ABSTRACT: Vehicles data-centric with the need to process personally identifiable information. Often, companies that develop such systems act as integrators and need to comply to adequate data protection requirements. For instance, GDPR requires securing personal data. Yet, testing security of data (including, but not limited to personal data) is challenging. Penetration testing often starts from the outside of the system and take place at the end of the development lifecycle. This may be insufficient to adequatelytest for potential errors hidden within system boundaries. Having methods to design, execute, and reuse (automated) security test cases on a ‘white-box’ system is desirable. This positioning paper proposes an approach to design tool-based security test sequences. We structurally approach high-level data storing, processing, and communicating functionality in connection to the system boundary. We suggest to use pen-testing tools and sequences for testing the functionality of the vehicle’s (sub)system, before test-enabling interfaces are removed. This paper intends to contribute to discussions how to test layered defense implementations. The proposed approach is undergoing extensions and validations.