We implement autonomous agents that generate versioned SBOMs, triage CVEs with reachability analysis, and maintain audit evidence synchronized with the actual state of the repository.
The typical software compliance stack combines scanners (SCA, SAST, secret scanning), a ticketing system, and manual correlation work. The friction is not in the individual tools — it is in the layers that require judgment:
A deep agent, in the context of this implementation, has three properties that distinguish it from an LLM call with tools:
Works on tasks spanning hours or days, maintaining state across invocations: virtual filesystem, structured plan, execution memory.
A principal agent decomposes the problem and delegates to specialized sub-agents — dependency analysis, control mapping, evidence writing — each with its own isolated context.
Access to repos via Git, execution of static analysis, queries to NVD/OSV/GHSA, PR generation, writing versioned documents.
| Task | Traditional pipeline | Deep agent pipeline |
|---|---|---|
| SBOM generation | On-demand, variable format, unsigned | CycloneDX/SPDX signed per build, attestation via Sigstore, semantic diff against previous version |
| CVE triage | Raw list sorted by CVSS | Reachability analysis over AST, prioritization by actual exposure, upgrade path proposal |
| Audit evidence | Dedicated sprint before the audit | Incremental evidence tied to controls, generated on each merge |
| License compliance | Monthly static report | PR validation against policy-as-code, automatic blocking of incompatible licenses |
| Control documentation | Outdated wiki | Documents regenerated from the current state of the repo |
The agent integrates into the CI pipeline. Each build produces a complete SBOM — including transitive dependencies, hashes, licenses, and provenance — signed with cosign and stored as an OCI attestation alongside the artifact. The agent compares against the previous SBOM, identifies deltas (new dependencies, upgrades, removals) and generates a natural-language changelog. For new dependencies, it runs an evaluation subroutine: package age, release frequency, maintainer distribution, CVE history, presence in typosquatting databases.
When a new CVE affects a dependency present in the SBOM, the agent determines whether the client's code actually invokes the specifically vulnerable functions. This is done by combining advisory data (affected function/class when available) with static analysis of the codebase. The output is a classification: exploitable, present-but-not-reachable, needs-manual-review. For exploitable findings, the agent evaluates the upgrade path (semver, breaking changes documented in the package changelog, existing tests) and, if risk is low, opens a PR with the update.
The agent maintains a map between target framework controls and verifiable artifacts in the repository: branch protection rules, CI workflow code, PR review policies, secret scanning configuration, etc. When the auditor requests evidence for a specific control, the agent assembles the package: configuration snapshot, examples of PRs that demonstrated the control in action, relevant logs, and a narrative of how the control is implemented in that particular stack.
Defines an acceptable license policy (e.g. permissive licenses OK, weak copyleft with review, strong copyleft blocked in proprietary code). The agent validates on each PR, and for ambiguous cases — custom licenses, dual-licensing, modified licenses — performs analysis of the actual license text against the policy.
Secure SDLC, dependency management, vulnerability disclosure, incident response. The agent drafts policies aligned with what the team actually does — extracted from the repo and observable processes — rather than generic templates. Policies are versioned alongside the code and regenerated when underlying practices change.
15 years building enterprise software for clients in MX, US, and UK. Deep stack in .NET, infrastructure, and multi-agent orchestration (Semantic Kernel, MCP, custom systems).
We are not a generalist AI consultancy — we are engineers who have spent years in production systems and built these tools because we needed them ourselves first.
We review your current stack, your target compliance frameworks, and evaluate whether a deep agent implementation makes sense for your case. If your volume does not justify it or your stack is not compatible, we will tell you directly.