Who it’s for: Makers of software or connected products who need a clear, technical path to CRA readiness—without turning engineers into policy writers.
What you get (deliverables)
- SBOM & vulnerability triage design: scripts and a reference workflow to generate SBOMs, match known vulnerabilities, and queue what matters. You integrate; we don’t run your pipelines.
- VEX with evidence: “affected / not affected” statements for priority issues, backed by simple proofs (e.g., code paths, configs, logs, or test IDs).
- Update integrity pack: practical evidence that only signed firmware/software runs and downgrades are blocked (tamper/downgrade attempts rejected).
- Vulnerability handling & reporting runbook: who-does-what, and ready-to-use forms for fast notifications.
- Recorded handover + one re-read: a 90-min walkthrough and one follow-up review within 30 days after you integrate.
How we work
We work with your engineers and DevOps team to design and deliver the items above. We review your existing processes and tools, identify gaps, and provide practical, stack-specific statements on which Bill of Materials components can be declared “not affected.” We provide scripts, reference workflows, and reports; your team wires them into CI/CD.
Pricing: from €35k per product.