TRACEABLE COMPLIANCE INTELLIGENCE

Compliance evidence that traces itself.

Scanner findings to auditor-ready proof — every fix traced from commit to production. CRA, NIS 2, DORA, SOC 2, ISO 27001.

No spam. Unsubscribe anytime. Join 400+ engineers on the waitlist.

NIS 2
DORA
SOC 2
ISO 27001
CRA

Your data never leaves your premises · Self-hosted · EU-first

WHY CVET

Your scanners already have the evidence. CVET makes it count.

Connect Trivy, Snyk, Wiz, or Checkov. CVET normalises findings, maps them to controls across five frameworks, and generates audit packs — continuously.

No new scanners to deploy. No evidence to chase. Remediation traced from ticket to PR to production.

200 → 20 hrs

Monthly compliance engineering time

5 min

To first evidence graph after connecting a scanner

€0

New tools to buy — works with your existing stack

WHY NOW

The compliance clock is already ticking.

Three EU mandates. One enforcement wave.

LIVE

Jan 2025

Enforcement began

DORA

Digital Operational Resilience Act

ICT risk management for 20 categories of EU financial entities. Evidence obligation is immediate and auditable.

Banks, payment processors, insurers, and crypto providers must prove continuous vulnerability management and remediation traceability. Supervisory authorities can request evidence at any time.

LIVE

160,000+

Organisations in scope

NIS 2

Network & Information Security Directive

160,000+ enterprises across 18 critical sectors. Supply-chain security and board-level accountability are mandatory.

Covers energy, transport, healthcare, digital infrastructure, and more. Boards are personally liable for non-compliance. Fines up to €10M or 2% of global turnover.

SEPT 2026

24 hrs

Vulnerability reporting window

CRA

EU Cyber Resilience Act

Mandatory 24-hour vulnerability reporting and SBOM requirements for all products with digital elements sold in the EU.

Security-by-design obligations, coordinated vulnerability disclosure, and full enforcement by December 2027. If you sell software in Europe, this applies to you.

STRATEGIC

EU-first

Data residency by default

Data Sovereignty

EU Data Residency & Sovereignty

EU enterprises increasingly require that compliance evidence stays within European borders. US-only platforms are losing deals.

GDPR Article 25 data protection by design, Schrems II implications, and growing demand for European cloud infrastructure (Hetzner, Scaleway, OVH). CVET is EU-hosted by default.

THE PLATFORM

One platform. Five frameworks. Zero drama.

Automation without traceability is just faster guesswork. CVET traces every finding to a control, every fix to a deploy.

Evidence Intelligence Layer

Normalise and contextualise scanner output from Snyk, Wiz, Checkov, and Trivy. One system of record for all findings.

All Frameworks

Cross-Framework Control Mapping

One control satisfies multiple frameworks. Map findings to SOC 2, ISO 27001, NIS 2, DORA, and CRA automatically.

All Frameworks

Evidence Graph

Structured graph linking findings, controls, owners, and remediation states. Live posture score with drill-downs.

NIS 2 · DORA

Remediation Traceability

Track finding → ticket → PR → deployment with auditable lineage. End-to-end proof that risks get fixed.

DORA · SOC 2

Audit Pack Generator

Generate auditor-ready evidence packs continuously. Pre-organised, timestamped, tamper-evident packages.

ISO 27001 · SOC 2

Platform Exports

Push engineering-grade evidence into Vanta, Drata, and Secureframe. Your compliance platform, powered by real data.

CRA · NIS 2

FRAMEWORKS

One scan covers every framework that matters.

SOC 2 Type II

COVERED
  • CC controls automated
  • Continuous monitoring
  • Auditor evidence portal
Covered

ISO 27001:2022

COVERED
  • Annex A mapping
  • Risk register integration
  • ISMS policy templates
Covered

NIS 2 Directive

LIVE
  • 72hr notification workflows
  • Supply chain risk assessment
  • Board reporting
Covered

DORA

LIVE
  • ICT risk management evidence
  • Remediation traceability
  • Continuous detection proof
Covered

EU Cyber Resilience Act

SEPT 2026
  • SBOM generation
  • Vulnerability disclosure
  • SDL checklists
Covered

HOW IT WORKS

Audit-ready in three steps.

STEP 01

Plug In Your Scanners

Trivy, Snyk, Wiz, Checkov — connect what you already run. First evidence graph in under five minutes.

STEP 02

Map Findings to Controls

Every finding maps to controls across CRA, NIS 2, DORA, SOC 2, and ISO 27001. Gaps surface automatically.

STEP 03

Ship the Audit Pack

Evidence packs generate continuously. Every fix traced from ticket to PR to deploy. Hand it to the auditor, not a spreadsheet.

Stop proving compliance by hand.

Early access. Founder pricing. Your first evidence graph in five minutes.

Self-hosted · EU data residency · No spam, ever