Targeting "fewer false positives, faster response, evidence retained, auditable." Providing 5x8 on-site support plus 7x24 automated response for end-to-end vehicle cybersecurity operations. L1/L2/L3 three-tier team collaboration, connecting "anomaly → alert → classification → response → review," deeply integrated with OEM CSMS framework, meeting UN R155 continuous monitoring requirements for every vehicle.
5×8 现场 + 7×24 自动化
Weekday on-site + full-time automated
L1 / L2 / L3 三级团队
Three-tier collaborative operations
UN R155 / CSMS 合规
Continuous monitoring & auditable
UN R155 requires OEMs to continuously monitor cybersecurity for every sold vehicle. CSMS frameworks require auditable operations closure capabilities. Self-building operations teams faces talent scarcity, immature processes, and insufficient intelligence coverage. Managed operations rapidly establishes compliant and efficient operational capabilities.
UN R155 explicitly requires OEMs to conduct lifecycle cybersecurity monitoring for sold vehicles. Without continuous operations capability, type approval and subsequent audits cannot be passed.
Automotive cybersecurity operations requires cross-disciplinary talent understanding vehicle protocols, cloud platforms, threat intelligence, and emergency response. Market supply is severely insufficient; self-building teams is slow and expensive.
From incident classification, detection use cases, ticket closure to reporting systems, years of practical experience are needed. Temporarily assembled teams cannot establish auditable operations processes in short time.
As vehicle volume, data volume, and alert peaks grow, operations shift from "stable and usable" to "lean and controllable," requiring continuous optimization in signal-to-noise ratio, scenario coverage, and intelligence closure.
Different target markets (EU, Middle East, Southeast Asia) have varying regulatory and audit depth, requiring multi-region, multi-regulatory operations support capabilities.
Key threat scenarios for APP, Bluetooth, accounts, and OTA continue to increase. Vulnerability intelligence tracking and detection strategy require continuous updates, not one-time construction.
Callisto VSOC Managed Operations Service is an end-to-end operations outsourcing service for OEM cybersecurity teams. Built on the S3-VSOC platform, Callisto professional operations teams provide 5x8 on-site support and 7x24 automated response, covering monitoring, alerting, classification, response, and review. Integrated with OEM CSMS frameworks to form continuous monitoring, precise intelligence, rapid identification, efficient response, and closed-loop management capabilities.
Operations Model
5x8 on-site + 7x24 automated
Team Structure
L1/L2/L3 three-tier
Incident Levels
P0-P3 four-tier response
Service Period
Year-round continuous
Compliance
UN R155 / CSMS
Reporting
Daily/Weekly/Monthly/Annual
Eight core services delivered year-round, covering the complete operations chain from daily monitoring to emergency drills
Vehicle cybersecurity data monitoring and anomaly incident response. Year-round continuous operation ensuring platform stability and real-time risk visibility.
Design and refine operations processes and documentation based on internal CSMS requirements and regulatory requirements, ensuring auditable and traceable operations.
Anomaly signal detector and alert strategy design and optimization, building event classification library and detection use case library with continuous iteration.
Threat intelligence collection and curation, enterprise-relevant intelligence analysis and reporting, covering CVE/NVD/CNVD, vendor advisories, and industry alliances.
Support OEMs in completing regulatory certification and authority audits, assisting with on-site platform demonstrations and certification documentation.
Regularly design drill scenarios based on VSOC daily monitoring anomalies and alerts, using internal tools for data simulation and security remediation.
Regular penetration testing of VSOC platform, focusing on core security dimensions, providing test reports and remediation plans.
Build VSOC security operations knowledge base, regularly train operations personnel and client teams on platform usage, detection logic design, data collection principles.
L1/L2/L3 three-tier team with clear responsibilities and escalation mechanisms
Frontline Defense
Technical Support
Accountability Hub
Building an "incident classification library" as the unified reference for monitoring, alerting, ticketing, and auditing, with P0-P3 four-tier differentiated response standards
Vehicle/ECU, Gateway & Communication, Charging & Energy, Mobile App/Account, Vehicle Cloud/Backend API, OTA/SUMS, Supply Chain/Third-party
Unauthorized access/control, Availability degradation/DoS, Data & privacy, Integrity & tampering, Lateral movement/propagation, Cryptographic material compromise
| 级别 | 名称 | 响应时间 | 说明 |
|---|---|---|---|
P1 | Critical | 2 hours | Severe security events that may lead to remote vehicle control, mass data breaches, or platform compromise |
P2 | High Priority | 4 hours | Security events with exploitable attack paths affecting multiple vehicles or critical functions |
P3 | Medium Priority | 6 hours | Localized anomalies or potential risks without actual harm yet but requiring tracking |
P4 | Low Priority | 10 hours | Low-risk alerts or intelligence线索, processed through routine analysis workflow |
Weekday fixed shifts ensure continuous stable operations; off-hours rely on platform automation and multi-channel alert push
Weekday 5x8 hour fixed shift mechanism ensuring VSOC continuous stable operations, achieving real-time monitoring and dynamic control of vehicle cybersecurity risks. Differentiated response SLAs for P1-P4 incidents (2h/4h/6h/10h).
Relying on VSOC platform built-in automated response tools for full-time automated incident processing. During off-hours, if P1/P2 high-risk events occur, the platform triggers push notifications via Feishu bot, DingTalk bot, email, and other channels. Operations personnel respond as quickly as possible for analysis, emergency response, and escalation.
For major security incidents, emergency response process is activated. L3 Operations Response leads response plan development, coordinating with OEM CSMS team to execute emergency response plans, ensuring timely risk control, complete evidence retention, and auditable review.
One event definition links to multiple detection use cases; anomalies triggered by use cases, alerts triggered by events, tickets classified by event library
Submit event entry draft (with minimum fields)
Joint review meeting to confirm definition and boundaries, supplement examples and evidence points
Formal entry with version number, synchronized to monitoring/ticketing/reporting data dictionary
Operations side configures use cases and detectors accordingly
Add/revise/deprecate through change orders, retaining historical versions for traceability
| EventIncidentID | 事件名称 | 建议级别 | 关联用例 |
|---|---|---|---|
| EI-OTA-001 | OTA Package Integrity Anomaly | P2 | UC-OTA-Sign-01, UC-OTA-Delta-03 |
| EI-API-002 | Vehicle Cloud API Unauthorized Access | P1 | UC-API-Auth-02, UC-API-Rate-05 |
| EI-ACC-003 | Account Credential Abuse | P2 | UC-ACC-Brute-01, UC-ACC-Token-02 |
Covering sentiment, authoritative platforms, vendor advisories, and industry alliances with a three-tier daily-weekly-major tracking mechanism
Covering sentiment, authoritative platforms (CVE/NVD/CNVD etc.), vendor advisories, and industry alliances, forming a "past 24h intelligence list" with source links, related assets/vehicle models, and intelligence summaries.
Weekly summary of new vulnerability classification statistics and key threat impact areas, with interpretation of key items and trend analysis.
Triggers "HQ technical rapid review" (security architect/intelligence researcher/vehicle model engineer), outputting technical analysis and response recommendations.
All security-related items (detection alerts, intelligence, penetration/drill findings, audit issues) are handled through the VSOC ticket module
Platform automated/manual deduplication, merging same-source items, generating ticket number.
Preliminary incident triage, assigning P0-P3 recommended levels based on event library.
Forming response recommendations, executing response operations per authorization levels.
Response verification, recovery confirmation, continuous monitoring, closed-loop ticket closure.
Four-tier reporting system covering daily/weekly/monthly/annual, ensuring traceable operations, measurable quality, and auditable planning
Records key daily cybersecurity information: ticket processing (processed/resolved/pending), emergency incidents (count/type/progress), vulnerability intelligence briefs (new count/critical count).
Weekly operations summary and analysis: daily key info weekly totals, ticket processing efficiency (avg handling time, overdue tickets and reasons), emergency incident processing summary, weekly vulnerability intelligence analysis (type distribution, impact assessment).
Comprehensive based on weekly reports: monthly operations target completion, monthly security risk assessment, next month operations priority planning, supporting management decision-making.
Full-year operations review: annual operations data overview, annual security incident statistics and analysis (major incident detailed review), annual target achievement, improvement measures, next year security operations strategic planning.
Supporting OEMs in completing R155, MIIT, and other compliance reviews, assisting with on-site platform demonstrations and certification documentation
Providing VSOC continuous monitoring capability proof, operations process documentation, incident response records, and other certification materials.
Operations processes deeply integrated with OEM CSMS framework, ensuring auditable and traceable operations closure.
Supporting domestic regulatory reviews, providing platform demonstrations, data reports, operations records, and other review materials.
Supporting EU, Middle East, Southeast Asia, and other multi-region certifications, providing localized operations evidence and compliance reports.
Regularly testing VSOC platform security and operations team emergency response capabilities
Operations team provides biannual platform penetration testing, focusing on VSOC platform core security dimensions, providing test reports and remediation plans.
Developing VSOC Platform Emergency Drill Plan based on platform application scenarios, defining participant roles (platform operator, technical response team), drill process (alert discovery → risk analysis → technical response → recovery verification → review), providing simulation attack tools and anomaly event trigger scripts.
S3-VSOC is Callisto's Vehicle Security Operations Center platform product, providing monitoring, alerting, ticketing, and reporting technical capabilities. VSOC Managed Operations Service is a people+process+tools integrated operations outsourcing service based on the S3-VSOC platform, provided by Callisto professional operations teams. You can purchase only the platform for self-building operations teams, or choose managed operations service to rapidly establish compliant operations capabilities.
5x8 refers to weekday (Monday-Friday) 8-hour fixed on-site shifts, with L1/L2/L3 operators providing real-time support at client sites or Callisto operations centers. 7x24 refers to full-time (including off-hours and nights) automated incident processing via VSOC platform built-in tools. When P1/P2 high-risk events occur, alerts are pushed via Feishu, DingTalk, email, and other channels, with operators responding as quickly as possible.
Standard three-tier team: L1 Basic Operations for daily data monitoring and intelligence collection; L2 Technical Analysis for anomaly log analysis, in-depth intelligence analysis, and detection use case optimization; L3 Operations Response for final incident review, classification escalation, response plan development, and full-process closure management, interfacing with OEM CSMS teams. Specific headcount is planned based on vehicle scale and alert peaks.
Our operations processes strictly align with UN R155 CSMS framework requirements: building event classification libraries, detection use case libraries, ticket closure mechanisms, and four-tier reporting systems. All operations actions retain evidence and are auditable. During vehicle certification, we provide continuous monitoring capability proof, operations process documentation, and incident response records to support type approval and subsequent audits.
We define differentiated response SLAs by P0-P3 (or P1-P4) four tiers: Critical (P1) 2-hour response, High Priority (P2) 4-hour response, Medium Priority (P3) 6-hour response, Low Priority (P4) 10-hour response. Specific handling duration follows client CSMS requirements, with all response and handling processes recorded in tickets for traceability.
Covering three major categories: authoritative vulnerability platforms (CVE, NVD, CNVD, etc.); vendor security advisories and industry alliance intelligence; sentiment monitoring and technical community dynamics. Forming daily intelligence lists (delivered before 09:00), weekly intelligence summaries (delivered before Friday 18:00), with major intelligence triggering HQ technical rapid review and outputting technical analysis and response recommendations.
Yes. We have achieved 7x24 continuous operations in the EU primary domain, with L1/L2/L3 and OEM CSMS closure stable operations. Operations capabilities scale linearly by vehicle model and region, planned by access scale, supporting unified operations for EU, Middle East, Southeast Asia, and other overseas vehicle models.
Yes. We build VSOC security operations knowledge bases and regularly train operations personnel and client teams on platform usage, detection logic design, data collection principles, incident analysis methods, ticket handling processes, and more. This helps OEM teams gradually build independent operations capabilities, reducing long-term external dependence.
From 5x8 on-site support to 7x24 automated response, Callisto helps you build compliant, efficient, and auditable automotive security operations.