OX Security
Category: ASPM
License: Commercial
Suphi Cankurt
+8 Years in AppSec
Updated April 30, 2026
6 min read
Key Takeaways
  • OX Security is an Active ASPM platform that monitors CI/CD pipelines in real time and blocks risky deployments, reporting up to 97% reduction in security debt.
  • Pipeline Bill of Materials (PBOM) extends traditional SBOM by capturing build configs, artifact signatures, deployment targets, and developer identities for full provenance.
  • Co-created the OSC&R framework with security experts from Google, Microsoft, and GitLab: an ATT&CK-like model for software supply chain threats.
  • Maps findings to EU Cyber Resilience Act, CISA SSDF, NIST 800-53, SOC 2, and FedRAMP with no-code workflow automation for policy enforcement.

OX Security introduced Active ASPM, moving past passive aggregation to autonomous posture management. VibeSec, their AI-driven security agent, continuously enforces security policies within CI/CD pipelines.

Their Pipeline Bill of Materials (PBOM) tracks full software lineage from code to deployment.

[Image: OX Security pipeline bill of materials showing software delivery chain visibility]

The company also created the OSC&R framework in collaboration with security experts from Google, Microsoft, and GitLab: an ATT&CK-like model for describing software supply chain threats.

What is OX Security?

Most ASPM platforms collect vulnerabilities and display them. OX Security goes further by actively monitoring the development pipeline and blocking risky deployments before they reach production.

Active ASPM
Real-time pipeline monitoring, automatic policy enforcement, and deployment blocking. Prevents vulnerabilities from reaching production rather than just tracking them after the fact.
PBOM
Pipeline Bill of Materials captures the entire build process: source components, pipeline configs, CI/CD tool versions, artifact signatures, deployment targets, and developer identities. Goes well beyond standard SBOM.
VibeSec AI
Analyzes code patterns for vulnerability context, assesses exploitability based on architecture, correlates findings across tools, and generates remediation guidance tailored to your codebase.

OX Security reports up to 97% reduction in security debt for organizations using the platform.

What are OX Security’s key features?

Active ASPM

The “active” part distinguishes OX Security from most competitors:

| Action | How it works |
|---|---|
| Real-time monitoring | Watches pipeline activity and detects policy violations as they occur |
| Deployment blocking | Prevents risky builds from reaching production based on configurable policies |
| Automated remediation | Triggers fix workflows and routes findings to the right teams |
| Anomaly detection | Alerts on unusual pipeline behavior that could indicate compromise |

Active vs. passive ASPM
Traditional ASPM platforms ingest findings and present dashboards. Active ASPM intercepts the pipeline and takes action: blocking a deployment that fails policy, triggering a scan when a high-risk change is detected, or routing a finding to the right team automatically.

Pipeline Bill of Materials

PBOM captures the full software delivery chain:

| What PBOM records | Why it matters |
|---|---|
| Source code components and dependencies | Standard SBOM coverage |
| Build pipeline configurations | Detect pipeline injection risks |
| CI/CD tool versions and plugins | Track build environment integrity |
| Artifact signatures and checksums | Verify artifact provenance |
| Deployment targets and configurations | Map what runs where |
| Developer and approver identities | Audit trail for compliance |

This record supports incident investigation, compliance evidence, and supply chain attack detection.
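As an added illustration of the deployment-blocking and PBOM ideas above (example code written for this page, not OX Security's software and not its actual PBOM schema): a constructed PBOM-style record for one build, with the same field groups as the table, and a policy gate that refuses the deployment when the artifact checksum, signer, approver identity or dependency pinning fails. Every key name, identity and value is hypothetical.

```python
import hashlib

# Constructed sample artifact bytes (not a real build output).
ARTIFACT = b"payments-service build 1.4.2 (constructed sample bytes)"
# Policy inputs: trusted signing keys and who may approve production deploys (hypothetical).
TRUSTED_SIGNERS = {"ci-signing-key"}
PROD_APPROVERS = {"lead@example.com", "seclead@example.com"}


def make_record(artifact=ARTIFACT, approver="lead@example.com", signed_by="ci-signing-key"):
    """Build a PBOM-style record mirroring the table above (invented shape, not OX's schema)."""
    return {
        "source": {"commit": "a1b2c3d", "dependencies": ["requests==2.31.0", "pyyaml==6.0.1"]},
        "pipeline": {"tool": "GitHub Actions", "config_sha256": "c0ffee"},
        "artifact": {"name": "payments-service:1.4.2", "signed_by": signed_by,
                     "sha256": hashlib.sha256(artifact).hexdigest()},
        "deployment": {"target": "prod-eu-west", "environment": "production"},
        "identities": {"author": "dev@example.com", "approver": approver},
    }


def gate(record, artifact_bytes):
    """Evaluate a deployment against its record; returns (allowed, reasons).

    Any reason blocks the deployment; an empty list means the gate passes.
    """
    reasons = []
    # Provenance: the bytes about to deploy must be the artifact the pipeline recorded.
    if hashlib.sha256(artifact_bytes).hexdigest() != record["artifact"]["sha256"]:
        reasons.append("artifact checksum does not match PBOM record")
    # Signing: only artifacts signed by a trusted key may ship.
    if record["artifact"].get("signed_by") not in TRUSTED_SIGNERS:
        reasons.append("artifact not signed by a trusted key")
    # Identity: separation of duties and production approval rights.
    ids = record["identities"]
    if ids["approver"] == ids["author"]:
        reasons.append("author approved their own change")
    if record["deployment"]["environment"] == "production" and ids["approver"] not in PROD_APPROVERS:
        reasons.append("approver is not authorised for production")
    # Dependencies: unpinned versions make the recorded build non-reproducible.
    unpinned = [d for d in record["source"]["dependencies"] if "==" not in d]
    if unpinned:
        reasons.append(f"unpinned dependencies: {unpinned}")
    return (not reasons, reasons)
```

Calling `gate(make_record(), ARTIFACT)` passes, while the same record checked against tampered bytes, a self-approved change, or an untrusted signer is blocked with the matching reason.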

[Image: OX Security connectors showing integration options across the SDLC]

No-code workflows

OX Security has a visual workflow builder for security automation:

| Feature | Description |
|---|---|
| Drag-and-drop policies | Create security rules without writing code |
| Conditional logic | Build complex decision trees for different scenarios |
| Integration actions | Trigger Jira tickets, Slack alerts, or custom webhooks |
| Approval gates | Require manual sign-off for sensitive operations |
| Audit trails | Full history of every workflow execution and outcome |

OSC&R framework

The Open Software Supply Chain Attack Reference provides a structured taxonomy for supply chain threats:

| Category | Examples |
|---|---|
| Compromise vectors | Source code, build systems, dependencies |
| Attack techniques | Typosquatting, dependency confusion, pipeline injection |
| Detection strategies | Behavioral analysis, integrity checking, provenance verification |
| Mitigation controls | Code signing, pipeline hardening, dependency pinning |

Security teams use OSC&R to assess their defenses against known attack patterns.

Compliance support

OX Security maps findings and controls to major frameworks:

| Framework | Coverage |
|---|---|
| EU Cyber Resilience Act | SBOM/PBOM generation, vulnerability tracking |
| CISA SSDF | Secure development lifecycle evidence |
| NIST 800-53 | Security control documentation |
| SOC 2 | Security monitoring and incident response |
| FedRAMP | Continuous monitoring requirements |

[Image: OX Security reporting dashboard with security posture overview]

How much does OX Security cost?

OX Security does not publish list pricing on ox.security; every commercial tier sits behind a “request a demo” or “contact sales” form, which is the standard pattern for enterprise ASPM. Plan on a custom annual contract sized by repository count, pipeline count, and connected cloud accounts.

The platform is sold as an enterprise SaaS SKU; smaller-team or Pro-level options are not surfaced publicly on ox.security/pricing at the time of this update. Standard enterprise tier features (SSO, role-based access control, audit trails, SOC 2) are included rather than sold as add-ons. Verify tier shape and any per-pipeline or per-repo dimension with the vendor at evaluation.

OX Security vs alternatives

If OX Security does not fit your stack, four ASPM platforms cover overlapping ground.

  • Legit Security: The closest direct competitor; Legit publishes its own Legit vs OX Security comparison page. Legit leans into AI-developed-code guardrails (VibeGuard) and enterprise-SDLC mapping; OX leans into Active ASPM with deployment blocking and PBOM-style supply chain provenance.
  • Apiiro: Better fit if you want a Gartner ASPM Magic Quadrant Leader with a Risk Graph, AutoFix Agent, and AI-prompt guardrails. Apiiro is more mature on prioritization than OX and lighter on pipeline-blocking enforcement.
  • Cycode: Better fit if you want native scanning (SAST/SCA/secrets/container) plus ASPM correlation in one platform. Cycode’s supply chain depth (CI/CD security, source code leakage detection) overlaps with OX’s PBOM angle.
  • Phoenix Security: Better fit if you want ACPM (Application and Cloud Posture Management) framing with strong reachability analysis and explicit risk-based budgeting rather than deployment blocking.

For a wider sweep, the ASPM hub lists every active platform alongside OX.

OX Security funding and history

OX Security was founded in 2021 in Tel Aviv by Neatsun Ziv and Lior Arzi. In May 2025, the company raised a $60 million Series B led by DTCP, bringing total funding to roughly $94 million across rounds. Customers cited at the time of the Series B announcement included a mix of Fortune 500 and SaaS companies. The OSC&R framework (Open Software Supply Chain Attack Reference) was published in collaboration with Google, Microsoft, and GitLab security teams and remains an active open-source project at oscar.io.

OX Security FAQ

What is PBOM? Pipeline Bill of Materials: OX Security’s extension of the standard SBOM concept to the build pipeline itself. PBOM records source components, pipeline configurations, CI/CD tool versions, artifact signatures, deployment targets, and developer/approver identities. SBOM tells you what is in the artifact; PBOM tells you how the artifact got built.

What is the OSC&R framework? Open Software Supply Chain Attack Reference: an ATT&CK-style structured taxonomy for software supply chain threats. OX Security helped create OSC&R in collaboration with Google, Microsoft, and GitLab to give security teams a shared vocabulary for compromise vectors, attack techniques, detection strategies, and mitigation controls.

When was OX Security founded? 2021, in Tel Aviv, by Neatsun Ziv and Lior Arzi.

Who is the CEO of OX Security? Neatsun Ziv, who co-founded the company.

What does “Active ASPM” mean? Active ASPM monitors pipeline activity in real time and takes action: blocking risky deployments based on policy, triggering scans on high-risk changes, and routing findings to the right teams automatically. Traditional (passive) ASPM aggregates findings into a dashboard but does not enforce gates.

What does OX Security integrate with?

Source code management
  • GitHub
  • GitLab
  • Bitbucket
  • Azure Repos

CI/CD pipelines
  • GitHub Actions
  • GitLab CI
  • Jenkins
  • CircleCI
  • Azure Pipelines

Cloud and infrastructure
  • AWS
  • Azure
  • GCP
  • Kubernetes
  • Terraform

How do I get started with OX Security?

  1. Connect your SCM and CI/CD: Link GitHub, GitLab, Bitbucket, or Azure DevOps. OX Security begins monitoring pipeline activity immediately.
  2. Define security policies: Use the no-code workflow builder to create policies. Set conditions for blocking deployments, triggering scans, or routing findings.
  3. PBOM generation starts: OX Security automatically records the full software delivery chain for every build, creating an auditable artifact history.
  4. Enforce and remediate: Active ASPM blocks non-compliant deployments. VibeSec AI prioritizes findings and Agent OX generates fix suggestions.

When to use OX Security

OX Security makes sense when passive ASPM isn’t enough.

If vulnerabilities keep reaching production despite detection, if you need supply chain visibility beyond standard SBOM, or if compliance mandates (EU CRA, CISA guidelines) require build provenance, OX Security’s active approach fills those gaps.

Best for
Organizations that need active pipeline enforcement, software supply chain provenance (PBOM), and compliance mapping for EU CRA, CISA SSDF, or FedRAMP.

If you mainly need vulnerability aggregation without pipeline enforcement, ArmorCode or DefectDojo are simpler options.

If you want built-in scanning rather than pipeline governance, Aikido or Jit take that approach.

Frequently Asked Questions

What is OX Security?
OX Security is an Active ASPM platform that goes beyond passive vulnerability aggregation. It monitors CI/CD pipelines in real time, enforces security policies automatically, and blocks risky deployments before they reach production. The platform reports up to 97% reduction in security debt.
What is Pipeline Bill of Materials (PBOM)?
PBOM extends traditional SBOM by capturing not just software components but the entire build process: pipeline configurations, build parameters, artifact signatures, deployment targets, and developer identities. This provides full artifact provenance from code to production.
What is VibeSec?
VibeSec is OX Security’s AI engine that analyzes code patterns for vulnerability context, assesses exploitability based on application architecture, correlates findings across tools, and generates remediation guidance specific to your codebase.
What is the OSC&R framework?
OSC&R (Open Software Supply Chain Attack Reference) is an ATT&CK-like framework developed by OX Security with security experts from Google, Microsoft, and GitLab. It provides a structured taxonomy for software supply chain threats, including compromise vectors, attack techniques, and detection strategies.
Does OX Security support compliance?
Yes. OX Security maps findings to EU Cyber Resilience Act, CISA SSDF, NIST 800-53, SOC 2, and FedRAMP. PBOM generation and vulnerability tracking support compliance evidence requirements across these frameworks.