Services · Done for you

The engineering that makes your product pass.

You bring the product and the deadline. We bring the security engineering: a fixed-price assessment of exactly where you stand, then hands-on implementation of secure boot, signed updates, SBOMs and vulnerability handling, in your codebase and your CI.

Fixed scope, agreed up frontUK & EU · remote-first from LeedsFounder-delivered
When teams call us

If any of these sound familiar, you’re in the right place.

You ship connected products into the EU or UK, and nobody on the team owns compliance.

A customer or distributor sent a security questionnaire you can’t answer yet.

Your product has radio and sells into the EU, but EN 18031 wasn’t part of its design. Those rules have applied since August 2025.

Updates are unsigned, or a failed update in the field can brick the device.

Nobody can produce a bill of materials for what’s actually running on the device today.

Compliance lives with one overloaded engineer, and the deadline is doing the planning.

Two or more? Take the two-minute readiness check, or go straight to booking the assessment. Either way, you’ll know exactly where you stand.
The service path

From where you are to shipped and compliant.

Three stages. Each has a fixed scope, each stands alone, and you can stop after any of them. The deadline becomes a plan instead of a panic.

01 · ASSESS

Readiness assessment

We map your product against the CRA’s essential requirements, and PSTI and RED where they apply, then hand you the plan.

  • Gap report, mapped to the regulation clause by clause
  • Prioritised remediation plan any team can run
  • A summary you can put in front of the board
  • Three months of Firmproof included
Fixed price · the report is yours to keep
02 · BUILD

Implementation

We build the mechanisms in your codebase and your CI, and write the evidence as we go, not after.

  • Secure boot for your silicon
  • Signed, recoverable software updates
  • SBOM generated from your actual build
  • Vulnerability handling & disclosure policy
  • Audit-ready technical file
In your repos · handover included
03 · SUSTAIN

Stay compliant

Compliance decays without attention. Firmproof watches your components, and we stay on hand as the standards and the threats evolve.

  • Continuous vulnerability monitoring
  • Evidence kept current, release by release
  • Support-period obligations tracked
Powered by Firmproof
Auditors verify. Paperwork tools file. We build the mechanisms, and Firmproof generates the proof from your build.Book an assessment
Have the engineers, just not the tooling? Start with Firmproof. Building the capability in-house? The Academy teaches it.
The deadline

The deadline is real. The scramble is optional.

The Cyber Resilience Act’s reporting obligations begin on 11 September 2026, and its main obligations apply from 11 December 2027. No CE marking means no sale in the EU, with fines of up to €15M or 2.5% of turnover.

And two regimes already apply today: the UK’s PSTI rules have covered consumer connectable products since April 2024, and the Radio Equipment Directive’s cybersecurity requirements (EN 18031) have applied to internet-connected radio equipment since 1 August 2025.

The firmware is the hardest part of meeting all of it: secure boot, signed updates, a bill of materials from your build, a working vulnerability process. It’s also the part many teams have no one in-house to own.

Too many teams meet this with a last-minute scramble, or with paperwork and portals detached from the product: evidence that looks like compliance but doesn’t make anything pass. There’s a better way. Build it right, in time, with evidence generated from the product itself, guided by someone who’s done it where firmware isn’t allowed to fail.
Time until reporting obligations

11 September 2026

·
Days
·
Hrs
·
Min
·
Sec

Actively exploited vulnerabilities must be reported within 24 hours from this date. Full conformity follows on 11 December 2027, and legacy products already on the market are in scope.

How it starts

From first call to a plan, without a sales gauntlet.

STEP 1

Fit call · 20 minutes

Technical, free and straight: what you ship, which rules apply, and whether we can help.

STEP 2

Fixed-price proposal

Scope, deliverables and price in writing before any work starts. No day-rate drift.

STEP 3

Assessment

The gap report and the prioritised plan. It stands alone, so you can take it to any team.

STEP 4

Build, if you want us

We implement the plan in your codebase and hand it over working, documented and evidenced.

One line we never cross: we don’t audit or certify. Notified bodies verify, and they’re barred from also building the solution. We do the engineering that makes you ready for them.
Who does the work

Built by the engineer, not handed to a bench.

Aceman is founder-led. The engineer you meet on the first call is the one in your codebase: eleven years of embedded systems, trained in automotive, where firmware is not allowed to fail.

That background matters here. Safety-critical engineering runs on exactly what the CRA now demands of everyone: traceability, disciplined process, and evidence generated by the work itself.

Meet the founder
Spec sheet
Embedded systems engineering11 YEARS
Functional-safety backgroundAUTOMOTIVE
Embedded LinuxYOCTO
RTOSZEPHYR
LanguagesC · C++ · RUST
Security mechanismsSECURE BOOT · SIGNED OTA
Evidence toolingSPDX · CYCLONEDX · CI
EducationM.ENG · LEEDS
Questions

Straight answers.

A fixed-price review that maps your product against the CRA’s requirements (and PSTI/RED where they apply), identifies the gaps, and gives you a prioritised plan to close them. It stands alone, so you can take the plan to any team, and it’s the natural first step if you’d like us to implement it. It includes three months of Firmproof.

No. Notified bodies verify and certify, and they’re barred from also building the solution. We do the engineering that makes a product pass, so you’re ready when the assessor arrives.

Vulnerability and incident reporting obligations begin on 11 September 2026, and the main obligations apply from 11 December 2027. Products placed on the EU market from that date must meet the essential requirements, and the reporting obligations also cover products already on sale.

If your product has digital elements and connects to a device or network, and you place it on the EU market, it almost certainly does. The reporting obligations cover products already on sale; anything you place on the market from December 2027 must meet the essential requirements. Some classes are treated as “important” or “critical” and may need a notified body. The readiness check is a fast way to see where you stand.

Two regimes are already in force: the UK’s PSTI product-security regime has applied to consumer connectable products since April 2024, and the Radio Equipment Directive’s cybersecurity requirements (EN 18031) have applied to internet-connected radio equipment since 1 August 2025. If your product connects and sells in the UK or EU, the odds are something already applies. The readiness check covers all three regimes.

Ship it secure. Skip the scramble.

Start with a readiness assessment: a fixed-price map of exactly what your product needs to pass.

Tell us where you are

Prefer to talk first? Book a 20-minute technical fit call (booking link coming online)

Or email directly: hello@acemansolutions.co.uk

Not ready to talk? Run the two-minute readiness check and get the gap report by email.