About the Project

The Cybersecurity Certification and Assessment Tools (CCAT) project empowers producers, consumers, and regulators to better understand and improve cybersecurity by enhancing open-source tools for continuous security checks and regulatory compliance.

Strategic Goals

  • Adapt and integrate advanced open-source tools (TLS-Scanner, SCRUTINY, ALVIE, sec-certs) for continuous cybersecurity assessment aligned with evolving EU regulations (EU Cybersecurity Act, EU Cyber Resilience Act)
  • Foster collaboration between academia and industry to refine the CCAT tools based on real-world needs
  • Optimize the CCAT tools following a human-centered, usable security approach for improved user experience
  • Support users in navigating the cybersecurity certification landscape for faster, more coordinated adoption of EU cybersecurity regulations
  • Enable efficient implementation of cybersecurity certification frameworks across ICT products, services, and systems through continuous security evaluation
  • Provide training on tool usage for cybersecurity professionals and stakeholders
  • Strengthen resilience against emerging vulnerabilities in modern digital ecosystems

CCAT at a glance

Project duration: 01/01/2026 – 31/12/2028
Funding programme: HORIZON EUROPE Civil Security for Society
Call: HORIZON-CL3-2024-CS-01
Topic: HORIZON-CL3-2024-CS-01-01 - Approaches and tools for security in software and hardware development and assessment
Coordinated by: Masaryk University, Czechia
Consortium size: 9 partners, incl. Coordinator & 2 Associated Partners
EU contribution: € 4 223 156.08

What We Do

1) Advance TLS-Scanner, a tool for the assessment of security systems in operation, with easy interpretation of results and usable recommendations to improve security.

TLS-Scanner is an open-source tool developed since 2016 for evaluating TLS clients and servers through modular probes, each analyzing a specific property of an implementation. CCAT will enhance the tool to extend coverage of regulatory guidelines, improve result reports with actionable configuration guidance, optimize runtime via custom scan profiles, and support scanning of specialized, low-power, legacy, and large-scale endpoints. A web-based interface will also allow public evaluation of TLS servers.


2) Advance SCRUTINY, a toolset for versatile assessment of cryptographic implementations in hardware devices and software libraries, including black-box setups, enabling validation of security properties throughout the product lifecycle.

SCRUTINY is an open-source framework for in-depth analysis of the correctness and performance of cryptographic implementations embedded in hardware devices such as smartcards. Within CCAT, the tool will be extended with standardized, transparent, and repeatable testing workflows to improve usability for non-academic stakeholders, and with origin attribution mechanisms that support traceability across multi-step evaluation processes involving vendors, testing laboratories, and end users throughout the product lifecycle.


3) Advance ALVIE, a tool for the assessment of embedded security architectures, offering a configurable approach to testing devices against high-level vulnerabilities.

ALVIE is an open-source tool released in 2024 to bridge formal methods and vulnerability research for Sancus, an embedded security architecture with known implementation flaws. Originally limited to simulated Sancus implementations, ALVIE will be extended in CCAT to analyze other networked embedded devices, including RISC-V, and to operate on FPGA implementations, improving speed, efficiency, and practical applicability for real-world security assessments.


4) Advance sec-certs, a tool to analyze the certification landscape, assess relationships between certification documents and certified products, and confront certification systems and results with emerging vulnerabilities.

Sec-certs is an open-source tool released in 2022 to provide detailed analysis of certification landscapes for academic research. Its insights have clear relevance for ICT producers, cybersecurity solution providers, certification authorities, and ICT consumers. Within CCAT, sec-certs will be enhanced with a redesigned user interface for broader usability, integration of large language models to support information retrieval and question answering, and inclusion of the EU trust list to track changes in trust entries and related Common Criteria certifications.


5) Establish an innovative usable-security experimental lab to guide the development of user experience and user feedback for CCAT cybersecurity tools.

User Experience and Usability are key focus areas for CCAT, as interface complexity has been identified as a major barrier to broader adoption beyond academia. UPB and MUNI will leverage their expertise in human-centric cybersecurity to improve tool accessibility. Planned actions include heuristic evaluations to identify usability barriers, observation of training and use-case implementation to pinpoint weak spots, comparative studies across tool releases to measure improvements, and active engagement of users and usability experts in co-development to enhance interface design, tool coverage, and overall adoption.

6) Facilitate uptake of CCAT tools in the public and private sectors to strengthen ICT security and enhance the transparency and trustworthiness of EU cybersecurity certification.

Industry and Regulatory Engagement is a key focus for CCAT, as the tools, while primarily developed and used in academia, have already been recognized by cybersecurity solution providers for reinforcing product development reliability. Within CCAT, efforts will focus on engaging regulatory authorities to explore the tools’ potential in supporting certification schemes, promoting adoption through dedicated workshops and participation in academic-industry platforms, and continuing open-source development to ensure transparency, accessibility, and broad usability.

How We Work

The development of the four CCAT tools follows an iterative methodology structured around three development cycles of approximately one year each. Each cycle comprises four coordinated phases:

  1. User needs are explored by deploying the current tool versions in selected use-case scenarios. Feedback is collected to identify functional gaps, usability issues, and improvement opportunities.
  2. Development priorities are defined by assessing user requirements in terms of relevance, feasibility, and resource implications. The resulting update plan is reviewed and validated through project governance.
  3. Agreed priorities are implemented during the development phase, resulting in upgraded tool versions.
  4. Updated tools are demonstrated and deployed through targeted user training, enabling feedback to feed directly into the next cycle.

After the final cycle, targeted training will be provided to interested users outside the consortium, with a focus on practical deployment and effective use of the CCAT tools.

Who We Train

  • Regulation authorities & policy makers
  • Certification bodies
  • Evaluation laboratories
  • Companies delivering cybersecurity solutions
  • ICT producers, vendors or companies developing any products with networked digital elements
  • Providers of academic and public ICT(-related) services
  • Institutional (incl. governmental) users of cybersecurity solutions
  • Academia and non-government institutions

Applicable Industries

  • Financial Services
  • Telecommunications
  • Healthcare
  • Government & Public Services
  • Energy & Utilities
  • Transportation

Interested in training on TLS-Scanner, SCRUTINY, ALVIE, or sec-certs? Contact us!
