Embedded Security · Compliance

Your product has to pass. We make sure it does.

Aceman builds the firmware-level security, software updates and audit-ready evidence the EU Cyber Resilience Act requires, so you ship on time and compliant without hiring a security team you can’t find.

We build the engineering. The evidence comes from your build, not from a form.

The deadline

The deadline is real. The scramble is optional.

CRA reporting obligations begin on 11 September 2026; the main obligations apply from 11 December 2027. PSTI and the RED cybersecurity rules already apply today. The firmware is the hardest part, and it is the part many teams have no one in-house to own.

What this means for your product
Time until reporting obligations

11 September 2026

·
Days
·
Hrs
·
Min
·
Sec

Actively exploited vulnerabilities must be reported within 24 hours from this date.

Choose your path

One deadline. Three ways to meet it.

Every team gets there differently: some want it done, some want to own it, some want to learn it. Pick the path that matches yours, or take the two-minute check and it will point you to one.

Fastest to compliant
For teams without security firmware skills in-house

We build it for you

Readiness assessment, then we implement the secure boot, signed updates, SBOM and vulnerability handling, and hand over an audit-ready technical file.

You get: a fixed-price plan, the engineering done, an audit-ready technical file.
See the service path
Free to start
For firmware teams who want to own it

You build it, with Firmproof

Point our platform at the build you already produce. It generates your SBOM, watches your components for vulnerabilities, and assembles the evidence as you work.

You get: a founding place, your first gap report within days, and founding pricing locked before public launch.
Explore Firmproof
For engineers
For engineers making this their skill

Learn to build it

The Academy teaches the builder’s side of embedded security: the same mechanisms and evidence we deliver in real engagements, taught by the engineer doing the work.

You get: module-by-module skills, real artifacts, founding-member pricing from the list.
See the Academy
Why Aceman

We build what the auditors check.

Whichever path you take, the same discipline stands behind it: built to the standard, evidenced for the assessor, learned where firmware is not allowed to fail.

Built to the standard

Secure boot, signed updates, SBOMs and vulnerability handling, implemented to satisfy the CRA’s essential requirements rather than approximate them.

Assessor-aligned evidence

Every deliverable maps to what a notified body or test lab expects to see: the technical file, the traceability, the test reports.

Automotive-grade rigour

The discipline of the industry with the least tolerance for firmware that fails, brought to your connected product.

Insights

Field notes on building compliant firmware.

Practical, specific, and grounded in real implementations: the part most write-ups skip.

Cyber Resilience Act

What the CRA actually requires of your firmware

The thirteen essential requirements, in plain terms, and what each one means for the code on the device.

Coming soon
SBOM

Generating a CRA-ready SBOM from a Yocto build

A real walkthrough: from build metadata to a machine-readable bill of materials you can actually maintain.

Coming soon
Origin

What automotive functional safety taught me about the CRA

A career spent where firmware isn’t allowed to fail, and why connected products are about to learn the same lessons.

Coming soon

Ship it secure. Skip the scramble.

Two minutes tells you where you stand. The rest becomes a plan.