Vulnerability Scanning

Prioritise what to fix — EPSS-ranked, VEX-tracked.

After every SBOM scan, CRAReady automatically matches your components against NVD, EUVD, OSV, and GHSA to surface known CVEs. Each finding is enriched with EPSS exploitation probability and CVSS v3.1 scores so you can focus remediation on the vulnerabilities most likely to be exploited.


Everything you need

Automatic vulnerability matching after every SBOM scan
EPSS scores and percentiles for exploitation probability ranking
CVSS v3.1 scores with vector strings from NVD, EUVD, OSV, and GHSA
VEX status workflow: affected / not_affected / fixed / under_investigation
Bulk VEX status update across multiple findings
CycloneDX VEX document export
Org-wide dashboard sorted by EPSS — see your highest-risk findings first

How it works

1. Scan completes

Every SBOM scan automatically triggers vulnerability matching across four threat intelligence sources.

2. Review ranked findings

Findings are sorted by EPSS probability. Focus on the 1% most likely to be exploited in the wild.

3. Track with VEX

Set VEX status and justification per finding. Export a CycloneDX VEX document for your auditor.

Ready to get started?

Join manufacturers already using CRAReady to manage their CRA compliance obligations.
