
What's New in SentriKat — SBOM Export, Compliance Reports, and Remediation Workflows

Sprint 4 and Sprint 5 add CRA-ready SBOM export (CycloneDX, SPDX, plus a STIX bundle for threat-intel handoff), HMAC-SHA256-protected gap-analysis reports for PCI-DSS, ISO 27001 and SOC 2, full remediation assignments with SLA tracking, and multi-tracker integration with Jira, GitHub, GitLab and YouTrack.

Denis Sota · 5 min read

Two sprints, one release. SentriKat 0.2.0 ships the three things enterprise buyers ask about the moment they start comparing vulnerability management platforms: a Software Bill of Materials they can actually use, compliance reports an auditor will accept, and a remediation loop that doesn’t need a second tool.

Here’s what changed, why it matters, and where to find it.

SBOM export — CycloneDX 1.5, SPDX 2.3, STIX 2.1

One click. Three industry-standard formats. Every host in your fleet.

  • CycloneDX 1.5 — the OWASP SBOM standard, one of the SBOM formats named in the NTIA minimum-elements guidance that followed U.S. Executive Order 14028, and a commonly used machine-readable format in the sense the EU Cyber Resilience Act requires
  • SPDX 2.3 — the Linux Foundation standard; its 2.2.1 revision is ratified as ISO/IEC 5962:2021
  • STIX 2.1 bundle — the OASIS threat-intelligence exchange format, a companion to the SBOM rather than an SBOM format itself, for handoff to a SOC or sector ISAC

Why it matters: the EU Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on 10 December 2024. Its vulnerability-reporting obligations apply from 11 September 2026, and the remaining obligations, including the essential requirement to draw up an SBOM in a commonly used, machine-readable format covering at least a product's top-level dependencies, apply from 11 December 2027. It binds manufacturers placing products with digital elements on the EU market, and the fines for breaching the essential requirements are substantial: up to €15 million or 2.5% of worldwide annual turnover, whichever is higher.

Tenable, Qualys and Rapid7 sell SBOM export as a paid add-on inside larger enterprise bundles. Wiz only supports it in the cloud. SentriKat includes it on every paid plan, in all three formats, from the same endpoint your dashboard already uses.

Compliance reports — now five frameworks, all integrity-tagged

SentriKat has had NIS2 and CISA BOD 22-01 reports since launch. Sprint 5 adds three more frameworks that unlock enterprise sales conversations:

  • PCI-DSS v4.0 — Requirements 6.3 (identify and address vulnerabilities) and 11.3 (vulnerability scanning)
  • ISO/IEC 27001:2022 — Annex A.8.8 (management of technical vulnerabilities), A.8.16 (monitoring activities) and A.5.24 (incident management planning)
  • SOC 2 — CC6.6 (logical access), CC7.1 (monitoring), CC7.2 (anomalies) and CC7.4 (incident response)

Every report is exported as JSON or PDF with a PASS / PARTIAL / FAIL verdict on every individual control, plus an HMAC-SHA256 integrity block. Whoever holds the verification key recomputes the tag over the report body; if the report was modified after generation, by as little as one byte, the tags no longer match and verification fails. The caveat a SOC 2 auditor or a PCI QSA will raise: an HMAC is a shared-secret construction, so it shows that the report has not changed since it was tagged by a key holder, not which party produced it. That is exactly what tamper evidence needs; for non-repudiation towards a third party a public-key signature would be required instead.
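To make the tamper-evidence property concrete, here is an added example (not SentriKat's code, and not its real export schema) that seals a small compliance report with an HMAC-SHA256 integrity block and verifies it. The report field names, the `integrity` block layout and the demo key are assumptions for illustration; what the example shows is the part that matters to an auditor: the body is canonicalised before tagging, so re-indenting the JSON does not break verification, while changing a single verdict does, and verification requires the key.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from copy import deepcopy

# Constructed sample report. Field names are an assumption for this example,
# not the product's actual export format.
SAMPLE_REPORT = {
    "framework": "PCI-DSS v4.0",
    "generated_at": "2025-03-01T09:00:00Z",
    "controls": [
        {"id": "6.3", "verdict": "PASS"},
        {"id": "11.3", "verdict": "PARTIAL"},
    ],
}

# Constructed demo key. A real deployment uses a per-tenant secret from a
# key store, never a literal in source.
DEMO_KEY = b"demo-report-hmac-key-not-for-production"


def canonical_bytes(report: dict) -> bytes:
    """Serialise the report body deterministically (sorted keys, no whitespace)
    and without the integrity block, so identical content always tags the same."""
    body = {k: v for k, v in report.items() if k != "integrity"}
    return json.dumps(body, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def seal_report(report: dict, key: bytes) -> dict:
    """Return a copy of the report with an HMAC-SHA256 integrity block attached."""
    sealed = deepcopy(report)
    sealed.pop("integrity", None)
    tag = hmac.new(key, canonical_bytes(sealed), hashlib.sha256).hexdigest()
    sealed["integrity"] = {"alg": "HMAC-SHA256", "tag": tag}
    return sealed


def verify_report(sealed: dict, key: bytes) -> bool:
    """Recompute the tag over the body and compare in constant time.
    Any change to the body after sealing, or a wrong key, yields False."""
    block = sealed.get("integrity") or {}
    if block.get("alg") != "HMAC-SHA256" or not isinstance(block.get("tag"), str):
        return False
    expected = hmac.new(key, canonical_bytes(sealed), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, block["tag"])


def tamper_demo(key: bytes = DEMO_KEY) -> tuple[bool, bool, bool]:
    """Seal the sample, then check three copies: untouched, one verdict flipped,
    and re-serialised with different indentation (same content)."""
    sealed = seal_report(SAMPLE_REPORT, key)
    untouched = verify_report(sealed, key)

    edited = deepcopy(sealed)
    edited["controls"][1]["verdict"] = "PASS"  # PARTIAL quietly upgraded to PASS
    tampered = verify_report(edited, key)

    # Pretty-printed and parsed back: bytes differ, canonical body does not.
    reformatted = verify_report(json.loads(json.dumps(sealed, indent=2)), key)
    return untouched, tampered, reformatted


if __name__ == "__main__":
    print(tamper_demo())
```

The verifying party must hold `DEMO_KEY`, which is the HMAC trade-off stated above: the tag proves integrity since sealing, not origin to someone who never had the key.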

The three new frameworks are available through the Compliance Pack add-on (€199/mo, free during Early Access) on top of any Pro, Business or Enterprise plan.

Remediation workflows — the missing loop

Detecting a vulnerability is only half the job. Sprint 4 closes the other half:

  • Remediation Assignments — a full page with CRUD, filters, pagination, inline status change and a modal for detail/edit. Every open assignment lives in one place.
  • SLA Policies — define your remediation SLAs once; due dates are computed automatically for every new assignment based on severity.
  • Multi-tracker integration — Jira, GitHub Issues, GitLab Issues, YouTrack, and a generic webhook — up to four simultaneous destinations. Pick the tool your developers already use.
  • Risk Exceptions — the “accept-the-risk” workflow auditors ask for. Justification is mandatory, expiry is optional, and every exception is audit-evidence for ISO 27001 and SOC 2.

No more exporting CSVs into Jira by hand. No more arguing about who owns which CVE.

The boring-but-important stuff

A few more things shipped that won’t make marketing copy, but they matter if you run SentriKat at scale:

  • Agent delta scan — the agent computes a SHA-256 hash of the inventory and only sends the full payload if something actually changed. ~90% bandwidth reduction on stable hosts.
  • Gzip compression — with zip-bomb protection (10 MB decompressed / 2 MB compressed limits).
  • Store-and-forward — failed heartbeats spool locally and replay chronologically once the link comes back. Up to 50 files.
  • Patch Tuesday automation — a monthly digest (2nd Wednesday, 09:00 UTC) with the Microsoft CVEs that affect your fleet, delivered straight to the inbox that already gets your daily KEV alerts.
  • Vulnerability trending dashboard — daily snapshots, a Chart.js widget with three views (total / by severity / open vs resolved). Show the board that the curve is going down.
  • Product aliases: openssl, openssl-libs and openssl3 now roll up to a single canonical record. Fewer duplicates, cleaner dashboards.
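The delta-scan and zip-bomb items above are where agent bugs hide, so here is an added example (not SentriKat's agent or server code) of both halves: an agent that hashes a canonical encoding of its package inventory and sends the full payload only when the SHA-256 changes, and a server-side gzip inflater that enforces the 2 MB compressed and 10 MB decompressed limits while streaming, so an oversized payload is rejected before it is fully materialised. The inventory fields, message layout and chunking strategy are assumptions for illustration; the store-and-forward spool is not covered.

```python
from __future__ import annotations

import gzip
import hashlib
import json
import zlib

# Limits quoted in the release notes.
MAX_COMPRESSED = 2 * 1024 * 1024
MAX_DECOMPRESSED = 10 * 1024 * 1024

# Constructed sample inventories; field names are an assumption, not the
# agent's real schema. INVENTORY_B is the same host after one package upgrade.
INVENTORY_A = [
    {"name": "openssl-libs", "version": "3.0.7-27.el9", "arch": "x86_64"},
    {"name": "curl", "version": "7.76.1-29.el9", "arch": "x86_64"},
]
INVENTORY_B = [
    {"name": "openssl-libs", "version": "3.0.7-28.el9", "arch": "x86_64"},
    {"name": "curl", "version": "7.76.1-29.el9", "arch": "x86_64"},
]


def inventory_digest(packages: list[dict]) -> str:
    """SHA-256 over a canonical encoding: packages sorted, keys sorted, no
    whitespace. If enumeration order or spacing leaked into the hash, every
    cycle would look like a change and the bandwidth saving would vanish."""
    canon = sorted(packages, key=lambda p: (p.get("name", ""), p.get("version", ""), p.get("arch", "")))
    data = json.dumps(canon, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def build_heartbeat(packages: list[dict], last_acked: str | None) -> tuple[dict, str]:
    """Return (message, digest). The full inventory goes on the wire only when
    its digest differs from the one the server last acknowledged."""
    digest = inventory_digest(packages)
    if digest == last_acked:
        return {"type": "heartbeat", "inventory_sha256": digest}, digest
    return {"type": "full", "inventory_sha256": digest, "packages": packages}, digest


def compress_payload(message: dict) -> bytes:
    return gzip.compress(json.dumps(message, separators=(",", ":")).encode("utf-8"))


def decompress_bounded(blob: bytes) -> bytes:
    """Inflate a gzip body with both limits enforced. max_length caps each call's
    output, so the loop can bail out the moment the limit is exceeded."""
    if len(blob) > MAX_COMPRESSED:
        raise ValueError("compressed payload exceeds limit")
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = bytearray()
    pending = blob
    while pending:
        # Request at most one byte past the limit; reaching it is the signal.
        out += d.decompress(pending, MAX_DECOMPRESSED + 1 - len(out))
        if len(out) > MAX_DECOMPRESSED:
            raise ValueError("decompressed payload exceeds limit")
        pending = d.unconsumed_tail
    out += d.flush()
    if len(out) > MAX_DECOMPRESSED or not d.eof:
        raise ValueError("decompressed payload exceeds limit or stream is truncated")
    return bytes(out)


def delta_demo() -> list[str]:
    """Three agent cycles: initial, unchanged (enumerated in a different order),
    then a package upgrade. Each message round-trips through the bounded inflater."""
    sent, last = [], None
    for inv in (INVENTORY_A, list(reversed(INVENTORY_A)), INVENTORY_B):
        msg, last = build_heartbeat(inv, last)
        restored = json.loads(decompress_bounded(compress_payload(msg)))
        sent.append(restored["type"])
    return sent


def zip_bomb_rejected() -> bool:
    """A few kilobytes of gzip that inflate to one byte over the limit must be
    refused by the decompressed-size check, since the compressed check passes."""
    bomb = gzip.compress(b"\0" * (MAX_DECOMPRESSED + 1))
    try:
        decompress_bounded(bomb)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(delta_demo(), zip_bomb_rejected())
```

Two details worth keeping: `max_length=0` means "no limit" to `zlib`, so the loop only ever passes a positive cap, and `d.eof` catches a stream cut off before its gzip trailer, which a naive `gzip.decompress` would report as an error only after inflating everything.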

All of this runs on the same self-hosted stack, same auditable script agents, same EU data sovereignty. Nothing moved to the cloud, nothing turned into a paid add-on (except the Compliance Pack, where the business case is explicit).

Early Access is still free

Every feature in this release is free during the Early Access program — including the Compliance Pack. New prices kick in only after Early Access ends, and existing subscribers are grandfathered at their original price forever.

If you were waiting for SBOM, PCI-DSS or SOC 2 reports before putting SentriKat in front of your auditors, the wait is over. Join Early Access or read the changelog for the full list.
