FAQ
Should we do TARA before ECU pentest?
Short answer
Yes, if you have the time and the system is non-trivial. TARA (Threat Analysis & Risk Assessment) per ISO/SAE 21434 surfaces architectural issues that ECU-level penetration testing alone cannot find, and it shapes the testing scope so that engineering time goes into the highest-risk paths first. For a single ECU in a known threat model, TARA can be lightweight; for a multi-ECU subsystem with novel attack surface, it pays for itself many times over.
The tradeoff
Buyers often see TARA as documentation overhead and pentest as "the real work." That framing inverts what actually happens. TARA identifies the attack paths most worth pentesting; pentest validates whether the paths are exploitable. Skipping TARA and doing a pentest "everywhere" produces broad shallow coverage — useful for catching basic findings, less useful for catching architectural issues.
A practical sequencing pattern:
1. **TARA first** (2-4 weeks for a typical subsystem). Outputs: damage scenarios, threat scenarios per attack path, risk values, treatment decisions.
2. **Pentest scoped from TARA outputs** (3-6 weeks). Tests the high-risk paths TARA surfaced.
3. **Verification re-test** (60 days later). Validates remediations.
If you skip TARA you can still do a useful pentest, but you'll be in scope-by-feature mode rather than scope-by-risk mode. The pentest report will surface findings; the threat model that contextualizes them will live in your engineering team's head, not in a documented artifact. That's a problem at certification time, at design-review time, and at the moment a future engineer asks "why is this control here."
When you can skip TARA
- The system is a minor change to a previously assessed system and you can reuse the existing TARA with deltas
- You already have an internal TARA produced by a competent in-house team
- You're doing a pre-launch sanity check on a non-production prototype where the goal is rapid feedback, not certification evidence
What we typically recommend
For ISO/SAE 21434 certification work or for systems being assessed for the first time, we run TARA and pentest as a single engagement. For follow-on engagements, we update the TARA delta and scope pentest accordingly. For pre-launch prototypes, we sometimes skip TARA in favor of rapid attack-surface exploration.