
MEOK · Cybersecurity
Cybersecurity vendors carry the heaviest compliance load of any sector: CRA, NIS2, AI Act (for AI features), SBOM mandates, KEV tracking, supply-chain attestation. MEOK ships all of it as one substrate, HMAC-signed.
Annex I cybersecurity requirements · SBOM · 11 Dec 2027 main obligations cliff. Applies to all products with digital elements.
Machine-readable software bill of materials. Required by CRA + EO 14028 + US DoD + EU AI Act Annex IV.
Provenance attestation · Level 1-4 maturity model. Sigstore for keyless signing.
BOD 22-01 SLA tracking · 14-day patch for vulns actively exploited in the wild. Required for federal agencies.
Adversary tactics catalog + AI-specific attack catalog. STIX 2.1 exportable.
Prompt injection (LLM01) + sensitive info disclosure (LLM02) + supply chain (LLM05). Mapped to MCP server patterns.
pip install cra-compliance-mcp
pip install sbom-cyclonedx-mcp
pip install cisa-kev-mcp
pip install slsa-supply-chain-mcp
pip install sigstore-cosign-mcp
pip install mitre-attack-mcp
pip install mitre-atlas-mcp
pip install agent-prompt-injection-firewall-mcp
pip install firmware-attestation-mcp
pip install agent-audit-logger-mcp
pip install agent-policy-enforcement-mcp
pip install agent-rate-limiter-mcp

Pro tier is the most common for cybersec vendors (CRA Annex I requires the 9-Article AI Act stack if your product includes AI features). £199/mo. Enterprise for OEM integrators.
The CRA (Regulation 2024/2847) main obligations cliff is 11 December 2027, and it applies to all products with digital elements. It mandates Annex I cybersecurity requirements plus a software bill of materials. MEOK ships CRA Annex I evidence, SBOM, and vulnerability handling as one signed substrate via the cra-compliance-mcp and sbom-cyclonedx-mcp servers.
MEOK produces machine-readable SBOMs in CycloneDX 1.6 and SPDX 3.0. A machine-readable SBOM is required by the CRA, US EO 14028, the US DoD, and EU AI Act Annex IV — the same artefact satisfies all of them, so you generate once and reuse across frameworks.
The cisa-kev-mcp server tracks Known Exploited Vulnerabilities against the BOD 22-01 SLA, which requires a 14-day patch window for vulnerabilities being actively exploited in the wild. That SLA is mandatory for US federal agencies and is increasingly expected by enterprise procurement, and MEOK surfaces breaches against it automatically.
The Pro tier is £199/mo and is the most common choice for cybersecurity vendors, because CRA Annex I requires the 9-Article EU AI Act stack if your product includes AI features. An Enterprise tier is available for OEM integrators. The bundle includes 12 MCP servers covering CRA, SBOM, KEV, SLSA, Sigstore, MITRE ATT&CK/ATLAS, and OWASP LLM Top 10.