Software distribution built for resilience on European infrastructure.
A sovereign update server for security-critical software delivery. Distribute binaries, verify signatures, and track the EU Cyber Resilience Act as it crystallises — hosted on European infrastructure, audited end to end.
See Fleet in action.
A short walkthrough of the demo instance — signed distribution from the CLI, SBOM ingestion, a live CRA assessment with the AI advisor, vulnerability tracking, and the ENISA single-reporting flow, end to end.
Stay in the loop.
Fleet is in early access. Leave your email and we'll keep you posted — new capabilities, CRA milestones, and your invitation when a demo instance opens up.
A single platform for signed delivery and provable compliance.
Most update servers solve one problem: getting bytes to a device. Fleet solves the second problem too — proving, on demand and to a regulator, that the bytes were the right ones.
Signed binary distribution
Upload, sign, and deliver binaries through a CDN you control. Cryptographic verification on every install and update, with full audit trails for every release.
SBOM viewer & ingestion
Ingest SPDX and CycloneDX software bills of materials at release time. Surface known vulnerabilities, track dependency drift, and export evidence packs on demand.
CRA requirement tracking
Map every Annex I obligation to evidence inside your platform: secure-by-design controls, vulnerability handling, and the documentation a notified body or market surveillance authority will ask for.
Observability built-in
Grafana-backed dashboards for system logs, delivery metrics, and alerting. Runtime visibility for the operations team, not just the compliance team.
Terminal-first distribution
A TUI-driven management interface for engineers who never wanted a dashboard in the first place. Scriptable, auditable, and at home in a CI pipeline.
European hosting & data residency
Hosted on EU infrastructure. Data stays in the EEA. Suitable for organisations subject to NIS2, sector-specific resilience regimes, or public procurement sovereignty requirements.
From build artefact to compliant delivery, in four steps.
Publish
Push your release artefact to Fleet from your CI pipeline. Attach the SBOM and signing keys. Fleet records the release, the operator, and the moment.
Verify
Every binary is signed, hashed, and recorded against a tamper-evident manifest. Verification runs at upload, at download, and at install.
Distribute
Devices and endpoints pull updates from a sovereign update server. Roll-out controls, channel separation, and instant rollback are built in, not bolted on.
Evidence
Generate the documentation auditors and notified bodies actually ask for: vulnerability handling logs, update history, declaration-of-conformity attachments — in one click.
Built against the CRA as the standards take shape.
The Cyber Resilience Act — Regulation (EU) 2024/2847 — has been in force since December 2024. Its vulnerability-reporting duties apply from September 2026 and full conformity from December 2027. What's still being written are the harmonised standards that operationalise it. Fleet tracks the obligations in Annex I and the conformity-assessment routes in Article 32, and adjusts as those standards crystallise.
- Secure-by-default delivery (Annex I §1): Signed binaries, integrity verification, and update authenticity enforced at the protocol level.
- Vulnerability handling (Annex I §2): Coordinated disclosure workflow, SBOM-driven advisory tracking, and a documented patching path tied to release records.
- Technical documentation (Annex VII): Documentation packs generated from real release data, mapped to the structure regulators expect to see.
- NIS2 operational alignment: Audit logs and access controls structured to support reporting obligations for essential and important entities.
- PLD evidentiary support: Tamper-evident records that hold up as a chain of custody if a defect or harm claim ever needs to be reconstructed.
A private demo instance is open to qualified evaluators.
Fleet is currently in a controlled rollout with a small set of design partners. We're opening additional demo instances for organisations with concrete CRA exposure or sovereign-distribution needs.
Demo instance
A walkthrough of the full platform on a private instance, with your team's use case loaded in.
- 30-minute scoped briefing with engineering
- Live tour of the compliance dashboard, SBOM viewer, and TUI
- Read-only access to a sandbox tenant
- Optional CRA-scope assessment for your product portfolio
Production engagement
For organisations ready to deploy Fleet against a defined compliance deadline or distribution use case.
- Dedicated tenant on EU infrastructure
- Onboarding with a CrabNebula forward-deployed engineer
- Integration with your existing CI and SBOM tooling
- Pricing scaled to fleet size and release cadence