When ‘What’s Inside the Software?’ Becomes a Buying Requirement
Cybeats Technologies (CSE: CYBT)
Disclaimer: I own shares of this company at the time of publication. This content is for informational purposes only and is not investment advice. My positions may change at any time without notice. Please do your own research before making investment decisions.
Software runs everything — from your car and phone to the hospital down the street — yet few people know what’s inside it. Beneath many apps lives a patchwork of open-source parts built by strangers, shared across industries, and constantly updated. When one of those parts breaks, the ripple can hit millions of systems overnight. That’s the problem Cybeats is solving: it helps organizations finally see what’s inside their software, understand which pieces are safe or vulnerable, and act before small cracks turn into global security headlines. And with new U.S. and European rules soon requiring this kind of visibility by law, that quiet plumbing layer is about to become a multi-billion-dollar market — one that Cybeats is already wiring itself into.
By the Numbers
Ticker (Exchange): CYBT (CSE)
Reporting currency: CAD
Q2 FY25 revenue: C$745K (+52% y/y)
Post-Q2 financing: C$3.2M Private Placement (closed Aug 7, 2025)
NRR goal (≥120%) / last disclosed (148% FY2024)
Next catalysts: ARR growth, SBOM consumer references, partner adds/expansions
An everyday problem with a simple name
A Software Bill of Materials (SBOM) is the ingredient label for software: a machine-readable list of all the components—open-source libraries, versions, and licenses—inside an app or device. You already live with the analog: think the nutrition label on a cereal box.
Now imagine a flaw discovered in a common login component used by apps everyone touches—your banking app, grocery delivery, airline booking, and smart-TV streaming. Those services don’t share codebases, but they do reuse the same open-source piece for “sign in.” Without SBOMs, teams guess where the vulnerable version lives. With SBOMs, they query inventories in minutes and patch with precision. Triage gets sharper with VEX (Vulnerability Exploitability eXchange)—a compact, machine-readable note that says whether a known bug is exploitable in a specific product/configuration. If the risky feature is disabled or the code path isn’t reachable, teams reduce panic work and focus where it matters.
This is why different parts of the enterprise care. Application Security (AppSec) needs a live component inventory to map new vulnerabilities to exact products and versions. Compliance and procurement must prove to customers and regulators that ingredients and licenses are documented and governed—an increasingly explicit buying prerequisite. Operations teams in Information Technology (IT) and Operational Technology (OT) need SBOM data tied to real assets—devices, servers, applications—so they can answer the only question that counts in a crisis: “What’s affected right now?” And increasingly, SBOM/VEX evidence is being written into contracts and RFPs—not just security runbooks.
Cybeats fits one layer above the tools that generate SBOMs. The platform ingests SBOMs from many sources, normalizes and corrects them, enriches them with context (including VEX), monitors them continuously as software changes, and binds that intelligence to assets through SBOM Consumer so operations can act. Because most enterprises use multiple scanners—and rarely standardize on one—Cybeats’ scanner-agnostic posture is the point: a neutral system of record above whatever generators a company already uses.
A relatable example — the “ingredient label” behind your banking app
Think about the app you use to check your bank balance every morning. It feels like a single product, but under the hood it’s a stack of components stitched together from open-source and third-party parts. That invisible list of ingredients is the Software Bill of Materials (SBOM) — the software equivalent of a nutrition label.
Here’s what a simplified SBOM for a mobile banking app might look like:
Now imagine a vulnerability is discovered in one of those shared ingredients — say, OpenSSL. Without an SBOM, teams must hunt through codebases to guess where the problem lives. With an SBOM, they can query an inventory and patch with precision.
That visibility is why SBOMs are becoming mandatory in regulated industries. They give security, compliance, and operations teams a single source of truth — so when a headline vulnerability hits, they can answer the only question that matters: “What’s affected right now?”
Cybeats operates one layer above the scanners that generate those SBOMs. It ingests them from many tools, normalizes and enriches the data (including VEX context that flags whether a vulnerability is exploitable), and binds that intelligence back to real assets. In a fragmented world of multiple tools and suppliers, this neutrality turns compliance paperwork into operational visibility — exactly where enterprise value starts to form.
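The query-then-triage flow described above, as an added example that is not part of the original post and is not Cybeats' code: it walks constructed CycloneDX-style SBOMs (including a nested dependency), matches a constructed OpenSSL advisory, applies a simplified VEX statement, and maps what remains to assets. Product names, the advisory ID and version range, and the asset names are all invented for illustration.

```python
# Added example over constructed data; not Cybeats' code or any vendor's API.
# CycloneDX-style SBOMs, one per product release (products are invented).
SBOMS = [
    {"metadata": {"component": {"name": "banking-app", "version": "4.2.0"}},
     "components": [
         {"name": "auth-sdk", "version": "2.3.0", "components": [
             {"name": "openssl", "version": "3.1.2"}]},  # nested dependency
         {"name": "sqlite", "version": "3.45.0"}]},
    {"metadata": {"component": {"name": "smart-tv-player", "version": "9.0.1"}},
     "components": [{"name": "openssl", "version": "3.1.3"}]},
    {"metadata": {"component": {"name": "grocery-app", "version": "1.8.0"}},
     "components": [{"name": "openssl", "version": "3.1.5"}]},  # outside range
]
# Constructed advisory with a placeholder ID; affected range is [3.1.0, 3.1.4).
ADVISORY = {"id": "EXAMPLE-VULN-0001", "component": "openssl",
            "introduced": "3.1.0", "fixed": "3.1.4"}
# Simplified VEX statement using CycloneDX analysis state/justification values.
VEX = [{"vulnerability": "EXAMPLE-VULN-0001", "product": "smart-tv-player@9.0.1",
        "state": "not_affected", "justification": "code_not_reachable"}]
# Constructed asset binding: deployed assets per product release.
ASSETS = {"banking-app@4.2.0": ["mobile-prod-ios", "mobile-prod-android"],
          "smart-tv-player@9.0.1": ["tv-fleet-eu"]}

def parse_version(text):
    """Turn '3.1.2' into (3, 1, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def flatten(components):
    """Yield every component, descending into nested 'components' lists."""
    for comp in components:
        yield comp
        yield from flatten(comp.get("components", []))

def affected_products(sboms, advisory):
    """Return product@version ids whose SBOM holds a version in the range."""
    lo, hi = parse_version(advisory["introduced"]), parse_version(advisory["fixed"])
    hits = []
    for sbom in sboms:
        root = sbom["metadata"]["component"]
        for comp in flatten(sbom.get("components", [])):
            if comp["name"] != advisory["component"]:
                continue
            if lo <= parse_version(comp["version"]) < hi:
                hits.append(f'{root["name"]}@{root["version"]}')
                break  # one hit is enough to flag the product release
    return hits

def triage(sboms, advisory, vex, assets):
    """Split affected products into those needing action and those VEX clears."""
    cleared = {s["product"]: s["justification"] for s in vex
               if s["vulnerability"] == advisory["id"] and s["state"] == "not_affected"}
    result = {"act_now": {}, "not_affected": {}}
    for product in affected_products(sboms, advisory):
        if product in cleared:
            result["not_affected"][product] = cleared[product]
        else:
            result["act_now"][product] = assets.get(product, [])
    return result
```

Calling `triage(SBOMS, ADVISORY, VEX, ASSETS)` leaves only the banking app and its two assets in the action list; the TV player is matched by version but cleared by its VEX statement.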
Snapshot — where Cybeats plays and how it behaves
Cybeats sells a two-sided suite: SBOM Studio for software producers and SBOM Consumer for software users (asset owners). It positions itself as a neutral SBOM management/intelligence layer—partner-friendly and scanner-agnostic. Recent cadence is what we want from a micro-cap at this stage: sequential revenue growth from Q1 to Q2 FY25, year-over-year expansion near 50%, a meaningfully narrower Q2 loss, and a post-Q2 financing (~C$3.2M) that extends runway and simplifies parts of the balance sheet. This isn’t a hype cycle; I believe it’s a procurement standard in slow motion.
How the machine works — one layer above scanners
Think of Cybeats as the librarian and air-traffic controller for SBOMs. It ingests SBOMs in common formats (SPDX/CycloneDX) from multiple generators. It normalizes and corrects internal hierarchies so components roll up cleanly to product versions. It enriches each bill with VEX and license context. It monitors this living catalog as modern CI/CD (Continuous Integration / Continuous Delivery) pipelines produce new SBOMs, versions, and patches—sometimes many times a day. And crucially, it binds SBOM intelligence to assets across OT and IT so teams can prioritize true exploitability and push fixes where they reduce risk.
Why this matters now: This is crossing from policy docs into contracts and operational runbooks.
Go-to-market (GTM) — how this reaches customers
Cybeats tries to meet customers where their SBOMs already live. The playbook is simple: integrate, source, then expand. Integrations with scanners and software-composition tools aren’t just a feature checklist; they’re designed to become demand channels. If those partners truly pull their weight, we should see a rising share of partner-sourced opportunities and visible co-sell or reseller motions by region (like the Keysight partnership, casually referenced in the company’s latest LIFE offering document). From the first purchase order, early value tends to arrive quickly—days or weeks to ingest the first SBOM—while full asset linkage takes longer and varies by whether the environment is OT or IT. The commercial rhythm I’d prefer to track is the percentage of commitments that are live within two quarters. If those numbers move the right way, the rest of the funnel generally follows.
Pricing & packaging (shape, not numbers)
Without disclosing rates, the structure matters. SBOM Studio for producers usually scales with the amount of software under management—think throughput and product lines—plus the roles that need to touch the data. SBOM Consumer for asset owners more often maps to the breadth of the fleet—sites, device families, and the depth of monitoring and policy. Expansion, in both cases, tends to come from familiar places: more product lines, more SBOM volume, more assets, or a wider footprint across divisions.
Why now — regulation that turns compliance into operations
In the United States, Executive Order 14028 (Improving the Nation’s Cybersecurity) kicked off a multi-year push, with NIST and CISA turning principles into procurement guidance. Federal buyers now expect SBOMs for supply-chain transparency, and suppliers are aligning.
At the U.S. Food & Drug Administration (FDA), medical-device submissions are expected to include cybersecurity documentation and SBOM information. The FDA reinforced this with 2025 updates and a “Refuse to Accept” posture when submissions omit required cyber content—creating expectation, leading to enforcement, driving normalization.
In the European Union, the CRA (Cyber Resilience Act) puts SBOM obligations into law for “products with digital elements,” with a compliance horizon running toward 2027. NIS2 tightens supply-chain obligations in critical sectors, and DORA (Digital Operational Resilience Act) has applied since January 17, 2025 across EU financial entities. So, what does this mean? SBOMs (and VEX) are moving from policy into contracts, budgets, and daily workflows. I can’t speak for everyone, but this is starting to feel sticky, a good signal for Cybeats.
Executive leadership — the tone at the top
CEO Justin Leger reads as a values-driven operator: plain-spoken on capital needs, disciplined on spend, and consistent in framing SBOMs as “software food labels.” That temperament fits regulated markets and long enterprise sales cycles. CTO Dmitry Raidman is an architecture-first leader who talks about the hard parts customers feel—hierarchy correction, “stitching” many SBOMs into product-level truth, continuous monitoring, and bidirectional remediation with partners (e.g., Veracode). Commercial ownership: CEO-led today; as partner motions scale, a visible head of partnerships would be a positive tell.
Who is Scryb — helpful anchor, with a governance footnote
Scryb Inc. (formerly Relay Medical) acquired Cybeats in 2021, helped the shift toward SBOM tooling, and remains a large shareholder post-listing. At times Scryb provided secured bridge financing that was later converted or settled as Cybeats raised equity. Upside: aligned, long-horizon support and company-building resources. Caution: related-party—any new Scryb-linked financings should be overseen by independent directors (pricing, collateral, warrants). These are important to keep an eye on for any minority investors.
Commercial proofs — signals that the story is real
The company has started to show the right kinds of footsteps. Emerson expanded on the producer side, which is the kind of land-and-expand you want to see in an industrial context. A water-infrastructure customer increased its footprint by roughly 34%, and there was a renewal/expansion with a U.S. government agency. On the partner front, Veracode is an important example: scanners create findings and, in many cases, SBOMs; Cybeats’ role is to ingest those SBOMs, correct hierarchies, enrich with context such as VEX, monitor over time, and feed remediation back into developer and security workflows. That loop is the scanner-agnostic thesis made tangible.
The company does a good job of announcing wins. Below shows the progression dating back to December 2022.
Market & Competition — where Cybeats fits and what really sets it apart
The SBOM market is widening fast, but it’s messy. Most of the big cybersecurity vendors—Anchore, JFrog, Snyk, Synopsys—build SBOM generators and vulnerability scanners. Their focus is “what’s inside” the code. Cybeats sits one layer higher: it manages, normalizes, and enriches the flood of SBOMs those scanners produce. Think of it as the librarian rather than the author—turning stacks of raw lists into usable intelligence that ties back to real assets.
That positioning gives Cybeats two things competitors don’t fully have yet:
Scanner-agnostic ingestion. It can take SBOMs from any source and make them coherent, which appeals to large enterprises already using multiple tools.
Asset linkage (OT + IT). Most peers stop at software inventories. Cybeats binds those inventories to operational assets—where risk lives.
The durability of that edge depends on whether the big suite vendors decide to stay closed or open. If Anchore, JFrog, or Snyk make their APIs truly open and add asset binding, Cybeats’ neutrality moat shrinks. For now, neutrality and data quality remain its core differentiators—valuable in regulated, multi-vendor environments where buyers want independence and auditability.
In plain English: Cybeats wins when complexity rises. The more SBOM sources, asset types, and compliance frameworks an organization juggles, the more useful a neutral manager becomes. The risk is that simplicity eventually wins—if large vendors bundle “good enough” SBOM management into existing platforms.
Bottom line: Cybeats’ advantage is real but still early-stage. It’s a function of openness, accuracy, and trust rather than raw technology. Until the category settles and buyers standardize on a few ecosystems, that neutrality buys time and relevance—but not yet permanence.
Core drivers — what will move value from here
We want to see at least 60% of signed commitments live within two quarters. We also want NRR at or above 120%, alongside a growing logo count—not concentration disguised as retention. Balance-sheet hygiene matters: twelve months of runway at current burn is a sensible floor (candidly it’s probably longer than that). And we prefer to see top-customer ARR below 25% and top-three below 50% to avoid single-name risk. Beyond those hard gates, two qualitative tells will carry weight: named SBOM Consumer references funded by asset-owner budgets in telecom, healthcare, or defense, and a clear uptick in partner-sourced ARR that confirms integrations drive distribution, not just demos.
Financial profile — the signal in the numbers
The near-term picture is straightforward. Revenue stepped from C$681K in Q1’25 to C$745K in Q2’25 (about 50% year-over-year growth), while the Q2 net loss narrowed to C$856K. That progress came with lower sales/IR and share-based compensation versus last year—early signs of some cost discipline while the base is forming. Two hygiene tells deserve a line in each quarterly update: gross margin direction (software-like and stable is what we want; slippage hints at mix or services) and receivables/DSO behavior (ballooning DSO often foreshadows stress; stability suggests healthy collections and implementation). After quarter-end, the ~C$3.2M financing and related clean-ups extended runway and simplified obligations—oxygen to bridge to the next proof points.
Valuation lens — what’s priced in today
As of the latest data, Cybeats trades at a market capitalization of roughly C$26M. For the trailing twelve months (TTM), the company generated about C$2.4M in revenue (with ~40.7% year-over-year growth). That suggests the company is valued at approximately 10.5× revenue.
Because the company is still unprofitable, much of the value appears to be built on execution of growth and the regulatory/market optionality around the software supply-chain/security. Thus, the revenue multiple implies the market is already expecting meaningful ramp-up in ARR and margin improvement. If growth stalls or the business fails to convert into scale, downside risks could be significant; if the company executes ahead of expectations and captures the regulatory tailwinds, upside could be meaningful.
Balance sheet & capital structure — a clean snapshot
The capital stack is typical of a micro-cap still building its base, so it’s messy. The August 2025 raise of roughly C$3.2M helped extend runway; post-quarter settlements and conversions reduced complexity, including portions of historical related-party lending from Scryb. On equity, options outstanding sit around 27 million, with a meaningful warrant stack across various strikes and maturities (45 million). For readers thinking about position size and timing, the fully diluted lens—basic shares plus in-the-money options/warrants and recent conversions—along with a simple calendar of the largest expiries over the next 12–18 months will set expectations for potential selling pressure.
Operational risks unique to SBOMs
There are a few execution risks that are specific to this category. SBOM quality varies by generator; if the upstream document is inconsistent or partial, the manager inherits the mess, which is exactly why hierarchy correction must work at scale. Asset-owner value also depends on suppliers reliably providing SBOMs; contracts and procurement muscle help, but adoption can lag and needs active management. Standards will continue to evolve—SPDX, CycloneDX, and VEX are living things—so staying current is both a moat and a maintenance tax. Finally, open-source alternatives like Dependency-Track keep improving; the way to hold the line is to demonstrate clear advantages in asset binding, remediation workflows, and auditability in customer stories rather than in slides.
What could go right
Two upside paths are worth naming. If cyber insurers or OEM warranties begin to require SBOM and VEX evidence as part of underwriting or support, the conversation shifts from compliance to economic mandate. And if an ISAC or similar industry body standardizes how a vertical exchanges SBOMs, the adoption of SBOM Consumer could accelerate as asset owners move together rather than one at a time.
Balanced Diligence — Leadership, Structure, and Thesis Fragility
Leadership:
CEO Justin Leger comes across as a disciplined operator with enterprise and defense-sector roots. Since taking the helm in late 2023 he’s delivered repeat wins and expansions across regulated verticals (Rockwell, Emerson, U.S. Gov). The only gap is ownership clarity—roughly 1% estimated, pending SEDI confirmation—so insider alignment still needs a line check.
Capital & Structure:
Cybeats remains funding dependent. Share count climbed roughly 47% (YTD) with ~74M options and warrants reserved, leaving an equity overhang until cash generation or non-dilutive financing emerges. Q2 revenue (C$745K, +52% y/y) is growing but still micro-scale, meaning one delayed enterprise deal could move results. Further transparency on ARR, deferred revenue, and churn would help close the credibility gap.
Thesis Fragility:
Three macro levers carry most of the risk weight:
Regulatory timing – SBOM mandates are real but enforcement may slide into 2026-27.
Competitive neutrality – scanner vendors (Anchore, JFrog, Snyk) could be closing the feature gap, eventually.
Financing runway – likely ≤ 12 months; another raise before proof of ARR scale would reset the narrative.
Counter-weights: clear policy momentum, early enterprise validation, and a management team that has so far executed methodically.
Verdict — where I stand now
Leger’s execution track record and a tightening policy tailwind offset—but don’t erase—the capital-structure risk. The setup remains an execution-sensitive microcap: upside if ARR bridges and renewals confirm stickiness; downside if regulation drifts or dilution returns early.
Cybeats is still early in its journey, but it’s starting to show the right signs. The leadership is credible, the wins are real, and the policy tailwind is getting stronger. The challenge is less about whether SBOMs matter—it’s about how quickly that demand turns into recurring, self-funding revenue.
⚠️ Disclaimer
I own shares of this company at the time of publication.
This post is for informational and educational purposes only and should not be considered investment advice. Nothing here constitutes a recommendation to buy, sell, or hold any security.
All information is believed to be accurate at the time of writing but may include errors or omissions.
Investing involves risk, including potential loss of principal.
Readers should conduct their own due diligence or consult a licensed financial professional.







