CRA enforcement begins September 2026 — reporting obligations start soon

Ship to the EU with Confidence.
Your OSS Due Diligence, Sorted.

We provide audit-ready security assessments for every open source component in your stack—signed by a 25-year industry veteran, mapped to CRA Annex I requirements.

The Challenge: The EU Cyber Resilience Act

Manufacturers must perform and document due diligence on every third-party component, including open source. Annex I and Recital 34 specify what that means.

  • 500+ open-source dependencies in the average commercial product
  • Each one requires documented due diligence under the CRA
  • €15M or 2.5% of global revenue — the penalty for non-compliance

The CRA Timeline

Key enforcement dates are approaching. Where does your team stand?

  • Dec 2024: CRA entered into force
  • Sep 2026: Reporting obligations begin
  • Dec 2027: Full enforcement & penalties

Penalties for non-compliance: up to €15M or 2.5% of global revenue.

How It Works

Tell Us Your Stack

Upload your SBOM or share your dependency list—we'll tell you exactly where you stand.

Receive Expert Reports

We deliver expert-assessed, audit-ready reports for every component in your stack.

Stay Compliant

Your compliance team has the documentation auditors require for CRA technical documentation (Annex VII).

Two Tiers. Clear Pricing.

Choose the assessment level that fits your component's risk profile.

Standard

$499 / component

Best for general-purpose utilities, UI frameworks, data libraries

  • CVE analysis, SAST & credential scanning
  • Ecosystem health & license analysis
  • SBOM & VEX (vulnerability exploitability) deliverables
  • Safe usage recommendations
  • Executive summary
  • Expert-signed CRA assertion

Volume pricing available for 10+ components.

Already in Our Library

Pre-assessed components ready for immediate delivery.

Why a Scanner Isn't Enough

Auditors expect professional judgment, not raw tool output.

What a Scanner Gives You

  • × Raw CVE list with no context
  • × No CRA regulatory mapping
  • × No expert review or signed assertion

What Our Reports Deliver

  • CVE analysis with reachability + VEX
  • SAST + credential scanning with expert triage
  • Expert-signed assertion — audit-ready

Don't Let a Missing Document Stall Your Product Launch.

Ensure your product is compliant and your supply chain is secure. Tell us about your stack and we'll send a proposal within 24 hours.