Karamba Security's Penetration Testing Service is a professional security testing offering targeting automotive and IoT OEMs and Tier-1 suppliers, designed to validate product security before Start of Production (SOP). The service supports continuous, automated vulnerability scanning integrated into CI/CD pipelines, and can be conducted on-premise or at Karamba's testing labs. Testing is performed across multiple levels: vehicle, subsystems, and component software. The service addresses compliance with cybersecurity regulations including ISO/CSMS, UNR (UN R155), and Chinese GB standards. Three testing methodologies are offered: - Gray Box: Researchers assist external testers with documentation, images, and keys - Black Box: Simulated attacker perspective with a status report - White Box: In-depth testing based on extensive code review The engagement is structured in four stages: 1. Setup – Document review, attack scenario simulation, and TARA-based prioritization 2. Fuzzing and Interface Testing – Invalid/random data injection and vulnerability assessment 3. Reverse Engineering – Binary image analysis to identify implementation vulnerabilities 4. Report and Presentation – Findings delivery with severity ratings, reproduction steps, and remediation guidance Coverage areas include in-vehicle connectivity (CAN, LIN, Ethernet), firmware upgrade processes, HSM and key management, Secure Boot, diagnostics, OS/BSW, VMs, and external libraries. The final report includes test methods, vulnerability details with severity, reproduction instructions, recommended fixes, and validation evidence suitable for submission as part of UN R155 Work Products packages.