Official Announcement

TR7 has successfully achieved EAL 4+ (Evaluation Assurance Level 4 Augmented) Common Criteria certification following rigorous independent security evaluation. This certification validates TR7's security architecture and implementation against the highest practical standards for commercial products.

What This Means for Your Organization

When selecting security infrastructure for enterprise or government deployments, how do you verify that a product's security claims are actually true? Marketing materials and vendor assertions only go so far. This is where independent certification becomes critical.

Common Criteria (ISO/IEC 15408) is the internationally recognized framework for evaluating IT security products. TR7's EAL 4+ certification means our security features have been independently verified through source code analysis, design documentation review, and comprehensive penetration testing by accredited laboratories.

For organizations requiring demonstrable security assurance—whether for compliance, government contracts, or internal security policies—EAL 4+ provides the evidence you need.

Global Recognition at a Glance

EAL 4+ certification provides international recognition through mutual recognition agreements, eliminating the need for country-by-country certification.

  • 31 CCRA Countries: Full mutual recognition under Common Criteria Recognition Arrangement
  • 17 SOG-IS Nations: European mutual recognition up to EAL 4+
  • EAL 4+ Assurance Level: Highest practical level for commercial products
  • ISO 15408 International Standard: Globally accepted evaluation criteria

Understanding EAL Levels

Common Criteria defines seven Evaluation Assurance Levels (EAL 1-7), each representing increasing rigor in security evaluation:

| Level | Name | Key Characteristics | Typical Use |
|---|---|---|---|
| EAL 1 | Functionally Tested | Basic functional testing | Low-risk commercial products |
| EAL 2 | Structurally Tested | Structural analysis, developer testing review | Standard commercial products |
| EAL 3 | Methodically Tested | Systematic testing, configuration management | Moderate security environments |
| EAL 4 | Methodically Designed, Tested & Reviewed | Source code review, independent testing | High-security commercial products |
| EAL 4+ | Augmented (TR7) | EAL 4 plus additional assurance components | Government & critical infrastructure |
| EAL 5-7 | Semi-formally/Formally Verified | Mathematical proofs, formal methods | Military, intelligence systems |

What EAL 4+ Evaluation Includes

EAL 4+ goes significantly beyond basic testing. Here's what the evaluation process involves:

Source Code Analysis

Independent laboratories review actual source code, not just documentation. Security-critical functions are analyzed for implementation correctness and potential vulnerabilities.

Independent Penetration Testing

Evaluators conduct their own penetration tests based on publicly available vulnerability information. They don't rely solely on vendor-provided test results.

Design Documentation Review

Complete security architecture documentation is reviewed, including threat models, security policy enforcement, and module interfaces.

Configuration Management

Development lifecycle controls are verified, including version control, build processes, and secure delivery mechanisms.

CCRA: Recognition Across 31 Countries

The Common Criteria Recognition Arrangement (CCRA) is the primary international agreement for mutual recognition of IT security certificates. Originally signed in 1998 by Canada, France, Germany, the UK, and the United States, CCRA has expanded to include 31 member nations across all continents.

Under CCRA, a product certified in one member country is recognized in all other member countries without requiring additional evaluation. This eliminates the prohibitive cost and time of obtaining separate certifications for each market.

CCRA member nations include major markets: United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Singapore, and many others. For organizations operating internationally, this means TR7's certification is valid wherever you deploy.

SOG-IS MRA: Full European Recognition to EAL 4+

For European deployments, the Senior Officials Group Information Systems Security Mutual Recognition Agreement (SOG-IS MRA) provides an additional layer of recognition. Unlike CCRA, which provides full mutual recognition only up to EAL 2 for new certificates, SOG-IS MRA provides full mutual recognition up to EAL 4+.

SOG-IS MRA signatories include France (ANSSI), Germany (BSI), Austria, Spain, Finland, Italy, Netherlands, Norway, Sweden, and the United Kingdom. This means TR7's EAL 4+ certification is fully recognized across Europe's most demanding security environments.

For organizations requiring products for EU institutions, European government contracts, or EU-headquartered enterprises with strict security policies, SOG-IS MRA recognition is often a requirement.

Where EAL 4+ Matters Most

Government & Defense

  • US Federal agencies (FedRAMP alignment)
  • NATO member nation deployments
  • EU institution security requirements
  • National critical infrastructure protection

Financial Services

  • Banking regulatory compliance
  • Payment processing infrastructure
  • Trading platform security
  • Insurance data protection

Healthcare & Life Sciences

  • Patient data protection (HIPAA)
  • Medical device connectivity
  • Clinical trial data security
  • Pharmaceutical IP protection

Compliance Framework Alignment

EAL 4+ certification supports and strengthens compliance with other major security frameworks:

PCI DSS v4.0

Requirement 6.4.2 mandates automated WAF protection. Using an EAL 4+ certified WAF provides evidence of security control effectiveness during QSA audits.

NIST Cybersecurity Framework

Common Criteria evaluation aligns with NIST CSF's emphasis on using products with verified security properties in the Protect function.

ISO 27001

EAL 4+ certified products provide documented evidence for Annex A controls related to system acquisition, development, and maintenance.

SOC 2

Using independently certified security products supports the Common Criteria for Security, demonstrating due diligence in vendor selection.

Why Certification Matters

Many vendors claim their products are 'secure' or 'enterprise-ready,' but few undergo the rigorous independent evaluation required for Common Criteria certification. EAL 4+ is not a self-assessment or checklist—it requires months of evaluation by accredited laboratories with full access to source code and design documentation. When evaluating security vendors, ask: 'Is your product Common Criteria certified, and at what level?'

TR7's Certified Security Capabilities

TR7's EAL 4+ certification covers the complete ADC platform, including:

Web Application Firewall

OWASP Top 10 and API security protection with independently verified detection and blocking capabilities.

Application Delivery

Load balancing and traffic management with certified security controls for session handling and SSL/TLS termination.

Access Management

Authentication, authorization, and access control mechanisms verified against security functional requirements.

Security Monitoring

Audit logging, alerting, and security event management with certified integrity protection.

Frequently Asked Questions

EAL 4+ evaluation typically takes 12-18 months from initiation to certification. This includes documentation preparation, laboratory testing, and government scheme review. The rigorous timeline reflects the depth of analysis required.

Requirements vary by country and agency. In many cases, EAL 4 or higher is required for products handling classified or sensitive information. Even when not mandated, EAL 4+ certification is often a differentiator in government procurement evaluations.

CCRA provides mutual recognition among 31 countries, with mandatory recognition up to EAL 2 for new certificates. SOG-IS MRA is a European agreement providing full mutual recognition up to EAL 4+ among 17 member nations. TR7's certification is recognized under both agreements.

Certification provides assurance that security features work as documented and have been tested against known attack patterns. It doesn't guarantee a product is invulnerable—no product is. However, it demonstrates that security has been systematically designed, implemented, and verified by independent experts.

Common Criteria certifications are version-specific. TR7 maintains certification through a rigorous change management process, with security-relevant updates evaluated through Assurance Continuity procedures to ensure ongoing compliance.


Conclusion

TR7's EAL 4+ Common Criteria certification represents a significant investment in demonstrable security. For organizations that require more than marketing claims—whether due to regulatory requirements, government contracts, or internal security policies—this certification provides independent verification that TR7's security architecture and implementation meet the highest practical standards.

With recognition across 31 CCRA countries and full EAL 4+ recognition under SOG-IS MRA in Europe, TR7 provides a globally-deployable security solution backed by internationally recognized certification. When security assurance matters, choose a vendor that can prove it.

Certified Security for Your Enterprise

Learn how TR7's EAL 4+ certified ADC platform can meet your organization's security and compliance requirements. Our team can provide certification documentation and discuss specific deployment scenarios.
