Hardware & IoT Security Consulting
Is your device secure? Or do you just think it is.
Hardware and IoT security audits for product teams shipping connected devices — before the market, the regulator, or an attacker answers for you.
EU CRA 2027 · ETSI EN 303 645 · IEC 62443 · OWASP IoT Top 10
Security usually ends up on the last line.
Most hardware teams build great products. Schedules are tight, the BOM is optimised, firmware ships. Security would happen — if there were time for it.
The EU Cyber Resilience Act doesn't give you more time. From 2027, every product with digital elements must meet verifiable security requirements — or it cannot reach the European market.
We help you understand where your product stands today, what's missing, and the shortest path to market.
Services
What we test
You don't receive a technical list — you get solutions to your specific business risks. Every test defends against a business problem.
Hardware Penetration Test
Physical-layer attack simulation: what can an attacker extract from your device with physical access — before they show you.
Firmware & Software Audit
We find hardcoded secrets, vulnerable components, and weak points in your OTA update chain. SBOM generation with CVE scanning.
Communication & Network Test
We verify that what your device sends to the cloud cannot be read or modified in transit. BLE, Zigbee, Wi-Fi, LoRa analysis.
CRA Compliance Package
We tell you where your product stands today, what's missing, and the shortest path to market. Gap analysis, ETSI audit, IEC 62443 SL determination.
Compliance Matrix
Which test covers which standard
Business risk, technical test, and legal compliance in one table.
| Technical test | Business risk | EU CRA | ETSI EN 303 645 | IEC 62443 | NIS2/GDPR |
|---|---|---|---|---|---|
| UART/JTAG lockdown | Prevent firmware & IP theft | ✓ | ✓ | ✓ | — |
| Secure Boot validation | Block malicious firmware updates | ✓ | ✓ | ✓ | — |
| Fault Injection / Glitching | Prevent crypto key leakage | ◐ | — | ✓ | — |
| Network encryption audit | GDPR compliance, user data protection | ✓ | ✓ | ◐ | ✓ |
| SBOM & CVE scanning | Identify vulnerable components | ✓ | ✓ | ◐ | — |
Methodology
How we work
A structured, repeatable process — not a one-off audit, but a documented security programme.
- 01 — Kickoff & Scope — We define what's tested, to what depth, and by when. Clear scope — no surprises.
- 02 — Architecture review — Schematic, BOM, and data flow review — before the device arrives. Pre-analysis accelerates the physical work.
- 03 — Physical & firmware analysis — Device arrives, hardware mapping, debug port identification, and firmware reverse engineering begins.
- 04 — Dynamic testing — Live traffic interception, protocol fuzzing, injection techniques. Real attack scenario simulation.
- 05 — Report & remediation roadmap — Structured audit report: CVSS-scored findings, compliance status table, prioritised remediation steps. Executive Summary for decision-makers, technical details for developers.
The 2027 deadline is closer than you think
The EU Cyber Resilience Act mandatory compliance deadline is September 2027. A full security review and remediation — from experience — takes 6–18 months depending on product complexity.
Start now and you have time to prepare. Wait six months and you may be paying for a delayed market entry instead.
Find out where your product stands today →
About
We think like hardware engineers
OrionRND is run by hardware security specialists who have worked across ESP32-based systems and enterprise red team operations. We understand devices from the inside — from chips to firmware architecture to the communication stack.
We don't do generic IT security consulting. Our speciality is embedded systems security and EU compliance for IoT products.
We believe cybersecurity is not just about preventing attacks — it's about empowering our clients to take control of their own security posture.
Projects
References
January 2026
IoT Device Security Assessment
Full hardware and firmware audit for industrial sensor manufacturer.
Find out where your product stands today
In a free 15-minute consultation, we review your product and identify its three biggest risks — no commitment required.
Find out where your product stands today →
Response within 24 hours on business days. NDA available from the first call.