Correlens

Product cyber security · one platform

From a signal in the wild to the exact component.

Threat intelligence, supplier risk, vulnerabilities and SBOM on one connected graph. Correlens correlates them, so a leak, an exploit or a breached supplier resolves to the exact component in the exact program, and a person can act.

Threat intel Supply chain Vulnerabilities SBOM CSMS · R155 · CRA
Studio product photograph of a generic electric vehicle, representing the connected platforms Correlens secures

Automotive-grade rigor, applied everywhere software moves.

Automotive Commercial ITS Drones / UAS e-Mobility Fleets

Supply chain risk

When your supplier is breached, you find out first.

Your suppliers become part of your risk surface the moment they ship you code. Correlens watches them across threat-intel sources, scores the noise, and correlates a breach to the exact components and programs it puts at risk.

Suppliers, mapped to your programsAuto-linked from your SBOMs, with tier, role and the components they ship.
Watched across every sourceBreach claims, leak markets, adverse news, dark-web listings, all in one feed.
Scored, not cried wolfThe AI weighs the claim and the actor's track record into a confidence, so a boast is not an incident.
Correlated to your exposureWhich of your components, nodes and programs this supplier touches, ranked by risk.
Supplier breach signalsample data

Actor “888” advertises ~35 GB allegedly stolen from Accenture on a dark-web forum

supplierAccenture, connected engineering partner actor888 (PwnForums) claimedsource code, Azure tokens, credentials statusAccenture confirmed an incident; volume unverified
Confidence: medium · actor has a scope-inflation history
Correlated to your programs
EV Platform E-3 · 2 shared componentsat risk
Robotaxi R1 · 1 shared componentreview
ITS Corridor · toolchain overlapwatch

Threat intelligence

Curated for what you ship, summarized by AI, confirmed by a human.

Signals from the open web, the dark web and the deep net, scored for your context. The AI reads, translates and summarizes each one; an analyst confirms it. Nothing escalates on the machine's word alone.

Feedsample data
OSINT0.84
Actor advertises stolen data from a connected engineering supplier
Supply chainData leak
dark-web forum · 1 d ago · under investigation
Publication0.81
Voltage-glitching bypass of read protection on RH850 automotive MCUs
MCUFault injection
security research · 3 d ago · confirmed
Code leak0.72
Public repo exposes CI config referencing an internal supplier build domain
InfotainmentOTA
code-leak site · 2 h ago · to validate
scored for your context · correlated to your SBOM and suppliers
DetailAIsample data

Actor advertises stolen data from a connected engineering supplier

Relevance
0.84
Confidence
MEDIUM
Summary

A dark-web actor is advertising data claimed to be stolen from a connected engineering supplier. The same actor has a documented history of inflating scope, so the claim is treated as unconfirmed and correlated to the exact components and programs that supplier ships to you.

curated and translated by the AI brain
Entities
Supply chainDark-web marketTier-1 supplierData leak

Ask the graph

One question. A grounded, cited answer.

Everything the platform knows is one connected graph. Ask it in plain language and get a real answer, with the numbers and the sources behind it.

Correlens assistantsample data
Which suppliers and components are affected by CVE-2026-4187 across my programs?
Grounded answer

CVE-2026-4187 (gstreamer 1.14.4, confirmed exploited) reaches 3 programs, 2 suppliers and 5 nodes. It is reachable on 4 of 5 nodes; one is suppressed by a supplier VEX statement.

3
programs
2
suppliers
5
nodes
EV Platform E-32 nodes
Robotaxi R12 nodes
Commercial eFleetVEX suppressed
sourcesSBOM · gstreamerSupplier · Tier-1 IVICISA KEVVEX · Zonal

Vulnerability management

Actionable risk, not a wall of CVEs.

Every finding is enriched from correlated threat intelligence and re-scored for the product in the field. You act on what is exploited and reachable, not on a raw severity number.

Vulnerabilities · EV Platform E-3sample data
VulnerabilityComponentCVSSEPSSExploitationReachabilityState
CVE-2026-4187gstreamer 1.14.49.80.89confirmed exploited (KEV)reachableunder review
CVE-2026-3350botan 2.19.58.40.42exploit availablereachableto validate
CVE-2026-0915bluez 5.667.50.18PoC publishedadjacentto validate
CVE-2026-2044libexpat 2.2.66.20.05no known exploitnot reachablesuppressed (VEX)
exploitation enriched from correlated CTI · CISA KEV (confirmed) · exploit availability · EPSS (predictive)

Re-scored for the product in front of you.

A 9.8 with no network path to it is not a 9.8 in your program. Set a node's real external interfaces and safety level once, and every finding re-scores to match, in CVSS 3.0, 3.1 or 4.0.

Exploit-aware first. KEV, exploit code and EPSS outrank raw severity.
Context re-scoring. External interfaces and ASIL drive the real score.
Owned by a person. Every state and re-score is recorded for the audit trail.
Context re-scoresample data
9.8
CVE-2026-4187 · base 9.8 criticalthe published NVD base score
7.2
7.2 high in your contextreachable only over the internal bus, no external path
Node context drives the score
BluetoothWi-FiV2XUSBOBD-IICANASIL B

Watchlists

Hunt the risk that is specific to your parts.

Curate the observables that matter for what you ship, and the platform watches them proactively. The tuning and unlock scene, for one, trades ECU-unlock techniques openly, long before they become an incident.

Auto-seeded from your SBOM and portable by standard. Import and export as STIX 2.1, so a watchlist moves between your teams and tools.

Automotive Tuning & Unlock Intelligencesample data
keywordRH850 / V850 locked-MCU read (glitcher)high
partMG1CS164 initial unlockmed
keywordcomponent protection (CP) bypassmed
keywordStellantis SGW security-gateway bypassmed
keywordimmobilizer / PIN readmed
9 observables · 4 STIX patterns · auto-seeded from your SBOM · export STIX 2.1

SBOM

The inventory that feeds everything else.

Your software bill of materials is one input, and the platform makes it work for the rest: it feeds vulnerability management and threat correlation, so a component is never just a line in a file. Watch it move from import to audit-ready.

Import · Validation gatesample data
B
Gate passed · score 84 / 100NTIA minimum elements · CycloneDX 1.6
312 components · threshold 30
Component name and version312/312pass
Supplier name312/312pass
Unique identifier (CPE / purl)308/3124 gaps
Dependency relationships312/312pass
EV Platform E-3 · Nodessample data
Central GatewayAdaptive AUTOSAR · Infineon AURIX
128 comp
21
IVI Head UnitAndroid Automotive
312 comp
47
ADAS ControllerQNX Neutrino
204 comp
12
Telematics (TCU)Automotive Grade Linux
156 comp
18
IVI Head Unit · Componentssample data
ComponentVersionOriginEOLVulns
gstreamer1.14.4OSS2027-0129
botan2.19.5OSS6
bluez5.66OSS2027-039
ivi-mediastack2.8.1proprietary4
312 components · 41 proprietary · 271 OSS
gstreamer 1.14.4 · Cross-referencesample data
VULN
CVE-2026-4187confirmed exploited · KEV
9.8
CTI
Watchlist matchexploit chatter tagged to this component
2 signals
VEX
Supplier statementnot affected on the Zonal Controller
applied
one component, seen by vulnerability management and threat intel at once

Transportability

Bring your data in. Take more out.

Open by standard at both ends. What you import is never trapped, and what the platform learns comes back in a format your other tools already speak, whatever you build.

What you bring in

CycloneDX / SPDXAny SBOM, from any buildimported and validated, never trapped
STIX 2.1Watchlists and observablesyour existing intelligence, picked up as-is

What you take out

enriched + VEXYour SBOM, worth morevulnerabilities and exploitability on every component
STIX 2.1Incidents your SOC can consumeconfirmed findings as portable objects, no re-keying

e.g. a drone flight-controller SBOM in, an enriched bill with reachable CVEs out.

e.g. an ITS roadside-unit incident exported straight to your SOC and PSIRT.

Compliance, evidenced

Run the work, and the audit evidence writes itself.

A Cyber Security Management System (ISO/SAE 21434) is how you govern product cyber security across the lifecycle. The modules above are its operational workflows, and the trail they leave is the evidence a regulator asks for.

Compliance · CSMS (ISO/SAE 21434)sample data
UNECE R155Cyber security & CSMS · per-type approval
in forceall new vehicles since 07/2024
Evidence coverage92%
Supply chainVulnerabilities
live
UNECE R156Software updates · SUMS · RxSWIN
in forceall vehicles since 07/2024
Evidence coverage88%
SBOM
live
EU CRARegulation (EU) 2024/2847
reporting from 09/2026full obligations 12/2027
Evidence coverage76%
SBOMVulnerabilities
on track
NIS2Directive (EU) 2022/2555
transposedsince 10/2024
Evidence coverage84%
Threat intelSupply chain
live
every control traces back to the workflow that evidences it · the audit pack exports on demand
07/2022UNECE R155 / R156mandatory for new vehicle types
07/2024R155 / R156, all vehiclesevery new vehicle sold needs a certified CSMS
10/2024NIS2 transposedincident reporting for transport operators
09/2026EU CRA reporting24h / 72h vulnerability reporting beginsnext deadline
12/2027EU CRA, full obligationsSBOM per release, 5-year support window

Software, plus people. Our product-security experts work alongside your team, from your first SBOM to audit-ready compliance.

AI with humans in control

A loop, not an autopilot.

The AI does the reading, scoring and correlation at machine scale. The analyst makes every call that matters. Neither works alone.

InputA signal in the wilda leak, an exploit, a breach claim
1 AIReads and translatesevery source, any language, at machine scale
2 AIScores relevance and confidenceweighing the claim and the actor’s history
3 AICorrelates to your graphthe exact component, node, supplier and program
Human gateThe analyst makes the callnothing escalates on the machine’s word alone confirmre-scoreoverride
OutputA decision, recordedowned by a person, on the audit trail

Every decision is recorded. The audit trail a regulator asks for is a byproduct of the work, not a separate chore. Teams are multi-tenant and role-based, so you can invite an external supplier with scoped access and still keep the whole picture.

Ready when you are

One source of truth for product cyber security.

Cars, commercial vehicles, ITS, drones and e-mobility. Book a demo and we will map it to your programs, with our experts alongside your team.

Product surfaces on this page show sample data. The supplier-breach example reflects publicly reported claims, shown to illustrate correlation.