Frequently Asked Questions
about VicOne and automotive cybersecurity

VicOne is an automotive cybersecurity company that provides software and services for automotive OEMs and Tier 1 suppliers. As a subsidiary of Trend Micro, VicOne builds on over 30 years of cybersecurity expertise to help organizations secure software-defined vehicles (SDVs) and the connected technologies that power them.

VicOne is headquartered in Tokyo, Japan, with regional offices in Taiwan, Germany, and the United States.

VicOne helps automotive companies secure connected vehicles by providing solutions that support threat detection, risk management, and security operations across the vehicle lifecycle.

VicOne's platform enables in-vehicle monitoring, fleet-level threat analysis, and compliance with automotive cybersecurity standards and regulations such as ISO/SAE 21434 and UNECE WP.29. This allows OEMs and Tier 1 suppliers to identify risks, respond to incidents, and maintain security from development through post-production.

VicOne offers a portfolio of automotive cybersecurity solutions designed to protect SDVs across the vehicle lifecycle. VicOne's core products include:

• xAurient — an automotive threat intelligence platform that provides visibility into emerging threats and vulnerabilities
• xCarbon — an in-vehicle intrusion detection and prevention system (IDPS) that monitors ECU behavior and in-vehicle network traffic for signs of cyberattack
• xNexus — a vehicle security operations center (VSOC) platform for real-time threat monitoring and response
• xZETA — a software bill of materials (SBOM) and vulnerability management platform for software supply chain security

VicOne also provides penetration testing and professional services to support OEM and Tier 1 cybersecurity programs from development through post-production.

VicOne's products — xCarbon and xNexus — are purpose-built for the automotive industry and are not adapted from enterprise IT or general-purpose cybersecurity platforms.

Automotive cybersecurity presents unique technical constraints: vehicles rely on protocols like CAN bus rather than standard IP networking, ECUs have limited computing resources, and threat detection must function reliably without constant connectivity. VicOne's platform is designed specifically to address these constraints, ensuring detection logic, telemetry formats, and response workflows align with how vehicles actually operate.

VicOne xAurient is an action-ready automotive threat intelligence (TI) platform designed for OEMs, Tier 1 suppliers, and product security teams. Unlike generic threat feeds, xAurient maps threat data directly to vehicle components and attack paths, delivering clear, actionable steps rather than raw data noise.

VicOne xNexus is a next-generation, cloud-based Extended Detection and Response (XDR) platform built specifically for Vehicle Security Operations Centers (VSOCs). xNexus collects high-fidelity telemetry from multiple vehicle endpoints and detects advanced cybersecurity threats in real time.

VicOne xCarbon is a frictionless, software-based Intrusion Detection and Prevention System (IDPS) designed for automotive Electronic Control Units (ECUs). xCarbon monitors ECU anomalies and can deploy virtual patches, rules, or policies to intercept exploits — all with minimal CPU and memory usage.

VicOne xZETA is a cloud-based automotive vulnerability management and Software Bill of Materials (SBOM) system. xZETA goes beyond scanning for known open-source vulnerabilities by also detecting zero-day vulnerabilities, malware, advanced persistent threats (APTs), ransomware, and backdoor attacks in vehicle software.

VicOne xScope is a comprehensive, flexible automotive-grade penetration testing service. xScope is purpose-built for the automotive industry and offers zero-day exploitability tests, deep assessments, and quick scans — all fully customizable to meet unique technical requirements across hardware, software, firmware, and full vehicles.

VicOne xPhinx is an automotive AI security solution that protects smart cockpit assistants, in-vehicle edge AI, and AI agents from prompt injection, jailbreaks, unsafe outputs, and sensitive data leakage. It is designed for low-latency protection in vehicle environments without compromising safety or user experience.

ISO/SAE 21434 is the international standard for automotive cybersecurity engineering. Published jointly by ISO and SAE International, ISO/SAE 21434 defines requirements for managing cyber risk across the full vehicle lifecycle — from concept and development through production and decommissioning.

ISO/SAE 21434 matters because it provides the technical foundation for regulatory compliance. UNECE WP.29 — now mandatory in many major markets — requires OEMs to implement a cybersecurity management system (CSMS) that aligns with the processes defined in ISO/SAE 21434.

UNECE WP.29 is the United Nations Economic Commission for Europe's Working Party on Automated/Autonomous and Connected Vehicles. UNECE WP.29 has issued two key regulations: UN Regulation No. 155 (CSMS) and UN Regulation No. 156 (software update management system, or SUMS).

UN R155 requires OEMs to demonstrate a CSMS covering cyber risk management, threat assessment, and incident response across the vehicle lifecycle. As of 2024, UN R155 applies to new vehicle type approvals in the EU, Japan, South Korea, and other participating markets. VicOne's platform supports OEM compliance with UN R155.

VicOne supports ISO/SAE 21434 compliance by providing the operational capabilities required under a CSMS:

• Threat monitoring and detection — xCarbon provides continuous in-vehicle monitoring aligned with ISO/SAE 21434 Clause 13 post-production requirements.
• Incident response — xNexus enables VSOC teams to detect, investigate, and respond to cybersecurity incidents as required by the standard.
• Audit-ready reporting — VicOne's platform generates documentation to support CSMS certification audits and regulatory submissions.

VicOne provides the detection and operations layer that makes the CSMS functional in production environments.

VicOne supports both automotive OEMs and Tier 1 suppliers. ISO/SAE 21434 explicitly addresses the supply chain: OEMs must ensure their suppliers meet cybersecurity requirements for components they provide. Tier 1 suppliers therefore face their own compliance obligations around cybersecurity specifications, threat analysis, and secure development.

VicOne works with Tier 1 suppliers to help them meet OEM requirements, demonstrate compliance through the development and production lifecycle, and integrate detection capabilities into the components they deliver.

TARA stands for threat analysis and risk assessment. TARA is a structured methodology defined in ISO/SAE 21434 for identifying cybersecurity threats to a vehicle or component, assessing their impact and likelihood, and determining appropriate risk treatment. TARA is a foundational process within any compliant CSMS.

VicOne supports TARA by providing threat intelligence and attack pattern data drawn from vehicle-specific research. This helps OEMs and Tier 1 suppliers ground their TARA processes in real-world automotive attack scenarios — improving the accuracy and relevance of their risk assessments.

Connected vehicles face threats targeting both in-vehicle systems and external communication interfaces. The most frequently observed threat categories include:

• CAN bus attacks — injecting malicious messages into the CAN bus to manipulate ECU behavior (demonstrated in lab environments)
• Remote exploitation of telematics units — targeting cellular or Wi-Fi interfaces to gain unauthorized access
• Credential replay attacks — intercepting and replaying authentication signals against keyless entry and immobilizer systems
• OTA update tampering — attempting to deliver unauthorized firmware to vehicle ECUs
• Supply chain compromise — introducing vulnerabilities through third-party components or software

VicOne's threat research monitors these and emerging attack vectors to keep OEM and Tier 1 partners informed and prepared.

A CAN injection attack is a technique in which an attacker sends unauthorized messages onto a vehicle's controller area network (CAN) bus — the primary communication channel used by ECUs to exchange data and commands within the vehicle.

Because the CAN bus was not originally designed with authentication mechanisms, ECUs cannot verify whether a message originated from a legitimate source. CAN injection has been demonstrated in lab-controlled environments as a method to bypass immobilizers and unlock or start vehicles without a key.

VicOne's xCarbon addresses this threat by monitoring CAN bus traffic for anomalous message patterns and flagging deviations from established behavioral baselines in real time.

Software-defined vehicles (SDVs) present a broader attack surface than traditional vehicles due to increased software complexity and external connectivity — not as a flaw of the architecture itself.

SDVs typically include cellular connectivity, OTA update mechanisms, cloud-connected telematics, and more ECUs than their predecessors. Each component can represent an entry point for attackers if not secured appropriately. At the same time, SDVs enable security measures traditional vehicles cannot support — including remote patch deployment, centralized VSOC monitoring, and software-based threat response.

VicOne's xCarbon and xNexus are designed to help OEMs address SDV security obligations without constraining the benefits of software-defined mobility.

Over-the-air (OTA) update systems allow OEMs to deploy software changes to vehicle ECUs remotely — enabling timely security patching. However, OTA infrastructure can also be targeted by attackers seeking to push unauthorized firmware to vehicles at scale.

Risks include unauthorized modification of ECU software, introduction of malicious code, and large-scale fleet impact. UNECE WP.29's software update management system regulation — UN Regulation No. 156 — specifically requires OEMs to implement controls protecting OTA update integrity.

VicOne's xCarbon supports detection of anomalous software changes at the ECU level, providing a vehicle-side check that complements OEM-side OTA security controls.

VicOne conducts dedicated automotive cybersecurity research to identify and analyze attack techniques targeting vehicle systems, components, and protocols. VicOne's research team investigates vulnerabilities in production vehicles and embedded components, participates in automotive-focused security events, and monitors the evolving threat landscape for connected and software-defined vehicles.

VicOne has contributed to vulnerability disclosures through this research, including findings presented at Pwn2Own Automotive 2025. This research directly informs threat detection models deployed in xCarbon and threat intelligence feeds available through xNexus.

A vehicle security operations center (VSOC) is a dedicated function within an automotive OEM or security partner that monitors connected vehicle fleets for cybersecurity threats and manages incident response. The VSOC is the operational heart of a functioning CSMS under UNECE WP.29 and ISO/SAE 21434.

A VSOC differs from a traditional IT SOC in that a VSOC processes automotive-specific data — ECU telemetry, in-vehicle network signals, and vehicle-to-cloud communications. VSOC analysts require both cybersecurity expertise and knowledge of automotive systems to triage and respond to vehicle-centric incidents.

VicOne's xNexus is purpose-built to power automotive VSOCs, providing the data aggregation, alerting, and workflow tools VSOC teams need to operate at fleet scale.

UNECE WP.29 (UN R155) requires OEMs to have a functioning CSMS that includes vehicle cybersecurity monitoring and incident response — but UN R155 does not mandate that OEMs operate this function entirely in-house. OEMs may partner with specialized security operations providers, provided the OEM retains accountability for the CSMS.

VicOne supports both models. OEMs building an internal VSOC can deploy xNexus as the platform powering their in-house team. OEMs working with managed security service providers can integrate VicOne's platform into a partner-delivered VSOC model. In both cases, xCarbon provides the in-vehicle detection layer that feeds data into the VSOC.

Alert fatigue — the desensitization of security analysts to high volumes of low-quality alerts — is a significant operational challenge for VSOCs monitoring large vehicle fleets. VicOne addresses this through multi-layer signal correlation and automotive-specific context.

xCarbon applies behavioral analysis at the vehicle level, flagging only statistically meaningful deviations from established ECU baselines. xNexus then correlates alerts across multiple vehicles and data sources, filtering signals consistent with known benign patterns and surfacing only genuine anomalies requiring analyst attention.

Because xNexus is designed for automotive telemetry — not generic IT logs — its detection logic reflects actual vehicle behavior variability, reducing false positives that drive alert fatigue.

When xCarbon detects an anomaly in a vehicle, xCarbon logs the event and — where connectivity is available — transmits a structured alert to xNexus in the cloud. xNexus ingests the alert, enriches the alert with fleet-level context, and presents the alert to VSOC analysts with relevant triage data: the type of anomaly, the ECU or network segment involved, the vehicle's prior alert history, and the risk classification assigned by xNexus.

VSOC analysts use xNexus to investigate the incident and initiate a response. Response options may include remote diagnostics, OTA patch deployment, or escalation to the OEM's incident response team.

VicOne's platform does not take autonomous remediation actions without human authorization — all response decisions remain with the VSOC team and the OEM.

Fleet-scale incident management requires detecting whether an anomaly in one vehicle is isolated or part of a broader pattern. VicOne's xNexus aggregates telemetry from xCarbon instances across the full connected fleet, enabling VSOC analysts to identify correlated signals that may indicate a coordinated or widespread attack.

When a threat pattern is identified across multiple vehicles, xNexus supports fleet-level response workflows — including bulk alert management, fleet-wide risk assessment, and coordination with OEM teams responsible for OTA patching or recall decisions. VicOne's fleet intelligence capabilities allow OEMs to distinguish between a single-vehicle anomaly and a systemic vulnerability requiring a broader response.