Guides, 18 May 2026

Automotive Penetration Testing 2026: Services and Providers

Automotive cybersecurity moved from optional to enforced in the last 18 months. Since July 2024, every new passenger vehicle type approved in the EU, UK, Japan, and South Korea must demonstrate compliance with UNECE WP.29 Regulation No. 155, which mandates a Cybersecurity Management System covering the full vehicle lifecycle. The companion regulation R156 governs software updates. For manufacturers, type approval is no longer a paperwork exercise. Type approval authorities are auditing CSMS evidence, demanding penetration test reports, and rejecting submissions that lack credible offensive testing.

The 2026 picture is sharper still. UN R155 covers every new vehicle from 1 July 2024, the EU Cyber Resilience Act adds product-side obligations from September 2026 for reporting actively exploited vulnerabilities, and the ISO/SAE 21434 standard for road vehicle cybersecurity engineering is now the de facto reference for OEM and Tier 1 supplier security programmes. The result is a fast-growing market for automotive penetration testing services with a still-small pool of credible providers. This guide walks through what gets tested, what services are commercially available, what to budget, and which providers in our directory have demonstrated automotive expertise.

Regulatory Drivers in Force Today

UN R155 is the single most consequential automotive cybersecurity regulation in force. It requires manufacturers to implement a Cybersecurity Management System covering the development, production, and post-production phases of a vehicle. Crucially, R155 demands that the manufacturer demonstrates the system through evidence including risk assessment outputs (typically a TARA, Threat Analysis and Risk Assessment) and penetration testing results. National type approval authorities now expect to see pen test reports that map findings against the threat model and remediate before approval is granted.

UN R156 covers software update management for vehicles. It applies in parallel with R155 and addresses how updates are securely developed, distributed, and installed across in-vehicle systems. Practically, this means OTA update infrastructure must be in scope of penetration testing alongside the vehicle itself.

ISO/SAE 21434:2021 is the international standard for cybersecurity engineering in road vehicles. It is not a regulation in its own right, but it is the standard most OEMs and Tier 1 suppliers use to demonstrate R155 compliance. A 21434-aligned engagement covers concept, product development, post-development, production, operations and maintenance, and end-of-life phases. Penetration testing aligned to 21434 typically maps findings to the standard's clauses and feeds back into the TARA.

The EU Cyber Resilience Act applies to vehicles indirectly. The CRA targets products with digital elements placed on the EU market, with a carve-out where products are already covered by sector-specific regulation. Vehicles themselves are covered by R155, but aftermarket products, connected accessories, EV charging hardware, and OBD-II dongles likely fall under the CRA. Manufacturers of automotive-adjacent hardware should treat CRA Annex I requirements as binding alongside R155 obligations on the vehicle side.

TISAX (Trusted Information Security Assessment Exchange) governs information security across the European automotive supply chain. While not specifically about penetration testing, suppliers undergoing TISAX assessment frequently commission pen tests as evidence of technical security controls. German automotive testing in particular is shaped by TISAX expectations.

The Vehicle Attack Surface

A modern connected vehicle has 100 or more ECUs (Electronic Control Units) communicating over multiple in-vehicle networks. The attack surface for penetration testing typically covers several distinct layers.

In-vehicle networks include the long-standing CAN (Controller Area Network) bus, CAN-FD (flexible data rate) for higher-bandwidth applications, LIN (Local Interconnect Network) for low-cost sensors, FlexRay for safety-critical comms, and increasingly automotive Ethernet for high-bandwidth in-vehicle communication including camera and ADAS data. Each network has its own security characteristics. CAN has no native authentication and is the historic vector for many demonstrated vehicle takeovers.
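Because classic CAN carries no sender authentication, a node that has been compromised can transmit frames under any arbitration ID it likes, and the receiving ECUs cannot tell them from the legitimate sender's. The practical defensive consequence is that detection has to rely on behaviour rather than on the frame itself: most safety-relevant CAN traffic is strictly periodic, so a second sender shows up as a rate increase for a known ID, and diagnostic or never-seen IDs appearing while driving are suspicious in their own right. The following Go program is an added example written for this guide, not code from the page or from any provider named on it; it learns per-ID periods from a constructed clean trace and flags rate anomalies and unknown IDs in a second trace. The `Frame`, `Baseline`, `Detect` and `SyntheticTrace` names, the IDs 0x0C9 and 0x1A1, and all timings are constructed for illustration; 0x7DF is the standard functional diagnostic request ID, used here only as an ID absent from the baseline.

```go
package main

import (
	"fmt"
	"sort"
)

// Frame is one captured classic CAN frame: timestamp in seconds, 11-bit
// arbitration ID and up to 8 data bytes.
type Frame struct {
	TS   float64
	ID   uint32
	Data []byte
}

// Baseline is what a learning phase on a known-clean trace produces: the mean
// inter-arrival period of every periodic ID, plus the set of all IDs seen.
type Baseline struct {
	Period map[uint32]float64
	Seen   map[uint32]bool
}

// Alert is one detection result.
type Alert struct {
	ID     uint32
	Reason string
}

// LearnBaseline derives per-ID periods from a clean trace. IDs that appear
// only once get no period and are treated as event-driven.
func LearnBaseline(clean []Frame) Baseline {
	b := Baseline{Period: map[uint32]float64{}, Seen: map[uint32]bool{}}
	last := map[uint32]float64{}
	sum := map[uint32]float64{}
	n := map[uint32]int{}
	for _, f := range clean {
		b.Seen[f.ID] = true
		if t, ok := last[f.ID]; ok {
			sum[f.ID] += f.TS - t
			n[f.ID]++
		}
		last[f.ID] = f.TS
	}
	for id, c := range n {
		b.Period[id] = sum[id] / float64(c)
	}
	return b
}

// Detect compares a trace against the baseline. An ID never seen during
// learning is reported outright. A periodic ID whose frame count exceeds the
// count its learned period predicts by more than threshold is reported too:
// on a bus with no sender authentication, a second node transmitting a
// legitimate ID shows up as a rate increase rather than as a bad frame.
func Detect(b Baseline, trace []Frame, threshold float64) []Alert {
	if len(trace) == 0 {
		return nil
	}
	window := trace[len(trace)-1].TS - trace[0].TS
	count := map[uint32]int{}
	for _, f := range trace {
		count[f.ID]++
	}
	var alerts []Alert
	for id, c := range count {
		if !b.Seen[id] {
			alerts = append(alerts, Alert{id, "arbitration ID not in baseline"})
			continue
		}
		period, periodic := b.Period[id]
		if !periodic || period <= 0 {
			continue // event-driven ID: the rate check does not apply
		}
		expected := window/period + 1
		ratio := float64(c) / expected
		if ratio > threshold {
			alerts = append(alerts, Alert{id, fmt.Sprintf("rate %.1fx baseline", ratio)})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].ID < alerts[j].ID })
	return alerts
}

// SyntheticTrace builds a constructed one-second trace: ID 0x0C9 every 10 ms
// and ID 0x1A1 every 100 ms. With inject=true it adds a second sender of 0x0C9
// offset by 5 ms (doubling its rate) and a single 0x7DF frame, the functional
// diagnostic request ID, which the clean baseline never contained.
func SyntheticTrace(inject bool) []Frame {
	var tr []Frame
	for i := 0; i < 100; i++ {
		t := float64(i) * 0.01
		tr = append(tr, Frame{t, 0x0C9, []byte{0x00, 0x10}})
		if i%10 == 0 {
			tr = append(tr, Frame{t, 0x1A1, []byte{0x7F}})
		}
		if inject {
			tr = append(tr, Frame{t + 0.005, 0x0C9, []byte{0xFF, 0xFF}})
		}
	}
	if inject {
		tr = append(tr, Frame{0.5, 0x7DF, []byte{0x02, 0x01, 0x00}})
	}
	sort.Slice(tr, func(i, j int) bool { return tr[i].TS < tr[j].TS })
	return tr
}

func main() {
	base := LearnBaseline(SyntheticTrace(false))
	for _, a := range Detect(base, SyntheticTrace(true), 1.5) {
		fmt.Printf("ALERT 0x%03X: %s\n", a.ID, a.Reason)
	}
}
```

Run against the clean trace the detector stays silent; against the injected trace it reports 0x0C9 at roughly twice its baseline rate and 0x7DF as an ID not in the baseline. A production in-vehicle IDS would learn per-ID timing with tolerances from many drive cycles and would separate event-driven IDs explicitly, but the principle is the same one a tester exploits and an OEM must detect: without authentication, timing and provenance are the only signals left.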

ECUs of interest include the Body Control Module (BCM), Telematics Control Unit (TCU) often containing the cellular modem, In-Vehicle Infotainment (IVI), ADAS controllers, the Gateway ECU that routes between networks, and increasingly Domain Controllers and Zonal Controllers in newer E/E architectures. Each is a potential pivot point.

Wireless interfaces are the most exposed attack surface. They include Bluetooth and Bluetooth Low Energy for phone pairing, Wi-Fi hotspots, cellular (4G/5G) modems in the TCU, V2X radios (DSRC or C-V2X) for vehicle-to-everything communication, Remote Keyless Entry and Passive Entry Passive Start (PEPS) systems, tire pressure monitoring systems (TPMS), and increasingly UWB-based digital key implementations. Relay attacks on PEPS systems and replay attacks on RKE remain commercially relevant findings.

Physical interfaces still matter. The OBD-II diagnostic port gives anyone with physical access a route onto the in-vehicle network. Aftermarket dongles plugged into OBD-II are a recurring security incident source.

OTA update infrastructure is in scope when vehicles support over-the-air updates. The backend infrastructure that signs, distributes, and tracks update deployment is testable separately from the vehicle's update installation pipeline.
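The vehicle-side half of that pipeline is where R156 expectations become concrete code: the ECU must refuse any update whose manifest does not verify against a key pinned at manufacture, that targets a different ECU, that would roll the installed version back, or whose image bytes do not match the signed manifest. The following Go program is an added example written for this guide, not code from the page or from any provider named on it, showing both sides of that exchange with an Ed25519-signed manifest. The `Manifest` fields, the `SignManifest` and `VerifyUpdate` names and the "TCU" sample are assumptions for illustration and do not reflect any OEM's actual update format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one update for one ECU. The field names are an
// assumption for this example, not any OEM's or UN R156's actual schema.
type Manifest struct {
	ECU         string `json:"ecu"`
	Version     uint32 `json:"version"`
	ImageSHA256 string `json:"image_sha256"`
}

// SignedManifest is what the backend distributes: the exact serialised
// manifest bytes plus a detached Ed25519 signature over them.
type SignedManifest struct {
	Payload   []byte
	Signature []byte
}

// NewCampaignKey generates the backend signing key; the public half is what
// gets pinned into the vehicle at manufacture.
func NewCampaignKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Fingerprint returns the hex SHA-256 of a firmware image.
func Fingerprint(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the backend step: serialise once, sign those exact bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyUpdate is the vehicle-side gate. Checks run in this order: signature
// over the raw bytes before any parsing, target ECU, strictly increasing
// version (anti-rollback), and image hash. Any failure rejects the update.
func VerifyUpdate(pub ed25519.PublicKey, sm SignedManifest, ecu string, installed uint32, image []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, sm.Payload, sm.Signature) {
		return m, errors.New("manifest signature invalid")
	}
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return m, fmt.Errorf("manifest unparseable: %w", err)
	}
	if m.ECU != ecu {
		return m, fmt.Errorf("manifest targets %q, this ECU is %q", m.ECU, ecu)
	}
	if m.Version <= installed {
		return m, fmt.Errorf("rollback refused: manifest version %d, installed %d", m.Version, installed)
	}
	if Fingerprint(image) != m.ImageSHA256 {
		return m, errors.New("image hash does not match signed manifest")
	}
	return m, nil
}

func main() {
	pub, priv := NewCampaignKey()
	image := []byte("constructed TCU firmware image v7") // constructed sample, not real firmware
	sm, _ := SignManifest(priv, Manifest{ECU: "TCU", Version: 7, ImageSHA256: Fingerprint(image)})
	for _, installed := range []uint32{6, 7} {
		_, err := VerifyUpdate(pub, sm, "TCU", installed, image)
		fmt.Printf("installed v%d -> %v\n", installed, err)
	}
}
```

Two design points matter for a tester reading an OTA implementation. The signature is checked over the exact distributed bytes before the manifest is parsed, so a malformed manifest never reaches the JSON decoder unauthenticated. And the version comparison is strict, so re-sending a genuinely signed but older manifest is refused; an OTA pipeline that signs correctly but accepts equal or lower versions is a recurring finding because the downgrade target is itself a legitimately signed artefact.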

Mobile companion apps and cloud back-ends close the loop. Remote start, climate control, location, and increasingly vehicle command interfaces are exposed through manufacturer mobile apps and the cloud services behind them. The attack chain from a compromised mobile app to a vehicle command is a recurring testing scope.

EV-specific attack surfaces include the OCPP (Open Charge Point Protocol) interface on charging stations, the CCS (Combined Charging System) and CHAdeMO communication between vehicle and charger, and battery management systems. Charging infrastructure cybersecurity is its own substantial testing market in 2026 as EV adoption accelerates.

Common Attack Categories Found in Engagements

Keyless entry attacks remain the most consistently exploitable category. Relay attacks against PEPS systems extend the effective range of the key fob to the vehicle, allowing theft from outside the driver's home. Replay attacks against rolling-code RKE systems still surface occasionally on older platforms. Newer UWB-based digital keys have meaningfully raised the bar but are not perfect.

Infotainment-to-CAN escalation is the headline pen test finding: a compromise of the IVI system through Bluetooth, Wi-Fi, cellular, or USB media handling that then pivots onto the CAN bus to send commands to safety-critical ECUs. The 2015 Jeep Cherokee remote takeover demonstration set the template, and despite a decade of vendor hardening, comparable escalation paths continue to surface in engagements.

Backend compromise via mobile app is increasingly attractive to threat actors. Reverse-engineering the manufacturer's mobile app reveals API endpoints, authentication tokens, and command structures that, if abused, allow remote vehicle commands at scale. Several manufacturers have had backend access flaws reported by researchers in the last 24 months.

OBD-II port abuse is a persistent class of finding. Aftermarket telematics dongles, insurance trackers, and fleet management devices that plug into OBD-II frequently have weak authentication, hardcoded keys, or insecure cellular back-ends. The dongle becomes a remote attack surface onto the in-vehicle network.

Supply chain compromise targets Tier 1 and Tier 2 suppliers. Component-level firmware backdoors and bootloader vulnerabilities found in supplier ECUs propagate across multiple OEM customers. Testing component-level security as part of supplier qualification is increasingly common.

Services Typically Offered

Component-level penetration testing focuses on a single ECU or hardware module. Typical scope includes JTAG and UART discovery, secure boot and firmware extraction, firmware analysis and reverse engineering, secure storage examination, debug interface protection, and side-channel analysis where relevant. Engagements run 4 to 8 weeks per component and typically cost EUR 15,000 to EUR 40,000 depending on complexity.

Vehicle-level penetration testing covers a complete vehicle as a system, including its wireless interfaces, in-vehicle networks, ECUs, and physical interfaces. This is the headline R155 evidence engagement. Scope typically runs 12 to 24 weeks with multiple testers, hardware lab access, and ideally a dedicated test vehicle. Costs range from EUR 80,000 for a focused engagement to EUR 250,000 or more for a comprehensive multi-architecture test on a flagship vehicle.

Backend and cloud penetration testing covers the manufacturer's vehicle-facing infrastructure including the telematics back-end, OTA update infrastructure, mobile companion app APIs, fleet management systems, and dealer-facing systems. Scope and cost are comparable to standard web app and cloud pen tests scaled to the size of the deployment. Expect EUR 25,000 to EUR 80,000 for a typical engagement.

V2X infrastructure testing covers vehicle-to-everything communication including roadside units (RSUs), the PKI infrastructure for V2X message signing, and the vehicle-side V2X stack. This is a specialised market with few qualified providers and prices reflecting that scarcity: EUR 40,000 to EUR 150,000 depending on scope.

EV charging infrastructure pen testing covers charging stations (OCPP-conformant or proprietary), the charging station management system (also abbreviated CSMS, not to be confused with the R155 Cybersecurity Management System), and the EV-to-EVSE communication. This market is growing fast as utilities, retailers, and fleet operators deploy charging at scale. Prices range from EUR 25,000 for a single charger model to EUR 150,000 for a full network assessment.

TARA (Threat Analysis and Risk Assessment) workshops are not strictly penetration testing but are often delivered by the same providers. A TARA aligned to ISO/SAE 21434 produces the threat model that feeds the penetration testing scope. Workshops typically run 2 to 4 weeks and cost EUR 10,000 to EUR 30,000.

Code review of automotive software is increasingly requested as OEMs move toward software-defined vehicle architectures. Static analysis, manual review of safety-critical functions, and AUTOSAR conformance review fit here. Costs vary widely with codebase size.

How to Choose a Provider

Look for hardware lab capability. Real automotive testing requires lab tooling: CAN interfaces (Vector VN5640, PEAK PCAN, Kvaser), bench setup capability for ECU testing, JTAG and UART hardware (Bus Pirate, Saleae, hardware debug probes), software-defined radio gear for wireless analysis, and ideally a Hardware Security Module test capability. Providers without a lab will not be able to deliver credible component or vehicle testing.

Look for published research. Automotive cybersecurity is one of the few security domains where published research is a meaningful credential. Providers presenting at Escar, CodeBlue, Black Hat Cars, DEF CON Car Hacking Village, or competing in the Pwn2Own Automotive contest have demonstrated technical depth that is hard to fake. PCA Cybersecurity, for example, is a consistent Pwn2Own Automotive participant, and that participation alone separates them from broader-scope consultancies that claim automotive capability without comparable public results.

Look for ISO/SAE 21434 familiarity. Providers should be able to scope a test against the standard's clauses, map findings to TARA outputs, and feed reporting back into the OEM's overall 21434 evidence package. Ask for sample reports redacted to confirm the format.

Look for existing OEM or Tier 1 relationships. Cold-calling automotive expertise is hard. Providers with named OEM or supplier clients, even if those clients are anonymised in case studies, have done real automotive work. Ask for references in the relevant region or segment.

Geographic considerations matter. German and DACH-region automotive testing is shaped by TISAX, BSI guidance, and the supplier expectations of Volkswagen, BMW, Mercedes, Audi, and Porsche. French and Italian programmes follow similar national patterns. UK testing for connected vehicles often references CREST and the NCSC connected vehicle guidance. US programmes tend to follow ISA/IEC 62443 patterns for charging infrastructure.

Look for full-stack coverage. The strongest providers can test the vehicle, the backend, the mobile app, the charging infrastructure, and the supplier components as a single programme. Splintering across multiple providers fragments the threat model and increases programme overhead.

Notable Providers in Our Directory

The automotive penetration testing market separates into two groups: pure-play boutiques whose entire practice is built around vehicles, and full-service consultancies whose embedded and OT depth extends into automotive. Both have a place. Pure-play firms are usually the right call for R155 evidence and vehicle-level work where dedicated lab capability and published vehicle research carry the most weight. Broader consultancies tend to fit OEM programme-level engagements that bundle backend, mobile, and supply chain testing under one statement of work.

PCA Cybersecurity is the sharpest pure-play automotive specialist in our directory. Vilnius-based and founded in 2019, PCA does nothing but automotive. The firm participates consistently in the Pwn2Own Automotive contest, holds a public catalogue of vulnerabilities disclosed to OEMs and Tier 1 suppliers, and operates a dedicated vehicle and ECU test lab in Vilnius. Their service catalogue maps cleanly onto R155 evidence requirements: ECU and component testing, full vehicle assessments, OTA backend testing, OCPP and EV charging infrastructure testing, TARA workshops aligned to ISO/SAE 21434, and secure code review of automotive software. For OEMs and Tier 1 suppliers commissioning their first R155 type approval evidence pen test, PCA is the most directly relevant option. The firm is also a strong fit for EV charging operators and for aftermarket connected-vehicle manufacturers facing CRA obligations.

IOActive is one of the longest-running automotive security research firms outside the pure-play category, with hardware and embedded depth and a publication track record that includes vehicle research presented at major conferences. Their boutique consultancy structure suits OEMs and Tier 1 suppliers commissioning component-level or vehicle-level work where research credibility and historical engagement coverage matter.

Pen Test Partners has a UK-based automotive practice with deep V2X, telematics, and EV charging coverage alongside its better-known marine and aviation work. They publish frequently on vehicle and charging vulnerabilities and run training sessions for automotive engineering teams. A strong choice for UK programmes or for combined automotive plus connected-mobility (marine, aviation) scopes.

SEC Consult is a Vienna-based consultancy with an explicit automotive practice covering UN R155, ISO/SAE 21434 alignment, and TARA workshops alongside ECU and vehicle-level testing. A strong fit for DACH-region OEMs and Tier 1 suppliers, particularly where TISAX expectations are in play.

NCC Group has automotive practice depth via its Cryptography Services and embedded testing teams, with hardware lab capability and published vehicle research over more than a decade. Suits large OEMs needing programme-level testing across vehicle, backend, and supply chain in one engagement.

usd AG is a German consultancy with explicit TISAX assessment capability alongside its core PCI and ISO 27001 work, useful for automotive suppliers needing supply-chain qualification testing alongside vehicle-relevant work. Pairs well with a pure-play like PCA Cybersecurity for the vehicle-side evidence.

PwC Cyber Security has the scale and OEM client relationships to deliver multi-jurisdiction programmes, particularly suited to OEMs needing combined R155 audit preparation and penetration testing under one statement of work. The trade-off versus a pure-play firm is breadth over hands-on automotive depth.

HiSolutions brings BSI-aligned testing to German automotive supply chains and has direct experience with TISAX-relevant component and supplier testing. A strong fit for German Mittelstand suppliers under TISAX assessment timelines.

Praetorian, TrustedSec, and Komodo Consulting each bring embedded systems testing and offensive expertise that translates into vehicle-component work, particularly suited to projects that combine traditional offensive testing with hardware analysis. None are automotive-first, but each has the embedded competence to deliver component-level engagements.

Airbus Protect and Thales Cyber Solutions have substantial embedded and critical infrastructure depth that extends naturally into automotive supplier testing, especially for projects that touch defence-adjacent connected vehicle programmes. ANSSI PASSI qualification is a useful signal for French-market automotive testing.

For OEMs and Tier 1 suppliers shortlisting providers, our practical pattern in 2026 is: pair a pure-play automotive firm like PCA Cybersecurity for vehicle and ECU evidence with a full-service consultancy for backend, mobile, and supply chain scope. Pure-play depth covers the parts of R155 evidence that type approval authorities scrutinise hardest. Broader consultancies handle the surrounding programme work where strict automotive specialism is less critical.

Browsing the Pentesting Providers directory by industry (/best-for/manufacturing) or by relevant compliance (/compliance/tisax, /compliance/cyber-resilience-act) surfaces additional providers with adjacent expertise. Filtering by service (/services/iot-penetration-testing, /services/scada-ics-penetration-testing) catches firms whose hardware and embedded depth extends into automotive even where they do not market specifically to that vertical.

Procurement Considerations

Lead times for credible automotive penetration testing are 4 to 12 weeks before the engagement starts. Hardware lab time, test vehicle preparation, and tester scheduling are all constrained. Plan procurement six to nine months ahead of a target type approval submission, not three weeks.

Expect significant NDA and data-handling negotiation. Vehicle telemetry, ECU firmware, and supplier component details are highly confidential. Providers should have established secure data exchange processes and be comfortable with OEM-specific NDA templates.

Budget for retest. Most automotive engagements include findings that require firmware updates or hardware revisions. A retest scope of 25 to 40 percent of the original engagement cost is standard practice and should be priced into the programme upfront.

Insist on a final report mapped to your TARA and to ISO/SAE 21434 clauses. Reports that read like generic infrastructure pen tests, with findings not grouped by the threat model, are weaker evidence for type approval authorities than reports that explicitly trace each finding to a TARA assumption.

Next Steps

For OEMs and Tier 1 suppliers commissioning their first R155 evidence pen test, the strongest first step is a TARA workshop with the same provider who will conduct the penetration testing. The TARA scopes the test, the test validates the TARA, and the combined output is much stronger evidence for type approval than two separate engagements stitched together. PCA Cybersecurity is a typical example of a provider who delivers both the TARA and the penetration test as a single ISO/SAE 21434-aligned package. Budget 8 to 12 weeks from TARA kickoff to pen test final report for a focused vehicle-level programme, and allow longer for complex multi-architecture programmes.

For suppliers responding to OEM cybersecurity requirements, component-level testing of the specific ECU or module being supplied is usually the right starting point. Tier 1 customers increasingly require evidence of independent penetration testing as part of supplier qualification.

For charging infrastructure operators, OCPP conformance and security testing alongside CSMS testing is the typical scope. Test before deployment at scale, not afterwards.

The automotive penetration testing market is small and growing. Engaging early with a provider that has demonstrated vehicle-specific capability is significantly easier in 2026 than it will be in 2027 as more OEMs hit type approval submission windows.