Resources

Guides for CRA-ready product security.

Practical guides for Cyber Resilience Act readiness, SBOM evidence, vulnerability review, remediation tracking, and retained product-security records.

Start here

Three guides to understand the evidence workflow.

Follow the path from CRA readiness context into SBOM evidence and vulnerability review history.

01

CRA readiness

What the Cyber Resilience Act means for software product teams

Understand CRA readiness, product-version evidence, SBOMs, vulnerability handling, remediation history, and the 2026/2027 readiness timeline.

For product security, compliance, and engineering teams · 10 min read

02

SBOM evidence

How SBOMs support CRA readiness

Learn how CycloneDX and SPDX records become useful evidence when they are validated, linked to product versions, retained, and connected to vulnerability review.

For engineering and product security teams · 8 min read

03

Vulnerability review

Why vulnerability review needs evidence history

See how CVE triage, ownership, SLA pressure, review decisions, and remediation updates become retained product-security evidence.

For product security and compliance teams · 9 min read

Workflow mapping

From guide to workflow

Each guide maps to a part of the CRA Ledger evidence workflow.

CRA readiness

Understand product-version evidence and readiness timelines.

Product mapping: Product-version records

SBOM evidence

Learn how CycloneDX/SPDX records support retained evidence.

Product mapping: SBOM intake and component records

Vulnerability review

Connect CVE triage, ownership, and remediation decisions.

Product mapping: Finding review and evidence history

Readiness output

Prepare structured evidence summaries for internal and customer reviews.

Product mapping: Readiness reporting

Resource library

Continue with practical guides and workflows.

The first path covers the evidence basics. These resources go deeper on retained records, manufacturer coordination, formats, and operating workflows.

Product security evidence

Product security evidence checklist

A practical checklist for artifacts, decisions, activity history, and product-version records.

For release and compliance reviews · 6 min read

CRA readiness

How manufacturers can prepare product-security records for CRA

How product-version records, SBOM retention, and vulnerability handling support readiness workflows.

For manufacturers and compliance leads · 7 min read

SBOM evidence

CycloneDX vs SPDX for CRA readiness workflows

How supported SBOM formats can feed intake, normalization, vulnerability review, and retained evidence.

For SBOM and platform owners · 6 min read

Vulnerability review

Vulnerability remediation evidence checklist

A structured process guide for tracking vulnerability remediation, SLA targets, and retained evidence.

For engineering and product security teams · 6 min read

Release readiness

Release readiness evidence checklist

Chronological release checklists to prepare structured security evidence before release reviews.

For product security and compliance leads · 7 min read

SBOM evidence

SBOM management for product teams

How product leads and engineering leads can organize software component ingestion and retention.

For product managers and engineering leads · 6 min read

Topics covered

CRA Readiness, SBOM Evidence, Vulnerability Review, Product Security Evidence, Release Readiness, Guides & Checklists

Next step

Turn CRA readiness guidance into an evidence workflow.

Join early access or book a focused walkthrough of the SBOM-to-evidence workflow.