Increasingly sophisticated adversaries have turned to the software supply chain, injecting malicious code into trusted software applications in ways that remain invisible to developers and users alike. As Hecate was a protector in Greek mythology, Sandia’s HECATE platform protects organizations by assessing the risk of commercial-off-the-shelf (COTS) applications before they enter the enterprise. Unlike other products that rely solely on the availability of source code to assess supply-chain risk, HECATE builds its software risk profile through a multifaceted approach that accumulates trust in both compiled COTS and open source software. HECATE assesses software in a system-wide context, curating a list of indicators that enables continual and repeatable measurement of software. These outputs describe a software’s execution and facilitate a full-spectrum analytic capability to aid risk owners, developers and analysts. Essentially, HECATE helps them x-ray their software. The culmination of all these features under the HECATE platform is a novel and critical capability that does not exist in the software supply chain market space today.