Automotive Cybersecurity

12 Million Security Events Per Day. Their VSOC Had 4 People.

A European OEM rolled out connected services to 2.3 million vehicles. The security telemetry hit like a fire hose - 47GB per vehicle per day. Their cloud IDS couldn't keep up, and their 4-person VSOC was triaging alerts from last week.

2.3M Connected Vehicles
0.8ms Attack Detection
847 Daily Alerts (was 12M)

Client

European Automotive OEM

Industry

Automotive

Use Case

Vehicle Intrusion Detection & Cybersecurity

Products Used

Expanso

Timeline

Pilot on 15K vehicles in 8 weeks, fleet rollout over 6 months

ROI

$11.4M annual cloud and cellular cost avoidance

The Challenge

The VSOC was a month behind. Every vehicle was sending 47GB of CAN bus traffic, ECU logs, and network events daily. The cloud IDS took 340ms to analyze each event. By the time an alert triggered, the attack was over. And their cellular provider was sending invoices that made the CFO's eye twitch.

  • 2.3 million vehicles generating 47GB of security telemetry each per day
  • Cloud IDS latency was 340ms - attacks complete before detection
  • VSOC receiving 12 million events daily - 4 analysts couldn't keep up
  • Cellular data costs were $14.2M annually for security telemetry alone
  • UN R155 regulation deadline approaching for on-vehicle IDS
  • Cloud infrastructure costs projected to hit $23M for next year

The Solution

We put the IDS on the vehicle. CAN bus traffic is analyzed locally. The vehicle knows what 'normal' looks like for that specific car. When something unusual happens - the wrong ECU sending a message, abnormal message frequency, an injection attempt - the vehicle flags it immediately. The cloud only sees confirmed security events.

On-Vehicle CAN Analysis

Each vehicle learns its own baseline - which ECUs talk to which, normal message patterns, expected frequencies. Anomaly detection runs against that baseline in 0.8ms. No cloud round-trip needed.

Local Event Triage

Vehicle classifies events into categories: confirmed attack, suspicious behavior, unusual but benign, normal operation. Only the first two categories transmit. Normal CAN traffic stays on the vehicle.
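The baseline-and-triage loop described above, as an added example that is not Expanso's or the OEM's code: each CAN ID's cadence is learned from a clean window, live frames are scored against it, and only the first two categories are queued for transmission. The CAN IDs, intervals, thresholds and the mapping of anomalies to categories are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Triage categories from the case study; only the first two leave the vehicle.
CONFIRMED, SUSPICIOUS, UNUSUAL, NORMAL = "confirmed_attack", "suspicious", "unusual_benign", "normal"
TRANSMIT = {CONFIRMED, SUSPICIOUS}

def build_baseline(frames):
    """Learn, per CAN ID, the mean inter-arrival interval and its spread from a clean window."""
    stamps = defaultdict(list)
    for ts, can_id in frames:
        stamps[can_id].append(ts)
    baseline = {}
    for can_id, times in stamps.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if gaps:  # an ID seen only once has no cadence to learn
            baseline[can_id] = (mean(gaps), pstdev(gaps))
    return baseline

def classify(ts, can_id, baseline, last_seen):
    """Classify one frame against the vehicle's own baseline (thresholds are assumptions)."""
    prev = last_seen.get(can_id)
    last_seen[can_id] = ts
    if can_id not in baseline:
        return SUSPICIOUS  # an ID this vehicle never sends: wrong ECU or a foreign node
    if prev is None:
        return NORMAL
    expected, spread = baseline[can_id]
    gap = ts - prev
    if gap < 0.25 * expected:
        return CONFIRMED  # frames far faster than the ID's cadence: injection pattern
    if abs(gap - expected) > max(3 * spread, 0.1 * expected):
        return UNUSUAL  # off-cadence but plausible (bus load, mode change); stays on the vehicle
    return NORMAL

def triage(frames, baseline):
    """Return the (ts, can_id, category) events that would be transmitted to the cloud."""
    last_seen, events = {}, []
    for ts, can_id in frames:
        category = classify(ts, can_id, baseline, last_seen)
        if category in TRANSMIT:
            events.append((ts, can_id, category))
    return events

# Constructed learning window: 0x100 every 10 ms and 0x200 every 100 ms for one second.
LEARN = sorted([(i * 0.010, 0x100) for i in range(100)] + [(i * 0.100, 0x200) for i in range(10)])
BASELINE = build_baseline(LEARN)
# Constructed live window: normal cadence, then an unknown ID and a burst of 0x100 frames.
LIVE = [(1.000, 0x100), (1.010, 0x100), (1.012, 0x7FF), (1.020, 0x100),
        (1.021, 0x100), (1.022, 0x100), (1.030, 0x100)]
```

Running `triage(LIVE, BASELINE)` yields three events (one suspicious unknown ID, two confirmed burst frames) out of seven frames; the late, off-cadence frame is classed unusual-but-benign and never leaves the vehicle.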

OTA Signature Updates

New attack signatures push to the fleet in 4 hours. When a new CAN injection technique appears, every vehicle gets updated before the next parking event. No recalls required.

The Results

The VSOC is now same-day. Four analysts handle 847 confirmed security alerts per day instead of 12 million raw events. They caught their first real attack in week 3 - a researcher probing the telematics unit. Detection time: 0.8ms.

0.8ms Detection Time
94% Data Reduction
847 Daily Alerts
$11.4M Cost Avoidance

  • Attack detection dropped from 340ms to 0.8ms - 425x faster
  • Daily VSOC alert volume reduced from 12 million to 847
  • Cellular costs dropped from $14.2M to $840K annually
  • Cloud infrastructure savings of $11.4M in first year
  • UN R155 compliance achieved 4 months ahead of deadline
  • Pilot validated on 15K vehicles in 8 weeks
  • First real attack caught in week 3 - researcher probing telematics

"We had a researcher poking at our telematics unit during the pilot. Old system would have flagged it in the daily batch analysis - 18 hours later. New system caught it in 0.8 milliseconds. I got an alert while he was still in the parking lot."

Head of Vehicle Security, European OEM

Your VSOC drowning in vehicle telemetry?

If your connected fleet generates more security data than your team can analyze, we should talk. We've deployed on millions of vehicles.