Track Post-Deployment Vulnerabilities Across Your Live Environments

Expose Your Real-Time Attack Surface

Patch OSS Vulnerabilities Before Hackers Attack

Ortelius Vulnerability Evidence Store

Traditional security tools focus on catching vulnerabilities before software is deployed, but threats don’t stop there. New vulnerabilities in open-source packages are disclosed daily, long after software has been released into production. That’s where Ortelius steps in.

Ortelius continuously maps your software supply chain and actively monitors live environments to detect vulnerabilities that emerge post-deployment, when the risk is highest and time is critical. Unlike static SBOM solutions or pre-release scanners, Ortelius gives you a dynamic view of what’s actually running in production, staging, and test environments.

It connects the dots between CVEs reported by OSV.dev, deployed OS packages, and affected systems, providing:

  • Precise Impact Mapping – Instantly identify which applications, containers, or microservices are exposed to new CVEs

  • Actionable Intelligence – Understand exactly where vulnerable components are running across all environments

  • Faster Remediation Cycles – Reduce MTTR by focusing efforts on live, high-risk threats
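As an added illustration of the mapping described above (not Ortelius code), the Python below joins OSV-style vulnerability records to a deployment inventory and reports which application runs an affected package version in which environment. Both the advisories and the inventory are constructed, and the version comparison is a deliberate simplification of what real ecosystems need.

```python
from collections import defaultdict

# Constructed records in the shape of OSV.dev's schema (id, affected[].package,
# affected[].ranges[].events). They are not real advisories.
VULNS = [
    {"id": "EXAMPLE-2024-0001", "affected": [{"package": {"ecosystem": "PyPI", "name": "requests"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.31.0"}]}]}]},
    {"id": "EXAMPLE-2024-0002", "affected": [{"package": {"ecosystem": "Debian", "name": "openssl"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "3.0.0"}, {"fixed": "3.0.14"}]}]}]},
]

# Constructed deployment inventory: which package version each app runs in each environment.
INVENTORY = [
    {"app": "checkout-api", "env": "production", "ecosystem": "PyPI", "name": "requests", "version": "2.28.1"},
    {"app": "checkout-api", "env": "staging", "ecosystem": "PyPI", "name": "requests", "version": "2.32.0"},
    {"app": "auth-svc", "env": "production", "ecosystem": "Debian", "name": "openssl", "version": "3.0.13"},
    {"app": "auth-svc", "env": "test", "ecosystem": "Debian", "name": "openssl", "version": "3.0.14"},
]

def _key(version):
    # Simplification: dotted-integer compare. Debian epochs and PEP 440 pre-releases need more.
    return tuple(int(p) for p in version.split(".") if p.isdigit())

def is_affected(version, ranges):
    """True if version lies in any [introduced, fixed) interval of the OSV ranges."""
    v = _key(version)
    for rng in ranges:
        start = None
        for ev in rng["events"]:
            if "introduced" in ev:
                start = _key(ev["introduced"])
            elif "fixed" in ev and start is not None:
                if start <= v < _key(ev["fixed"]):
                    return True
                start = None
        if start is not None and start <= v:  # introduced but no fix published yet
            return True
    return False

def impact_map(inventory, vulns):
    """Return {vuln_id: sorted [(app, env, package, version)]} for exposed deployments."""
    hits = defaultdict(list)
    for vuln in vulns:
        for aff in vuln["affected"]:
            pkg = aff["package"]
            for item in inventory:
                if (item["ecosystem"], item["name"]) == (pkg["ecosystem"], pkg["name"]) \
                        and is_affected(item["version"], aff["ranges"]):
                    hits[vuln["id"]].append((item["app"], item["env"], item["name"], item["version"]))
    return {vid: sorted(rows) for vid, rows in hits.items()}
```

Running `impact_map(INVENTORY, VULNS)` yields one production exposure per advisory; the staging and test entries already run fixed versions and are not reported.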

With Ortelius, you’re no longer blind to what happens after deployment. You gain real-time, operational awareness of your software attack surface, so your teams can act fast and stay ahead of emerging threats.

The Ortelius Community, managed by the Continuous Delivery Foundation, maintains the latest version, with corporate support from DeployHub, a Continuous Vulnerability Management platform designed to expedite remediation patches for the Enterprise.

Expose Your Real Time Attack Surface


Modern software is assembled from hundreds of components (e.g. microservices, containers, libraries, AI agents), each with potential security risks. Ortelius reveals where each component is running and what’s at risk when a new vulnerability hits.
  • Visualize your live software footprint
  • Track every package across all environments
  • Detect high-risk CVEs after release
  • Know instantly which assets are vulnerable

Why Post-Deployment Visibility Matters


Pre-release scans aren’t enough. New vulnerabilities are disclosed after deployment—often days or weeks later. Ortelius fills this critical gap by continuously tracking what’s live, what’s vulnerable, and what needs fixing.

  • Real-time CVE exposure
  • Live attack surface mapping
  • Risk prioritization per environment
  • Immediate action for remediation

The Ortelius Edge


Deployed Software Intelligence
Know exactly what version of each component is deployed and where.

Real-Time CVE Mapping
Connect new CVEs to deployed components across systems.

Attack Surface Awareness
View your threat exposure across all environments in real time.

Build-to-Deploy Traceability
Map software from code to CI/CD to deployment with full SBOM lineage.

Built for DevSecOps and cATO


Ortelius supports your DevSecOps pipeline and security compliance:

  • Zero Trust enforcement
  • NIST 800-53 and 800-171 support
  • Continuous Authority to Operate (cATO) readiness
  • SBOM and RMF reporting
  • DoD and civilian security mandates

Ortelius Use Cases

Identify and Neutralize Threats


Strengthen Your OS Supply Chain


Maintain Persistent Surveillance of Changes


Jenkins and Ortelius

Extend Jenkins for Continuous Post Deployment Security

Ortelius extends Jenkins by adding continuous vulnerability monitoring for deployed applications. Unlike traditional SCA tools that scan source code or container images during the build, Ortelius focuses on what matters most: what’s actually running in production and is the most vulnerable to attack.

Ortelius

Sign-up and Get Started Managing Post Deployment CVEs

From discovering where open-source packages are being used, to federating OpenSSF Scorecard and Application Security Posture Management data, Ortelius serves as a central hub for managing, evaluating, and responding to vulnerabilities, and for understanding the risk associated with consuming open-source packages from code to cloud.

Get started with Ortelius using the free SaaS version. Take a quick tutorial and see it in action.

Get Involved

Contribute


Open an Issue


Attend Our Community Meetings and Events


SecureChainCon, Now Available On-Demand


Level Up Your Security Skills

Welcome to SecureChainCon, the premier online micro-conference for DevOps and Security professionals, proudly hosted by the Ortelius open-source community! View our half-day of engaging sessions and invaluable learning designed to keep you ahead in the fast-paced world of software security, AI, and DevOps automation. Our lineup of expert speakers from top organizations will share their insights, best practices, and real-world case studies on seamlessly integrating security into DevOps workflows.

Keynote:

As software development ecosystems grow increasingly complex, the need for intelligent DevOps automation in script analysis and dependency management becomes critical. Join Jon Willis as he explores cutting-edge tools and techniques that leverage AI-driven code parsing and semantic analysis to enhance DevOps workflows. He will discuss the application of Large Language Models (LLMs) such as GPT-4, CodeBERT, and OpenAI Codex in parsing infrastructure and automation scripts, including Jenkinsfile, Dockerfile, Makefile, GitHub Actions, and Terraform. These models facilitate the identification of dependency installations (e.g., apt-get install, pip install, npm install) and pinpoint update points within scripts.

Job Seeker's Toolkit


JobSeekers Webinar

Webinars and Resources

As you work through the process of finding a new role, there are an increasing number of resources available to you. The Ortelius team has curated these resources into useful categories. Most are free or offer initial free access, with some offering paid services.

Get Resources and Links on Job Hunting.

Job Seekers Webinar Episodes:

Episode 1: Building Your LinkedIn Personal Brand to Get Noticed, presented by Darrin Straff, CareerStation

Episode 2: Secrets Unveiled: How Employers Find (and Hire) Top Talent, presented by Erin Lovern and Buffie Gresh

Attend CDCon, June 23-25, 2025


Join Open Source Developers in Denver

Attend CDCon, held at Open Source Summit 2025 in the Mile High City of Denver, Colorado.

Why You Should Attend:

Open Source Summit is the premier event for open source developers, technologists, and community leaders to collaborate, share information, solve problems, and gain knowledge, furthering open source innovation and ensuring a sustainable open source ecosystem. It is the gathering place for open-source code and community contributors.

Open Source Summit is a conference umbrella, composed of a collection of events covering the most important technologies, topics, and issues affecting open source today including CDCon where DevOps is explored and improved.

Our Inspiration


Abraham Ortelius


Abraham Ortelius made his name by collecting data from scientists, geographers, and cartographers of his time and transforming it into what the world now knows as a world Atlas. His Atlas, titled Theatrum Orbis Terrarum (Theatre of the World), was published on May 20, 1570. His Atlas disrupted the way the world was seen, with the first concepts imagining continental drift. Also of interest are the sea monsters shown in the water – mythical creatures that were a subject of fascination in Ortelius’ generation.

A Thought Leader in Sharing

Ortelius also, in some ways, created an open-source community of his day. To accomplish his goal, he was the first cartographer to give credit to his fellow scientists by adding their names to the Atlas. Ortelius was known to have corresponded with other professionals throughout Europe and pulled together their knowledge to create his publication and a truly global view of the world.

Thank you, Abraham Ortelius, for showing us the way.