EU Cyber Resilience Act · Regulation (EU) 2024/2847
Drop your firmware. See what the EU will ask you about.
From December 2027 every product with digital elements sold in the EU needs a machine-readable SBOM and documented vulnerability handling — reporting starts September 2026. Source scanners never see the shipped artifact. We read it directly.
Anonymous uploads join the public corpus. Shipping proprietary firmware? Talk to us first and we’ll set up a private workspace before you upload anything.
router_fw_v2.4.1.img · 24.1 MB · squashfs
└─ squashfs-root/
→ SBOM 47 components · 12 CVEs · 1 secret · machine-readable export
The readiness check
Six answers, straight from the shipped artifact.
Each one maps to an obligation in the regulation — and each one comes from reading the binary, so it’s true for what you actually ship, not for what your build manifest claims.
Component inventory (SBOM)
Every bundled library identified — even in stripped, statically-linked binaries — via five signature surfaces, exported machine-readable.
Annex I §2(1) — SBOM of top-level dependencies
Known vulnerabilities
CVE attribution per component, with severity and per-CVE detail — the list you must handle and document.
Annex I §2(2) — address and document vulnerabilities
Secure-by-default posture
Hardening flags, weak mitigations, debug leftovers, and declared-vs-used privileges surfaced per binary.
Annex I §1 — secure-by-default configuration
Embedded secrets
Baked-in private keys, credentials, and tokens found in the shipped image before an auditor — or an attacker — finds them.
Annex I §1(3) — protection of data & access
Release-over-release drift
Diff two firmware versions: new components, new CVEs, changed capabilities, regressed mitigations — your update-obligation evidence.
Annex I §2(7) — security updates & disclosure
Reporting readiness
A queryable inventory across every release, so a 24-hour ENISA report doesn't start with 'what do we even ship?'
Art. 14 — report actively exploited vulns in 24h
How it works
- 01
Upload the image
Any of 91 firmware and container formats — the extractor unpacks recursively and analyzes every binary inside.
- 02
Read the report
Components, CVEs, hardening, secrets, capabilities — per binary and rolled up per image, in minutes.
- 03
Get the deliverable
The machine-readable SBOM export, the gap list against the checklist above, and the release-diff workflow for every version you ship next.
From one image to the whole estate
Compliance is the wedge.
Coverage is the win.
The engine that reads one firmware reads everything that executes. Start where the deadline is — end with a standing fingerprint of every binary in the enterprise.
One firmware image
Drop it, read the SBOM and the CVE list. Know exactly where you stand today — before an auditor or a customer asks.
Upload an image →Every release you ship
A private workspace, machine-readable SBOM exports, release diffs, and the API in CI. The core CRA obligations, handled — whether you’re the vendor, or the company holding a vendor to it.
See pricing →Every binary in the estate
All your firmware — then every binary that moves through servers, workstations, routers, and devices. A standing fingerprint of everything that executes: when the next CVE drops, “are we shipping this anywhere?” is a query, not a project.
18 months is one firmware cycle.
If the SBOM obligation lands mid-release, you’ll want the inventory before you plan the release — not after. Start with the image you ship today.