TISAX Compliance

TISAX Penetration Testing

Automated pentests mapped to VDA ISA controls for TISAX Assessment Levels 2 and 3. Satisfy your OEM's security testing requirements and pass TISAX audits with documented evidence.

Start a TISAX pentest

How AI pentesting works

Why TISAX pentesting matters now

TISAX (Trusted Information Security Assessment Exchange) is the information-security assessment scheme, governed by the ENX Association and based on the VDA ISA control catalogue, that automotive OEMs require of suppliers handling their confidential data, prototype information, or connected-vehicle components. Assessment Level 2 (high protection need) and Assessment Level 3 (very high protection need) are verified by an accredited audit provider rather than by self-assessment alone, and both expect technical evidence that in-scope systems are hardened and checked for vulnerabilities. VW, BMW, Daimler (now Mercedes-Benz Group), Audi, and Porsche require TISAX labels from their suppliers, and a label is valid for three years, so the evidence has to be maintained over that cycle.

TISAX clause-by-clause coverage

Every Matproof finding is mapped to the specific TISAX clause it informs. Your auditor sees the control, the evidence, and the remediation in one report.

VDA ISA 1.1 — Information Security Policies

Policies must be implemented, not only documented

Requirement: Information security policies must be defined, approved by management, communicated, and reviewed at regular intervals (control 1.1.1).

How Matproof covers it: Continuous pentesting verifies that the controls the policies mandate (hardening, patching, access restrictions) are actually in effect on in-scope systems, giving the auditor technical evidence in addition to the policy document.

VDA ISA 5.2 — Operations Security (secure configuration)

Systems must be hardened, and the hardening verified

Requirement: IT systems and applications must be configured securely in accordance with their function and protection need, with deviations from the hardening baseline documented and monitored.

How Matproof covers it: Matproof checks cloud and on-premises configurations against CIS Benchmarks and against the hardening baseline your ISMS defines, and reports drift from that baseline as findings.

VDA ISA 5.2.6 — Vulnerability Management

Technical vulnerabilities must be identified and addressed

Requirement: Information security vulnerabilities in IT systems must be identified, assessed, and addressed in a timely manner. VDA ISA 5.2.7 additionally expects IT systems to be technically checked (system audits), which is where penetration-test evidence is usually filed.

How Matproof covers it: Continuous SAST/DAST/SCA scanning and pentesting produce findings with CVSS scores, affected assets, and remediation status, the evidence set auditors ask for under these two controls.

VDA ISA 5.2.3 — Protection against malware

Systems must be protected against malware, and the entry paths tested

Requirement: Technical and organisational measures must protect IT systems against malware and malicious code.

How Matproof covers it: Pentest findings include insecure deserialisation, upload handlers that let an attacker-supplied file be stored where the server will execute it, and code injection, the common paths by which malicious code enters automotive supplier systems.
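The uploaded-file execution path named above is easiest to see side by side: the naive handler that lets the client's filename decide where the bytes land and what extension they carry, next to a validator that rejects path components, double extensions, null bytes and content that does not match the claimed type, then discards the client's name altogether. This is an added example written for this page, not Matproof code; the directories, the allowlist and the sample uploads are constructed for illustration.

```python
"""
Upload-handler check for the "uploaded-file execution" malware path: the naive
pattern an attacker abuses, next to a hardened validator. Added example, not
Matproof code. Paths and sample files are constructed for illustration.
"""
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample uploads (client-supplied filename -> file bytes). These are
# the kinds of payloads a pentester submits to a supplier-portal upload form.
SAMPLE_UPLOADS: Dict[str, bytes] = {
    "report.pdf":          b"%PDF-1.4\n1 0 obj<<>>endobj",        # legitimate
    "drawing.PDF":         b"%PDF-1.7\n",                          # upper-case extension
    "shell.php":           b"<?php system($_GET['c']); ?>",        # web shell
    "invoice.pdf.php":     b"<?php echo 1; ?>",                    # double extension
    "notes.png":           b"<?php phpinfo(); ?>",                 # PHP body under a PNG name
    "../../webroot/x.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,     # path traversal
    "shell.php\x00.pdf":   b"<?php echo 2; ?>",                    # null-byte truncation
}

# Allowlisted extension -> magic bytes the content must start with.
ALLOWED_TYPES: Dict[str, bytes] = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
}

WEBROOT_UPLOADS = "/var/www/uploads"        # hypothetical: served by the web server
QUARANTINE_DIR = "/srv/uploads-quarantine"  # hypothetical: outside the webroot


def naive_store_path(filename: str, upload_dir: str = WEBROOT_UPLOADS) -> str:
    """Vulnerable pattern: the client-supplied name decides where the bytes land
    and what extension they get. Returns the resolved path without writing it."""
    return os.path.normpath(os.path.join(upload_dir, filename))


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None  # server-chosen name, never the client's


def hardened_validate(filename: str, data: bytes, max_bytes: int = 10 * 1024 * 1024) -> Verdict:
    """Hardened pattern: reject control characters, path components, multiple
    extensions and anything not on the allowlist; require the content to match
    the claimed type; then discard the client's name entirely."""
    if any(ord(c) < 0x20 for c in filename):
        return Verdict(False, "control character in filename")
    if os.path.basename(filename.replace("\\", "/")) != filename:
        return Verdict(False, "path component in filename")
    if len(data) > max_bytes:
        return Verdict(False, "file too large")
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return Verdict(False, "missing or multiple extensions")
    ext = parts[1]
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return Verdict(False, f"extension .{ext} not allowlisted")
    if not data.startswith(magic):
        return Verdict(False, "content does not match claimed type")
    # Random server-chosen name with the verified extension; the original name is
    # kept only as metadata. The file would be written under QUARANTINE_DIR, outside
    # the webroot, so nothing the web server can execute is ever created.
    return Verdict(True, "accepted", f"{secrets.token_hex(16)}.{ext}")


def run_samples() -> Dict[str, Verdict]:
    """Apply the hardened validator to every constructed sample."""
    return {name: hardened_validate(name, data) for name, data in SAMPLE_UPLOADS.items()}


if __name__ == "__main__":
    for name, data in SAMPLE_UPLOADS.items():
        verdict = hardened_validate(name, data)
        print(f"{name!r}")
        print(f"  naive    -> would write {naive_store_path(name)!r}")
        print(f"  hardened -> {'ACCEPT' if verdict.accepted else 'REJECT'}: {verdict.reason}")
```

Run as a script it prints, for each sample, where the naive handler would have written the file (the traversal sample resolves to /var/webroot/x.png, outside the upload directory, and shell.php lands in the webroot with its executable extension intact) and the hardened verdict. The two legitimate PDFs are the only samples accepted, and they are stored under a random name the attacker cannot predict or influence.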

Prototype Protection (VDA ISA 8.x)

Prototype data systems require elevated testing

Requirement: VDA ISA chapter 8 (Prototype Protection) sets physical and organisational requirements for sites, vehicles, components and events. The IT systems that hold prototype data (CAD, PLM, supplier portals) are assessed under the general VDA ISA controls at the very high protection need, i.e. Assessment Level 3, with correspondingly strict access control and technical checks.

How Matproof covers it: Matproof's authenticated testing covers prototype-handling systems — CAD repositories, PLM integrations, and supplier portals — validating access controls and data segregation.

What Matproof tests for TISAX

  • Supplier portals and OEM-integration APIs
  • PLM / CAD / product data systems
  • Connected-vehicle backend APIs (for Tier 1 suppliers)
  • Cloud infrastructure hosting protected data
  • Authentication to OEM-facing systems (SSO, federation)
  • Prototype-data handling systems (AL 3 engagements)

Audit-ready TISAX reports

  • Findings mapped to VDA ISA 1.1, 5.2, 5.2.3, 5.2.6, 5.2.7, and 8.x controls
  • Assessment-Level-appropriate evidence (AL2 high protection need, AL3 very high protection need)
  • Prototype-protection coverage where scoped
  • Export format suitable for submission to ENX-accredited TISAX audit providers
  • 3-year evidence retention aligned with TISAX audit cycle

TISAX Penetration Testing — FAQ

Is penetration testing required for TISAX?

VDA ISA 5.2.6 requires that vulnerabilities be identified and addressed, and 5.2.7 requires IT systems to be technically checked (system audits). TISAX does not prescribe 'penetration testing' by that term, but audit providers commonly ask for recent pentest or vulnerability-scan evidence at AL2 and AL3 as proof that those controls are effective, and at AL3 the on-site audit examines that evidence in detail.

What's the difference between TISAX Assessment Levels 2 and 3?

AL1 is a self-assessment for a normal protection need and is not verified by an audit provider. AL2 applies to information with a high protection need (most supplier engagements) and is verified by an audit provider through a plausibility check of the self-assessment, typically remote. AL3 applies to a very high protection need, typically prototype data, connected-vehicle data, or safety-critical components, and is verified on site with inspection of the implemented controls. The control catalogue is the same at both levels; at AL3 the auditor verifies implementation in greater depth, so the technical evidence has to be correspondingly thorough. Matproof supports both.

Will my ENX-accredited TISAX auditor accept Matproof reports?

Matproof reports include the VDA ISA control mapping, CVSS scoring, proof of exploit, and remediation tracking that ENX-accredited audit providers (DEKRA, TÜV Rheinland, TÜV NORD, TÜV SÜD) expect; whether a given report is accepted as evidence remains the audit provider's decision for your assessment. Cross-framework mapping to ISO 27001 is included.

Can Matproof cover OT/automotive-specific protocols?

Matproof covers web, API, cloud, and code layers used by virtually all automotive supplier systems (supplier portals, PLM integrations, telemetry backends). For specialised automotive protocols (CAN, FlexRay, Automotive Ethernet in-vehicle networks), we partner with automotive-OT specialists — findings flow into the same dashboard.


Ready to make TISAX pentesting continuous?

Start a free scan in minutes. Get your first TISAX-mapped findings the same day.

Start a TISAX pentest