Your software was not built by you. Are you in control of it?

Basic-Fit, Odido, and patient records holder Chipsoft are just a few of the latest examples of cyberattacks affecting Dutch companies and their customers. As the scale of cyber threats grows, an Eindhoven-based startup is looking at this problem from another perspective: the software supply chain. 

TraceGuard is working on a platform that maps and monitors the web of software components that underpins every digital system in use today. Their message is clear: the software your company relies on was not written by you, and vulnerabilities accumulate somewhere in this chain of dependencies. 

Nowadays, any software application – whether built by a firm, a startup, or a government ministry — is assembled from thousands of third-party components. These pieces depend on other components, resulting in an elaborate supply chain nobody monitors from end-to-end. "We kept encountering the same fundamental question," says Anirudh Ekambaranathan, co-founder and CEO of TraceGuard. "How do you actually manage risk in a software supply chain you don’t control?"

Getting a full overview of the software supply chain

TraceGuard's platform works by scanning a client's codebase – a collection of tools and documentation behind any software — to extract the components it relies on, mapping the full dependency tree — including what those components themselves rely on. The system then monitors this software supply chain around the clock, scanning for newly discovered vulnerabilities and alerting clients when something in their chain is at risk. 

Crucially, the founders did not want to build just another compliance tool or a dashboarding product. “Most tools show you what’s there,” says co-founder Evgeni Kharitonov. “We focus on what you do next — who owns the risk, how important it is, and what decision needs to be made. Where possible, those actions can be automated or directly triggered from the platform.”

Taking action against vulnerabilities

When a vulnerability is spotted, the platform starts a mitigation process, guiding clients towards a fix. A firmware upgrade, a patched dependency, a flagged supplier. The goal is that over time, as the software runs continuously in the background, the number of vulnerabilities in a client's environment measurably decreases.

One early client story captures the stakes well. A company operating critical hardware infrastructure, the details of which are undisclosed for privacy reasons, had previously hired a cybersecurity firm to manually audit its systems. The firm found nothing remarkable. TraceGuard's software spotted a critical vulnerability — one embedded across multiple firmware versions — within moments of going live. The fix, it turned out, was straightforward and avoided any damage to the organization. But as the Ekambaranathan puts it: "Unless you know about it, there's no reason to act on it."

The platform took around six months of focused development to build, and has been running inside client organizations almost from launch. Onboarding is designed to be frictionless — a single-click install that slots into existing developer workflows.

TraceGuard did not begin as a product. The founders started as consultants, working inside organizations across different sectors to understand the problem firsthand. Those early conversations shaped everything that followed. Ekambaranathan holds a PhD in cybersecurity from the University of Oxford. Kharitonov has a background in Commercial Economics at Fontys University of Applied Sciences, as well as business and project management. They had long wanted to build something together. The platform that exists today is the result of that shared ambition meeting a very real market need.

TraceGuard's co-founders: Evgeni Kharitonov and Anirudh Ekambaranathan - © IO+

Regulation as a tailwind

The current regulatory environment is calling for solutions like TraceGuard’s. European frameworks, such as the NIS2 directive and the Cyber Resilience Act (CRA), require organizations to enforce their cybersecurity capabilities. Crucially, demonstrating continuous monitoring of their digital infrastructure is one of the obligations — particularly for banks, energy companies, and government bodies — something the startup can offer. 

Drawing on its experience working with municipalities, including Eindhoven’s, TraceGuard has consistently found that government bodies face a paradox: they are among the most exposed organizations to software supply chain risk, yet among the least equipped to detect it. Civil servants are managing a vast range of responsibilities simultaneously. Cybersecurity rarely sits at the top of the list — until something goes wrong.

"The government is seeing that cybersecurity defenses need to step up. And with the CRA, the 24/7 monitoring part applies to everyone. Because imagine something happens: you want to know where it happened, when it happened, and from where it came," adds Kharitonov.  

A collaborative approach to cybersecurity

Securing a robust cybersecurity system can’t happen without a collaborative approach. Ekambaranathan underlines how cybersecurity in the Netherlands today is siloed — municipalities, government agencies, and private companies each managing their own piece of the problem, often without visibility into what their counterparts are doing. 

"If you bring all these different organizations and products onto the platform," he says, "we can have a more collaborative and integrated look at cybersecurity together." The goal, ultimately, is not just to sell software but to foster a more coherent national approach to digital resilience — one in which the dots are connected and no critical vulnerability can hide undetected in the shadows of someone else's codebase. 

In five years, Ekambaranathan and Kharitonov want TraceGuard to be the platform securing the full Dutch national digital infrastructure — every government body, every critical organization, monitored and protected through a single system. 

It is a grand ambition, especially for a bootstrapped two-man band, but one that the founders speak of with quiet conviction rather than bravado. "We really want to do something that can make an impact in society," says Ekambaranathan. "That was very important to us from the start." In the digital age, the supply chain is the frontier. TraceGuard intends to lead it.