Compliance, engineered. A red-team approach for the Cyber Resilience Act.

We guide embedded and software product teams through the complexities of the CRA with proactive security and engineered compliance.

Three services.
One outcome: conformity.

11.12.2027 (EU) · CRA full application · Art. 71

Posture not paperwork.

Regulation (EU) 2024/2847, the Cyber Resilience Act, turns cybersecurity from a discretionary investment into a CE-marking prerequisite. From December 2027, every product with digital elements sold into the Union must demonstrate a posture: not a checklist, but a way of building, shipping and tending to software.

For the embedded teams we work with, this is the largest change since the Machinery Directive. It pulls in firmware, bootloaders, cloud companions, mobile apps, and every dependency in the SBOM. It is not satisfied by a one-off audit.

"Manufacturers must take cybersecurity into account in the planning, design, development, production, delivery and maintenance phase." Article 13 · Essential requirements

What the regulation actually requires is humbler than it sounds. A documented threat model. Secure defaults out of the box. A coordinated vulnerability disclosure policy with a real inbox behind it. A 24-hour incident reporting line to ENISA. Quarterly attention to your own SBOM. None of it is exotic; almost none of it is on the shelf in most embedded shops today.

Our brief to you, then, is straightforward. Start the file now. Build the posture around it. By the time enforcement begins, the compliance binder should be a side effect of how you already work, not a sprint to the deadline.

A clean four-step path.

01/ Scope

We classify your product against CRA Annex III and agree on the conformity route.

02/ Assess

Threat model, code & firmware review, and adversarial testing against the live device.

03/ Document

Technical file, SBOM, risk register, disclosure policy, and more.

04/ Sustain

Readiness tests and post-market surveillance planning to ensure ongoing compliance through the product's expected lifetime.

Send us your SBOM.
We'll send back a plan.

A 30-minute call. A clear scope. No pitch deck.