Get ISO/SAE 21434 + UN R155 audit-ready on your own machine.
A fast, fully-offline desktop workbench that takes you from item definition to a signed, auditor-ready Threat Analysis & Risk Assessment — without a six-figure cloud platform or a consulting engagement.
Your TARA never leaves your laptop. No cloud. No telemetry. No per-analysis fees.
The problem
Every road-vehicle programme now needs a TARA. Today the options are bad.
ISO/SAE 21434 requires a Threat Analysis & Risk Assessment, and so does UN R155 type-approval readiness. Teams are stuck between three bad options:
Six-figure cloud platforms
Powerful, but priced for large OEMs — and they put your most sensitive design data in someone else's cloud.
General-purpose tools
Spreadsheets and threat-modeling apps that weren't built for 21434/R155 — so the method, the work products and the report are all manual.
Consultants
Expensive — and the knowledge walks out the door when the engagement ends.
Meanwhile Tier-2/3 suppliers, smaller OEMs, and teams on air-gapped networks need the same audit-ready evidence — on a realistic budget, without sending their IP to the cloud. That gap is exactly where TARAexl sits.
What TARAexl is
The full ISO/SAE 21434 TARA method — as a guided desktop workflow.
A single-user Windows desktop application that implements the full 21434 TARA method and produces the auditor-ready deliverables at the end. It runs 100% offline and stores everything locally in a project file you own.
- Single-user Windows desktop app — works on a machine that's never touched the internet.
- 100% offline; everything stored locally in a project file you own.
- Speaks UN R155 (Annex 5 Part-A threat coverage).
- Speaks ISO/DIS 24882 — so it serves road vehicles and off-highway/agricultural programmes alike.
Capabilities
Nothing left manual
Guided 21434 workflow
Item definition · architecture & data-flow modelling · assets → damage → threat scenarios → attack paths → feasibility → risk → treatment → cybersecurity concept. Each step gates the next, with an approval / sign-off trail.
Method, done right
Attack feasibility by ISO/IEC 18045 attack potential or CVSS. Cybersecurity Assurance Level (CAL) per Annex E. A configurable risk matrix with an at-a-glance risk dashboard.
Standards & threat intel
UN R155 Annex 5 Part-A coverage & gap analysis (per project). CAPEC attack-pattern reference; SBOM import with CVE / vulnerability matching.
Evidence & traceability
End-to-end traceability graph (asset → … → claim), coverage / gap analysis, baselines & versioning, an append-only audit trail — and one-click DOCX + XLSX reports with your company branding.
Offline AI assistant
An on-device model (IBM Granite) drafts damage scenarios, threats, controls and rationale — every suggestion enters as an editable draft for the engineer to approve. No cloud, no data egress.
Trust by architecture
100% offline · zero telemetry · per-seat licensing · proprietary content encrypted at rest · exports carry an unforgeable per-customer watermark for traceability.
Inside the workbench
See the method at work
Real screens from the workbench.
Project overview & completeness checks
UN R155 Annex 5 coverage & gap analysis
Attack trees & attack paths
Threat scenarios
End-to-end traceability map
One-click DOCX + XLSX report export
Who it's for
Built for the whole supply chain
- Tier-1 / Tier-2 / Tier-3 automotive suppliers producing TARAs for OEM programmes.
- Smaller & emerging OEMs that need 21434/R155 evidence without an enterprise platform spend.
- Cybersecurity engineers & managers who want the method enforced and the report generated — not hand-built.
- Teams on air-gapped / restricted networks (defense-adjacent, IP-sensitive) that cannot use cloud tools.
- Off-highway & agricultural machinery makers working to ISO/DIS 24882.
Why TARAexl
How it compares
| | Cloud lifecycle platforms | Spreadsheets / generic tools | Consultants | TARAexl |
|---|---|---|---|---|
| ISO 21434 method built-in | ✓ | ✗ | n/a | ✓ |
| UN R155 coverage | ✓ | ✗ | depends | ✓ |
| Runs fully offline / air-gap | ✗ | ✓ | n/a | ✓ |
| Your data stays on your machine | ✗ | ✓ | ✗ | ✓ |
| Auditor-ready report out-of-the-box | ✓ | ✗ | ✓ | ✓ |
| Affordable per-seat | ✗ ($100k–$2M/yr) | ✓ | ✗ | ✓ |
| Knowledge stays in-house | partial | ✓ | ✗ | ✓ |
The offline, affordable TARA workbench that gets automotive teams ISO 21434 + R155 audit-ready on their own machines — the method, the evidence and the report, without the cloud or the consultant.
Trust & security
Private by default — buyers will ask
100% offline
No account, no server, no online activation. The renderer is locked down; the only network call is an optional one-time model download, which you can do on a separate machine and copy across.
Zero telemetry
We collect nothing. Your TARA is yours.
Your IP stays yours
Proprietary catalogs and methodology data are encrypted at rest in the install.
Licensing that respects you
Per-seat, node-locked. When a licence lapses the app drops to read-only — you can always open and export your existing work; never locked out of your own data.
Honest about limits
The licence is a strong deterrent plus unforgeable per-customer traceability — not an "uncrackable" DRM claim. We'd rather tell you the truth than oversell.
Audit-ready evidence
Append-only approval trail, baselines and one-click work products — the official deliverables an auditor expects.
Where this goes
Local, affordable, method-complete — private by default
The definitive offline TARA workbench
Richer threat catalogs (MITRE EMB3D alongside CAPEC), attack-tree / attack-path assists, ReqIF import/export for OEM↔supplier exchange, an even stronger evidence binder, and an AI assistant that genuinely saves hours per analysis.
Munimentx — the product-security suite
An offline companion for the organisational layer — ISO/SAE 21434 §5 + UN R155 Annex-5 CSMS: governance, evidence register, audit-readiness dashboard and a one-click R155 evidence binder. TARAexl proves the product; Munimentx proves the organisation.
The lifecycle, end to end, on your terms
Continuous activities recorded locally (monitoring, vulnerability triage, incidents, R156 updates), multi-framework coverage (ASPICE-for-Cybersecurity, ISO 27001) — while never compromising the promise: your data never leaves your machine.
What we'll deliberately never build: cloud monitoring / vSOC / telemetry ingestion, or anything that requires your design data to leave your control.
Get audit-ready on your own machine.
Start a 30-day trial or book a 20-minute walkthrough — and see a full ISO 21434 + R155 TARA produced offline, end to end.