Cyber Asset Management
SBOM & data exports
Not everything you need to share is a formatted report. This page covers the two kinds of raw output ThreatWeaver produces: a software bill of materials (SBOM) for an application, and data exports — findings and asset inventory downloaded as spreadsheets or machine-readable files.
What it's for
- See what's inside an app — the components discovered during an application assessment, and which ones have known advisories.
- Hand the SBOM to a standard tool — export it as JSON, CSV, or CycloneDX.
- Pull the raw data — export assets, vulnerabilities, and inventory datasets for your own spreadsheets and pipelines.
Software bill of materials
A software bill of materials is the component inventory found inside an application. It lives on an individual assessment in AppSec: open an assessment and go to its Software Bill of Materials tab.
A Generated at {timestamp} line above the table shows when the SBOM was last
built.
Summary cards
Four cards summarize the inventory:
| Card | What it counts |
|---|---|
| Total Components | Every component discovered in the assessment. |
| Vulnerable | Components whose detected version has known advisories. |
| Clean | Components whose detected version had no advisories. |
| Unknown | Components with a missing version or where the advisory check couldn't run. |
Advisory status comes from a public vulnerability advisory database (OSV), matched against each component's detected version.
The component inventory
The table lists each component with its version and where it was found. Use the status buttons above the table — All, Vulnerable, No advisories, and Version unknown — to narrow the list.
| Column | What it shows |
|---|---|
| Component | The component name and detected version, its ecosystem, a confidence percentage for the detection, its package URL (purl) when known, and which detection source(s) found it. |
| Status | Whether the detected version is vulnerable, clean, or unknown. |
| Severity | The highest advisory severity affecting the component. |
| Advisories | Each known advisory affecting the component — its CVE ID, severity, a short summary, and, when known, a Fixed in line naming the version(s) that resolve it. |
| Found At | The file paths and source URLs the component was detected in, plus a Linked findings count when the component ties back to specific findings. |
Exporting the SBOM
Three export buttons sit at the top of the tab. Each downloads the full component inventory:
| Button | What it produces |
|---|---|
| Export JSON | A machine-readable JSON file. |
| Export CSV | A spreadsheet-friendly CSV file. |
| Export CycloneDX | A standards-based CycloneDX SBOM file for use in other tools. |
Data exports
Data exports give you the underlying rows — assets, vulnerabilities, and other datasets — as files rather than formatted reports.
Exports from findings and asset pages
You can start an export from the Vulnerabilities and Cyber Asset Management pages. Each export runs in the background and, when ready, appears in the Reports → Results list under the Exports type, where you can download it. See Generating reports for how Results works.
Cyber Asset Management dataset exports
Cyber Asset Management has its own Reports hub with a set of ready-made Excel dataset exports over your unified asset inventory.
The available datasets include:
| Dataset | What it contains |
|---|---|
| Asset inventory | Every asset with identity, operating system, ownership, and per-source columns. |
| Coverage gaps | Expected endpoints missing one or more required agents. |
| Source diff | Assets seen by one source but not another, for any two connected sources. |
| Policy compliance | The latest coverage-policy result for every asset in scope. |
| Reconciliation | Pending reviews, identity conflicts, and applied merges. |
| Source health | Connected sources with their sync schedule, last run status, and errors. |
| Coverage trend | Coverage numbers over time, one row per captured snapshot. |
| Coverage point-in-time | The exact assets in a past coverage snapshot. |
Each dataset row offers:
| Control | What it does |
|---|---|
| Format | Chooses the output format — XLSX, CSV, or JSON. |
| Generate | Starts the export now; it appears on the hub's Results tab when ready. |
| Schedule | Sets the export up to run and deliver on a repeating cadence. |
| Open builder… | (Point-in-time and other datasets that need a choice.) Opens a builder to pick a snapshot or options before exporting. |
Source diff shows two source pickers — Source A and Source B — inline on its row; pick two different sources before generating. Picking the same source for both shows the validation message Pick two different sources to compare.
Use the toolbar's Search, category chips (All / Excel / PDF / Evidence), and Refresh to find a dataset, and the Results tab to download finished files.
Common workflows
Workflow: export a CycloneDX SBOM for an app
-
Open the application's assessment in AppSec and go to its Software Bill of Materials tab.
Step 1 — the SBOM tab for an assessment -
Review the summary cards and, if you like, filter the table to Vulnerable components.
Step 2 — the component inventory filtered to vulnerable components -
Click Export CycloneDX. The SBOM downloads to your device.
Workflow: export the asset inventory as a spreadsheet
- Open Reports in Cyber Asset Management and stay on the Templates tab.
- Find the Asset inventory dataset, set its Format to XLSX, and click Generate.
- Switch to the Results tab and download the file once it finishes.