The problem
Your OEM won’t sign off without a defensible cybersecurity case under ISO 21434. Standard compliance auditors don’t understand your C/Rust stack. Standard developers don’t know how to write a TARA. The work stalls in the gap between them — and your contract stalls with it.
I’ve lived on both sides of that gap for fifteen years. I write the TARA and I understand the code it describes.
What you get
TARA generation — fixed scope, fixed price
A complete Threat Analysis and Risk Assessment for your item or ECU: asset identification, threat scenarios, attack-path analysis, impact and feasibility rating, and risk treatment. Scoped and priced up front, so it unblocks the contract instead of becoming an open-ended cost.
Cybersecurity concept & goals
The cybersecurity goals and claims that follow from the TARA, expressed so your engineers can implement them and your OEM can accept them.
Attack-path validation — the differentiator
Because I also do offensive security, I don’t stop at a spreadsheet of theoretical threats. Where it matters, I demonstrate whether an attack path is actually reachable on the real target — so you spend your mitigation budget on the risks that are real, not the ones that merely sound scary.
Work products & OEM audit preparation
The ISO 21434 work products in the form your OEM expects, plus a walk-through so your team can defend them in the assessment without me in the room.
Interface to ASPICE
As an Automotive SPICE assessor, I wire the cybersecurity work into your existing ASPICE processes and traceability instead of running it as a disconnected side activity. This pairs naturally with Engineering-as-Code.
A note on scope
Cars themselves are carved out of the CRA — but ISO 21434 and OEM cybersecurity requirements bite just as hard on the components you ship. If you’re a Tier-1 or Tier-2 supplier, this is the regulation that gates your contracts, and this is where my TARA work and ASPICE assessor credential live.