Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
ComplianceHBOM

Software runs on hardware. Know what hardware runs your software.

A Hardware Bill of Materials inventories every physical component your software depends on — CPUs, chipsets, firmware, and embedded controllers. Critical for supply chain risk in IoT, embedded, and critical infrastructure.

Hardware Component Inventory
2 vulnerable
Intel Xeon E5-2690 v4CPU
Intel · FW: Microcode 0x2d
Spectre v2
Samsung PM9A1 NVMeStorage
Samsung · FW: GXA7401Q
Clean
Mellanox ConnectX-5Network
NVIDIA · FW: 16.35.1012
Clean
AMI MegaRAC BMCBMC
AMI · FW: 2.00.00
CVE-2023-34329
Infineon SLB 9670TPM
Infineon · FW: 7.85.0
Clean
HARDWARE COMPONENT INVENTORY

CPUs, chipsets, firmware. Every physical layer inventoried.

Identifies every processor, chipset, and storage controller your software runs on — manufacturer, model, stepping, microcode version — across cloud instances, bare metal, and embedded devices.

CPU/chipset model and stepping across all environments
NVMe/storage controller firmware versions tracked
Network card firmware and driver versions recorded
Continuous re-inventory when hardware changes
O3 · Hardware Inventory
2 vulnerable
Intel Xeon E5-2690 v4CPU
Intel · FW: Microcode 0x2d
Spectre v2
Samsung PM9A1 NVMeStorage
Samsung · FW: GXA7401Q
Clean
Mellanox ConnectX-5Network
NVIDIA · FW: 16.35.1012
Clean
AMI MegaRAC BMCBMC
AMI · FW: 2.00.00
CVE-2023-34329
Infineon SLB 9670TPM
Infineon · FW: 7.85.0
Clean
FIRMWARE VULNERABILITY CORRELATION

Spectre. Meltdown. Rowhammer. Found below the OS.

Correlates your hardware inventory against known hardware CVEs — Spectre variants, Meltdown, Rowhammer, CPU microarchitectural side channels, and BMC firmware CVEs that software-only scanners completely miss.

Spectre/Meltdown variant correlation per CPU model
BMC firmware CVE correlation (IPMI vulnerabilities)
GPU driver and firmware CVE matching
Microcode version vs. patch status tracked
O3 · Hardware CVE Correlation
8 CVEs found
CVE-2017-5715Spectre v2
Intel Xeon E5-2690 v4
Patch: microcode update required
Critical
CVE-2023-34329AMI MegaRAC BMC
Authentication bypass · CVSS 9.1
Critical
CVE-2018-3615L1TF/Foreshadow
Intel Xeon
Patch: available
High
CVE-2022-0001LFENCE/JMP
Intel Xeon
Patch: kernel flag needed
High
Microcode update for Spectre v2 reduces performance by ~8% — trade-off documented.
EMBEDDED CONTROLLER MAPPING

BMCs, PLCs, ECUs. The hardware no one inventories.

Maps embedded controllers including BMCs, ECUs, PLCs, and microcontrollers — the hardware components most frequently overlooked in software-centric security programs and most frequently targeted by nation-state attackers.

Baseboard Management Controllers (BMCs) identified and tracked
Industrial PLCs with firmware version and CVE status
ECUs and microcontrollers in IoT and embedded fleets
Out-of-band management interfaces (IPMI) inventoried
O3 · IEC 62443 Embedded Controllers
2 CVEs
47
Hardware components
23
Firmware versions
8
Known CVEs
5
Patch available
Siemens S7-1500 PLCFW: V3.0.1 · CVE-2022-38465
Critical
Schneider Modicon M340FW: V3.60 · CVE-2022-45788
High
Rockwell CompactLogix 5380FW: 33.011
Clean
IOT & COMPLIANCE REPORTING

IoT inventory that meets NERC CIP and IEC 62443.

Inventories hardware components in IoT devices — SoCs, wireless chipsets, co-processors — and generates hardware inventory reports formatted for NERC CIP, IEC 62443, and sector-specific mandates.

SoC and wireless chipset inventory for IoT fleets
CVE correlation per IoT hardware component
NERC CIP hardware inventory report generation
IEC 62443 asset register export in required format
O3 · Compliance Report Export
IEC 62443
Hardware Inventory Report — Industrial Control System
Generated
2026-05-27
Scope
Production OT environment
NERC CIP-002-5: Asset identification
Complete
IEC 62443-2-1: Asset management
Complete
NIST SP 800-82: HW inventory
Complete
Formatted for NERC CIP · IEC 62443 · NIST SP 800-82
FAQ

Questions,
answered.

Everything teams ask before rolling this out. Still stuck? Reach our team.

  • A Hardware Bill of Materials (HBOM) is a structured inventory of every physical hardware component that a software system depends on, including CPUs and their microarchitectures, chipsets, firmware (BIOS/UEFI, NIC firmware, storage controller firmware), embedded controllers like BMCs and PLCs, and co-processors. It extends supply chain visibility below the software layer to the hardware that software runs on.
  • IoT and operational technology (OT) systems often run on hardware with firmware that is rarely updated and seldom inventoried. Hardware-level vulnerabilities like Spectre, Meltdown, and BMC vulnerabilities (e.g., CVE-2023-34329 in AMI MegaRAC) are not captured in software SBOMs. Without an HBOM, these attack surfaces are invisible to security teams, a significant blind spot exploited by nation-state actors targeting critical infrastructure.
  • Yes. NERC CIP-002 requires asset identification for bulk electric systems, and IEC 62443 requires component inventories for industrial control systems. An HBOM provides the hardware component inventory required by both standards, including manufacturer, model, firmware version, and known vulnerability status, formatted for compliance reporting.
  • O3 uses multiple discovery methods: SMBIOS/DMI data for server hardware identification, IPMI and Redfish APIs for BMC and out-of-band management components, OS-level hardware enumeration, network device fingerprinting for IoT and OT environments, and integration with asset management platforms. Each discovered component is correlated against CVE databases for known hardware vulnerabilities.
  • Yes. O3 records the installed firmware version for every hardware component it discovers and maintains a continuously updated vulnerability database for hardware firmware. When a new firmware CVE is published for a component in your inventory, O3 surfaces it with the affected version range, the available patched version, and the potential impact to your specific deployment.