Our Product
EU Cyber Resilience Act
compliance, automated.
The EU Cyber Resilience Act requires manufacturers to demonstrate ongoing cybersecurity governance. Kunnus automates the workflows that make that possible — without drowning your team in documentation.
What it automates
The five workflows the CRA demands.
SBOM Management
Generates machine-readable Software Bills of Materials in CycloneDX and SPDX formats for all your products and their dependencies.
Vulnerability Response
Manages the full lifecycle from discovery through coordinated disclosure — meeting the CRA's strict 24-hour and 72-hour ENISA reporting windows.
Threat Modelling
Documents cybersecurity risk evaluations per CRA Annex I requirements — structured, auditable, and always up to date.
CSAF Advisory Generation
Creates Common Security Advisory Format documents for vulnerability disclosures — the machine-readable standard expected by regulators.
ENISA Reporting
Streamlines mandatory early warnings and notifications to the European Union Agency for Cybersecurity within the required timelines.
Compliance Documentation
Generates the technical documentation required for EU declarations of conformity and CE marking — ready for auditors.
Who it's for
If you make products with digital elements, this applies to you.
The CRA covers any hardware or software product with network connectivity placed on the EU market — from IoT devices to enterprise software. The scope is broader than most manufacturers expect.
Kunnus is built to support organisations of all sizes: microenterprises and startups get dedicated guidance, while enterprises with complex portfolios benefit from workflow automation at scale.
Open source
kunnus-scanner
Apache 2.0 · Free · No account required
A free, open-source CLI tool that generates standards-compliant SBOMs across 30+ programming ecosystems. Reads your lockfiles, resolves direct and transitive dependencies, cross-references the OSV vulnerability database, and outputs CycloneDX or SPDX — in seconds.
Built on Google's osv-scalibr library — the same engine powering large-scale production vulnerability scanning pipelines. kunnus-scanner is also the scanning foundation that powers the Kunnus platform itself.
Install
brew install think-ahead-technologies/tap/kunnus
docker run --rm -v $(pwd):/workspace \
ghcr.io/think-ahead-technologies/kunnus-scanner:latest \
sbom --output /workspace/sbom.spdx.json
Usage
# Generate SBOM for current project
kunnus sbom
# CycloneDX output to a specific file
kunnus sbom --format cyclonedx-1-5 --output sbom.cdx.json
Supported ecosystems
Languages & Package Managers
OS Packages
Output Formats
Multi-architecture Docker images available for linux/amd64 and linux/arm64. GitHub Actions integration included for CI/CD pipelines.
Free resources
The most comprehensive CRA knowledge base available.
Beyond the platform, Kunnus publishes free reference material that has become a go-to resource for compliance teams and legal advisors across the EU.
CRA compliance
before the deadline.
The September 2026 vulnerability reporting deadline is closer than it looks. Start building your compliance infrastructure now.