ComplyMarket Cybersecurity Lab: Product Security Testing for CRA, IoT, Software and Connected Devices
Cybersecurity is now a product compliance requirement. Connected products, software, embedded systems, mobile applications, cloud-linked platforms and industrial devices are increasingly expected to demonstrate secure design, vulnerability management and technical resilience before they are placed on the market.
The ComplyMarket Cybersecurity Lab supports manufacturers and technology companies with practical cybersecurity testing and compliance readiness for digital products. Our services combine product compliance knowledge, cybersecurity testing methods and regulatory documentation support to help clients identify risks, close gaps and prepare strong technical evidence.
Our Cybersecurity Lab is designed for companies that need more than a standard IT security scan. We focus on products with digital elements, including software, firmware, embedded devices, web platforms, APIs, mobile applications, IoT devices, industrial systems and connected laboratory or professional equipment.
Why Product Cybersecurity Testing Matters
Modern products are no longer only mechanical or electrical. Many products now include software, firmware, connectivity, user accounts, cloud services, APIs, mobile apps, remote access, update mechanisms and third-party open-source components.
This creates new cybersecurity risks, including:
- Unauthorised access to products or customer data
- Weak default passwords or insecure configuration
- Vulnerable software libraries
- Insecure firmware update mechanisms
- Exposed APIs or cloud interfaces
- Weak encryption or certificate handling
- Missing logging and audit trails
- Insecure mobile applications
- Unpatched vulnerabilities in embedded components
- Supply-chain risks from third-party software and suppliers
Cybersecurity testing helps manufacturers detect these issues before products reach customers, regulators or attackers.
ComplyMarket Cybersecurity Lab Services
ComplyMarket provides a wide range of cybersecurity testing and compliance-support services for digital products.
| Service area | What ComplyMarket does | Typical output |
|---|---|---|
| Product cybersecurity assessment | Reviews product architecture, attack surface, interfaces and security controls | Product security gap report |
| CRA cybersecurity testing | Tests products with digital elements against CRA-aligned requirements | CRA test report and remediation roadmap |
| Web application penetration testing | Tests web portals, dashboards, admin panels and SaaS interfaces | Web security test report |
| API security testing | Tests authentication, authorisation, object access, rate limiting and data exposure | API vulnerability report |
| Mobile application security testing | Tests Android and iOS applications connected to products or cloud services | Mobile app security report |
| Embedded device security testing | Tests connected hardware, gateways, controllers and embedded Linux/RTOS systems | Embedded security report |
| Firmware security review | Reviews firmware images, hardcoded credentials, keys, services and update process | Firmware analysis report |
| IoT security testing | Tests IoT devices, sensors, controllers, mobile apps, cloud interfaces and protocols | IoT security assessment |
| Industrial cybersecurity testing | Reviews industrial control components and automation systems using IEC 62443-aligned methods | IEC 62443 gap and test report |
| SBOM and software composition analysis | Reviews open-source and third-party software components for known vulnerabilities | SBOM/SCA report |
| Vulnerability handling assessment | Reviews disclosure, triage, remediation, patching and customer notification processes | Vulnerability handling gap report |
| Secure development lifecycle review | Reviews development, release, testing and update processes | Secure development lifecycle report |
| Cloud configuration review | Reviews cloud-hosted product components and security configuration | Cloud security findings report |
| Remediation retesting | Retests fixed vulnerabilities after corrective actions | Retest statement |
Cybersecurity Lab Testing Methods
ComplyMarket uses a risk-based testing methodology adapted to the product type, regulatory scope and customer requirements.
Our methods may include:
- Threat modelling
- Architecture and data-flow review
- Attack-surface mapping
- Vulnerability scanning
- Manual penetration testing
- Authentication and authorisation testing
- Role-based access-control testing
- Session management testing
- API object-level access testing
- Input validation testing
- Cryptography and TLS review
- Secure configuration review
- Default credential testing
- Firmware extraction and static review
- Binary and configuration analysis
- Software composition analysis
- SBOM validation
- Container and dependency review
- Update mechanism testing
- Rollback and downgrade-resistance review
- Fuzzing of selected interfaces, parsers or protocols
- Logging and audit trail review
- Cloud and mobile application security review
- Remediation validation and retesting
The objective is to provide clear technical evidence and practical remediation guidance, not only a list of automated scanner results.
Cybersecurity Testing for the EU Cyber Resilience Act
The EU Cyber Resilience Act makes cybersecurity a market-access requirement for many products with digital elements. Manufacturers will need to demonstrate that products are designed, developed and maintained with appropriate cybersecurity measures.
ComplyMarket Cybersecurity Lab supports CRA readiness by testing and reviewing:
- Secure-by-design and secure-by-default implementation
- Protection against unauthorised access
- Product attack-surface minimisation
- Data confidentiality and integrity
- Secure update mechanisms
- Vulnerability handling process
- Security logging and monitoring functions
- Authentication and access controls
- Software supply-chain risks
- SBOM availability and quality
- Customer security instructions
- Technical documentation evidence
Our CRA testing output can be used as supporting evidence for internal conformity assessment, technical documentation preparation and CE-marking readiness. Where formal notified body involvement is required, ComplyMarket can help clients prepare evidence and coordinate with the relevant notified body or accredited laboratory.
Cybersecurity Testing for IoT and Connected Products
IoT and connected products often combine hardware, firmware, mobile apps, cloud services and APIs. A weakness in one layer can compromise the entire product ecosystem.
ComplyMarket tests IoT and connected products across the full product chain:
1. Device hardware and exposed interfaces
2. Firmware and embedded operating system
3. Network services and communication protocols
4. Mobile application
5. Web dashboard or customer portal
6. Cloud backend and APIs
7. Update and patching mechanism
8. User account and access management
9. Logs, alerts and recovery functions
This full-chain approach is especially relevant for smart devices, professional equipment, industrial controllers, laboratory systems, building automation products and connected monitoring devices.
Embedded and Firmware Security Testing
Embedded devices can contain hidden risks that are not visible during normal functional testing. ComplyMarket Cybersecurity Lab helps clients identify firmware and device-level weaknesses such as:
- Hardcoded passwords
- Exposed private keys or certificates
- Insecure debug interfaces
- Insecure boot or update process
- Outdated open-source packages
- Unnecessary network services
- Weak file permissions
- Sensitive data stored in clear text
- Insecure communication protocols
- Missing rollback protection
- Lack of secure logging
Testing can be performed on production-equivalent samples, development devices, firmware images or representative subsystems.
Web, API and SaaS Security Testing
Many products with digital elements rely on web portals, cloud platforms and APIs. These interfaces often provide administrative access, customer data, product telemetry, remote configuration or service functionality.
ComplyMarket tests web and API components for risks including:
- Broken access control
- Broken object-level authorisation
- Account takeover risks
- Authentication bypass
- Session management weaknesses
- Injection vulnerabilities
- Cross-site scripting
- Insecure direct object references
- Excessive data exposure
- Weak password and MFA implementation
- Missing rate limiting
- Insecure file upload
- Misconfigured CORS
- Insecure API keys or tokens
- Insufficient logging and monitoring
The testing approach is aligned with recognised OWASP methods and adapted to the product’s actual business logic.
Mobile Application Security Testing
Mobile apps are often used to control products, monitor devices, receive alerts, configure user accounts or access cloud dashboards. ComplyMarket tests Android and iOS apps for:
- Insecure local storage
- Weak authentication
- Token leakage
- Hardcoded secrets
- Weak certificate validation
- Insecure communication with APIs
- Reverse engineering risks
- Excessive permissions
- Insecure biometric or MFA flows
- Weak session handling
- Business-logic vulnerabilities
Mobile testing can include APK/IPA review, dynamic testing, API interaction testing and review of security-relevant application behaviour.
SBOM and Software Supply Chain Security
Software supply-chain risk is now one of the most important areas of product cybersecurity. Many products include open-source libraries, third-party modules, container images, firmware packages and external services.
ComplyMarket supports clients with:
- SBOM collection and review
- CycloneDX and SPDX format review
- Dependency vulnerability analysis
- License risk overview
- Known vulnerability matching
- Outdated component identification
- Supplier cybersecurity evidence review
- Software component risk classification
- Remediation prioritisation
- Vulnerability monitoring process design
This service helps manufacturers prepare for CRA, customer cybersecurity questionnaires, procurement requirements and internal product security governance.
Vulnerability Handling and Coordinated Disclosure
Cybersecurity compliance does not end when the product is sold. Manufacturers must be ready to receive, assess and fix vulnerabilities throughout the product lifecycle.
ComplyMarket helps companies establish or improve:
- Security contact point
- Vulnerability disclosure policy
- Vulnerability intake workflow
- Severity classification process
- Triage and root-cause analysis
- Remediation and patch release process
- Customer advisory templates
- Coordinated vulnerability disclosure process
- Incident reporting process
- Evidence logs and decision records
- Product end-of-life and support-period communication
This service is especially important for companies preparing for the Cyber Resilience Act, NIS2 customer expectations or critical-sector procurement requirements.
Relevant Standards and Frameworks
Depending on the product, sector and compliance objective, ComplyMarket may use recognised standards and references such as:
| Standard / framework | Relevance |
|---|---|
| EU Cyber Resilience Act, Regulation (EU) 2024/2847 | Product cybersecurity and CE-marking readiness for products with digital elements |
| IEC 62443-4-1 | Secure product development lifecycle for industrial automation and control systems |
| IEC 62443-4-2 | Technical security requirements for industrial components |
| IEC 62443-3-3 | System security requirements for industrial automation systems |
| ISO/IEC 29147 | Vulnerability disclosure |
| ISO/IEC 30111 | Vulnerability handling process |
| OWASP ASVS | Web application security verification |
| OWASP WSTG | Web security testing methodology |
| OWASP API Security Top 10 | API security risks |
| OWASP MASVS and MASTG | Mobile application security testing |
| EN 18031 series | Cybersecurity requirements for certain radio equipment, where applicable |
| CycloneDX / SPDX | SBOM documentation formats |
| CIS Benchmarks | Secure configuration of systems and cloud components |
| ISO/IEC 27001 and ISO/IEC 27002 | Organisational information security controls |
ComplyMarket adapts the assessment criteria to the product and the client’s compliance target. When harmonised standards are available for a specific regulation, those standards can be integrated into the test plan and compliance matrix.
Industries Supported by ComplyMarket Cybersecurity Lab
ComplyMarket Cybersecurity Lab is relevant for companies operating in many product sectors, including:
- Electronics
- IoT and smart devices
- Industrial automation
- Machinery
- Laboratory equipment
- Medical and life-science equipment
- Measurement and monitoring devices
- ICT products
- SaaS and software platforms
- Building automation
- Energy equipment
- Consumer and professional connected products
- Robotics and automated systems
- Logistics and tracking systems
- Sensors and gateways
Any company placing digital products on the EU market should assess whether cybersecurity testing is needed as part of product compliance and risk management.
Typical Cybersecurity Lab Deliverables
A cybersecurity lab project may include:
- Product cybersecurity assessment report
- Attack-surface inventory
- Threat model summary
- Web application penetration testing report
- API security testing report
- Mobile application testing report
- Embedded device testing report
- Firmware analysis report
- SBOM/SCA vulnerability report
- Cloud configuration review report
- CRA Annex I cybersecurity evidence mapping
- IEC 62443 gap report
- Vulnerability handling process assessment
- Remediation roadmap
- Retest report
- Executive management summary
Reports include risk-rated findings, affected components, evidence, reproduction steps where appropriate and recommended corrective actions.
What Clients Need to Provide
To perform effective cybersecurity testing, ComplyMarket may request:
- Product description and intended use
- Architecture diagrams
- Data-flow diagrams
- Test environment access
- Test accounts with different roles
- API documentation
- Mobile app packages or test-store access
- Firmware images
- Hardware samples or representative test units
- Update packages
- SBOM files or dependency manifests
- User manuals and installation manuals
- Security configuration guides
- Cloud architecture overview
- Vulnerability disclosure policy and incident workflow
Testing should normally be performed on authorised non-production environments and production-equivalent samples. Real personal data, patient data or confidential customer data should not be used in test environments.
Accreditation and Certification Clarification
ComplyMarket Cybersecurity Lab provides cybersecurity testing, compliance support and technical documentation assistance. Unless expressly agreed in writing, ComplyMarket does not act as a notified body, certification body or market surveillance authority.
Where a regulation, customer or conformity assessment route requires an accredited laboratory or notified body, ComplyMarket can support preparation, coordinate with qualified partners and help clients close gaps before formal assessment.
This gives manufacturers a practical route to readiness while keeping responsibilities clear:
- ComplyMarket supports testing, gap assessment and documentation.
- The manufacturer remains responsible for product conformity and declarations.
- Notified bodies or accredited laboratories perform formal assessments where legally required.
Why Choose ComplyMarket Cybersecurity Lab?
ComplyMarket combines product compliance, cybersecurity testing, supplier data management and regulatory documentation support. This integrated approach helps clients avoid fragmented projects where legal, engineering, cybersecurity and compliance teams work separately.
With ComplyMarket, clients receive:
- A product compliance-oriented cybersecurity assessment
- Practical findings linked to regulatory requirements
- Clear remediation recommendations
- Support for technical documentation
- Testing adapted to the product and risk level
- Cybersecurity evidence suitable for internal compliance files
- Guidance for CRA, IEC 62443, OWASP and related standards
- Support for suppliers and software supply-chain evidence
- Retesting support after remediation
Our objective is to help manufacturers build secure products, reduce market-access risks and prepare strong cybersecurity evidence for customers, authorities and conformity assessment processes.
Recommended Cybersecurity Testing Roadmap
A practical cybersecurity testing roadmap includes:
1. Identify products, software and digital components.
2. Define product boundaries and connected services.
3. Classify products by cybersecurity risk and regulatory relevance.
4. Review architecture and data flows.
5. Identify attack surfaces and user roles.
6. Perform web, API, mobile, firmware, embedded or cloud testing as applicable.
7. Review SBOM and software supply-chain risks.
8. Assess vulnerability handling and update processes.
9. Prioritise findings by risk and compliance impact.
10. Implement corrective actions.
11. Retest critical and high findings.
12. Maintain evidence for technical documentation and post-market monitoring.
Conclusion
Cybersecurity is becoming a core part of product compliance. Manufacturers of connected products, software, IoT devices, embedded systems and cloud-linked platforms need strong technical evidence that their products are secure by design and supported by effective vulnerability handling.
The ComplyMarket Cybersecurity Lab helps companies test digital products, identify vulnerabilities, prepare remediation plans and build evidence for compliance with modern cybersecurity expectations, including the EU Cyber Resilience Act.
Contact ComplyMarket to discuss cybersecurity testing for your products, software, IoT devices, embedded systems or digital product portfolio.
FAQ
What is the ComplyMarket Cybersecurity Lab?
The ComplyMarket Cybersecurity Lab is a cybersecurity testing and compliance-support service for products with digital elements, including software, firmware, web applications, APIs, mobile apps, IoT devices, embedded systems and connected products.
Does ComplyMarket test products for the Cyber Resilience Act?
Yes. ComplyMarket supports CRA readiness through product cybersecurity testing, CRA Annex I mapping, vulnerability handling review, SBOM review, technical documentation support and CE-marking readiness assistance.
Does ComplyMarket provide formal CRA certification?
ComplyMarket provides testing, consulting and documentation support. Formal notified body conformity assessment or accredited certification, where required, must be performed by a duly authorised notified body or accredited certification body.
What types of products can be tested?
ComplyMarket can support testing for web platforms, APIs, mobile apps, firmware, embedded devices, IoT products, industrial controllers, gateways, connected laboratory equipment, monitoring systems and cloud-linked product components.
What standards does ComplyMarket use for cybersecurity testing?
Depending on the product and objective, ComplyMarket may use CRA requirements, IEC 62443, ISO/IEC 29147, ISO/IEC 30111, OWASP ASVS, OWASP WSTG, OWASP API Security Top 10, OWASP MASVS, EN 18031, CycloneDX, SPDX, CIS Benchmarks and ISO/IEC 27001/27002 references.
What is included in a cybersecurity test report?
A typical report includes scope, methodology, tested components, risk-rated findings, evidence, reproduction information where appropriate, affected assets, compliance relevance and recommended remediation actions.
Can ComplyMarket retest after vulnerabilities are fixed?
Yes. ComplyMarket can retest critical and high findings after remediation and issue a retest summary showing whether the findings were closed.
Why is SBOM review important?
SBOM review helps identify open-source and third-party software components, known vulnerabilities, outdated dependencies and software supply-chain risks. It is increasingly important for CRA readiness and customer cybersecurity requirements.
Can testing be done remotely?
Yes. Many software, web, API, cloud and firmware assessments can be performed remotely. Hardware, IoT and embedded device testing may require physical samples, remote lab access or a representative test bench.
What information is needed to start cybersecurity testing?
Useful inputs include product descriptions, architecture diagrams, test accounts, API documentation, firmware images, mobile app packages, hardware samples, SBOM files, update packages, security documentation and access to an authorised test environment.