Setting the standard for recovery.

The Cyber Recovery Authority (CRA) defines how institutions rebuild trust after a systemic cyber compromise, when traditional disaster recovery is no longer enough.

What is CRA?

CRA is an independent standards body for cyber recovery – architecture, practice, and professional certification focused on restoring trust, not just uptime.

Why the Cyber Recovery Authority exists

Modern attacks don’t just cause outages; they corrupt identity, poison infrastructure, and invalidate backups. When prevention fails, most organisations have no standard to follow.

Beyond traditional DR

Disaster recovery assumes systems and data can be trusted. Cyber recovery assumes the opposite: that nothing in production or DR can be taken at face value.

Bridging a standards gap

There is no global authority for post-compromise reconstruction. CRA defines the principles, reference architectures, and qualifications for this discipline.

Aligned with regulators

CRA provides the structure and vocabulary needed to satisfy and interpret emerging regulatory expectations on tertiary backup, air-gapped recovery, and integrity verification.

What CRA provides

A coherent ecosystem for cyber recovery design, practice, and assurance.

CRA Architecture

A sterile-first reference model for post-compromise rebuilds: three-plane separation, clean data ingestion, non-persistent compute, and deterministic workflow.

CRABoK

The Cyber Recovery Authority Body of Knowledge, the canonical source for theory, practice, and governance across the discipline.

CRA Certification

Professional credentials at Foundations, Practitioner, and Architect levels for those designing, operating, or assuring cyber recovery capability.

CRA Architecture

A modern, sterile-by-default approach to rebuilding trust after compromise.

Core principles

  • Sterile by default & non-persistent compute
  • Three planes of separation: control, data, and network
  • Pull-based, validated data ingestion with a forensic airlock
  • Rebuild over restore for operating systems and identity
  • One-way egress to prevent reinfection during recovery
  • Deterministic, testable recovery workflow

Reference standard

CRA Architecture v1.0 defines a clear target state for cyber-recovery-ready environments. It is designed to be technology-agnostic and regulator-friendly, providing a common language for practitioners, vendors, and supervisors.


Certification pathways

CRA certification recognises individuals who can design, execute, or assure post-compromise recovery.

CRA-F: Foundations

For operations, infrastructure, and security teams who need a grounded understanding of cyber recovery concepts, terminology, and the CRA model.

CRA-P: Practitioner

For those responsible for implementing CRA-aligned architectures, recovery workflows, and clean data ingestion in live environments.

CRA-A: Architect

For senior practitioners, regulators, and assurance leads who set recovery strategy, sign off designs, and govern institutional capability.

CRA Maturity Model

A structured way to understand where your organisation stands, and what it will take to become recovery-ready.

Five levels of capability

From ad-hoc backup reliance to exemplar, fully orchestrated cyber recovery capability aligned with CRA Architecture and regulatory expectations.

  • Level 1: Initial
  • Level 2: Developing
  • Level 3: Compliant
  • Level 4: Advanced
  • Level 5: Exemplar

Assessment and improvement

The CRA Maturity Model provides criteria and guidance for assessing current posture, identifying gaps, and planning improvements across architecture, process, and governance.


CRA Institute

The CRA Institute delivers training, masterclasses, and practitioner development programmes grounded in CRABoK and CRA Architecture.

Courses range from foundational awareness to deep technical and governance-focused tracks for senior leaders and regulators.


CRA Registry

The CRA Registry provides a transparent record of certified professionals, accredited organisations, and recognised platforms that meet CRA standards.

It is designed to support due diligence, regulatory dialogue, and vendor selection.


News & updates

Early-stage announcements, drafts, and calls for participation from across the CRA ecosystem.

CRA Architecture v1.0 released (draft)

The initial reference standard for cyber recovery architecture is now available in draft form for review and feedback from practitioners and regulators.

CRA certification pathways announced

CRA-F, CRA-P, and CRA-A define a clear progression for individuals specialising in post-compromise recovery.

Call for contributors

CRA publishes a reference architecture, a practical Body of Knowledge (CRABoK), a maturity model, and a certification framework.