diff --git a/README.md b/README.md
index 5ee1f49276a..fd7d7160d9f 100644
--- a/README.md
+++ b/README.md
@@ -46,17 +46,19 @@ The NVD API has enforced rate limits. If you are using a single API KEY and
multiple builds occur you could hit the rate limit and receive 403 errors. In
a CI environment one must use a caching strategy.
-### Sonatype OSS Index API Token Now Required for usage
+### Sonatype OSS Index mandatory authentication and migration to Sonatype Guide
-Since September 2025 Sonatype OSS Index started enforcing use of API tokens for authentication. In April 2026 a
-subsequent migration to Sonatype Guide began.
+In September 2025 Sonatype OSS Index started enforcing use of API tokens for authentication. In April 2026 a
+subsequent migration to Sonatype Guide began, kicking off a transition to use of Sonatype Guide API Tokens that are
+planned to replace the legacy OSS Index API keys/tokens before the end of 2026.
-If you wish to use Sonatype OSS Index you must configure Dependency-Check and consider implications for migration to
-Sonatype Guide. See the [analyzer documentation](https://dependency-check.github.io/DependencyCheck/analyzers/oss-index-analyzer.html)
-for more information.
+Without credentials, Dependency Check will **automatically disable the OSS Index analyzer**. Please see the documentation
+for the CLI, Maven, Gradle, or Ant integrations on how to set the analyzer credentials for use of a Sonatype Guide token
+or legacy OSS Index API key.
-Without credentials, Dependency Check will **automatically disable the OSS Index analyzer**. Please see the documentation
-for the cli, maven, gradle, or ant integrations on how to set the OSS Index credentials.
+If you wish to use Sonatype OSS Index (via Guide) you must configure Dependency-Check and consider implications for the
+migration to Sonatype Guide; whose commercial/usage model has changed. See the [analyzer documentation](https://dependency-check.github.io/DependencyCheck/analyzers/oss-index-analyzer.html)
+for more information.
### Gradle build Environment
diff --git a/pom.xml b/pom.xml
index f30ee01530a..78d746e486b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -212,7 +212,7 @@ Copyright (c) 2012 - Jeremy Long
org.apache.maven.plugins
maven-enforcer-plugin
- 3.6.2
+ 3.6.3
org.apache.maven.plugins
diff --git a/src/site/markdown/analyzers/oss-index-analyzer.md b/src/site/markdown/analyzers/oss-index-analyzer.md
index 473300dbbc2..b6de189cd8e 100644
--- a/src/site/markdown/analyzers/oss-index-analyzer.md
+++ b/src/site/markdown/analyzers/oss-index-analyzer.md
@@ -22,9 +22,8 @@ During this migration users will need to make some minor changes.
- login with OSS Index account credentials to the Sonatype Guide platform to validate your account has been migrated
- migrate OSS Index analyzer base URL to Sonatype Guide platform
- override Dependency-Check configuration OR
- - upgrade to Dependency-Check `12.2.1`+ (if using defaults)
- - review API usage within Sonatype Guide to determine whether continued free usage is possible (new API limits apply from April 28 2026 onwards)
- - consider [cache/restore of Dependency-Check's data directory](../data/cacheh2.md) between runs to retain the OSS Index cache, and reduce API load
+ - upgrade to Dependency-Check `12.2.2`+ (if using defaults)
+ - review API usage within Sonatype Guide to determine whether continued free usage is possible (new API limits apply from April 28, 2026 onwards)
- _Before_ December 31, 2026
- migrate to using a Sonatype Guide API token for authentication rather than the legacy OSS Index API token
- For **new** users
@@ -35,3 +34,15 @@ For more details on this migration see:
- [Sonatype OSS Index product page](https://www.sonatype.com/products/sonatype-guide/oss-index-users)
- [Sonatype Migration timeline](https://help.sonatype.com/en/oss-index-migration-to-sonatype-guide.html)
- [Using Sonatype Guide personal access tokens for OSS Index API](https://help.sonatype.com/en/using-guide-personal-access-tokens-with-oss-index-api-integrations.html)
+
+### Managing Sonatype Guide credit usage
+
+In contrast to the earlier completely free OSS Index solution, Sonatype Guide gives a limited number of credits on free
+accounts; and effectively charges per component report. You can review your credit usage in your Sonatype Guide account.
+
+To reduce your credit usage:
+- consider [cache/restore of Dependency-Check's data directory](../data/cacheh2.md) between runs to retain the OSS Index cache, and reduce API load
+- consider retaining OSS Index cache entries longer by extending the analyzer's `validForHours` configuration setting beyond the 24-hour default
+ - extending cache time, will reduce credit usage at the cost of slower notification about potential new vulnerabilities
+- consider reducing frequency of running OSS Index analysis on builds
+ - for example, you may want to disable OSS Index analysis on local dev or per-commit/merge CI builds, and enable only for a daily or weekly scheduled build