High-density Evaluator of COTS Applications for Trust and Efficacy (HECATE)
Established in 1963, the R&D 100 Awards is the only S&T (science and technology) awards competition that recognizes new commercial products, technologies, and materials that are available for sale or license for their technological significance. The R&D 100 Awards, celebrating the program's 60th Anniversary this year, has long been a benchmark of excellence for industry sectors as diverse as telecommunications, high-energy physics, software, manufacturing, and biotechnology. This 2022 R&D 100 winner is listed below, along with its respective category.
Category: Software/Services
Developers: Sandia National Laboratories
United States
Product Description: Recent advances in adversary sophistication have led to targeting the software supply chain to inject malicious code into trusted software applications, subverting visibility for developers and users alike. As Hecate was a protector in Greek mythology, so is Sandia’s HECATE platform, protecting organizations by assessing the risk of commercial-off-the-shelf (COTS) applications before they enter the enterprise. Unlike other products that rely solely on the availability of source code to assess supply-chain risk, HECATE’s rigor in generating a software risk profile is amplified through a multifaceted approach that accumulates trust in both compiled COTS and open source software. HECATE assesses software from a system-wide context, curating a list of indicators that enables continual and repeatable measurement of software. These outputs describe a software’s execution and facilitate a full-spectrum analytic capability to aid risk owners, developers and analysts. Essentially, HECATE helps them x-ray their software. The culmination of all these features under the HECATE platform is a novel and critical capability that does not exist in the software supply chain market space today.

Block diagram depicting the operational flow of the HECATE platform.