Blog
The Finite State Blog

Practical insights and articles from our SMEs to help product security teams cut triage noise, fix what matters faster, and deliver audit-ready proof to customers and regulators.

5 results

A dark automotive ECU control module with a glowing teal wireframe twin hovering above it, mostly aligned with the physical device below, illustrating the gap between a supplier's claimed component list and what's actually inside..
Compliance

Trust but Verify: A Practical Guide to Supplier SBOM Validation

Supplier SBOMs are often incomplete. Here's why manufacturers verify them against the actual binaries, and how that holds up under CRA, FDA, ISO 21434...

Doc McConnell
Doc McConnellJULY 13, 2026
Overhead view of a dense array of dark, unlit connected devices—PLCs, gateways, cameras, routers—linked by cables, with one device in the center glowing bright orange while every other device stays dim, representing a single reachable vulnerability flagged among many.
Compliance

EPSS and CRA Triage: What to Do When a Vulnerability Lands

Under the CRA, vulnerability triage is a risk-based, documented decision. See how EPSS and reachability show which CVEs warrant action and which can w...

Doc McConnell
Doc McConnellJULY 8, 2026
X-ray 3/4 view of a connected vehicle, the dark car body shown in shadow while its internal electronics — infotainment unit, telematics module, OBD-II dongle, and dashcam — glow orange and are revealed by scan line passing through the car.
Compliance & RegulationsCompliance

Cyber Resilience Act for Automotive Suppliers: The Car Is Exempt, but What's Inside Isn't

Most suppliers hear "automotive is exempt" and move on. The CRA carves out the finished vehicle, but a meaningful share of what they sell still falls ...

Doc McConnell
Doc McConnellJUNE 24, 2026
Large warehouse full of outdated IoT devices. Caption reads "Supported doesn't mean finished."
Compliance

CRA Flips the Timeline: Why Retroactive Vulnerability Management Is the Real Challenge

Most CRA prep focuses on new products. The harder obligation reaches back across everything you have already shipped—and the September 11, 2026, deadl...

Doc McConnell
Doc McConnellJUNE 10, 2026
Illustration of an hourglass labeled “Article 14” with golden sand flowing downward beside a transparent digital map of Europe. Glowing network connections and security icons overlay the map against a dark background with faint EU stars, symbolizing a regulatory compliance deadline.
Compliance

CRA Vulnerability Reporting: September 2026 is Around the Corner

Starting September 11, 2026, manufacturers must notify ENISA within 24 hours of an actively exploited vulnerability. Most don't have the four operatio...

Doc McConnell
Doc McConnellMAY 28, 2026
Finite StateFinite State

Finite State is the Product Security Automation Platform that functions as an autonomous Product Security OS: design → verify → prove, grounded in what you ship.

Platform

Platform Overview
Ground Truth Inventory
Exploitability-Based Prioritization
Design-Time Architecture Security
Automated Evidence-Backed Compliance

Solutions

Device Manufacturers
Automotive
Medical Devices
Energy & Utilities
Government
Industrial

Resources

Blog
Resource Library
Webinars & Videos
Events
Documentation

Company

About Us
CareersHIRING
Press & News
Contact Sales
Media Inquiries
X

© 2026 Finite State. All rights reserved.

Privacy PolicyTerms of UseCustomer Terms and Conditions
Finite StateFinite State
Finite StateFinite State
Get a DemoGet a Demo