Space has never been busier or more contested. The thousands of satellites circling Earth, providing everything from broadband connectivity and GPS tracking to earth observation and defense monitoring, have become tempting targets for adversaries. Satellites are no longer just silent machines in orbit; they are vulnerable computers operating in an isolated environment.
“Satellites at their core are computers, with similar components, operating systems, applications and scripts that run on terrestrial systems,” said Ryan Roberts, principal at Deloitte, who developed on-orbit intrusion detection through its space division. “But today many satellites lack even the most basic cyber protections.”
The analogy is straightforward: We wouldn’t connect millions of terrestrial computers to the internet without antivirus and intrusion detection. With thousands of satellites forming the backbone of global infrastructure, space is no different.
That reality is driving a shift in mindset. What if satellites could see, in real time, when something looked wrong and respond before the mission faltered? That’s the promise of on-orbit intrusion detection systems (IDS), potentially enhanced by the advent of artificial intelligence.
Why Traditional Defenses Fall Short
An on-orbit IDS is a cybersecurity tool built directly into a satellite to monitor data, commands and behavior in real time. By spotting anomalies that may signal tampering, malware or hostile activity, these systems give satellite operators early warning of cyber intrusions that ground-based defenses might miss.
Until recently, most satellite security lived on the ground, and spacecraft remained potentially under-defended.
“The cybersecurity posture in space is totally different.” —Dick Wilkinson, Proof Labs
“The cybersecurity posture in space is totally different,” said Dick Wilkinson, CTO of Proof Labs, a developer of cybersecurity platforms for satellite networks. “That has prevented security from taking place onboard the spacecraft for basically the history of satellites. And that’s shifting and changing.”
There’s no shortage of evidence that it must change. Russia and China have both conducted close approach “flybys” of satellites in GEO and other orbits. To William Ferguson, a researcher with the Ethically Hacking Space project, a research and training initiative focused on space cybersecurity, those maneuvers are ominous. “The assumption is these flybys are potentially linked to capabilities looking for attack surface on these satellites,” Ferguson said.
Ferguson cited open-source intelligence attributed to independent astronomer Marco Langbroek indicating orbital patterns for what could be an increasing number of "sleeping interceptors" attributed to Russian capabilities in Low Earth Orbit. Russian controlled Cosmos 2588 launched May 23 was observed in a coplanar orbit with US LEO assets.
Further, Ferguson cited additional open-source intelligence from Integrity ISR indicating what seems to be a docking and refueling demonstration. While not confirmed and not an indication of malicious activity, it does demonstrate what could be a significant advancement in the ability for China to have both persistent and agile docking/refueling capabilities in and around GEO.
Meanwhile, ransomware gangs are probing the aerospace supply chain, where attacks have spiked several hundred percent in the past year. Satellite operators face a complex, fast-evolving threat landscape with which ground-only defenses can’t keep pace.
From Detection to Defense
That’s why the conversation has shifted from firewalls on the ground to intrusion detection on orbit. By monitoring telemetry streams, command sequences, and subsystem behavior as they happen, IDS promises to shrink detection times from hours to seconds.
“The faster anomalous activity can be identified after it begins, the greater likelihood the issue can be mitigated before it impacts the mission.” —Ryan Roberts, Deloitte
“The faster anomalous activity can be identified after it begins, the greater likelihood the issue can be mitigated before it impacts the mission,” Roberts of Deloitte said.
But speed is just one part of the equation. Autonomy is the next step. Deloitte envisions satellites executing pre-approved defensive measures without waiting for human intervention on the ground. “Organizations need to find ways to maximize both human capital and technological capabilities, progressing toward autonomous cyber defense that operates within pre-approved actions,” Roberts said.
For Jacob Oakley, technical director for cybersecurity solutions developer Sixgen, intrusion detection is a necessity. “Intrusion detection is one of the few cybersecurity capabilities you can leverage in space,” he said.
Architectures Taking Shape
There is no single approach to on-orbit IDS, and different industry players are taking different slants.
Deloitte’s Silent Shield leverages an out-of-band design, detecting cyberattacks on an operational satellite called Deloitte-1. It is the company’s intent to evolve the capability to be ready to integrate into any satellite bus and payload architecture, Roberts said, so that operators don’t have to worry about introducing new vulnerabilities or accidentally interfering with payload performance.
Proof Labs’ approach is to use digital twins. The company has built a replica of the Moonlighter spacecraft to simulate cyberattacks and watch how a satellite responds. CTO Dick Wilkinson describes it as breakthrough in training AI, because by teaching algorithms how anomalies look in practice, Proof Labs can better detect them in flight.
“From the feedback you get to know the things that came up mimic real attacks, and that the response on the spacecraft is something we can use to train the machine learning models,” Wilkinson said.
Sixgen, meanwhile, approaches the problem from the other side of the chessboard. The company red-teams satellite systems, probing vulnerabilities and simulating intrusions to stress test defenses.
“I’m the one they’re trying to catch.” —Jacob Oakley, Sixgen
“I’m the one they’re trying to catch,” Oakley said. His team’s insights help shape what IDSs should look for in the wild.
How AI Changes the Game
One of the challenges with anomaly detection is volume. Spacecraft generate torrents of telemetry, much of it influenced by radiation or environmental noise. Artificial intelligence can help sort benign anomalies from malicious ones.
Deloitte has already started sending Silent Shield data to GPU clusters on the ground to train machine learning models. “Once it has a handle on what is normal, it can help us identify anomalies and continue learning,” Roberts said. The endgame is what he calls an “autonomous cyber defense agent” that can detect, mitigate and adapt to evolving threats faster than adversaries.
Oakley of Sixgen agreed with the potential of AI to enhance intrusion detection. “A good use of AI in space systems is looking at combined telemetry and security data,” he said.
The Benefits of Acting Early
For satellite operators, the payoff of on-orbit intrusion detection is straightforward: resilience. Faster detection means faster response, and that alone can make the difference between a hiccup and a failed mission.
But the bigger prize may be autonomy. Satellites able to take pre-approved defensive actions buy operators time when links are jammed or unavailable. That kind of reflex could prevent a single compromised node from cascading into a constellation-wide disruption.
“This is going to be critical when we get into cislunar and Mars exploration, where we have to rely on gateways and autonomous systems.” —William Ferguson, Ethically Hacking Space
Ferguson sees IDS as a prerequisite for humanity’s next steps. “This is going to be critical when we get into cislunar and Mars exploration, where we have to rely on gateways and autonomous systems,” he said, noting that spacecraft will need the ability to recognize and contain threats on their own.
Challenges That Can’t Be Ignored
Still, the road to widespread deployment of AI-powered on-orbit intrusion detection isn’t without challenges. AI models demand compute, power and storage, three things spacecraft have in very limited supply.
“The size, weight and power required to run this sort of AI capability on the satellite remains a challenge,” Roberts of Deloitte said. To bridge it, the firm plans to fly GPUs in orbit within 18 months to test real-world performance.
Precision is another challenge. False positives that trigger defensive responses could be worse than the threats themselves. Oakley cited one academic experiment that had to be shut down almost immediately because its intrusion detection tool filled the spacecraft’s hard drive with logs. The last thing operators want is security that becomes the problem.
Information sharing is another obstacle. Unlike the terrestrial world, where companies often disclose breaches and exchange threat intelligence, aerospace operators tend to keep quiet.
“You’re not going to have this breadth of open source threat intelligence,” Oakley said. That means intrusion detection systems are often flying blind, without the benefit of a community knowledge base. And when satellites are compromised, they may be stolen or destroyed, leaving no opportunity for forensic learning, he said.
The Road Ahead
Despite those challenges, momentum is building. Deloitte is already gathering flight data from Silent Shield and preparing to test AI in space. Proof Labs expects its CROO (for Cyber Resilient On-Orbit) platform to evolve from anomaly detection to a full suite of defensive tools, or “antivirus for spacecraft,” as Wilkinson describes it.
Meanwhile, organizations like Space ISAC and IEEE are pushing toward shared standards and collective defense frameworks.
“On-orbit intrusion detection offers not only a new layer of defense, but also a way to capture real telemetry on how satellites experience attacks in practice.” —Joel Francis, Space ISAC
“On-orbit intrusion detection offers not only a new layer of defense, but also a way to capture real telemetry on how satellites experience attacks in practice,” said Joel Francis, watch center lead for Space ISAC. “This shifts us from hypothetical scenarios to evidence-based prioritization, strengthening both resiliency and collective defense in the space domain.”
Ferguson said he sees the future as less about isolated tools and more about coordinated resilience.
“It’s not just about detecting things on orbit, but what are the preparations, the execution and the outcomes you need for collective response,” he said.
The satellite industry is taking steps toward making spacecraft active defenders of their own missions, and it’s a cultural shift as much as a technical one. For decades, space relied on distance and complexity as its shield. Now, operators are beginning to accept that cyber risk is inseparable from mission risk—and that protection must move onboard.
Explore More:
Redwire CTO: Spotting AI Hallucinations and Training Algorithms for Orbit
Data Centers In Space - Why Data Processing is Moving from the Ground to On-Orbit
Threat Briefing 31: Cyber Threats to Operational Technology in Aerospace and Aviation Supply Chains
