Orcro Limited positions itself as a software supply chain management and compliance service provider, focusing on licensing, governance, processes, tooling, and certification risks around the use of open source software. Its website clearly highlights OpenChain ISO/IEC 5230:2020 compliance and certification, code scanning and compliance reviews, DevOps integration, and support for M&A and regulatory compliance. It is not a traditional firewall, EDR, or cloud security product; instead, it is closer to an “open source compliance / SCA governance / software supply chain risk” consulting and certification service.
In terms of protection scope, Orcro mainly helps reduce risks such as open source license violations, lack of transparency in software composition, failed supply chain due diligence, and regulatory technology exposure. Its services cover requirements related to SBOM generation, and it also notes that SBOMs can support vulnerability management. Deployment is not delivered as a standard software product; rather, Orcro works with a client’s existing DevOps pipeline and tools to design, configure, and implement processes. Its integration capabilities appear strong: the site mentions experience with tools and communities such as Black Duck, Flexera, Mend.io, FOSSology, Quartermaster, and SPDX, making it suitable for organizations that have already invested in SCA but are not getting the desired results.
On the compliance side, Orcro is an OpenChain Partner and states that it is the UK’s first recognized provider of ISO/IEC 5230:2020 compliance certification. It also cites legal and professional certification backgrounds related to Black Duck and Flexera. Pricing is not published as packages or starting rates. The website says it first seeks to understand the customer’s business culture, risk appetite, and budget before providing a detailed cost estimate, so its pricing is closer to project-based or consulting-based quotes.
Its main strength is the tight combination of legal, process, and technical expertise, making it especially suitable for companies with complex open source licensing needs, strict customer due diligence requirements, or plans for M&A, fundraising, or IPO. Its approach is also relatively mature, emphasizing compliance culture, governance, and long-term processes rather than one-off scanning. The limitations are the lack of public visibility into product interfaces, SaaS capabilities, alerting mechanisms, delivery timelines, and pricing transparency. If a user simply wants to purchase an automated vulnerability scanner or runtime protection tool, Orcro is not a direct replacement.
Orcro is suitable for software vendors, buyers, regulated enterprises, multinational business teams, law firms, and professional services organizations, especially for OpenChain certification, SBOM governance, SCA tool integration, and open source due diligence in M&A. The website does not disclose access conditions from mainland China or payment methods, so these remain unknown. If local contracts, Chinese-language support, or compatibility with China’s MLPS/Xinchuang requirements are needed, further research is recommended. Alternative options include Black Duck, Mend.io, Snyk, FOSSA, Sonatype, and domestic SCA/SBOM vendors in China.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site (orcro.co.uk).
orcro.co.uk is a United Kingdom Legal & Tax provider. TG4G tracks its product information, an overall rating of 7.0/10, and a China-accessibility score of Workable.