My understanding is that it's not _just_ a tool, but a whole infrastructure around it that the clients use. So presumably, before deploying to a target, it would need to go through NSO infrastructure, so they could vet there.