SciTransfer
SAPPAN · Project

Automated Cyber Threat Detection and Response With Privacy-Preserving Intelligence Sharing

Tags: digital · Piloted · TRL 7

Imagine every company has security cameras, but none of them talk to each other — so a burglar caught on one camera can walk right past all the others. SAPPAN built a system that lets organizations share what they know about cyber attacks without revealing their own private data. It uses machine learning to spot threats automatically and recommends the best way to respond and recover. Think of it as a neighborhood watch for cybersecurity where everyone benefits from shared knowledge, but nobody has to show their home layout.

By the numbers

EUR 4,175,070: EU contribution for development
8: consortium partners across 5 countries
9: working demonstrators delivered
5: real operational environments used for validation (2 multinationals, 1 NREN, 2 CSIRTs)
37: total project deliverables completed
3: industry partners in the consortium

The business problem

What needed solving

Companies face growing cyber threats but cannot share attack intelligence with peers or outsource detection without exposing their confidential data. Security analysts in SOCs are overwhelmed — manually investigating incidents and reinventing response procedures that others have already solved. Small and mid-size companies lack the resources for in-house intrusion detection but cannot trust external providers with their sensitive network data.

The solution

What was built

SAPPAN delivered a complete integrated cyber threat intelligence platform with 9 working demonstrators: a visual dashboard for SOC operators, interactive detection model design tools, federated learning support for distributed threat detection, uncertainty visualization for ML-based decisions, and analysis provenance tracking. The final system was piloted across 2 multinational companies, 1 NREN, and 2 CSIRTs.

Audience

Who needs this

Enterprise CISOs managing multi-site security operations
Managed Security Service Providers (MSSPs) offering SOC-as-a-Service
National CERTs and CSIRTs coordinating cross-border threat response
Research and education networks protecting distributed institutions
Industry sectors forming Information Sharing and Analysis Centers (ISACs)

Business applications

Who can put this to work

Financial Services
enterprise
Target: Banks and insurance companies with distributed IT operations

If you are a bank dealing with increasingly sophisticated cyber attacks across multiple branches — SAPPAN developed a privacy-preserving threat intelligence platform that lets you share attack patterns with other financial institutions without exposing your internal data. The system was demonstrated in environments of 2 multinational companies and uses federated machine learning so your sensitive customer data never leaves your network.

Managed Security Services
mid-size
Target: MSSPs and SOC-as-a-Service providers

If you are a managed security provider struggling to scale intrusion detection across dozens of client networks — SAPPAN built a federated detection system that enables outsourced intrusion detection while respecting client confidentiality. The platform includes a visual dashboard for Security Operation Center operators, demonstrated across 2 CSIRTs, reducing the effort analysts need to find optimal responses to attacks.

Higher Education and Research Networks
enterprise
Target: National research and education networks (NRENs) and university IT departments

If you are a research network protecting thousands of connected institutions from cyber threats — SAPPAN was specifically demonstrated in 1 NREN environment, providing automated threat detection using shared anonymized data across institutions. The system standardizes incident response knowledge so your team can reuse proven recovery procedures instead of starting from scratch every time.

Frequently asked

Quick answers

What would it cost to adopt this technology?

The project had a total EU contribution of EUR 4,175,070 across 8 partners over 3 years, reflecting significant R&D investment. Licensing terms would depend on the specific components needed — the platform was built by a consortium led by Fraunhofer, so commercial arrangements would go through them or the individual technology owners.

Can this scale to large enterprise environments?

Yes — the system was specifically designed for and demonstrated in environments of 2 multinational companies, 1 National Research and Education Network, and 2 Computer Security Incident Response Teams. The federated architecture means it scales horizontally as more organizations join without centralizing sensitive data.

What is the IP situation and how can I license this?

The project was an Innovation Action (IA) under Horizon 2020 with 8 partners including 3 industry players and Fraunhofer as coordinator. IP is typically shared among consortium members under H2020 rules. Commercial licensing would need to be negotiated with the relevant partners who developed specific components.

How does this integrate with our existing security tools?

SAPPAN was built to work with Security Operation Centers (SOCs) and includes a visual dashboard that serves as the end-user frontend. The platform standardizes knowledge for incident response and recovery, which suggests compatibility with existing SIEM and SOAR workflows. The final SAPPAN demonstrator integrated all individual components into one system.

How does the privacy preservation actually work?

SAPPAN uses client-side data abstractions and anonymization before any sharing occurs. It employs federated learning — where machine learning models are trained locally and only the trained models (not raw data) are shared. This means your organization's sensitive security data never leaves your network.
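As an added illustration, not SAPPAN's own code, the federated round described above: two hypothetical organizations (org_a, org_b) each train a small logistic-regression host-risk detector on constructed local data, and only model parameters plus a sample count reach the aggregating server, which combines them by weighted averaging.

```python
import math

# Constructed training data held privately by each organization (not real
# SAPPAN data): rows are [failed_logins_scaled, outbound_bytes_ratio],
# label 1 marks a host judged suspicious by the local SOC.
ORG_DATA = {
    "org_a": ([[0.1, 0.1], [0.2, 0.0], [0.9, 0.8], [0.8, 0.9]], [0, 0, 1, 1]),
    "org_b": ([[0.0, 0.3], [0.1, 0.2], [1.0, 0.7], [0.7, 1.0], [0.9, 0.9],
               [0.2, 0.1]], [0, 0, 1, 1, 1, 0]),
}

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def predict(model, x):
    """Probability that feature vector x describes a suspicious host."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)

def local_train(global_model, X, y, lr=1.0, epochs=20):
    """Client side: refine the shared model on private data with plain
    gradient descent. Only (parameters, sample_count) leaves the network."""
    w, b = list(global_model[0]), global_model[1]
    n = len(X)
    for _ in range(epochs):
        dw, db = [0.0] * len(w), 0.0
        for x, label in zip(X, y):
            err = predict((w, b), x) - label
            for i, xi in enumerate(x):
                dw[i] += err * xi / n
            db += err / n
        w = [wi - lr * dwi for wi, dwi in zip(w, dw)]
        b -= lr * db
    return (w, b), n

def federated_average(updates):
    """Server side: weight each client's parameters by its sample count;
    the server never sees a single raw feature row."""
    total = sum(n for _, n in updates)
    dim = len(updates[0][0][0])
    w = [sum(m[0][i] * n for m, n in updates) / total for i in range(dim)]
    b = sum(m[1] * n for m, n in updates) / total
    return (w, b)

def run_federated(rounds=5):
    """Start from a zero model and alternate local training with aggregation."""
    model = ([0.0, 0.0], 0.0)
    for _ in range(rounds):
        updates = [local_train(model, X, y) for X, y in ORG_DATA.values()]
        model = federated_average(updates)
    return model
```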

What is the current development status?

The project closed in April 2022 with 37 deliverables completed, including 9 demonstrators. Final versions of the dashboard, visual detection model support, and the integrated SAPPAN system demonstrator were all delivered. The technology was validated in 5 real operational environments.

Consortium

Who built it

The SAPPAN consortium of 8 partners across 5 countries (Germany, Finland, Ireland, Czech Republic, Switzerland) is well-balanced for cybersecurity commercialization. Led by Fraunhofer — Europe's largest applied research organization — the project brings together 3 industry partners (38% industry ratio), 3 universities, and 2 research institutes. Having 3 multinational companies as both developers and pilot users means the technology was built with real enterprise needs in mind, not just academic theory. The cross-border composition spanning Western and Central Europe reflects the inherently international nature of cyber threats. No SMEs are in the consortium, which means commercialization would likely come through the existing industry partners or spin-off licensing rather than startup ventures.

How to reach the team

Fraunhofer Gesellschaft (Germany) — coordinator. Use SciTransfer to get connected with the right team.

Next steps

Talk to the team behind this work.

Want to explore how SAPPAN's privacy-preserving threat intelligence can strengthen your cybersecurity operations? SciTransfer can connect you directly with the project team and help assess fit for your organization.