Automotive Penetration Testing in 2026
Vehicle pen testing demystified: what it covers, why regulators require it, what Pwn2Own Automotive reveals about the firms doing the research, and how to evaluate a partner.
What automotive pen testing actually covers
Automotive penetration testing is the controlled, simulated attack of a vehicle and the systems around it. The scope is much wider than traditional IT pen testing. A modern car is a fleet of connected computers, and a serious automotive engagement touches most of them:
- Electronic control units (ECUs) — engine, transmission, brakes, ADAS, body, gateway. Hardware-level reverse engineering and firmware analysis.
- In-vehicle networks — CAN, CAN-FD, LIN, FlexRay, and increasingly Automotive Ethernet. Bus injection, fuzzing, gateway bypass.
- Infotainment (IVI) and telematics — head units, modems, Bluetooth, Wi-Fi, cellular. Remote attack surface and pivoting into the rest of the vehicle.
- Over-the-air (OTA) update systems — signing, manifest validation, rollback protection.
- V2X and EV charging — vehicle-to-grid, ISO 15118, OCPP, and the growing attack surface of public charging networks.
- Mobile companion apps and cloud backends — the remote side of the vehicle: account takeover, API abuse, fleet-management interfaces.
Most credible engagements combine hardware lab work, firmware reverse engineering, network attacks, and remote attack-surface assessments. A pen test that only looks at the cloud APIs is fine as far as it goes, but it's not automotive pen testing in the full sense.
Why it matters: regulation and real risk
UNECE R155 makes a certified cybersecurity management system (CSMS) mandatory for vehicle type approval in many markets including the EU, Japan, and Korea. UNECE R156 does the same for software updates. The CSMS must include vulnerability management and security validation, which in practice means systematic testing — including penetration testing — across the lifecycle.
ISO/SAE 21434, the international standard for cybersecurity engineering of road vehicles, prescribes verification activities and explicitly calls out penetration testing as a method. ASPICE and TISAX layer on process and supply-chain assurance.
Beyond compliance, the real-world consequences are well documented. PCA Cyber Security disclosed 21 vulnerabilities in Skoda and Volkswagen vehicles and their cloud backend. Older industry-shaping research includes Miller and Valasek's 2015 remote takeover of a Jeep Cherokee, which led to a 1.4M-vehicle recall and effectively launched the modern automotive cybersecurity industry.
Pwn2Own Automotive: a live signal of who can hack what
Pwn2Own Automotive is Trend Micro's Zero Day Initiative competition focused on connected-vehicle hardware and software. It launched in Tokyo in January 2024 and continued in 2025. Targets have included:
- Infotainment head units from Sony, Alpine, Pioneer, and Kenwood
- EV chargers from Tesla, JuiceBox, ChargePoint, Phoenix Contact, and others
- Automotive Grade Linux and various in-vehicle operating systems
Because results are publicly disclosed with cash awards attached, Pwn2Own Automotive is the clearest available signal of which firms can find serious vulnerabilities under live conditions. PCA Cyber Security has been a repeat contestant: in 2024 the team exploited the Alpine Halo9 head unit via a use-after-free for $40,000; in 2025 PCA researchers chained three bugs into a 0-click exploit of the Sony XAV-AX8500 ($10,000) and also exploited a Tesla Wall Connector ($22,500). The 2025 event awarded a total of $886,250 across 49 zero-days.
The firms doing automotive pen testing
Three firms in our directory offer automotive penetration testing as a core service. The full directory lists six automotive cybersecurity companies covering the broader spectrum (in-vehicle protection, cloud VSOC, threat intelligence, DevSecOps).
PCA Cyber Security (Featured)
Budapest · Services-led · TISAX Assessment Level 3
An offensive-security and threat-intelligence specialist with dedicated CyberLab and CyberGarage hardware facilities. Repeat Pwn2Own Automotive contestants with disclosed research on Skoda, Volkswagen, Nissan, and Tesla hardware. Engagements span penetration testing, TARA, V&V, and managed Product SOC monitoring.
VicOne
Tokyo · Trend Micro subsidiary
xScope penetration testing is part of a lifecycle portfolio that also covers in-vehicle IDPS, VSOC, threat intelligence, and SBOM. Backed by the same Zero Day Initiative engine that runs Pwn2Own Automotive.
Karamba Security
Hod Hasharon · Embedded focus
Penetration testing sits alongside Karamba's embedded ECU runtime protection, binary analysis, SBOM, and TARA services. Useful when a single partner covers both testing and remediation tooling.
How to evaluate an automotive pen testing partner
More vendors market themselves as “automotive cybersecurity” than actually have deep automotive offensive capability. A few signals separate the credible from the adjacent:
- Hardware and firmware capability. Can they reverse engineer an ECU and an IVI module, not just attack the cloud API? Ask about lab facilities and example hardware they have worked on.
- Disclosed research and conference presence. Public CVEs, coordinated-disclosure track record, and talks at escar, Black Hat, Hexacon, or Hacktivity are the strongest evidence.
- Standards expertise. ISO/SAE 21434, UNECE R155/R156, ASPICE, and TISAX accreditation. Helpful if the deliverables map directly to your CSMS.
- Methodology that includes TARA. Threat analysis and risk assessment, attack-surface mapping, and threat modeling produce better tests than a checklist sweep.
- Coverage scope. In-vehicle, fleet/cloud, EV charging, mobile, and backend each need different specializations. Map the partner's strengths to the parts of your stack that matter most.