ST: Do you perform automated and manual security testing?
  • Automated security testing appropriate to the product’s architecture and technology stack is integrated into the development process
  • Penetration testing is performed when appropriate to the product’s risk profile and following significant product changes, using product-specific test scenarios and qualified personnel
  • All findings are risk-assessed, centrally tracked as security defects, and resolved in accordance with defined remediation timelines
Description

The Cyber Resilience Act (Article 13(6)) requires manufacturers to ensure effective and regular testing and review of the security of the product with digital elements. While requirements testing (RT) verifies that specified security controls work as designed, security testing goes further by actively searching for vulnerabilities and weaknesses that were not anticipated during design, including those introduced through implementation errors, configuration drift, or evolving attack techniques. Without both automated and human-led security testing, an organization's view of the product's security posture remains incomplete.

Integrate automated security testing appropriate to the product's architecture and technology stack into the development process. This can include traditional tooling such as static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA), as well as emerging AI-driven approaches that can autonomously discover vulnerabilities across code and running applications. Complement automation with penetration testing performed by qualified testers using product-specific test scenarios, particularly when the product's risk profile warrants it and following significant product changes. The combination of automated breadth and human-led depth is essential; neither approach alone is sufficient to uncover the full range of potential vulnerabilities.

Triage and risk-assess findings from all security testing activities and feed them into the defect management process to ensure they are tracked, prioritized, and resolved. Review security testing coverage periodically and adapt it to reflect changes in the product, its dependencies, or its threat landscape. Retain testing evidence and results as part of the product's technical documentation (Annex VII), providing a demonstrable record that the organization is meeting its obligation to regularly test and review the product's security.
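As an added illustration (not part of SAMMY or the SAMM model), the script below shows what "risk-assessed, centrally tracked, resolved within defined timelines" looks like in practice: findings from SAST, SCA, DAST and a penetration test are normalized into one defect register, re-rated at triage, given a deadline, and checked for overdue items. The remediation timelines, triage rules and sample findings are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical remediation timelines in days per risk rating; an organization
# defines its own in its defect management policy.
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class SecurityDefect:
    """One centrally tracked security defect, whichever activity found it."""
    source: str      # "sast", "dast", "sca" or "pentest"
    title: str
    rating: str      # risk rating assigned at triage, not the tool's raw severity
    found_on: date
    due: date
    status: str = "open"

def triage(finding: dict, found_on: date) -> SecurityDefect:
    """Risk-assess one raw finding and turn it into a tracked defect.
    Exposure and exploitability adjust the tool's severity; the two rules
    below are illustrative assumptions, not a recommended scheme."""
    rating = finding["severity"]
    if finding.get("internet_exposed") and rating == "high":
        rating = "critical"          # reachable from the internet: escalate
    if finding.get("exploit_available") is False and rating == "medium":
        rating = "low"               # no known exploit path: lower priority
    due = found_on + timedelta(days=REMEDIATION_DAYS[rating])
    return SecurityDefect(finding["source"], finding["title"], rating, found_on, due)

# Constructed sample findings from several testing activities (not real tool output).
SAMPLE_FINDINGS = [
    {"source": "sast", "title": "SQL built from request parameter", "severity": "high", "internet_exposed": True},
    {"source": "sca", "title": "Outdated TLS library", "severity": "high", "internet_exposed": False},
    {"source": "dast", "title": "Missing security header", "severity": "medium", "exploit_available": False},
    {"source": "pentest", "title": "Weak session timeout", "severity": "medium"},
]

def build_register(found_on: date = date(2024, 1, 10)) -> list:
    """The central defect register built from all sample findings."""
    return [triage(f, found_on) for f in SAMPLE_FINDINGS]

def overdue_sources(today_iso: str) -> list:
    """Sources of open defects whose remediation deadline has passed."""
    today = date.fromisoformat(today_iso)
    return [d.source for d in build_register() if d.status == "open" and d.due < today]

if __name__ == "__main__":
    for d in build_register():
        print(f"{d.source:8} {d.rating:9} due {d.due}  {d.title}")
    print("overdue on 2024-02-01:", overdue_sources("2024-02-01"))
```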