Built for the EU Cyber Resilience Act (CRA) window

Ship release evidence your security buyers actually accept.

Product-security evidence packs for EU-facing SaaS teams. From late 2027, the EU Cyber Resilience Act requires manufacturers of products with digital elements to maintain SBOMs, handle vulnerabilities, and report actively exploited issues. VulnTrail turns the artifacts your CI already produces into a signed, customer-ready evidence pack for every release.

See the workflow ->
✓ EU-hosted, single-region ✓ OpenVEX-compatible ✓ No source code stored ✓ No repository access
~/products/payments-api - vt evidence
$ vt evidence bundle \
--release 2.4.1 \
--sbom ./build/sbom.cdx.json \
--findings ./build/grype.json,./build/trivy.json \
--notes ./RELEASE_NOTES.md
 
Reading inputs...
CycloneDX 1.5 - 220 components - 198 with purl
! 3 components missing version - flagged in coverage report
Findings - 38 unique - 2 KEV - 6 above EPSS 90th pct
Hashing artifacts - sha-256, signed
Bundle ready -> evidence-2.4.1-7f3a91.vtb
size: 1.2 MB - digest: sha256:7f3a91d4...
 
$ vt upload evidence-2.4.1-7f3a91.vtb
Built for vendors fielding:

  • CRA Article 14 reporting
  • NIS2 supplier requests
  • SOC 2 vendor reviews
  • Enterprise security questionnaires
  • Customer SBOM & VEX asks
// The pattern

A buyer asks for your SBOM and CVE status. The thread sits for nine days.

Your scanners catch everything. Your team triages quietly in Slack. But every customer security review ends with someone hand-assembling a PDF that will not match the next release.

// Today

Triage lives somewhere. Evidence lives nowhere.

  • SBOMs regenerate each build but nobody saves them per release.
  • CVE decisions are buried in Jira tickets, Slack threads, and one engineer's head.
  • "Not affected" never has a written justification when the auditor asks.
  • Each customer review is a 4-hour scramble to rebuild what you knew last month.
// With VulnTrail

One bundle per release. Receipts for every decision.

  • Your CI emits a signed evidence bundle on every tag: SBOM, findings, release metadata, and hashes.
  • Reviewers attach OpenVEX-correct decisions with linked evidence and approval state.
  • Export a customer-ready evidence pack as PDF, JSON, or CSV the same day the request lands.
  • Hash-chained audit trail. Delete or export on demand. No source code uploaded.
// EU Cyber Resilience Act

The CRA enforcement window is already in your release cycle.

Regulation (EU) 2024/2847

Vulnerability handling, SBOM documentation, and incident reporting obligations land in production over the next two release cycles. The teams that wait will hand-assemble paperwork. You will not.

Sept 11, 2026 - Reporting obligations begin
Manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA's Single Reporting Platform.

Dec 11, 2027 - Full application
SBOM, vulnerability handling, secure-by-default, and conformity assessment requirements apply to products placed on the EU market.

Every release, today - Customers ask early
EU buyers and downstream integrators are already requesting SBOM, VEX, and incident-handling evidence in security reviews.
CRA Annex I Section 2(1)

Maintain an SBOM for each product.

Documented, machine-readable, covering at minimum the top-level dependencies of products with digital elements.

CycloneDX import - coverage warnings
CRA Annex I Section 2(2-7)

Handle vulnerabilities without delay.

Identify, document, and remediate with a coordinated disclosure process and free security updates for supported releases.

VEX decisions - reviewer trail
CRA Article 14

Report actively exploited vulnerabilities.

Early warning within 24 hours, vulnerability notification within 72 hours, and a final report within 14 days to ENISA's SRP.

Hash-chained timeline - export

VulnTrail organizes the operational evidence the CRA expects you to hold. It is not a conformity-assessment service and does not certify compliance. It gives your team, auditor, counsel, and customers a defensible paper trail per release.

// How it works

Local/CI-first by design. Three commands and one upload.

VulnTrail never sees your source. The CLI runs where your build runs: in CI, on a laptop, behind your firewall. We only process the artifacts you choose to send.

In your CI

Bundle release artifacts locally

The Evidence CLI validates your CycloneDX SBOM, normalizes scanner output from Grype, Trivy, OSV-Scanner, or Dependency-Track, and stamps everything with hashes and release metadata.

# .github/workflows/release.yml
- name: Generate evidence
  run: |
    vt evidence bundle \
      --release ${{ github.ref_name }} \
      --sbom ./sbom.cdx.json \
      --findings ./grype.json \
      --sign
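As an added illustration of the coverage check the CLI output above reports (components counted, how many carry a purl, which are missing a version), here is a small Python checker written for this page; it is not the VulnTrail CLI's code. It runs over a constructed CycloneDX 1.5 fragment embedded inline. The function name `sbom_coverage` and the dedupe rule (purl if present, otherwise name plus version) are assumptions; the CLI's exact rules are not published on this page.

```python
import json
from typing import Dict

# Constructed CycloneDX 1.5 fragment for the example; not real build output.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "axios", "version": "1.6.2",
         "purl": "pkg:npm/axios@1.6.2"},
        # vendored helper with neither purl nor version: cannot be matched to advisories
        {"type": "library", "name": "internal-utils"},
        {"type": "library", "name": "jwt-go", "version": "3.2.0",
         "purl": "pkg:golang/jwt-go@3.2.0"},
        # purl present but no version: advisory matching is unreliable
        {"type": "library", "name": "postcss", "purl": "pkg:npm/postcss"},
        # exact duplicate of the first entry; deduped below
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
    ],
})


def sbom_coverage(raw: str) -> Dict[str, object]:
    """Parse a CycloneDX JSON document and report how much of it is usable
    for vulnerability matching. Parse errors propagate instead of being
    swallowed, so a broken SBOM fails the build step loudly."""
    doc = json.loads(raw)  # raises json.JSONDecodeError on malformed input
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document: bomFormat=%r" % doc.get("bomFormat"))
    components = doc.get("components")
    if not isinstance(components, list):
        raise ValueError("CycloneDX document has no components array")

    unique = {}  # dedupe key -> component (assumed rule: purl, else name+version)
    for c in components:
        key = c.get("purl") or (c.get("name"), c.get("version"))
        unique.setdefault(key, c)

    with_purl = [c for c in unique.values() if c.get("purl")]
    missing_version = sorted(c.get("name", "<unnamed>") for c in unique.values()
                             if not c.get("version"))
    return {
        "spec_version": doc.get("specVersion"),
        "components": len(unique),
        "with_purl": len(with_purl),
        "purl_pct": round(100 * len(with_purl) / len(unique)) if unique else 0,
        "missing_version": missing_version,
        "duplicates_dropped": len(components) - len(unique),
    }


if __name__ == "__main__":
    report = sbom_coverage(SAMPLE_SBOM)
    print("CycloneDX %s - %d components - %d with purl (%d%%)" % (
        report["spec_version"], report["components"],
        report["with_purl"], report["purl_pct"]))
    for name in report["missing_version"]:
        print("! %s missing version - flagged in coverage report" % name)
```

A component without a purl or a version cannot be matched against advisories, so the coverage report is the honest answer to "how much of this SBOM did your scanner actually check"; surfacing those gaps per release is what keeps the evidence pack defensible.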
In the portal

Triage with VEX-correct decisions

The portal imports your bundle, dedupes findings across scanners, and surfaces KEV, EPSS, and fix availability. Reviewers attach not_affected, affected, fixed, or under_investigation with mandatory justification.

CVE-2025-30811 - KEV - high
package: pkg:npm/lodash@4.17.20
reviewer: alex@acme.co
status: not_affected
justification: vulnerable_code_not_in_execute_path
evidence: commit ab12c9f - approval ok
For your buyer

Export the evidence pack

Generate a customer-ready evidence pack: product inventory, component summary, prioritized findings, decision log with reviewers and timestamps, and a hash-chained audit trail.

PDF
payments-api - release 2.4.1
evidence-pack-7f3a91.pdf - 8 pages - signed
JSON
decisions.json
38 findings - 36 decisions - 2 open
// The product

One workspace for every release, every finding, every decision.

A workflow that survives a customer security review and the next one after that.

vulntrail.com/acme/payments-api/releases/2.4.1
products / payments-api / 2.4.1 / findings

38 findings across 220 components

Bundle sha256:7f3a91d4... - Imported from Grype 0.85, Trivy 0.55 - 2 KEV - 6 high-EPSS

Advisory          Component                      Severity  EPSS   Signal     Status
CVE-2025-30811    pkg:npm/lodash@4.17.20         High      94.2%  KEV        not_affected
GHSA-7xqp-rqcg    pkg:pypi/cryptography@42.0.5   Critical  88.1%  KEV        affected
CVE-2024-21620    pkg:golang/jwt-go@3.2.0        High      71.6%  fix avail  fixed
CVE-2025-11204    pkg:npm/axios@1.6.2            Medium    42.0%  review     under_investigation
GHSA-vmqg-72m9    pkg:npm/postcss@8.4.31         Low       6.1%   none       open
products / payments-api / 2.4.1 / findings / CVE-2025-30811

CVE-2025-30811 - lodash prototype pollution

KEV - High - EPSS 94.2% - Reviewer: alex@acme.co

OpenVEX status (required)

  • not_affected: Product is not impacted. Requires justification or impact statement.
  • affected: Impact confirmed. Action and remediation note required.
  • fixed: Patched in this or an earlier release.
  • under_investigation: Triage in progress. Default state for new findings.

Justification: vulnerable_code_not_in_execute_path
Impact statement: Lodash _.merge() is loaded but only invoked against schema-validated request bodies in the public API surface. The vulnerable code path requires attacker-controlled prototype keys, which the gateway strips before application code executes.
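To make the status rules above concrete, here is an added Python validator written for this page (not VulnTrail's portal code) that enforces them: only the four OpenVEX statuses are accepted, `not_affected` must carry a justification or impact statement, and `affected` must carry an action note. The justification vocabulary is an assumption that it matches the OpenVEX v0.2.0 specification, the statement shape in `to_openvex_statement` is an assumption based on the OpenVEX examples, and the sample decisions are constructed to mirror the records shown on this page.

```python
import json
from typing import Dict, List

# The four statuses OpenVEX defines; anything else is rejected, never mapped.
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
# Machine-readable justifications OpenVEX allows with not_affected
# (assumption: this list matches the OpenVEX v0.2.0 specification).
VEX_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def validate_decision(d: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the decision is VEX-correct
    under the rules this page states (status, justification, action note)."""
    problems = []
    status = d.get("status")
    if status not in VEX_STATUSES:
        problems.append("status %r is not one of %s" % (status, sorted(VEX_STATUSES)))
        return problems  # nothing else is meaningful without a valid status
    if status == "not_affected":
        just = d.get("justification")
        if not just and not d.get("impact_statement"):
            problems.append("not_affected requires a justification or impact statement")
        if just and just not in VEX_JUSTIFICATIONS:
            problems.append("justification %r is not an OpenVEX justification" % just)
    if status == "affected" and not d.get("action_statement"):
        problems.append("affected requires an action / remediation note")
    for field in ("vulnerability", "product", "reviewer"):
        if not d.get(field):
            problems.append("missing %s" % field)
    return problems


def to_openvex_statement(d: Dict[str, str]) -> Dict[str, object]:
    """Render one validated decision as an OpenVEX statement
    (shape is an assumption based on the OpenVEX v0.2.0 examples)."""
    problems = validate_decision(d)
    if problems:
        raise ValueError("; ".join(problems))
    stmt = {
        "vulnerability": {"name": d["vulnerability"]},
        "products": [{"@id": d["product"]}],
        "status": d["status"],
    }
    for key in ("justification", "impact_statement", "action_statement"):
        if d.get(key):
            stmt[key] = d[key]
    return stmt


# Constructed decisions mirroring the records shown on this page.
LODASH_DECISION = {
    "vulnerability": "CVE-2025-30811",
    "product": "pkg:npm/lodash@4.17.20",
    "status": "not_affected",
    "justification": "vulnerable_code_not_in_execute_path",
    "impact_statement": "_.merge() only runs on schema-validated bodies; "
                        "the gateway strips prototype keys.",
    "reviewer": "alex@acme.co",
}
# A "custom status" of the kind the page warns against.
BAD_STATUS_DECISION = dict(LODASH_DECISION, status="mitigated", justification="")
# not_affected with no written reason: exactly the gap an auditor asks about.
NO_REASON_DECISION = {k: v for k, v in LODASH_DECISION.items()
                      if k not in ("justification", "impact_statement")}

if __name__ == "__main__":
    for d in (LODASH_DECISION, BAD_STATUS_DECISION, NO_REASON_DECISION):
        print(d["status"], "->", validate_decision(d) or "ok")
    print(json.dumps(to_openvex_statement(LODASH_DECISION), indent=2))
```

Rejecting an unknown status outright, rather than mapping "mitigated" or "won't fix" onto one of the four, is what keeps the exported VEX consumable by a buyer's tooling; the human reasoning belongs in the justification and impact statement fields instead.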

Decision metadata

reviewer: Alex Park
role: Head of ProdSec
approved_by: Sam Liu (CTO)
approved_at: 2026-05-14 09:42 UTC
applies_to: 2.4.1, 2.4.0

Linked evidence

commit ab12c9f - PR #2189 - test: gateway.spec.ts - advisory GHSA-jf85 - runbook: prototype-pollution

Each link is hashed at attach time and re-checked when the evidence pack is generated.

products / payments-api / 2.4.1 / evidence pack

Export evidence pack

Generated against bundle sha256:7f3a91d4... - 36 of 38 findings have approved decisions

Include in pack

Release evidence pack
acme - payments-api - 2.4.1 - 2026-05-14
Product overview
  Product: payments-api
  Release: 2.4.1
  Bundle digest: 7f3a91d4...
SBOM summary
  Components: 220
  With purl: 198 (90%)
  Coverage warnings: 3
Findings breakdown: 38 (not_affected / fixed / affected / under_investigation)
Reviewer approvals
  Alex Park - Head of ProdSec: 28
  Sam Liu - CTO: 8
// Why teams pick VulnTrail

The release-evidence layer your scanners and your buyers were both missing.

01

No source. No tokens.

We do not hold a GitHub app, OAuth token, repository URL, source upload, or secrets. Your CI generates the bundle; we read JSON artifacts.

// scope = artifacts only
02

OpenVEX, done correctly.

Only the four valid statuses: not_affected, affected, fixed, and under_investigation. Justifications are not custom statuses.

// status in four states
03

EU-region by default.

EU-hosted infrastructure for EU tenants, with a published subprocessor list, DPA, deletion/export, and a 30-day diagnostic retention default.

// region = eu-central
04

Evidence, not opinion.

VulnTrail organizes operational evidence and reviewer decisions. It does not certify CRA, NIS2, SOC 2, or ISO 27001, and exports say so plainly.

// claims = operational
// Security & trust

A trust model you can defend to your own security team.

Every assertion in VulnTrail carries source, timestamp, actor, artifact hash, and approval state. The audit log is hash-chained and exportable. Cross-tenant access is tested, not assumed.

Tenant isolation, tested

Database-level org scoping with central authorization helpers and tests that attempt cross-tenant access.

Hash-chained audit log

Every event carries previous hash and current hash. Export the chain and verify it offline.

30-day default retention

Diagnostic bundles auto-delete after 30 days unless a subscription extends retention.

Parser hardening

Strict schema validation, size limits, content-type checks, malformed-input fixtures, and no shell execution.

audit-trail - release 2.4.1 - chain ok
event: vex.decision.approved
actor: sam@acme.co - cto
object: CVE-2025-30811 - not_affected
ts: 2026-05-14T09:42:18Z
prev_hash: a04c...91f2
cur_hash: 7f3a...d491
export: verified - offline
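The "export the chain and verify it offline" claim above is easy to check for yourself. The following is an added Python example written for this page, not VulnTrail's implementation: it builds a chain of constructed events in the shape of the record shown (event, actor, object, ts, prev_hash, cur_hash), verifies it offline, and shows what an after-the-fact edit does to the verification. The canonical serialization (sorted-key compact JSON), the all-zero genesis hash and the function names are assumptions.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first event (assumed convention)


def _canonical(event: Dict[str, str]) -> bytes:
    # Deterministic serialization: key order and whitespace must not change the hash.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_event(chain: List[Dict[str, str]], event: Dict[str, str]) -> Dict[str, str]:
    """Link a new event to the chain: prev_hash is the previous cur_hash and
    cur_hash covers the whole event body including prev_hash."""
    prev = chain[-1]["cur_hash"] if chain else GENESIS
    body = dict(event, prev_hash=prev)
    body["cur_hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    chain.append(body)
    return body


def verify_chain(chain: List[Dict[str, str]]) -> Tuple[bool, Optional[int]]:
    """Offline check of an exported chain. Returns (True, None) when intact,
    else (False, index) of the first event whose hash or link does not hold."""
    prev = GENESIS
    for i, ev in enumerate(chain):
        if ev.get("prev_hash") != prev:
            return False, i
        body = {k: v for k, v in ev.items() if k != "cur_hash"}
        if hashlib.sha256(_canonical(body)).hexdigest() != ev.get("cur_hash"):
            return False, i
        prev = ev["cur_hash"]
    return True, None


def build_sample_chain() -> List[Dict[str, str]]:
    """Constructed events in the shape of the record above; actors and timestamps are made up."""
    chain: List[Dict[str, str]] = []
    for ev in (
        {"event": "bundle.imported", "actor": "ci@acme.co - pipeline",
         "object": "evidence-2.4.1-7f3a91.vtb", "ts": "2026-05-14T08:10:02Z"},
        {"event": "vex.decision.proposed", "actor": "alex@acme.co - prodsec",
         "object": "CVE-2025-30811 - not_affected", "ts": "2026-05-14T09:31:45Z"},
        {"event": "vex.decision.approved", "actor": "sam@acme.co - cto",
         "object": "CVE-2025-30811 - not_affected", "ts": "2026-05-14T09:42:18Z"},
    ):
        append_event(chain, ev)
    return chain


def tamper(chain, index, field, value, recompute=False):
    """Return a copy with one field rewritten after the fact. With recompute=True the
    edit also refreshes that event's own cur_hash, which still breaks the next link."""
    forged = copy.deepcopy(chain)
    forged[index][field] = value
    if recompute:
        body = {k: v for k, v in forged[index].items() if k != "cur_hash"}
        forged[index]["cur_hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    return forged


if __name__ == "__main__":
    chain = build_sample_chain()
    print("exported chain:   ", verify_chain(chain))
    print("edited decision:  ", verify_chain(tamper(chain, 1, "object", "CVE-2025-30811 - affected")))
    print("edited + rehashed:", verify_chain(tamper(chain, 1, "object", "CVE-2025-30811 - affected", recompute=True)))
```

One caveat worth stating when you read such an export: the chain only binds each event to the ones before it. Rewriting the last event and recomputing its hash passes verification, so the final cur_hash has to be anchored somewhere the exporter cannot rewrite, for example in the signed evidence pack digest, for the offline check to prove the log is complete as well as internally consistent.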
// Engage

One offer. One fixed fee. One release.

Start with a paid diagnostic. Walk away with a customer-ready evidence pack you can hand to your next enterprise buyer and a clear map of every gap found along the way.

CRA-ready evidence - fixed fee

CRA Product-Security Evidence Diagnostic

We run one of your products and one of your releases end to end. You leave with the evidence pack your next enterprise security review is going to ask for plus a clear map of every evidence gap.

Price: €3,000 - €7,500
Duration: 2 - 3 weeks
Access model: Local / CI tooling - sanitized artifacts only
Deliverable: Signed, customer-ready evidence pack

// You leave with

  • Product and release inventory
  • SBOM baseline with coverage warnings
  • Vulnerability evidence snapshot
  • VEX-style triage template, populated
  • Evidence-gap report with named owners
  • Customer-facing readiness summary (PDF)
  • Hash-chained audit trail you can verify offline

After the diagnostic, the workflow stays.

Most customers do not stop at one evidence pack. They move the workflow into CI and turn it into how every release goes out the door.


Evidence for every release

The CLI moves into your CI. Every tag ships with a signed bundle and a fresh evidence pack.

90% faster on the next customer security review

A workflow your whole team runs

Add products, reviewer queues, role-based access, and approval workflows as security-review volume grows.

1 source of truth across engineering, security, and GTM

A trust posture buyers respect

SSO, advanced integrations, custom retention, customer-portal exports, and procurement-friendly contracting come later.

Win the review without overclaiming
Booking a diagnostic is the first conversation. We will map where the workflow can go for your team and your buyers.
// FAQ

Questions buyers and engineers actually ask.

Do you scan my source code or repos?
No. VulnTrail does not run a GitHub or GitLab app, does not request repository OAuth, does not accept source uploads, and does not run scanners against your code. We import artifacts your CI already produces.

Is this a CRA or NIS2 compliance certification?
No. VulnTrail organizes operational evidence the CRA expects you to hold: per-release SBOMs, vulnerability-handling decisions, coordinated-disclosure records, and a hash-chained audit trail. Every export carries that scoping note explicitly.

Why local-first instead of hosted scanning?
Your team already runs Grype, Trivy, OSV-Scanner, or Dependency-Track in CI. VulnTrail imports their output instead of duplicating the work, so no source code leaves your perimeter.

Which SBOM and scanner formats do you support?
CycloneDX JSON for SBOMs in MVP. For scanners: Grype, Trivy, OSV-Scanner, and Dependency-Track JSON. We extract purls, dedupe components per release, surface coverage warnings, and never silently swallow parse errors.

How is data handled and where is it hosted?
EU-region infrastructure by default for EU tenants. Bundles auto-delete after 30 days unless a subscription extends retention. You can export or delete data on demand.

How is this different from ASPM, Dependency-Track, or a trust center?
ASPM tools aggregate scanners across a security team. Trust centers package public-facing security pages. VulnTrail sits between them: per-release evidence packaging that turns scanner output into something a buyer's security review can accept.

Stop hand-assembling PDFs the night before a security review.

Book the founding diagnostic. We will run one release end to end and hand back the evidence pack your next enterprise buyer is going to ask for.

Read the docs
€3,000 - €7,500 fixed fee - 2 to 3 weeks - evidence pack delivered