Automate Daily Vulnerability Chaos with ONEKEY

Tanja Sommer
  • Over 100 new software vulnerabilities (CVEs) every day
  • Rule-based automation, validation and documentation cut time and cost
  • ONEKEY streamlines vulnerability management — saving time, effort and stress

Düsseldorf, 18 November 2025 — More than 100 new software vulnerabilities (CVEs) are identified every day—over 40,000 last year alone. For manufacturers of connected devices, machines and systems, separating relevant vulnerabilities from the noise is increasingly challenging. The EU Cyber Resilience Act (CRA), due to apply by the end of 2027, will require precisely this clarity: knowing which CVEs affect your products—and proving how you address them.

With typical product development cycles of two to three years, now is the time for industry to address cybersecurity for Internet of Things (IoT) and Operational Technology (OT) products. The CRA calls for a security architecture that is built in from the outset—security by design and by default—and maintained throughout the entire product lifecycle.

Delivering on this requires an up-to-date view of Common Vulnerabilities and Exposures (CVEs). In practice, corporate security teams spend considerable time triaging a daily flood of new CVEs, even though their own products are seldom affected.

Structured Decisions Instead of CVE Chaos

In response to the "vulnerability or CVE chaos", the Düsseldorf-based cybersecurity company ONEKEY has expanded its cybersecurity analysis platform for device software (firmware). The platform now enables companies to automatically identify and prioritize vulnerabilities and directly evaluate and document them, a process known as triage. The platform also includes extended Software Bills of Materials (SBOMs) and the import of manufacturer information on vulnerabilities (Vulnerability Exploitability Exchange, or VEX). Standardized text suggestions during processing simplify editing and save time.

"This provides development and security teams with a simple, systematic, and traceable process for tracking vulnerabilities," said Jan Wendenburg, CEO of ONEKEY. "All decisions can be documented on the platform and accompanied by a justification for the assessment in relation to the respective product. This achieves the transparency and traceability required by the CRA, and teams no longer waste time on irrelevant vulnerabilities."

False Alarms Can Be Reduced by More Than 60 Percent

From ONEKEY’s early deployments of the new capabilities, false alarms have been reduced by more than 60 percent. Here, a “false alarm” refers to cases where device software appears to be affected by a newly disclosed CVE but, on inspection, is not.

By rapidly identifying and classifying irrelevant CVEs, teams can focus on vulnerabilities that could realistically be exploited. “The key benefits are faster vulnerability response with fewer resources, and decision-making that is both auditable and transparent,” said Jan Wendenburg.

Rule-Based Automation, Validation, and Documentation

The new Vulnerability Management extension is part of the ONEKEY strategy, which aims to simplify CVE management for digital product manufacturers through rule-based automation and validation. The main advantages are saving time and costs, ensuring consistency in handling vulnerabilities and documentation, and guaranteeing compliance.

These advantages include contextual risk assessment of CVEs, prioritization based on real-world impact, enrichment of the software bill of materials (SBOM) with meaningful additional information, and complete traceability of all decisions through appropriate documentation. For each decision, feedback from vendors, comments from analysts, and risk mitigation measures can be documented. These features enable traceability, improve cross-team collaboration, and demonstrate to customers and regulators how vulnerabilities are handled.
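To make the triage workflow described above concrete, here is an added example (not ONEKEY's platform code): a minimal rule-based pass that matches a CVE feed against an SBOM, applies vendor VEX statements, records analyst comments and mitigations, and emits an auditable decision log with a justification per finding. The SBOM entries, CVE identifiers, package URLs and VEX statements are all constructed for illustration; the status and justification vocabulary follows the CycloneDX VEX style but the rules themselves are an assumption, not the product's logic.

```python
"""Added example, not ONEKEY's platform code: a minimal rule-based CVE triage
pass that matches a CVE feed against an SBOM, applies vendor VEX statements,
records analyst decisions, and emits an auditable log with a justification
per finding. Every CVE id, purl, and component below is constructed for
illustration and does not refer to a real advisory or product.
"""
import json
from dataclasses import dataclass, asdict

# Constructed SBOM: components identified by package URL (CycloneDX-style purl).
SBOM = [
    {"purl": "pkg:generic/example-tls@1.1.1", "name": "example-tls", "version": "1.1.1"},
    {"purl": "pkg:generic/example-shell@1.36.0", "name": "example-shell", "version": "1.36.0"},
]

# Constructed CVE feed: each entry lists the purls the advisory claims to affect.
CVE_FEED = [
    {"id": "CVE-0000-0001", "affects": ["pkg:generic/example-tls@1.1.1"], "cvss": 9.8},
    {"id": "CVE-0000-0002", "affects": ["pkg:generic/example-shell@1.36.0"], "cvss": 7.5},
    {"id": "CVE-0000-0003", "affects": ["pkg:generic/other-lib@2.0"], "cvss": 8.1},
]

# Constructed vendor VEX statements (CycloneDX VEX-style status/justification values).
VEX = [
    {"vuln": "CVE-0000-0002", "purl": "pkg:generic/example-shell@1.36.0",
     "status": "not_affected", "justification": "vulnerable_code_not_present",
     "detail": "Affected feature is not compiled into this build."},
]

# Constructed analyst decisions keyed by CVE id (what a reviewer entered).
ANALYST_NOTES = {
    "CVE-0000-0001": {"status": "affected",
                      "comment": "Reachable from the device's management interface.",
                      "mitigation": "Upgrade example-tls in the next firmware release."},
}


@dataclass
class Decision:
    cve: str
    component: str
    status: str            # affected | not_affected | under_investigation
    justification: str     # machine-readable reason (VEX justification or rule name)
    source: str            # where the decision came from: vex | analyst | rule:default
    cvss: float
    vendor_detail: str = ""
    analyst_comment: str = ""
    mitigation: str = ""


def triage(sbom=SBOM, cve_feed=CVE_FEED, vex=VEX, analyst_notes=ANALYST_NOTES):
    """Rule-based triage: SBOM match -> VEX lookup -> analyst note -> default."""
    in_sbom = {c["purl"] for c in sbom}
    vex_index = {(v["vuln"], v["purl"]): v for v in vex}
    decisions = []
    for cve in cve_feed:
        for purl in cve["affects"]:
            if purl not in in_sbom:
                continue  # rule 1: CVEs for components we do not ship are noise
            stmt = vex_index.get((cve["id"], purl))
            if stmt is not None:
                # rule 2: a vendor VEX statement decides, and its justification is kept
                decisions.append(Decision(cve["id"], purl, stmt["status"],
                                          stmt["justification"], "vex", cve["cvss"],
                                          vendor_detail=stmt.get("detail", "")))
                continue
            note = analyst_notes.get(cve["id"])
            if note is not None:
                # rule 3: an analyst decision is recorded with comment and mitigation
                decisions.append(Decision(cve["id"], purl, note["status"],
                                          "analyst_review", "analyst", cve["cvss"],
                                          analyst_comment=note["comment"],
                                          mitigation=note.get("mitigation", "")))
                continue
            # rule 4: anything else stays open and visible until someone decides
            decisions.append(Decision(cve["id"], purl, "under_investigation",
                                      "no_statement_yet", "rule:default", cve["cvss"]))
    # prioritise affected, then open findings, highest CVSS first within each group
    order = {"affected": 0, "under_investigation": 1, "not_affected": 2}
    decisions.sort(key=lambda d: (order.get(d.status, 3), -d.cvss))
    return decisions


def false_alarm_share(decisions):
    """Share of SBOM-matched CVEs that turned out not to affect the product."""
    if not decisions:
        return 0.0
    return sum(d.status == "not_affected" for d in decisions) / len(decisions)


def audit_log(decisions):
    """JSON lines, one decision per line, suitable for an evidence archive."""
    return "\n".join(json.dumps(asdict(d), sort_keys=True) for d in decisions)


if __name__ == "__main__":
    result = triage()
    print(audit_log(result))
    print(f"false alarms: {false_alarm_share(result):.0%}")
```

Of the three feed entries, one never matches the SBOM and is dropped as noise, one is closed by the vendor's VEX statement with its justification preserved, and one is confirmed by the analyst with a mitigation; the JSON-lines log is the artefact a reviewer or auditor would read. In practice the SBOM and VEX inputs would be parsed from CycloneDX or CSAF documents rather than literals, and the rule order (vendor statement before analyst default) is a design choice to make explicit in your own process.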

CEO Jan Wendenburg explained: "ONEKEY has evolved its platform from a leading solution for embedded software vulnerability detection to vulnerability management. This allows companies to map the entire process — from automatic detection and assessment to documented decisions — within a single, auditable workflow."

About Onekey

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

CONTACT:
Sara Fortmann

Senior Marketing Manager
sara.fortmann@onekey.com

euromarcom public relations GmbH
team@euromarcom.de