VicOne and Saphira Link Supply Chain Vulnerabilities to Live TARA Updates

The collaboration links component vulnerability detection to live TARA, triggering reassessment when supplier risks change.

DETROIT, MI, UNITED STATES, May 28, 2026 /EINPresswire.com/ -- VicOne, an automotive cybersecurity solutions leader, and Saphira, a provider of model-driven safety and Threat Analysis and Risk Assessment (TARA) software, today announced a collaboration that links supply chain vulnerability detection with live TARA updates. The collaboration helps automotive OEMs and Tier 1 suppliers keep cybersecurity cases current as new vulnerabilities emerge across supplier components, software libraries, and connected vehicle systems.

Modern vehicles are built on software and components from dozens of suppliers. According to VicOne’s 2026 Automotive Cybersecurity Report, 1,384 automotive vulnerabilities were reported in 2025 alone. Many of these vulnerabilities can become supply chain exposures when they appear in shared components, third-party software, or software libraries reused across vehicle programs.

For OEMs managing software across multiple vehicle programs and model years, manually reconciling that volume of new risk data with static TARA documentation is no longer a viable approach. Yet the tools that detect supply chain vulnerabilities and the workflows that update TARA often operate separately, leaving teams to do exactly that.

Regulations and standards such as UN R155 and ISO/SAE 21434 are pushing manufacturers to maintain cybersecurity risk management processes and keep supporting evidence current as threats and vulnerabilities change. For OEMs and suppliers, this turns each new supplier vulnerability into more than a patching question. It is also a TARA question, a compliance case question, and, in some architectures, a safety assurance question.

To address this gap, the collaboration connects VicOne’s xZETA platform with Saphira’s model-driven TARA software. When xZETA identifies a vulnerability in a supplier component, including zero-day and undisclosed vulnerabilities, cross-referenced against a vehicle’s SBOM using CycloneDX or SPDX identifiers, Saphira triggers reassessment of the affected assets, attack paths, risk ratings, cybersecurity goals, and mitigation workflows in the living TARA record.

The updated system impact context feeds back into VicOne’s VVIR-based prioritization engine, helping security and compliance teams understand not only which components are exposed, but how each supplier risk changes the vehicle’s overall compliance case. While CVSS helps measure vulnerability severity, VicOne’s VVIR adds vehicle system context, helping teams distinguish a critical risk in a safety-relevant controller from a lower-priority exposure in a less connected component.

The result is a feedback loop, not a one-way integration: vulnerability intelligence improves the TARA, and TARA context improves how vulnerabilities are prioritized.

“For OEMs managing software from dozens of Tier 1 and Tier 2 suppliers, a new vulnerability is never just a patching question,” said William Dalton, Vice President & Managing Director, VicOne North America and Europe. “It is a TARA question, a compliance case question, and, in some architectures, a safety assurance question. Together with Saphira, we are helping teams move directly from supply chain vulnerability signal to live TARA updates.”

The collaboration is designed for the realities of automotive supply chain security. SBOM-based component identity via CycloneDX and SPDX standards helps map vulnerabilities to the components in a specific vehicle program, rather than treating every CVE as a fleet-wide concern. Role-based access control, configurable automation gates, and human-in-the-loop approval workflows for risk treatment decisions allow teams to automate reassessment while preserving engineering judgment over final compliance calls.

“TARA should be a living system of record for safety and cybersecurity decisions, not a static document created for the next audit or release gate,” said Akshay Chalana, Chief Executive Officer at Saphira. “By connecting VicOne’s vulnerability intelligence with Saphira’s model-driven risk assessment platform, joint customers can keep cybersecurity cases current as components, architectures, and software risks evolve.”


About VicOne

With a vision to secure the vehicles of tomorrow, VicOne delivers a broad portfolio of cybersecurity software and services for the automotive industry. Purpose-built to address the rigorous needs of automotive manufacturers and suppliers, VicOne solutions are designed to secure and scale with the specialized demands of the modern vehicle. As a Trend Micro subsidiary, VicOne is powered by a solid foundation in cybersecurity drawn from Trend Micro’s 30+ years in the industry, delivering unparalleled automotive protection and deep security insights that enable our customers to build secure as well as smart vehicles. For more information, visit vicone.com.


About Saphira

Saphira provides AI-driven safety, cybersecurity, and compliance workflow software for automotive, robotics, industrial automation, and other regulated engineering domains. The company helps OEMs and suppliers accelerate standards-aligned workflows including ISO/SAE 21434, ISO 26262, ISO 21448, ISO 13849, and related safety and cybersecurity processes by transforming unstructured engineering inputs into traceable, audit-ready work products. Saphira’s model-driven platform supports dynamic TARA, HARA, FMEA, safety case development, change impact analysis, and continuous compliance monitoring, enabling engineering teams to maintain living systems of record as architectures, software, and risks evolve. For more information, visit saphira.ai.

Ling Cheng
VicOne
344002265 ext.
email us here

Legal Disclaimer:

EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.