Engicam  ·  Production Ready

The ultimate secure Yocto layer for industrial IoT

Designed for EU Cyber Resilience Act  ·  IEC 62443  ·  Production Grade

From prototype to secure, field-deployed product. Atenys delivers a hardened Embedded Linux foundation with the traceability toolchain you need to become EU CRA ready — without starting from scratch.

🔒 Secure Boot
♻️ A/B Updates
🛡️ CVE Inspection
🔐 Storage Encryption
🏭 Yocto-Based
⚖️ CRA Ready
$ bitbake-layers add-layer meta-atenys
NOTE: Adding Atenys security layer...
NOTE: Secure Boot enabled ✓
NOTE: RAUC A/B configured ✓
NOTE: CVE check pipeline ready ✓
# Hardened RootFS build complete
$
4 Core Security Pillars
A/B Atomic Fail-Safe Updates
0 Downtime on Update
CVE Monitoring 24/7

Everything you need to ship secure embedded Linux

A complete security stack built directly into your Yocto workflow.

🔒 Secure Boot
Protect your IP and ensure firmware integrity. Atenys verifies every stage of the boot process — from hardware root of trust to signed FIT image — ensuring only trusted code runs on your hardware.
♻️ A/B System Updates
Downtime is not an option. Atenys implements a robust A/B switching mechanism with RAUC, allowing fail-safe atomic updates that roll back automatically if an error occurs.
🛡️ CVE Inspection
Security isn't a guessing game. With integrated cve-check tools, developers can audit images for known vulnerabilities directly during the build phase, not after deployment.
🔐 Storage Encryption
Atenys integrates full storage encryption into the Yocto build pipeline, ensuring that confidential assets and credentials remain inaccessible even if the physical device is compromised.

The security architecture

Each subsystem is designed to work independently or as part of a unified hardened pipeline.

01 Secure Boot Chain (diagram)
02 A/B System Updates (diagram)
03 CVE Inspection Pipeline (diagram)

Beyond the layer

Atenys provides the baseline; Engicam experts handle the complexity of your specific hardware.

Integration journey

01 Product Requirements Analysis
Security and compliance needs mapped to your product constraints
02 Atenys Porting
Layer integration and board-level customization
03 Active CVE Audit
Identification and resolution of active vulnerabilities
04 Continuous CVE Monitoring
Ongoing surveillance and automated alerts
05 CVE Fixing
Patch development, backporting and validated OTA delivery
06 OTA Management
End-to-end management of over-the-air update infrastructure and rollout

01 Product Requirements Analysis

Before any code is written, we map your product's security and compliance requirements — regulatory targets, threat model, hardware constraints and supply-chain risks.

Regulatory Mapping
Identify applicable standards: EU CRA, IEC 62443, ISO/SAE 21434, FDA cybersecurity guidance.
Threat Modelling
Define the attack surface for your hardware, connectivity and deployment environment.
Scope Definition
Agree on the security baseline and deliverables before porting begins.

02 Atenys Porting

We integrate meta-atenys onto your custom board, enabling Secure Boot, A/B OTA and storage encryption from day one — without disrupting your application layer.

Hardware Bring-up
Kernel tuning and bootloader configuration tailored to your SoC and peripherals.
Security Feature Activation
Secure Boot chain, dm-crypt/LUKS encryption and RAUC A/B update slots configured for your partition layout.
QA Validation
Full regression testing of I2C, SPI, Wi-Fi/BT and network stack within the hardened Yocto environment.

03 Active CVE Audit

A point-in-time deep-dive into the vulnerabilities present in your software stack at release — separating real threats from scanner noise.

False Positive Filtering
We identify backported patches and configuration mitigations that generic scanners miss.
Attack Surface Reduction
Assess reachability given your hardware isolation and network topology.
Prioritised Patching
Ranked remediation plan focusing your team's effort on real-world threats.

04 Continuous CVE Monitoring

Security is a process, not a milestone. Once deployed, your product is watched around the clock and your team is alerted the moment a new risk emerges.

NVD & Feed Tracking
Constant surveillance of the National Vulnerability Database and vendor advisories for your exact SBOM.
Expert Contextualisation
Every new CVE is evaluated against your specific board configuration before an alert is raised.
Automated Reporting
Structured reports with severity, impact and recommended action delivered to your team.

05 CVE Fixing

When a vulnerability is confirmed as a real threat, our engineers take ownership of the fix — from patch development to validated, signed OTA delivery on your deployed fleet.

Patch Development
Writing and testing upstream patches adapted to your specific kernel version and build configuration.
Backporting
Porting security fixes to older library or kernel versions already deployed in the field.
OTA Delivery
Signed, validated update bundles delivered via RAUC A/B — atomic and fully rollback-safe.

06 OTA Management

A managed service to design, operate and evolve your over-the-air update infrastructure — from server setup to rollout strategy and fleet monitoring, fully integrated with your CI/CD pipeline.

Update Server Setup
Deployment and configuration of a custom update server, self-hosted or cloud-based, integrated with your release pipeline.
Rollout Strategy
Staged rollouts, canary deployments and fleet segmentation to minimise risk when pushing updates to production devices.
Fleet Monitoring
Real-time visibility into update status, success/failure rates and device firmware versions across your entire deployed base.

Available packages

Package 1
Customer Product Cybersecurity Requirements Analysis
A dedicated consulting engagement to map your product's security obligations before any development starts. We identify the applicable standards, define the threat model and agree on the security scope.
Step 01 — Requirements
Package 2
Customer Board Porting. Project Onboarding & Security Hardening
A complete one-time engagement to bring your product to a production-ready security baseline — from Atenys porting on your custom board to a fully hardened, CVE-audited Yocto image.
Step 02 — Porting Step 03 — CVE Audit
Package 3
Customer CVE Monitoring, Maintenance & Remediation
A continuous managed service that keeps your deployed product secure over its entire lifecycle. New vulnerabilities are tracked, assessed and reported — then our team handles patch development, backporting and validated fixes for your specific stack.
Step 04 — Continuous monitoring Step 05 — CVE Fixing
Package 4
Extra Software Customer Maintenance
Security patches and package updates applied to the underlying OS or middleware layers can occasionally introduce behavioral changes that impact the customer's own software application — including API changes, library incompatibilities, or regressions in validated workflows. This package covers all the engineering activities required to analyse such conflicts, adapt the application code accordingly, and re-validate the impacted software components, ensuring that the customer product continues to meet its functional and safety requirements after each update cycle.
Package 5
OTA Management
End-to-end management of your over-the-air update infrastructure — from server setup and rollout strategy to fleet monitoring and automatic rollback.
Step 06 — OTA Management

Deploy with confidence where it matters most

Ready to harden your embedded project for critical infrastructure.

Medical Devices
Medical-grade embedded systems demand uncompromising software integrity. Atenys helps you work towards IEC 62304 and FDA cybersecurity compliance by providing a traceable, reproducible build chain with verified boot and encrypted patient data storage.
IEC 62304 · FDA Cyber
Industrial Automation
OT environments require long-lifecycle stability and resistance to targeted attacks. Atenys hardens the Linux runtime against lateral movement, enforces strict partition integrity, and supports zero-downtime field updates across large machine fleets.
IEC 62443 · OT Security
Smart City Infrastructure
Public infrastructure nodes are high-value targets exposed to untrusted networks. Atenys reduces the attack surface at the OS level, automates CVE remediation, and guarantees that only signed firmware runs on traffic, energy, and safety-critical nodes.
Public Safety · CVE Automation
IoT Edge Gateways
Edge devices are deployed at scale in remote or physically accessible locations. Atenys combines secure boot, encrypted storage, and A/B OTA updates to keep every node in the fleet current and tamper-resistant without requiring on-site intervention.
OTA · Tamper Resistance
Food & Beverage
Production lines and quality-control systems in food manufacturing must be resilient against tampering and unplanned downtime. Atenys helps you work towards IFS, BRC, and industry cybersecurity guidelines, protecting recipe data, process parameters, and traceability records stored on embedded controllers.
IFS · BRC · Traceability
Automotive
Modern vehicles integrate Linux-based systems for infotainment, ADAS, and telematics. Atenys supports the security baseline required to work towards ISO/SAE 21434 and UN R155 compliance, providing a hardened, updatable software platform for in-vehicle and roadside embedded units.
ISO/SAE 21434 · UN R155
Remote Sensing
Satellites, drones, and ground-based sensor networks operate in isolated or physically unattended environments where over-the-air integrity is critical. Atenys provides cryptographically signed firmware updates and encrypted telemetry storage, ensuring that data collected in the field cannot be altered or intercepted.
OTA · Encrypted Telemetry
AI Applications
Edge AI inference runs on Linux-based accelerator boards that process sensitive inputs — video feeds, biometric data, industrial signals. Atenys secures the runtime environment hosting AI models, protects proprietary weights from extraction, and guarantees that only authenticated model updates are deployed to production devices.
Model Protection · Secure Inference
Digital Signage & Kiosks
Unattended public terminals are exposed to physical tampering, rogue USB devices, and browser exploits. Atenys locks down the OS to a minimal, read-only runtime, blocks unauthorized boot media via secure boot, and encrypts local content and transaction logs — ensuring only verified software runs on every screen, regardless of who has physical access to the cabinet.
Kiosk Lockdown · Physical Security
And Many More…
Any product running embedded Linux on custom hardware can benefit from Atenys. If your industry isn't listed, the same principles apply: verified boot, encrypted storage, and safe OTA updates are universal requirements for any connected device that handles sensitive data or operates in a regulated environment.
Any Linux · Any Hardware
  • Energy & Smart Grid metering
  • Railway & rolling stock
  • Building automation & HVAC
  • Defense & aerospace
  • Agricultural machinery
  • Retail POS terminals
  • Telecoms infrastructure
  • Wearables & portable devices
Ready to harden your project?

Secure your embedded Linux. Ship with confidence.

Contact the Engicam team to integrate Atenys into your Yocto workflow or explore our services for custom board support.