ThreatZ vs Excel CSMS — replace the glue. Keep the engineering.
Your "current setup" isn't a competitor — it's Excel + SharePoint + Jira + an internal CSMS portal + five or six disconnected point tools held together by senior engineers. Two stories on one platform: OEM cybersecurity governance and Tier-1 product security execution. The product is the same. The pain isn't.
Two ICPs. Same platform. Different pain.
Forwardable: send the OEM tile to your CISO, the Tier-1 tile to your product-security peer.
For OEM cybersecurity teams
Type approval in three regions, evidence in five formats, a fifty-supplier base running CSMS responsibilities over email. ThreatZ federates your process onto your suppliers' tenants and assembles type-approval evidence as work happens.
For Tier-1 product cybersecurity teams
Same engineers, same TARA, mostly already done — running four OEM programs in parallel because every customer's template, portal, and cadence is different. ThreatZ stores work as a re-bindable knowledge graph and federates each OEM's process onto your platform.
The "current setup" isn't a vendor — it's six tools and a senior engineer
Tool sprawl, six contracts
TARA spreadsheet, risk register, SBOM scanner, requirements in DOORS / Codebeamer, tickets in Jira, an internal SharePoint portal. Six tool contracts, six renewals, six vendor relationships — plus the integration consultants who make them talk.
Senior engineer = the glue
Every audit cycle, a senior engineer mentally holds the lineage together and reconstructs the chain by hand for the assessor. When that engineer leaves the team, the chain disappears. Multi-tenant cloud CSMS proposals are vetoed for vehicle data.
No structural traceability
It worked at one program. It cracked at the third. UNECE R155 was the warning; GB 44495 is mandatory; the EU CRA full conformity assessment lands December 2027. None of them accepts "we keep good folders" in place of structural traceability.
What that costs depends on which side of the relationship you sit. The two stories diverge here.
Same vulnerability. Two completely different outcomes.
First-cycle programs report ~14 days collapsing to under 4 hours. Outcomes vary by SBOM coverage and supplier mix. The AI Recommender traces relationships in the knowledge graph — humans approve every disclosure decision.
If you're an OEM cybersecurity team
You don't need another tool. You need the cybersecurity operating system your vehicle program runs on — with your suppliers executing your CSMS process on your platform, federated to your tenant.
One platform, eight workflows
Design, Governance, TARA, SBOM, Testing, Compliance, Collaboration, Operations — on one knowledge graph. One tenant. Replaces the typical OEM stack of five disconnected vendors, plus an integration tax that often exceeds licence cost.
Federated supplier execution
Suppliers receive a workspace inside your tenant, RBAC-scoped at org / project / entity. They execute your methodology, your TARA templates, your review cadence. Evidence auto-assembles for cybersecurity sign-off.
CVE response under 4 hours
First-cycle programs report ~14 days collapsing to under 4 hours: SBOM hit → ECU binding → risk re-score → R155 §7.3 + GB 44495 disclosure packages drafted. Outcomes vary by SBOM coverage.
Multi-region, one model
Compliance Reporting auto-generates ISO 21434 §9, §10, §11, §12, §13, §15 work products from one versioned graph, scoped per variant / build / date — one model, region-specific disclosure packages on demand.
Sovereignty by deployment
Private cloud or air-gapped on-premise. Customer-owned data plane. China-resident deployment for GB 44495. Air-gapped option for defence-loaded programs. CRA Article 11 reporting lands on a model that's already structurally traceable.
AI traces, doesn't generate
The AI Recommender doesn't generate a TARA opinion. It traces relationships in your knowledge graph — every claim has a graph link the auditor can follow. AI accelerates. Humans approve.
| Current setup (OEM) | OEM pain it carries | ThreatZ resolves it via |
|---|---|---|
| Excel CSMS, three regions | Five evidence formats; no end-to-end traceability; 3–6 week audit-prep scramble. | Compliance auto-generates §9 / §10 / §11 / §12 / §13 / §15 per region from one graph. |
| Supplier governance via email | 200 suppliers, Word attachments, quarterly PowerPoint reviews, 3–5 FTE chasing documents. | Federated supplier tenants execute your process; live status; auto-assembled audit evidence. |
| SBOM tool isolated from TARA | 14-day CVE-to-disclosure timeline; manual SBOM joins; attack paths reconstructed from memory. | SBOM linked to system-model components; CVE-to-V-SOC chain in <4 hours. |
| Five disconnected point tools | €500k–€2M/yr licences + 1–3 FTE integration tax; auditor still gets no traceability. | Eight workflows, one knowledge graph; AI Recommender keyed to project state, not a generic LLM. |
| Multi-tenant cloud CSMS proposals | SVP Engineering veto on vehicle data leaving OEM control; China and defence block. | Private cloud or on-premise; air-gapped supported; China-resident deployment for GB 44495. |
| V-SOC / SIEM disconnected from CSMS | R155 Annex 5 monitoring loop never closes; production incidents miss the next audit cycle. | Operations workflow feeds events back into the risk model as first-class records. |
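The CVE-to-V-SOC chain in the table above, as an added Python illustration that is not ThreatZ code: a constructed CycloneDX-style SBOM is matched against a constructed vulnerability feed by PURL, each hit is followed through a small hand-built graph from SBOM to ECU to vehicle program, every finding is re-scored with an assumed exposure rule, and the findings are grouped per program as the skeleton of a disclosure package. The SBOM entries, the placeholder CVE-style ids, the node names, the edges and the P1/P2/P3 triage rule are all assumptions made for this example; the only thing taken from the page is the shape of the chain and the idea that each finding carries the graph links an auditor can follow.

```python
"""Added illustration, not ThreatZ code: walk the SBOM hit -> ECU binding ->
risk re-score -> per-program disclosure list chain over a small graph.
Every SBOM entry, vulnerability id, node name and edge below is constructed."""
import json
from collections import defaultdict

# Constructed CycloneDX-style SBOM fragment for one telematics ECU firmware image.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "tcu-fw", "version": "3.2.0"}},
    "components": [
        {"name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
        {"name": "mbedtls", "version": "2.28.0", "purl": "pkg:generic/mbedtls@2.28.0"},
        {"name": "freertos", "version": "10.4.3", "purl": "pkg:generic/freertos@10.4.3"},
    ],
})

# Constructed vulnerability feed keyed by PURL; the ids are placeholders, not real CVEs.
VULN_FEED = {
    "pkg:generic/mbedtls@2.28.0": [{"id": "CVE-XXXX-0001", "cvss": 8.1}],
    "pkg:generic/zlib@1.2.11": [{"id": "CVE-XXXX-0002", "cvss": 5.5}],
}

# Constructed knowledge-graph edges (source, relation, target).
EDGES = [
    ("sbom:tcu-fw@3.2.0", "describes", "ecu:TCU"),
    ("ecu:TCU", "deployed_in", "program:P1-2026"),
    ("ecu:TCU", "deployed_in", "program:P2-2027"),
    ("ecu:TCU", "reachable_via", "iface:CELLULAR"),
    ("ecu:BCM", "deployed_in", "program:P1-2026"),
    ("ecu:BCM", "reachable_via", "iface:OBD"),
]

# Interfaces treated as remotely reachable by the re-score rule (assumption).
REMOTE_IFACES = {"iface:CELLULAR", "iface:WIFI", "iface:BLUETOOTH"}


def sbom_hits(sbom_json, feed):
    """Return (purl, vuln) for every SBOM component that has a feed entry."""
    bom = json.loads(sbom_json)
    return [(c["purl"], v) for c in bom["components"]
            for v in feed.get(c.get("purl"), [])]


def build_graph(edges):
    """Adjacency map: node -> [(relation, target)]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def trace(graph, start, relations):
    """Follow a fixed relation sequence from start; return every chain of links."""
    chains = [(start, [])]
    for rel in relations:
        chains = [(dst, links + [(node, rel, dst)])
                  for node, links in chains
                  for r, dst in graph.get(node, []) if r == rel]
    return [links for _, links in chains]


def rescore(cvss, remote):
    """Triage rule (assumption): CVSS severity combined with remote exposure."""
    if cvss >= 7.0 and remote:
        return "P1"
    if cvss >= 7.0 or remote:
        return "P2"
    return "P3"


def impact_report(sbom_json=SBOM_JSON, feed=VULN_FEED, edges=EDGES):
    """One finding per (CVE, ECU, program), each carrying the graph links that justify it."""
    graph = build_graph(edges)
    meta = json.loads(sbom_json)["metadata"]["component"]
    sbom_node = f"sbom:{meta['name']}@{meta['version']}"
    findings = []
    for purl, vuln in sbom_hits(sbom_json, feed):
        for links in trace(graph, sbom_node, ["describes", "deployed_in"]):
            ecu, program = links[0][2], links[-1][2]
            remote = any(r == "reachable_via" and dst in REMOTE_IFACES
                         for r, dst in graph[ecu])
            findings.append({
                "cve": vuln["id"], "purl": purl, "ecu": ecu, "program": program,
                "priority": rescore(vuln["cvss"], remote),
                "links": [f"{s} -{r}-> {d}" for s, r, d in links],
            })
    return findings


def disclosure_drafts(findings):
    """Group findings per vehicle program: the skeleton of a per-program disclosure package."""
    drafts = defaultdict(list)
    for f in findings:
        drafts[f["program"]].append((f["cve"], f["priority"]))
    return dict(drafts)


if __name__ == "__main__":
    for f in impact_report():
        print(f["cve"], f["ecu"], f["program"], f["priority"], " | ".join(f["links"]))
    print(disclosure_drafts(impact_report()))
```

Running it lists four findings (two placeholder CVEs times two programs), each with the two graph links that justify it, and a per-program draft keyed by program node; swapping in a real SBOM, feed and architecture graph is the work the tooling has to do, and the point of the chain is that a finding without links is not a finding.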
OEM session: map your CSMS evidence flow
30-min, no slides — we walk your architecture and supplier mix.
If you're a Tier-1 supplier product cybersecurity team
ThreatZ is the consolidation that compounds across programs. One platform replaces six. Work is stored as a knowledge graph — clone the sub-graph, re-bind it, delta-analyze the difference. ~80% carries forward.
Same TARA, four to seven times
One ECU family, twelve programs, twelve TARAs — each in a different OEM template, portal, cadence. ThreatZ stores work as a knowledge graph; clone the sub-graph, re-bind to the new scope, delta-analyze. ~80% reuse on program two; outcomes vary by ECU-family overlap.
Six tools → one platform
TARA + SBOM + GRC + Test + Collaboration + integration vendor. €300k–€1.5M/year in licences; integration cost often exceeds licence cost. One platform across the 8 workflows; six contracts become one.
OEM process on your platform
Federation, not format mapping. Your OEM customer authors policy / templates / cadence in their tenant; ThreatZ replicates it into your supplier workspace. You execute against their methodology; they see live status.
Reuse, by design
Variant + release baseline scoping; weakness trees unique per project / variant / release. Sub-graph cloning is structural, not copy-paste. New variant: delta-analyze the difference, not start from zero.
CVE response across Tier-2 chains
Federation runs downward too. Your Tier-2 suppliers operate on your tenant the way you operate on your OEM's. Tier-2 component → your ECU → OEM vehicle program runs along one graph.
Margin protection
Cybersecurity is among the largest cost lines in software-loaded ECU programs. You can't pass it through to fixed-price OEM quotes. Every program after the first costs a fraction of what competitors still pay because their TARA starts at zero.
| Current setup (Tier-1) | Tier-1 pain it carries | ThreatZ resolves it via |
|---|---|---|
| Same TARA, every program | 60–70% of engineer time spent redoing existing work; TARA at N+1 starts at 0%. | Knowledge graph + variant baseline scoping; clone + re-bind + delta-analyze; ~80% reuse on program two. |
| 6 tool licences + integration vendor | €300k–€1.5M/yr licences; integration cost often exceeds licence cost; CFO scrutiny. | One platform, 8 workflows, one graph — consolidation savings quantifiable in 20 minutes. |
| Per-OEM template proliferation | BMW / Stellantis / Volvo / Toyota templates — 4–7 programs run in parallel. | Federation imports each OEM's methodology into one supplier workspace; OEM sees live status. |
| No knowledge reuse | Word + SharePoint don't carry forward; senior engineers retiring with the knowledge. | System Composer + ARXML imports build the graph once; downstream TARA / SBOM / Test derive from it. |
| CVE response across Tier-2s | +1–2 weeks per Zero Day × every OEM asking; email storms; manual SBOM joins. | Federation downward to Tier-2s; one chain Tier-2 → your ECU → OEM disclosure. |
| Audit-driven, not program-driven | Every audit is a sprint; cybersecurity stays among the largest cost lines in SW-loaded ECUs. | Compliance auto-generates work products from the same graph; audit becomes a query. |
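The clone / re-bind / delta-analyze step in the table above, as an added Python illustration that is not ThreatZ code: a constructed TARA sub-graph for variant A of an ECU family is cloned, its bindings are translated to variant B's architecture elements through a re-binding map, and a delta analysis reports which nodes carry forward, which are orphaned because their bound element no longer exists, and which new scope elements have no analysis behind them yet. Node ids, the two scopes, the re-binding map and the reuse ratio (carried nodes over cloned nodes) are all assumptions of this example, not the product's data model or the ~80% figure quoted on the page.

```python
"""Added illustration, not ThreatZ code: clone a TARA sub-graph, re-bind it to a
new variant's architecture and delta-analyze what carries forward. Node ids,
bindings and the two variant scopes below are constructed."""
import copy

# Constructed TARA sub-graph for variant A of one ECU family. Each node binds
# either to an architecture element (ecu:/iface:) or to another TARA node.
TARA_A = {
    "asset:fw-image":     {"type": "asset",           "binds": "ecu:TCU"},
    "asset:session-key":  {"type": "asset",           "binds": "ecu:TCU"},
    "ts:fw-tamper":       {"type": "threat_scenario", "binds": "asset:fw-image"},
    "ts:key-disclosure":  {"type": "threat_scenario", "binds": "asset:session-key"},
    "ap:cellular-update": {"type": "attack_path",     "binds": "iface:CELLULAR"},
    "ap:obd-reflash":     {"type": "attack_path",     "binds": "iface:OBD"},
}

# Constructed architecture scopes: the elements each variant's system model exposes.
SCOPE_A = {"ecu:TCU", "iface:CELLULAR", "iface:OBD"}
SCOPE_B = {"ecu:TCU-v2", "iface:CELLULAR", "iface:WIFI"}  # OBD dropped, Wi-Fi added

# Re-binding map from variant A elements to their variant B counterparts (assumption).
REBIND_A_TO_B = {"ecu:TCU": "ecu:TCU-v2"}


def clone_and_rebind(subgraph, rebind):
    """Structural clone: same nodes and relations, bindings translated where a mapping exists."""
    clone = copy.deepcopy(subgraph)
    for node in clone.values():
        node["binds"] = rebind.get(node["binds"], node["binds"])
    return clone


def resolves(clone, node_id, scope, seen=()):
    """A node carries forward if its binding chain ends in an element of the new scope."""
    target = clone[node_id]["binds"]
    if target in scope:
        return True
    if target in clone and target not in seen:
        return resolves(clone, target, scope, seen + (node_id,))
    return False


def delta_analyze(subgraph, rebind, new_scope):
    """Split the clone into carried / orphaned nodes and list scope elements with no analysis."""
    clone = clone_and_rebind(subgraph, rebind)
    carried = sorted(n for n in clone if resolves(clone, n, new_scope))
    orphaned = sorted(n for n in clone if n not in carried)
    bound = {clone[n]["binds"] for n in carried}
    # Scope elements no carried node binds to need fresh analysis (e.g. a new interface).
    gaps = sorted(e for e in new_scope if e not in bound)
    reuse = len(carried) / len(clone)
    return {"carried": carried, "orphaned": orphaned, "gaps": gaps, "reuse": reuse}


if __name__ == "__main__":
    result = delta_analyze(TARA_A, REBIND_A_TO_B, SCOPE_B)
    for key in ("carried", "orphaned", "gaps"):
        print(f"{key}: {result[key]}")
    print(f"reuse: {result['reuse']:.0%}")
```

On the constructed data the OBD reflash path is orphaned because variant B has no OBD interface, the new Wi-Fi interface shows up as a gap with no attack path behind it, and the remaining five nodes carry forward through the re-bound ECU; re-running the same function against variant A's own scope with an empty re-binding map gives full reuse and no gaps, which is the sanity check that the analysis is structural rather than a string match.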
Tier-1 session: show me the reuse math
30-min — we run the consolidation numbers against your actual OEM customer mix.
The cybersecurity operating system your program runs on
Same platform for OEM CSMS governance and Tier-1 product security execution. Same graph. Same federation primitives.
Design
Canvas architecture; imports from ARXML, MATLAB System Composer, Simulink, Draw.io, CSV.
Governance
Policy Manager (mandatory / advisory / informational), RBAC, versioned audit log, risk acceptance with rationale and role.
TARA
STRIDE + 5 automotive categories; AI Recommender from graph; 5-factor feasibility; CAL 1–4; ISO 21434 §15 view.
SBOM
CycloneDX + SPDX import; PURL / CPE / hashes; vulns-scanner service; components linked to system modelling.
Testing
PenTest, VulnScan, SAST, Config Review, Functional Security. Bidirectional links to requirements and controls.
Compliance
§9, §10, §11, §12, §13, §15 work products auto-generated. PDF / Word / HTML. Compliance score with gap IDs.
Collaboration
Real-time editing, auto-save (2s debounce), per-user layout, Architecture Mapping Studio, federated tenants.
Operations
Incidents linked to components; SLA tracking; threat-intel feeds; MTTR; closes R155 Annex 5 monitoring loop.
Keep the portal. Replace the model behind it.
If your team has already spent twelve to eighteen months and several engineers building an internal CSMS portal, that investment doesn't get written off. Several customers — OEM and Tier-1 alike — keep the portal as the user-facing entry point and run ThreatZ as the graph behind it. The portal stays. The model underneath becomes auditable. REST + GraphQL APIs, SAML 2.0 / OIDC SSO federation, LDAP / AD identity, audit-log export to your SIEM, Git Sync for documentation versioning, RBAC at org / project / entity, on-premise option with air-gap support. See the full connector list on the ThreatZ integrations page.
What ThreatZ is not
Not a replacement for Enterprise Architect
ThreatZ imports software architecture from EA; it doesn't replace it.
Not an SBOM scanner
ThreatZ consumes CycloneDX and SPDX; the vulns-scanner service matches them to feeds.
Not exploit generation
Threat modelling is for engineering and audit, not red-team automation.
Not a CI/CD pipeline
Connectors into Jira, Codebeamer, DOORS, Git, GitLab — not a pipeline tool itself.
Not a mandatory user-facing portal
Run it behind your existing portal; ThreatZ becomes the model layer, not the UI layer.
Not "AI-generated TARA"
AI traces relationships in your knowledge graph. Every claim has a graph link the auditor follows. Humans approve.
From customers under NDA
“Before ThreatZ, a single CVE disclosure could take two weeks to assess. Now we have impact analysis in under four hours.”
“ThreatZ eliminated the duplication and gave us confidence that both documentation sets were consistent and complete. We achieved European type approval months ahead of schedule.”
Named customer references — with role, employer, and program details — are available under NDA after the scoping call. Reference numbers represent first-cycle results; steady-state varies by program.
The connected CSMS knowledge graph — not slides
Eight workflows on one platform: Design, Governance, TARA, SBOM, Testing, Compliance, Collaboration, Operations. The product is real. The graph is queryable. Every claim has a graph link the auditor can follow.
Live status across every project, every variant, every supplier — on your tenant. Bring your architecture to a 30-min mapping call and we walk it together.
Two paths. One 30-minute call.
Pick the conversation that matches your seat. Walk us through your current setup — the spreadsheets, the SharePoint site, the Jira board, the internal portal — and we'll map where the lineage breaks and what one knowledge graph would look like on your program.
Map your OEM CSMS evidence flow
Multi-region type approval, supplier federation, the CVE-to-V-SOC chain, GB 44495 and CRA readiness — against your current architecture.
Map your OEM CSMS — 30 min
Show me the reuse math
Six tools → one. ~80% TARA reuse on the second program. Federated OEM processes. We run the consolidation numbers against your actual OEM customer mix.
Show me the reuse math — 30 min