Compliance monitoring ·

Vodafone builds SOAR and monitoring workflows with n8n, saving 5,000 person-days

The problem

As one of the most-targeted sectors for cyberattacks, Vodafone faced rising breach costs and new Telecom Security Act requirements to expand logging and monitoring coverage, while already processing billions of events and thousands of alerts a month through time-consuming manual processes that risked straining its engineering and CSOC teams.

First attempt

Vodafone piloted traditional SOAR tools, including IBM Resilient and Tines, but found that despite being comprehensive, they couldn't address its overall workflow capability and issues.

Workflow diagram · grounded in source
1
Critical feed monitoring
trigger
“We've created a workflow that allows us to monitor our critical feeds every five minutes”
2
Feed-loss detection
validation
“we now know instantly if one disappears”
3
Basic triage
routing
“perform basic triage to identify the problem area”
4
Ticket raised to correct team
output
“raise a ticket with the correct team”
5
Fraud detection workflow
integration
“a fraud detection workflow which provides IP geolocation and fraud detection services to help businesses localize content, and enhance security”
Reported outcome

Vodafone launched 33 workflows since August 2024 spanning SOAR, engineering, and CSOC use cases, saving 5,000 person-days, avoiding £2.2M in costs, and continuing to save roughly £300k per month in 2025, while also expanding its monitoring and logging capabilities to meet TSA compliance.

Reported metrics
Workflows launched33 workflows since August 2024
Person-days saved5,000 person-days
Costs avoided£2.2M
Ongoing monthly savings~£300k per month in 2025
Show all 8 reported metrics
workflows launched33 workflows since August 2024
person-days saved5,000 person-days
costs avoided£2.2M
ongoing monthly savings~£300k per month in 2025
events processed per monththree to five billion events per month
log retention periodfrom 90 days to 13 months
average telco breach cost$5.72M
critical feed monitoring frequencyevery five minutes
Reported stack
n8nIBM ResilientTines
Source
https://n8n.io/case-studies/vodafone/
Read source ↗

Frequently asked questions

What did this team achieve with this AI workflow?

Vodafone launched 33 workflows since August 2024 spanning SOAR, engineering, and CSOC use cases, saving 5,000 person-days, avoiding £2.2M in costs, and continuing to save roughly £300k per month in 2025, while also ex…

What tools did this team use?

n8n, IBM Resilient, Tines.

What results were reported?

Workflows launched: 33 workflows since August 2024; Person-days saved: 5,000 person-days; Costs avoided: £2.2M; Ongoing monthly savings: ~£300k per month in 2025 (source-reported, not independently verified).

What failed first in this deployment?

Vodafone piloted traditional SOAR tools, including IBM Resilient and Tines, but found that despite being comprehensive, they couldn't address its overall workflow capability and issues.

How is this compliance monitoring AI workflow structured?

Critical feed monitoring → Feed-loss detection → Basic triage → Ticket raised to correct team → Fraud detection workflow.