CAIRNLYTICS

Understand Open-Source Risk

What's Your Open-Source Risk?

[Image: XKCD comic #2347, "Dependency" (xkcd.com/2347)]

Quantifying software supply chain resilience through non-intrusive, data-driven concentration risk analysis. Cairnlytics is a spin-out of the Edinburgh Decentralisation Index (EDI), an ongoing project at the University of Edinburgh initiated in 2022. EDI is a registered trademark in the UK, the US and Switzerland.
EDI website: https://informatics.ed.ac.uk/blockchain/edi

Organisations struggle to assess the resilience of their software supply chains objectively. The Log4j and Heartbleed vulnerabilities revealed the systemic risk created by overreliance on a small set of shared open-source libraries. Cairnlytics assesses cyber resilience in a quantitative, non-intrusive and data-driven way for IT companies, risk underwriters and insurers, by pinpointing points of failure and measuring concentration risk.

Software risk scores (out of 1000)

  Firefox        124
  Docker         512   Not maintained for 4 months
  Kubernetes     201
  OpenVPN        579
  TensorFlow      53
  Node.js        658
  OpenSSL        973   !
  PostgreSQL     159
  Apache Kafka   301
  Vim            177

OpenSSL: 973/1000

Historical risk scores
[Chart: risk score (0 to 1000) by month, Jan-10 to Nov-11; legend: Author, Merge committer, Line changes, Last commit, Today]

Developers: 1
Reviewers: 1
Contributors (all time): 4 !
Contributors (last year): 2 !
Time to patch after vulnerability disclosure: 3 weeks (avg)
Achieve Regulatory Compliance

Cairnlytics helps IT companies achieve regulatory compliance by delivering data-driven evidence aligned with key standards and frameworks such as DORA, FCA PS21/3, SBOM requirements, the NCSC Cyber Assessment Framework and the UK's Software Security Code of Practice. It also addresses the NCSC Cross-Cutting Problems by making assessments more data-driven (CC2) and establishing meaningful security metrics (CC3).

Unique Selling Point: Unlike manual audits or historical GRC tooling, Cairnlytics delivers automated, quantifiable risk metrics using non-intrusive, proprietary models, enabling cost-effective supplier due diligence at scale.

About the Project

Cairnlytics is at the pre-spinout stage and plans to build on top of the EDI codebase, which is open source under an MIT license.


Mojtaba Tefagh - Commercial Lead, Technology Transfer & Go-to-Market Strategy

Laura Antunes - Lead Researcher, Supply Chain Risk Analytics