11 · 09 · 2026CRA reporting starts 11-09-2026

A finding is not a decision.

Maldini links every security signal to products, versions, owners
and evidence, so your team can decide within hours.

Control in
every case:
Scanner-neutralHuman approvalAudit trailEU-firstTraceable
The problem

The scanner finds it.
Then the work begins.

A component match does not define product scope. Engineering, security, quality and legal then search Jira, Git, Excel, ERP and supplier emails for the same truth.

ScopeProduct, firmware and hardware
ImpactInstalled base, customers and countries
EvidenceSources, tests and approval
When the clock startsfragmentation creates uncertainty

Maldini unites teams, product data and evidence before competing versions of the truth emerge.

See the approach
Workflow

From signal to defensible product decision.

Maldini links vulnerability, component, build, firmware, hardware, product model, installed base, owner, decision and evidence in one workflow.

  1. Detect01
  2. Define scope02
  3. Decide03
  4. Prove04

Detect

Import scanner data and SBOMs. Maldini links every signal to components, versions and builds.

↳ Start assessment
Friday, 16:42. A severe vulnerability may affect several product lines. Eleven possible matches appear. Nobody knows the exact scope.
Critical caseSecurity · Engineering · Legal · Quality
Built on your tools

No additional scanner.
No replacement for Jira.

Maldini works above your existing stack. Every tool keeps its role; Maldini connects product scope, decisions, deadlines and evidence.

  1. 01
    Scanner detects the signal

    SCA platforms, SBOM systems and internal analysis provide components and potential vulnerabilities.

  2. 02
    Jira drives technical tasks

    Engineering plans and completes tests, patches and releases in Jira or Azure DevOps.

  3. 03
    Maldini drives the decision

    Maldini tracks scope, installed base, evidence, the legal timeline and human approval.

Under time pressure

From scattered data to control.

The vulnerability does not change. Your way of working determines how much time, certainty and evidence you retain.

Four departmentsSix systemsSeparate files

Without Maldini

Teams search spreadsheets, emails and tickets. Each team uses a different scope, while nobody owns the full decision.

One impact caseClear ownersHuman approvalComplete evidence

With Maldini

Your team works from one product scope, sees missing evidence and closes the case with a traceable decision.

Why now

The clock will not wait for your process.

From 11 September 2026, CRA reporting obligations apply to actively exploited vulnerabilities and severe security incidents.

The rules require an early warning within 24 hours and a full notification within 72 hours. Your organisation must define the right product scope before an incident occurs.

Not every CVE requires a notification.

24 hoursEarly warningAfter awareness
72 hoursFull notificationWhen the criteria apply
FAQ

Questions, answered.

See how Maldini works with scanners, Jira, SBOM data and human decision-making without replacing your existing systems.

Does Maldini replace our scanner?

No. Maldini imports findings from scanners, SCA platforms and SBOM systems. Your team then links each finding to product scope, actions and evidence.

We already use Jira. Why Maldini?

Jira manages tasks. Maldini preserves product scope, firmware context, supplier evidence, approvals and the final decision.

Does every CVE fall under the CRA?

No. The CRA covers specific actively exploited vulnerabilities and severe security incidents. Authorised experts make the reporting decision.

Must our SBOMs be perfect?

No. Start with critical product families. Maldini exposes missing relationships and evidence and gives every conclusion a visible evidence level.

Does Maldini submit reports automatically?

No. Maldini tracks deadlines, gathers information and prepares draft documentation. An authorised employee reviews and submits every external report.

MALDINI PILOTLimited design partner places

Test Maldini with
your product data.

Bring one real vulnerability. We map product scope, tasks and missing evidence in one controlled case.

What do you want to examine first?
Where does your current process fail?
By submitting, you agree to our privacy policy.