Product Security Desk

CRA Reporting Readiness Sprint

In ten business days, test whether one product team can identify affected releases, assemble supporting evidence, and operate a controlled 24/72-hour reporting workflow.

  • One product or release family
  • Ten business days
  • Fixed €2,500 starting price

Reporting sequence

The clock exposes the process.

24h

Early warning

Can the right owner identify the product, event, and available evidence quickly enough to act?

72h

Notification

Can the team establish affected releases, known impact, mitigations, and unresolved questions?

CRA reporting obligations begin 11 September 2026 for covered actively exploited vulnerabilities and severe incidents. Read the European Commission guidance.

The engagement

A working exercise, not another compliance dashboard.

We use one realistic product-security scenario to find where evidence, ownership, and decisions break down. The output is a bounded operational plan your team can review and improve.

01

Product boundary

Inventory one product or release family, its supported versions, and the evidence sources used during the exercise.

02

SBOM coverage review

Review existing SBOM coverage and quality without replacing your scanners or requiring source-code review.

03

Workflow assessment

Map vulnerability intake, triage, decision, remediation, evidence, and reporting responsibilities.

04

Tabletop exercise

Run an actively exploited third-party component scenario against your current operating process.

05

Reporting runbook

Draft a practical 24/72-hour evidence and reporting workflow with named decision points and escalation paths.

06

Ninety-day plan

Prioritize evidence gaps, assign owners, and sequence the next improvements after the final review.

Material conclusions are designed to receive independent product-security or CRA expert review. Reviewer availability is confirmed before booking.

Cover of the illustrative CRA Reporting Readiness Report

Illustrative sample

See what the sprint produces.

This 12-page synthetic example shows how evidence, timing, ownership, and reporting-field readiness are turned into a decision-ready handover.

  • Executive readiness verdict and priority findings
  • 24/72-hour evidence and reporting-field matrix
  • Responsibility map and reporting runbook excerpt
  • Owned ninety-day action plan
View the 12-page sample report PDF ยท 631 KB

Fictional organization, product, timings, and findings. No customer data.

Engagement fit

Built for a specific product team.

This first offer is intentionally narrow. A short fit call should establish whether the product, pressure, and evidence are suitable before either side commits.

Good fit

  • B2B software delivered on-premise, self-hosted, downloaded, embedded, or as an appliance
  • Current EU customers, distributors, or contractual product-security pressure
  • Roughly 50-250 employees with engineering capacity but no dedicated CRA operations team
  • One bounded product or release family and access to the people who own its evidence

Not this sprint

  • A binding CRA scope opinion, legal advice, certification, CE marking, or declaration language
  • Penetration testing, source-code review, remediation implementation, or an official filing
  • Multiple unrelated products or materially different product architectures
  • Medical, automotive, aviation, or another specially regulated product category

Ten-business-day process

From current evidence to an owned improvement plan.

  1. Before day 1

    Scope and inputs

    Confirm the product boundary, stakeholders, evidence request, confidentiality terms, and exercise scenario.

  2. Days 1-3

    Inventory and workflow review

    Review current releases, SBOM coverage, vulnerability practices, evidence locations, and responsibilities.

  3. Days 4-7

    Tabletop and gap mapping

    Work through the scenario, record decision and evidence gaps, and test the reporting path.

  4. Days 8-10

    Runbook, review, and handover

    Prepare the draft runbook and ninety-day plan, complete material review, and present the findings.

Initial design-partner terms

One product. Ten days. Fixed scope.

The first three engagements are priced to test a repeatable delivery model with real product teams.

2,500 plus applicable taxes
  • 50% at booking
  • 50% on delivery
  • Ten business days after agreed inputs are received
Book a 20-minute fit call

Questions

Before we scope the sprint.

Does the sprint certify CRA compliance?

No. It is an operational readiness engagement. It does not provide legal advice, certification, conformity assessment, CE marking, or a compliance guarantee. The manufacturer retains responsibility for decisions, declarations, remediation, and submissions.

Do we have to share source code?

No. Source-code review is outside scope. We agree the minimum evidence needed before kickoff, prefer customer-controlled scanning where practical, and do not request credentials or undisclosed vulnerability material through this website.

Do you submit reports for us?

No. The sprint tests and documents the reporting workflow. Any official filing or external vulnerability disclosure requires explicit manufacturer approval and remains the manufacturer's responsibility.

When does the ten-day schedule begin?

After scope confirmation, confidentiality terms, receipt of the agreed inputs, and confirmation of reviewer availability.

Next step

Start with a 20-minute fit call.

We will confirm the product boundary, current EU pressure, reporting workflow, and minimum evidence required. If the sprint is not appropriate, we will say so.

Book a 20-minute fit call
Prefer email? hello@productsecuritydesk.com