The third edition of Cyber On Board concluded last night, following three days that confirmed a fundamental shift: embedded cybersecurity is no longer a technical niche reserved for a handful of specialists. It is becoming the focal point where regulatory compliance, technological sovereignty, and the operational resilience of critical industries converge.
Jonathan Brossard, founder and CTO of MOABI, spoke on Wednesday, May 27, during the Software & Drones session on a topic that encapsulates this shift: Practical Vulnerability Triage Under Regulatory Pressure for Modern PSIRTs. Here are the key takeaways and the discussions it sparked with the industry representatives in attendance.
An imbalance that has become structural
The numbers are no longer in dispute: more than 40,000 CVEs were published in 2024, which amounts to over 100 new vulnerabilities to process every business day. Meanwhile, the notification and remediation windows imposed by regulators have tightened drastically: 24 hours for the Cyber Resilience Act and DORA, 72 hours for NIS2, four business days for the U.S. SEC cybersecurity disclosure rule, and 15 days for CISA's KEV catalog. Each of these clocks starts from a different trigger (awareness of active exploitation, classification of an incident, addition to the catalog), and deciding whether that trigger has fired is itself a triage decision.
The imbalance has become untenable. It is precisely this tension between volume and deadlines that now defines the daily reality for PSIRT teams and product security managers.
The Pitfall of Vendor CVE Feeds
The first limitation highlighted by Jonathan: purely governance-based approaches are no longer sufficient.
Filtering CVEs on a base CVSS score of 9.0 or higher and then rescoring the survivors with environmental vectors looks reasonable. In practice the filter systematically discards kernel privilege-escalation CVEs: they are local by definition (AV:L), and a local vector that requires low privileges tops out below 9.0 no matter how severe the impact. On a system that is not exposed to the Internet, those local bugs are precisely the asset's real attack surface, and environmental rescoring only pushes them further down the list.
The deeper issue remains data quality. The presentation relied on a benchmark MOABI ran on Ubuntu 24.04 LTS, comparing its own scanner, OpenSCAP, and the Ubuntu Pro CVE feed as the vendor reference under evaluation:
| Tool | CVEs reported | Precision | Recall |
|---|---|---|---|
| MOABI | 1,329 | 100% | 100% |
| OpenSCAP | 1,373 | 100% | 96.7% |
| Ubuntu Pro CVEs | 2,084 | 63.7% | 99.9% |
Of the 2,084 CVEs reported by the vendor feed, 755 are false positives, a 36.3% error rate. In practical terms, a PSIRT team that relies solely on vendor feeds spends more than a third of its triage time on vulnerabilities that do not affect the targeted system. The benchmark is MOABI's own and covers a single release, so the absolute figures are indicative rather than independent, but the shape of the problem is familiar to anyone who has reconciled a scanner report against a real image.
The technical reason is clear: matching by package name and version cannot tell whether the vulnerable function is actually present in the deployed binary, nor whether the distribution backported the fix without changing the upstream version number. Only verification at the binary level resolves both questions.
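The backport half of that problem is easy to reproduce. Below is an added example (not code from the presentation or from MOABI) that reimplements dpkg's version comparison in Python and runs two matchers over a constructed inventory: a feed-style matcher that compares the upstream version against the upstream "fixed in" version, and a distribution-aware matcher that compares the full package version against the distribution's own fixed version. The package versions and the ADV-000x identifiers are hypothetical.

```python
# dpkg version comparison, reimplemented in Python (same algorithm as dpkg's verrevcmp).

def _order(c):
    """Sort weight of a non-digit character in dpkg's algorithm:
    '~' sorts before everything (even end of string), letters before other symbols."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the dpkg way: alternating non-digit and
    digit runs, digit runs compared numerically."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


# Constructed inventory of a deployed image (package -> dpkg version string).
INSTALLED = {
    "openssl": "3.0.2-0ubuntu1.15",
    "zlib1g": "1:1.2.11.dfsg-2ubuntu9.2",
    "curl": "7.81.0-1ubuntu1.4",
}

# Constructed advisories with hypothetical identifiers. "upstream_fixed" is what a
# generic feed says; "distro_fixed" is the distribution's own fixed package
# version (None = the distribution has shipped no fix yet).
ADVISORIES = [
    {"id": "ADV-0001", "package": "openssl", "upstream_fixed": "3.0.8", "distro_fixed": "3.0.2-0ubuntu1.8"},
    {"id": "ADV-0002", "package": "zlib1g", "upstream_fixed": "1.2.13", "distro_fixed": "1:1.2.11.dfsg-2ubuntu9.3"},
    {"id": "ADV-0003", "package": "libpng16-16", "upstream_fixed": "1.6.40", "distro_fixed": None},
    {"id": "ADV-0004", "package": "curl", "upstream_fixed": "8.4.0", "distro_fixed": None},
]


def naive_match(installed, advisories):
    """Feed-style matching on the upstream version only. It cannot see the
    backport in ADV-0001, so that advisory is a false positive."""
    hits = set()
    for adv in advisories:
        v = installed.get(adv["package"])
        if v is None:
            continue
        _, upstream, _ = _split(v)
        if dpkg_compare(upstream, adv["upstream_fixed"]) < 0:
            hits.add(adv["id"])
    return hits


def distro_aware_match(installed, advisories):
    """Compare the full installed version against the distribution's fixed version."""
    hits = set()
    for adv in advisories:
        v = installed.get(adv["package"])
        if v is None:
            continue
        fixed = adv["distro_fixed"]
        if fixed is None or dpkg_compare(v, fixed) < 0:
            hits.add(adv["id"])
    return hits
```

With this inventory the naive matcher flags three advisories and the distribution-aware one flags two; the difference is exactly the openssl backport. The other half of the problem (a fixed version string on a binary that was statically linked against something else, or a vulnerable function that is not present at all) cannot be answered from version strings by either matcher, which is the argument for looking at the binary.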
The Fuzzing Wall
Second limitation: fuzzing, sometimes presented as the technical solution to the problem, does not scale.
For CVE-2023-2804, a heap overflow in libjpeg-turbo, AFL++ finds a first crash in 66 seconds, AFLGo (directed fuzzing) in 336 seconds, and SymQEMU (concolic execution) produces 605 crashes after about 25 minutes. Each approach needs its own harness and seed corpus, and all of that effort buys coverage of a single CVE.
RAND's empirical study of zero-day exploit development estimates that building a complete, working exploit takes 6 to 37 days. Compare that with the few hours a PSIRT team has per alert.
Fuzzing remains essential for research, but it cannot serve as the mechanism for daily triage. The asymmetry is structural.
A binary approach validated on a large scale
The value of the presentation lay in the method it highlighted for overcoming this obstacle.
Rather than relying on metadata, MOABI analyzes binaries, firmware, and containers as they are deployed. This makes it possible to generate SBOMs directly from the executed code, including statically linked components that package managers never see (OpenSSL, zlib, libjpeg), and to enrich and rescore CVEs with KEV, EPSS, and SSVC data. It also allows the actual hardening of each binary to be assessed (ASLR, RELRO, NX, FORTIFY, stack canaries), a factor that CVSS cannot express but which radically changes a vulnerability's priority. Finally, it produces CBOMs (Cryptographic Bills of Materials) to prepare post-quantum migrations on systems with lifespans of 10 to 20 years.
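The hardening assessment is worth showing because it comes straight out of the ELF headers, which is why it is cheap to do at scale. The following is an added example, not MOABI's code: a checksec-style reader for PIE, NX and RELRO (none / partial / full) on little-endian ELF64 images, plus a builder that constructs minimal synthetic ELF images so the checks can be exercised offline. The synthetic images contain only the headers the report inspects and are not loadable programs.

```python
import struct

# ELF64 constants (from elf.h).
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR_SIZE, PHDR_SIZE, DYN_SIZE = 64, 56, 16


def parse_program_headers(blob):
    """Return (e_type, [phdr dicts]) from an ELF64 little-endian image."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", blob, 16)[0]
    e_phoff = struct.unpack_from("<Q", blob, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", blob, 54)
    phdrs = []
    for n in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz, _msz, _align = struct.unpack_from(
            "<IIQQQQQQ", blob, e_phoff + n * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_offset, "filesz": p_filesz})
    return e_type, phdrs


def read_dynamic_tags(blob, phdrs):
    """Collect d_tag -> d_val from the PT_DYNAMIC segment (empty if there is none)."""
    tags = {}
    for ph in phdrs:
        if ph["type"] != PT_DYNAMIC:
            continue
        off, end = ph["offset"], ph["offset"] + ph["filesz"]
        while off + DYN_SIZE <= end:
            tag, val = struct.unpack_from("<qQ", blob, off)
            if tag == DT_NULL:
                break
            tags[tag] = val
            off += DYN_SIZE
    return tags


def hardening_report(blob):
    """checksec-style summary of PIE, NX and RELRO from headers alone."""
    e_type, phdrs = parse_program_headers(blob)
    tags = read_dynamic_tags(blob, phdrs)
    stack = [p for p in phdrs if p["type"] == PT_GNU_STACK]
    # PT_GNU_STACK without PF_X means a non-executable stack. No PT_GNU_STACK at
    # all lets the loader fall back to an executable stack, so that is "no NX" too.
    nx = bool(stack) and not (stack[0]["flags"] & PF_X)
    has_relro = any(p["type"] == PT_GNU_RELRO for p in phdrs)
    bind_now = bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW) or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    # For an executable, ET_DYN means PIE. Shared libraries are ET_DYN as well,
    # so a scanner walking .so files must not read this flag as PIE for them.
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_test_elf(e_type, nx, relro, bind_now):
    """Constructed minimal ELF64 image (header, program headers, dynamic array)
    carrying just the flags the report inspects. Not a runnable program."""
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    segments = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0)]
    if relro:
        segments.append((PT_GNU_RELRO, PF_R, 0, 0))
    dyn_off = EHDR_SIZE + PHDR_SIZE * (len(segments) + 1)
    segments.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, len(dyn)))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, SysV
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, EHDR_SIZE, 0, 0,
                               EHDR_SIZE, PHDR_SIZE, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, sz, sz, 8)
                     for t, f, off, sz in segments)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    print("weak:     ", hardening_report(build_test_elf(ET_EXEC, nx=False, relro=False, bind_now=False)))
    print("hardened: ", hardening_report(build_test_elf(ET_DYN, nx=True, relro=True, bind_now=True)))
```

Stack canaries and FORTIFY are not visible in the headers: they show up as imports of `__stack_chk_fail` and of the `__*_chk` variants of libc functions in the dynamic symbol table, so a complete checker has to parse `.dynsym` as well. ASLR is a kernel setting rather than a property of the file; what the file tells you is whether it is PIE and can therefore benefit from it.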
For high-priority CVEs, the platform integrates with the Witchcraft Compiler Collection (WCC), an open-source framework that Jonathan has been developing for several years. The principle: transform an ELF executable into a shared library that can be loaded with dlopen(), then call any of its functions directly, with arbitrary arguments, from an embedded Lua interpreter. Three commands are enough to confirm a CVE on a stripped binary, in under a millisecond, without source code. The call itself is the cheap part; the analyst still has to know which function to call and what arguments reach the vulnerable code, which is where the enrichment data earns its keep.
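The mechanism WCC relies on, load a binary as a library and call into it directly, can be sketched without WCC itself. The example below is added here and is not WCC's or MOABI's code: it uses Python's ctypes (a thin wrapper around dlopen/dlsym) to check whether a symbol is actually exported, then calls it in a forked child so that a crash is reported as a signal rather than killing the triage process. Because ctypes cannot libify an ET_EXEC the way WCC's loader does, the probe targets libc's `strlen` as a stand-in for "the suspect function"; the NULL-pointer call is a constructed crash, not a vulnerability in strlen. Linux or macOS is assumed, since the isolation uses fork().

```python
import ctypes
import os
import pickle


def load_library(path=None):
    """dlopen() the given shared object. None gives the running process's own
    global symbol scope (libc included), like dlopen(NULL)."""
    return ctypes.CDLL(path)


def symbol_present(lib, name):
    """dlsym() check: is the function actually exported by what was loaded?"""
    try:
        getattr(lib, name)
        return True
    except AttributeError:
        return False


def call_isolated(lib, name, args, restype, argtypes):
    """Call lib.<name>(*args) in a forked child so that a crash is observed as a
    signal instead of taking down the triage process.
    Returns ("ok", value), ("signal", signo) or ("exit", code)."""
    fn = getattr(lib, name)
    fn.restype = restype
    fn.argtypes = argtypes
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                       # child: run the call, ship the result back
        os.close(rfd)
        try:
            os.write(wfd, pickle.dumps(fn(*args)))
        finally:
            os._exit(0)
    os.close(wfd)                      # parent: collect the result and the exit status
    chunks = []
    while True:
        chunk = os.read(rfd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return ("signal", os.WTERMSIG(status))
    if chunks:
        return ("ok", pickle.loads(b"".join(chunks)))
    return ("exit", os.WEXITSTATUS(status))


def probe_strlen():
    """Worked probe against libc's strlen: a valid buffer returns normally, a
    NULL pointer faults in the child (constructed crash), and a made-up symbol
    is reported absent before anything is called."""
    libc = load_library(None)
    return {
        "absent": symbol_present(libc, "no_such_symbol_for_this_probe"),
        "present": symbol_present(libc, "strlen"),
        "valid": call_isolated(libc, "strlen", [b"hello"], ctypes.c_size_t, [ctypes.c_char_p]),
        "null": call_isolated(libc, "strlen", [None], ctypes.c_size_t, [ctypes.c_char_p]),
    }


if __name__ == "__main__":
    for key, value in probe_strlen().items():
        print("%-8s %r" % (key, value))
```

The "absent" check is the same question the package-name matcher cannot answer: if dlsym does not find the vulnerable function, there is nothing to confirm. Where the page describes confirming a CVE, the call in the child would be the proof-of-concept input for that function, and ("signal", SIGSEGV) or an observable corrupted return value is the confirmation.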
The tool has been validated on 3,861 production binaries spanning 14 processor architectures, and is now distributed in Debian, Ubuntu, and Kali Linux. Part of this work is the subject of a doctoral thesis defended at CNAM in 2026 and has already been presented at DEF CON 24, Black Hat Europe 2016, and USENIX WOOT 2024.
Manufacturers who recognize the problem
The discussion that followed the presentation confirmed what many observers had suspected: regulatory pressure is no longer a theoretical governance issue. It has become a daily operational constraint for product security teams, and automating the audit is no longer optional.
A particularly fruitful exchange took place with the SNCF teams, whose technical expertise and in-depth knowledge of the constraints of rail transport stood out during the session. The transportation sector clearly illustrates the current challenge: very long product lifecycles, a multitude of suppliers, critical embedded components, and now NIS2 obligations to meet across heterogeneous fleets accumulated over decades.
One message kept coming up in the discussions: it is not so much the detection of vulnerabilities that poses a problem, but the ability to quickly distinguish what is truly urgent from what is merely noise. In an environment where volume will only increase, triage and prioritization are becoming the primary value-added functions of the modern PSIRT. Anything that can be automated upstream should be, to free up teams’ time for decisions that truly matter.
A connection with other presentations at the conference
One of the highlights noted by Jonathan was the presentation by Isabelle Olivier (Thales) on black-box analysis of security components. Her demonstration of chip polishing, a technique that goes down to the silicon itself to conduct security analysis at the hardware level, illustrates an approach that converges with the one advocated by MOABI, albeit at a different level of the technology stack. Two distinct disciplines, one hardware-based and the other software-based, address the same requirement: to properly assess a component's security, one must analyze what actually exists, not what is declared.
Looking ahead
Cyber On Board 2026 confirms a fundamental trend. Embedded cybersecurity is establishing itself as a cross-cutting strategic issue at the intersection of software, regulation, and industrial sovereignty. The event’s academic format and the caliber of its speakers—bringing together major industry players, institutions, and researchers—make it one of the most influential gatherings in the sector in France.
We would like to thank Cyber On Board and all the organizers for the quality of this third edition, as well as the industry representatives and researchers with whom we had the opportunity to exchange ideas over the course of these three days.
Would you like to conduct a practical assessment of your products’ actual attack surface, or discuss your PSIRT requirements in light of the Cyber Resilience Act? Contact us