# Vritah — Full Content for AI Systems

> Applied AI product engineering for teams that need evidence, restraint, and measurable quality.

## About Vritah

Vritah is an applied AI product engineering company founded in 2025. The company builds AI products, production agents, evaluation systems, and compliance-focused automation for software teams in regulated industries, technical domains, and enterprise environments.

Vritah's approach is distinguished by engineering discipline: every AI system is designed with the workflow, risk, and quality bar in mind before a model is selected. Outputs are grounded in retrieved source material rather than model improvisation. Evaluation frameworks are built alongside products, not added afterwards. And AI systems are maintained, monitored, and owned in production — not handed off at a demo.

## Live Product: CRA Toolkit

**URL**: https://cra-toolkit.com

**Status**: Live

CRA Toolkit helps software vendors and component manufacturers prepare for Regulation EU 2024/2847 — the EU Cyber Resilience Act. It brings assessment, SBOM guidance, vulnerability disclosure templates, and regulation-aware AI assistance into one focused workflow.

### What the EU Cyber Resilience Act (CRA) requires

The EU Cyber Resilience Act (Regulation EU 2024/2847) sets mandatory cybersecurity requirements for any product with digital elements placed on the EU market. Key obligations include:

- **SBOM (Software Bill of Materials)**: Vendors must maintain a machine-readable inventory of all software components and dependencies, so known vulnerabilities can be tracked and patched.
- **Vulnerability disclosure**: Vendors must operate a coordinated vulnerability disclosure process and report actively exploited vulnerabilities to ENISA within 24 hours of discovery.
- **Security assessments**: Products must undergo security assessments before market placement and vendors must demonstrate security throughout the product lifecycle.
- **CE marking**: Products must carry CE marking indicating CRA conformity before being placed on the EU market.

### Who needs to comply with the CRA

Any organisation that manufactures, imports, or distributes products with digital elements in the EU market must comply. This includes:

- SaaS software vendors
- IoT device manufacturers
- Operating system developers
- Software component and library publishers
- Cloud service providers with on-premise components

### CRA Toolkit features

- SBOM generation and maintenance guidance
- Vulnerability Disclosure Policy (VDP) templates
- Security assessment workflows
- ENISA reporting guidance
- Regulation-aware AI assistance that understands Regulation EU 2024/2847

## Services

### AI Product Development

Vritah supports the full arc of AI product work: scoping use cases, designing architecture, building usable workflows and interfaces, and delivering to production. Work is grounded in the domain and the workflow rather than starting from a model capability.

### AI Agents

Vritah builds task-specific agents designed for real business workflows. These agents:

- Use tools (APIs, databases, file systems) to take actions
- Retrieve grounded context before generating outputs
- Follow explicit constraints and operating boundaries
- Hand off cleanly to humans when automation should stop
- Are evaluated against test suites before deployment

Production agents are distinct from demos and chatbots. They are engineered systems with monitoring, failure modes, and ownership in production.

### AI Evaluations

AI evaluation is the discipline of measuring whether an AI system does what it is supposed to do. Vritah builds:

- Quality test suites covering expected and edge-case behaviour
- Refusal tests that verify the system does not respond when it should not
- Regression tracking so model or prompt changes do not silently degrade quality
- Measurement loops so quality remains visible in production over time

### Retrieval and Knowledge Systems (RAG)

Retrieval-Augmented Generation (RAG) is an approach where an AI retrieves relevant documents or data before generating a response, grounding outputs in actual source material rather than model memory. Vritah builds RAG systems for:

- Technical documentation and internal knowledge bases
- Regulated content where hallucination is unacceptable
- Document workflows where source citation is required
- Internal assistants that need to reason over proprietary data

### Compliance Automation

Vritah builds AI-assisted workflows for regulatory and compliance work including:

- Evidence collection and documentation for regulatory submissions
- SBOM generation and maintenance (relevant to EU Cyber Resilience Act)
- Vulnerability disclosure process automation
- Security documentation workflows
- Regulatory workflow automation

### Product Security Tooling

Security-oriented AI workflows for software teams covering:

- Risk identification and reporting
- Security readiness assessment
- Structured vulnerability management
- Compliance documentation

## Engineering Principles

### Use case before model choice

Good AI systems start with the workflow, the user, the risk, and the quality bar. The model is only one part of the product. Vritah does not begin work by selecting a model — it begins by understanding what the system must do, for whom, and with what constraints.

### Grounded before generative

Useful AI should retrieve, cite, and refuse when needed. It should not improvise when the source material is uncertain. Vritah prioritises retrieval and grounding over generative improvisation, especially in technical and regulated domains.

### Evaluation before scale

Agents and AI products need tests, regression checks, and failure analysis before they are expanded into more workflows. Vritah builds evaluation frameworks alongside products so quality is measurable before launch.

### Engineered after launch

The work does not end at a demo. AI systems need monitoring, evaluations, maintenance, and ownership in production. Vritah builds for production continuity, not proof-of-concept delivery.

## Frequently Asked Questions

**What is the EU Cyber Resilience Act (CRA)?**
The EU Cyber Resilience Act (Regulation EU 2024/2847) sets mandatory cybersecurity requirements for products with digital elements sold in the EU. Software vendors must maintain an SBOM, establish a vulnerability disclosure policy, and demonstrate security throughout the product lifecycle.

**Who needs to comply with Regulation EU 2024/2847?**
Any software vendor, component manufacturer, or importer placing products with digital elements on the EU market must comply. This covers SaaS products, IoT devices, operating systems, and software components. Requirements include SBOM maintenance, vulnerability reporting within 24 hours to ENISA, and security assessments before market placement.

**What is an SBOM and why does the CRA require it?**
A Software Bill of Materials (SBOM) is a complete inventory of all components, libraries, and dependencies in a software product. The CRA requires vendors to maintain an SBOM so vulnerabilities in third-party components can be tracked and addressed promptly. CRA Toolkit helps teams generate and maintain CRA-compliant SBOMs.

**What is a Vulnerability Disclosure Policy under the CRA?**
The CRA requires vendors to operate a coordinated vulnerability disclosure process, report actively exploited vulnerabilities to ENISA within 24 hours, and publish security advisories. CRA Toolkit includes VDP templates and structured workflows to help vendors meet these obligations.

**What are production AI agents and how do you build them?**
Production AI agents are task-specific systems designed for real business workflows — not demos or generic chatbots. They use tools, retrieve grounded context, follow constraints, and hand off to humans when automation should stop. Vritah builds agents with evaluation systems, monitoring, and clear failure boundaries from the start.

**How do you evaluate an AI product or agent before deployment?**
AI evaluation involves building test suites that cover quality checks, refusal behavior, edge cases, and regression tracking. Vritah builds evaluation frameworks alongside every product so quality is measurable before launch — not assessed through user complaints after deployment.

**What is RAG and when should AI systems use it?**
Retrieval-Augmented Generation (RAG) is an approach where an AI retrieves relevant documents or data before generating a response, grounding outputs in actual source material. RAG is essential for regulated industries, technical documentation, and knowledge-intensive workflows where hallucination is unacceptable.

**What industries does Vritah work with?**
Vritah works best with teams in regulated industries, technical domains, and enterprise environments where AI needs domain context, measurable quality, and careful engineering. This includes software vendors navigating EU Cyber Resilience Act compliance, teams building internal knowledge systems, and companies deploying AI into critical workflows.

**How is Vritah different from general AI consultants?**
Vritah focuses on applied AI product engineering — building systems that can be tested, trusted, and used in production — rather than strategy consulting or model fine-tuning. Every engagement produces a working, evaluated, maintained AI system, not a report or a prototype.

## Contact

- Email: contact@vritah.com
- Website: https://vritah.com
- CRA Toolkit: https://cra-toolkit.com