Compliance

CRA compliant, developer approved.

Endor Labs cuts vulnerability noise so your security team stops flooding
developers with findings that don't matter and starts focusing on the ones that do.
[Image: Dashboard showing a Vulnerability Prioritization Funnel with sections for All Vulnerabilities, Not in Test, and Fix Available, including options to add Reachability and EPSS filters.]

How Endor Labs reduces your CRA burden

Free devs from false positives
Reachability analysis filters out unexploitable vulnerabilities, so developers only fix what's real and security stops being a bottleneck.
Auto-generate evidence
Be ready with SBOM and VEX docs built into every scan, so you don’t scramble if an authority comes asking.
Faster remediation
Policy-driven routing sends findings directly to where devs already work, so fixing vulnerabilities doesn't require a context switch or a ticket war.
"Endor Labs greatly reduced our CVE backlog, which helps satisfy the near zero tolerance for vulnerabilities often seen in highly regulated markets."
Joshua Domagalski
CISO, Astronomer
Prioritize
Fix what's real, skip what's not
The CRA focuses on exploitable vulnerabilities, and the key word is exploitable. Endor Labs traces vulnerable code paths through your application to determine what's actually being used, so developers get a short list of real problems instead of hundreds of findings to argue about.
70-80% average reduction in remediation workload
Up to 90% reduction in container vulnerability noise
VEX annotations document exploitability context for regulators
Manage
One vulnerability, one ticket, one fix
Endor Labs automatically monitors your dependencies, correlates findings, and routes them directly to developer workflows, so your team spends time fixing vulnerabilities instead of triaging them.
Continuous monitoring against NVD, GHSA, and OSV
Automatic deduplication of findings across scan types
Policy-driven routing to developer workflows
[Image: Dashboard displaying 3.7K security findings categorized by severity with detailed code snippet and explanation panel.]
Document
Evidence that holds up under scrutiny
The CRA requires SBOMs, VEX documents, and technical documentation maintained for 10 years. With every scan, Endor Labs auto-generates these artifacts so you can be prepared for conformity assessments or market surveillance.
SBOM generation in CycloneDX and SPDX formats
VEX annotations that document exploitability context
Automated generation through CI integration

FAQs

We've been told the CRA requires us to fix every vulnerability our scanners find. Is that right?

Not quite, and the distinction matters enormously for your team's workload. The CRA requires manufacturers to identify and remediate exploitable vulnerabilities, not every CVE in your dependency tree. A vulnerability in a function your code never calls is not exploitable in your application. Endor Labs' function-level reachability analysis identifies which vulnerable functions are actually reachable, so your team focuses on vulnerabilities that pose genuine risk and can document the rest as non-exploitable using VEX.

What does the CRA actually require, and when does it take effect?

The EU Cyber Resilience Act (Regulation 2024/2847) establishes mandatory cybersecurity requirements for all products with digital elements sold in the EU market. Reporting obligations begin September 11, 2026. Full compliance and enforcement begins December 11, 2027. The three core obligations are:

  • Secure by design (products must ship without known exploitable vulnerabilities)
  • Vulnerability management (manufacturers must identify, document, and remediate vulnerabilities without delay for a minimum support period of five years)
  • Transparency and reporting (manufacturers must notify ENISA within 24 hours of discovering an actively exploited vulnerability and maintain an SBOM for every product)

How does Endor Labs help us meet the CRA's SBOM requirements?

The CRA mandates SBOMs in a machine-readable format (CycloneDX or SPDX are the safe choices), maintained throughout the product lifecycle and available to customers and regulators. Endor Labs generates complete SBOMs in both formats with every scan, integrated directly into your CI/CD pipeline. SBOM Hub provides centralized management across all your products, with automated updates every time a new build ships. VEX annotations accompany every SBOM, documenting which discovered vulnerabilities are not exploitable in your specific application.
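As an added illustration of what the SBOM-plus-VEX evidence described above looks like on the wire (this is constructed example code, not Endor Labs' own output or API): the document below is a CycloneDX 1.5 SBOM whose `vulnerabilities[]` entries carry VEX analysis, one finding recorded as `not_affected` with the schema's `code_not_reachable` justification and one as `exploitable`, and `check_vex` flags any non-exploitable claim that lacks the justification and detail a conformity assessor would expect. Component names, the purl and the vulnerability ids are placeholders.

```python
# Values from the CycloneDX 1.5 vulnerability "analysis" schema.
VEX_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
              "in_triage", "false_positive", "not_affected"}
VEX_JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                      "requires_dependency", "requires_environment", "protected_by_compiler",
                      "protected_at_runtime", "protected_at_perimeter",
                      "protected_by_mitigating_control"}

def build_sbom_with_vex(components, findings):
    """CycloneDX 1.5 JSON dict: components are (bom_ref, name, version, purl) tuples,
    findings are dicts with id, ref, state, detail and optional justification."""
    doc = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
           "components": [{"type": "library", "bom-ref": r, "name": n, "version": v,
                           "purl": p} for r, n, v, p in components],
           "vulnerabilities": []}
    for f in findings:
        analysis = {"state": f["state"], "detail": f["detail"]}
        if "justification" in f:
            analysis["justification"] = f["justification"]
        doc["vulnerabilities"].append(
            {"id": f["id"], "affects": [{"ref": f["ref"]}], "analysis": analysis})
    return doc

def check_vex(doc):
    """List evidence gaps: unknown states, not_affected claims lacking a schema
    justification or explanatory detail, and affects refs matching no component."""
    refs = {c["bom-ref"] for c in doc.get("components", [])}
    problems = []
    for v in doc.get("vulnerabilities", []):
        a = v.get("analysis", {})
        if a.get("state") not in VEX_STATES:
            problems.append(f"{v['id']}: unknown state {a.get('state')!r}")
        elif a["state"] == "not_affected":
            if a.get("justification") not in VEX_JUSTIFICATIONS:
                problems.append(f"{v['id']}: not_affected needs a schema justification")
            if not a.get("detail"):
                problems.append(f"{v['id']}: not_affected needs supporting detail")
        for t in v.get("affects", []):
            if t.get("ref") not in refs:
                problems.append(f"{v['id']}: affects unknown bom-ref {t.get('ref')!r}")
    return problems

# Constructed sample: placeholder component and finding ids, not real packages or CVEs.
SAMPLE_COMPONENTS = [("lib-parser", "example-parser", "1.2.3",
                      "pkg:maven/example.org/example-parser@1.2.3")]
SAMPLE_FINDINGS = [
    {"id": "EXAMPLE-VULN-0001", "ref": "lib-parser", "state": "not_affected",
     "justification": "code_not_reachable", "detail": "Function never called by app code."},
    {"id": "EXAMPLE-VULN-0002", "ref": "lib-parser", "state": "exploitable",
     "detail": "Function reachable from the request handler; upgrade scheduled."}]
```

Serialize the returned dict with `json.dumps` to produce the file you would hand to a customer or authority; `check_vex` is the gate to run before doing so.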

How do we hit the CRA's "without delay" remediation standard for critical vulnerabilities?

The biggest driver of missed remediation timelines is spending time on vulnerabilities that don’t need to be fixed. By reducing your actionable findings by an average of 92%, Endor Labs gives your team more time to focus on what's real and urgent. For the fixes that remain, Upgrade Impact Analysis predicts whether an upgrade will introduce breaking changes before your team commits. When a full upgrade cannot be completed within the required window, Endor Patches provide backported security fixes that keep you compliant while the larger work continues.

Does the CRA apply to us if we are not headquartered in the EU?

Yes. The CRA applies to any manufacturer selling products into the EU market, regardless of where they’re headquartered. If you sell into the EU directly or through distributors, you are in scope. You can designate an EU-based authorized representative to handle communications with authorities, but the core compliance obligations around secure design, vulnerability management, and SBOM maintenance remain yours. EU distributors and importers carry their own obligations too, and will increasingly demand compliance evidence from their supply chain.

See for yourself why Endor Labs is the fastest growing AppSec company ever.