No tracking. No cookie wall.·EU-hosted (Hetzner) · Cloudflare edge under SCCs
Use cases

Sample deferral dossier — the vulnerability you can't patch

AquaSCADA RTU-Link 4 (DEMO) — a fictional water-utility SCADA gateway · a completed production run of the deferral_dossier workflow, re-emitted through the production render pipeline

Scope: one asset, one scanner export · Method: deferral_dossier workflow (contextual scoring + regulatory anchoring + investment simulation) · Status: sample

This is a fictional sample from a real run. AquaSCADA and its operator are invented so we can publish a complete deliverable without exposing a client — but the run is real: a completed production execution of the deferral_dossier workflow over real CVEs. Every score is the risk engine's verbatim output, every regulatory anchor was fetched live from the statute corpus with its source, publisher, and license carried into the evidence register, and the pages below are the production render pipeline's actual output. Risk scoring is experimental decision support and is labeled as such inside the artifact.
Section 1

Why this document exists

On September 11, 2026, CRA Article 14 starts requiring manufacturers to file a 24-hour early warning for actively exploited vulnerabilities, with the main Annex I vulnerability-handling obligations — “address and remediate vulnerabilities without delay” — following on December 11, 2027. The scope is products with digital elements with a direct or indirect data connection, placed on the EU market (Art. 2; sectoral carve-outs apply).

In OT, you can't patch on demand: firmware is certification-frozen, patching means a line stop, the vendor's fix isn't validated for your hardware generation. Today the record of “why we haven't patched, and why that's acceptable” lives in spreadsheets and engineers' heads. The deferral dossier is that record as a defensible document — per-finding evidence that deferrals are managed and invested against, not ignored.

Section 2

The dossier, page by page

Compact and auditor-legible — this run renders to four pages. Every number is the risk engine's own output, every citation was fetched from the statute during the run, and everything the engine declined to do is stated in the artifact itself — down to its refusal to emit an empty VEX when nothing was contextually adjusted.

Dossier page 1 — executive summary and regulatory basis
Position at a glance: 5 deferred findings, 4 KEV-listed, 0 unresolved anchors — and the adjudicated CRA/NIS2/GDPR basis, each anchor carrying its verbatim adjudication.
Dossier page 2 — per-finding deferral records
The deferral records: real CVEs (Log4Shell, Heartbleed, Zerologon class) with engine-verbatim scores, Art. 14 fact flags, and the operator's rationale carried as their assertion.
Dossier page 3 — control-investment plan and immovable floor
The investment plan with the immovable floor — and the VEX section documenting the engine's refusal to emit an empty artifact when nothing was contextually adjusted.
Dossier page 4 — scope limits, evidence register, citation integrity
Scope limits stated plainly, and the evidence register: 7 anchors with source, publisher, and license carried verbatim from the corpus fetch.
Section 3

Records, law, plan — then back into your scanner

  • Per-finding deferral records. Contextual CVSS with KEV and EPSS from the effective-risk engine, the named rules that credited your compensating controls, and your deferral rationale carried verbatim as your assertion. KEV-listed or actively exploited findings get a deterministic Art. 14 flag — a fact statement with both phased dates, not legal advice.
  • Regulatory anchors, fetched live. Applicability is adjudicated before anything is cited. CRA Art. 13, Art. 14, and the Annex I vulnerability-handling points arrive as pin-cites fetched from the corpus at run time — with source, publisher, and license on every row. An anchor that doesn't resolve is labeled unresolved, not invented.
  • The investment plan and the immovable floor. One engine simulation over the deferred set answers which controls verifiably lower it most, in what order — and which findings no modeled control moves, each with the engine's reason, from “patch or replace regardless” down to “no rule covers this yet.” Deferral becomes “mitigated and invested against,” not “parked.”
  • The VEX round-trip. When your export carries component refs, a CycloneDX VEX flows the re-prioritized result back into Dependency-Track — re-prioritized, never suppressed, with exclusions named per CVE.
  • Exploitable, or a false positive? Your agent gathers the evidence — you decide. The same gateway serves what an exploitability call needs: KEV listing, EPSS, known public exploits, CVE details, and contextual scoring against your asset's exposure and controls. Your engineer records the review decision, and the dossier carries it verbatim as the only authoritative disposition — the difference between “the scanner said so” and “we determined it, and here's the evidence.”
Section 4

Nothing in it is fabricated

  • Every score is read verbatim from the engine — re-deriving, averaging, or rounding is forbidden, and the workflow's gates check the fetch happened and the declared totals match the rows.
  • Every citation is fetched during the run and carries its source, publisher, and license. No citation from model memory, ever.
  • The dossier never claims a finding is “not affected” — only a review decision recorded by your own people is ever shown as authoritative.
  • Gaps are named per item: an unresolved anchor, an unscored CVE, a rationale without evidence — each is flagged, none is smoothed over.
Section 5

Run it on your own export

  • 01 · Export your findings. From Dependency-Track (CycloneDX + VEX or a finding export), Trivy, Grype, Snyk, or GitHub Advisories. We consume a scan — we never invent one: an SBOM with no findings is sent back to be scanned first.
  • 02 · Run it from your own agent. Connect Claude Desktop, Copilot Studio, or any MCP client to the Ansvar gateway. You confirm the scope, the asset context, and every deferral rationale before scoring begins — and you review the assembled dossier before the report is generated.
  • 03 · Hand over the artifact. A compact report for the auditor (this sample: four pages), the JSON report for your records, the VEX for your scanner when your findings carry component refs. Register your maintenance-window plan or pen-test as evidence and the dossier cites it with a tamper-evident paragraph reference.
# after connecting your agent to gateway.ansvar.eu:
Here is our Dependency-Track export for the packaging-line SCADA node.
Run a vulnerability deferral dossier — we defer these findings until the
Q4 line stop; our rationale and controls are below.

The deferral dossier runs on the Team tier and up. Have an export? Your first dossier is one session away — or we run it as an operator-reviewed engagement, where a named expert reviews the deliverable before it ships.

The sample above is fictional and says so on every page. Risk scoring is experimental decision support and is labeled as such in the artifact; outputs require review by a qualified expert — in delivered engagements, ours. The dossier records and evidences your deferral position — it does not issue conformity determinations, and its Art. 14 flags are fact statements, not legal advice.