Circle K Achieves Detection as Fast as 4 Seconds with GreyMatter Transit

Circle K is one of the world's largest convenience and fuel retail operators, managing 17,000+ store locations and 25 fuel distribution centers across North America, Europe, and Asia.

Turning obstacles into outcomes
Challenges
A 35-person global security team responsible for securing a $74 billion operation spanning corporate, retail, fuel distribution, and customer data environments
25–35 minute mean time to detect on firewall data—a delay that could cost millions in lost revenue at fuel terminals
Manual containment requiring senior analysts with 15+ years of domain knowledge to classify devices and determine appropriate response actions across distinct environments
Threat actors moving faster than the team could investigate and contain, with alert noise burying real signals
Results
SOC analysts shifted from reactive incident response to proactive threat hunting across the organization
Mean time to detect reduced to sub-10 seconds—as fast as 4 seconds—on firewall data flowing through GreyMatter Transit
Mean time to contain reduced to under 1 minute by combining Transit, Agentic Teammates, and automated workflows
99% reduction in alert noise over 6 months through 20 new Agentic Memories encoding senior analyst decision logic
Overview
Circle K is a proud low-cost operator. Its 35-person security team covers governance, third-party risk, security operations, architecture, and cloud for a $74 billion company operating across four distinct data environments: fuel distribution, corporate, customer, and workforce identity. With no room to scale through headcount, the team needed to implement AI that could carry the operational knowledge of a 15-year veteran and act on it autonomously.
"We needed to reduce the threat actor's time in our environment to reduce overall exposure and potential loss of data or operational activities."
Patrick O'Keefe, Head of Global Cybersecurity Operations & Risk Management, Alimentation Couche-Tard (Circle K)
Firewall data at fuel terminals alone carried a 25–35 minute detection delay—every minute of which compounded that exposure across environments where a wrong response carries seven-figure consequences.
Detection Delays at Fuel Terminals: A Million-Dollar Exposure
Circle K's most sensitive detection challenge sat at 25 fuel distribution centers—critical infrastructure sites where every minute of undetected attacker activity compounds exposure. Firewall data from these environments followed the traditional path: collected, shipped to centralized storage, indexed, then finally correlated and detected. By the time an alert surfaced, threat actors already had a 25–35 minute head start.
How Transit Detects in 4 Seconds—Before Data Lands
GreyMatter Transit runs single- and multi-event detection logic against data while it's still streaming from connected technologies—before it's parsed, indexed, or stored. Transit holds partial event sequences in temporary storage and waits for subsequent events to complete a pattern, creating real-time detection with no ingestion dependency.
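To make the idea of in-stream, multi-event detection concrete, the following is an added illustration, not ReliaQuest's or Circle K's code. The log format, the "deny burst then allow" rule, the window, and the threshold are all assumptions chosen for the example.

```python
from collections import defaultdict, deque

WINDOW_S = 60        # assumed: how long a partial sequence is held
DENY_THRESHOLD = 3   # assumed: denies required before an allow is suspicious

def parse(line):
    """Parse a constructed 'ts src dst:port action' firewall line."""
    ts, src, dst, action = line.split()
    return float(ts), src, dst, action

class StreamDetector:
    """Evaluates each event on arrival; stores only partial-sequence state."""
    def __init__(self, window=WINDOW_S, threshold=DENY_THRESHOLD):
        self.window, self.threshold = window, threshold
        self.denies = defaultdict(deque)  # (src, dst) -> recent deny timestamps

    def feed(self, line):
        ts, src, dst, action = parse(line)
        key = (src, dst)
        q = self.denies[key]
        while q and ts - q[0] > self.window:  # expire stale partial state
            q.popleft()
        alert = None
        if action == "deny":
            q.append(ts)                       # extend the partial sequence
        elif action == "allow" and len(q) >= self.threshold:
            alert = {"rule": "deny_burst_then_allow", "src": src, "dst": dst,
                     "first_seen": q[0], "detected_at": ts}
            q.clear()                          # pattern completed
        if not q:
            del self.denies[key]               # keep temporary storage small
        return alert

SAMPLE = [  # constructed log lines, not real traffic
    "100.0 10.1.1.5 10.9.0.2:502 deny",
    "101.0 10.1.1.5 10.9.0.2:502 deny",
    "102.5 10.1.1.5 10.9.0.2:502 deny",
    "104.0 10.1.1.5 10.9.0.2:502 allow",  # completes the pattern
    "200.0 10.1.1.7 10.9.0.2:502 deny",
    "201.0 10.1.1.7 10.9.0.2:502 deny",
    "202.0 10.1.1.7 10.9.0.2:502 deny",
    "400.0 10.1.1.7 10.9.0.2:502 allow",  # denies expired, no alert
]

def run(lines):
    det = StreamDetector()
    return [a for a in map(det.feed, lines) if a]

if __name__ == "__main__":
    for a in run(SAMPLE):
        print(a)
```

The alert is produced by the same call that receives the completing event, so detection latency is bounded by delivery time rather than by an index-then-query cycle.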
Circle K deployed Transit against the highest-consequence data source first: firewall logs from fuel terminals and corporate environments. Upon initial deployment, Transit delivered sub-30-second detection. As GreyMatter learned Circle K's environment, detection times continued to drop—landing at sub-10 seconds on average, with detections as fast as 4 seconds.
"As we look to the future of what the SIEM is and what it's going to be, it's not going to go away. It needs to be there for compliance reasons, but in true incident response and threat detection, Transit is the way forward."
Patrick O'Keefe, Head of Global Cybersecurity Operations & Risk Management, Circle K
From Detection to Containment in Under One Minute
Sub-10-second detection created the opening—but at Circle K, containment decisions carry environment-specific consequences that previously demanded 15+ years of domain knowledge to navigate. Which device lives in a fuel terminal versus a corporate office? What's the right response action for each?
"Shutting down a store versus shutting down someone's laptop is different. Shutting down a fuel terminal that costs millions—that is very critical. We have to be very cautious in our playbooks and responses to make sure we're doing the right thing for the right type of environment."
Over just 6 months, Circle K deployed 20 new Agentic Memories: which devices live in which segments, what constitutes normal behavior at a fuel terminal versus a retail location, and which response actions are appropriate for each context. With that environmental knowledge in place, GreyMatter resolves alerts autonomously—identifying known-benign patterns and closing them without analyst intervention—reducing noise by 99%. Those Memories, combined with Agentic Teammates, automated response playbooks, and custom workflows, drove mean time to contain under one minute.
"With the tools we've deployed with ReliaQuest, we've been able to show value to our audit committee. They recognize that value—in our overall security posture and being able to strengthen our environment. If you're not using AI to fight AI, you're going to lose—and you'll lose fast."
Patrick O'Keefe, Head of Global Cybersecurity Operations & Risk Management, Circle K


