ISO/SAE 21434 · UNECE R155/R156

Threat Analysis & Risk Assessment,
engineered for automotive cybersecurity.

One workbench for Officers, Managers, and Engineers. TOE modeling, damage and threat scenarios, attack trees, risk assessment, security goals, and review ticketing — all aligned to ISO/SAE 21434 §8–§10 and UNECE R155 Annex 5.

  • Tier-1 supplier-grade
  • SOC 2 in progress
  • Tenant-isolated data
ATTACK TREE · L4-AUTODRIVECSE
Compromise CAN bus
AT-01
Spoof gateway ECU
AT-02
Replay diag command
AT-03
Bypass auth challenge
Feasibility
4.2
Risk
High
Owner
CSE-Halzubaidi

Trusted by automotive teams shipping under R155

AudiBMWTeslaWaymoNissanBoschContinental
The TARA bottleneck

Automotive cybersecurity teams are drowning in spreadsheets.

R155 entered into force in 2024 across UNECE members. Every type-approved vehicle now needs a Cybersecurity Management System spanning concept, development, production, and post-production phases.

The reality on most programs: TARA lives in branched Excel workbooks, attack trees in Visio, scenarios in Word, reviews in email. Nothing reconciles. Nothing audits.

TARA Workbench is one structured workbench for the entire ISO/SAE 21434 lifecycle — built so an Officer, a Manager, and an Engineer all see the same truth.

Before
After
  • 14 Excel files per program1 workbench
  • Manual mapping to R155 §Auto-traced
  • Review by emailTickets with state machine
  • Reports in WordOne-click export
End to end

How a vehicle program runs through TARA Workbench.

Five phases, mapped 1:1 to ISO/SAE 21434 work products. Not a checklist — a connected lifecycle.

TOE GRAPH · L4-AUTODRIVETOE
GATEWAY
Central Gateway
BCM
Body Control
ADAS
ADAS Domain
TCU
Telematics
CAN-HS
100BASE-T1
LIN-2
What's inside

Six modules. One audited source of truth.

Every module exports to the others. Change a damage scenario, the linked threat tree picks it up. Update an asset, the risk recomputes.

TOE & Asset Modeling

Visual asset graphs with React Flow. CIA tagging, sub-system grouping, and canonical ECU library built in.

Read more

Damage & Threat Scenarios

Generate, rate, and link scenarios end-to-end. Impact across Safety / Financial / Operational / Privacy.

Read more

Attack Tree Editor

Author and score attack feasibility on a structured canvas. AND/OR nodes, mitigation overlays, peer review baked in.

Read more

Risk Assessment

Compute, treat, and trace risk through to security goals. Configurable risk matrices per program.

Read more

Review Ticketing

Phase-gated reviews (CSPR/CSDR/CSCR/CSSR/CSAR) with comment threads, state machine, and audit snapshots.

Read more

Question Library

170+ pre-loaded questions across SeRA / SeCa / SeCo / SeDP / SeTP. Editable. Versioned. Re-usable across programs.

Read more
See it work

Two minutes inside the workbench.

Watch a CSE author a TARA, a CSM open a review, and a CSO sign the dossier — without leaving the page.

TARA Workbench · Walkthrough
1:48 · captioned
One platform, four roles

Built for the way automotive cybersecurity teams actually work.

Each role gets a workspace tuned to their decisions — and they all see the same evidence underneath.

PA

Platform Admin

Owns the tenant. Provisions teams, organizations, and access.

  • Tenant configuration
  • User & role management
  • Audit logs
View workflow
CSO

Cybersecurity Officer

Sets policy. Signs off on dossiers. Owns standards alignment.

  • Org-level dashboards
  • Policy gates
  • Compliance posture
View workflow
CSM

Cybersecurity Manager

Runs the program. Coordinates milestones, reviews, supply chain.

  • Milestone tracking
  • Review orchestration
  • Supply-chain CS
View workflow
CSE

Cybersecurity Engineer

Ships the analysis. TOE, threats, attack trees, security goals.

  • TARA modeling
  • Attack tree authoring
  • Security concepts
View workflow
Aligned, not improvised

Designed against the standards your team is already chasing.

Every artifact in TARA Workbench traces back to a clause. Evidence packs export ready for type approval.

ISO/SAE 21434

Coverage of §8 (Concept) through §10 (Cybersecurity Validation). Every artifact in the workbench traces back to a clause.

UNECE R155

Annex 5 threat categories pre-mapped. CSMS evidence packs export-ready for type approval.

UNECE R156

Software update governance: version traceability, OTA campaign manifest, post-production change auditing.

Also aligned with
ISO 21434UNECE R155UNECE R156ISO 26262ASPICETISAX
What pilots are seeing

Numbers from real programs running on TARA Workbench.

Anonymized across pilot accounts in Q1 2026. Named case studies on /customers.

reduction in TARA cycle time

Internal benchmark, Q1 2026

faster R155 evidence packaging

Customer interview

reviews per week per program manager

Median across pilot accounts

Plays with the toolchain

Sits alongside the systems you already trust.

No data lock-in. Every artifact exports as ReqIF, xlsx, or JSON. SSO via your existing IdP.

Polarion (Siemens)
ALM
Available
Jira
Issue tracking
Available
Confluence
Documentation
Available
DOORS Next
Requirements
Available
Jenkins / GitLab CI
Pipeline events
Available
Microsoft Entra ID
SSO
Available
Keycloak
SSO
Available
SCIM 2.0
Provisioning
Beta
Security & trust

Built like the systems you're shipping it for.

Tenant-isolated by JWT. Audited end-to-end. Hosted in your region.

Read the full trust center

Tenant-isolated data

Every query filtered by JWT-bound tenant ID. No cross-tenant joins exist in the codebase.

SSO via Keycloak / OIDC

Production SSO with Microsoft Entra, Okta, Auth0, and Google Workspace.

Full audit trail

Every state change snapshotted with author, timestamp, and before/after diff.

EU + US data residency

Pick your region at provisioning. Frankfurt and Virginia available; APAC on roadmap.

SOC 2 Type II in progress

Audit period H1 2026. Q3 2026 attestation expected.

At-rest + in-transit encryption

AES-256 at rest. TLS 1.3 in transit. KMS-managed keys.

Pricing

Transparent, per-user, no surprises.

All tiers include unlimited projects, ISO 21434 alignment, and full audit trail.

Team

For pilots and small evaluation teams.

€499
per month, billed annually
  • Up to 10 users
  • All modules
  • 1 region
  • Email support
Start trial
Most popular

Program

For one full vehicle program.

€2,400
per month, billed annually
  • Up to 50 users
  • All modules
  • 1 region
  • 24h response SLA
Start trial

Enterprise

For multi-program OEMs and Tier-1s.

Custom
annual contract
  • Unlimited users
  • All modules + dedicated support
  • All regions + custom data residency
  • 4h response SLA + named CSM
Talk to sales
See the full feature comparison →
FAQ

What teams ask before adopting.

Resources

Stay current on the standards your buyers ask about.

Long-form guides, blog posts, and the live changelog.

Browse the library
Guide

The R155 Type-Approval Evidence Pack: a 47-page primer

Everything you need to assemble a CSMS evidence pack — clause-by-clause — without re-running your last audit.

47-page PDF · Updated April 2026

Blog

Mapping ISO/SAE 21434 §15 to your TARA artifacts

How to keep §15 supply-chain interface evidence in sync with your in-house damage and threat scenarios.

12 min read · By Halzubaidi, CTO

Changelog

What shipped in TARA Workbench, May 2026

Question library now versioned. Attack tree mitigation overlays. R156 OTA manifest exporter.

May 8, 2026

Ship TARA the way ISO 21434 actually intended.

One workbench. Four roles. Every artifact traceable.

Book a demoTry a sample TARA