NEXTGENRAILS™ | SOFTWARE INTEGRITY RECEIPT AUTHORITY

If your SBOM cannot be independently verified later, it is not evidence.

CBOM Compliance converts software manifests into independently verifiable, cryptographically signed receipts that prove what existed at a specific point in time.

An SBOM alone is a claim. A signed receipt is evidence.

10 signed receipts from $49 · instant access after payment

Deterministic verification • signed receipts • independent public-key validation

CycloneDX / SPDX JSON • VS Code Extension Scan • AI Model Card • SHA-384 Fingerprint • Merkle Root Derivation • Signed Receipt • NVD + OSV + GHSA • EPSS Exploit Scoring • License Risk Flagging • Receipt Drift Detection • Embeddable Badge • Public-Key Verification
Zero Retention • Deterministic Outputs • Signed Receipts • Independent Verification
Why This Matters

What This Prevents

Evidence Layer

Without independently verifiable evidence, software state becomes difficult to defend after the fact. This system exists to give organizations a portable proof artifact they can validate later, outside the original submission session.

  • Audit Risk: Unverifiable SBOMs
  • Disputes: No provable record
  • Incidents: No attributable state
  • Compliance: Weak evidentiary posture

Key Distinction: Internal artifact = claim • Signed receipt = independently verifiable evidence
System Output

What You Receive

Authority Output

Each verification run produces a portable, signed receipt that serves as independently verifiable evidence of software composition at a fixed point in time.

  • Receipt Status: SIGNED
  • Fingerprint: SHA-384
  • Structure Proof: Merkle Root
  • Verification Path: Public Key

Issued Artifact: Portable, signed evidence of manifest state with an independent verification path.
Verification Access

Pricing

Built for defense contractors, MSSPs, and software vendors operating under EO 14028, CMMC 2.0, and the EU Cyber Resilience Act. No support tickets. No account managers. The cryptographic receipt is the deliverable.

One-Time Packs
One-Time
Standard Pack
$49
10 signed receipts
  • Proof of software composition at a fixed point in time
  • SHA-384 Merkle commitment
  • RS256 signed JWS receipt
  • Zero retention processing
  • Independent public-key verification
  • CycloneDX / SPDX JSON input

By purchasing you agree to our Terms of Service. All sales final.

One-Time
Advanced Pack
$199
10 signed receipts
  • Proof of composition plus verified vulnerability state
  • Everything in Standard
  • OSV / NVD vulnerability intelligence
  • Component-level risk analysis
  • Confidence scoring across sources
  • Time-aware re-evaluation

By purchasing you agree to our Terms of Service. All sales final.

Monthly Subscriptions
Subscription
Professional
$299/mo
25 receipts per month · Standard tier
  • Continuous issuance of audit-ready cryptographic evidence
  • Standard tier receipts
  • Recurring monthly access
  • Access code issued on purchase
  • Zero retention architecture
  • Cancel anytime

By subscribing you agree to our Terms of Service. Cancel anytime.

Subscription
Professional Plus
$999/mo
100 receipts per month · Standard & Advanced
  • High-volume issuance with continuous re-evaluation capability
  • Standard and Advanced tier
  • Full vulnerability intelligence
  • Time-aware re-evaluation
  • Access code issued on purchase
  • Cancel anytime

By subscribing you agree to our Terms of Service. Cancel anytime.

Enterprise
Enterprise Contract
Custom Pricing
Annual contracts · Volume licensing · Custom DID integration
  • Integrated into compliance workflows and audit pipelines
  • Unlimited receipts — Standard and Advanced
  • Custom DID integration
  • Annual contract · Volume pricing
  • Contact for scope and terms

Signed receipt issuance is usage-metered and access-controlled.  |  Questions: ngr.admin@proton.me

Verification Workbench

Manifest Verification

Submit a supported JSON manifest to generate a signed verification receipt.

Verification Tier
Standard = proof of software composition state. Advanced = proof + intelligence + time-aware re-evaluation.
Professional Plus subscribers: select Advanced to access intelligence features.
Controlled Issuance
Signed receipt issuance is usage-metered and access-controlled. Purchase a pack or subscription in the Pricing section to receive your access code.
Upload a CycloneDX or SPDX JSON manifest to generate a signed CBOM receipt.

Data Handling & Verification Model

Submitted manifests are processed transiently for the sole purpose of generating a signed verification receipt.

No uploaded data is stored, retained, indexed, or shared. Processing occurs in-memory within a serverless execution context and is discarded after computation.

Issued receipts are signed by the system and can be verified independently using the public verification key endpoint.

Verification does not require continued access to this platform or the original upload session.

No persistent storage • No manifest logging • No database retention of uploaded contents

Live Scope

System Status & Receipt Scope

Receipt Scope

  • Cryptographically signed verification receipt
  • Manifest SHA-384 fingerprint
  • Merkle-root derivation result
  • Timestamped validation record
  • Public-key verification path
  • VS Code extension manifest scanning
  • AI model card provenance receipting
  • Advanced tier: NVD + OSV + GHSA vulnerability intelligence
  • Advanced tier: EPSS exploit probability scoring
  • Advanced tier: license risk flagging (AGPL, GPL, SSPL)
  • Advanced tier: receipt drift detection and comparison
  • Embeddable verified badge for README and websites

The receipt proves software composition state at issuance time. It does not by itself prove full runtime safety, replace remediation work, or substitute for a complete compliance program.

Public verification key endpoint: /.netlify/functions/public-key
Verification Model: Proof of submitted manifest state at issuance time, with signed output and an independent validation path.
Authority Boundary: This system proves the submitted input and signs the resulting receipt. It does not claim full runtime truth or automatic legal compliance.
Drift Detection

Compare Two Receipts

Advanced

Paste two signed receipts (JWS) to see exactly what changed between them — added components, removed dependencies, version upgrades, and risk delta. Requires Advanced tier receipts.

Receipt Comparison
System Interpretation

How This Works

Intended Use

Who This Is For

Operational Buyer Fit

This system is built for environments where software claims must be defensible, not just stated.

  • Defense: CMMC-bound contractors
  • Supply Chain: SBOM-submitting vendors
  • Security: Audit-preparation teams
  • Evidence: Post-delivery proof needs