Software supply chain risk doesn’t stop at the container boundary. Most organizations still run a meaningful share of production workloads on virtual machines across legacy services, data pipelines, and infrastructure that was never containerized. The Upwind Platform creates SBOMs at runtime, delivering greater accuracy than build-time tools by continuously monitoring your live environment.
Format adds a second layer of friction. Instead of chasing down disparate data models or hand-converting files to meet audit requirements, you can now generate an SBOM in the exact format your auditor or customer questionnaire demands, instantly. Without native export flexibility, teams end up hand-converting SBOMs to satisfy different consumers of the same underlying data.

Extending Resource SBOM Coverage to Virtual Machines
SBOMs are the cornerstone of modern security compliance, providing essential visibility into licenses, vulnerabilities, and supply chain risks. The Upwind Platform generates these SBOMs at runtime, delivering superior accuracy over traditional build-time tools by continuously monitoring your live environment. This approach allows you to track dependencies in real time, instantly detect drift between operational and documented states, and maintain a consistent package inventory across containers, VMs, and serverless functions.
By correlating SBOM components with live runtime activity and reachability, Upwind cuts through the noise, helping you prioritize the vulnerabilities that actually impact your security posture.
This visibility is backed by total export flexibility. Whether you’re delivering an SBOM to an auditor, a customer, or an internal security pipeline, you can now generate it directly in the required format across JSON, SPDX, or CycloneDX from a single, trusted source of truth.
Full Visibility, in the Format You Need
Resource SBOM for VMs brings image-level inventory depth to virtual machines, so teams get the same packages, versions, licenses, CPEs, and OS details for a VM that they already rely on for images. Coverage spans AWS EC2, Google Cloud VM, and Azure VM, plus scaling infrastructure. That means when a new CVE drops, teams can check exposure across the whole environment in one place.

Multi-Format SBOM Export lets any SBOM, image or VM, be pulled in JSON, SPDX, or CycloneDX directly from the resource or image detail view. So when a customer questionnaire calls for CycloneDX or an auditor wants SPDX, the data is already in the right format.

Unlock Runtime Visibility Across Your Environment
Runtime visibility means understanding exactly what is running in your environment at any given moment. With Upwind, you get deep, real-time insights into your packages, licenses, and CPE details across every VM, ASG, and image. This unified view gives you granular inventory for all your assets, from legacy servers to ephemeral infrastructure ensuring you have the accurate data you need for compliance reviews or customer requests.
To see full-environment SBOM coverage in action, schedule a demo.
