Sign in

EU Cyber Resilience Act · Regulation (EU) 2024/2847

Drop your firmware. See what the EU will ask you about.

From December 2027 every product with digital elements sold in the EU needs a machine-readable SBOM and documented vulnerability handling — reporting starts September 2026. Source scanners never see the shipped artifact. We read it directly.

Upload a firmware image

Anonymous uploads join the public corpus. Shipping proprietary firmware? Talk to us first and we’ll set up a private workspace before you upload anything.

firmware unpack

router_fw_v2.4.1.img · 24.1 MB · squashfs

└─ squashfs-root/

├─ bin/busybox 1.31.04 CVEs
├─ lib/libssl.so.1.1 1.1.1k3 CVEs
├─ usr/sbin/dropbear 2019.782 CVEs
├─ lib/libcurl.so.4 7.61.1EOL
├─ sbin/nvram_daemon strippedidentified
└─ etc/ssl/device.key private key

SBOM 47 components · 12 CVEs · 1 secret · machine-readable export

Sep 11, 2026Reporting obligations begin — actively exploited vulnerabilities and severe incidents must be reported
Dec 11, 2027Full obligations — machine-readable SBOM, documented vulnerability handling, CE marking
€15M / 2.5%Maximum fines — €15 million or 2.5% of global turnover, whichever is higher

The readiness check

Six answers, straight from the shipped artifact.

Each one maps to an obligation in the regulation — and each one comes from reading the binary, so it’s true for what you actually ship, not for what your build manifest claims.

Component inventory (SBOM)

Every bundled library identified — even in stripped, statically-linked binaries — via five signature surfaces, exported machine-readable.

Annex I §2(1) — SBOM of top-level dependencies

Known vulnerabilities

CVE attribution per component, with severity and per-CVE detail — the list you must handle and document.

Annex I §2(2) — address and document vulnerabilities

Secure-by-default posture

Hardening flags, weak mitigations, debug leftovers, and declared-vs-used privileges surfaced per binary.

Annex I §1 — secure-by-default configuration

Embedded secrets

Baked-in private keys, credentials, and tokens found in the shipped image before an auditor — or an attacker — finds them.

Annex I §1(3) — protection of data & access

Release-over-release drift

Diff two firmware versions: new components, new CVEs, changed capabilities, regressed mitigations — your update-obligation evidence.

Annex I §2(7) — security updates & disclosure

Reporting readiness

A queryable inventory across every release, so a 24-hour ENISA report doesn't start with 'what do we even ship?'

Art. 14 — report actively exploited vulns in 24h

How it works

  1. 01

    Upload the image

    Any of 91 firmware and container formats — the extractor unpacks recursively and analyzes every binary inside.

  2. 02

    Read the report

    Components, CVEs, hardening, secrets, capabilities — per binary and rolled up per image, in minutes.

  3. 03

    Get the deliverable

    The machine-readable SBOM export, the gap list against the checklist above, and the release-diff workflow for every version you ship next.

From one image to the whole estate

Compliance is the wedge. Coverage is the win.

The engine that reads one firmware reads everything that executes. Start where the deadline is — end with a standing fingerprint of every binary in the enterprise.

Free

One firmware image

Drop it, read the SBOM and the CVE list. Know exactly where you stand today — before an auditor or a customer asks.

Upload an image →
Pro

Every release you ship

A private workspace, machine-readable SBOM exports, release diffs, and the API in CI. The core CRA obligations, handled — whether you’re the vendor, or the company holding a vendor to it.

See pricing →
Enterprise · Fleet

Every binary in the estate

All your firmware — then every binary that moves through servers, workstations, routers, and devices. A standing fingerprint of everything that executes: when the next CVE drops, “are we shipping this anywhere?” is a query, not a project.

18 months is one firmware cycle.

If the SBOM obligation lands mid-release, you’ll want the inventory before you plan the release — not after. Start with the image you ship today.

Upload a firmware image