Callisto Technology

VSOC Managed Operations Service

Targeting "fewer false positives, faster response, evidence retained, auditable." Providing 5x8 on-site support plus 7x24 automated response for end-to-end vehicle cybersecurity operations. L1/L2/L3 three-tier team collaboration, connecting "anomaly → alert → classification → response → review," deeply integrated with OEM CSMS framework, meeting UN R155 continuous monitoring requirements for every vehicle.

Managed Operations

5×8 现场 + 7×24 自动化

Weekday on-site + full-time automated

L1 / L2 / L3 三级团队

Three-tier collaborative operations

UN R155 / CSMS 合规

Continuous monitoring & auditable

Why VSOC Managed Operations?

UN R155 requires OEMs to continuously monitor cybersecurity for every sold vehicle. CSMS frameworks require auditable operations closure capabilities. Self-building operations teams faces talent scarcity, immature processes, and insufficient intelligence coverage. Managed operations rapidly establishes compliant and efficient operational capabilities.

R155 Mandatory Continuous Monitoring

UN R155 explicitly requires OEMs to conduct lifecycle cybersecurity monitoring for sold vehicles. Without continuous operations capability, type approval and subsequent audits cannot be passed.

Operations Talent Scarcity

Automotive cybersecurity operations requires cross-disciplinary talent understanding vehicle protocols, cloud platforms, threat intelligence, and emergency response. Market supply is severely insufficient; self-building teams is slow and expensive.

Immature Processes

From incident classification, detection use cases, ticket closure to reporting systems, years of practical experience are needed. Temporarily assembled teams cannot establish auditable operations processes in short time.

Scale Drives Refinement

As vehicle volume, data volume, and alert peaks grow, operations shift from "stable and usable" to "lean and controllable," requiring continuous optimization in signal-to-noise ratio, scenario coverage, and intelligence closure.

Export Compliance Differentiation

Different target markets (EU, Middle East, Southeast Asia) have varying regulatory and audit depth, requiring multi-region, multi-regulatory operations support capabilities.

Evolving Threat Scenarios

Key threat scenarios for APP, Bluetooth, accounts, and OTA continue to increase. Vulnerability intelligence tracking and detection strategy require continuous updates, not one-time construction.

What is VSOC Managed Operations Service?

Callisto VSOC Managed Operations Service is an end-to-end operations outsourcing service for OEM cybersecurity teams. Built on the S3-VSOC platform, Callisto professional operations teams provide 5x8 on-site support and 7x24 automated response, covering monitoring, alerting, classification, response, and review. Integrated with OEM CSMS frameworks to form continuous monitoring, precise intelligence, rapid identification, efficient response, and closed-loop management capabilities.

Operations Model

5x8 on-site + 7x24 automated

Team Structure

L1/L2/L3 three-tier

Incident Levels

P0-P3 four-tier response

Service Period

Year-round continuous

Compliance

UN R155 / CSMS

Reporting

Daily/Weekly/Monthly/Annual

Operations Service List

Eight core services delivered year-round, covering the complete operations chain from daily monitoring to emergency drills

VSOC Basic Operations

Vehicle cybersecurity data monitoring and anomaly incident response. Year-round continuous operation ensuring platform stability and real-time risk visibility.

Year-round
Operations System Development

Design and refine operations processes and documentation based on internal CSMS requirements and regulatory requirements, ensuring auditable and traceable operations.

Year-round
Security Event Library Creation

Anomaly signal detector and alert strategy design and optimization, building event classification library and detection use case library with continuous iteration.

Year-round
Threat Intelligence Support

Threat intelligence collection and curation, enterprise-relevant intelligence analysis and reporting, covering CVE/NVD/CNVD, vendor advisories, and industry alliances.

Year-round
Vehicle Compliance Support

Support OEMs in completing regulatory certification and authority audits, assisting with on-site platform demonstrations and certification documentation.

Year-round
Cybersecurity Emergency Drills

Regularly design drill scenarios based on VSOC daily monitoring anomalies and alerts, using internal tools for data simulation and security remediation.

1-2 times/year
Platform Penetration Testing

Regular penetration testing of VSOC platform, focusing on core security dimensions, providing test reports and remediation plans.

2 times/year
Security Training & Knowledge Base

Build VSOC security operations knowledge base, regularly train operations personnel and client teams on platform usage, detection logic design, data collection principles.

Year-round

Operations Team Organization & Responsibilities

L1/L2/L3 three-tier team with clear responsibilities and escalation mechanisms

L1
Basic Operations

Frontline Defense

  • Basic data statistics and monitoring
  • Scheduled anomaly data reporting
  • Vehicle information entry and registration screening
  • Automotive threat intelligence collection
L2
Technical Analysis

Technical Support

  • Inherits all L1 duties
  • Preliminary anomaly log analysis
  • In-depth automotive threat intelligence analysis
  • Detection use case and alert strategy optimization recommendations
L3
Operations Response

Accountability Hub

  • Inherits all L2 duties
  • Final review of anomaly/alert data
  • Incident classification and escalation
  • Response plan development and full-process closure management
  • CSMS team coordination and interface

Incident Classification & Response SLA

Building an "incident classification library" as the unified reference for monitoring, alerting, ticketing, and auditing, with P0-P3 four-tier differentiated response standards

Domain

Vehicle/ECU, Gateway & Communication, Charging & Energy, Mobile App/Account, Vehicle Cloud/Backend API, OTA/SUMS, Supply Chain/Third-party

Behavior

Unauthorized access/control, Availability degradation/DoS, Data & privacy, Integrity & tampering, Lateral movement/propagation, Cryptographic material compromise

级别名称响应时间说明
P1
Critical2 hoursSevere security events that may lead to remote vehicle control, mass data breaches, or platform compromise
P2
High Priority4 hoursSecurity events with exploitable attack paths affecting multiple vehicles or critical functions
P3
Medium Priority6 hoursLocalized anomalies or potential risks without actual harm yet but requiring tracking
P4
Low Priority10 hoursLow-risk alerts or intelligence线索, processed through routine analysis workflow

5x8 On-site + 7x24 Automated Operations Model

Weekday fixed shifts ensure continuous stable operations; off-hours rely on platform automation and multi-channel alert push

Weekdays
5x8 On-site Support

Weekday 5x8 hour fixed shift mechanism ensuring VSOC continuous stable operations, achieving real-time monitoring and dynamic control of vehicle cybersecurity risks. Differentiated response SLAs for P1-P4 incidents (2h/4h/6h/10h).

Full-time
7x24 Incident Processing

Relying on VSOC platform built-in automated response tools for full-time automated incident processing. During off-hours, if P1/P2 high-risk events occur, the platform triggers push notifications via Feishu bot, DingTalk bot, email, and other channels. Operations personnel respond as quickly as possible for analysis, emergency response, and escalation.

Emergency
Emergency Response Mechanism

For major security incidents, emergency response process is activated. L3 Operations Response leads response plan development, coordinating with OEM CSMS team to execute emergency response plans, ensuring timely risk control, complete evidence retention, and auditable review.

Detection Use Case Library & Event Library

One event definition links to multiple detection use cases; anomalies triggered by use cases, alerts triggered by events, tickets classified by event library

1
Proposal

Submit event entry draft (with minimum fields)

2
Alignment

Joint review meeting to confirm definition and boundaries, supplement examples and evidence points

3
Library Entry

Formal entry with version number, synchronized to monitoring/ticketing/reporting data dictionary

4
Linkage

Operations side configures use cases and detectors accordingly

5
Change

Add/revise/deprecate through change orders, retaining historical versions for traceability

EventIncidentID事件名称建议级别关联用例
EI-OTA-001OTA Package Integrity Anomaly
P2
UC-OTA-Sign-01, UC-OTA-Delta-03
EI-API-002Vehicle Cloud API Unauthorized Access
P1
UC-API-Auth-02, UC-API-Rate-05
EI-ACC-003Account Credential Abuse
P2
UC-ACC-Brute-01, UC-ACC-Token-02

Vulnerability & Threat Intelligence Tracking

Covering sentiment, authoritative platforms, vendor advisories, and industry alliances with a three-tier daily-weekly-major tracking mechanism

Daily Intelligence List
Before 09:00 daily

Covering sentiment, authoritative platforms (CVE/NVD/CNVD etc.), vendor advisories, and industry alliances, forming a "past 24h intelligence list" with source links, related assets/vehicle models, and intelligence summaries.

最小字段:Source/link, related assets/vehicle models (if any), intelligence summary
Weekly Intelligence Summary
Before 18:00 Friday

Weekly summary of new vulnerability classification statistics and key threat impact areas, with interpretation of key items and trend analysis.

最小字段:New vulnerability/intelligence classification distribution, key item interpretation
Major Intelligence Technical Analysis
On-demand

Triggers "HQ technical rapid review" (security architect/intelligence researcher/vehicle model engineer), outputting technical analysis and response recommendations.

最小字段:Impact assessment, exploitability, mitigation/remediation recommendations

Ticket Closure Process

All security-related items (detection alerts, intelligence, penetration/drill findings, audit issues) are handled through the VSOC ticket module

1
Intake & Dedup

Platform automated/manual deduplication, merging same-source items, generating ticket number.

2
Triage & Assignment

Preliminary incident triage, assigning P0-P3 recommended levels based on event library.

3
Response & Authorization

Forming response recommendations, executing response operations per authorization levels.

4
Verification & Closure

Response verification, recovery confirmation, continuous monitoring, closed-loop ticket closure.

Operations Reporting System

Four-tier reporting system covering daily/weekly/monthly/annual, ensuring traceable operations, measurable quality, and auditable planning

Daily Report
Daily

Records key daily cybersecurity information: ticket processing (processed/resolved/pending), emergency incidents (count/type/progress), vulnerability intelligence briefs (new count/critical count).

Weekly Report
Weekly

Weekly operations summary and analysis: daily key info weekly totals, ticket processing efficiency (avg handling time, overdue tickets and reasons), emergency incident processing summary, weekly vulnerability intelligence analysis (type distribution, impact assessment).

Monthly Report
Monthly

Comprehensive based on weekly reports: monthly operations target completion, monthly security risk assessment, next month operations priority planning, supporting management decision-making.

Annual Report
Annual

Full-year operations review: annual operations data overview, annual security incident statistics and analysis (major incident detailed review), annual target achievement, improvement measures, next year security operations strategic planning.

Vehicle Compliance Support

Supporting OEMs in completing R155, MIIT, and other compliance reviews, assisting with on-site platform demonstrations and certification documentation

R155 Type Approval Support

Providing VSOC continuous monitoring capability proof, operations process documentation, incident response records, and other certification materials.

CSMS Framework Integration

Operations processes deeply integrated with OEM CSMS framework, ensuring auditable and traceable operations closure.

MIIT Compliance Review

Supporting domestic regulatory reviews, providing platform demonstrations, data reports, operations records, and other review materials.

Overseas Certification Support

Supporting EU, Middle East, Southeast Asia, and other multi-region certifications, providing localized operations evidence and compliance reports.

Platform Security & Emergency Response Drills

Regularly testing VSOC platform security and operations team emergency response capabilities

Platform Penetration Testing
2 times/year

Operations team provides biannual platform penetration testing, focusing on VSOC platform core security dimensions, providing test reports and remediation plans.

Vehicle Cybersecurity Emergency Response Drill
1 time/year

Developing VSOC Platform Emergency Drill Plan based on platform application scenarios, defining participant roles (platform operator, technical response team), drill process (alert discovery → risk analysis → technical response → recovery verification → review), providing simulation attack tools and anomaly event trigger scripts.

Frequently Asked Questions

S3-VSOC is Callisto's Vehicle Security Operations Center platform product, providing monitoring, alerting, ticketing, and reporting technical capabilities. VSOC Managed Operations Service is a people+process+tools integrated operations outsourcing service based on the S3-VSOC platform, provided by Callisto professional operations teams. You can purchase only the platform for self-building operations teams, or choose managed operations service to rapidly establish compliant operations capabilities.

5x8 refers to weekday (Monday-Friday) 8-hour fixed on-site shifts, with L1/L2/L3 operators providing real-time support at client sites or Callisto operations centers. 7x24 refers to full-time (including off-hours and nights) automated incident processing via VSOC platform built-in tools. When P1/P2 high-risk events occur, alerts are pushed via Feishu, DingTalk, email, and other channels, with operators responding as quickly as possible.

Standard three-tier team: L1 Basic Operations for daily data monitoring and intelligence collection; L2 Technical Analysis for anomaly log analysis, in-depth intelligence analysis, and detection use case optimization; L3 Operations Response for final incident review, classification escalation, response plan development, and full-process closure management, interfacing with OEM CSMS teams. Specific headcount is planned based on vehicle scale and alert peaks.

Our operations processes strictly align with UN R155 CSMS framework requirements: building event classification libraries, detection use case libraries, ticket closure mechanisms, and four-tier reporting systems. All operations actions retain evidence and are auditable. During vehicle certification, we provide continuous monitoring capability proof, operations process documentation, and incident response records to support type approval and subsequent audits.

We define differentiated response SLAs by P0-P3 (or P1-P4) four tiers: Critical (P1) 2-hour response, High Priority (P2) 4-hour response, Medium Priority (P3) 6-hour response, Low Priority (P4) 10-hour response. Specific handling duration follows client CSMS requirements, with all response and handling processes recorded in tickets for traceability.

Covering three major categories: authoritative vulnerability platforms (CVE, NVD, CNVD, etc.); vendor security advisories and industry alliance intelligence; sentiment monitoring and technical community dynamics. Forming daily intelligence lists (delivered before 09:00), weekly intelligence summaries (delivered before Friday 18:00), with major intelligence triggering HQ technical rapid review and outputting technical analysis and response recommendations.

Yes. We have achieved 7x24 continuous operations in the EU primary domain, with L1/L2/L3 and OEM CSMS closure stable operations. Operations capabilities scale linearly by vehicle model and region, planned by access scale, supporting unified operations for EU, Middle East, Southeast Asia, and other overseas vehicle models.

Yes. We build VSOC security operations knowledge bases and regularly train operations personnel and client teams on platform usage, detection logic design, data collection principles, incident analysis methods, ticket handling processes, and more. This helps OEM teams gradually build independent operations capabilities, reducing long-term external dependence.

Ready to build your VSOC managed operations capability?

From 5x8 on-site support to 7x24 automated response, Callisto helps you build compliant, efficient, and auditable automotive security operations.

Contact us about our automotive cybersecurity services

With the transformation of automobiles into intelligent ones, automobile cybersecurity challenges are becoming increasingly prominent, and automobile companies urgently need to upgrade their cybersecurity protection systems.
Callisto (Beijing) Technology Co., Ltd. is a national high-tech enterprise founded by one of the world's first technical experts focusing on automotive network security, invested by world-renowned institutions, and possessing a number of independent intellectual property rights.
GDPR
Chinese vehicle cybersecurity standard:
General Technical Requirements for Automobile Information Security
Comply with" Guidelines for the Construction of Internet of Vehicles Network Security and Data Security Standard System",meet GB/T 40861-2021 "General Technical Requirements for Automobile Information Security", establish and provide automobile network security services. Any data we process for our customers and any risks we discover are the private assets of our customers and cannot be accessed without authorization.
©2022 Callisto (Beijing) Technology Co., Ltd.ICP No. 2022011284-1
ISO/SAE 21434
Vehicle cybersecurity certification:
ISO/SAE 21434 and UN R155UN R156

Contact us for ISO and WP.29 certification services to meet EU regulations.

Tel: 4001059410

Address: 201, Building 2A, Silicon Valley Liangcheng, Haidian District, Beijing