Product Threat Intelligence Providers 2026 Listed

Image Source: depositphotos.com

Product threat intelligence tells payment device manufacturers and payment service providers (PSP) about the vulnerabilities and attack techniques that threaten the products they build or rely on to process payments.

In 2026, the kind of specialist product threat intelligence provided by firms like PCA Cyber Security is getting much more critical for compliance and cyber resilience.

The EU Cyber Resilience Act's (CRA) vulnerability-handling and reporting duties begin to bite this year for any product with digital elements. None of the CRA’s obligations can be met with a one-off penetration test. They require ongoing, product-specific intelligence about how the device is actually being attacked which are then fed into improvements and reengineering.

Obligations will soon include 5-day early warning to ENISA on actively exploited vulns, 24-hour awareness notification, annual updates for the support period.

To help product manufacturers meet these requirements, we’ve shortlisted the product threat intelligence providers doing genuine work in 2026. Note that this list is weighted toward payment devices, connected vehicles and IoT, where the discipline is most mature.

What product threat intelligence actually involves

Product threat intelligence must be a hands-on research discipline.

Good providers reverse-engineer representative devices, track new vulnerabilities and exploit techniques affecting the relevant components and protocols, watch what is happening to that product class in the wild, and translate all of it into concrete engineering input. They produce and deliver threat models, secure-design changes, detection content, and coordinated disclosure.

For a connected car that means ECUs, in-vehicle networks, telematics, over-the-air back ends, and EV charging. For payment device manufacturers and payment service providers it means the terminal hardware, firmware, and cryptographic implementations that protect every transaction.

Understanding the threats to these product classes is a constant collaboration between researchers and pen testers. It is not something which can be replicated in house by 99% of firms.

Product Threat Intelligence Providers

Automotive OEMs and Tier 1 suppliers, EV charging and OCPP operators, connected IoT and embedded device makers, and increasingly payment device manufacturers and payment service providers who face the same lifecycle-monitoring pressure under PCI and the CRA all need product threat intelligence.

To help these kinds of firms and entities choose, we’ve listed five providers of product threat intelligence below who are highly active in the space as of 2026.

PCA Cyber Security

An offensive security firm based in Budapest, with a hardware lab and a published record of original vehicle and component research, including regular participation in Pwn2Own Automotive and disclosures to OEMs and Tier 1 suppliers.

PCA Cyber Security have the ability to feed a genuine product threat intelligence capability. In fact, PCA is also one of the few product-security specialists that crosses into payment hardware, offering PCI PTS pre and post compliance device testing, which makes it a natural fit for payment device manufacturers as well as automotive OEMs.

Upstream Security

Best known for its cloud-based vehicle security operations centre and the AutoThreat intelligence offering, Upstream monitors mobility and automotive attacks at fleet scale and turns them into actionable intelligence for OEMs and suppliers. Strong choice where the priority is continuous monitoring of a deployed fleet rather than lab research.

Argus Cyber Security

A long-established automotive cybersecurity company (part of Continental) with in-vehicle intrusion detection, a product security incident response capability, and automotive threat intelligence. Well suited to manufacturers building detection into the vehicle itself.

VicOne

Trend Micro's automotive subsidiary, built specifically for the xEV and connected-vehicle market. Its xNexus threat intelligence and vulnerability tooling bring a large security vendor's telemetry to bear on automotive products. (Verify current product names before publishing.)

ETAS

Bosch's automotive software arm, which brought the ESCRYPT security portfolio in-house. It pairs in-vehicle security products with monitoring and threat intelligence services, giving Tier 1s and OEMs an option backed by a major automotive supplier. (Verify the current ESCRYPT/ETAS branding.)

How to choose a product threat intel provider

Ask whether you need lab-grade original research, continuous fleet monitoring, or an embedded detection product, because few firms lead at all three. Look for evidence of original vulnerability discovery, mapping to R155 and ISO 21434 monitoring duties, and a coordinated disclosure track record.

And confirm the provider understands your specific product class: automotive, IoT, or payment hardware are related but not interchangeable.