ISO/SAE 21434 · UNECE R155 · automotive cybersecurity

Run the vulnerability monitoring your CSMS needs

UNECE R155 requires a Cybersecurity Management System that monitors and patches software across the vehicle lifecycle — and 21434 says how. IsItPatched gives you the inputs: known CVEs per component, what's actively exploited, the minimum safe version, end-of-life dates, and exportable SBOM/VEX/risk evidence.

1046 actively-exploited CVEs across 613 tracked products right now

Built for the whole supply chain

OEMs

Vehicle manufacturers operating a CSMS for R155 type approval. Produce evidence of operations-phase monitoring for every software component.

Tier 1 suppliers

Support the OEM's CSMS: track third-party components, prove ongoing vulnerability monitoring and ship updates on a defensible basis.

Tier 2 / 3 & software suppliers

Smaller suppliers without a security team get a free, practical way to monitor components and hand up clean evidence.

21434 / R155 activities → what IsItPatched gives you

Continuous vulnerability monitoring (operations & maintenance)

The CSMS phase that lives longest. Monitor your components and get alerted when a new vulnerability lands — with a prioritised update queue and exportable evidence.

Risk assessment inputs (TARA)

IsItPatched flags actively-exploited (CISA KEV) and high-EPSS CVEs and gives the minimum safe version — the real-world inputs that sharpen your threat analysis and prioritise updates.

Component / supply-chain transparency

Drop in a CycloneDX or SPDX SBOM for a per-component verdict, and export a CycloneDX VEX to share up and down the supply chain.

End-of-life across a long lifecycle

Vehicles run 15+ years. End-of-life tracking and minimum-safe-version guidance flag components that can no longer be patched — a core long-tail risk.

Export your evidence — today, free

  • Per-component vulnerability scan of your CycloneDX / SPDX SBOM (matched against OSV)
  • CycloneDX VEX document (exploitability + remediation per component)
  • Software risk register (CSV / print-to-PDF) citing the exact versions you run
  • A prioritised, known-exploited-first update queue — operations-phase monitoring evidence

Sign in (free, no password) to sync your component stack and generate these from your dashboard.

Straight with you: IsItPatched is an informational tool built on public vulnerability data (NVD · CISA KEV · OSV · endoflife.date). It supports specific ISO/SAE 21434 & UNECE R155 activities — component vulnerability monitoring, known-exploited prioritisation, end-of-life tracking and SBOM/component transparency — but it is not a TARA, not a CSMS, and not a certification, type approval or legal advice. Work with your cybersecurity and homologation teams.

ISO/SAE 21434 & UNECE R155 — frequently asked

What are ISO/SAE 21434 and UNECE R155?

ISO/SAE 21434 is the international standard for road-vehicle cybersecurity engineering across the whole vehicle lifecycle — concept, development, production, operation, maintenance and decommissioning. UNECE R155 is the regulation that makes it bite: it requires manufacturers to operate a Cybersecurity Management System (CSMS) to get type approval. R155 has been mandatory for new vehicle types since July 2022 and for all newly produced vehicles in the EU since July 2024. Together they require continuous vulnerability monitoring, risk assessment and post-production software updates — duties shared down the supply chain to Tier 1/2/3 suppliers.

How does IsItPatched help with automotive cybersecurity (21434 / R155)?

The CSMS "operations and maintenance" phase requires you to monitor your software components for new vulnerabilities and update them. IsItPatched gives you the inputs: which components have known CVEs, which are actively exploited (CISA KEV) so your risk assessment can prioritise, the minimum safe version, end-of-life dates across a long vehicle lifecycle, plus an SBOM scan, a CycloneDX VEX and a risk register you can keep as evidence of the monitoring process.

Does IsItPatched make my vehicle or component 21434-compliant or type-approved?

No. IsItPatched is an informational tool built on public vulnerability data. It supports specific 21434 / R155 activities — software component vulnerability monitoring, known-exploited prioritisation, end-of-life tracking and SBOM/component transparency — but it is not a TARA, not a CSMS, not a certification or type approval, and not legal advice. Work with your cybersecurity and homologation teams.
