Continuous vulnerability evidence for CRA compliance

If you sell products on the EU market, you need a CRA (Cyber Resilience Act) evidence layer in place before the Article 14 reporting obligations take effect on 11 September 2026.

The CRA requires products to have no known exploitable vulnerabilities at release, effective vulnerability handling across the support period, and 24-hour reporting of actively exploited vulnerabilities to ENISA.

Pentest-Tools.com produces the validated technical evidence that those obligations depend on.

What does the CRA actually require?

The CRA applies to all manufacturers of hardware and software products that sell on the EU market. If you’re reading this, it probably applies to you.

Annex I, Part I, point (2): no known exploitable vulnerabilities at release

Manufacturers must place products on the market without any known exploitable vulnerabilities. This is the release-gate obligation, forcing a pre-release vulnerability assessment with evidence.

Annex I, Part II, point (7): regular security testing

Products require effective and regular tests and reviews of the security of the product. Auditors and notified bodies expect to see the testing cadence and example test results, not just a written policy.

Article 13(8): vulnerability handling across the support period

Manufacturers must handle vulnerabilities effectively for the entire support period - a minimum of five years for most products. Vulnerability handling is a lifecycle obligation, not a release-time check.

Article 14: 24-hour reporting of exploited vulnerabilities

Manufacturers must report any actively exploited vulnerability, as well as any severe incident affecting product security,through ENISA's Single Reporting Platform. Manufacturers must submit an early warning within 24 hours of discovery, a full notification within 72 hours, and a final report within 14 days of releasing a corrective measure.

Where the CRA compliance evidence gap lives

The manual evidence bottleneck

GRC tools hold evidence, but only if someone puts it there. These tools don’t actually generate evidence.

Raw scans aren't audit-proof

Having a vulnerability scanner does not equal producing a validated finding, a retest, or a report. Auditors distinguish between these three things.

Point-in-time tests fail continuous audits

Manual penetration tests produce a point-in-time snapshot. SOC 2 Type II observation periods run for months, meaning a single pentest is structurally insufficient.

False positives stall remediation

Noisy scanners with false positives delay remediation evidence. Every false positive that reaches a developer queue is time not spent on real findings.

The internal asset blind spot

Scanning internal and private cloud assets - where sensitive data lives - requires a deployment model that most cloud-only scanners do not support.

How Pentest-Tools.com closes the CRA evidence loop

Evidence a vulnerability existed

Scheduled scanning lets you set assessments to run on a cadence that matches the manufacturer’s release cycle and the CRA report period. You can show that the scan ran on a defined date, you recorded the finding, and the evidence timestamp exists.

Vulnerability monitoring and diff-based alerting fires when something new appears between scheduled scans. Your evidence record shows how you handled vulnerabilities across the entire support period, not just when you ran a scan.

The Pentest-Tools.com offensive research team builds dedicated scanners for high-impact and actively exploited CVEs and publishes them to the vulnerabilities and exploits database. Once a check exists, you answer "is our product actually affected?" from a scan result, instead of manually mapping the CVE to your components - the slow, error-prone work that eats at the Article 14 response window.Monitoring then alerts you the moment that specific check flags something across your in-scope products.

The VPN Agent operates inside embedded, on-prem, or private-network deployments - you don’t need a permanent on-premises appliance per product line.

Evidence it was validated

The ML Classifier reduces false positives in scanners by 50%. This means security teams don’t waste time cutting noise or over-report detections that aren’t confirmed exploitable, and meet CRA notification requirements in the required timeframe.

Sniper Auto-Exploiter’s proprietary validation marks findings as Confirmed only when HTTP request/response data, PoC payload, or equivalent forensic artifact supports it.

Security teams can provide the technical level of evidence Annex I, Part I, point (2) demands: a validated, timestamped record proving the deployed product version was free of known exploitable vulnerabilities when scanned.

Authenticated and API scanning extends confirmation behind the login wall and across API surfaces, where the most exploitable behavior in deployed products lives. This closes the gap between "the public surface is clean" and Annex I coverage across the full product.

Evidence it was remediated

Retest workflows run a targeted test after remediation. Before-and-after comparisons confirm the fix is effective, completing the Annex I, Part II, point (3) evidence chain:

issue detected → validated → remediated → retested → closed.

Available in PDF, DOCX, or JSON formats, the final report is part of the retest workflow rather than a separate task. The output drops into the technical documentation required by Article 31 and Annex VII without manual reformatting.

Evidence the fix held

Scheduled rescans let you retest fixes during the next scan cycle. You detect any regressions and provide evidence for the entire support period.

API-triggered scans feed existing release pipelines, meaning GitHub Actions block release on critical CVEs. For Annex I, Part I, point (2) release-gate obligation, this is the control applied at the point of release, not after.

Integrations that turn Pentest-Tools.com into a CRA evidence workflow

Integrations are what turn findings into action and action into evidence.

  • Jira: remediation evidence as a workflow by-product

    Validated findings push as issues with severity, CVE reference, and PoC attachments. The vulnerability handling becomes a workflow by-product, not a separate compliance task.

  • AWS: continuous scanning across the cloud footprint

    Import EC2 and S3 assets for continuous scanning. Combined with the VPN Agent for private VPC environments, this covers the full AWS-hosted product footprint.

  • Vanta: sync evidence across parallel programmes

    Evidence syncs to 32 Vanta tests and 2 controls daily (05:00 UTC) for manufacturers running parallel SOC 2 or ISO 27001 programmes. Available on all paid plans.

  • GitHub Actions, CI/CD: block at the point of release

    Scan on every pull request or release; block on critical CVEs at the point of release.

  • Webhooks: route evidence to any endpoint

    Custom triggers on CVE, asset, CVSS, or EPSS score push results as JSON or PDF to any endpoint - evidence repository, SIEM, or product security dashboard. Scales across product lines.

  • Slack, Teams, Discord: instant Article 14 alerts

    Alert rules fire on critical findings or actively-exploited CVE detections, putting Article 14-relevant signals in front of the on-call rotation immediately.

Vulnerability validation built into the scan from the start

Pentest-Tools.com starts the verification work during the scan

As web and network scanning run, findings that can prove to be exploitable get a Confirmed label, backed by request/response data, payload traces, or a proof of concept you can examine. The rest stay unconfirmed, so you always know which is which.

When a finding needs more, validation continues in the same product

Deeper exploitation confirms real impact and also captures the evidence. Assessment and validation under the same roof means that the proof an auditor or a buyer asks for is already attached to the finding.

Built for the entire CRA product lifecycle


Unlike other security regulations that evaluate your organisation's security programme, the CRA evaluates each individual product. Market surveillance authorities want to know whether you’ve ensured each product version is free of KEVs, and whether you have kept them that way across the support period.

  • workspaces

    Evidence organized per product

    Workspaces organize evidence by product or client environment, scheduled scans run on a cadence tied to your release cycle, and vulnerability monitoring runs between scans.

  • Coverage behind the login wall

    Authenticated scanning extends coverage behind the login wall, where most exploitable behaviour lives.

  • No client-side infrastructure to rebuild

    For MSPs and security teams, each client environment gets its own VPN Agent deployment. That means there’s no client-side infrastructure to rebuild between engagements.

See how the VPN Agent works in our SOC 2 webinar


Chasing vulnerabilities manually doesn't scale across a product's five-year support period. In this live demo, our team bypasses the theory and shows how to build an automated workflow that actually fits embedded and private cloud product environments. See exactly how to uncover internal assets, validate findings, and produce the technical evidence the CRA expects, leaving the manual grind behind.

SOC2 webinar 2025

Why Pentest-Tools.com’s European origin matters under CRA

  • Exclamation triangle icon

    EU processing

    Pentest-Tools.com is ISO/IEC 27001:2023 certified and processes data in the EU. Although the CRA doesn’t require EU-resident tooling, that matters.

  • Exclamation triangle icon

    Supply-chain expectations you inherit from customers

    Manufacturers placing products on the EU market increasingly inherit the supply-chain security expectations their own customers carry under NIS2 and DORA.

  • Exclamation triangle icon

    One less category of due diligence

    When your organization becomes a vendor under these frameworks, EU-resident data processing removes a category of due diligence questions before authorities get a chance to ask.

Proof Pentest-Tools.com supports CRA compliance

  • Network scanner icon

    Benchmark-proven accuracy

    Our Network Scanner ranked #1 in a Network Scanners Benchmark for having the highest remote detection accuracy across 128 environments, against Qualys, Nessus, OpenVAS, and others.

  • Website scanner icon

    Deep application scanning

    The Website Vulnerability Scanner covers vulnerabilities like XSS, SQL injection, HTTP Prototype Pollution, Directory Traversal, and 75+ more vulnerabilities in running web applications.

  • Proven global scale

    In 2025, Pentest-Tools.com ran over 6M scans across 2000+ security teams in 119 countries, and sent tens of thousands of reports and exports to clients, teammates, and stakeholders.

  • scans icon

    Immediate, customized response

    Dedicated free scanners for actively exploited CVEs - including regreSSHion CVE-2024-6387 (OpenSSH RCE), LDAPNightmare CVE-2024-49113 (Windows LDAP), and SessionReaper CVE-2025-54236 (Magento 2 / Adobe Commerce) - are operational tools built by the in-house offensive research team, not repackaged public information.

Get the blueprint for compliance reporting

Find out how we map offensive security data directly to compliance controls.

What customers are saying

The scans run quickly and the dashboard is easy to use. I like the attack surface feature. Organizing your scans and data is very simple to follow. Being cloud-based, you can get to the tools from anywhere without lugging around a dedicated device. The ability to generate and customize reports is very helpful.

Dr. Patrick Johnson Linkedin profile

Dr. Patrick Johnson

Business Owner at True North Consulting Group

Dr Patrick Johnson photo

See the CRA evidence trail in action

Start collecting audit-ready evidence yourself, or get a personalized walkthrough for your team's complex environment.

CRA compliance FAQs

Does Pentest-Tools.com generate CRA's Annex I Part II point (1) SBOM?

No. Pentest-Tools.com is a vulnerability assessment and validation layer. It does not generate SBOMs in SPDX or CycloneDX format. Manufacturers typically pair an SBOM tool with a vulnerability assessment tool; Pentest-Tools.com is the latter.

Does Pentest-Tools.com provide the coordinated vulnerability disclosure (CVD) process the CRA requires?

No. Annex I, Part II, point (5) requires a CVD policy and an intake mechanism - typically a security.txt file and a vulnerability submission process. Pentest-Tools.com does not provide that infrastructure. It produces the validated detections that feed into a CVD process, not the process itself.

Does running scans make our product CRA-compliant?

No. The CRA requires manufacturers to demonstrate compliance with the essential requirements of Annex I, complete a conformity assessment, draw up a Declaration of Conformity, and affix the CE marking.

Pentest-Tools.com produces the technical vulnerability evidence layer that several of those obligations depend on, but it does not replace the conformity assessment process or a notified body.

How does Pentest-Tools.com support the Article 14 reporting window?

Two ways. First, our research team publishes dedicated scanners for high-impact and actively exploited CVEs, so once a check exists you get answers from scan evidence rather than manual triage. Second, monitoring and alerting (via Slack, Teams, and webhooks) surface a relevant detection the moment it appears, not on the next scheduled scan. Pentest-Tools.com does not submit Article 14 reports to ENISA on your behalf - the regulation requires the manufacturer to do that directly.

Can Pentest-Tools.com scan internal, embedded, or on-prem product environments?

Yes, via the VPN Agent, deployed inside the product environment (including via the AWS Marketplace). It gives the cloud scanner a local presence without requiring a permanent on-premises appliance.

What does a CRA evidence package from Pentest-Tools.com actually look like?

Detection, validation, remediation, and ongoing monitoring across the support period are all exportable as PDF, DOCX, or JSON with custom report templates formatted for Article 31 and Annex VII.

Does automated scanning alone satisfy Annex I Part II point (7)?

Not on its own. The regulation expects a layered testing programme: 

  • Continuous automated scanning

  • Periodic manual penetration testing

  • Threat modelling at design time 

  • Code-level analysis in development. 

Pentest-Tools.com produces the continuous automated testing evidence stream; combined with periodic manual testing, this satisfies the breadth and cadence that "effective and regular" implies.