
NetRise unveils Provenance at RSAC 2026, bringing contributor-level visibility to open source to track trust, identity, and the spread of compromised code across systems.
NetRise has launched NetRise Provenance at RSAC 2026, introducing a new layer of visibility into open source software supply chains by mapping not just code, but the people and organisations behind it.
The platform moves beyond traditional tools that focus on components and vulnerabilities, instead identifying individual contributors, their affiliated organisations, and geographic locations, while tracing how far compromised code propagates across enterprise systems.
Built on its binary analysis platform, Provenance extends the Software Bill of Materials (SBOM) with trust and provenance data, enabling visibility even into compiled binaries where source-based tools typically fall short.
This approach addresses a growing industry concern: open source risk is increasingly driven by trust rather than just technical flaws. Attackers often gain credibility within communities, become maintainers, and introduce malicious code into widely used packages.
“Virtually every major software supply chain story in recent years has been a trust problem as much as a vulnerability problem,” said Thomas Pace, Co-founder and CEO, NetRise. “Bad actors gain the confidence of a community… NetRise Provenance replaces that guesswork with a clear view of the extent to which that contributor’s code reaches.”
“The hard problem isn’t finding the compromise, it’s answering ‘where else does this person’s code end up… in minutes instead of weeks,” added Michael Scott, Co-founder and CTO, NetRise.
Key features include maintainer attribution with geographic footprint for compliance, blast radius and dependency analysis, automated CI policy enforcement, and trust indicators based on repository activity and advisory history. The solution is available via the NetRise Platform, with API, CLI, and GitHub Actions integrations for direct pipeline enforcement.