
Security Pattern Releases Powerful ARIANNA Platform Update

Published on: August 14, 2025

Estimated reading time: 4 minutes




Over the past months, we have consistently updated the ARIANNA platform with new features to ease our customers’ prioritization efforts and to increase the number of environments we support.


This release is particularly powerful, since it will help our customers prioritize vulnerabilities even better while saving time. 


In this post, we summarize the new features just released to all our customers:


Improved Prioritization Mechanism based on Exploitability


We’ve enhanced our vulnerability prioritization to help you focus only on the threats that truly matter, saving you time and effort.


  • Exploitability-based prioritization ensures that attention is given to vulnerabilities that are more likely to be exploited, rather than just those with high severity scores.

  • This approach is aligned with regulations, standards, and industry best practices.

  • The 'High Priority' filter is now configurable (navigate to the 'policy' tab), so you can tailor it to your specific risk tolerance and operational needs.


The 'High Priority' filter is configurable in the 'Policy' tab of the project.
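The idea of ranking by exploitability first and severity second, with the 'High Priority' rule coming from a configurable policy, as an added illustration that is not ARIANNA's code or its actual scoring rule. The policy thresholds, the tier names, the sample records and the placeholder CVE ids are all constructed assumptions:

```python
"""Exploitability-based prioritization, as a constructed illustration.

Added example, not ARIANNA's code or scoring rule. The policy thresholds,
the tier names and the sample records are assumptions; the CVE ids are
placeholders.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str                # placeholder id, not a real CVE
    cvss: float             # CVSS base score (0-10): severity only
    epss: float             # EPSS probability (0-1): likelihood of exploitation
    in_kev: bool            # listed in CISA's Known Exploited Vulnerabilities catalog
    reachable: bool = True  # attack vector present/enabled on this device


# Equivalent of a configurable 'High Priority' filter (assumed shape).
DEFAULT_POLICY = {
    "kev_is_high": True,   # anything actively exploited is high, whatever the score
    "epss_high": 0.10,     # EPSS at or above this counts as "likely exploited"
    "cvss_floor": 7.0,     # severity needed for a likely-exploited finding to be high
}


def tier(f: Finding, policy: dict = DEFAULT_POLICY) -> str:
    """Classify one finding by exploitability first and severity second."""
    if not f.reachable:
        return "not_affected"
    if policy["kev_is_high"] and f.in_kev:
        return "high"
    likely = f.epss >= policy["epss_high"]
    severe = f.cvss >= policy["cvss_floor"]
    if likely and severe:
        return "high"
    if likely or severe:
        return "medium"
    return "low"


TIER_ORDER = {"high": 0, "medium": 1, "low": 2, "not_affected": 3}


def prioritize(findings, policy: dict = DEFAULT_POLICY):
    """Return (cve, tier) pairs, most urgent first; ties broken by EPSS."""
    ranked = sorted(findings, key=lambda f: (TIER_ORDER[tier(f, policy)], -f.epss))
    return [(f.cve, tier(f, policy)) for f in ranked]


# Constructed sample: severity alone would put CVE-0000-0001 on top.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.02, in_kev=False),
    Finding("CVE-0000-0002", cvss=7.5, epss=0.45, in_kev=True),
    Finding("CVE-0000-0003", cvss=5.3, epss=0.30, in_kev=False),
    Finding("CVE-0000-0004", cvss=9.1, epss=0.01, in_kev=False, reachable=False),
    Finding("CVE-0000-0005", cvss=4.0, epss=0.01, in_kev=False),
]

if __name__ == "__main__":
    for cve, t in prioritize(SAMPLE):
        print(f"{cve}: {t}")
```

Run stand-alone it lists the KEV-listed 7.5 above the 9.8 that nobody is exploiting, and drops the unreachable 9.1 to the bottom; changing the policy dictionary is the equivalent of editing the filter in the 'Policy' tab.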


Penetration Testing


Security Pattern also offers a penetration testing service to verify whether specific vulnerabilities are exploitable in the real system. For embedded systems, software updates can be risky and expensive. If, after careful (theoretical) in-platform analysis, a vulnerability seems exploitable, a targeted pen test can confirm this. If the pen test is unsuccessful, the customer will likely accept the vulnerability and the software update won't be needed.



New User Notification System


We’ve introduced a notification mechanism to alert users about new high-priority vulnerabilities by email. In-platform notifications remain active as well.


  • Stay informed about new vulnerabilities by email, without the need for constant platform monitoring.

  • The system will provide dedicated emails and weekly summaries, according to user preferences.



Comprehensive and Customizable Exports for Compliance


We've made significant upgrades to our SPDX, CycloneDX and CSV SBOM exports to give our users more comprehensive information and more flexibility, so that the exported document can be used for compliance purposes without further adjustment.


  • Select a subset of components to be included in the report generation.

  • SPDX and CycloneDX outputs will only include the selected components.


Select a subset of components to be included in the report generation.

Our SBOM exports are NTIA-compliant. In this release, we updated the following fields:

  • Supplier information: Identify the suppliers of your software dependencies more easily.

  • Package URLs (pURLs): More precisely locate and identify packages with added pURLs.

  • Dependency information: Gain a clearer understanding of your project's intricate dependency relationships.
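What "NTIA minimum elements" means in practice for a CycloneDX export, and what subsetting the components does to the dependency graph, as an added example that is not ARIANNA's export code. The BOM below is constructed sample data; the field names (`supplier`, `purl`, `dependencies`, `metadata.timestamp`, `metadata.authors`) are those of the CycloneDX 1.5 JSON schema:

```python
"""NTIA minimum-element check and component subsetting on a CycloneDX JSON BOM.

Added example, not ARIANNA's export code. The BOM below is constructed
sample data; the field names are those of the CycloneDX 1.5 JSON schema.
"""
import json
from copy import deepcopy

SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-08-14T00:00:00Z",        # NTIA: timestamp
        "authors": [{"name": "example-sca-tool"}],   # NTIA: author of SBOM data
    },
    "components": [
        {"bom-ref": "pkg:generic/busybox@1.36.1", "name": "busybox", "version": "1.36.1",
         "purl": "pkg:generic/busybox@1.36.1", "supplier": {"name": "BusyBox project"}},
        {"bom-ref": "pkg:generic/zlib@1.3", "name": "zlib", "version": "1.3",
         "purl": "pkg:generic/zlib@1.3"},                          # no supplier
        {"bom-ref": "pkg:generic/openssl@3.0.13", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13", "supplier": {"name": "OpenSSL project"}},
    ],
    "dependencies": [
        {"ref": "pkg:generic/busybox@1.36.1", "dependsOn": ["pkg:generic/zlib@1.3"]},
        {"ref": "pkg:generic/openssl@3.0.13", "dependsOn": []},
        # zlib has no entry: its dependency relationship is undocumented
    ],
}


def check_ntia_minimum(bom: dict) -> dict:
    """Report NTIA minimum elements missing at BOM level and per component."""
    findings = {"bom": [], "components": {}}
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        findings["bom"].append("metadata.timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        findings["bom"].append("metadata.authors")
    declared = {d.get("ref") for d in bom.get("dependencies", [])}
    for c in bom.get("components", []):
        missing = []
        if not c.get("supplier", {}).get("name"):
            missing.append("supplier")
        for key in ("name", "version"):
            if not c.get(key):
                missing.append(key)
        if not (c.get("purl") or c.get("cpe")):   # "other unique identifier"
            missing.append("purl/cpe")
        if c.get("bom-ref") not in declared:      # dependency relationship
            missing.append("dependencies")
        if missing:
            findings["components"][c.get("name", c.get("bom-ref", "?"))] = missing
    return findings


def select_components(bom: dict, refs) -> dict:
    """Return a copy of the BOM restricted to the given bom-refs.

    Dependency entries for dropped components are removed, and edges that
    point at dropped components are pruned so the graph stays consistent.
    """
    keep = set(refs)
    out = deepcopy(bom)
    out["components"] = [c for c in bom.get("components", []) if c.get("bom-ref") in keep]
    out["dependencies"] = [
        {"ref": d["ref"], "dependsOn": [r for r in d.get("dependsOn", []) if r in keep]}
        for d in bom.get("dependencies", []) if d.get("ref") in keep
    ]
    return out


if __name__ == "__main__":
    print(json.dumps(check_ntia_minimum(SAMPLE_BOM), indent=2))
    subset = select_components(SAMPLE_BOM, ["pkg:generic/busybox@1.36.1", "pkg:generic/zlib@1.3"])
    print(json.dumps(subset["dependencies"], indent=2))
```

The check only flags `zlib`, which lacks a supplier and has no dependency entry of its own; a consumer of the export would have to ask for both before the SBOM meets the NTIA minimum.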


VEX reports


We have added the option to extract a VEX report. The Vulnerability Exploitability eXchange (VEX) format is an industry-accepted, standardized way to describe and communicate the exploitability status of vulnerabilities.


These reports describe the status of every identified vulnerability (resolved, exploitable, in triage, false_positive, not affected, etc.), together with the associated 'justification' and 'detail' information produced by automated and/or manual analysis. For example, where a vulnerability has been resolved, the report carries remediation details (such as 'fixed' or 'patched'); where a vulnerability was identified as not affected or not exploitable, the extra information explains why the component is not impacted in the context of that specific environment.


These VEX reports are essential artefacts for compliance with standards such as CRA and RED.


Increased number of Supported Environments


In support of the ARIANNA platform, we provide on-premise tools for generating an accurate device model. We believe it's important to identify both hardware and software components and to accurately identify forks and dependencies. Our SCA tools are, by design, separate on-premise tools, because we believe most of our customers prefer not to upload large archives, images or containers containing data they'd rather not share.


We also recognize that many software development environments (such as Yocto, Buildroot, etc.) now provide metadata that accurately identifies build components, along with information about which vulnerabilities have been patched for their forked components or are not exploitable for other reasons. We always try to leverage this data when available (either from within the build environment or from an external source), and we provide tailored solutions and tools for the most common frameworks, in order to:


  • Create the most accurate SBOM+HBOM possible

  • Map software components to their corresponding hardware in order to automatically identify and close vulnerabilities that are not applicable due to missing or disabled attack vectors.

  • Automatically close vulnerabilities when patches have been applied

  • Automatically identify some vulnerabilities as not exploitable

  • Provide triage information for other vulnerabilities
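The VEX statuses described in the 'VEX reports' section above, and the automatic closing of patched or non-applicable findings from build metadata described in this section, as one added example that is not ARIANNA's code. The per-CVE build-status records (`status`, `patch`, `justification`, `reason`), the mapping from those statuses to VEX states, and the placeholder CVE ids are constructed assumptions; the `state` and `justification` vocabularies are those of the CycloneDX 1.5 vulnerability analysis schema. The lint step is the check a downstream consumer of the report would want: a `not_affected` entry with no justification or detail cannot be audited.

```python
"""Deriving CycloneDX VEX analysis entries from build metadata and linting them.

Added example, not ARIANNA's code. The per-CVE build-status records, the
status-to-state mapping and the CVE ids (placeholders) are constructed
assumptions; the state and justification vocabularies are those of the
CycloneDX 1.5 vulnerability analysis schema.
"""
from collections import Counter

STATES = {"resolved", "resolved_with_pedigree", "exploitable",
          "in_triage", "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}

# Constructed per-CVE status records, as a build system's CVE check might
# provide them; the field names are assumed.
BUILD_STATUS = [
    {"cve": "CVE-0000-0001", "status": "patched", "patch": "CVE-0000-0001.patch"},
    {"cve": "CVE-0000-0002", "status": "not_applicable",
     "justification": "code_not_reachable",
     "reason": "affected parser compiled out (FEATURE_X disabled in defconfig)"},
    {"cve": "CVE-0000-0003", "status": "unpatched"},
    {"cve": "CVE-0000-0004", "status": "not_applicable"},   # no reason recorded
]


def analysis_from_build_status(record: dict) -> dict:
    """Map one build-status record to a CycloneDX 'analysis' object (assumed mapping)."""
    status = record["status"]
    if status == "patched":
        return {"state": "resolved", "response": ["update"],
                "detail": f"fix applied via {record.get('patch', 'backported patch')}"}
    if status == "not_applicable":
        return {"state": "not_affected",
                "justification": record.get("justification", "code_not_present"),
                "detail": record.get("reason", "")}
    if status == "unpatched":
        # A patch is missing, but whether the bug is reachable is still unknown.
        return {"state": "in_triage", "detail": "no fix applied; needs analysis"}
    raise ValueError(f"unknown build status {status!r}")


def build_vex(component_ref: str, records) -> dict:
    """Assemble a minimal CycloneDX VEX document for one component."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "vulnerabilities": [{"id": r["cve"], "affects": [{"ref": component_ref}],
                                 "analysis": analysis_from_build_status(r)} for r in records]}


def lint_vex(vex: dict) -> list:
    """Flag entries a downstream reader could not act on or audit."""
    problems = []
    for v in vex.get("vulnerabilities", []):
        a = v.get("analysis", {})
        state = a.get("state")
        if state not in STATES:
            problems.append(f"{v['id']}: unknown state {state!r}")
        if state == "not_affected" and a.get("justification") not in JUSTIFICATIONS:
            problems.append(f"{v['id']}: not_affected needs a CycloneDX justification")
        if state == "not_affected" and not a.get("detail"):
            problems.append(f"{v['id']}: not_affected without detail")
        if state == "resolved" and not a.get("response"):
            problems.append(f"{v['id']}: resolved without remediation response")
    return problems


def summarize(vex: dict) -> dict:
    """Count vulnerabilities per analysis state."""
    return dict(Counter(v["analysis"]["state"] for v in vex["vulnerabilities"]))


def open_items(vex: dict) -> list:
    """Ids still needing human attention."""
    return [v["id"] for v in vex["vulnerabilities"]
            if v["analysis"]["state"] in {"exploitable", "in_triage"}]


if __name__ == "__main__":
    vex = build_vex("pkg:generic/example-lib@1.0", BUILD_STATUS)
    print(summarize(vex), open_items(vex), lint_vex(vex))
```

Two of the four records close automatically (one resolved, one not affected with a recorded reason), one stays open for triage, and the lint flags the fourth: it was marked not applicable in the build metadata without any reason, so the VEX entry would assert `not_affected` with nothing an auditor could verify.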



ARIANNA Platform - SBOM, HBOM, and Vulnerability Management for Device Manufacturers


ARIANNA is a product security management platform built for intelligent connected devices and systems across industries such as automotive, consumer electronics, industrial automation, and medical technology. It supports compliance with major cybersecurity standards and regulations including ISO/SAE 21434, ETSI EN 303 645, IEC 62443, RED DA, CRA, and FDA requirements.


Developed by the experts at Security Pattern, ARIANNA empowers device manufacturers to implement sustainable security processes by identifying, triaging, addressing, and reporting vulnerabilities efficiently. The platform integrates a robust vulnerability management process, offering continuous monitoring, exploit intelligence, and remediation guidance. 


ARIANNA enables users to maintain detailed software and hardware component inventories (SBOM/HBOM), prioritize vulnerabilities based on exploitability, and share results in machine-readable formats. Its focus on automation and compliance helps organizations streamline their security workflows and maintain a strong cybersecurity posture throughout the product lifecycle.


Key Features of the platform include:

  • SBOM and HBOM creation and management

  • Vulnerability identification

  • Vulnerability triaging and prioritization

  • Mitigation and remediation guidance

  • Extensive up-to-date vulnerability intelligence

  • Exploit maturity intelligence, including CISA KEV

  • Continuous vulnerability monitoring

  • Machine-readable export formats (CycloneDX, SPDX, VEX)

  • Compliance reports for major standards and regulations

  • Tailored solutions for common embedded software SDKs and development frameworks



Schedule a Demo


Want to see the ARIANNA Product Security Management Platform in action? Contact us to schedule a one-hour demo and discuss your specific use case.


Discover how device manufacturers ensure the cybersecurity and compliance of their interconnected products throughout various teams, business sectors, and stages of their lifecycle.




