Background
Vodafone UK, part of the global Vodafone Group, is the largest telecommunications company operating in the United Kingdom, focused on connecting people, businesses, and communities through its mobile and fixed network infrastructure.
Challenge
As a leading telco serving millions of customers, Vodafone has to remain constantly vigilant to cybersecurity threats. In fact, the telco sector is among the top three most vulnerable sectors to cyber attacks, after finance and healthcare, with attack frequency and complexity evolving relentlessly. According to Gartner, the average cost of a breach in telco has risen to $5.72M, placing additional pressure on already stretched security teams.
The Telecom Security Act (TSA) introduced in 2024 sets out strict regulations that network providers, such as Vodafone, must adhere to. This includes increasing logging and monitoring coverage – ensuring that more assets are not just being logged locally, but also stored centrally.
“This means that there's going to be more assets, more data, more data types, therefore more monitoring required with more alerts being generated,” Claire Van Hinsbergh, Engineering Manager at Vodafone, said.
“Given that we already process three to five billion events per month, alongside thousands of alerts every month, the manual processes we used in engineering and CSOC are time-consuming. And as we planned to increase logging and monitoring, it was going to result in resource strain.”
As part of its cybersecurity objectives, Vodafone wanted to:
- Expand logging and monitoring coverage to account for more assets, data types, and longer retention (from 90 days to 13 months) in order to be compliant with TSA requirements.
- Overcome resource strain from increased logging/monitoring without exponential staff increase, or additional strain on the existing engineering and CSOC teams.
Solution
Vodafone considered various approaches to its security orchestration, automation, and response (SOAR), including proofs of concept with traditional tools like IBM Resilient and Tines. Although comprehensive, the traditional tools couldn't address Vodafone’s overall workflow capability requirements and issues.
“Then we found n8n, which does both. It provides SOAR capability and a workflow capability in a low-code model, as well as the ability to code for more complex workflows and integrations. It did everything that we wanted, all in one tool,” said Claire.
“With n8n, we were also able to create modules. We broke down our workflows and looked at what we could reuse in other teams or spaces, like an email module – once you’ve got it, it can be used anywhere.”
Given the speed at which Vodafone wanted to move, it brought in Bounteous as an accelerator.
Once onboard, the Bounteous team began using n8n to leverage CI/CD in a low-code environment, working on modular workflow design to enable rapid iteration, consistency, and scalability across complex cybersecurity processes.
“n8n and the flexibility it allows helped us in the design and development of an entire CI/CD, DevOps lifecycle. Utilizing n8n environments, we were able to build, develop, test, and deploy code and applications. This allowed us to easily and securely create and update workflows and take them through the lifecycle. It also allowed for version control and log streaming capabilities,” Sumit Sachdeva, Director - Industry Principal Consultant at Bounteous, said.
Bounteous also developed several reusable workflows, which were added to a repository for Vodafone. One example is a fraud detection workflow that provides IP geolocation and fraud detection services to help businesses localize content and enhance security.
Impact
n8n has had a significant impact at Vodafone. The team has created and launched 33 workflows since August 2024, enhancing monitoring, checks, and SOAR capabilities across engineering and CSOC teams. This has saved Vodafone 5,000 person-days, avoiding £2.2M in costs, and driven continued savings of ~£300k per month in 2025.
Workflows now don't just support SOAR and Vodafone’s CSOC team, but also onboarding, engineering, and content creation. And because n8n is modular, Vodafone is generating workflows at an exponential rate – with the potential of sharing workflows across the organization to empower other teams.
Vodafone was also ultimately able to increase its monitoring and logging capabilities, adhering to TSA regulations.
“We’ve created a workflow that allows us to monitor our critical feeds every five minutes. These feeds are parsing huge amounts of data, and we now know instantly if one disappears, then perform basic triage to identify the problem area and raise a ticket with the correct team,” said Claire.
“To manually carry out this process every 5 minutes with triage and tickets being raised on the correct ticketing system for all of our critical feeds would have been impossible without a significant increase in operational resource, taking us away from higher value work. n8n is allowing us to work smarter, rather than harder.”
Next steps
Looking ahead, Vodafone is iteratively developing existing workflows, improving existing modules, and swapping out manual steps for new automation as integrations become available, increasing the reuse capability.
They are looking at opportunities to reuse the workflow capabilities across other Cyber Engineering Tools and teams to improve onboarding, throughput, and monitoring, allowing teams to enhance their existing capabilities, introduce new ones, and focus their efforts on higher-value and exciting projects.
As AI continues to develop, so too do the frequency and sophistication of cyber attacks. Vodafone is now looking into Agentic AI SOC in cybersecurity to see how they can utilize AI to their advantage and reduce the strain on their engineering teams as well as their SOC teams, with Agentic Ops and Agentic SOC.