Mosaic — asset intelligence
Mosaic consolidates IT asset, security, vendor and SBOM data from over 20 sources into an auditable asset graph. With a built-in AI layer for correlation and compliance statements. Apache 2.0, exit-ready, on-premise-capable.
One picture from over 20 sources. Mosaic brings together all relevant asset, security, vendor and compliance sources of your enterprise into a graph-based master — with a built-in AI layer for lineage, correlation and auditable statements. A data foundation for compliance and security processes, not the processes themselves.
Mosaic is the open-source asset intelligence platform from datatactics. It consolidates IT security, IT asset, vendor, crypto and SBOM-related data from all source systems of your organization into a single, auditable asset graph. Plus an AI-driven correlation and visualization layer that turns the static master into a learning graph. Mosaic delivers the trustworthy master view on which your security, compliance and risk processes only then perform reliably — and replaces none of those tools.
What Mosaic does
Multi-source consolidation. Connect arbitrary CMDB, asset, vulnerability scanner, risk, compliance and SBOM sources. Apache Camel-based middleware with configuration instead of code deployment for new sources. More than 20 standard source types are covered in the typical cyber-compliance stack.
Graph-based asset master. 13 asset types with defined relationships — from application through service, tech unit, hardware to FQDN. Searchable from business level down to infrastructure. Every piece of asset information is embedded in its context, not in isolated records.
AI correlation layer. Links tickets, changes, events and assets to one another. Makes recurring problems and drift visible, suggests patterns, visualizes relationship clusters. The static master becomes a learning graph — without that becoming its own ML project.
Specialized use cases on top. On the same data foundation, modules with their own depth run — cryptography inventory with CBOM and post-quantum readiness, and SBOM tracking with Dependency-Track integration for software supply-chain visibility. Both modules use the same asset graph, the same interface services, the same AI layer.
A cross-cutting property across all capabilities: configuration over codebase. New data sources, new asset types, new scoring logic come via configuration in Apache Camel routes — no code deployment, no release cycle.
In productive use
The productive implementation has been running for several years in a cyber-compliance program in 24/7 operation. Mosaic is the group-wide asset master for IT security and IT asset management there, the data foundation for the Cyber Defence Center and all ISO teams, middleware between vulnerability scanners, ticketing system and risk-management tools — and the source for compliance statements in DORA, NIS-2 and ISO 27001 audits. The lessons learned from this program have flowed into the current platform structure.
Open source and entry
Mosaic runs on Apache Camel and JanusGraph — both open-source standards with active communities. No platform licenses, no vendor lock-ins, exit-ready in standard formats. You operate on-premise, in any cloud or hybrid. The asset graph stays yours: data in open formats, integration logic in Apache Camel routes, visualization in a React frontend.
The entry runs through the Tactical Assessment: 30 minutes online, an experienced engineering lead listens and gives the read still in the call. If it fits, the Architecture Sprint follows with a validated implementation plan plus a fixed-price proposal for the engineering phase.
