Onboarding Guide: CRA Setup, SBOM Import, First Assessment
Welcome! This guide walks you through the quickest path to value: account creation, workspace setup, SBOM import, your first CRA assessment, and turning findings into action.
For regulation scope and obligations, use the CRA Compliance Guide. Harden your build inputs with SBOM Best Practices and close the loop with the Vulnerability Management Guide. Browse more materials in the Resources hub.
Overview
The platform helps you operationalize EU Cyber Resilience Act readiness. You'll centralize assessments, automate evidence, connect software bill of materials (SBOM) data, and manage remediation with deadlines and ownership.
- Create your account and verify your email
- Name your organization and choose a plan (start Free)
- Import an SBOM (CycloneDX or SPDX) for one product
- Start the CRA assessment and answer the guided questions
- Review vulnerabilities and create an initial remediation plan
Create your account
Go to /register. Enter your name, work email, and a strong password. If you were invited, the invite link pre‑fills your organization.
Verify your email
Check your inbox for a verification email. Click the link to activate your account. This protects access and enables secure notifications.
Set up your workspace
After login, you’ll land on the dashboard. Open Admin → Organizations to review your organization profile and legal contacts. Configure your timezone and preferred language if applicable.
- Confirm organization name and contact email
- Set timezone and language (if available)
- Review role‑based access (RBAC) defaults
Invite your team
Go to Admin → Settings → Users and invite collaborators by email. Roles control permissions across assessments, evidence, and remediation.
- Admin – Full access, can manage billing and retention.
- Maintainer – Manage assessments, assets, and remediation plans.
- Viewer – Read‑only access to dashboards and reports.
Import your SBOM
Navigate to Assets and upload a CycloneDX or SPDX SBOM. We’ll parse components and link known vulnerabilities automatically, so your risk picture is available instantly.
- Export SBOM from your build pipeline or security tool
- Upload the file (XML or JSON)
- Confirm component count & ecosystem
Run your first assessment
Open Assessments and create a new CRA assessment. Follow the guided question set. Attach relevant evidence directly to answers when prompted.
- Create an assessment and define scope (product/system)
- Answer the guided controls
- Attach evidence (documents, screenshots, logs)
- Generate a preliminary report from the Reports section
Triage vulnerabilities & plan remediation
Go to Remediation to create plans from detected vulnerabilities. Assign owners, set due dates, and track progress. Severity and exploitability help prioritize high‑impact fixes.
Notifications & reminders
Configure alerts under Account → Notifications. You can receive reminders for upcoming remediation deadlines and assessment milestones.
Data retention & evidence
Evidence retention ensures you can demonstrate compliance while meeting privacy obligations. Admins can review settings in Admin → Settings → Retention.
Plans & billing
Start on the Free plan and upgrade when your scope grows. Review usage and change plans anytime under Billing.
- Free: evaluation with limited scope
- Pro: small teams validating readiness
- Enterprise: scale across products and teams
Troubleshooting
- Can’t sign in? Use Forgot password and check for the email in spam/junk.
- SBOM upload errors? Ensure valid CycloneDX/SPDX format and size within limits.
- Missing data? Reload the dashboard; background jobs may still be processing.
- Permission issues? Ask an Admin to confirm your role in Admin → Settings → Users.