Automotive Pen Testing Is Different in 2026
Automotive pen testing used to be very much an add-on service: an OEM or manufacturer might test a vehicle only in a broad way, perhaps running a general scan for known vulnerabilities.
Today however, a modern vehicle runs tens of millions of lines of code across dozens of electronic control units, exposes attack surfaces over CAN, Ethernet, Bluetooth, Wi-Fi, cellular and UWB, ships with companion mobile apps and dealer tools, and connects to OEM cloud platforms that handle telematics, OTA updates and V2X services.
Securing all of that is also now a regulated activity.
For example, UNECE R155 type approval requires every new vehicle in regulated markets to have a documented Cyber Security Management System backed by evidence of testing across the lifecycle, and R156 does the same for software updates.
PCA Cyber Security is a TISAX Assessment Level 3 accredited specialist with a strong offensive track record. PCA disclosed PerfektBlue, a major automotive Bluetooth stack zero-day, in 2025 and has placed at Pwn2Own Automotive in both 2024 and 2025, which is a useful indicator of real exploit development capability rather than checklist work. They cover the full stack (whole-vehicle and ECU testing, connected applications, backend, and UNECE R155/R156 and ISO/SAE 21434 compliance assurance) and run a custom internal toolchain in CyberLab and CyberGarage. A natural fit when a buyer wants deep technical work and regulatory sign-off from one vendor.
That’s why automotive penetration testing has matured into a distinct pen testing service, with specialist automotive pentesting companies like PCA Cyber Security (who discovered the PerfektBlue exploit in 2025) and sought-after accreditations like TISAX defining the market.
For anyone considering how automotive pen testing works, here’s a quick recap.
Automotive penetration testing covers a broad range of testing situations
The phrase automotive pen testing is broad enough to mean very different things depending on who is using it. In practice, engagements tend to fall into five categories, and serious providers will be explicit about which of the five they are quoting for.
Whole-vehicle penetration testing.
The team is given a complete car, a body-in-white prototype or a full bench rig and asked to break it end to end. Scope typically includes the external attack surface (key fob, TPMS, Bluetooth, Wi-Fi, cellular, charging ports, USB and OBD-II), lateral movement across the in-vehicle network, and depth into safety-relevant ECUs. This is the most resource-intensive form of testing and the closest analogue to a red team engagement in enterprise security.
ECU and component testing.
A single control unit, gateway, telematics module, infotainment system or charging controller is taken apart in the lab. Work usually includes firmware extraction, hardware-level analysis (JTAG, SWD, glitching, side channel), bus-level fuzzing and protocol reverse engineering. This is where the deepest bugs tend to come from, and where the gap between strong and weak providers is widest.
Connected applications testing.
The mobile apps, owner portals, dealer tooling and third-party integrations that touch the vehicle. Standard web and mobile pen testing methodology applies, but with extra weight on identity, vehicle binding, key management, command authorisation and the security of the link between the app and the vehicle.
Backend and cloud testing.
The OEM platforms behind OTA, V2X, connected services and fleet management. This is conventional cloud and API security work but with safety-critical consequences when it goes wrong, because a backend flaw can affect every vehicle on the platform at the same time.
Compliance-driven assurance.
Work that maps directly to regulatory requirements: TARA under ISO/SAE 21434, CSMS evidence for UNECE R155, SUMS evidence for R156, and the supplier-side audits that fall under TISAX. This is less about finding new bugs and more about producing the artefacts an auditor will sign off on.
Most real programmes combine several of these. A typical year for an OEM platform might include one whole-vehicle assessment, two or three ECU deep dives, continuous testing on the connected app, periodic backend assessments and a rolling compliance work stream.
An automotive pentesting engagement contains multiple phases
A typical mid-sized engagement spans roughly six to twelve weeks.
The first phase is scoping and threat modelling, where the provider works with the OEM or Tier 1 to define targets, sign data handling agreements (TISAX matters here) and agree which interfaces are in scope.
The second is hands-on testing in the provider's lab or on customer premises, usually broken into reconnaissance, vulnerability discovery, exploitation and lateral movement, with daily or weekly check-ins. The third is reporting, where findings are written up against an agreed risk model (CVSS, ISO/SAE 21434 attack feasibility, or both) with retest and proof-of-fix support included or priced separately.
The artefacts that come out of this matter as much as the findings themselves, because they are what feeds the auditor.
A good report will trace every finding back to a specific TARA entry, document the test environment and tooling clearly enough to be reproducible, and produce evidence that maps cleanly to the relevant R155 CSMS or R156 SUMS audit questions.
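The reporting phase above asks for two things an auditor can check mechanically: a feasibility rating per finding under an agreed risk model, and traceability from each finding to a TARA entry and a documented test environment. The script below is an added example, not the article's or any provider's code; it rates constructed findings using the ISO/SAE 21434 attack-potential method (point values as given in the informative Annex G table; confirm them against your copy of the standard) and flags traceability gaps. The TARA register, finding IDs and environment strings are all constructed.

```python
# Attack-potential factor values (ISO/SAE 21434 Annex G, informative table;
# verify against your copy of the standard before relying on them).
FACTORS = {
    "elapsed_time": {"<=1d": 0, "<=1w": 1, "<=1m": 4, "<=6m": 17, ">6m": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple_experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "confidential": 7,
                  "strictly_confidential": 11},
    "window": {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialised": 4, "bespoke": 7, "multiple_bespoke": 9},
}

def attack_potential(rating: dict) -> int:
    """Sum the five factor values; an unknown factor or level raises KeyError."""
    return sum(FACTORS[f][rating[f]] for f in FACTORS)

def feasibility(ap: int) -> str:
    """Map summed attack potential to the Annex G attack feasibility rating."""
    if ap <= 13:
        return "High"
    if ap <= 19:
        return "Medium"
    if ap <= 24:
        return "Low"
    return "Very low"

# Constructed TARA register and findings for a hypothetical engagement.
TARA = {"TARA-017": "Unauthorised unlock via BLE pairing",
        "TARA-042": "Telematics backend command spoofing"}

FINDINGS = [
    {"id": "F-01", "tara": "TARA-017", "env": "Bench rig, BLE module rev B",
     "rating": {"elapsed_time": "<=1w", "expertise": "expert", "knowledge": "public",
                "window": "easy", "equipment": "specialised"}},
    {"id": "F-02", "tara": "TARA-099", "env": "",   # dangling TARA ref, no env
     "rating": {"elapsed_time": "<=6m", "expertise": "multiple_experts",
                "knowledge": "confidential", "window": "difficult", "equipment": "bespoke"}},
]

def audit(findings, tara):
    """Return {finding_id: (feasibility, [traceability gaps an auditor would flag])}."""
    out = {}
    for f in findings:
        gaps = []
        if f["tara"] not in tara:
            gaps.append("no matching TARA entry")
        if not f["env"]:
            gaps.append("test environment not documented")
        out[f["id"]] = (feasibility(attack_potential(f["rating"])), gaps)
    return out

if __name__ == "__main__":
    for fid, (rating, gaps) in audit(FINDINGS, TARA).items():
        print(fid, rating, "; ".join(gaps) or "traceable")
```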
What to look for when choosing an automotive pen testing provider
Three filters tend to separate the strong providers from the polished pitches.
First, accreditations that match what your auditors expect to see. TISAX Assessment Level 3 is the practical baseline for handling OEM data in Europe, and ISO/SAE 21434 familiarity is non-negotiable for type approval work.
Second, demonstrable offensive capability. Conference wins (Pwn2Own Automotive is the obvious one) and disclosed CVEs in real vehicle stacks are harder to fake than slideware. A team with a recent zero-day in production code (PCA's PerfektBlue is one current example) is materially different from a team whose portfolio is mostly compliance gap analyses.
Third, lab and toolchain maturity. Ask whether the provider has its own bench, its own ECU library and its own internal tooling, or whether the first six weeks of every project go on procurement. In-house capability is the single biggest predictor of finding density and on-time delivery.
The market has matured fast, and there is now genuine choice. The work in 2026 is to match the type of engagement you actually need to a provider that can deliver it at depth, rather than buying a generic "pen test" and hoping the report holds up under audit.