An open standard, in development
Software Bill of Behavior
The runtime companion to the Software Bill of Materials. Vendor-neutral, machine-checkable, designed for EU Cyber Resilience Act and NIS 2 readiness.
- prescriptive behavior
- machine-verifiable
- made for CRA & NIS 2
The standard
What SBoB is
SBoMs describe what is in the software. The Bill of Behavior prescribes what the software is intended to do at runtime — expressing intent in the form of signed YAML profiles, suitable for detection engineering, supply-chain assurance, and emerging compliance regimes (EU Cyber Resilience Act, NIS 2).
The vendor declares the behavior in a prescriptive manner. The end user verifies it. Defenders get up-to-date detection rules with every release.
Where things live today
- github.com/billofbehavior — documentation (coming soon)
- github.com/k8sstormcenter/bobctl — reference CLI (contact us for access)
- github.com/k8sstormcenter — research
Get involved
The standard is open and currently expressed as a pseudo spec. We will soon release the first draft of the specification.
Research
Sovereign Cloud Security
The Kubernetes Storm Center combines mature eBPF projects to form an adaptive detection stack with tunable signal-to-noise.
Research is currently ongoing as part of NetIdee and FFG projects, in affiliation with research partners.
- github.com/k8sstormcenter — research code & deliverables
Workshops & Training
Bring SBoB into your team
Secure AI-Coding
Practical workshop on safe AI-assisted development for engineering teams.
CRA-Readiness Check for Kubernetes
Half-day or full-day session — gap analysis against Cyber Resilience Act obligations.
Trainings are delivered by FusionCore. Interested? Write to info@fusioncore.ai.
Speaking
Conference appearances
You can book Dr. Constanze Roedig to speak at your event for a fee — write to info@fusioncore.ai.
Upcoming
- European Resilience Summit, Vienna 2026 — Open Source as Strategic Infrastructure: Enabling a Federated, Resilient Digital Europe
- Cloud Native Zurich 2026 — June 11–12, 2026
- SecurityNative Europe 2026 — Munich Edition panellist
- Cloud Native Linz — May 2026
- IKT Linz 2026 — Sept 2026
- Cloud Native Austria 2026
Past
- KubeCon + CloudNativeCon Europe 2026 workshop — Attack Defense with rich context
- KubeCon + CloudNativeCon Europe 2026 poster — Instant Anomaly Detection for Kubernetes with SBOB
- OpenSource Security Con Europe 2026
- KubeCon NA Atlanta 2025 — Multimessenger Security: Adaptive Kubernetes SOC
- KubeCon NA Atlanta 2025 panel — Security Panel
- Cloud Native Denmark keynote — BobCTL — Bill of Behavior
- DevOpsCon Munich — Resilience from Verifiable Trust
- Cloud Native Days Austria — SBoB: Bill of Behavior, Harbor and OCI
- KCD Sofia — SBoB: Bill of Behavior
- IT-Security Summit — Verifiable Trust — Bill of Behavior, Supply Chain Security
- IT Forum Wien — CloudNative Security Best Practices
About
Who builds this
The Bill of Behavior standard, the bobctl reference implementation, and the workshops above are created by FusionCore — an independent defensive-security research initiative.