Your software stack is like a cairn - a tower of stones. It looks solid from the outside, but its stability relies on dependencies you didn't create and often don't see. The Cairn Index measures the structural integrity of these hidden stones, analysing development history to pinpoint weak spots before the whole stack collapses.
Whether you are a developer, a compliance officer, or an overseer of open-source procurement, Cairnlytics empowers you to make informed, evidence-based decisions.
[Dashboard mock-up: "Software risk scores" (out of 1000) and "Historical risk scores" (today, all time, last year) panels.]
Note: Data presented in this mock-up is for demonstration purposes only.
Cairnlytics helps IT companies achieve regulatory compliance by delivering data-driven evidence aligned with key standards like DORA, the UK's Cyber Security and Resilience Bill, FCA PS21/3, SBOM, PCI DSS 4.0, the NCSC Cyber Assessment Framework, and the UK's Software Security Code of Practice. It also tackles NCSC Cross-Cutting Problems by making assessments more data-driven (CC2) and establishing meaningful security metrics (CC3).
Traditional Third-Party Risk Management (TPRM) tools rely on questionnaires and audits - methods that fail with open-source software because there is no vendor to interview. Cairnlytics bridges this gap. Simply enter a repository URL or import your SBOM. We instantly generate objective risk scores and real-time alerts, replacing blind trust with measurable data.
We quantify software supply chain resilience through non-intrusive, data-driven concentration risk analysis.
Cairnlytics is a pre-spinout from the Edinburgh Decentralisation Index™ (EDI), a pioneering project at the University of Edinburgh initiated in 2022. We build upon the EDI codebase, which is open source under an MIT licence.
EDI website: https://informatics.ed.ac.uk/blockchain/edi