OEM CSMS without manual evidence reconstruction
One connected CSMS for ISO/SAE 21434, UNECE R155, GB 44495 and EU CRA — covering type approval evidence, federated supplier execution, and CVE-to-V‑SOC response in hours, not weeks.
One ECU family, one OEM template, the rest of your stack untouched.
In plain terms: ThreatZ gives your CSMS team one traceable model across suppliers, programs, vulnerabilities, controls, tests, and type-approval evidence — without replacing your existing EA, ARXML, DOORS, Jira, or supplier portal.
Smallest pilot scope: one architecture, one supplier slice, or one CVE response scenario.
One model, three regulators, every supplier — authored once, audit-ready in every jurisdiction.
What changes when the chain is connected
Four operational outcomes OEM cybersecurity teams report in first-cycle programs. Outcomes vary by SBOM coverage, supplier mix, and existing toolchain.
Three regions. Five evidence formats. Dozens of suppliers. No single traceable chain.
TARA in documents. Risk in spreadsheets. SBOMs in CycloneDX, SPDX or custom exports. Controls in a wiki. V-SOC findings disconnected from design-time risk. When the assessor asks for one variant’s cybersecurity case, the team reconstructs truth from tools never built to behave like one CSMS.
Three regions, three timelines
UNECE R155 type approval; GB 44495, China type approval enforced from January 2026 (phased rollout for in-production types through 2027); EU CRA vulnerability handling and incident reporting obligations from 11 September 2026, with full conformity assessment from 11 December 2027. Same evidence, three regulator formats, three audit cadences.
Five evidence formats, no chain
TARA in Word, risk register in Excel, SBOMs from forty suppliers in CycloneDX exports, residual-risk acceptance in a SharePoint folder, controls in a wiki page nobody updates after the audit closes.
Two weeks per public CVE
A CVE drops Tuesday. UNECE R155 §7.2.2 vulnerability handling and Annex 5 Part B threat mitigation demand a disclosure assessment. By Friday: 200-supplier coordination via Teamcenter, Windchill, vendor portals — none of which carry the cybersecurity model. Manual SBOM joins, attack paths reconstructed from memory. Two weeks later, you have a partial answer for one region.
The risk is not missing documents. The risk is not being able to prove the chain when it matters.
A new CVE drops. The team needs to know which components are affected, which ECUs and variants include them, which scenarios and controls are relevant, whether tests prove mitigation, and whether a disclosure package is owed in each region. Without a connected CSMS model, that answer becomes emails, manual SBOM joins and late-night evidence packaging.
| Step | Current setup — manual reconstruction | ThreatZ — one connected model |
|---|---|---|
| CVE lands | Watch the feed, manually triage which programs care. | Ingested into the graph; PURL / CPE / SHA-256 match runs automatically. |
| Supplier exposure | 40–200 supplier coordination via Teamcenter, Windchill, vendor portals — none of which carry the cybersecurity model. Reconcile PDFs by hand. | Supplier-delivered CycloneDX / SPDX already bound to components. |
| ECU & variant binding | Architecture knowledge lives in two senior engineers’ heads. | Component → ECU → variant → release, queryable. |
| R155 §7.2.2 disclosure | ~14 days, late-night packaging, partial answer for one region. | R155 & GB 44495 disclosure drafts in under 4 hours (internal exposure assessment; coordinated supplier disclosure follows normal timelines). |
ThreatZ connects the work of CSMS — not just the documents of CSMS.
Six platform positions, each paired with what delivers it in the product.
Eight workflows, one CSMS knowledge graph. Every node, every edge, every claim resolves to the same model — no integration tax between Design, Governance, TARA, SBOM, Testing, Compliance, Collaboration, and Operations.
Connected, not fragmented
Eight workflows — Design, Governance, TARA, SBOM, Testing, Compliance, Collaboration, Operations — on one knowledge graph. One tenant, one model, one identity surface. Versus the typical OEM stack of five disconnected vendors plus the integration tax that exceeds license cost.
Architecture-centric
Import your system model once. ARXML (network plane) and MATLAB System Composer + Simulink (function + behavior plane) ingest as orthogonal sources joined at the asset graph. TARA, SBOM, test coverage and compliance reporting all derive from the same model. Supported: AUTOSAR Classic 4.2.x / 4.3.x / 4.4.x System Description + ECU Extract; AUTOSAR Adaptive SOME/IP service descriptions; DBC fallback for legacy CAN. Bus types: CAN, CAN-FD, FlexRay, Ethernet/SOME-IP, LIN.
Federated supplier execution
Your suppliers don't just receive your templates. They receive a workspace inside your tenant, scoped by RBAC at org / project / entity. Your methodology, your review cadence, your evidence schema — live status, not quarterly PDFs.
CVE response under four hours
First-cycle programs report ~14 days collapsing to under 4 hours for internal exposure assessment + draft disclosure package: PURL / CPE / SHA-256 match against SBOM, component-to-ECU-to-variant binding, risk re-score, and R155 §7.2.2 + Annex 5 Part B + GB 44495 disclosure packages drafted for cybersecurity sign-off. Coordinated supplier disclosure and OTA campaign decisions follow normal timelines.
Sovereignty by deployment
Private cloud or air-gapped on-premise. Customer-owned data plane. China-resident deployment for GB 44495. Air-gapped option for defense-loaded programs. SAML / OIDC / LDAP / AD for identity. Audit-log export to your SIEM. See /security/.
AI that traces, doesn't generate
The AI Recommender doesn't generate a TARA opinion. It traces relationships in your knowledge graph — CVE to component to ECU to variant to threat scenario to control to test. AI accelerates. Humans approve. Every claim has a graph link the auditor can follow. The AI Recommender runs in the customer tenant; there is no telemetry or training-data egress in private-cloud, on-prem or air-gapped deployments. The model is keyed to the project knowledge graph, not a generic LLM.
Bring your current evidence flow to a 30-min map
No slides — we walk your architecture and show where the chain breaks for the assessor.
“The architecture-mapping piece — auto-suggesting bindings from our EA model — saved weeks per program. ThreatZ replaced four spreadsheets and a Jira board with one queryable graph the assessor could walk.”
Practitioner quoted under NDA. Named references available after the scoping call.
From global CVE to vehicle impact, risk decision, and V-SOC evidence.
A new vulnerability drops. Walk the chain. Every node is an actual module; every edge is an actual graph relationship.
Ten queryable nodes, one connected chain. Feeds ingested: NVD, CISA KEV, EUVD (ENISA), Auto-ISAC advisories, vendor PSIRT, customer-configured. VEX statements consumed alongside SBOM. From CVE ingestion through SBOM match and binding to disclosure packaging — every edge is a graph relationship the assessor can walk.
Ingest
Ingest from NVD, CISA KEV (Known Exploited Vulnerabilities), EUVD (ENISA EU Vulnerability Database), Auto-ISAC advisories, vendor PSIRT feeds, and customer-configured feeds. VEX (Vulnerability Exploitability eXchange) statements consumed alongside SBOM. Disclosure flow aligned with ISO/IEC 29147 (coordinated vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes), customer’s PSIRT cadence preserved.
SBOM match
PURL, CPE, SHA-256 / MD5 match across supplier CycloneDX + SPDX.
Binding
Component → ECU → variant → release, via Architecture Mapping Studio. EA → ThreatZ mapping via XMI 2.4 export + MDG technology, with auto-suggested system-node bindings (brownfield projects start at 30–40% match and improve as schema profile establishes; ~80% on clean greenfield models).
Re-score
Feasibility (5 factors) × Impact (S/F/O/P) → CAL re-check.
Surface
Affected attack paths and controls surfaced from the graph; AI accelerates, humans approve.
Record
Decision typed into the graph — role, identity, timestamp, Policy Manager rules.
Draft disclosure packages
R155 §7.2.2 + Annex 5 Part B + GB 44495 disclosure packs auto-drafted for cybersecurity sign-off — from the same graph that fed ISO 21434 evidence.
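The ingest-to-binding steps above, as an added example that is not ThreatZ's own code or data: a Python sketch that matches a constructed advisory against a constructed CycloneDX-style SBOM fragment by PURL and SHA-256, drops components a VEX statement marks not_affected, and walks constructed component → ECU → variant → release edges to list the exposed variants and the chain an assessor would follow. The advisory id, component names, hashes and edges are placeholders; the re-score and disclosure-drafting steps are not modelled.

```python
"""CVE -> SBOM match -> VEX filter -> ECU/variant/release binding.

All data below is constructed for illustration: it is not a real supplier
export, advisory, VEX document or ThreatZ API.
"""
import json
from collections import defaultdict

# Constructed CycloneDX-style SBOM fragment from a hypothetical Tier-1.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "c-tls", "name": "tinytls", "version": "2.4.1",
         "purl": "pkg:generic/tinytls@2.4.1",
         "hashes": [{"alg": "SHA-256", "content": "1111"}]},
        {"bom-ref": "c-rtos", "name": "rtos-kernel", "version": "5.0",
         "purl": "pkg:generic/rtos-kernel@5.0",
         "hashes": [{"alg": "SHA-256", "content": "2222"}]},
        {"bom-ref": "c-tls-old", "name": "tinytls", "version": "2.3.0",
         "purl": "pkg:generic/tinytls@2.3.0",
         "hashes": [{"alg": "SHA-256", "content": "3333"}]},
    ],
})

# Constructed advisory with a placeholder id; affected entries may carry a
# PURL and/or a SHA-256, the two match keys used below.
ADVISORY = {
    "id": "CVE-0000-00000",
    "affected": [
        {"purl": "pkg:generic/tinytls@2.4.1"},
        {"sha256": "3333"},  # older build of the same library, hash-only match
    ],
}

# Constructed VEX statement: the supplier asserts the older build is not
# affected, so it is removed from the exposure set but stays in "matched".
VEX = {"statements": [
    {"vulnerability": "CVE-0000-00000", "products": ["c-tls-old"],
     "status": "not_affected"},
]}

# Constructed binding edges: (src_type, src, dst_type, dst).
EDGES = [
    ("component", "c-tls", "ecu", "TCU"),
    ("component", "c-rtos", "ecu", "TCU"),
    ("component", "c-tls-old", "ecu", "BCM"),
    ("ecu", "TCU", "variant", "EU-2026"),
    ("ecu", "TCU", "variant", "CN-2026"),
    ("ecu", "BCM", "variant", "EU-2026"),
    ("variant", "EU-2026", "release", "R1.3"),
    ("variant", "CN-2026", "release", "R1.2"),
]


def load_components(sbom_text):
    """Index SBOM components by bom-ref, keeping the PURL and SHA-256 keys."""
    comps = {}
    for c in json.loads(sbom_text)["components"]:
        sha = next((h["content"] for h in c.get("hashes", [])
                    if h["alg"] == "SHA-256"), None)
        comps[c["bom-ref"]] = {"purl": c.get("purl"), "sha256": sha}
    return comps


def match_advisory(comps, advisory):
    """Return bom-refs whose PURL or SHA-256 appears in the advisory."""
    purls = {a["purl"] for a in advisory["affected"] if "purl" in a}
    shas = {a["sha256"] for a in advisory["affected"] if "sha256" in a}
    return {ref for ref, c in comps.items()
            if c["purl"] in purls or c["sha256"] in shas}


def apply_vex(matched, vex, vuln_id):
    """Drop components a VEX statement marks not_affected for this vuln."""
    cleared = set()
    for s in vex["statements"]:
        if s["vulnerability"] == vuln_id and s["status"] == "not_affected":
            cleared.update(s["products"])
    return matched - cleared


def build_graph(edges):
    """Adjacency list keyed by (type, id) so node kinds never collide."""
    graph = defaultdict(list)
    for src_t, src, dst_t, dst in edges:
        graph[(src_t, src)].append((dst_t, dst))
    return graph


def walk_chain(graph, start):
    """Enumerate every path from start to a leaf (release) by DFS."""
    paths, stack = [], [[start]]
    while stack:
        path = stack.pop()
        nxt = graph.get(path[-1], [])
        if not nxt:
            paths.append(path)
        for node in nxt:
            stack.append(path + [node])
    return paths


def assess(sbom_text, advisory, vex, edges):
    """Run the chain and return matched, exposed, variants and full paths."""
    comps = load_components(sbom_text)
    matched = match_advisory(comps, advisory)
    exposed = apply_vex(matched, vex, advisory["id"])
    graph = build_graph(edges)
    chains = [p for ref in sorted(exposed)
              for p in walk_chain(graph, ("component", ref))]
    variants = sorted({n[1] for p in chains for n in p if n[0] == "variant"})
    return {"matched": sorted(matched), "exposed": sorted(exposed),
            "variants": variants, "chains": chains}


if __name__ == "__main__":
    for chain in assess(SBOM_JSON, ADVISORY, VEX, EDGES)["chains"]:
        print(" -> ".join(f"{t}:{i}" for t, i in chain))
```

Keeping "matched" and "exposed" as separate sets is deliberate: the hash-matched older build is still part of the evidence record even though the VEX statement removes it from the exposure assessment, which is what an assessor asking for dispositions will want to see.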
Your suppliers execute your process. On your platform. With scoped access.
One tenant, scoped sub-workspaces, one auditable graph — no more quarterly PDF reconciliation.
How it works
A Tier-1 is invited via the Supplier Manager persona. RBAC scopes them to one project (or one entity inside it). Your methodology, TARA templates, Risk Treatment policy, and Security Catalog of controls are pre-loaded.
What they deliver
CycloneDX or SPDX SBOM ingested directly. Threat scenarios in your STRIDE + automotive taxonomy. Attack paths scored against the 5 ISO 21434 feasibility factors you mandated. Tests linked to your requirements and controls.
What you see
Live status across every supplier and every program. The R155 type approval evidence packet auto-assembles from supplier-delivered evidence as it lands — with the lineage the assessor needs.
Suppliers don't email PDFs — they receive a workspace inside your tenant, RBAC-scoped to their entity. Your methodology, your templates, your review cadence. Live status. Audit evidence auto-assembles in one graph.
From asset to incident. Every clause linked.
The chain the assessor walks. Every node is a real module in the product, not a diagram label.
Click any node and the assessor sees the trace. One highlighted path is shown here; the model carries every node.
Asset → Risk
Asset, Damage, Threat (STRIDE + automotive), Attack Path, Feasibility (5 ISO 21434 factors), CAL 1–4, Impact (S/F/O/P), Risk.
Goal → Test
Goal (§9 Concept), Requirement (§10 Product Development), Control (§10, from Security Catalog), Claim, Test (PenTest, VulnScan, SAST, Config Review, Functional Security), Verification (§10.4.2), Validation (§11 Cybersecurity Validation).
Work product → loop
Cybersecurity Case (§6.4.8, auto-generated as a §15 distributed-activity work product when suppliers are in scope), Field Monitoring (§13 Operations & Maintenance + R155 Annex 5), Incident, looping back into Risk. Every arrow is a queryable graph edge — not a diagram label.
Keep the portal. Replace the disconnected model behind it.
Your team’s user-facing portals stay. ThreatZ becomes the cybersecurity knowledge graph behind them, federated via REST / GraphQL / SAML / OIDC / LDAP / Git Sync.
APIs first, UI optional
REST and GraphQL APIs expose every entity in the graph. SAML / OIDC SSO federation against your IdP. Audit-log export to your SIEM. Git Sync for documentation versioning. RBAC at org / project / entity.
On-premise or air-gapped
Customer-owned data plane. China-resident deployment for GB 44495. Air-gapped option for defense-loaded programs. Your portal stays the user-facing surface; ThreatZ owns the model behind it.
Private cloud, on-premise, or air-gapped for sovereignty-sensitive programs.
ThreatZ supports customer-owned data planes, China-resident deployment for GB 44495, private cloud for enterprise programs, and air-gapped installation for high-sovereignty environments.
| Capability | Private Cloud | China-Resident | On-Premise | Air-Gapped |
|---|---|---|---|---|
| Identity | SAML / OIDC against your IdP | SAML / OIDC, in-country IdP | SAML / OIDC / LDAP / AD | Local LDAP / AD |
| Audit logs | Export to your SIEM | In-country SIEM | Your SIEM, your retention | On-box, exportable |
| Data plane ownership | Customer tenant | China-resident, customer tenant | Customer infrastructure | Customer infrastructure, isolated |
| Supplier access | Federated sub-workspaces | Federated, in-country | Federated via VPN / DMZ | Federated via offline package exchange |
| Compliance package generation | R155, ISO 21434, EU CRA | GB 44495, R155 projection | All regions | All regions, offline rendering |
For OEM procurement teams with AWS commitments: ThreatZ Team and Pro tiers are available via AWS Marketplace as a procurement channel (EDP burndown eligible). Same ThreatZ, two deployment modes: AWS Marketplace for authoring and pilots, private cloud or on-premise wherever vehicle data lives. Enterprise programs remain direct.
UNECE R156 (Software Update Management System / SUMS) is the matched twin VTA to R155. ThreatZ supports R156 evidence — release-baseline binding, update-impact analysis, and OTA campaign audit trail — alongside R155 evidence.
China-resident deployment supports MLPS 2.0 (等保2.0) network security graded protection, PIPL (Personal Information Protection Law) data-export controls, and the Automotive Data Provisions (2021). In-country compute + in-country IdP + CATARC-compatible compliance reporting.
Air-gapped federation via signed CycloneDX + VEX bundle exchange + tagged JSON evidence packages; manual import scheduled by site cybersecurity officer.
| Available today | Scoped per customer |
|---|---|
| TARA workflows + risk-relationship graph | Enterprise Architect integration (XMI + MDG) |
| SBOM ingestion (CycloneDX, SPDX) | MATLAB / System Composer model mapping |
| R155 + ISO/SAE 21434 + GB 44495 compliance reporting | DOORS / Codebeamer / Polarion bidirectional sync |
| Federated supplier execution + RBAC | Jira / ALM workflow sync |
| Risk + evidence linking | V-SOC / SIEM integration |
Sovereignty, supplier mix, identity provider — we’ll scope it
One call, one architecture. We map the supplier set against private-cloud, on-premise or air-gapped before any commitment.
Six questions your R155 assessor will ask
| Assessor question | Current setup answer | ThreatZ answer |
|---|---|---|
| Cybersecurity case for variant X, build Y, date Z (§6.4.8) | Senior engineer reconstructs from Git history, SharePoint, and three TARA spreadsheets. 5–10 days. | Variant + release baseline scoping: weakness trees unique per project/variant/release. Time-travel query against the graph. Minutes. |
| Walk me through one §8–§11 chain end-to-end, including the §15 distributed activities | The chain exists across four tools and one shared drive. Reconstruction = email thread + screenshots. | Asset → Damage → Threat → Attack Path → Feasibility → CAL → Risk → Goal → Requirement → Control → Claim → Test → Verification. Click any node. |
| How is each supplier's CIA (Cybersecurity Interface Agreement) / DIA (Data Interface Agreement) rolled into the OEM case? | Suppliers email signed PDFs. OEM cybersecurity engineer manually maps to the OEM case. Quarterly. | Supplier executes in your tenant. CIA / DIA artefacts live as graph objects, bound to components, version-controlled, signed. |
| Residual-risk acceptance record: who, what role, when? | Email approval, sometimes a PDF signature, often missing for risks accepted three years ago. | Policy Manager defines who can accept which risk class. Acceptance is a typed event in the graph: role, identity, justification, timestamp. Immutable. |
| R155 Annex 5 monitoring evidence, past 12 months, with dispositions | Pulled together from ticketing, V-SOC notes, and CVE response emails. Coverage gaps are common. | Operations workflow links incidents to component, severity, MTTR (Mean Time To Resolution), disposition; feeds back into the risk model. |
| Project the cybersecurity case into the GB 44495 package format for China homologation | Six weeks of consulting to reformat into the Chinese regulatory schema. Whole-team task. | One model, many projections. GB 44495 templates ship with the platform; the package renders from the same graph that fed your R155 file. China-resident deployment supported. |
Focused, not fragmented
Six categories ThreatZ deliberately doesn't live in. We integrate with the tools you already trust; we don't try to replace them.
Not a replacement for Enterprise Architect
ThreatZ imports software architecture from EA. UML modelling stays where it is. Architecture Mapping Studio is the bridge.
Not an SBOM scanner
ThreatZ consumes CycloneDX and SPDX. The vulns-scanner service matches components to feeds; generation stays with your scanners.
Not exploit generation
Defensive cybersecurity engineering data, not red-team automation. No PoC pipelines, no offensive tooling.
Not a CI/CD pipeline
Integrates via Git Sync, Codebeamer, DOORS — doesn’t run your build. ALM and pipeline tools stay where they are.
Not a mandatory user-facing portal
Can run behind your internal portal as the model layer. APIs first; UI optional.
Not multi-tenant for your vehicle data
Private cloud or on-premise — air-gapped supported. Customer-owned data plane. Vehicle data stays inside your tenant.
What OEM cybersecurity leadership tells us
“We stopped reconstructing evidence the week before each audit. The cybersecurity case for any variant is a query now, not a project.”
“ThreatZ eliminated the duplication and gave us confidence both documentation sets were consistent and complete. We achieved European type approval months ahead of schedule.”
Practitioners quoted under NDA. Named references available after the scoping call. Outcomes vary by program scope, supplier mix, and existing toolchain.
The graph is real. The trace is queryable.
Eight workflows, one connected model. Click an asset, see every threat, control, test, and disclosure pack downstream. Bring your architecture and we walk one trace together in 30 minutes.
Project status, supplier sub‑tenants, CVE chain, evidence packs — one tenant, one queryable model. Book a Traceability Review →
Keep exploring
Eight workflows. One knowledge graph.
How the platform connects Design · Governance · TARA · SBOM · Testing · Compliance · Collaboration · Operations — and what the graph stores between them.
Excel + SharePoint + Jira — where it breaks
The honest comparison against your current setup. Side by side, on the questions an R155 assessor actually asks.
Prove the chain in 6–8 weeks
One vehicle program. One supplier slice. End-to-end traceable chain — before any platform commitment.
Keep your EA, ARXML, DOORS, Jira
ARXML, MATLAB System Composer, Simulink, CycloneDX, SPDX, Enterprise Architect, Codebeamer, DOORS, Git Sync, SAML / OIDC — ThreatZ federates, doesn’t replace.
Private cloud, on-premise, air-gapped
SAML / OIDC SSO. SIEM export. Encryption posture. Data residency. China-resident option for GB 44495.
What your Tier-1 suppliers see
The sister ICP page — how Tier-1 product cybersecurity teams reuse one CSMS case across every OEM customer.
Bring one program. We will trace the evidence flow end-to-end.
In 30 minutes, Uraeus maps your current CSMS evidence flow across one architecture, one supplier slice, or one CVE response scenario. We identify where the trace breaks, which evidence packages can be generated from a graph, and what a federated tenant would look like for your supplier set.
Best attendees: Head of Vehicle Cybersecurity + one TARA lead + one type-approval owner. 30 minutes.