OTDefend unifies passive network monitoring, a featherweight Windows endpoint agent, integrated threat intelligence and vendor-neutral response — full OT/ICS visibility, detection and protection, from a single PLC to a multi-site, high-availability deployment.
| Severity | Detection | Source → Dest | Protocol |
|---|---|---|---|
| Critical | PLC program download | 10.4.1.22 → 10.4.0.9 | S7comm |
| High | Cross-zone write | 10.7.2.5 → 10.4.1.30 | Modbus |
| Medium | Unexpected new talker | 10.4.1.40 → 10.4.1.11 | DNP3 |
Integrates with the security stack you already run
Network, endpoint, intelligence and response, unified — and engineered to be safe on live process networks.
Pure-passive deep packet inspection of 16+ industrial protocols from a mirror/TAP port — never injects traffic, safe on live process networks.
A dependency-free ~8–11 KB Windows agent runs from XP to 11 — no driver, no reboot. Edge inventory plus a host-IDS streaming new processes, ports and persistence.
Built-in CTI store with TAXII 2.1 / STIX 2.1 feeds matches live traffic — IPs, domains, JA3 fingerprints and file hashes — and alerts on a hit.
Three detection formats in one engine: network IDS signatures, Sigma analytics (host & network) and YARA malware signatures — 688 rules shipped.
Passive CVE / ICS-CERT matching with exposure-weighted prioritization (CVSS × Purdue × KEV) and a full remediation lifecycle.
Strict, server-enforced per-tenant isolation with sites and role-based access — one platform for many plants, customers or business units.
Active/standby core with warm failover, so monitoring and detection keep running through a node loss or maintenance window.
One-way, sequence-numbered sensor uplink with forward-error-correction — collect from diode-protected, air-gapped segments that have no return path.
One "Contain" blocks an attacker at FortiGate / PAN / Check Point and isolates hosts on CrowdStrike / Defender / SentinelOne / Cortex — explicit and reversible.
An offline AI analyst explains every alarm, suggests an OT-safe response and answers asset questions — a local model with zero data egress, safe for air-gapped sites.
Engineer-defined hard limits — min/max and rate-of-change per controller register — catch protocol-valid but physically dangerous commands: the TRITON / Stuxnet class.
Inject Industroyer2, TRITON or BlackEnergy into an isolated engine and watch real alarms and ATT&CK techniques fire on your live stream — one click, instantly cleared.
Some OT hosts can't be watched passively. OTDefend ships a tiny, install-free Windows agent — under ~11 KB, linking only built-in system libraries — that runs from Windows XP through Windows 11 with no .NET, no driver and no reboot.
Collects host details, neighbours, listening ports and processes — write a file for offline upload, or send straight to the console.
Runs persistently to stream new process executions, listening ports and persistence entries — evaluated by host Sigma rules in the core.
No runtime dependencies and a dedicated legacy-TLS upload path, so even XP-era HMIs are covered without risk.
| Severity | Detection | Source |
|---|---|---|
| Critical | Credential dumping (LSASS access) | process |
| High | LOLBin: certutil remote download | process |
| Medium | New persistence — Run key | registry |
| Medium | New listening port 4444 | port |
Lightweight sensors collect at the edge and stream normalized events to a central core that analyzes, stores and serves the console. The same pipeline scales from one appliance to a federated, multi-site deployment.
Live AF_PACKET (incl. multi-queue fanout), AF_XDP zero-copy, SPAN/RSPAN/ERSPAN decapsulation and PCAP replay — or all-in-one, with the core capturing on its own NICs, no separate sensor.
HTTP store-and-forward, NATS JetStream, mTLS enrollment, or a one-way UDP path for true data-diode segments.
Multi-tenant isolation, an HA core and multi-site federation — backed by durable PostgreSQL/TimescaleDB, ClickHouse or OpenSearch event stores.
Offline Docker bundle, .deb sensor or a hardened, bootable appliance ISO — with a performance proof pack (EPS, peak and storage projections) for clean sizing.
OTDefend learns your entire industrial network from observed traffic and renders it as a live, interactive map — relational, Purdue-zoned and inventory views, with cross-zone violations highlighted instantly.
Device-type icons coloured by health, animated flow edges, and per-flow detail on hover.
Devices placed in their level (L0–L5) with observed connections and live zone-violation markers.
Inventory grouped by zone with vulnerability exposure surfaced where it matters.
| Modbus/TCP | FC16 · write multiple |
| S7comm | PLC program download |
| DNP3 | Cold restart |
| IEC-104 | C_SC · single command |
| OPC UA | Write · 12 nodes |
OTDefend's pure-Go engine reads industrial protocols on the wire — classifying read, write, program, firmware and start/stop intent — and ships a maintained, license-clean content set validated against the real engines.
Modbus (TCP & RTU), S7comm, DNP3, EtherNet/IP, IEC-104, IEC 61850, PROFINET, EtherCAT, POWERLINK, CC-Link IE, OPC UA, BACnet, FINS, MELSEC, HART-IP and more.
New-talker, out-of-range process variables, blind state changes and off-cadence anomalies, learned from a baseline — with an optional unsupervised ML anomaly sidecar.
Real attack scenarios (Industroyer2, TRITON, BlackEnergy) replay-verify ATT&CK coverage — and inject safely into an isolated engine for an on-demand, live demo.
Specialized solutions for the critical infrastructure that can't afford downtime.
EnergySCADA/RTU protection and IEC 61850/DNP3 inspection for uninterrupted supply.
ManufacturingPLC/CNC security and Modbus/PROFINET/EtherNet/IP coverage for Industry 4.0.
Oil & GasUpstream-to-downstream visibility across remote pipelines, terminals and refineries.
"OTDefend lifted the security of our industrial systems to the next level — easy to use and quick to integrate with what we already run."
"Being able to visually monitor our network topology and catch threats early has made it indispensable to our operations team."
"The reporting makes preparing the security briefings we present to the board dramatically faster and clearer."
Book a personalized demo and watch OTDefend discover assets, map your network and surface threats — passively, in minutes.