Methods, systems, and apparatus for a threat detection system. The threat detection system includes a threat forensics platform. The threat forensics platform includes a memory. The memory is configured to store a baseline model of controller area network (CAN) data. The threat forensics platform includes a processor coupled to the memory. The processor is configured to obtain CAN data including multiple messages. The processor is configured to compare the CAN data including the multiple messages with the baseline model. The processor is configured to determine a threat score for the CAN data based on the comparison and determine that there is a threat within the CAN data based on the threat score. The processor is configured to provide an indication that there is the threat to a driver of a vehicle or to a service provider.