Security compliance
Doesn't end at launch.
Neither does Lucerna.

Persistent, audit-ready vulnerability management for your products — built by engineers who live with the same challenge every day.

Rufilla is trusted by teams building smart products for:

Curtiss-Wright

Smart products live for years. Vulnerabilities never stop.

Embedded products live for years in the field, and the CVE feeds that cover your platform are updated every day. Without a clear, documented record of which vulnerabilities you reviewed and what you decided, you are either redoing the same triage work every sprint or flying blind.

And if a regulator, a customer’s procurement team, or an auditor asks you to prove your security decisions? A spreadsheet won’t cut it.

That's exactly why we built Lucerna.

Every CVE decision recorded, timestamped, and retrievable

Works with Yocto-style CVE JSON manifests and standard SPDX formats

The rules have changed. Security compliance is now a legal requirement.

Connected products are now subject to mandatory cybersecurity obligations in both the UK and EU. Regulators increasingly expect manufacturers to prove how vulnerabilities are identified, assessed, and managed over time.

Everything You Need to Know About the New Smart Product Security Laws

Download our free guide

See Lucerna in Action

See exactly how Lucerna fits into your workflow and what your audit trail would look like.

What Lucerna actually does

Lucerna gives you a single, persistent home for every CVE decision your team makes across your product’s entire lifetime. Every triage action is recorded with who made the call, when, and why, creating the documented audit trail that auditors working to the UK Product Security and Telecommunications Infrastructure (PSTI) regime and the EU Cyber Resilience Act (CRA) look for.

It’s not another scanner that floods you with alerts. It’s the place where those alerts get turned into defensible decisions.

Upload and baseline in minutes

Focus only on what changed
Import a Yocto-style CVE JSON manifest or a standard SPDX document and Lucerna builds a baseline from your first scan.
Stop re-reviewing old vulnerabilities
Every later upload is treated as a delta against that baseline, so the team reviews newly introduced risk instead of repeating old triage work.

Triage that actually sticks

Every decision is recorded
Each CVE action includes rationale, timestamp, and ownership.
Previously reviewed issues stay closed
Triaged vulnerabilities only reappear if upstream statuses change or your team intentionally reopens them.
Four clear actions
When you triage a CVE, you choose one of four categories and record your reasoning. Every call is documented, versioned, and retrievable, so your team always knows where each decision came from and why.

Filter for what actually matters

Prioritise genuine risk
Filter by CVSS, EPSS percentile, attack vector, package, or other criteria.
Share views across teams
Generate a PDF report to share with internal teams and subcontractors: a clear snapshot of exactly where your product stands.

Overnight alerts without the noise

Lucerna performs overnight scans and flags newly discovered high-severity vulnerabilities through concise summary emails with direct links back into the platform.

You can also integrate Lucerna into CI workflows, preventing critical unresolved vulnerabilities from passing through builds unnoticed.
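The baseline, delta, persistent-triage and build-gating workflow described above, as an added example written for this page (it is not Lucerna's code and does not use its API). The manifest shape follows the JSON that Yocto's cve-check class writes, a "package" list whose entries carry an "issue" list with id, scorev3, vector and status fields; the package, the CVE identifiers, the scores, the four action names, the decision-log layout and the 7.0 severity and 1.0 rescore thresholds are all constructed for illustration.

```python
"""Baseline, delta, persistent triage and CI gate over Yocto cve-check JSON.

Added example for this page, not Lucerna's code. Manifest shape follows
what Yocto's cve-check class writes; package, CVE ids, scores, action
names and thresholds are constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed: the first build's manifest, which becomes the baseline.
BASELINE_JSON = json.dumps({"version": "1", "package": [{
    "name": "busybox", "version": "1.36.0",
    "products": [{"product": "busybox", "cvesInRecord": "Yes"}],
    "issue": [
        {"id": "CVE-2099-0001", "scorev3": "7.5", "vector": "NETWORK", "status": "Unpatched"},
        {"id": "CVE-2099-0002", "scorev3": "3.3", "vector": "LOCAL", "status": "Unpatched"},
        {"id": "CVE-2099-0003", "scorev3": "6.5", "vector": "NETWORK", "status": "Patched"},
    ]}]})

# Constructed: a later build. 0001 is now patched, 0002 was rescored upstream,
# 0004 was published after the baseline was taken.
LATER_JSON = json.dumps({"version": "1", "package": [{
    "name": "busybox", "version": "1.36.1",
    "products": [{"product": "busybox", "cvesInRecord": "Yes"}],
    "issue": [
        {"id": "CVE-2099-0001", "scorev3": "7.5", "vector": "NETWORK", "status": "Patched"},
        {"id": "CVE-2099-0002", "scorev3": "7.8", "vector": "LOCAL", "status": "Unpatched"},
        {"id": "CVE-2099-0004", "scorev3": "9.8", "vector": "NETWORK", "status": "Unpatched"},
    ]}]})


def unpatched_issues(manifest_json):
    """Flatten a cve-check manifest to {cve_id: record} for issues still Unpatched.

    Patched and Ignored entries carry no open risk and are dropped, so an id that
    was open in the baseline and is absent here counts as resolved.
    """
    open_issues = {}
    for pkg in json.loads(manifest_json).get("package", []):
        for issue in pkg.get("issue", []):
            if issue.get("status") != "Unpatched":
                continue
            open_issues[issue["id"]] = {
                "package": pkg["name"],
                "version": pkg.get("version", ""),
                "scorev3": float(issue.get("scorev3") or 0.0),
                "vector": issue.get("vector", ""),
            }
    return open_issues


def delta(baseline, current):
    """Split the current open set against the baseline: new, carried over, resolved."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "carried": sorted(set(current) & set(baseline)),
        "resolved": sorted(set(baseline) - set(current)),
    }


class TriageLog:
    """Append-only decision record; every entry needs an action, an owner and a rationale.

    The four action names are illustrative; the page does not list Lucerna's own.
    """
    ACTIONS = ("fixed", "not_affected", "mitigated", "accepted_risk")

    def __init__(self):
        self.entries = []   # full history, never rewritten in place
        self.latest = {}    # cve_id -> most recent entry

    def record(self, cve_id, action, rationale, owner, score_at_decision, when=None):
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if not rationale or not rationale.strip():
            raise ValueError("rationale is mandatory")
        entry = {"cve": cve_id, "action": action, "rationale": rationale.strip(),
                 "owner": owner, "scorev3": float(score_at_decision),
                 "timestamp": (when or datetime.now(timezone.utc)).isoformat()}
        self.entries.append(entry)
        self.latest[cve_id] = entry
        return entry

    def needs_review(self, cve_id, current_score, rescore_threshold=1.0):
        """True when no decision exists, or the v3 score moved by the threshold since it was made."""
        last = self.latest.get(cve_id)
        if last is None:
            return True
        return abs(float(current_score) - last["scorev3"]) >= rescore_threshold


def gate(current, log, min_score=7.0):
    """CI gate: open CVEs at or above min_score that still need a decision block the build."""
    return sorted(cve for cve, rec in current.items()
                  if rec["scorev3"] >= min_score and log.needs_review(cve, rec["scorev3"]))


if __name__ == "__main__":
    baseline = unpatched_issues(BASELINE_JSON)
    log = TriageLog()
    log.record("CVE-2099-0001", "mitigated", "affected applet not built into our image",
               "alice", baseline["CVE-2099-0001"]["scorev3"])
    log.record("CVE-2099-0002", "accepted_risk", "local-only; no unprivileged shell on the device",
               "bob", baseline["CVE-2099-0002"]["scorev3"])
    current = unpatched_issues(LATER_JSON)
    print(delta(baseline, current))   # 0004 new, 0002 carried, 0001 resolved
    blocking = gate(current, log)     # 0002 reopened by the rescore, 0004 never triaged
    print("blocking:", blocking)
    raise SystemExit(1 if blocking else 0)
```

Run stand-alone it exits non-zero, which is the behaviour a CI step wants: the rescored CVE comes back for review even though it was accepted earlier, and the new one has no decision at all. The decision for an earlier score is kept in `entries` rather than overwritten, which is what makes the history defensible later.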

Generate evidence instantly

Export on demand
Export a compliance report as a PDF at any point.
Keep your decision history
Every report includes open vulnerabilities, dismissed issues, and recorded rationale.
Built for real-world audits
The goal isn’t certification; it’s being able to show an auditor that your team runs a structured, continuous security process.

Core capabilities

Yocto-style CVE JSON and standard SPDX import
Persistent CVE triage with mandatory rationale
Multi-product vulnerability tracking
Role-based access and audit history
REST API for CI integration and build gating
Overnight high-severity alerts
Bulk triage operations
PDF compliance reporting

Built By People Who Actually Use It

We built Lucerna because we needed it ourselves.

We work on long-life embedded products where security audits can happen years after deployment. Explaining every vulnerability decision through spreadsheets and disconnected processes simply wasn’t sustainable.

So we built the platform we wanted to use ourselves.

Lucerna is used internally across Rufilla projects every day, which means the roadmap is driven by real engineering needs, not abstract feature lists or marketing trends.


Oxford Instruments Sets the Standard for Embedded Security Compliance with Rufilla Lucerna

by Joe Nicholson

Managing Director & Founder


May 1, 2026

Oxford Instruments has always held itself to a high standard. When it comes to embedded security, they’re not waiting to be told what to do. They’re already doing it.
 
The company has taken out an annual licence for Lucerna, putting the infrastructure in place to build the documented, auditable security record that regulators and customers increasingly expect to see — across a product portfolio with deployment timelines measured in years.
 
“We built Lucerna because we needed it ourselves. Working on long-life embedded products, we understood that staying compliant over time is the genuinely hard part. Oxford Instruments has understood this from the outset, and we’re proud to be supporting them in building exactly the kind of structured, continuous security process their products deserve.” — Joe Nicholson, Founder and Managing Director, Rufilla

Frequently Asked Questions

Does Lucerna work with build systems other than Yocto?
Lucerna is built around the Yocto Project and ingests Yocto’s native CVE JSON directly, alongside SPDX and CycloneDX. If your build system outputs SPDX or CycloneDX, you can upload those directly. If you’re working on a Buildroot or custom BSP setup, get in touch and we can talk through what’s possible.
Does Lucerna certify our product as compliant?
No. Lucerna doesn’t certify products or replace security engineering work.
What it does provide is a structured, auditable record of the vulnerability decisions your team makes over time, including rationale, ownership, and history. That evidence is increasingly important for PSTI, EU CRA, procurement reviews, and customer security assessments.
We're a small team. Is Lucerna going to add a lot of overhead?
The honest answer is that it depends on how you manage vulnerability triage now. If you’re currently doing it ad-hoc or in spreadsheets, Lucerna will actually reduce the time you spend on it — particularly through bulk operations, overnight diff alerts, and persistent triage decisions that mean you never re-examine the same CVE from scratch. If you have no existing process, there’s a short setup phase, but most teams are running smoothly within a day or two.
Can multiple team members and subcontractors use the platform?
Yes. Role-based access controls let you define who can triage, who can view, and who gets read-only access. Subcontractors can be given a shareable filtered URL for a specific project view without needing a full account if the project is set to read-only.
How long does it take to get started?
From signing up to your first baseline scan is typically a matter of hours, not weeks. Incorporate the Lucerna Yocto layer into your build, run your first scan, upload the output, and the platform creates your baseline. Everything from there is a delta on top of that first snapshot.
What happens when a CVE I've already triaged changes?
If the NVD score on a previously triaged CVE changes materially, Lucerna automatically returns it to your Open list so it can be re-reviewed in light of the updated information. Nothing falls through the gaps between build cycles.
Does Lucerna need to connect to the internet or our internal systems?
No. Lucerna deploys on-premises via a single Docker Compose command and runs in fully air-gapped environments. Your build data stays on your infrastructure. The one thing to plan for is CVE data: overnight scans are only as current as the vulnerability feed they run against, so an air-gapped deployment needs a way to bring updated feed data inside. If you need to share a filtered view with an external subcontractor, the read-only shareable URL feature handles that without requiring them to have an account or access to your full project.
What compliance frameworks does the audit trail support?
The triage audit trail — with timestamps, user IDs, and free-text rationale stored in PostgreSQL — is designed to satisfy the documentation requirements of UK PSTI, the EU Cyber Resilience Act, and IEC 81001-5-1 for medical devices. It also holds up well against the kind of security questionnaires that enterprise procurement teams and insurers are increasingly sending out before contracts are signed.

See Lucerna in action.

We’ll walk you through the platform with your build environment and use case in mind. If you’ve got an SBOM you’d like to run through it, bring it along.

In 30 minutes you’ll see exactly how Lucerna fits into your workflow and what your audit trail would look like.

What to expect: a live walkthrough tailored to your sector and stack, an honest conversation about what compliance looks like for your specific product, and clear next steps with no hard sell.

Prefer to talk first? Call us on +44 (0)1865 601201 or email hello@rufilla.com