaaS vendors proving security to customers; ISO/IEC 27001 to any organisation certifying an ISMS; NIST CSF 2.0 / CMMC to US federal and defense work; the CIS Controls as a best-practice baseline anywhere; Cyber Essentials and the UK Software Security Code of Practice in the UK; the Essential Eight in Australia; and the HIPAA Security Rule to anyone handling US health data. Many teams are subject to more than one — the underlying work (know your components, monitor vulnerabilities, prioritise patches, keep evidence) is the same, which is why one IsItPatched account covers them all.
Is the compliance tooling really free?
Yes. The SBOM scanner, vulnerability monitoring, known-exploited prioritisation, end-of-life tracking and the VEX / risk-register exports are free, and the SBOM is parsed entirely in your browser — the file never leaves your device. A free passwordless account lets you sync your component stack and generate exports from your dashboard.
Does IsItPatched make me compliant?
No. IsItPatched is an informational tool built on public vulnerability data. It supports specific, concrete activities each framework requires — software bill of materials, vulnerability monitoring, risk-based patch prioritisation, end-of-life tracking and exportable evidence — but it is not a certification, conformity assessment, type approval, or legal advice. Confirm your obligations with a qualified advisor.