SAN JOSE, Calif. – August 27, 2025 – Cycuity, Inc., a leader in advanced hardware security solutions, introduces Radix-ST, a new product in its Radix portfolio of security solutions designed to leverage static analysis techniques to identify potential weaknesses early in the design cycle without requiring simulation or emulation.
As hardware designs become increasingly complex and security threats grow, semiconductor design teams require effective tools capable of proactively identifying issues during the development process. Analogous to functional verification, security assurance can greatly benefit from a spectrum of complementary technologies. While dynamic methods such as Radix-S and Radix-M are most powerful by leveraging simulation and emulation, Radix-ST’s static analysis only requires RTL (Register Transfer Level) source code and can be applied as early as first design components are being developed. Although static methods can only find specific types of security issues they are considerably more efficient and can detect problems that are challenging to identify using dynamic techniques.
Radix-ST processes the design RTL and produces a detailed report that highlights detected weaknesses, pinpoints their locations in the source code, and automatically maps them to the relevant hardware CWE (Common Weakness Enumeration) from the MITRE-maintained public database of root cause weaknesses. Radix-ST goes beyond basic source code linting by focusing on deep security issues and integrating its application into the overall Radix security assurance workflow and user interface.
“Radix-ST offers an effective static security analysis solution that complements our Radix-S (simulation) and Radix-M (emulation) products”, stated Mitch Mlinar, Vice President of Engineering at Cycuity. “By providing a powerful and user-friendly source code analysis capability, we can further assist our customers in efficiently addressing security as early as possible in the design cycle, thereby minimizing cost and increasing productivity.”
“Using Radix-ST, we have been able to start our security analysis very early in our verification cycles,” said Mark Labbato, Senior Lead Engineer at Booz Allen Hamilton, Inc. “We can bring up the design even before we have a full simulation environment online, proactively helping us identify areas in the design where we might need to focus more or make targeted improvements.”
Radix-ST is now available as part of Cycuity’s portfolio of hardware security products. Please contact info@cycuity.com for more information.
Cycuity, Inc. is a pioneer in hardware security delivering security assurance for semiconductor devices, a rapidly increasing target for remote cyberattacks. Cycuity’s innovative Radix software products and services specify, integrate and verify security across the hardware development lifecycle to ensure robust protection for the chips powering today’s sophisticated electronic systems. Radix uncovers security weaknesses across all levels, from block and subsystem to full system-on-chip (SoC) and firmware, enabling our customers to identify and resolve risks prior to manufacturing. Serving both commercial and defense industries, Cycuity provides the broadest security assurance across the design supply chain.
The MITRE Corporation recently announced the availability of the 2025 Most Important Hardware Weakness (MIHW) list. This is the first data-driven list of root-cause hardware security weaknesses ever created, and I am really excited to see it finally released. This list was developed through a cross industry collaboration of security experts, and I was grateful to be a part of the effort.
The Common Weakness Enumeration (CWE) is a MITRE-maintained but industry developed public database of root cause weaknesses. Its history stems from about 2006 in the software domain, and it is widely used across the software security ecosystem for enabling security development lifecycles (SDLs) and better categorization of the root causes of publicly disclosed Common Vulnerabilities and Exposures (CVEs).
In 2020, hardware weaknesses were introduced to the CWE ecosystem, filling an extremely important, missing gap in the way organizations classify hardware vulnerabilities and providing needed infrastructure for the hardware security development lifecycle (HSDL).
A year after hardware weaknesses were introduced, the industry immediately started looking for guidance on how to prioritize these weaknesses. To address this need, I participated in the creation of the first ever “Most Important Hardware Weaknesses” list in 2021. This data was a huge first step to help with prioritizing weaknesses. However, as time went on, many within the hardware security community quickly noticed that most of the data for the 2021 weakness list was from surveys only. With the increasing number of public disclosures of vulnerabilities and security advisories, we unanimously agreed that a refresh to this list based on real vulnerability data was needed.
The 2025 MIWH list categorizes weaknesses that should be treated with the highest priority by the industry. The list is a refresh of the original list created in 2021, specifically by using industry-available security advisories and vulnerabilities to support each weakness’s importance with real data.
The 2025 list was created by a working group of 15-20 individuals across the hardware security industry, including myself. The working group dug through hundreds of security advisories and publicly disclosed vulnerabilities (CVEs) and performed root-cause weakness mapping for each (when needed). Some CVEs and advisories already had CWE entries added, which was great! However, many did not and the working group was tasked with assigning the most suitable one.
We also surveyed industry experts to ensure nothing was missing. For example, a new weakness may have been created based on very recent security disclosures. We wanted to make sure we did not miss this type of information in our final results.
MITRE did a great job of documenting the complete methodology on this page, for those that are interested in the details: https://cwe.mitre.org/topHW/archive/2025/2025_MIHW_methodology.html.
To me, the #1 benefit of the 2025 MIHW list is to provide industry stakeholders with better prioritization of root-cause weaknesses. With 110 hardware weaknesses available in hardware CWE as of writing this blog, it’s challenging for many new to security to sift through and identify where to start. The MIHW really provides much clearer guidance on exactly how to go about this prioritization because it is based on real vulnerabilities and security advisories.
Cycuity’s Radix software has broad hardware CWE coverage, covering about 80% of all hardware CWEs. In addition, Radix covers 9 out of the 11 MIHW in the 2025 list – making it a great solution for providing a systematic approach to hardware security assurance. More details on Radix can be found here: https://cycuity.com/solutions/#how-radix-is-different.
