Automate Daily Vulnerability Chaos with ONEKEY
- Over 100 new software vulnerabilities (CVEs) every day
- Rule-based automation, validation and documentation cut time and cost
- ONEKEY streamlines vulnerability management — saving time, effort and stress
Düsseldorf, 18 November 2025 — More than 100 new software vulnerabilities (CVEs) are identified every day—over 40,000 last year alone. For manufacturers of connected devices, machines and systems, separating relevant vulnerabilities from the noise is increasingly challenging. The EU Cyber Resilience Act (CRA), due to apply by the end of 2027, will require precisely this clarity: knowing which CVEs affect your products—and proving how you address them.
With typical product development cycles of two to three years, now is the time for industry to address cybersecurity for Internet of Things (IoT) and Operational Technology (OT) products. The CRA calls for a security architecture that is built in from the outset—security by design and by default—and maintained throughout the entire product lifecycle.
Delivering on this requires an up-to-date view of Common Vulnerabilities and Exposures (CVEs). In practice, corporate security teams spend considerable time triaging a daily flood of new CVEs, even though their own products are seldom affected.
Structured Decisions Instead of CVE Chaos
In response to this "vulnerability or CVE chaos", the Düsseldorf-based cybersecurity company ONEKEY has expanded its cybersecurity analysis platform for device software (firmware). The platform now identifies and prioritizes vulnerabilities automatically and lets teams evaluate and document them directly, a process known as triage. It also supports extended Software Bills of Materials (SBOMs) and the import of manufacturer statements on vulnerabilities (Vulnerability Exploitability eXchange, or VEX), machine-readable assertions from a component's supplier about whether a given CVE actually affects a product. Standardized text suggestions during processing simplify editing and save time.
"This provides development and security teams with a simple, systematic, and traceable process for tracking vulnerabilities," said Jan Wendenburg, CEO of ONEKEY. "All decisions can be documented on the platform and accompanied by a justification for the assessment in relation to the respective product. This achieves the transparency and traceability required by the CRA, and teams no longer waste time on irrelevant vulnerabilities."
False Alarms Can Be Reduced by More Than 60 Percent
In ONEKEY's early deployments of the new capabilities, false alarms have been reduced by more than 60 percent. Here, a "false alarm" (a false positive) refers to a case where device software appears to be affected by a newly disclosed CVE, for example because a component with the affected name is present in the firmware, but on inspection is not, because the shipped version lies outside the affected range, the vulnerable code is not built in or reachable, or the supplier's VEX statement marks the product as not affected.
By rapidly identifying and classifying irrelevant CVEs, teams can focus on vulnerabilities that could realistically be exploited. “The key benefits are faster vulnerability response with fewer resources, and decision-making that is both auditable and transparent,” said Jan Wendenburg.
Rule-Based Automation, Validation, and Documentation
The new Vulnerability Management extension is part of the ONEKEY strategy, which aims to simplify CVE management for digital product manufacturers through rule-based automation and validation. The main advantages are saving time and costs, ensuring consistency in handling vulnerabilities and documentation, and guaranteeing compliance.
Concretely, the extension provides contextual risk assessment of CVEs, prioritization based on real-world impact, enrichment of the SBOM with meaningful additional information, and complete traceability of all decisions through appropriate documentation. For each decision, feedback from vendors, comments from analysts, and risk mitigation measures can be recorded. These features enable traceability, improve cross-team collaboration, and demonstrate to customers and regulators how vulnerabilities are handled.
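The rule-based triage sketched above (SBOM matching, VEX import, prioritization, and a justified decision for every CVE) can be made concrete with a small script. The following is an added example and not ONEKEY's code; it uses a deliberately simplified stand-in for CycloneDX SBOM and VEX data, a constructed CVE feed with placeholder identifiers (not real CVEs), fictional component names, and a hypothetical five-rule policy. The same block illustrates the "false alarm" cases described in the previous section: a component that is absent, a version outside the affected range, and a vendor VEX statement of not_affected are all closed automatically, with the reason written into the decision log.

```python
"""Rule-based CVE triage against an SBOM with VEX import and a decision log.

Added example, not ONEKEY's code. Data formats are simplified stand-ins for
CycloneDX SBOM/VEX and a CVE feed; every input below is constructed.
"""
from __future__ import annotations


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric version to a comparable tuple, e.g. '1.2.10' -> (1, 2, 10)."""
    return tuple(int(p) for p in v.split("."))


def in_range(version: str, lo: str, hi: str) -> bool:
    """Inclusive range check on parsed versions (avoids string comparison pitfalls)."""
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


# Constructed SBOM for a firmware image (component name + version only, fictional names).
SBOM = [
    {"name": "acme-tls", "version": "1.4.2"},
    {"name": "acme-shell", "version": "2.0.7"},
    {"name": "acme-xml", "version": "3.1.0"},
]

# Constructed vulnerability feed with placeholder identifiers (not real CVEs).
FEED = [
    {"id": "CVE-EXAMPLE-0001", "product": "acme-tls", "affected": ("1.4.0", "1.4.5"), "cvss": 9.8, "kev": True},
    {"id": "CVE-EXAMPLE-0002", "product": "acme-shell", "affected": ("2.0.0", "2.0.7"), "cvss": 7.5, "kev": False},
    {"id": "CVE-EXAMPLE-0003", "product": "acme-xml", "affected": ("2.0.0", "2.9.9"), "cvss": 5.3, "kev": False},
    {"id": "CVE-EXAMPLE-0004", "product": "acme-zip", "affected": ("1.0.0", "1.2.0"), "cvss": 9.1, "kev": False},
]

# Constructed VEX statements imported from the component vendor; the status and
# justification vocabulary follows OpenVEX.
VEX = [
    {"id": "CVE-EXAMPLE-0002", "product": "acme-shell", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path",
     "impact_statement": "The vulnerable applet is disabled in this build configuration."},
]


def triage(sbom, feed, vex, analyst="firmware-psirt"):
    """Apply the rules in order; every outcome is logged with the rule that fired."""
    components = {c["name"]: c["version"] for c in sbom}
    vex_index = {(s["id"], s["product"]): s for s in vex}
    log = []
    for cve in feed:
        name = cve["product"]
        entry = {"cve": cve["id"], "component": name, "analyst": analyst}
        if name not in components:
            # Rule 1: component is not in the SBOM at all -> not an alert worth a human's time.
            entry.update(status="not_applicable", priority="none", rule="R1-component-absent",
                         justification=f"{name} is not part of this firmware's SBOM")
        elif not in_range(components[name], *cve["affected"]):
            # Rule 2: component present, but the shipped version lies outside the affected range.
            entry.update(status="not_affected", priority="none", rule="R2-version-out-of-range",
                         justification=f"{name} {components[name]} outside "
                                       f"{cve['affected'][0]}..{cve['affected'][1]}")
        elif (s := vex_index.get((cve["id"], name))) and s["status"] == "not_affected":
            # Rule 3: vendor VEX says not affected; keep the vendor's justification for the audit trail.
            entry.update(status="not_affected", priority="none", rule="R3-vendor-vex",
                         justification=f"VEX {s['justification']}: {s['impact_statement']}")
        elif cve["kev"] or cve["cvss"] >= 9.0:
            # Rule 4: known exploited or critical severity -> remediate first.
            entry.update(status="affected", priority="critical", rule="R4-kev-or-critical",
                         justification=f"CVSS {cve['cvss']}, known exploited={cve['kev']}")
        else:
            # Rule 5: everything else needs an analyst decision; it stays open and visible.
            entry.update(status="under_investigation", priority="medium", rule="R5-manual-review",
                         justification="no rule resolved this; analyst assessment pending")
        log.append(entry)
    return log


def false_alarm_reduction(log):
    """Share of feed entries closed automatically, without analyst work."""
    closed = sum(1 for e in log if e["status"] in ("not_applicable", "not_affected"))
    return closed / len(log) if log else 0.0


if __name__ == "__main__":
    decisions = triage(SBOM, FEED, VEX)
    for e in decisions:
        print(f"{e['cve']:18} {e['component']:11} {e['status']:19} {e['priority']:8} "
              f"{e['rule']:24} {e['justification']}")
    print(f"auto-closed: {false_alarm_reduction(decisions):.0%}")
```

Two design points matter for auditability. First, a VEX statement only suppresses an alert after the SBOM match and version check have already placed the component in scope, and the vendor's justification string is copied into the log rather than merely a flag, so a reviewer can later see why a critical-looking CVE was closed. Second, the rules are ordered from cheapest to most judgment-laden: nothing reaches an analyst that a deterministic check could have resolved, which is where the reduction in false alarms comes from.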
CEO Jan Wendenburg explained: "ONEKEY has evolved its platform from a leading solution for embedded software vulnerability detection to vulnerability management. This allows companies to map the entire process, from automatic detection and assessment to documented decisions, within a single, auditable workflow."
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes, without source code, device, or network access. Integrated generation of Software Bills of Materials (SBOMs) supports proactive auditing of software supply chains. "Digital Cyber Twins" enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated ONEKEY Compliance Wizard already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
The Product Security Incident Response Team (PSIRT) is supported by the integrated automatic prioritization of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform (OCP) and ONEKEY Cybersecurity Experts.
Further information: ONEKEY GmbH, Sara Fortmann, e-mail: sara.fortmann@onekey.com, Toulouser Allee 19A, 40211 Düsseldorf, Germany, web: https://onekey.com
PR agency: euromarcom public relations GmbH, Mühlhohle 2, 65205 Wiesbaden, Germany, e-mail: team@euromarcom.de, web: www.euromarcom.de