Path two · Do it yourself
Founding programme · a few teams at a time

Firmproof

BY ACEMAN

The compliance-evidence platform that proves it from your build. Send Firmproof the firmware you already produce and get the evidence the CRA asks for. It works with Yocto, Zephyr, Cargo, or any SBOM you can export, and it is being built in the open with its founding members.

SBOMs generated and maintained from your real build, not typed into a form
Your components watched against NVD, OSV and GitHub advisories, including the ones with no CVE identifier at all
A triage workflow with an audit trail: the vulnerability-handling record Annex I requires
Evidence packs and the 24/72-hour reporting workflow, ready before you need them
Founding places are limited and onboarded personally: your first gap report is free, and founding pricing is locked before public launch.
Rather have it done with you? Every readiness assessment includes three months of Firmproof. Want your team to master the underlying skills? That’s the Academy.
Questions

Firmproof, answered plainly.

Firmproof, by Aceman, is our compliance-evidence platform. It generates SBOMs from your actual build, watches your components against vulnerability databases (including components that have no CVE identifier), runs your triage workflow with a tamper-evident audit trail, and assembles the evidence packs the CRA requires. It is in its founding programme: we onboard a few teams at a time, run their first SBOM through the platform together, and lock founding pricing before public launch.

Three ways, one destination. If you need it done and have no security-firmware capability in-house, start with the readiness assessment and we build it for you. If your engineers will own compliance, request a founding place with Firmproof and get your first gap report from your build. If you are building the skill itself, join the Academy. The two-minute readiness check will point you to the right one.

The firmware. Secure boot, signed and recoverable updates, a software bill of materials from the build, and a working vulnerability-handling process are the elements many teams have no one in-house to own. They’re also exactly what an assessor checks.

Proof from your build, not from a form.

Request a founding place: your first gap report is free, and founding pricing locks before public launch.