The company that asks the question most software teams can't answer: what, exactly, is inside the code and AI you ship?
It is 2026, and the average application is less written than assembled. Hundreds of open-source libraries, a few vendor components, maybe an AI model dropped in last quarter that nobody fully vetted. When something breaks - or worse, when something is breached - the first question is the hardest: what is actually in here? Manifest exists to make that question boring. Its platform builds and maintains a live bill of materials for every piece of software and AI an organization builds or buys, so the answer is already on the screen before anyone has to panic.
Manifest is a software and AI supply chain security company. It generates, imports, enriches and monitors SBOMs (Software Bills of Materials) and AIBOMs (AI Bills of Materials), then turns that inventory into something useful: vulnerability alerts, vendor risk scores, license tracking and compliance evidence. The pitch is almost suspiciously simple. Know what's inside.
It's no longer acceptable to deploy software or AI without knowing what's inside.
Modern software supply chains are a polite fiction. Everyone agrees they're risky, and almost no one can draw a map of theirs. The industry learned this the expensive way - SolarWinds showed that a trusted vendor's build pipeline could be poisoned, and Log4j showed that the dangerous component could be buried three dependencies deep, unknown to anyone until it wasn't. Regulators noticed too: U.S. federal guidance following Executive Order 14028, FDA premarket requirements for medical devices and the EU Cyber Resilience Act have each pushed the SBOM from nice-to-have toward required.
The trouble is that a bill of materials, left alone, is just a spreadsheet that ages badly. It records what was inside on the day it was generated and says nothing about the morning a new CVE drops. The inventory itself barely changes between releases; what changes is the advisory data it has to be matched against, so the comparison has to be rerun continuously rather than the document reread. Then AI arrived and made the gap worse: models pulled from public hubs, with training data and provenance that few teams can account for. A black box inside a black box.
Deploying software without visibility is like buying a house without an inspection or maintenance records.
Translation: you can absolutely buy that house. You just shouldn't be surprised by what's living in the walls.
Manifest's founders did not arrive at supply chain risk from a whiteboard. Marc Frankel and Daniel Bardenstein came out of Palantir and national security work, where tracing a breach back to a single rogue software component meant lost time, lost money, and a lot of late nights. They had lived the problem from the response end. The bet they made was that the same pain could be turned into a discipline: if you maintain transparency continuously - before the incident - the panic-driven forensics mostly disappears.
Sets the company's direction and its blunt thesis that shipping blind is no longer acceptable.
Brings the Pentagon-and-Palantir engineering lens to building transparency at scale.
Part of the founding team that turned lived breach pain into a product.
FIG. 2 - Three people who decided the bill of materials deserved better than a forgotten tab in a spreadsheet.
Manifest isn't a one-time scan. It's a system of record for everything inside your software and AI, refreshed as the world changes. Generate or import an SBOM, enrich it, watch it, and let the platform tell you the moment a component becomes a liability. Then do the same for the AI models nobody can quite account for.
Generate, import, enrich and share Software Bills of Materials across the full lifecycle.
Inventory GenAI models, track provenance and enforce governance with an AI Bill of Materials.
Find and fix supply chain vulnerabilities, including the post-launch ones everyone forgets.
Real-time risk insight on third-party and supplier software before you trust it.
Continuous CVE monitoring, prioritization and automated response workflows.
Watch OSS components, licenses and risk across every library you depend on.
Automate and maintain SBOM and supply chain compliance with government and industry rules.
FIG. 3 - Seven modules, one stubborn idea: an inventory you forget about isn't an inventory, it's a liability.
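As an added illustration of the two points made above, that a bill of materials ages because the inventory stays fixed while the advisory data moves, and that the modules amount to a generate, enrich, watch loop, the Python below re-matches one constructed CycloneDX-style SBOM against two snapshots of a constructed vulnerability feed and reports only the matches that are new since the previous check. This is example code written for this page, not Manifest's software and not its data model; the SBOM, the package names, the version ranges and the VULN-000n identifiers are all invented, and version comparison is deliberately reduced to dotted integers.

```python
"""Re-evaluate a static SBOM against a changing vulnerability feed.

Added example, not Manifest's code. The component list never changes between
the two checks; only the advisories do, and that difference is the alert a
one-time scan can never raise. Every input below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM (a minimal subset of the real schema).
# "purl" values follow the package-url format; names and versions are invented.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"timestamp": "2026-01-10T09:00:00Z"},
    "components": [
        {"type": "library", "purl": "pkg:maven/com.example/logging-core@2.14.1"},
        {"type": "library", "purl": "pkg:npm/example-parser@1.3.0"},
        {"type": "library", "purl": "pkg:pypi/example-http@0.9.5"},
        {"type": "machine-learning-model",
         "purl": "pkg:huggingface/example-org/example-model@1.0"},
    ],
}


@dataclass(frozen=True)
class Advisory:
    vuln_id: str     # constructed identifier, not a real CVE
    package: str     # purl without the @version part
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)


# Two snapshots of a constructed feed: the day the SBOM was generated, and a
# later morning after two more advisories landed.
FEED_DAY0 = [
    Advisory("VULN-0001", "pkg:pypi/example-http", "0.9.0", "0.10.0"),
]
FEED_LATER = FEED_DAY0 + [
    Advisory("VULN-0002", "pkg:maven/com.example/logging-core", "2.0.0", "2.15.0"),
    Advisory("VULN-0003", "pkg:npm/example-parser", "1.3.0", "1.3.2"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare dotted numeric versions as integer tuples (2.14.1 < 2.15.0).
    Pre-release tags and ecosystem-specific ordering are out of scope here."""
    return tuple(int(p) for p in v.split("."))


def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:npm/foo@1.2.3' -> ('pkg:npm/foo', '1.2.3')."""
    package, _, version = purl.rpartition("@")
    return package, version


def affected(component_purl: str, adv: Advisory) -> bool:
    """True when the component's version falls in [introduced, fixed)."""
    package, version = split_purl(component_purl)
    if package != adv.package:
        return False
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def match(sbom: dict, feed: List[Advisory]) -> Dict[str, List[str]]:
    """Map each affected component purl to the advisory ids that hit it."""
    hits: Dict[str, List[str]] = {}
    for comp in sbom["components"]:
        ids = [a.vuln_id for a in feed if affected(comp["purl"], a)]
        if ids:
            hits[comp["purl"]] = ids
    return hits


def newly_affected(sbom: dict, old_feed: List[Advisory],
                   new_feed: List[Advisory]) -> Dict[str, List[str]]:
    """Advisories that match now but did not at the previous check.

    This delta is what a continuous monitor alerts on; the SBOM itself is
    identical in both calls, so regenerating it would change nothing."""
    before, after = match(sbom, old_feed), match(sbom, new_feed)
    delta: Dict[str, List[str]] = {}
    for purl, ids in after.items():
        new_ids = [i for i in ids if i not in before.get(purl, [])]
        if new_ids:
            delta[purl] = new_ids
    return delta


if __name__ == "__main__":
    print("day 0:", match(SBOM, FEED_DAY0))
    print("later:", match(SBOM, FEED_LATER))
    print("new since day 0:", newly_affected(SBOM, FEED_DAY0, FEED_LATER))
```

Run as a script, the first check finds one hit, the second finds three, and the delta names the two that appeared without a single byte of the inventory changing. A production monitor would replace the constructed feed with advisory data keyed by purl and would need proper version semantics per ecosystem; the shape of the loop, match then diff against the last result, is the part that matters.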
You can tell a lot about a security company by who trusts it with the scary stuff. Manifest's roster leans toward organizations where an unknown component isn't an inconvenience but a headline: the U.S. Air Force, the Department of Homeland Security, and Fortune 500 enterprises in automotive, defense, medical devices and financial services. These are buyers with auditors, regulators and adversaries all watching at once.
FIG. 4 - A small team, a large blast radius. Mission-critical work tends to run lean.
The same idea that runs manufacturing - know your parts - finally arrives for software and AI.
Manifest's stated mission is to uncover risk in the software and AI you build and buy. Underneath that is a quieter ambition: to make supply chain transparency so routine that nobody calls it a feature anymore. The grocery aisle has had ingredient labels for a century. Cars have had recall systems for decades. Software, somehow, has run on trust and crossed fingers. Manifest is betting that era is ending - partly because customers demand it, partly because regulators are writing it down.
There's a neat irony in the work. The most advanced AI systems on earth are being deployed by organizations that can't always tell you what's inside them. Manifest's job is to be the unglamorous adult in the room, handing over the manifest before anyone signs for the cargo.
Every new AI model dropped into production is another component with murky origins. Every regulation tightening around software bills of materials moves transparency from optional to mandatory. The market Manifest is building for isn't shrinking - it's compounding, one dependency and one model at a time. The company's bet is that the organizations who can answer "what's inside?" instantly will simply outlast the ones still searching for the spreadsheet.
So go back to the security team from the opening scene, the one staring at a breached application with no ingredient list. With Manifest, the scene changes. The bill of materials is already there. The vulnerable component is already flagged. The vendor's risk is already scored, and the compliance evidence is already filed. The panic never starts, because the answer was waiting. That's the whole point - and it's a duller, far better way to run a software supply chain.
Know what's inside. Then nothing inside can surprise you.