v0.1.0 Alpha — Active Development
ORBIS
OT RISK & SBOM INTELLIGENCE SYSTEM

Your SBOM scanner sees a CVSS 9.8.
ORBIS asks: is it in a Safety Instrumented System?

AI-powered risk triage built for the reality of OT/ICS — where physical consequences change everything.

Hero graphic (not captured as text): the ORBIS score engine fed by NVD, EPSS and KEV; IEC 62443 · CVSS v3.1/v4 · CycloneDX · SPDX · AI Triage.
Animated counters (values not captured): CVE Sources · SBOM Formats · OT Zone Tiers · Frameworks Mapped.

01 Live Demo

Watch ORBIS Think In Real Time

A real scan against a CycloneDX SBOM. No hand-waving — every score is explainable.

Embedded terminal recording (orbis, zsh, 120×42): not captured as text.

02 Scoring Engine

Not Just CVSS. Context-Aware Risk.

Five weighted signals fused into one decisive number. The OT zone factor is what no other tool computes.

CVSS × 35% (Base Severity) + EPSS × 25% (Exploit Probability) + KEV +30 pts (Known Exploited) + OT zone weight (IEC 62443) = ORBIS Risk Score, 0 – 100

Weight Breakdown

CVSS: 35%
EPSS: 25%
CISA KEV: +30 pts
OT Zone: up to ×7
Reachable?: −15

Risk Tiers

90–100 Critical · Halt release · patch within 24 h
65–89 High · Patch within current sprint
35–64 Medium · Next quarterly cycle
0–34 Low · Accept & document

03 Risk Intelligence

Data That Drives Decisions

Not a list of CVEs. A prioritised action queue with context your team can act on immediately.

Charts (not captured as text): Typical SBOM Scan Distribution (demo data) · ORBIS vs CVSS, OT zone impact for the same CVE · EPSS Exploit Probability vs ORBIS Score, sample portfolio (scatter).

04 Framework Alignment

Built On What Industry Trusts

ORBIS doesn't reinvent risk — it operationalises five established frameworks into a single workflow.

IEC 62443 — Industrial Cybersecurity
The zone/conduit model maps directly to ORBIS OT zone weighting. Security Level targets (SL-T) define acceptable residual risk thresholds per component. ORBIS is the first open tool to operationalise this in SBOM scanning.
Tags: Zone/Conduit · SL-T Mapping · OT-Native

NIST CSF 2.0 — Cybersecurity Framework
ORBIS outputs map to Identify (asset inventory via SBOM), Protect (risk prioritisation), Respond (triage queue) and Recover (remediation actions). Ready for CSF compliance reporting.
Tags: Identify · Protect · Respond

CISA Known Exploited Vulnerabilities
Every CVE is cross-referenced against the CISA KEV catalogue in real time. A KEV flag adds 30 points to the ORBIS score and triggers immediate triage escalation, including ransomware campaign tagging.
Tags: Active Exploit · Ransomware Tag · Daily Sync

FIRST EPSS — Exploit Prediction Scoring
EPSS v3 probability scores are fetched daily from FIRST.org and weighted at 25% of the ORBIS composite score. Critically, high EPSS with low CVSS, a common blind spot, is correctly surfaced.
Tags: Probability-Based · ML-Driven · Daily Feed

CVSS v3.1 / v4.0 — Common Vulnerability Scoring
Base scores come from the NVD 2.0 API, with CVSS v4.0 support. Rather than using CVSS as the sole signal (the industry's biggest mistake), ORBIS treats it as one of five inputs, correctly reflecting its intended use.
Tags: v3.1 + v4.0 · NVD 2.0 API · Contextualised
Framework Coverage Comparison (table; cell values not captured): ORBIS vs Grype/Trivy vs Manual Review.

05 OT Zone Model

The Layer That Changes Everything

IEC 62443 zone classification multiplies ORBIS scores — because physical context is everything in OT security.

Zone tiers, highest physical consequence first (multiplier shown only where captured):
SAFETY: Safety Instrumented Systems
CONTROL: PLCs / DCS
SUPERVISORY: SCADA / HMI (3.5×)
DMZ: ICS DMZ
ENTERPRISE
↑ PHYSICAL CONSEQUENCE INCREASES ↑
Same CVE. Different Reality.

A CVSS 7.0 in a Safety Instrumented System controlling a gas turbine is a stop-the-line emergency. The same CVE in an enterprise email server is a patch-next-sprint issue.

Every existing open-source SBOM tool treats these identically. ORBIS doesn't. The IEC 62443 zone weight multiplies the base score by up to — ensuring your team's attention goes where the physical risk actually lives.
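As an added example (not ORBIS's own code, whose repository is not yet published), the following Python reconstructs the composite score described in the Scoring Engine section and applies the zone multiplier described in this section, so the "same CVE, different zone" comparison above can be run on constructed inputs. It uses only the numbers the page states (35% CVSS, 25% EPSS, +30 pts KEV, −15 reachability, 3.5× Supervisory, a ceiling of ×7, and the four tier cut-offs). Everything else is an assumption and is marked as such: CVSS (0–10) and EPSS (0–1) are rescaled to 0–100 before weighting, the reachability penalty is applied before the zone multiplier, the result is clamped to 0–100, and the multipliers for Enterprise, DMZ and Control are placeholders. The `ScoreBreakdown`, `orbis_score` and `risk_tier` names are mine.

```python
"""Illustrative reconstruction of the ORBIS composite score described on the page.

Added example code, not the ORBIS project's implementation. Weights and tier
cut-offs are the ones the page states; anything marked ASSUMED is a placeholder
chosen so the example runs end to end.
"""
from dataclasses import dataclass

# Weights stated on the page.
CVSS_WEIGHT = 0.35            # "CVSS × 35%"
EPSS_WEIGHT = 0.25            # "EPSS × 25%"
KEV_BONUS = 30.0              # "KEV +30 pts"
UNREACHABLE_PENALTY = 15.0    # "Reachable? −15"

# IEC 62443 zone multipliers. Only Supervisory (3.5×) and the ceiling
# ("up to ×7") appear on the page; the other values are ASSUMED placeholders,
# ordered so the multiplier rises with physical consequence.
ZONE_MULTIPLIER = {
    "enterprise": 1.0,    # ASSUMED
    "dmz": 1.5,           # ASSUMED
    "supervisory": 3.5,   # stated on the page
    "control": 5.0,       # ASSUMED
    "safety": 7.0,        # page ceiling, "up to ×7"
}


@dataclass(frozen=True)
class ScoreBreakdown:
    """Every component is kept so the final number can be explained."""
    cvss_component: float
    epss_component: float
    kev_component: float
    reachability_adjustment: float
    zone: str
    zone_multiplier: float
    score: float

    def rationale(self) -> str:
        pre_zone = max(self.cvss_component + self.epss_component
                       + self.kev_component + self.reachability_adjustment, 0.0)
        return (f"CVSS {self.cvss_component:.2f} + EPSS {self.epss_component:.2f}"
                f" + KEV {self.kev_component:.0f} {self.reachability_adjustment:+.0f} (reachability)"
                f" = {pre_zone:.2f}, x{self.zone_multiplier} for {self.zone} zone"
                f" -> {self.score:.2f} (clamped to 0-100)")


def orbis_score(cvss: float, epss: float, in_kev: bool, zone: str,
                reachable: bool = True) -> ScoreBreakdown:
    """Fuse the five signals into one 0-100 score.

    ASSUMED: CVSS (0-10) and EPSS (0-1) are rescaled to 0-100 before weighting,
    the reachability penalty applies before the zone multiplier, and the result
    is clamped to the 0-100 range the page shows.
    """
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    if not 0.0 <= epss <= 1.0:
        raise ValueError(f"EPSS probability out of range: {epss}")
    try:
        multiplier = ZONE_MULTIPLIER[zone.lower()]
    except KeyError:
        raise ValueError(f"unknown IEC 62443 zone: {zone!r}") from None

    cvss_part = cvss * 10.0 * CVSS_WEIGHT        # at most 35
    epss_part = epss * 100.0 * EPSS_WEIGHT       # at most 25
    kev_part = KEV_BONUS if in_kev else 0.0      # 0 or 30
    reach_adj = 0.0 if reachable else -UNREACHABLE_PENALTY

    base = max(cvss_part + epss_part + kev_part + reach_adj, 0.0)
    score = min(base * multiplier, 100.0)
    return ScoreBreakdown(cvss_part, epss_part, kev_part, reach_adj,
                          zone.lower(), multiplier, score)


def risk_tier(score: float) -> tuple[str, str]:
    """Map a score to the page's tiers and actions.

    ASSUMED: a fractional score belongs to the highest band whose lower
    cut-off it has reached (89.9 is High, 90.0 is Critical).
    """
    if score >= 90:
        return ("Critical", "Halt release · patch within 24 h")
    if score >= 65:
        return ("High", "Patch within current sprint")
    if score >= 35:
        return ("Medium", "Next quarterly cycle")
    return ("Low", "Accept & document")


if __name__ == "__main__":
    # Constructed sample: the page's "same CVE, different reality" case, a
    # CVSS 7.0 with a modest EPSS and no KEV entry, placed in each zone.
    for zone in ("enterprise", "dmz", "supervisory", "control", "safety"):
        breakdown = orbis_score(7.0, 0.05, in_kev=False, zone=zone)
        tier, action = risk_tier(breakdown.score)
        print(f"{zone:<12} {breakdown.score:6.2f} {tier:<8} {action}")
        print("    ", breakdown.rationale())
```

Running the block prints the same CVSS 7.0 finding as Low in the Enterprise zone and Critical in the Supervisory zone and above, which is the comparison the section makes; the `rationale()` string is what makes each number explainable, and a KEV-listed CVSS 9.8 stays below Critical in the Enterprise zone because, under these assumptions, the additive part tops out at 90 before the zone multiplier is applied.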

Max zone multiplier (Safety): value not captured
IEC 62443 zone tiers mapped: 5
Explainable (every score has a rationale): 100%
Other open tools that do this: 0

Early Access

ORBIS IS COMING

Be the first to know when v0.1.0 drops publicly. No spam — one email when it's ready.

GitHub repository — coming soon · Apache 2.0 license