CyberRisk Canvas

Visual threat modeling for CRA compliance

SaaS

Visit WebsiteSee on Product Hunt

Hi Product Hunt! If you build software or connected hardware for the European market, you probably know the headache: new regulations like the EU Cyber Resilience Act (CRA) and NIS-2 are coming. They require companies to produce complete threat modeling and risk assessments for audits. In reality, this leads to two massive problems: No security experts: Most smaller or mid-sized teams can't afford full-time security specialists. The work falls on regular developers or product managers. Excel Hell: Teams end up staring at massive spreadsheets for days, trying to manually map threats to legal paragraphs instead of building features. Why another tool? Yes, there are already plenty of threat modeling tools on the market. But most of them are highly technical, bloated, and built exclusively for security pros. What is completely missing is the combination of easy team collaboration, direct mapping to compliance frameworks, and a strict focus on documentation for passing audits. That’s why I built CyberRisk Canvas. It brings the system architecture drawing and regulatory data into one place. How it works You sketch your system architecture on a visual canvas. For example, you drag an "IoT Device" and a "Cloud" component and connect them. The tool detects the connection (like MQTT) and automatically suggests threats in plain English—for example: "Data can be intercepted because encryption is missing." No confusing jargon. In the background, the tool automatically maps this threat to the correct requirements of the CRA. Making it "Audit Ready" Auditors want hard proof, not promises. The tool includes features to automate the paperwork: Traffic-Light Matrix: A simple compliance table. A red row means a mitigation or test proof is missing. One click filters out completed items so you only see your exact to-do list. Link Evidence: You can paste a link to a test report or a Jira ticket directly into the mitigation framework for the auditor to see. Risk Acceptance: If a problem cannot be fixed technically right away, you can officially accept the risk by entering a justification and the owner's name. Freeze Versions (Baselines): Once everything turns green, you freeze the project as Version 1.0. It enters a read-only mode so nobody can accidentally change anything before the audit. Behind the scenes To be completely transparent: AI helped me a lot with writing the code, but building a stable, logical workflow still took months of hard work and fine-tuning. The tool uses the Claude API to help generate the contextual threat suggestions, but the actual decision-making always stays with the user. I'd love your feedback! CyberRisk Canvas is currently in a 60-day open beta, and it is completely free during this period. Please give it a try and hit me with your brutal, honest feedback here in the comments. What is missing? What annoys you in the workflow? Thanks for your support! 🙏