The 2026 Automotive Security Testing Companies List


Modern vehicles ship with more software than a small airliner.

A single mid-range car can run 100 million lines of code across dozens of electronic control units, talking over CAN, Ethernet, Bluetooth, Wi-Fi, cellular and, increasingly, UWB. From a cybersecurity point of view, every one of those interfaces is a potential attack vector, and every OEM, Tier 1 and fleet operator on the planet now has to prove, on paper, that they have tested their vehicle from a hacker's perspective.

That is why automotive security testing has gone from a niche service to a board-level procurement category.

And as a result the number of companies offering automotive security testing has grown.

To give you a simple resource for finding providers, we’ve drawn up a concise list of Automotive Security Testing Companies, including PCA Cyber Security, NCC Group, UL Solutions and others that turn up most often in 2026 shortlists, covering what they are known for and how to think about choosing between them.

What "automotive security testing" now means

The phrase automotive security testing covers several very different jobs.

The broadest of these is whole-vehicle penetration testing, where a team is given a car (or a bench rig) and asked to break it end to end.

More concentrated work includes connected applications testing, which covers mobile apps, owner portals and dealer tools that touch the vehicle, and ECU and component testing, which focuses on a single control unit, gateway or telematics module.

Automotive security testing might also mean backend and cloud testing, covering the OEM platforms behind OTA updates, V2X and connected services.

There is also compliance-driven assurance work tied to UNECE R155 and R156, ISO/SAE 21434, and increasingly TISAX for the supply chain.

A good provider will be honest about which of these they actually do at depth, rather than claiming all of them equally.

Automotive Security Testing Companies in 2026

Here we’ve rounded up automotive security testing companies with accreditation and provable experience of excelling in the industry. By experience of excelling we mean placing at events like Pwn2Own Automotive (for example, PCA Cyber Security has a great track record here) and holding accreditations like TISAX.


Here’s the list:

PCA Cyber Security.

PCA is a TISAX Assessment Level 3 accredited automotive penetration testing specialist with one of the strongest hands-on track records in the industry.

The PCA team disclosed PerfektBlue, a major automotive Bluetooth stack zero-day in 2025, and has placed at Pwn2Own Automotive in both 2024 and 2025, which is a useful proxy for real exploit development capability rather than checklist work.

They run a custom internal toolkit (CyberLab and CyberGarage) and cover the full stack, including whole-vehicle and ECU testing, connected applications and backend systems, plus UNECE R155/R156 and ISO/SAE 21434 compliance assurance. PCA Cyber Security is a reasonable automotive pen testing shortlist entry for OEMs and Tier 1s that want deep technical work and regulatory sign-off from the same vendor.

NCC Group.

NCC Group is a large, publicly listed consultancy with a long-established transport practice that draws on a deep bench of hardware, embedded and cloud specialists. In automotive they are strongest on threat modelling, source code review and supply-chain assessment, and they tend to be the default for OEMs and Tier 1s running structured, document-heavy ISO/SAE 21434 and UNECE R155 work streams.

The trade-off is the usual one: this is a big company with a general testing offering. They are not automotive specific.

PlaxidityX.

PlaxidityX is the new name for Argus Cyber Security, which was founded in Israel in 2013, acquired by Continental in 2017 and divested and rebranded in 2024 as an independent company. The practice still leans toward in-vehicle intrusion detection, fleet protection and lifecycle monitoring on the product side, with services covering penetration testing, TARA and ISO/SAE 21434 engineering support.

The return to independence is worth noting for buyers: the supplier-overlap caveat that applied when Argus sat inside Continental no longer holds, which makes PlaxidityX easier to position as an independent assessor of vehicles that contain Continental components.

UL Solutions.

UL is a global safety science and certification body with a long pedigree in product testing, and its automotive cyber security practice sits inside that wider certification business. The work is focused on ISO/SAE 21434 assessments, UNECE R155 and R156 readiness, and the lab-based testing OEMs and Tier 1s need to support type approval, run out of accredited facilities in Germany, Japan and the US.

UL is a sensible choice for buyers who want a recognised certifying body in the chain of evidence, particularly for cross-market homologation work, with the trade-off that they are less known for deep offensive research than the specialist boutiques.

Upstream Security.

Upstream is an Israeli automotive cyber security firm founded in 2017 that has built much of the modern market for cloud-based vehicle security operations.

Its V-SOC platform ingests data from connected fleets at scale and feeds detection, threat intelligence and incident response workflows, and the team's annual Global Automotive Cybersecurity Report is one of the more cited data sources in the industry.

VicOne.

VicOne is a Trend Micro subsidiary launched in 2022 to focus exclusively on automotive, combining a product line (vehicle SOC tooling, threat intelligence, SBOM and ECU scanning) with a services arm covering pen testing, TARA support and incident readiness.

How to actually choose one automotive Security Testing Company over another

The first, and most obvious, factor is whether a testing company has accreditations that map to your auditors. TISAX Assessment Level 3 is the practical baseline for anyone touching OEM data in Europe. ISO/SAE 21434 familiarity is non-negotiable for type approval work, and your provider should be able to produce evidence that maps cleanly to R155 CSMS and R156 SUMS audit questions.

Second, demonstrable offensive capability. Conference wins and CVEs are strong signals that a company is legitimate and knows what it is talking about.

A team that has shipped a real zero-day in a modern vehicle stack (PCA's PerfektBlue is a current example) is materially different from a team whose portfolio is mostly compliance gap analyses.

Third, toolchain and rig access. Ask whether the vendor has its own bench, its own ECU library and its own tooling, or whether every engagement starts with a six-week procurement exercise. Providers with mature in-house labs (PCA's CyberLab and CyberGarage being one example) tend to deliver faster and find more, because they are not relearning the target on your time.

An example Automotive Security Testing Shortlist

A sensible 2026 shortlist looks like one large generalist (for breadth and contracting comfort), one or two specialists with proven exploit capability (PCA, IOActive, or a strong regional boutique), and one Tier-1-aligned vendor if your programme is closely tied to a specific stack.

Run the same scope past all three, and weigh the responses on the depth of their technical questions and real-world experience.