Quickstart process

Sign in

When you create your account, you’ll automatically be enrolled in multi-factor authentication (MFA), also known as two-factor authentication (2FA). This means that you’ll need to provide a code from an authentication app. If you don’t already have an authentication application installed on your smartphone, you’ll need to choose one (e.g., Google Authenticator).

You’ll receive a welcome email, inviting you to sign in to your Helm account.
After signing in, you’ll be prompted to enable your MFA for security. At that time, you’ll be provided with recovery codes in case your phone is lost or stolen. Make sure to copy and paste these recovery codes into a safe place.
When you first sign in and until you’ve uploaded your first SBOM, you’ll see a get started prompt. Choose the path that best suits you. If you accidentally closed that get started modal, don’t worry. You can always access it from Help item in the sidebar.

Need to use SSO? Helm supports Single Sign-On (SSO) if you have an identity provider set up on your end. to enable this on our end.

Step 1: Upload your Software Bill of Materials (SBOM) file:

Got an SBOM ready? to Helm.

Don’t have an SBOM yet? We've got you covered:

to use our SBOM generation tool.
Generate a or using our open-source tool suggestions.
Manually create your SBOM.
If you’re still unsure how to get started, so we can assist you.

Your component list should automatically refresh as your SBOM is being processed. If you don't see any components showing, check the .

Step 2: Ensure all of your components are matched to known software in the NVD

Once you’ve uploaded your SBOM, Helm will try to match your components to the NVD (National Vulnerability Database). Only components that are matched to the NVD will show vulnerabilities.

To view vulnerabilities for components that are Matched to NVD, click Vulnerabilities in the sidebar. This will display all vulnerabilities for these components.

To resolve other match statuses, click each status badge to start the resolution process.

For components that have a , but no NVD badge, this could indicate that there are no published vulnerabilities for those components. However, components can also be named differently in the NVD, so you should check the NVD to see if there actually is a match.
Try to , as this indicates Helm was unable to find a match in the NVD.
When you determine the appropriate matches, for each component so that these will be auto-matched for all future SBOMs.

Step 3: Helm auto-enriches your data for enhanced vulnerability identification accuracy (Automatic)

There are many ways that Helm auto-enriches your data, including:

If we identify inaccurate CPEs or PURLs in your SBOM, Helm will automatically attempt to provide an enriched CPE or PURL that matches to the correct software. You can or your .
Helm will automatically update vulnerabilities with severity, exploitability, and source information.
Helm will automatically update components with source information.
For Windows vulnerabilities, Helm provides Windows KB patch recommendations.

You can also prompt Helm to auto-enrich information:

to auto-update support level and EOS/EOL across all products.
to automatically add missing licenses for any components that do not already have associated licenses. Helm does not overwrite existing licenses.

Step 4: Prioritize your most exploitable vulnerabilities

. You can receive daily, weekly, and/or monthly updates.
across your selected product version. If desired, you can also .
.
Enable the Date updated to keep track of updated vulnerabilities. You can to view these updates.

Step 5: Patch Windows vulnerabilities with WinKB recommendations

If you already know which Windows KBs to add to your digital product, you can .
To patch individual vulnerabilities, KB patch to Patch available. You can view these across all products or select a product version.
.

Step 6: Remediate vulnerabilities

You can remediate with CycloneDX and/or CycloneDX VEX statuses.

vulnerabilities within a product, across products, or target a particular component's vulnerabilities with the click of a button, enabling you to speed triage and ensure remediation consistency of particular vulnerabilities across your product portfolio.
If desired, .

Step 7: Monitor your progress on your dashboard (Optional)

Quickly identify threats and track your progress on your , accessible via the Home icon on the sidebar.

Quickly prioritize and remediate threats to your most impacted products and components
Zero in on critical vulnerabilities
Track progress on vulnerabilities you still need to remediate

Step 8: Export your FDA SBOM or other FDA-ready reports

Export your to ensure a smooth FDA submission.
Export .
Export or .

Integrate to your CI/CD process (Optional)

API: to automate many tasks, such as creating product versions, uploading SBOMs, returning all vulnerabilities and generating reports, as well as returning only unmatched components or only CISA KEV vulnerabilities.
GitHub: your CI/CD process or use it independently to automate product version creation and SBOM uploads.

Check whether you are impacted by a particular vulnerability (Optional)

, and if so, which products you'll need to focus on. Just enter the vulnerability ID in the global search bar at the top of any page.

Check whether your products contain a particular component (Optional)

Check, and if so, which ones. Just enter the component name in the global search bar at the top of any page.