OpenSource Risk Experts
Map your blast radius

ASSESSMENT

Map your open source blast radius.

Map your open source blast radius before a license change becomes an audit finding. We trace every relicensed or restricted component you run, direct and transitive, and size the exposure each one creates. You leave with a dependency tree you can defend to a vendor, an auditor, or your board.

Book a confidential assessment

01 / TRACE

Find every exposed node

We walk the full dependency tree and flag each component whose license has changed since you adopted it, including the transitive ones you never chose directly.

02 / SIZE

Quantify the exposure

We translate each finding into financial and operational terms, so the blast radius reads as a number your board understands rather than a list of package names.

03 / CONTAIN

Plan the response

For each exposed node you get a clear option set: fork, remove, or negotiate, each costed, so the path you choose holds under scrutiny.

Why the blast radius is bigger than one package

A relicensed component is rarely a leaf. It sits inside build pipelines, base images, internal platforms, and customer-facing services. When a project changes terms, the risk does not stay where the package name appears in a manifest; it spreads to everything that depends on it. To map your open source blast radius is to follow that spread to its edges, so the question stops being which package changed and becomes which systems are now exposed and by how much.

The recent wave makes this urgent. HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License 1.1 as of August 2023. Redis moved to a dual Redis Source Available License and Server Side Public License model as of March 2024. Elasticsearch and Kibana moved to the Server Side Public License and Elastic License in 2021, and MongoDB moved to the Server Side Public License in 2018. Source available is not the same as open source, and none of these are approved by the Open Source Initiative. Each move can apply to software already running in your production estate.
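As an added illustration, not tooling from this page or the assessment itself, the Python below walks a small constructed dependency inventory in reverse to compute each relicensed component's blast radius, split into direct and transitive dependents, and ranks the findings by size. The service names, edges and adoption-time licenses are assumptions made for the example; the destination licenses follow the moves described above.

```python
from collections import defaultdict

# Constructed sample inventory, not a real estate: "dependent: [dependencies]".
DEPENDS_ON = {
    "checkout-service": ["session-cache", "search-api"],
    "billing-service": ["session-cache"],
    "reporting-service": ["search-api"],
    "ci-pipeline": ["terraform"],
    "session-cache": ["redis"],
    "search-api": ["elasticsearch"],
}

# (license when adopted, license now); adoption-time values are assumed here.
LICENSE_HISTORY = {
    "terraform": ("MPL-2.0", "BUSL-1.1"),
    "redis": ("BSD-3-Clause", "RSALv2 / SSPL-1.0"),
    "elasticsearch": ("Apache-2.0", "SSPL-1.0 / Elastic-2.0"),
    "session-cache": ("MIT", "MIT"),
}

def reverse_edges(depends_on):
    """Invert the graph: dependency -> set of nodes that depend on it."""
    used_by = defaultdict(set)
    for dependent, deps in depends_on.items():
        for dep in deps:
            used_by[dep].add(dependent)
    return used_by

def blast_radius(component, depends_on):
    """All nodes that reach `component`, split into direct and transitive."""
    used_by = reverse_edges(depends_on)
    direct = set(used_by[component])
    seen, stack = set(), list(direct)
    while stack:  # follow reverse edges out to the edges of the estate
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(used_by[node])
    return {"direct": direct, "transitive": seen - direct}

def rank_exposure(depends_on, license_history):
    """Relicensed components as (name, adopted, current, size, radius), largest first."""
    findings = []
    for comp, (adopted, current) in license_history.items():
        if adopted != current:
            radius = blast_radius(comp, depends_on)
            size = len(radius["direct"]) + len(radius["transitive"])
            findings.append((comp, adopted, current, size, radius))
    return sorted(findings, key=lambda f: (-f[3], f[0]))
```

Components whose license has not changed (here `session-cache`) are filtered out, while the services that only reach `redis` through it still appear as transitive exposure.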

What you receive

The assessment delivers a complete dependency tree with the current license state of each node, a ranked list of findings ordered by exposure, and a costed option set for the highest risk items. It is confidential and buyer side. We are paid only by you, so the findings are written to serve your decision and no one else's. This work is the foundation for our full set of open source license risk services, and it grounds the wider discipline of open source license risk management.

Where to go deeper

If a specific project is driving your concern, start with the relevant pillar: HashiCorp and Terraform licensing, the Redis and Elastic database license changes, or the broader pattern of relicensing exposure. To see how the mapping plays out in practice, read our case studies.

COMMON QUESTIONS

Questions buyers ask.

What does it mean to map your open source blast radius?

To map your open source blast radius is to trace every place a relicensed or restricted component runs, direct and transitive, and size the exposure each one creates. The result is a dependency tree that shows exactly what a license change touches across your estate.

Why does the blast radius matter after a relicense?

A single relicensed component rarely sits alone. It is wired into pipelines, images, and downstream services. The blast radius is the full set of systems exposed by that one change, and you cannot price the risk or plan remediation until you can see it.

Which projects create the most exposure?

The largest recent moves are HashiCorp to the Business Source License 1.1 as of August 2023, Redis to the dual Redis Source Available License and Server Side Public License model as of March 2024, and Elasticsearch and Kibana to the Server Side Public License and Elastic License in 2021. MongoDB moved to the Server Side Public License in 2018.

Is the assessment confidential?

Yes. The open source license risk assessment is confidential and buyer side. We are paid only by you, and the findings belong to you.

Is this legal advice?

No. This is commercial and licensing risk advisory, not legal advice. For interpretation of license terms and compliance, we recommend your own counsel.

CONTAINMENT

Map your blast radius before it spreads.

A confidential open source license risk assessment. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.

Independent, confidential, buyer side. See how buyers contained their exposure →
