"There is a convergence of the space and cyber domains," said Sam Visner, former senior U.S. official and chair of the Space Information Sharing and Analysis Center.
Why conventional cybersecurity tools mostly don't work in orbit
Space is an unforgiving environment, and conventional cybersecurity tooling — the intrusion detection and response suites honed on terrestrial networks — largely fail when deployed on spacecraft, experts told ISMG. Satellites run on a variety of platforms, operating systems, flight software and bus architectures rather than the Windows- or Linux-based ecosystems common on earth. Operators must deliver deterministic outcomes in systems constrained by very limited size, weight and power, and they are often reluctant to place unproven security upgrades on mission-critical flight software.
That combination creates an "onboard detection gap," in the words of Ernest Wong, the technical lead for space systems at the Department of Homeland Security's Science and Technology Division (S&T). Today, satellite operators commonly rely on telemetry — signals beamed back to ground stations — to detect possible cyberattacks. But telemetry gives limited visibility, and traditional indicators of compromise (IOCs) generally become available only after an attack has occurred. In orbit, many attacks would be novel and lack historical signatures to mine for clues.
Indicators of behavior and SpaceCOP: a malware-agnostic approach
To address that gap, DHS S&T and the federally funded Aerospace Corporation partnered to develop an alternate gauge of attack: indicators of behavior (IOBs). Rather than hunting for known malware signatures, IOBs look for anomalous behavior in a satellite or its payloads. "If you can detect various categories of malicious behavior, that can also potentially detect future unknown exploits," Wong said.
Last year, S&T and Aerospace built SpaceCOP, a software package designed to detect — and in some cases repel — hostile cyber activity onboard satellites. Ten commercial partners are currently testing SpaceCOP, Brandon Bailey, principal engineer for space cybersecurity at the Aerospace Corp., told ISMG. The plan is to open source it later this year. S&T and Aerospace also view autonomous response — software that can act automatically to block or expel an intrusion — as the necessary next step, given the scale of new low earth orbit (LEO) megaconstellations and the way LEO satellites "wink in and out of view" of ground stations, Wong said.
Deloitte's Silent Shield: the only on-orbit intrusion detector so far
The only cyber tool actually on orbit today, according to the coverage, is Silent Shield, built by Deloitte and carried on Deloitte-1, a cubesat launched last year from Vandenberg Space Force base. The 22-pound, microwave-oven-sized satellite pairs an operational RF collection payload with a prototype on-orbit intrusion detection system. Silent Shield is deliberately out-of-band and set behind a one-way diode so it can receive telemetry and monitor outputs and performance without feeding anything back into the satellite's operating or payload software.
Deloitte cyber operators have been subjecting the system to a series of 40 increasingly sophisticated cyberattacks to see whether Silent Shield will detect them; so far, it has detected them all, Ryan Roberts, a principal at Deloitte, told ISMG. Deloitte-2 and Deloitte-3 launched this year. Neither carries Silent Shield preinstalled; instead, Deloitte plans to upload the tool to those satellites to demonstrate that cyber protections can be added to legacy vehicles already in orbit. The small constellation is flying "in a cluster or a ball," Roberts said, both to support operational missions and to test inter-satellite communications and lateral movement through the ground segment — techniques Deloitte says an advanced adversary might leverage.
AI, synthetic telemetry, and standards work by Proof Labs, BigBear.ai, Redwire, and Space‑ISAC
Several private contractors and standards groups are building complementary capabilities. Proof Labs, a U.S. Space Force contractor, is developing the Cyber Resilience On‑Orbit program — an AI-powered tool that uses machine learning to spot anomalous behavior from the ground. Dick Wilkinson, cofounder and chief technology officer of Proof Labs, told ISMG the AI model is being trained with high-fidelity synthetic satellite telemetry and other data compiled by BigBear.ai using a digital model built by Redwire Space Systems; Proof Labs plans to make the capability available to military and civilian customers this year.
At the same time, Space-ISAC is leading a working group of the OASIS Cyber Threat Intelligence Technical Committee — the organization that manages the STIX standard — to adapt the structured threat information expression format for the space industry. That work is intended to enable the sharing of machine-readable cyber threat intelligence across space operators and vendors.
What this means for commercial satellite operators, U.S. Space Force contractors, and standards bodies
- Commercial satellite operators: many today rely on ground-station telemetry for detection and face the challenge of diverse flight software and tight hardware constraints. Operators are experimenting with on-orbit IOB detection through SpaceCOP and with retrofitting existing satellites via uploads, as Deloitte plans to demonstrate.
- U.S. Space Force contractors and military customers: contractors such as Proof Labs are fielding machine-learning tools trained on synthetic telemetry and intend to offer those tools to military and civilian customers this year, while Deloitte's testing includes inter-satellite link behaviors that simulate advanced adversary techniques.
- Standards bodies and information-sharing groups: Space-ISAC is leading an OASIS working group to adapt STIX for space so threat intelligence can be exchanged in a machine-readable way, supporting automated defensive responses across disparate vendors and platforms.
Sam Visner warned that the sector is "in a race against time." The convergence of space and cyber, and the erosion of previously strong norms around attacks on spacecraft, means defenders are rushing to build new detection models, on-orbit tooling and automated responses. Whether those defenses can be developed, scaled and installed on the many satellites — new and legacy — already circling the globe will be the central technical and operational question as the next chapter of cyberwar unfolds in space.




