May 8, 2026
GigaOm Radar for Operational Technology (OT) Security v4
Chris Ray
Analyst at GigaOm
1. Executive Summary
Operational technology (OT) security solutions protect critical industrial control systems (ICS), supervisory control and data acquisition (SCADA) networks, and other operational infrastructure from evolving cyberthreats. These specialized security platforms bridge the gap between traditional IT security and industrial environments, providing visibility, threat detection, and protection for systems that control physical operations and critical infrastructure. As industrial systems become deeply integrated with AI-driven analytics and the internet, they represent high-value targets for threat actors seeking to disrupt operations, compromise safety systems, or extract intellectual property.
For executive leadership, OT security represents a critical business imperative rather than merely a technical requirement. Active state-sponsored campaigns on industrial infrastructure demonstrate that operational disruptions can result in substantial financial losses, regulatory penalties, physical safety incidents, and reputational damage. The convergence of IT and OT environments has created security blind spots that conventional security tools cannot address due to the unique protocols, operational requirements, and legacy technology common in industrial settings. Organizations with significant operational technology environments, including manufacturing, utilities, energy, transportation, and critical infrastructure, face escalating risks that demand specialized, outcome-oriented security approaches.
This report evaluates OT security solutions designed specifically for industrial environments rather than general-purpose cybersecurity tools repurposed for OT. Included solutions must provide purpose-built capabilities for industrial protocols and environments, demonstrating specialized functionality beyond conventional IT security measures. We focus on platforms that can be deployed in production environments without compromising operational reliability or safety, a critical consideration for industrial systems where availability is paramount.
The solutions evaluated combine several essential capabilities: comprehensive asset discovery and inventory of OT environments, continuous monitoring for threats and anomalies, granular visibility into industrial protocols and communications, and specialized threat detection for OT-specific attack patterns. In 2026, market leaders also deliver automated remediation workflows calibrated to industrial environments, unified security across IT, OT, and cloud boundaries, and secure methods for zero trust vendor and remote access management.
This is our fourth year evaluating the OT security space in the context of our Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.
This GigaOm Radar report examines 22 of the top OT security solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria). It provides an overview of the market, identifies leading OT security offerings, and helps decision-makers evaluate these solutions so they can make a more informed investment decision.
2. Market Categories and Deployment Types
To help prospective customers find the best fit for their use case and business requirements, we assess how well OT security solutions are designed to serve specific target markets and deployment models (Table 1).
For this report, we recognize the following market segments:
Small-to-medium business (SMB): In this category, we assess solutions on their ability to meet the needs of organizations ranging from small businesses to midsize companies. Also assessed are departmental use cases in large enterprises where ease of use and deployment are more important than extensive management functionality, data mobility, and feature set.
Large enterprise: Here, offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category will have a strong focus on flexibility, performance, data services, and features that improve security and data protection. Scalability is another big differentiator, as is the ability to deploy the same service in different environments.
Public sector: Solutions for this market are gauged on their fit for government, education, and public services, with emphasis on meeting stringent regulatory and security requirements. Ideal offerings prioritize secure handling of sensitive data, system interoperability, and scalability for extensive deployments. The ability to seamlessly integrate with existing infrastructure and support various public functions is crucial.
In addition, we recognize the following deployment models:
Physical appliance (on-prem): This is the most traditional form, where the manufacturer supplies the hardware preinstalled with its software.
Public cloud service: This model offers OT security solutions hosted by popular cloud service providers, enabling quick scalability and easy integration with minimal upfront costs, but may limit interoperability with other services.
Software/virtual machine (VM): Here we include VM images as well as cloud images and ready-to-deploy containers.
SaaS: These solutions are available only in the cloud and are often designed, deployed, and managed by the service provider. Sometimes, availability is limited to one or a few specific providers. The advantages of this type of solution include integration with other services offered by the cloud provider (such as functions) and overall simplicity.
Table 1. Vendor Positioning: Target Market and Deployment Model
Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).
“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.
3. Decision Criteria Comparison
All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:
Network-based threat detection
Support for digital-to-physical communication systems
Agentless deployments
Support for wired and wireless network protocols
Detailed logging of security events for OT systems
Automated asset discovery
Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.
Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating an OT security solution
Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months
Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization
These decision criteria are summarized below.
Key Features
LLM-based remediation guidance: Large language model (LLM)-based remediation guidance leverages artificial intelligence (AI) to provide contextually relevant, step-by-step instructions for addressing detected OT security issues. This capability transforms generic alerts into actionable guidance, enabling faster incident response and reducing the specialized knowledge required to remediate threats in complex industrial environments.
Dynamic network segmentation: Dynamic network segmentation is a feature that automatically segregates network traffic within OT environments to enhance security and manageability. It is pivotal for minimizing the attack surface and containing potential breaches by isolating critical systems and functions.
AI technologies for threat detection: AI technologies for threat detection employ advanced algorithms and machine learning (ML) to identify and respond to cybersecurity threats in real time. This capability is crucial for preemptively recognizing and mitigating sophisticated cyberattacks that traditional security tools may overlook.
Protocol and application decoding: Protocol and application decoding is a critical feature for understanding and monitoring the data traffic and commands specific to OT environments. It enables deeper insight into network operations and potential security threats by interpreting the unique protocols and applications common in ICS.
OT-specific threat intelligence: OT-specific threat intelligence involves gathering and analyzing information about emerging or existing threats specifically targeting OT environments. This intelligence is crucial for preemptively identifying vulnerabilities and fortifying defenses against attacks tailored to disrupt critical infrastructure systems.
Unified IT/OT security: Unified IT/OT security integrates traditionally separate security infrastructures to provide comprehensive visibility and protection across both information technology and operational technology environments. This convergence enables organizations to implement consistent security controls, streamline threat detection, and coordinate incident response across the entire technology stack, addressing the growing attack surface where IT and OT systems intersect.
Visualization of OT asset relationships: Visualizations of OT asset relationships provide a graphical representation of how operational technology assets connect and interact within an organization's network. This visibility is crucial for understanding the potential pathways of cyberthreats and optimizing security responses.
Hybrid asset discovery: Hybrid asset discovery combines passive traffic analysis with safe, vendor-approved active querying to create a real-time, high-fidelity inventory. This dual approach is essential for identifying transient devices and deep-nested assets while ensuring zero disruption to sensitive industrial control processes.
OT supply chain security: OT supply chain security provides specialized capabilities to verify the integrity and security posture of industrial components, software, and third-party systems before or after they connect to operational environments. This emerging capability helps organizations identify vulnerable or compromised elements in their industrial supply chain, mitigating the risk of supply chain attacks that could introduce backdoors, malicious code, or counterfeit components into critical infrastructure systems.
Table 2. Key Features Comparison
Emerging Features
Secure remote access: Secure remote access provides tightly controlled, authenticated, and encrypted connectivity for vendors and remote employees requiring access to OT environments. This capability enables essential remote maintenance and monitoring while implementing granular access controls, session monitoring, and comprehensive audit trails to mitigate the significant risks associated with third-party connections to critical infrastructure.
Deception technology: Deception technology involves creating traps or decoys within a network to detect, confuse, and divert potential attackers. Its importance lies in its ability to proactively identify threats by enticing attackers away from actual assets and into controlled environments.
Digital twins: Security-focused digital twins provide a virtualized, high-fidelity replica of the industrial environment to simulate cyberattacks and validate security patches without risking physical production uptime. This capability is vital for transitioning from reactive defense to predictive resilience in high-availability critical infrastructure.
Table 3. Emerging Features Comparison
Business Criteria
Cost transparency: Cost transparency refers to the clarity and predictability of the total financial investment for OT security. It goes beyond the initial price to assess total cost of ownership (TCO), including hardware, licensing, and support. High transparency helps prevent budget disruptions from hidden fees and ensures measurable ROI.
Ease of use: Ease of use describes the simplicity and intuitiveness of deploying, managing, and operating OT security solutions. It is important to ensure that all levels of technical staff can use the system effectively, maximizing the solution's effectiveness and minimizing human error.
Flexibility: Flexibility refers to the ability of an OT security solution to adapt to changing requirements and integrate with diverse systems. It is crucial, as OT environments are constantly evolving, and solutions must be able to accommodate new technologies and evolving threats seamlessly.
Scalability: Scalability refers to the capability of OT security solutions to adapt and expand according to the growing and changing needs of an organization. This is essential, as it ensures that cybersecurity investments can support both current operations and future growth without requiring frequent, costly replacements or upgrades.
Certification: Certification refers to the official recognition that an OT security solution meets specific industry standards and regulatory requirements. This is vital, as it ensures that the solution adheres to best practices for security, reliability, and interoperability and instills confidence in its ability to protect critical infrastructure.
Table 4. Business Criteria Comparison
4. GigaOm Radar
The GigaOm Radar plots vendor solutions across a series of concentric rings, with those positioned closer to the center being judged as having the most complete solution. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s expected evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for OT Security
As you can see in Figure 1, the OT security market has evolved from fragmented, visibility-centric tools into a consolidated landscape of integrated protection platforms. As predicted in our 2025 assessment, the "low-hanging fruit" of simple asset discovery has been plucked; the current chart reflects a decisive shift toward Platform Play and Innovation, driven by the need for automated remediation and deep supply chain integrity.
A notable "gravitational pull" toward the center of the Radar indicates a maturing market where the Leaders circle is becoming more crowded. This isn't due to a lowering of the bar, but rather a rapid baseline elevation where features like hybrid asset discovery and OT supply chain security are now essential for entry into the inner rings.
The distribution of vendors provides a clear narrative of the current buying landscape:
Innovation vs. Maturity: There is a nearly equal distribution across the vertical axis, though the Outperformers are predominantly found in the Maturity half. This suggests that vendors are identifying the most impactful features and are now focusing on rapidly maturing these capabilities.
Platform Play vs. Feature Play: The market is heavily weighted toward Platform Play vendors. This reflects a shift in buyer behavior; CSOs are moving away from managing "mosaics of tools" in favor of holistic platforms that reduce the cognitive load on security teams. The few remaining in Feature Play are highly specialized solutions focusing on specific areas like workload protection and microsegmentation.
The Leaders circle: The increased density of the Leaders circle indicates a convergence of capability. Several vendors from the 2025 Challenger tier have successfully executed their roadmaps, moving inward by expanding their cloud integrations and proving their automated response capabilities in production environments.
The transition from version 3 to version 4 highlights significant vendor churn and movement:
New entrants: We have added several new players this year, specifically those focusing on microsegmentation and firmware-level supply chain security. These vendors entered the Radar directly as Fast Movers, reflecting how quickly new specialized technologies are being adopted to meet 2026 regulatory mandates like NIS2.
Departures and M&A: A few names from the 2025 Radar are absent, having been absorbed by larger platform providers. This consolidation validates our Platform Play thesis, which says standalone OT visibility tools are increasingly viewed as features rather than independent products.
Progressive shifts: Most Forward Movers from last year have progressed toward the center as Fast Movers, showing that the industry's development velocity remains high. However, a few vendors in the Maturity/Feature Play quadrant have remained static; for these solutions, the challenge will be evolving their legacy architectures fast enough to keep pace with the agentic AI and digital twin trends now defining the Outperformer category.
In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.
INSIDE THE GIGAOM RADAR
To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.
Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.
For more information, please visit our Methodology.
5. Solution Insights
Acalvio: ShadowPlex
Solution Overview
Acalvio provides ShadowPlex, a platform focused on active defense and attack surface reduction through advanced deception technology. Its primary objective is preemptive threat detection across converged IT, OT, cloud, and identity environments. The solution employs autonomous deception to create high-fidelity decoys and honeytokens that mislead attackers and reveal their intent early in the kill chain. By integrating directly with existing security infrastructure, ShadowPlex provides a layer of active defense that complements traditional detection and response tools.
The platform architecture is agentless, utilizing lightweight software sensors to project deceptive assets across the network without disrupting operational workflows. Acalvio's ShadowPlex is positioned as a Platform Play, offering a unified dashboard for managing converged infrastructure and automating the deployment and rotation of decoys. The solution will look and feel largely the same over the contract lifecycle. Acalvio prioritizes stability and continuity, providing a dependable foundation for long-term security strategies while delivering methodical improvements to its core deception and analytics engines.
Acalvio is positioned as a Challenger and Outperformer in the Maturity/Platform Play quadrant of the OT security Radar chart.
Strengths
Acalvio scored well on a number of decision criteria, including:
AI technologies for threat detection: Intent-based analytics use machine learning to correlate attacker interactions with deceptive assets, enabling the system to identify malicious intent with high precision. This focus on behavioral patterns allows security teams to detect stealthy tactics and prioritize responses based on verified threats rather than simple anomalies.
Unified IT/OT security: The single-console management interface provides a unified view of converged IT and OT environments, facilitating consistent security policy application across diverse asset types. This centralized approach reduces administrative overhead and enables faster correlation of threats that pivot between information and operational technology domains.
Deception technology: Fluid Deception technology automates the deployment of more than 350 autonomous decoys that dynamically adapt to the network environment to maintain realism. By morphing the attack surface in real time, the solution forces attackers to engage with nonproduction assets, increasing the likelihood of early detection and providing rich forensic data without risking critical infrastructure.
Acalvio is classified as an Outperformer thanks to its accelerated development pace in the last 12 months, particularly in expanding its autonomous decoy palette and enhancing its AI-driven intent analytics. The solution demonstrates strong momentum in the integration of deception-based detection into broader enterprise security architectures.
Opportunities
Acalvio has room for improvement in a few decision criteria, including:
Protocol and application decoding: The platform focuses on expert-level decoding of standard protocols, which may limit visibility for organizations utilizing proprietary or highly specialized industrial protocols. The absence of a programmable SDK and encrypted traffic analysis means security teams must rely on prebuilt decoders, potentially creating blind spots in environments with custom or encrypted communication streams.
OT supply chain security: Automated vulnerability monitoring provides visibility into known asset exposures but lacks deep firmware binary analysis or hardware bill of materials (HBOM) inspection. Organizations requiring granular insights into the internal composition of third-party OT components may need to supplement the solution with dedicated supply chain analysis tools to address hidden firmware risks.
Dynamic network segmentation: The solution utilizes rules-based triggers for third-party enforcement of segmentation, which can create delays in response compared to native microsegmentation capabilities. Lacking native PLC-level segmentation or automated moving target defense (AMTD) cloaking, the platform depends on external networking equipment to isolate threats, potentially introducing complexity in heterogeneous OT environments.
Purchase Considerations
Acalvio's solution employs a predictable tiered subscription pricing model based on asset volume, primarily focusing on the number of protected endpoints and decoys. This structure allows organizations to scale their active defense strategy in alignment with their infrastructure growth. The platform is designed for enterprise-scale deployments, with the capacity to handle more than 100,000 endpoints through optimized data processing and sensor distribution.
Implementation is streamlined via an agentless architecture and an AI-assisted user interface that simplifies the design and deployment of deception strategies. The solution offers flexible deployment options, including SaaS, public and private cloud, software and VM, and physical appliances, catering to diverse architectural requirements. Its FedRAMP Ready status and SOC 2 (System and Organization Controls 2) compliance make it a viable option for public sector and highly regulated organizations. The system provides high-fidelity alerts and actionable intelligence shortly after deployment, reducing time-to-value for security operations teams.
Use Cases
Acalvio excels in large enterprise environments with converged IT/OT infrastructure where early detection of lateral movement is critical. Financial institutions and energy companies can leverage ShadowPlex to protect critical production assets by diverting attackers to high-fidelity decoys, while the unified console helps security teams manage risk across the entire environment.
The solution is particularly well suited for public sector organizations and government agencies requiring FedRAMP-compliant security measures. Its agentless deployment allows these organizations to establish a proactive defense posture without the operational risks associated with installing software on sensitive or legacy systems. Organizations looking to enhance their zero trust architecture benefit from Acalvio's identity protection capabilities, which help detect credential misuse and privilege escalation through deceptive service accounts.
Armis: Centrix
Solution Overview
Armis provides a comprehensive asset intelligence and security platform designed to address the unique challenges of unmanaged, IoT, and OT environments. The core of the offering is the Armis Centrix platform, which employs an agentless, passive monitoring approach to discover and classify every device across the enterprise, from traditional IT infrastructure to specialized ICS and medical devices. By analyzing device behavior in real time and comparing it against a massive database of billions of known assets, the solution identifies vulnerabilities, detects threats, and provides actionable risk assessments without the need for intrusive scans that could disrupt critical operations.
The architecture is cloud-native and scales to support global deployments, integrating seamlessly with existing network infrastructure and security tools like network access control (NAC), firewall, and SIEM. The solution will look and feel different over the contract lifecycle. Armis delivers an aggressive roadmap, frequently introducing new modules for vulnerability management, threat detection, and asset intelligence to keep pace with evolving industrial threats and emerging technologies.
Armis is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the OT security Radar chart.
Strengths
Armis scored well on a number of decision criteria, including:
Protocol and application decoding: The Armis programmable SDK enables the creation of custom dissectors for proprietary industrial protocols, allowing security teams to gain granular visibility into specialized OT traffic that standard tools often fail to interpret. This capability ensures that organizations with legacy or highly customized environments can maintain a unified security posture across all communication layers.
Digital twins: The Centrix high-fidelity mirror creates a virtual replica of the physical environment to simulate "what-if" attack scenarios, which empowers operators to validate security controls and identify potential impact points without risking the stability of live production systems. This proactive modeling reduces the time required to assess the feasibility of remediation strategies.
Visualization of OT asset relationships: Interactive topology maps and PLC module views visualize the complex interconnections between industrial assets, helping analysts identify lateral movement risks and understand the dependencies between physical components and digital controllers. This structural clarity simplifies the process of identifying critical failure points and prioritizing incident response efforts.
Armis is classified as an Outperformer thanks to its aggressive development pace over the last year, demonstrated by the launch of the Centrix platform and the expansion of its digital twin and custom protocol decoding capabilities. The solution shows strong potential for continued market leadership through its focus on high-fidelity simulation and deep asset intelligence.
Opportunities
Armis has room for improvement in a few decision criteria, including:
Dynamic network segmentation: While the platform provides AI-driven policy recommendations for microsegmentation, it currently lacks AMTD or cloaking mechanisms, limiting an organization's ability to autonomously hide critical assets from attackers once they have breached the initial perimeter.
OT supply chain security: The solution's reliance on automated asset profiling and vulnerability monitoring for supply chain assessments provides a foundational view of software components but may struggle to identify deeply embedded hardware vulnerabilities or verify the integrity of firmware updates from third-party vendors. Organizations requiring deep hardware-level integrity checks may need to supplement the platform with specialized supply chain tools.
Deception technology: The use of smart honeypots provides high-interaction deception, yet the absence of autonomous real-time morphing capabilities means that decoys remain static, potentially allowing sophisticated adversaries to distinguish them from authentic production assets during a prolonged reconnaissance phase.
Purchase Considerations
Armis employs a subscription-based pricing model that scales according to the number of protected assets within the environment. This structure allows organizations to start with a focused deployment on critical OT segments and expand to the full enterprise as needed. As a Platform Play, the solution offers a broad suite of integrated security capabilities, which reduces the need for multiple point products but requires a strategic commitment to the Armis ecosystem to realize maximum value.
Implementation is streamlined through its agentless architecture, typically providing initial asset visibility and risk insights within hours of deployment. The platform supports a wide range of enterprise integrations, facilitating the automated orchestration of security policies across firewalls and NAC solutions. For large-scale deployments, Armis offers dedicated technical account management and professional services to assist with complex network mapping and the customization of protocol dissectors. The platform holds FedRAMP authorization and DoD Impact Level 5 (IL5) accreditation. Licensing is available on a per-asset, per-site, or FTE basis with adaptations for industry-specific environments.
Use Cases
Armis excels in large-scale manufacturing and critical infrastructure environments where uptime is paramount. Global manufacturers can leverage the Centrix platform to maintain a real-time inventory of production-line programmable logic controllers (PLCs) and sensors, while the digital twin functionality allows them to simulate security patches before applying them to physical hardware.
Healthcare organizations also benefit from the platform's ability to secure diverse medical device ecosystems. By providing deep visibility into IoMT (Internet of Medical Things) devices and their communication patterns, Armis helps hospitals ensure patient safety and regulatory compliance without interfering with sensitive clinical equipment. The visualization of asset relationships is particularly valuable here for identifying potential paths between guest Wi-Fi networks and critical medical systems.
Check Point: Check Point IoT Security
Solution Overview
Check Point provides a comprehensive security solution for industrial environments through its Check Point IoT Security platform. The offering focuses on delivering visibility and security for OT assets by integrating with existing network infrastructure, specifically Check Point’s security gateways. The solution leverages a combination of automated asset discovery, risk assessment, and policy enforcement to secure complex ICS and building management systems (BMS).
The platform’s architecture is built on the Check Point Infinity architecture, which centralizes management and threat intelligence across IT and OT environments. This integration allows organizations to apply consistent security policies across the entire enterprise while using specialized OT protocols and deep packet inspection to protect sensitive industrial processes. The solution will look and feel largely the same over the contract lifecycle. Check Point prioritizes stability and continuity, focusing on the methodical integration of OT capabilities into its established security ecosystem rather than frequent, disruptive architectural changes.
Check Point is positioned as a Challenger and Forward Mover in the Maturity/Platform Play quadrant of the OT security Radar chart.
Strengths
Check Point scored well on a number of decision criteria, including:
LLM-based remediation guidance: The Infinity AI Copilot utilizes large language models to assist security teams with policy creation and technical troubleshooting. This enables administrators to generate complex security rules and resolve configuration issues through natural language interactions, which reduces administrative overhead and accelerates the deployment of security controls in complex OT environments.
Protocol and application decoding: Check Point natively integrates its Streaming Inspection Engine and a programmable SDK for custom dissector development, which provides granular, deep-packet inspection (DPI) for more than 1,800 industrial protocols. This technical depth allows security teams to decode proprietary traffic and identify subtle anomalies in command-and-control communication within niche OT environments.
OT-specific threat intelligence: Check Point integrates real-time predictive intelligence that is mapped directly to the MITRE ATT&CK for ICS framework. This mapping allows security operations centers to correlate anomalies with specific adversary tactics, improving the accuracy of threat detection and enabling a more proactive defense posture against industrial-specific attacks.
Opportunities
Check Point has room for improvement in a few decision criteria, including:
Dynamic network segmentation: The platform lacks native automated moving target defense (AMTD) cloaking and deep PLC-level microsegmentation capabilities. This results in a less granular security model for the lowest levels of the industrial hierarchy, which can limit the ability of organizations to protect individual device-to-device communications within a local control cell.
OT supply chain security: Analysis within the platform is primarily focused on firmware Common Vulnerabilities and Exposures (CVEs) and known components, lacking full HBOM validation and deep binary analysis. This limitation impacts the depth of asset risk profiling, as it may miss hidden vulnerabilities or supply chain compromises within the physical hardware components of OT devices.
Deception technology: The solution relies on third-party integrations rather than providing a native, high-interaction industrial honeypot. This reliance increases implementation complexity for organizations seeking integrated deception capabilities and may lead to fragmented visibility when managing deceptive defenses alongside core security functions.
Check Point was classified as a Forward Mover given its focus on the architectural consolidation of its IoT security features into the unified Infinity platform. This strategic emphasis on management stability and enterprise integration has resulted in a more measured release cadence for niche OT-specific features compared to more agile, pure-play competitors in the market.
Purchase Considerations
Check Point IoT Security employs a gateway-model-based subscription structure, with pricing tied to gateway type and count rather than total asset volume. As a Platform Play, the solution is most cost-effective for organizations already utilizing the Check Point Infinity architecture, as it allows for the consolidation of management licenses and the reuse of existing hardware for OT visibility. The pricing is transparent and typically scales according to the volume of industrial traffic and the number of sites being monitored.
The implementation process is streamlined for existing Check Point customers, as OT security features can be enabled on current gateways via software updates. For new environments, the deployment is generally agentless, relying on network-based discovery to minimize impact on sensitive industrial processes. Check Point provides comprehensive professional services and technical account management to assist with the initial mapping of OT protocols and the tuning of security policies to ensure industrial uptime is maintained.
Use Cases
Check Point excels in large-scale enterprise environments that require unified management of both IT and OT security. Manufacturing organizations can leverage the platform’s integration with established security gateways to enforce consistent segmentation policies across global production sites, while the Infinity AI Copilot helps lean security teams manage the increased complexity of industrial rule sets.
Critical infrastructure providers, such as water and energy utilities, benefit from the platform’s real-time threat intelligence and MITRE ATT&CK mapping. These features allow operators to identify and respond to nation-state-level threats targeting specific industrial protocols, ensuring that response procedures are aligned with recognized adversary techniques.
Cisco: Cyber Vision
Solution Overview
Cisco provides a comprehensive OT security solution primarily through Cisco Cyber Vision, which integrates deeply with the company's extensive industrial networking portfolio. The solution focuses on delivering visibility and security by embedding monitoring capabilities directly into network hardware, such as industrial switches, routers, and gateways. This architectural choice allows for distributed DPI at the edge, eliminating the need for separate, costly sensor hardware or complex span-port configurations. The methodology centers on automated asset discovery and continuous monitoring, leveraging the scale of the existing network infrastructure to provide real-time insights into industrial processes.
The platform architecture is designed to support large-scale, distributed environments, utilizing edge sensors that report back to a centralized management center, which can be deployed on-prem or in the cloud. Cisco's strategy emphasizes a platform play, unifying IT and OT security through integrations with Cisco Identity Services Engine (ISE) and Cisco XDR. This approach allows organizations to apply consistent security policies across the entire enterprise. The solution will look and feel different over the contract lifecycle as Cisco delivers an aggressive roadmap, frequently introducing new integrations and AI-driven capabilities to its security stack.
Cisco is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the OT security Radar chart.
Strengths
Cisco scored well on a number of decision criteria, including:
Dynamic network segmentation: Cisco Identity Services Engine (ISE) enables adaptive microsegmentation by applying identity-based policies to OT assets discovered by Cyber Vision. This integration allows for the automated enforcement of security groups and access controls, which reduces the risk of lateral movement by containing threats at the network edge without requiring manual VLAN reconfigurations.
Protocol and application decoding: The deep packet inspection engine supports more than 5,000 industrial protocol dissectors, providing granular visibility into proprietary and standard ICS and SCADA communications. This extensive decoding capability allows the system to identify specific industrial commands and parameter changes, which enables more accurate anomaly detection and helps prevent unauthorized process modifications.
OT-specific threat intelligence: Cisco Talos provides expert-curated industrial threat intelligence, drawing from one of the world's largest commercial threat research teams. This intelligence includes specific signatures for industrial vulnerabilities and active threat campaigns, which empowers security teams to proactively defend against specialized attacks targeting critical infrastructure.
Opportunities
Cisco has room for improvement in a few decision criteria, including:
Visualization of OT asset relationships: Interactive maps and logical zone grouping provide a baseline for understanding the environment, but the visualization often lacks the deep cross-site global topology required for complex, multinational deployments. This can make it difficult for administrators to quickly assess the physical and logical interdependencies between assets across different geographic locations or disparate business units.
OT supply chain security: The platform offers component tracking and vulnerability monitoring for industrial assets, yet it lacks the native, automated firmware and binary analysis capabilities found in more specialized supply chain security tools. This results in a reliance on external data sources for identifying risks within embedded software components, potentially leaving gaps in the assessment of third-party hardware integrity.
Digital twins: Robust historical recording and traffic logging are available, but the solution lacks high-fidelity, physics-aware simulation capabilities. Without a physics-based model of the industrial process, organizations are limited in their ability to conduct "what-if" testing or predict the physical consequences of a cyberattack on specific machinery or production lines.
Purchase Considerations
Cisco's solution employs a tiered subscription pricing model based on the number of endpoints or assets monitored. This structure is designed to scale with the organization's growth, though buyers should consider the hardware requirements for edge sensors if they are not already using compatible Cisco industrial networking equipment. The Platform Play designation is a significant advantage for organizations already invested in the Cisco ecosystem, as it allows for a unified security posture across both IT and OT domains.
Implementation is streamlined for existing Cisco customers, as security monitoring can often be enabled as a software feature on supported switches and routers. This reduces time-to-value, with asset discovery beginning as soon as the edge sensors are activated. For organizations with diverse hardware environments, Cisco provides software-based sensors and VM deployment options, though the full benefits of the distributed architecture are most realized within a Cisco-centric network. Support models include global access to Cisco Technical Assistance Center (TAC) and the option for dedicated technical account managers to assist with large-scale deployments and migration complexity.
Use Cases
Cisco excels in large-scale manufacturing environments where the integration with existing network infrastructure is paramount. Manufacturers can leverage the distributed DPI capabilities to gain visibility into thousands of machines across multiple plants, while the integration with Cisco Identity Services Engine (ISE) helps automate the enforcement of least privilege access policies to protect critical production lines.
Global utility providers also benefit from Cisco's platform-centric approach. The solution's ability to correlate threat intelligence from Cisco Talos with local network behavior helps identify sophisticated attacks targeting energy grids or water treatment facilities. The centralized management of distributed edge sensors allows for consistent security monitoring across remote substations and central control rooms, facilitating a unified response to regional or national security threats.
Claroty: The Claroty Platform
Solution Overview
Claroty provides a unified security platform for CPS spanning industrial (OT), healthcare (IoMT), and commercial (IoT) environments. Its core offerings, including xDome, Continuous Threat Detection (CTD), and Secure Remote Access (SRA), focus on DPI and protocol analysis to secure critical infrastructure. The solution leverages agentless discovery and an extensive library of industrial protocols to provide visibility into assets that are often invisible to traditional IT security tools. By combining threat detection, vulnerability management, and secure access, Claroty enables organizations to manage the entire security lifecycle of their connected assets.
The platform architecture supports diverse deployment models, including cloud-native, on-prem, and air-gapped configurations, ensuring it can meet the requirements of highly regulated industries. As a Platform Play vendor, Claroty emphasizes a holistic approach to visibility and risk management across extended IoT (XIoT). The solution will look and feel largely the same over the contract lifecycle. Claroty prioritizes stability and continuity, focusing on deepening its existing protocol support and refining its core detection engines rather than pivoting its architectural foundation.
Claroty is positioned as a Challenger and Outperformer in the Maturity/Platform Play quadrant of the OT security Radar chart.
Strengths
Claroty scored well on a number of decision criteria, including:
LLM-based remediation guidance: The AI-powered cyber-physical systems (CPS) Library automates asset identification and provides rich operational context using assistive AI benchmarks. This reduces the manual burden on security analysts by automatically categorizing assets and providing clear guidance on remediation steps, which accelerates incident response in complex environments.
AI technologies for threat detection: Claroty utilizes five specialized engines designed to detect behavioral anomalies within industrial traffic. These engines identify deviations from established process norms, enabling organizations to spot stealthy movements or unauthorized changes that might signal an early-stage attack or operational malfunction.
OT-specific threat intelligence: The solution integrates original vulnerability research from Claroty's Team82 group and maps findings to Cybersecurity and Infrastructure Security Agency (CISA) advisories and the MITRE ATT&CK for ICS framework. This provides security teams with industry-specific intelligence and standardized threat modeling, allowing them to prioritize defensive measures against the most relevant threats to their specific infrastructure.
Claroty is classified as an Outperformer thanks to its accelerated development pace over the last 12 months, specifically in its AI-driven asset identification and the integration of advanced threat research into its core platform. The solution continues to lead in protocol depth and the ability to scale across massive, globally distributed site architectures.
Opportunities
Claroty has room for improvement in a few decision criteria, including:
Unified IT/OT security: The platform currently relies on bidirectional integration with external SIEM, SOAR, and endpoint detection and response (EDR) tools for unified visibility. However, it lacks native platformization across emerging connectivity types such as 5G, satellite, and distributed cloud-native edge environments, which can create visibility gaps for organizations adopting advanced industrial networking technologies.
Visualization of OT asset relationships: While the solution provides interactive maps and dependency visualizations, it does not yet incorporate physics-aware incident graphs that map cyber events to physical outcome risks. This can limit an operator's ability to immediately understand the real-world physical consequences of a security event, potentially delaying critical operational decisions.
Digital twins: Claroty’s digital twin capabilities offer dynamic virtual representations for policy simulation. While these meet standard requirements for testing security rules, the lack of deeper, real-time physics-based simulation means users must still exercise caution when moving from simulation to production deployment in highly sensitive industrial processes.
Purchase Considerations
Claroty employs a flexible licensing model primarily based on the number of protected assets, which allows organizations to scale their security costs in line with their infrastructure growth. The pricing structure covers the breadth of the XIoT environment, including industrial, healthcare, and building management systems. Organizations can choose between subscription-based cloud delivery via xDome or perpetual or subscription-based on-prem licenses for CTD, providing flexibility for both OpEx and CapEx budgeting.
The solution is designed for high-scale environments, supporting cloud-native scaling for upwards of 8,000 sites. Deployment is streamlined through Claroty Edge, an agentless discovery tool that provides immediate visibility into the network without requiring configuration changes or hardware sensors, often delivering initial insights within hours. For deeper inspection, the platform supports various sensor types that can be deployed across diverse network topologies, including air-gapped segments.
Implementation is supported by a comprehensive professional services organization and a network of certified partners experienced in OT environments. Technical support models include standard enterprise tiers, with options for dedicated technical account management for large-scale global deployments. The platform’s ability to integrate with existing IT security stacks ensures it can fit into established SOC workflows with minimal friction.
Use Cases
Claroty excels in critical infrastructure and manufacturing sectors where deep protocol knowledge and process-level visibility are essential. Manufacturing organizations can leverage the specialized behavioral engines and Team82 threat intelligence to protect high-value production lines from both cyberattacks and operational errors. The interactive asset mapping helps plant managers understand the relationships between PLCs and other industrial controllers, ensuring that security policies do not disrupt production.
Healthcare providers benefit from Claroty’s ability to secure IoMT devices. The platform’s asset identification capabilities help hospital IT teams maintain an accurate inventory of clinical assets, such as infusion pumps and imaging machines, while policy simulation allows them to test security measures without risking patient safety. For large enterprises with global footprints, the platform’s cloud-native scaling and diverse deployment options provide a unified view of security posture across hundreds of remote sites.
Darktrace: Darktrace/OT*
Solution Overview
Darktrace provides a comprehensive security platform centered on its Self-Learning AI technology, which is designed to protect complex, converged environments across IT and OT infrastructure. The solution focuses on real-time threat detection and autonomous response by establishing a "pattern of life" for every user, device, and controller in the network. Its primary methodology involves an agentless, nonintrusive approach that analyzes raw network traffic to identify anomalies without the need for predefined signatures or prior knowledge of specific threats.
The platform's architecture is highly flexible, supporting physical and virtual appliances as well as cloud-native and SaaS deployments. This ensures visibility across diverse environments, from traditional data centers to remote industrial sites. The solution will look and feel different over the contract lifecycle. Darktrace delivers an aggressive roadmap that prioritizes the integration of agentic AI and continuous feedback loops to adapt to the evolving threat landscape.
Darktrace is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the OT security Radar chart.
Strengths
Darktrace scored well on a number of decision criteria, including:
LLM-based remediation guidance: The Cyber AI Analyst utilizes agentic AI to autonomously form hypotheses and perform multihop investigations without human prompts. This allows security teams to address complex threats across converged environments more efficiently by providing context-rich remediation steps and reducing the manual effort required for incident validation.
AI technologies for threat detection: The Self-Learning AI engine establishes a benchmark for machine-learning-based behavioral analysis by creating a baseline for all network activity. This technical approach enables the detection of novel, never-before-seen threats and subtle anomalies that signature-based systems often miss, ensuring continuous protection against emerging OT-specific risks.
Unified IT/OT security: Darktrace correlates telemetry across network, cloud, identity, email, and OT systems through a shared context model. This unified visibility allows organizations to track threats as they move laterally across converged infrastructure, providing a comprehensive security posture that eliminates the visibility gaps between traditional IT and specialized industrial environments.
Opportunities
Darktrace has room for improvement in a few decision criteria, including:
Dynamic network segmentation: The solution evaluates real-world exposure and provides policy recommendations for identity-centric macrosegmentation. While this helps define security boundaries, organizations requiring more granular, automated microsegmentation enforcement within the OT environment may find the current recommendation-based approach requires additional manual steps or third-party orchestration for full implementation.
OT supply chain security: Darktrace identifies rogue devices and trojanized installers through behavioral anomalies, providing a foundational layer of protection against supply chain risks. However, the current feature set lacks deep HBOM validation and binary firmware analysis, which may leave gaps for organizations needing to verify the integrity of specific hardware components or software updates from third-party suppliers.
Digital twins: The Attack Path Modeling feature provides a dynamic virtual representation for policy simulation and risk projection across the environment. While effective for simulating security risks, it does not yet offer the high-fidelity physical process simulation found in more specialized digital twin solutions, which could limit its utility for organizations seeking to predict the exact physical consequences of a cyber incident on industrial production lines.
Purchase Considerations
Darktrace employs a tiered subscription pricing model primarily based on the number of protected entities and the volume of network traffic (bandwidth). The pricing structure is designed to be scalable, allowing organizations to start with specific modules, such as Darktrace/OT or Darktrace/Network, and expand their coverage as their digital estate grows. The Platform Play approach ensures that as more modules are added, the shared context between them increases the overall effectiveness of the AI's detection capabilities.
Implementation is streamlined through a discovery-led onboarding process. The Self-Learning AI begins establishing a baseline of network activity immediately upon installation, often providing initial visibility and insights within the first hour of deployment. The solution includes access to technical account managers and a 24/7 "Ask the Expert" service, which is particularly valuable for organizations managing critical infrastructure that requires around-the-clock monitoring and expert validation of AI-generated alerts.
Use Cases
Darktrace excels in environments with high levels of convergence between IT and OT systems, such as smart manufacturing and energy utilities. These organizations can leverage the platform's unified visibility to detect lateral movement between corporate and industrial networks, while the Cyber AI Analyst helps small security teams manage the volume of alerts generated by complex infrastructure.
Critical infrastructure providers benefit from Darktrace's nonintrusive, agentless discovery. The solution's ability to identify anomalies without active scanning is essential for sensitive OT environments where traditional vulnerability assessments might disrupt physical processes. Additionally, the platform's ability to correlate identity and email telemetry with network activity makes it an ideal choice for organizations seeking to protect against sophisticated phishing attacks targeting industrial operators.
Dragos: Dragos Platform
Solution Overview
Dragos provides a dedicated industrial cybersecurity platform focused on protecting critical infrastructure and OT environments. The solution integrates asset discovery, threat detection, and vulnerability management into a unified interface designed specifically for ICS. The Dragos Platform utilizes a combination of passive network monitoring and specialized sensors to ingest traffic data, providing deep visibility into industrial protocols and asset behaviors without disrupting operational uptime. Passive monitoring is complemented by the Extended Visibility (EV) Agent, which performs OT-safe active collection using native industrial protocols to directly query devices for firmware versions, OS patch status, and software inventories.
The platform architecture is built for large-scale enterprise deployments, supporting both physical and virtual sensor configurations across geographically distributed sites. As a Maturity-focused solution, the platform prioritizes stability and continuity, ensuring that core monitoring and detection functions remain consistent over the contract lifecycle to support long-term industrial cycles. This approach allows organizations to build standardized security operations around a reliable technical foundation while benefiting from methodical updates to its threat intelligence libraries.
Dragos is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the OT security Radar chart.
Strengths
Dragos scored well on a number of decision criteria, including:
OT-specific threat intelligence: The Dragos Platform uses predictive actor modeling, tracking 26 specific threat groups alongside dedicated industrial research teams. This intelligence-driven approach enables organizations to identify and mitigate targeted industrial threats before they impact operational uptime, providing a proactive defense posture that reduces the risk of unplanned outages.
Visualization of OT asset relationships: The platform visualizes chassis hierarchies and communication paths through interactive asset maps and relationship graphs. By mapping these technical interdependencies, security teams can pinpoint critical exposure points within complex industrial architectures and validate that network communications align with intended engineering designs, improving the accuracy of the overall security posture.
OT supply chain security: Dragos employs an expert-driven prioritization engine to evaluate vulnerabilities across the industrial supply chain. This mechanism filters through noise to highlight high-impact risks, allowing maintenance teams to focus remediation efforts on the most critical components of their production infrastructure rather than wasting resources on low-risk vulnerabilities.
Opportunities
Dragos has room for improvement in a few decision criteria, including:
LLM-based remediation guidance: The Analyst Assistant feature provides context-aware guidance and playbooks as an assistive tool rather than a fully autonomous remediation engine. While this aids in incident response, it requires skilled operators to manually validate and execute recommended actions, which can lengthen the response window in time-sensitive industrial environments.
Secure remote access: Security controls within the platform focus on the monitoring and validation of third-party sessions. The solution does not have its own built-in SRA feature. Instead, Dragos integrates with purpose-built SRA platforms, including Cyolo PRO (bidirectional integration with real-time session monitoring and threat alerting), TDI/ConsoleWorks, Dispel, and ABB.
Dynamic network segmentation: Dragos delivers policy-guided network segmentation through general availability (GA) integrations with Palo Alto Networks, Fortinet, Cisco, ORDR, and Elisity. These integrations automatically trigger enforceable segmentation actions based on user-defined rules in the Dragos rules engine. NP-View provides continuous automated configuration analysis and change monitoring. Native inline enforcement remains absent.
Purchase Considerations
The solution is offered as a subscription-based service including all core modules (asset visibility, vulnerability management, threat detection, and response playbooks), updated via weekly Knowledge Pack releases. Optional add-ons include OT Watch (proactive threat hunting), OT Watch Complete (24/7 expert-delivered monitoring and triage), and WorldView (OT threat intelligence and adversary research). Dragos also operates OT-CERT (free cybersecurity resources and vulnerability disclosures for the global ICS/OT community) and the Community Defense Program (free platform access for qualifying small utilities).
The implementation process is streamlined through the use of passive sensors that can be deployed as hardware appliances, VMs, or software agents on supported network equipment. Dragos provides significant professional services and technical support, including specialized industrial threat hunting and incident response services, to help organizations establish their OT security programs. Time-to-value is relatively short for asset discovery, with the platform typically identifying a majority of network-connected devices within hours of initial traffic ingestion.
Use Cases
Dragos excels in environments where the protection of critical infrastructure is the primary objective. Electric utilities and energy providers can leverage the platform's deep packet inspection of industrial protocols to identify potential threats to grid stability, while the visualization of asset relationships helps ensure compliance with regulatory standards such as North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP).
Manufacturing organizations benefit from the platform's ability to monitor diverse industrial environments without impacting production. The solution's focus on OT-specific threat intelligence allows manufacturers to protect high-value production lines from industrial espionage and ransomware, while the supply chain security features help manage the risk of vulnerabilities introduced by third-party component vendors.
Forescout: Forescout 4D Platform
Solution Overview
Forescout provides an expansive cybersecurity platform designed for the converged enterprise, focusing on complete visibility and control across IT, IoT, OT, and IoMT environments. The Forescout 4D Platform integrates asset discovery, risk assessment, and automated remediation through its core components, including eyeSight for agentless visibility, eyeInspect for industrial threat detection, and the recently introduced VistaroAI agentic system. The solution employs a vendor-agnostic, agentless methodology to continuously identify and classify every connected device, providing a foundational source of truth for security operations.
The architecture is designed for scale and flexibility, supporting cloud-native, on-prem appliances, and hybrid deployments to accommodate distributed sites and air-gapped environments. The solution prioritizes stability and continuity, ensuring that core capabilities remain consistent and reliable over the contract lifecycle while methodically incorporating advanced AI-driven workflows.
Forescout is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the OT security Radar chart.
Strengths
Forescout scored well on a number of decision criteria, including:
LLM-based remediation guidance: The VistaroAI agentic system generates autonomous playbooks and response workflows without requiring manual prompt engineering, which enables security teams to accelerate remediation and reduce the window of exposure.
Protocol and application decoding: The inclusion of a custom SDK for user-developed dissectors supports programmable DPI for proprietary and legacy OT protocols, ensuring comprehensive visibility into specialized industrial environments where standard dissectors are insufficient.
AI technologies for threat detection: The implementation fuses physical process residuals (the gap between the value a physical model of the process predicts and the value a sensor reports) with advanced behavioral baselining of network traffic. Detecting anomalies across both the network and the physical process layer provides high-fidelity identification of sophisticated cyber-physical threats, including manipulation that leaves the network pattern unchanged.
Opportunities
Forescout has room for improvement in a few decision criteria, including:
Hybrid asset discovery: Coordinating passive, active, and API-based discovery across on-prem, cloud, and air-gapped environments can create synchronization gaps that reduce the real-time accuracy of the global asset inventory during rapid infrastructure changes.
Deception technology: Discontinuing the dedicated, commercially supported deception product in favor of research-focused honeypots reduces the platform's native, integrated active-defense capabilities and limits options for organizations that require built-in threat decoy features.
Dynamic network segmentation: The current focus on AI-driven policy management and simulation meets foundational standards but lacks native automated moving target defense (AMTD) or granular PLC-level microsegmentation, which restricts the depth of isolation possible for the most critical industrial assets.
Purchase Considerations
Forescout employs a tiered subscription pricing model primarily based on the total number of connected assets (endpoints and devices). This model is designed for enterprise scalability, allowing organizations to expand their license coverage as their IT, OT, and IoT footprints grow. The platform's designation as a Platform Play reflects its ability to serve as a central orchestration hub, integrating with more than 180 third-party security and IT products to share context and trigger response actions.
Implementation is streamlined through the platform's agentless architecture, which begins identifying and classifying assets within hours of deployment. While the solution can provide rapid time-to-value, large-scale global deployments benefit from Forescout's professional services and technical account management to ensure optimal sensor placement and policy configuration. The solution's support for air-gapped and hybrid environments makes it a strong candidate for highly regulated industries with stringent data residency and isolation requirements.
Use Cases
Forescout excels in environments requiring unified visibility across disparate technology stacks. Manufacturing organizations can leverage the platform's deep OT protocol decoding and physics-aware threat detection to protect critical production lines, while automated remediation guidance helps bridge the skills gap between IT and OT security teams.
Government agencies and large enterprises benefit from Forescout's ability to enforce zero trust mandates through continuous asset assessment and dynamic access control. The solution's capacity to identify unmanaged IoT and medical devices makes it particularly effective for healthcare environments, where it helps maintain an accurate inventory of clinical systems and prioritizes risk based on patient safety impact.
Fortinet: Fortinet Security Fabric*
Solution Overview
Fortinet provides its OT Security solution through its Security Fabric, which integrates networking and security capabilities across converged IT and OT environments. The solution leverages a broad portfolio of integrated components, including FortiGate next-generation firewalls, FortiNDR for behavioral analysis, and FortiGuard security services. These modules are unified under the FortiOS operating system, enabling a centralized approach to asset visibility, threat detection, and policy enforcement across diverse industrial protocols and hardware.
The solution reflects Fortinet's approach through its emphasis on stability and consistent performance across the security infrastructure. Its development prioritizes incremental improvements to the existing ecosystem, particularly in areas of cross-platform integration, management efficiency, and hardware-accelerated security processing. The company demonstrates methodical advancement of core features while maintaining architectural reliability.
Fortinet is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the OT security Radar chart.
Strengths
Fortinet scored well on a number of decision criteria, including:
Dynamic network segmentation: FortiLink port-level microsegmentation delivers granular control over network traffic by isolating individual ports at the hardware level. This technical architecture allows organizations to implement zero trust principles within the local area network, effectively containing potential breaches and preventing lateral movement between sensitive OT assets.
OT-specific threat intelligence: FortiGuard OT services provide specialized threat feeds and virtual patching capabilities supported by a dedicated ICS research arm. This focused intelligence stream enables the platform to identify and mitigate industry-specific vulnerabilities in real time, allowing security teams to protect legacy systems without requiring immediate, disruptive firmware updates.
Unified IT/OT security: Single-OS management across the Security Fabric provides a consistent operational framework for both IT and OT environments through the FortiOS architecture. This unification allows organizations to apply standardized security policies and governance across the entire attack surface, reducing administrative complexity and closing visibility gaps between corporate and production networks.
Opportunities
Fortinet has room for improvement in a few decision criteria, including:
Hybrid asset discovery: The current discovery methodology combines orchestrated passive monitoring with partner-led active polling. While this approach identifies a wide range of devices, reliance on third-party integrations for active polling may introduce latency in asset updates or create visibility gaps in environments where partner support is limited.
Digital twins: Cloud Range simulations focus primarily on training scenarios and lack native real-time process mirroring capabilities. The absence of a live operational twin prevents organizations from conducting high-fidelity threat modeling or predictive impact analysis based on current industrial process data.
AI technologies for threat detection: FortiNDR's behavioral baselining provides a foundation for identifying network anomalies but lacks the physics-aware fusion of process residuals (comparing reported process values against what a physical model predicts) that advanced process monitoring requires. Without physical operating parameters in the detection logic, the solution may struggle to distinguish a cyberattack that manipulates the process from legitimate mechanical variation.
Purchase Considerations
Fortinet's solution employs a tiered pricing model primarily based on hardware capacity and subscription-based service levels for threat intelligence and support. Organizations can purchase individual components such as FortiGate or FortiNDR, which then integrate into the broader Security Fabric, allowing for a scalable deployment that grows with the organization's infrastructure.
The solution offers scalability supported by dedicated application‑specific integrated circuits (ASICs) and a distributed architecture that can handle high-volume traffic across global deployments. Implementation is facilitated by the centralized FortiManager tool, which allows for the rapid deployment of security policies across thousands of devices. While the initial setup of a full-scale Security Fabric can be complex, the unified management interface reduces long-term operational overhead.
Use Cases
Fortinet excels in large-scale manufacturing environments that require unified visibility across corporate and production networks. The single-OS management architecture allows global manufacturers to maintain consistent security standards across disparate factory floors, while dynamic network segmentation protects critical industrial controllers from lateral threats originating in the IT domain.
Critical infrastructure providers, such as those in the energy and utilities sectors, benefit from Fortinet's specialized OT threat intelligence. The dedicated research focus on ICS vulnerabilities ensures that utility operators can implement virtual patches to protect sensitive grid components, while the platform's high-performance hardware supports the low-latency requirements of real-time operational environments.
Fortress: The Fortress Platform
Solution Overview
Fortress Information Security provides a comprehensive OT security platform specifically designed to address the intersection of supply chain risk, asset visibility, and operational resilience. The solution integrates multiple distinct modules, including the Asset-to-Vendor (A2V) network, the North American Energy Software Assurance Database (NAESAD), and the MerlinAI engine. By combining traditional asset discovery with hardware bill of materials (HBOM) validation and process-aware anomaly detection, the platform offers a multidimensional view of risk that extends from the physical hardware layer to the software supply chain.
The platform architecture is cloud native, leveraging edge data ingestion to aggregate information across geographically dispersed industrial environments. This approach allows Fortress to correlate external threat intelligence with internal asset data, providing a unified risk posture. The solution reflects an innovative approach through its focus on predictive modeling and hardware-level transparency. Fortress delivers an aggressive roadmap, frequently introducing new AI-driven capabilities and collaborative intelligence repositories to address emerging threats in critical infrastructure. The solution will look and feel different over the contract lifecycle.
Fortress is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the OT security Radar chart.
Strengths
Fortress scored well on a number of decision criteria, including:
AI technologies for threat detection: Fortress provides process-aware anomaly detection through integrations with source systems, enabling identification of behavioral deviations contextualized by SBOM and HBOM asset data. The platform does not natively implement physics-informed AI models.
OT-specific threat intelligence: The A2V and NAESAD collaborative repositories provide predictive actor modeling and intelligence on nation-state pre-positioning. This allows organizations to anticipate targeted campaigns and identify vulnerabilities in the supply chain before they can be exploited, which is particularly critical for utilities and energy providers.
Hybrid asset discovery: Fortress orchestrates passive and active discovery mechanisms alongside procurement data and deep HBOM validation. This silicon-to-process visibility ensures that even subcomponents within hardware devices are identified and analyzed for risk, enabling a more robust defense against hardware-based supply chain attacks. Fortress discovery leverages integrations with third-party data sources rather than native active querying.
Opportunities
Fortress has room for improvement in a few decision criteria, including:
LLM-based remediation guidance: Fortress employs validated GenAI as a backend analytical engine to automate risk detection, vulnerability prioritization, and the presentation of technical supply chain risks in accessible terms across software bill of materials (SBOM) and HBOM datasets. However, the platform does not offer a conversational LLM interface or AI-generated remediation guidance for security operators. Remediation is delivered through human-authored playbooks augmented by AI-driven prioritization rather than dynamically generated, context-aware instructions. An SBOM-scoped LLM guidance capability is noted as emerging but is not available platform-wide.
Protocol and application decoding: The solution relies on ingesting and correlating data from external scanners and industry databases for advanced protocol decoding. Organizations with highly proprietary or air-gapped OT environments may find this approach less effective than native, high-performance DPI that can decode complex industrial protocols in real time at the network edge.
Secure remote access: While the platform supports fundamental zero trust models, it is not a dedicated high-fidelity session recording or brokering solution. This gap requires organizations to maintain separate tools for managing and auditing third-party remote maintenance sessions, potentially creating fragmented workflows and increasing the total cost of ownership for secure access management.
Purchase Considerations
Fortress employs a tiered subscription pricing model based on the volume of managed assets and the depth of vendor risk assessments required. This structure is designed to scale with organizations as they expand their visibility from core network assets to the broader supply chain. As a Platform Play, the solution provides broad utility across security, procurement, and compliance departments, making it a strategic choice for enterprises seeking to consolidate their OT risk management efforts.
Implementation is streamlined through automated discovery processes and the use of preexisting data within the A2V and NAESAD ecosystems. The solution can begin providing supply chain risk insights shortly after onboarding, though deep HBOM validation for custom hardware may require additional time for data ingestion and analysis. Fortress provides dedicated technical support and account management to assist with the integration of its intelligence feeds into existing SOC workflows.
Use Cases
Fortress excels in critical infrastructure environments, such as power utilities and water treatment facilities, that require advanced protection against nation-state threats. The integration with NAESAD allows these organizations to leverage industry-wide intelligence to secure their software and hardware supply chains against sophisticated adversaries.
Large-scale manufacturing organizations benefit from the platform’s HBOM validation and hybrid asset discovery. By identifying the origin and composition of every hardware component in the production line, these companies can mitigate the risks associated with counterfeit parts and hidden vulnerabilities, ensuring long-term operational integrity and compliance with emerging cybersecurity regulations.
Honeywell: Forge Cybersecurity+
Solution Overview
Honeywell provides a robust suite of OT security solutions under the Forge Cybersecurity+ banner, primarily centered on Cyber Insights and the Honeywell Threat Defense Platform (HTDP). The portfolio, significantly bolstered by the acquisition of SCADAfence, delivers end-to-end visibility, threat detection, and risk management specifically designed for ICS and building automation environments. The solution integrates automated asset discovery, vulnerability management, and behavioral analytics while maintaining deep compatibility with Honeywell's own Distributed Control Systems (DCS), such as Experion PKS.
The platform architecture is primarily agentless, utilizing passive network monitoring and vendor-approved active polling to minimize operational risk in sensitive environments. Honeywell’s strategy emphasizes a unified approach that bridges the gap between site-level security and enterprise-wide governance through its OT SOC and managed detection and response services. The solution will look and feel largely the same over the contract lifecycle. Honeywell prioritizes stability and continuity, focusing on deep industrial domain expertise and the methodical integration of its software suite to ensure reliable performance across diverse global infrastructures.
Honeywell is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the OT security Radar chart.
Strengths
Honeywell scored well on a number of decision criteria, including:
Visualization of OT asset relationships: Interactive, dynamic network maps and asset graphs illustrate complex dependencies and clarify the attack surface within industrial networks. The mapping engine allows security teams to drill down into specific risk factors and asset-level details, providing the technical visibility required to identify critical failure points and potential lateral movement paths.
Hybrid asset discovery: The platform combines passive traffic sniffing with native, vendor-approved active polling to establish an exceptionally accurate asset baseline. This hybrid methodology ensures comprehensive visibility into the OT environment without risking the integrity or availability of sensitive industrial processes.
Deception technology: The Honeywell Threat Defense Platform (HTDP), powered by Acalvio, employs autonomous deception to trap and identify sophisticated attackers in real time. By emulating specialized OT protocols and deploying high-fidelity decoys, the solution diverts threats away from production assets while providing precise alerts based on actual engagement rather than simple anomaly detection.
Opportunities
Honeywell has room for improvement in a few decision criteria, including:
LLM-based remediation guidance: The TechGPT generative AI tool currently focuses on assisting with technical support and customer service rather than direct security orchestration. While it provides context-aware assistance, the lack of full integration as an automated security playbook generator within the primary OT interface limits its utility for rapid, automated incident response.
Dynamic network segmentation: The platform provides rule recommendations based on observed network behavior but relies heavily on third-party firewall integrations, such as Check Point, for enforcement. This dependency on external hardware for policy execution may create operational complexity for organizations seeking a more native, end-to-end dynamic segmentation capability.
AI technologies for threat detection: The system utilizes machine learning to establish behavioral baselines and identify process anomalies. While effective for detecting zero-day threats through baseline deviations, there is an opportunity to further advance these capabilities by improving autonomous response triggers and reducing the manual oversight required to validate complex process-level alerts.
Purchase Considerations
Honeywell’s pricing model is typically based on asset or device counts, reflecting its focus on the scale of the industrial environment. The solution is offered through tiered subscription levels, including Site Offering and Enterprise Premium options. This structure allows organizations to start with single-site visibility and scale to centralized, multisite governance as their security maturity grows. The Platform Play designation is reinforced by the inclusion of professional and managed services, which are often bundled to support customers with limited in-house OT security expertise.
Implementation is streamlined by the agentless architecture, which allows for rapid deployment without disrupting existing workflows. Honeywell provides significant value through its "secure-by-design" approach for its own control systems, where it is the only qualified solution for certain DCS environments. Organizations should consider the depth of Honeywell's local support and its ability to provide 24/7 monitoring through its global OT SOC as part of the total cost of ownership.
Use Cases
Honeywell excels in critical infrastructure and large-scale manufacturing environments where downtime is not an option. For pipelines and power grids, the combination of hybrid asset discovery and behavioral analytics helps maintain a secure perimeter while protecting legacy ICS equipment that cannot support traditional security agents. The solution’s deep integration with Honeywell control systems makes it the preferred choice for industrial operators seeking verified compatibility.
In the building automation sector, Honeywell utilizes its HTDP deception technology to secure life safety, HVAC, and elevator systems in commercial real estate. This approach is particularly effective for healthcare facilities and office complexes, where the solution can divert attackers toward decoys, preventing them from accessing critical building management systems and ensuring the safety of occupants.
Microsoft: Defender for IoT*
Solution Overview
Microsoft provides an expansive security portfolio, with Microsoft Defender for IoT serving as its dedicated solution for OT and ICS. The solution focuses on delivering comprehensive visibility and threat protection through an agentless architecture that integrates directly with the broader Microsoft security ecosystem, including Microsoft Sentinel and Defender XDR. By leveraging DPI and the analysis of proprietary industrial protocols, the platform enables organizations to discover assets and monitor for anomalies without impacting production environments.
The platform architecture centers on a cloud-integrated model that utilizes on-prem sensors to ingest network traffic and provide real-time monitoring across diverse industrial sites. Its development strategy emphasizes the integration of OT security into the unified SOC, allowing teams to manage IT and OT risks from a single pane of glass. The solution will look and feel largely the same over the contract lifecycle. Microsoft prioritizes stability and continuity, focusing on deepening its integration across its established enterprise platform while maintaining a reliable foundation for critical infrastructure protection.
Microsoft is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the OT security Radar chart.
Strengths
Microsoft scored well on a number of decision criteria, including:
Protocol and application decoding: The Horizon SDK enables the development of custom dissectors, providing the programmable DPI necessary to support specialized or proprietary industrial protocols. This flexibility allows organizations to extend visibility into niche segments of the environment that standard decoders might overlook.
Hybrid asset discovery: The solution orchestrates passive monitoring alongside native protocol queries to identify shadow devices across the network. This dual approach ensures a more complete asset inventory by capturing devices that communicate infrequently or are hidden behind other network layers.
OT supply chain security: Automated binary firmware analysis, powered by the ReFirm Labs technology, identifies vulnerabilities such as hardcoded credentials and weak encryption within device firmware. This capability allows security teams to assess the integrity of third-party components before and after deployment into the production environment.
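The firmware checks named above, as an added example written for this report rather than Microsoft's or ReFirm Labs' code: the script below string-scans a constructed firmware image and reports hardcoded credentials, weak password hashes, embedded private keys, and URLs that carry secrets. The image, rule set, and severity labels are assumptions for illustration; a production analyzer first unpacks the filesystem (for example with binwalk) and carries far more rules.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed firmware image for the example: a fake header, filler bytes, and an embedded
# passwd-style file, PEM key, URL and config string of the kind that surface when a real
# image is unpacked or string-scanned. Nothing here comes from a real device.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00\xff\x10\x8a" * 64
    + b"\x00root:$1$abcdefgh$1234567890123456789012:0:0:root:/root:/bin/sh\n"
    + b"admin:ab3Fq.7Kdl2Xw:1000:1000::/home/admin:/bin/sh\n"
    + b"guest::1001:1001::/tmp:/bin/sh\n"
    + b"daemon:*:1:1:daemon:/usr/sbin:/bin/false\n"
    + b"\x00\x00-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n"
    + b"\x00https://svc:Summer2024!@cloud.example.invalid/api\x00"
    + b"\x00ADMIN_PASSWORD=admin\x00"
    + b"\x00/usr/lib/libcrypto.so.1.1\x00"
)

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")   # same idea as strings(1), ASCII runs of 6+

# Hypothetical rule set (assumption: commercial analyzers carry far more rules).
RULES = [
    ("pem_private_key", "high",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("url_embedded_credentials", "high",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s/@]+@[^\s/]+", re.I)),
    ("cleartext_password_assignment", "medium",
     re.compile(r"(?:passwd|password|pwd|secret)\s*[=:]\s*\S+", re.I)),
]

WEAK_CRYPT_IDS = {"1": "md5-crypt"}   # $1$ is MD5-based crypt; $5$/$6$/$2b$/$y$ pass here
USERNAME = re.compile(r"[a-z_][a-z0-9_-]*")

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    offset: int      # byte offset of the string in the image
    evidence: str    # first 80 characters of the matching string

def classify_password_field(field):
    """Map a passwd/shadow password field to (rule, severity), or None if not a concern."""
    if field == "x":
        return None                                   # real hash lives in /etc/shadow
    if field == "":
        return ("empty_password", "high")             # login without a password
    if field[0] in "*!":
        return None                                   # locked account
    if field.startswith("$"):
        crypt_id = field.split("$")[1]
        if crypt_id in WEAK_CRYPT_IDS:
            return ("weak_password_hash_" + WEAK_CRYPT_IDS[crypt_id], "medium")
        return None
    if len(field) == 13:
        return ("des_crypt_password_hash", "high")    # traditional DES crypt(3), 2-char salt
    return ("cleartext_password_field", "high")

def scan_firmware(blob):
    """Extract printable strings and run the credential and key rules over each one."""
    findings = []
    for m in PRINTABLE.finditer(blob):
        offset, s = m.start(), m.group().decode("ascii")
        for rule, severity, rx in RULES:
            if rx.search(s):
                findings.append(Finding(rule, severity, offset, s[:80]))
        parts = s.split(":")
        # passwd has 7 colon-separated fields, shadow has 9; the password field is the second
        if len(parts) in (7, 9) and USERNAME.fullmatch(parts[0]):
            hit = classify_password_field(parts[1])
            if hit:
                findings.append(Finding(hit[0], hit[1], offset, s[:80]))
    return findings

def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 2}."""
    return dict(Counter(f.severity for f in findings))

if __name__ == "__main__":
    for f in scan_firmware(SAMPLE_FIRMWARE):
        print("%-6s %-32s @0x%06x  %s" % (f.severity, f.rule, f.offset, f.evidence))
    print(summarize(scan_firmware(SAMPLE_FIRMWARE)))
```

The passwd and shadow layout check is what keeps the URL rule and the password-field rule from firing on the same colon-separated string, and the DES-crypt test is length-based, which is how the 13-character traditional format is normally recognized in practice.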
Opportunities
Microsoft has room for improvement in a few decision criteria, including:
LLM-based remediation guidance: Security Copilot functions as an assistive AI by providing context-aware summaries and playbook templates, but these outputs still require significant human validation to ensure operational safety in sensitive OT environments. The current implementation lacks the autonomous precision needed for direct remediation without manual oversight.
AI technologies for threat detection: While the solution utilizes behavioral modeling and a vast array of global signals for threat identification, it does not yet incorporate physics-aware fusion of process residuals. This limitation impacts the detection of sophisticated attacks that manipulate physical processes without triggering traditional network-based behavioral anomalies.
Deception technology: The platform relies primarily on honeytokens for identity-based deception and lacks native, high-interaction OT decoys that emulate real industrial controllers or human-machine interfaces (HMIs). This reduces the solution's effectiveness in diverting and analyzing advanced attackers who specifically target OT hardware.
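What the physics-aware fusion criterion means in practice, as an added example that is not any vendor's code (it illustrates the Forescout strength and the Fortinet and Microsoft opportunities on this criterion): a tank's level is predicted from a mass-balance model and compared with the level reported on the network, and the resulting residual is fused with a conventional packet-rate baseline. The tank constants, sensor noise, telemetry, and thresholds are constructed assumptions. During the constructed replay attack the network baseline never fires, while the physics residual does.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

DT = 1.0            # s between samples (constructed)
AREA = 2.0          # tank cross-section in m^2 (constructed)
SIGMA_LEVEL = 0.03  # level transmitter noise in m (constructed; normally estimated from history)

@dataclass(frozen=True)
class Sample:
    t: int
    q_in: float      # m^3/s, inlet flow meter
    q_out: float     # m^3/s, outlet flow meter
    level: float     # m, level transmitter value as seen on the network
    pps: float       # packets/s between HMI and PLC (the network feature)

# Constructed telemetry. Steady state for t=0..5. From t=6 an attacker raises the outlet
# setpoint through a legitimate write and replays recorded level readings to the HMI, so the
# level stream looks normal and the packet-rate baseline is undisturbed.
NORMAL_LEVELS = [3.00, 3.01, 2.99, 3.00, 3.02, 2.98]
TELEMETRY = (
    [Sample(t, 1.0, 1.0, NORMAL_LEVELS[t], p) for t, p in enumerate([50, 52, 49, 51, 50, 49])]
    + [Sample(6 + i, 1.0, 1.6, NORMAL_LEVELS[i], p) for i, p in enumerate([51, 50, 49, 52, 50, 51])]
)

def predict_level(prev):
    """One-step mass balance for an open tank: L[t+1] = L[t] + (q_in - q_out) * dt / A."""
    return prev.level + (prev.q_in - prev.q_out) * DT / AREA

def physics_residuals(samples):
    """Reported level minus the level the model predicts from the previous sample, keyed by t."""
    return {s.t: s.level - predict_level(p) for p, s in zip(samples, samples[1:])}

def network_zscores(samples, train_n):
    """Packet-rate z-scores against a baseline learned from the first train_n samples."""
    base = [s.pps for s in samples[:train_n]]
    mu, sd = mean(base), pstdev(base) or 1.0
    return {s.t: (s.pps - mu) / sd for s in samples}

def detect(samples, train_n=6, threshold=3.0, w_net=1.0, w_phys=1.0):
    """Return the timesteps flagged by network-only, physics-only and fused scoring.

    The fused score is a weighted sum of the two absolute z-scores, so with unit weights it is
    never below either component: anything a single detector flags, the fused one flags too,
    and moderate evidence on both sides can add up to an alert neither would raise alone.
    """
    z_net = network_zscores(samples, train_n)
    z_phys = {t: r / SIGMA_LEVEL for t, r in physics_residuals(samples).items()}
    out = {"network_only": [], "physics_only": [], "fused": []}
    for s in samples[1:]:
        zn, zp = abs(z_net[s.t]), abs(z_phys[s.t])
        if zn > threshold:
            out["network_only"].append(s.t)
        if zp > threshold:
            out["physics_only"].append(s.t)
        if w_net * zn + w_phys * zp > threshold:
            out["fused"].append(s.t)
    return out

if __name__ == "__main__":
    for name, hits in detect(TELEMETRY).items():
        print("%-13s %s" % (name, hits))
```

The first alert lands one sample after the setpoint change because the residual compares each reading with the prediction made from the previous sample's flows; a detector that only watched packet rates and peer pairs would see a legitimate write followed by a plausible-looking level stream and stay silent.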
Purchase Considerations
Microsoft's solution is typically offered as a tiered subscription service based on the number of protected assets or integrated into broader enterprise licensing frameworks like Microsoft 365 E5 Security. This model provides a clear path for organizations already invested in the Microsoft ecosystem to scale their OT security alongside their existing IT infrastructure without managing separate vendor contracts for basic security functions.
Implementation is simplified through the use of preconfigured sensors that can be deployed as physical or virtual appliances across the industrial network. The deep integration with Microsoft Sentinel enables security teams to begin ingesting and analyzing OT alerts within their existing SIEM and SOAR workflows shortly after deployment. The Platform Play approach ensures that OT security is treated as a core component of the enterprise-wide security strategy, supported by Microsoft's global enterprise support infrastructure and technical account management.
Use Cases
Microsoft excels in environments where IT and OT security operations are being converged into a unified SOC. Organizations already utilizing Microsoft Sentinel and Defender for Endpoint can leverage the platform's native integrations to gain a holistic view of threats across the entire enterprise, from corporate endpoints to the factory floor, ensuring a consistent security posture.
The solution's firmware analysis capabilities make it particularly valuable for manufacturing and energy sectors concerned with supply chain integrity. By vetting the firmware of industrial controllers and IoT devices, these organizations can identify latent vulnerabilities and ensure that new equipment meets internal security standards before it is connected to the critical network infrastructure.
Nozomi Networks: Nozomi Platform
Solution Overview
Nozomi Networks provides a comprehensive security and visibility platform tailored for OT and IoT environments, covering both wired and wireless networks. Its core offerings, Guardian and Vantage, focus on deep packet inspection, asset inventory, and real-time threat detection across ICS. The solution combines passive monitoring with selective active probing to map complex network topologies and identify vulnerabilities without disrupting sensitive industrial processes; most deployments enable both from the outset to maximize inventory coverage.
The platform architecture utilizes a scalable, multitier approach where physical or virtual Guardian sensors collect and analyze traffic at the edge, while the Vantage cloud-based management console provides centralized visibility and analytics. This structure enables Nozomi to deliver an aggressive roadmap, frequently introducing new protocol support and advanced analytics capabilities that adapt to the shifting industrial threat landscape. The solution will look and feel different over the contract lifecycle as Nozomi Networks delivers its roadmap of feature enhancements and integrations.
Nozomi Networks is positioned as a Challenger and Outperformer in the Innovation/Platform Play quadrant of the OT security Radar chart.
Strengths
Nozomi Networks scored well on a number of decision criteria, including:
Protocol and application decoding: The platform's DPI engine supports more than 200 industrial protocols, enabling the extraction of granular metadata from proprietary PLC and SCADA communications. This technical depth allows security teams to monitor process-specific variables and commands, facilitating the detection of subtle operational anomalies that could indicate a sophisticated cyberattack or hardware malfunction. Nozomi can rapidly expand protocol support at customer request to address emerging or proprietary industrial communication standards.
OT-specific threat intelligence: The Nozomi Networks Labs threat feed delivers curated intelligence specifically mapped to industrial environments, including indicators of compromise (IoCs) for specialized malware like Triton or Industroyer. By correlating this intelligence with real-time traffic, the solution provides immediate context on emerging threats, reducing the time required for security analysts to validate and respond to OT-centric risks.
OT supply chain security: The solution utilizes SBOM analysis and component-level fingerprinting to identify risks within the industrial supply chain. By mapping the underlying software libraries and firmware versions of connected devices, organizations can proactively manage vulnerabilities in third-party hardware before they are exploited in the production environment.
Nozomi Networks is classified as an Outperformer thanks to its accelerated development pace in expanding its cloud-native Vantage platform and deepening its integration with IT security ecosystems. The company's focus on unifying OT and IoT visibility through a single pane of glass demonstrates strong potential for continued market advancement.
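A minimal programmable dissector of the kind the Forescout, Microsoft Horizon SDK, and Nozomi protocol-decoding passages describe, as an added example that is not any of those vendors' code: it decodes Modbus/TCP requests field by field, exposes a registration hook for additional function codes (the shape of a custom-dissector extension point, not any vendor's SDK API), and applies a constructed write policy so that command-level changes from an unexpected host or to protected registers raise alerts. The frames, addresses, and allow-list are constructed assumptions; the field layout follows the public Modbus/TCP specification.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP: a 7-byte MBAP header (transaction id, protocol id = 0, length, unit id)
# followed by the PDU (1-byte function code + data). All multi-byte fields are big-endian.
MBAP = struct.Struct(">HHHB")

READ_COILS, READ_DISCRETE, READ_HOLDING, READ_INPUT = 0x01, 0x02, 0x03, 0x04
WRITE_SINGLE_COIL, WRITE_SINGLE_REG, WRITE_MULTIPLE_REGS = 0x05, 0x06, 0x10
WRITE_FUNCTIONS = {WRITE_SINGLE_COIL, WRITE_SINGLE_REG, WRITE_MULTIPLE_REGS}

@dataclass
class ModbusPdu:
    transaction_id: int
    unit_id: int
    function: int
    address: int
    quantity: int
    values: list
    is_write: bool
    exception: bool = False

def _dec_read(data):            # FC 1-4: start address, quantity
    addr, qty = struct.unpack(">HH", data[:4])
    return addr, qty, []

def _dec_write_single(data):    # FC 5/6: address, value
    addr, val = struct.unpack(">HH", data[:4])
    return addr, 1, [val]

def _dec_write_multiple(data):  # FC 16: address, quantity, byte count, then quantity x uint16
    if len(data) < 5:
        raise ValueError("truncated FC16 request")
    addr, qty, nbytes = struct.unpack(">HHB", data[:5])
    if nbytes != 2 * qty or len(data) < 5 + nbytes:
        raise ValueError("FC16 byte count disagrees with register quantity")
    return addr, qty, list(struct.unpack(">%dH" % qty, data[5:5 + nbytes]))

DECODERS = {READ_COILS: _dec_read, READ_DISCRETE: _dec_read, READ_HOLDING: _dec_read,
            READ_INPUT: _dec_read, WRITE_SINGLE_COIL: _dec_write_single,
            WRITE_SINGLE_REG: _dec_write_single, WRITE_MULTIPLE_REGS: _dec_write_multiple}

def register_decoder(function_code, decoder, is_write=False):
    """Extension point for vendor-specific or proprietary function codes (hypothetical API)."""
    DECODERS[function_code] = decoder
    if is_write:
        WRITE_FUNCTIONS.add(function_code)

def parse_modbus_tcp(frame):
    """Decode one Modbus/TCP frame into a ModbusPdu; malformed frames raise ValueError."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:        # the length field counts unit id + PDU
        raise ValueError("MBAP length %d disagrees with frame size %d" % (length, len(frame)))
    fc, data = frame[7], frame[8:]
    if fc & 0x80:                       # exception response: FC | 0x80, then one exception code byte
        if not data:
            raise ValueError("exception response without exception code")
        return ModbusPdu(tid, unit, fc & 0x7F, 0, 0, [data[0]], False, exception=True)
    if fc not in DECODERS:
        raise ValueError("no decoder for function code 0x%02X" % fc)
    if len(data) < 4:
        raise ValueError("truncated PDU")
    addr, qty, values = DECODERS[fc](data)
    return ModbusPdu(tid, unit, fc, addr, qty, values, fc in WRITE_FUNCTIONS)

ALLOWED_WRITERS = {"10.10.1.20"}                  # constructed: engineering workstation only
PROTECTED_REGISTERS = range(0x0100, 0x0110)       # constructed: safety-related setpoints

def check_write_policy(src_ip, pdu):
    """Return (transaction id, reason) violations for one request; empty list means no alert."""
    alerts = []
    if not pdu.is_write or pdu.exception:
        return alerts
    if src_ip not in ALLOWED_WRITERS:
        alerts.append((pdu.transaction_id, "write from unauthorized source %s" % src_ip))
    touched = range(pdu.address, pdu.address + pdu.quantity)
    if any(a in PROTECTED_REGISTERS for a in touched):
        alerts.append((pdu.transaction_id, "write touches protected registers 0x%04X-0x%04X"
                       % (touched[0], touched[-1])))
    return alerts

CAPTURE = [   # (src, dst, frame); constructed frames
    ("10.10.1.5",  "10.10.2.10", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),   # HMI reads 10 holding registers
    ("10.10.1.20", "10.10.2.10", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x01\xf4"),   # engineering ws writes reg 0x10 = 500
    ("10.10.1.77", "10.10.2.10",
     b"\x00\x03\x00\x00\x00\x0b\x01\x10\x01\x00\x00\x02\x04\x00\x00\xff\xff"),            # unknown host writes regs 0x100-0x101
    ("10.10.2.10", "10.10.1.77", b"\x00\x03\x00\x00\x00\x03\x01\x90\x02"),                # PLC replies: exception 02 (illegal data address)
]

def analyze(capture):
    """Dissect every frame and collect write-policy alerts in capture order."""
    alerts = []
    for src, _dst, frame in capture:
        alerts.extend(check_write_policy(src, parse_modbus_tcp(frame)))
    return alerts

if __name__ == "__main__":
    for tid, reason in analyze(CAPTURE):
        print("transaction %d: %s" % (tid, reason))
```

The MBAP length check matters in practice: a decoder that trusts the length field or the function code blindly can be steered into misparsing, so the dissector validates framing before it interprets commands, and the policy layer works on the decoded fields rather than raw bytes.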
Opportunities
Nozomi Networks has room for improvement in a few decision criteria, including:
Dynamic network segmentation: The platform relies heavily on integration with third-party firewalls and NAC solutions to enforce segmentation policies based on its discovery data. While it provides the necessary visibility to define zones and conduits, the lack of native, automated enforcement capabilities may cause delays in isolating compromised assets during an active incident.
Digital twins: The solution's current implementation of digital twin technology focuses primarily on communication baselining rather than full-scale process simulation. Organizations requiring high-fidelity virtual replicas of complex physical processes for "what-if" security testing may find the current modeling capabilities require significant manual configuration to achieve the desired level of predictive accuracy.
Hybrid asset discovery: Asset discovery across converged IT, OT, and IoT environments can encounter data silos when traversing legacy air-gapped segments or specialized proprietary networks. The requirement for localized sensors to maintain full visibility in these hybrid architectures can increase deployment complexity and hardware overhead for organizations with geographically dispersed or highly fragmented infrastructure.
Purchase Considerations
Nozomi Networks employs a subscription-based pricing model primarily driven by the number of protected assets and the volume of data throughput. The tiered structure allows for scalability, though organizations must account for the additional costs of physical or virtual Guardian sensors required for edge data collection. The Platform Play designation reflects its ability to serve as a centralized hub for industrial security, integrating with SIEM, SOAR, and firewall vendors to extend its value across the broader security stack.
Implementation is generally phased, starting with passive discovery to establish a baseline without impacting network performance. Nozomi offers professional services and a global partner network to assist with complex deployments in highly regulated industries. The Vantage cloud option significantly reduces the time-to-value for management and reporting, often providing initial asset visibility and risk insights within hours of sensor activation.
Use Cases
Nozomi Networks excels in critical infrastructure sectors like energy and manufacturing where downtime is not an option. Utility providers can leverage the platform's deep protocol decoding to monitor power grid stability and detect unauthorized changes to substation controllers, while its threat intelligence helps defend against state-sponsored actors targeting national infrastructure.
Manufacturing organizations benefit from the solution's ability to provide a unified view of converged IT and OT assets. By identifying vulnerabilities in both industrial controllers and connected office equipment, security teams can prevent lateral movement and protect high-value intellectual property. The platform's supply chain security features are particularly valuable for global manufacturers managing a diverse array of international hardware vendors.
OPSWAT: MetaDefender OT Security
Solution Overview
OPSWAT provides a specialized OT security approach through its MetaDefender platform, focusing on the protection of critical infrastructure and OT environments. The solution integrates hardware and software components, including security gateways, unidirectional data diodes, and endpoint security, to identify and secure assets across the IT/OT boundary. By combining DPI with multiscanning technologies, OPSWAT facilitates a zero trust architecture designed to prevent the introduction of threats via removable media, network traffic, or transient devices.
The solution reflects OPSWAT’s innovation-led strategy through its aggressive roadmap and frequent introduction of specialized hardware-software integrations for ICS. The platform’s architecture allows for granular control over data flows between segmented networks, ensuring that high-security zones remain isolated while maintaining operational visibility. The solution will look and feel different over the contract lifecycle as OPSWAT delivers an aggressive roadmap of updates targeting emerging industrial threats and hardware-accelerated security functions.
OPSWAT is positioned as a Leader and Fast Mover in the Innovation/Feature Play quadrant of the OT security Radar chart.
Strengths
OPSWAT scored well on a number of decision criteria, including:
AI technologies for threat detection: The solution utilizes behavioral baselining algorithms to establish a detailed profile of normal operational traffic and process-level interactions. This technical approach enables the system to identify subtle deviations from established patterns, which alerts operators to potential security breaches or process anomalies that traditional signature-based detection might overlook.
Protocol and application decoding: OPSWAT employs high-depth dissection logic specifically optimized for major industrial vendors like GE and Siemens. By decoding these proprietary industrial protocols at a granular level, the solution extracts actionable telemetry from the control layer, providing security teams with precise visibility into command-level changes and HMI-to-PLC communications.
OT-specific threat intelligence: The platform leverages a dedicated research team that focuses exclusively on identifying and analyzing emerging industrial vulnerabilities and 0-day threats. This proprietary intelligence feed delivers early-warning indicators and sector-specific threat data, allowing organizations to proactively harden their OT environments against specialized attacks targeting critical infrastructure.
Opportunities
OPSWAT has room for improvement in a few decision criteria, including:
Unified IT/OT security: While the platform offers bidirectional integration between IT and OT security layers, it lacks a single, native policy engine for a fully converged XDR stack. This technical separation requires security teams to manage distinct policy frameworks for different domains, which can introduce operational friction and potentially slow down coordinated response efforts during multistage attacks.
Dynamic network segmentation: OPSWAT provides inline Layer 2 enforcement through the MetaDefender Industrial Firewall, applying security policies via protocol-aware deep packet inspection for Modbus, OPC-UA, and DNP3. An AI-powered learning mode monitors network traffic to automatically generate and refine segmentation policies. Enforcement is native and inline, not dependent on third-party API provisioning.
LLM-based remediation guidance: OPSWAT provides context-aware remediation summaries using LLM-driven insights that help operators understand the technical context of alerts. However, the solution does not yet support full autonomous playbook generation, requiring analysts to manually convert these narrative summaries into executable response steps, which can increase the overall time to remediate an incident.
Purchase Considerations
OPSWAT’s solution employs a modular pricing model that scales based on the number of protected assets and the specific hardware components deployed, such as NetWall diodes or MetaDefender Kiosks. This allows organizations to start with targeted protection for high-risk entry points and expand as their OT security maturity grows. As a Feature Play, the solution is optimized for organizations requiring deep, specialized technical capabilities for industrial environments rather than a generalized, all-in-one IT security platform.
Implementation typically involves a combination of hardware deployment at the network perimeter and software integration for asset visibility. The solution provides rapid time-to-value for asset discovery, often populating the inventory within an hour of deployment. OPSWAT offers comprehensive professional services to assist with the initial configuration of industrial protocol filters and provides dedicated technical support to ensure minimal disruption to production uptime during the rollout phase.
Use Cases
OPSWAT excels in environments where the convergence of IT and OT creates a significant risk to physical safety or national security. Energy and utility providers can leverage the MetaDefender Kiosk and data diode technology to ensure that maintenance personnel do not introduce malware into air-gapped control systems via USB drives. The deep packet inspection capabilities allow for the monitoring of specialized industrial protocols like Modbus and DNP3, identifying unauthorized commands that could lead to equipment damage.
Manufacturing organizations benefit from the hybrid asset discovery and secure remote access features. These tools allow security teams to maintain visibility over a global footprint of factory floors while providing third-party vendors with secure, time-limited access to specific machines for remote maintenance, ensuring that the broader corporate attack surface remains shielded from external lateral movement.
Palo Alto Networks: Industrial OT Security*
Solution Overview
Palo Alto Networks provides a comprehensive industrial security solution designed to protect OT and IoT environments. The solution integrates visibility, security, and connectivity into a unified platform, leveraging the company's established presence in the network security market. Core components include the Industrial OT Security service, which runs on next-generation firewalls, and Prisma Access for secure remote connectivity. The methodology centers on automated asset discovery and continuous monitoring, providing deep visibility into industrial protocols without requiring intrusive agents or network downtime.
The architecture is designed to be highly scalable, utilizing both on-prem hardware and cloud-based management to secure distributed industrial networks. This platform-centric approach allows organizations to consolidate their security stack and apply consistent policies across both IT and OT domains. The solution will look and feel largely the same over the contract lifecycle. Palo Alto Networks prioritizes stability and continuity for its enterprise customers while focusing on methodical integration of new features into its existing ecosystem.
Palo Alto Networks is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the OT security Radar chart.
Strengths
Palo Alto Networks scored well on a number of decision criteria, including:
Dynamic network segmentation: Enforcing granular read/write policies natively within hardware firewalls allows the solution to control communication at the protocol level. This capability ensures that only authorized commands reach critical ICS, reducing the risk of accidental or malicious configuration changes while maintaining operational availability.
Unified IT/OT security: The platform provides a single pane of glass for visibility and response across the entire converged enterprise. By correlating data from both traditional IT assets and industrial devices, the solution enables security teams to identify lateral movement and manage risks consistently, which reduces the complexity of maintaining separate security silos.
Secure remote access: The ZTNA 2.0 architecture incorporates continuous security inspection and just-in-time access for remote users. This approach minimizes the attack surface by ensuring that connections to industrial assets are authenticated and authorized in real time, preventing unauthorized access and providing detailed audit trails for compliance.
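The protocol-level read/write enforcement described above, like the unauthorized-command detection in the OPSWAT use case earlier, depends on decoding each request far enough to know whether it changes controller state and then applying an allowlist. The block below is an added example, not code from Palo Alto Networks, OPSWAT or this report: it parses Modbus/TCP requests, classifies the function code as read or write, rejects malformed frames, and permits writes only from approved sources into approved register ranges. The policy, the source addresses and the frames are all constructed for the demonstration, and it covers Modbus/TCP only, whereas the products discussed decode many more protocols.

```python
"""Added example: protocol-level read/write policy for Modbus/TCP requests."""
import struct
from dataclasses import dataclass

# Function codes that only read controller state.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
# Function codes that change controller state.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    quantity: int


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode MBAP header + PDU of a request; raise ValueError on structural defects."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit_id, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"MBAP protocol id {proto} is not Modbus")
    # The MBAP length field counts every byte after itself: unit id + PDU.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} disagrees with {len(frame) - 6} bytes present")
    data = frame[8:]
    if fc in READ_FUNCTIONS:
        if len(data) != 4:
            raise ValueError("read request must carry exactly start address and quantity")
        start, qty = struct.unpack(">HH", data)
        if qty == 0:
            raise ValueError("quantity of zero")
    elif fc in (15, 16):
        if len(data) < 5:
            raise ValueError("multiple write missing address, quantity or byte count")
        start, qty = struct.unpack(">HH", data[:4])
        byte_count = data[4]
        expected = (qty + 7) // 8 if fc == 15 else 2 * qty
        if qty == 0 or byte_count != expected or len(data) != 5 + byte_count:
            raise ValueError("byte count disagrees with quantity or payload length")
    elif fc in (5, 6):
        if len(data) != 4:
            raise ValueError("single write must carry exactly address and value")
        start = struct.unpack(">H", data[:2])[0]
        qty = 1
    else:
        # Unknown or unsupported function code: return it so the policy can deny it.
        start, qty = 0, 0
    return ModbusRequest(tid, unit_id, fc, start, qty)


@dataclass(frozen=True)
class WritePolicy:
    allowed_writers: frozenset  # source IPs permitted to issue write commands
    writable_ranges: tuple      # inclusive (low, high) address ranges that may be written


def evaluate(src_ip: str, frame: bytes, policy: WritePolicy) -> tuple:
    """Return ("allow" | "deny", reason) for one request observed from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return ("deny", f"malformed frame: {err}")
    if req.function_code in READ_FUNCTIONS:
        return ("allow", f"{READ_FUNCTIONS[req.function_code]} is read-only")
    if req.function_code not in WRITE_FUNCTIONS:
        return ("deny", f"function code {req.function_code} is not on the allowlist")
    name = WRITE_FUNCTIONS[req.function_code]
    if src_ip not in policy.allowed_writers:
        return ("deny", f"{src_ip} is not an approved writer ({name})")
    last = req.start_address + req.quantity - 1
    if not any(lo <= req.start_address and last <= hi for lo, hi in policy.writable_ranges):
        return ("deny", f"{name} to {req.start_address}-{last} is outside writable ranges")
    return ("allow", f"{name} to {req.start_address}-{last} from approved writer {src_ip}")


# Constructed policy: one engineering workstation may write holding registers 100-199.
POLICY = WritePolicy(allowed_writers=frozenset({"10.0.1.5"}), writable_ranges=((100, 199),))

# Constructed frames: MBAP header (transaction id, protocol id 0, length), unit id 1, PDU.
READ_HR = bytes.fromhex("0001 0000 0006 01 03 0000 000a")                # read 10 registers at 0
WRITE_ONE = bytes.fromhex("0002 0000 0006 01 06 0064 1234")              # write register 100
WRITE_MANY = bytes.fromhex("0003 0000 000b 01 10 0064 0002 04 0001 0002")  # write 100-101
WRITE_OOR = bytes.fromhex("0004 0000 0006 01 06 01f4 0000")              # write register 500
TRUNCATED = bytes.fromhex("0005 0000 0006 01 03 0000")                   # length field lies
DIAG = bytes.fromhex("0006 0000 0004 01 08 0000")                        # fc 8 diagnostics

if __name__ == "__main__":
    for src, frame in [("10.0.2.7", READ_HR), ("10.0.2.7", WRITE_ONE), ("10.0.1.5", WRITE_ONE),
                       ("10.0.1.5", WRITE_MANY), ("10.0.1.5", WRITE_OOR),
                       ("10.0.1.5", TRUNCATED), ("10.0.1.5", DIAG)]:
        print(src, frame.hex(), *evaluate(src, frame, POLICY))
```

The default-deny for unknown function codes is deliberate: diagnostics, device identification and vendor-specific codes are rarely needed from the business network, and an allowlist of read codes keeps a misclassified code from silently becoming a write path. An inline enforcer would drop denied frames; a passive sensor on a SPAN port would raise the same verdicts as alerts.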
Opportunities
Palo Alto Networks has room for improvement in a few decision criteria, including:
LLM-based remediation guidance: The solution provides context-aware summaries for identifying and addressing security issues. However, it lacks autonomous safety-validation of remediation scripts, which means that human oversight is still required to verify that suggested changes will not cause unintended disruptions to industrial processes or safety systems.
Visualization of OT asset relationships: Dynamic mapping tools visualize the connections between industrial assets across the network. However, the system does not currently simulate production impact based on business context, making it difficult for operators to quantify how a security event or asset failure might affect specific manufacturing outputs or business goals.
Hybrid asset discovery: The discovery engine identifies and categorizes a broad range of industrial and IT devices. However, the solution does not include native parsing of PLC configuration files for individual subcomponents, which can result in incomplete visibility into the internal modules and backplane structures of industrial controllers compared to specialized niche tools.
Purchase Considerations
Palo Alto Networks employs a credit-based or tiered subscription pricing model for its OT security services, often bundled with its firewall or SASE licensing. This structure allows organizations to scale their security investment based on the number of protected assets or the volume of traffic, providing predictability for long-term budgeting. As a Platform Play, the solution is particularly attractive to organizations that have already standardized on Palo Alto Networks security infrastructure, as it allows them to extend existing workflows to their industrial environments.
Implementation is simplified for current customers, as the OT security service can be enabled on existing hardware or software firewalls with minimal reconfiguration. Professional services and technical account managers are available to assist with large-scale deployments and policy tuning. The solution provides rapid time-to-value, often delivering initial asset visibility and threat detection insights within hours of activation on the network.
Use Cases
Palo Alto Networks excels in large-scale manufacturing and utility environments that require a unified approach to security across converged IT and OT networks. Its ability to provide consistent visibility and threat detection across geographically distributed sites makes it ideal for global enterprises looking to centralize their security operations. Organizations in critical infrastructure sectors benefit from the solution's secure remote access capabilities. By using the ZTNA 2.0 framework, these entities can grant third-party technicians secure, audited access to specific industrial assets without exposing the entire network to risk, which is essential for maintaining uptime in highly regulated industries.
Rhebo: Industrial Protector
Solution Overview
Rhebo, a Landis+Gyr company, provides specialized monitoring and threat detection for OT and critical infrastructure environments. The solution centers on the Rhebo Industrial Protector, which employs nonintrusive DPI to monitor ICS and IoT networks. By analyzing network traffic in real time, the platform identifies anomalies, communication errors, and potential security breaches without impacting the availability of critical industrial processes. Its methodology emphasizes deep protocol analysis and behavioral monitoring to ensure the integrity of complex energy and utility networks.
The solution reflects Rhebo's approach through its emphasis on stability and consistent performance in highly regulated industrial environments. Its development prioritizes incremental improvements to its core detection engine and protocol support, ensuring long-term reliability for utility operators. The solution will look and feel largely the same over the contract lifecycle. Rhebo prioritizes stability and continuity in its feature set to meet the rigorous uptime requirements of its customer base.
Rhebo is positioned as a Challenger and Outperformer in the Maturity/Feature Play quadrant of the OT security Radar chart.
Strengths
Rhebo scored well on a number of decision criteria, including:
Protocol and application decoding: Specialized deep packet inspection decodes industrial and utility protocols (such as IEC 60870, IEC 61850, and DNP3) down to the command value level. This granular visibility allows the system to detect malformed traffic and semantic inconsistencies that could indicate a sophisticated attack or a malfunctioning controller, ensuring high-fidelity alerting in specialized grid environments.
OT-specific threat intelligence: The detection engine correlates observed network behavior with the MITRE ATT&CK for ICS framework and matches asset fingerprints against known CVE databases. This integration provides security teams with context-aware threat identification and vulnerability mapping, enabling more effective prioritization of risks within the industrial environment.
Unified IT/OT security: Native integration capabilities allow the platform to export security events and asset data to major IT security management systems, including Splunk (owned by Cisco) and IBM QRadar. By bridging the gap between the plant floor and the SOC, the solution enables organizations to maintain a unified security posture across their entire IT and OT landscape.
Rhebo is classified as an Outperformer due to its accelerated development of specialized protocol support and enhanced integration with parent company Landis+Gyr's broader energy management ecosystem over the last 12 months. The solution shows strong potential for continued market advancement through its deep focus on the intersection of cybersecurity and grid stability.
Opportunities
Rhebo has room for improvement in a few decision criteria, including:
LLM-based remediation guidance: The platform provides actionable risk assessments and remediation recommendations but lacks an integrated LLM for conversational or automated guidance. Users must rely on predefined documentation and expert knowledge to interpret complex alerts, which may extend the time required for less experienced analysts to respond to incidents.
Dynamic network segmentation: The solution identifies network segmentation gaps and recommends isolation strategies to contain threats, but it does not include a native enforcement engine. Because the platform relies on third-party firewalls and switches for active enforcement, organizations may face additional integration complexity when attempting to quickly and automatically quarantine compromised assets.
Secure remote access: Behavioral monitoring capabilities identify anomalies within remote access sessions, yet the solution does not provide a native zero trust remote access broker. Organizations requiring secure, brokered access for third-party vendors must deploy and manage separate remote access solutions, potentially increasing the management overhead for the security team.
Purchase Considerations
Rhebo's solution employs a tiered pricing model based on the number of monitored assets and the volume of network traffic processed by its sensors. The pricing structure is designed to scale with the complexity of the utility grid or industrial facility, and it can be purchased as a standalone software solution or as part of a broader Landis+Gyr managed service offering. This flexibility allows utilities to align their security investment with their existing capital and operational expenditure models.
The solution is a Feature Play, focusing on deep technical excellence in protocol analysis and anomaly detection rather than a broad platform of diverse security tools. This makes it an ideal choice for organizations that already have established IT security stacks and require a high-performance, specialized component for OT visibility, including support for specialized utility protocols such as IEC 60870-5-104 (IEC 104), which is widely deployed in power grid SCADA environments. Implementation involves the deployment of passive sensors (available as physical appliances or virtual machines) that connect to network SPAN or mirror ports, ensuring a nondisruptive installation that can provide visibility within hours of activation.
Use Cases
Rhebo excels in energy and utility environments where maintaining grid stability is paramount. Electric utilities can leverage the Industrial Protector's deep decoding of IEC protocols to monitor substation communications and protect smart grid components from cyber-physical attacks. The solution's ability to identify semantic errors in command values is particularly valuable for ensuring the safety of high-voltage equipment.
Manufacturing organizations with complex industrial automation systems benefit from Rhebo's nonintrusive monitoring. The platform integrates with Cisco Secure Firewall, Cisco XDR, and Splunk, feeding OT asset inventory, security events, and telemetry directly into the Splunk SIEM/SOAR for unified IT/OT SOC visibility. Customers can also leverage Splunk's dashboarding engine for CIO/CISO/COO-level OT security posture views across multisite deployments.
runZero: runZero Platform
Solution Overview
runZero provides a specialized attack surface management solution focused on cyber asset attack surface management and network discovery. The platform’s primary focus is identifying every asset across the environment, including unmanaged devices, IoT, and OT infrastructure, without the need for agents or credentials. The core solution consists of the runZero Explorer (a lightweight multipurpose agent) and a centralized SaaS console that aggregates and analyzes discovered data. The methodology emphasizes proprietary, safe-scanning techniques that query devices at the protocol level to provide high-fidelity fingerprinting.
The solution reflects a specialized approach through its emphasis on stability and consistent performance in large-scale enterprise environments. The platform's architecture is built to support massive scalability, capable of indexing millions of assets while maintaining a low impact on network performance.
runZero is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the OT security Radar chart.
Strengths
runZero scored well on a number of decision criteria, including:
Protocol and application decoding: The discovery engine is built on deep-packet implementations of nearly 200 protocols, including specialized industrial standards such as Modbus/TCP, BACnet, DNP3, and Siemens S7. This allows the platform to identify assets with high precision, providing security teams with accurate inventory data without the risk of crashing sensitive OT hardware. The solution extends asset visibility by enumerating sub-assets reachable through protocol gateways, including downstream devices behind EtherNet/IP (CIP), Modbus/TCP, KNXnet, and BACnet gateways.
OT-specific threat intelligence: The platform’s threat intelligence is driven by a dedicated in-house research team that specializes in reverse-engineering OT protocol stacks and identifying insecure-by-design vulnerabilities. This expertise is operationalized through the Rapid Response program, which delivers real-time detection logic for emerging threats directly to the platform.
Unified IT/OT security: The solution was designed to provide a single source of truth that correlates data from enterprise IT assets, industrial OT infrastructure, and cloud environments within a common backplane. This unification eliminates silos between departments and provides a comprehensive view of the entire organizational attack surface.
Opportunities
runZero has room for improvement in a few decision criteria, including:
LLM-based remediation guidance: The current transition from static documentation to interactive, context-aware assistance using LLMs is still in its early stages of maturity. While the system attempts to generate tailored remediation steps by correlating public advisories and social media data, the depth of guidance can vary, often requiring manual verification by security analysts to ensure accuracy in specialized operational environments.
AI technologies for threat detection: The platform relies on advanced algorithms to profile devices based on nearly 1,000 attributes to flag behavioral anomalies; however, this approach can be sensitive to baseline noise in dynamic network environments.
Secure remote access: runZero is primarily a visibility and exposure management tool and does not function as a secure remote access (SRA) provider or gateway. Organizations requiring integrated remote access controls will need to maintain and manage separate SRA solutions, which can lead to increased complexity in the overall security stack.
Purchase Considerations
runZero’s solution employs a transparent pricing model based on the total count of active assets discovered within the environment. This asset-based subscription allows organizations to scale their coverage as their infrastructure grows without being penalized for the number of users or scanners deployed. The platform offers a variety of tiers, including a community edition for smaller environments and enterprise-grade subscriptions that include advanced integrations and support.
Implementation is exceptionally streamlined through the deployment of runZero Explorers, which can be installed as software on existing hardware or deployed as virtual appliances. The agentless and credential-free nature of the discovery process allows organizations to begin seeing results within minutes of deployment. The solution effectively scales to support global environments through optimized data indexing and a SaaS-based management console that reduces the overhead associated with maintaining on-prem infrastructure.
Use Cases
runZero excels in environments requiring comprehensive visibility into converged IT and OT networks. Manufacturing organizations can leverage the platform’s deep-packet protocol decoding to maintain an accurate inventory of industrial controllers and legacy systems, ensuring that sensitive production equipment is protected without being disrupted by intrusive scans.
Large enterprises with significant unmanaged asset populations benefit from runZero's ability to identify "shadow IT" and forgotten infrastructure. The platform’s unified backplane allows security operations teams to monitor both cloud resources and physical office equipment in a single interface, while the Rapid Response program helps prioritize remediation efforts based on the latest threat intelligence.
Schneider Electric*
Solution Overview
Schneider Electric provides a comprehensive OT security solution designed to protect critical infrastructure and industrial automation environments. The solution integrates asset discovery, threat detection, and supply chain security into a unified platform, leveraging the company's deep heritage in ICS and its broader automation ecosystem. The platform employs a combination of passive network monitoring, active querying of native protocols, and advanced AI-driven analytics to provide real-time visibility and risk assessment across complex industrial topologies.
The solution reflects Schneider Electric's approach through its emphasis on stability and consistent performance in demanding industrial environments. Its development prioritizes reliability and continuity, ensuring that security enhancements do not disrupt critical operations over the contract lifecycle. The platform is designed for massive scale, supporting global multisite deployments while maintaining high levels of certification for safety and security.
Schneider Electric is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the OT security Radar chart.
Strengths
Schneider Electric scored well on a number of decision criteria, including:
AI technologies for threat detection: The integration of behavioral baselining and anomaly detection algorithms serves as a core component of the platform’s detection engine. By utilizing context-aware AI assistants and decision support tools, the solution enables operators to identify subtle deviations in industrial processes, which reduces the time required to detect and respond to potential threats.
Protocol and application decoding: Schneider Electric employs expert-level decoding for hundreds of proprietary and standard industrial protocols, ensuring deep packet visibility into complex process communications. This granular analysis allows for the inspection of specific command codes and data payloads, which is critical for identifying unauthorized changes to controller logic or operational setpoints.
OT supply chain security: A mandatory SBOM program and an emphasis on software transparency establish a verifiable chain of custody for all platform components. This rigorous approach to software provenance ensures that industrial organizations can manage third-party risks and maintain visibility into the vulnerabilities of individual software libraries within their automation environment.
Opportunities
Schneider Electric has room for improvement in a few decision criteria, including:
OT-specific threat intelligence: The threat intelligence feed relies on a combination of internal research and a network of security partners to deliver relevant updates. While the intelligence is timely, the dependence on external partner networks can lead to variations in the depth and native integration of specific threat indicators compared to platforms with a purely specialized, in-house intelligence apparatus.
Unified IT/OT security: The platform facilitates IT/OT convergence through standardized communication protocols and unified management dashboards. However, the inherent complexity of the broader ecosystem and the need for specialized training to master the integration points can create hurdles for organizations attempting to bridge the gap between their SOC and plant-floor operations.
Visualization of OT asset relationships: Interactive dashboards and dynamic mapping provide context for asset topology and risk assessment across the environment. Despite these capabilities, the visualization layer could benefit from more granular relationship mapping and automated criticality weighting to help security teams better prioritize risks in massive, multisite deployments.
Purchase Considerations
Schneider Electric employs a flexible and tiered pricing model designed to accommodate diverse industrial environments. While the pricing structure is adaptable, the complexity of the broader ecosystem can sometimes make TCO calculations challenging for organizations with multifaceted deployment needs. The solution's positioning as a Platform Play reflects its ability to integrate deeply with existing industrial automation stacks, offering a unified security posture for large-scale enterprises.
Implementation is supported by its extensive global footprint and professional services, which are critical for navigating the complexities of multisite OT environments. The platform's ease of use is enhanced by centralized dashboards and AI copilots, though achieving mastery of the full feature set typically requires specialized training. The solution's market leadership in achieving top-tier industry certifications ensures it meets the stringent compliance requirements of regulated sectors.
Use Cases
Schneider Electric excels in large-scale industrial environments requiring high levels of reliability and certification. Global manufacturing enterprises benefit from the platform's ability to support massive asset volumes across multisite deployments, while the interactive dashboards provide the necessary context for managing complex asset topologies.
Energy and utility organizations can leverage the solution's SBOM program and protocol decoding capabilities to meet strict regulatory and supply chain security standards. Furthermore, organizations undergoing legacy modernization initiatives benefit from the platform's software-defined automation, which provides the flexibility needed to secure and modernize older industrial systems without disrupting critical services.
Shield-IoT: ShieldEdge
Solution Overview
Shield-IoT provides a specialized cybersecurity platform, ShieldEdge, designed to protect massive-scale OT and IoT environments through advanced artificial intelligence and agentless monitoring. The solution focuses on delivering high-fidelity threat detection and asset visibility without disrupting operational continuity, leveraging patented algorithms to manage data at scale. ShieldEdge integrates with existing security stacks, including SIEM and SOAR platforms, to provide a unified view of security events across industrial and cellular networks. ShieldEdge is available via SaaS, public cloud, and private cloud deployment models.
The platform's architecture is built on an application-agnostic, agentless model that supports rapid deployment across diverse IP-based environments, including physical appliances, virtual appliances, and cloud-SaaS options. As an innovation-led player, Shield-IoT focuses on the rapid advancement of its AI-driven capabilities to address the complexities of modern edge computing and industrial connectivity. The solution will look and feel different over the contract lifecycle. Shield-IoT delivers an active roadmap, prioritizing the development of new features and technological integration to stay ahead of emerging threats.
Shield-IoT is positioned as a Challenger and Forward Mover in the Innovation/Feature Play quadrant of the OT security Radar chart.
Strengths
Shield-IoT scored well on a number of decision criteria, including:
AI technologies for threat detection: The integration of patented Coreset-AI with the NVIDIA Morpheus framework enables high-fidelity anomaly detection capable of processing massive data volumes at an unlimited scale. This mathematical approach to data reduction ensures that security teams can identify subtle threat patterns across millions of devices without the performance overhead associated with traditional heuristic models.
Visualization of OT asset relationships: Interactive dashboards and link visualization maps provide a comprehensive view of asset topology and situational risk. By graphically representing the relationships between OT assets and their communication paths, the solution allows analysts to quickly identify potential attack vectors and assess the business impact of security incidents across the operational environment.
OT supply chain security: Automated discovery combined with compliance checking against international security standards establishes a baseline for monitoring vendor risk. This capability ensures that organizations can maintain visibility into the security posture of third-party components and adhere to regulatory requirements, reducing the likelihood of supply-chain-originated compromises.
Opportunities
Shield-IoT has room for improvement in a few decision criteria, including:
LLM-based remediation guidance: The Agentic AI security expert provides contextual event narratives and remediation recommendations aimed at reducing analyst workloads. However, the current implementation focuses primarily on narrative generation, which may require additional human verification to ensure the recommended actions align with specific operational constraints or complex industrial workflows.
Hybrid asset discovery: The solution utilizes a combination of passive metadata analysis and native connectivity API integrations to identify edge assets. While this provides a functional baseline for visibility, organizations with highly diverse or fragmented hybrid environments may find that passive techniques alone lack the granular depth required for comprehensive asset profiling compared to more invasive active discovery methods.
Secure remote access: Native remote access capabilities are absent from the platform, requiring organizations to rely on third-party integrations for remote connectivity. The lack of a built-in zero trust architecture or session recording functionality means that security teams must manage and secure remote access through separate tools, potentially increasing administrative complexity and visibility gaps.
Shield-IoT was classified as a Forward Mover due to its relatively measured development pace over the last 6 to 12 months as the company focused on refining its core AI algorithms and NVIDIA integrations. While the solution demonstrates strong innovation in data processing, the current release cadence reflects a consolidation period intended to strengthen the foundational stability of the ShieldEdge platform before expanding into adjacent feature sets.
Purchase Considerations
Shield-IoT employs a transparent, object-based subscription model based on device counts, which provides predictable pricing and allows organizations to scale their security investment alongside their infrastructure growth. This model is particularly beneficial for large-scale IoT deployments where asset volume can fluctuate. The pricing structure is clear and avoids the complexity of bandwidth-based or throughput-based fees.
The solution is designed for rapid time-to-value, featuring seamless, agentless onboarding that can be completed without significant infrastructure modifications. The automated, AI-assisted user interface reduces the learning curve for security analysts, allowing teams to become proficient with the platform quickly. Furthermore, the patented Coreset-AI technology ensures the platform maintains performance even as device counts and data throughput increase, providing long-term scalability for expanding industrial networks.
Implementation is straightforward due to the application-agnostic architecture, which supports a wide range of use cases across any IP-based operational environment. Support for international security standards and certifications further simplifies the integration of ShieldEdge into regulated industries, ensuring the solution meets baseline trust requirements for critical infrastructure.
Use Cases
Shield-IoT excels in environments characterized by massive-scale IoT and OT deployments that require high-performance anomaly detection. Large enterprises with distributed edge networks can leverage Coreset-AI to monitor millions of devices in real time, identifying threats that traditional signature-based tools might miss while maintaining operational stability.
Public sector organizations and industrial operators benefit from the platform's ability to visualize complex asset relationships and communication flows. The interactive topology maps and link visualization tools help these organizations manage situational risk and ensure compliance with security standards, while the automated supply chain monitoring capabilities provide essential visibility into the security posture of third-party vendors and contractors.
Tenable: Tenable OT Security
Solution Overview
Tenable provides a comprehensive security solution for industrial environments through its Tenable OT Security platform, which is fully integrated into the Tenable One exposure management ecosystem. The solution focuses on providing deep visibility, security, and control over OT assets by combining multiple discovery methods and deep protocol analysis. It integrates OT-specific data with IT, cloud, and identity insights to offer a unified view of the organizational attack surface.
The platform architecture supports flexible deployment options across physical, virtual, and cloud environments, catering to diverse industrial infrastructures. Tenable prioritizes a platform-centric approach that consolidates vulnerability management and risk assessment into a single pane of glass. The solution will look and feel largely the same over the contract lifecycle. Tenable prioritizes stability and continuity for its enterprise customers while focusing on the methodical integration of OT capabilities into its broader security portfolio.
Tenable is positioned as a Challenger and Forward Mover in the Maturity/Platform Play quadrant of the OT security Radar chart.
Strengths
Tenable scored well on a number of decision criteria, including:
Protocol and application decoding: Specialized plugins provide expert-level decoding for hundreds of proprietary industrial protocols, including deep visibility into controller backplanes and logic. This granularity allows organizations to monitor the internal states and logic changes of critical industrial controllers, reducing the risk of undetected process manipulation.
Unified IT/OT security: The Tenable One platform integrates OT data into a converged view across IT, cloud, and identity assets. This unified exposure management approach enables security teams to correlate risks across the entire attack surface and execute bidirectional data exchange between disparate security domains.
Hybrid asset discovery: A patented hybrid discovery method orchestrates passive monitoring with native industrial queries to identify assets without compromising process integrity. By combining these techniques, the solution establishes a comprehensive asset inventory in sensitive environments while maintaining the safety of ICS.
Opportunities
Tenable has room for improvement in a few decision criteria, including:
LLM-based remediation guidance: The platform leverages generative AI to analyze complex attack paths and identify critical remediation choke points across converged IT/OT environments. While available within FedRAMP Moderate authorized environments, its restricted availability in higher-security classifications means that organizations with the most sensitive requirements may still face barriers to adoption, necessitating alternative tools for those specific segments.
Dynamic network segmentation: The platform provides the visibility required to recommend segmentation policies and integrates with third-party tools for enforcement. The absence of native, AI-driven inline enforcement means that organizations must maintain and coordinate separate security controls to implement the recommended network boundaries.
Secure remote access: While the solution provides basic secure access to its management console, it lacks a native zero trust remote access suite with integrated session recording. Organizations requiring secure vendor or technician access must implement and integrate third-party remote access solutions, which can increase management complexity.
Tenable was classified as a Forward Mover given its relatively measured rate of development in the core OT feature set over the last 6 to 12 months. This phase reflects the company’s strategic priority on the complex architectural integration of its industrial capabilities into the broader Tenable One platform, ensuring long-term continuity for enterprise customers over rapid, niche feature expansion.
Purchase Considerations
Tenable employs an asset-based pricing model based on IP addresses, offering progressive discounts as the volume of managed assets increases. This structure provides a logical scaling path, though costs will rise directly with the expansion of the environment. The solution is positioned as a Platform Play, designed to be part of the broader Tenable One ecosystem, which simplifies procurement for existing Tenable customers but may require a more significant commitment for those seeking a standalone OT tool.
The platform is designed for global enterprise scale, utilizing an Enterprise Manager component to consolidate data from multiple sites and hundreds of thousands of devices. Implementation is supported by a variety of deployment modes, including physical hardware for on-prem industrial sites and virtual or cloud instances for more modern architectures. The addition of ExposureAI simplifies the interpretation of complex risk data, potentially reducing the time required for security teams to reach actionable insights.
Use Cases
Tenable excels in large-scale enterprise environments where IT and OT teams are converging. Global manufacturing organizations can leverage the Enterprise Manager to maintain a consistent security posture across multiple international production sites, while the Tenable One integration allows the CISO's office to view industrial risk alongside traditional IT vulnerabilities.
The solution is also well suited for organizations requiring high-fidelity asset discovery and protocol analysis. In critical infrastructure sectors like energy or water management, the patented hybrid discovery approach ensures that even sensitive legacy controllers are identified and monitored without the risk of an active scan causing a process interruption.
TrendAI: Trend Vision One - OT Security*
Solution Overview
Formerly Trend Micro, the company rebranded in January 2026 to TrendAI. TrendAI provides a robust OT security ecosystem through its Trend Vision One platform, integrating advanced threat detection, network security, and endpoint protection specifically designed for industrial environments. The solution combines its core cybersecurity expertise with specialized industrial hardware and protocols, often delivered in partnership with TXOne Networks. Its methodology centers on providing unified visibility across the entire CPS landscape, leveraging automated asset discovery and deep packet inspection to secure critical infrastructure.
The solution reflects TrendAI's approach through its emphasis on stability and consistent performance in complex industrial settings. Its development prioritizes incremental improvements to existing capabilities, particularly in areas of protocol support, threat intelligence integration, and cross-domain visibility. The company demonstrates methodical advancement of core features while maintaining reliability. The solution will look and feel largely the same over the contract lifecycle. TrendAI prioritizes stability and continuity over disruptive shifts, ensuring that its extensive install base can maintain secure operations without significant architectural upheaval.
TrendAI is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the OT security Radar chart.
Strengths
TrendAI scored well on a number of decision criteria, including:
Dynamic network segmentation: EdgeOne AI-driven policy management automates microsegmentation and virtual patching by continuously learning from network traffic patterns. This capability allows organizations to isolate critical OT assets and mitigate vulnerabilities in real time without requiring immediate downtime for manual patching.
OT-specific threat intelligence: The Zero Day Initiative (ZDI) and TXODI provide specialized research into CPS, delivering virtual patches an average of 96 days before official vendor releases. This proactive intelligence feeds directly into the platform's security controls, reducing the window of exposure for industrial operators.
OT supply chain security: Firmware integrity verification and automated risk scoring work in tandem with real-time supply chain monitoring to ensure the security of components from procurement through deployment. This multilayered approach helps organizations identify compromised hardware or malicious firmware before they can impact production environments.
TrendAI is classified as an Outperformer due to its accelerated development pace over the last 12 months, particularly in expanding its CPS-focused threat intelligence and refining its AI-driven segmentation policies. The solution demonstrates strong momentum by integrating these advanced features into its unified security platform.
Opportunities
TrendAI has room for improvement in a few decision criteria, including:
Visualization of OT asset relationships: Interactive risk graphs and dynamic network maps provide visibility into asset interconnections, yet the current implementation requires further depth in illustrating complex logical dependencies. Strengthening the correlation between asset criticality and attack path modeling would enhance analysts’ ability to prioritize remediation in highly interconnected environments.
Hybrid asset discovery: Orchestrated discovery using passive sniffing and native protocol queries offers broad visibility, but the integration across diverse cloud and virtualization APIs can be complex to manage at scale. Organizations with highly fragmented hybrid infrastructures may find that maintaining a unified, real-time asset inventory requires significant configuration effort.
Deception technology: Foundational deception capabilities, such as fake credentials and basic honeypot connections, provide early warning signs of intruder activity but lack the high-interaction depth found in dedicated deception platforms. Expanding these features to include more sophisticated decoys and specialized OT protocol emulations would improve its effectiveness in luring and analyzing advanced persistent threats.
Purchase Considerations
TrendAI employs a platform-centric pricing model primarily based on the volume of assets and network nodes protected within the Trend Vision One ecosystem. Licensing is typically structured as a tiered subscription, allowing organizations to scale coverage from individual manufacturing cells to global multisite operations. The Platform Play designation reflects the solution's value as an integrated suite, where buyers benefit from unified management and cross-layer detection rather than managing disparate point products.
The implementation process is designed for industrial scale, utilizing dedicated hardware appliances like EdgeIPS and EdgeFire for inline protection alongside agentless monitoring for passive visibility. Support models are comprehensive, often including dedicated technical account managers and access to 24/7 global threat response teams. Organizations can expect initial visibility and asset discovery insights within hours of deployment, though full optimization of AI-driven policies may take several days of traffic learning.
Use Cases
TrendAI excels in large-scale manufacturing environments where protecting legacy systems is critical. The combination of ZDI-powered virtual patching and EdgeOne microsegmentation allows plant managers to secure unpatchable hardware against modern threats without disrupting production cycles.
Critical infrastructure and utility providers benefit from the solution's deep threat intelligence and supply chain security features. By verifying firmware integrity and leveraging world-class vulnerability research, energy organizations can defend against sophisticated nation-state actors targeting the supply chain and control systems.
TXOne Networks: EdgeOne, EdgeFire, and EdgeIPS
Solution Overview
TXOne Networks provides OT-native security solutions that emphasize visibility, protection, and management of ICS. The core solution suite, including the EdgeOne management platform, EdgeFire industrial firewalls, and EdgeIPS intrusion prevention systems, focuses on securing the critical assets that define the modern industrial attack surface. The company's methodology combines agentless network-based monitoring with portable hardware-based scanning to deliver comprehensive asset discovery and threat detection across both legacy and modern OT environments.
The solution's architecture is built on industrial-grade hardware and software-defined security policies, offering flexible deployment options as physical or virtual appliances. The platform's strategy focuses on delivering deep industrial protocol visibility and AI-driven automation to simplify the management of large-scale OT deployments. The solution will look and feel different over the contract lifecycle. TXOne Networks delivers an aggressive roadmap, prioritizing rapid feature delivery and architectural changes to maintain its position in an evolving market.
TXOne Networks is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the OT security Radar chart.
Strengths
TXOne Networks scored well on a number of decision criteria, including:
Dynamic network segmentation: The AI-powered segmentation defense automates the identification of industrial assets and the creation of security zones, which enables security teams to implement microsegmentation without the heavy manual configuration typically required in complex industrial environments.
Protocol and application decoding: TXOne provides command-level decoding for more than 70 industrial protocols, enabling granular security filtering at the instruction layer. The platform extends packet-level inspection to more than 180 additional industrial protocols, enabling broader traffic analysis.
OT supply chain security: The integration of the Element series with the Portable Inspector enables the physical verification of assets and firmware integrity during the onboarding process, which reduces the likelihood of introducing compromised or counterfeit hardware into the production network.
Opportunities
TXOne Networks has room for improvement in a few decision criteria, including:
Visualization of OT asset relationships: While the Actionable Dashboard provides visualizations of network structures and data flows, the current implementation may lack the automated dependency mapping and deep relationship analysis found in more advanced attack surface management platforms.
Hybrid asset discovery: TXOne Edge operates with full feature parity in air-gapped environments without external connections. Portable Inspector provides a supplementary discovery layer for detailed endpoint data, including specific application versions and installed patches, which complements rather than replaces network-level visibility.
Secure remote access: Current capabilities are restricted to basic site-to-site VPNs and MFA, which fails to provide the granular session monitoring and risk-based access controls needed to secure individual technician or vendor connections into sensitive industrial environments.
Purchase Considerations
TXOne Networks employs a seat-based licensing model for its EdgeOne management nodes, while its software-defined services and security appliances typically follow a subscription-based pricing model. This structure allows organizations to align their security investments with the number of managed devices and the specific protection levels required for their industrial sites. The company's focus on modular hardware and flexible software policies makes the solution particularly attractive to organizations with diverse and evolving industrial footprints.
Implementation is simplified through a zero-config deployment approach, allowing security appliances to be integrated into the network with minimal downtime. The centralized EdgeOne management console provides a unified interface for configuring policies and monitoring alerts across the entire OT infrastructure, which helps reduce the learning curve for security administrators. The solution is designed to scale effectively for large global enterprises, supporting high port densities and massive management arrays to accommodate significant organizational growth.
Use Cases
TXOne Networks excels in large-scale manufacturing and critical infrastructure environments that require deep industrial protocol decoding and automated network segmentation. Industrial organizations can leverage the AI-powered segmentation defense to protect sensitive production lines from lateral threat movement, while the platform's support for a wide range of OT protocols ensures compatibility with legacy control systems.
Security operations teams in the energy and utilities sectors benefit from the solution's OT supply chain security features. The use of the Portable Inspector and the Element series allows these organizations to verify the integrity of third-party components and software updates before they are deployed to critical assets, reducing the risk of supply-chain-based attacks.
6. Analyst’s Outlook
The OT security market has reached a critical inflection point where passive monitoring is no longer sufficient to mitigate modern industrial threats. For years, the sector focused almost exclusively on visibility, simply identifying what was on the wire. Today, the convergence of IT and OT, coupled with the rise of hyper-connected CPS, requires a transition toward active protection and automated resilience. Purchasers should view this space not as a standalone silo but as a discipline focused on maintaining the integrity of the physical process and ensuring human safety.
Several major themes currently dictate the trajectory of OT security investments. First is the erosion of the traditional Purdue Model. As edge computing and cloud-based industrial analytics become standard, the air gap is effectively dead, requiring security controls that can follow data across legacy and modern architectures. Second is the shift toward ICS-native defense. Modern solutions are moving beyond generic IT signatures to understand the specific language of industrial controllers, enabling them to detect subtle process anomalies that could indicate a sophisticated attack. Finally, supply chain integrity is a dominant concern, with organizations seeking ways to verify the security of third-party hardware and software before it enters the production environment.
IT and OT decision-makers weighing new security adoptions should prioritize these immediate steps:
Map security to operational criticality: Do not treat all assets equally. Start by identifying the "crown jewel" processes: those where a shutdown would result in significant financial loss or safety hazards. The next best action is to deploy protection layers, such as industrial firewalls or IPS, specifically around these critical loops rather than attempting a site-wide rollout that may stall due to complexity.
Implement virtual patching as a bridge: Many OT assets cannot be taken offline for traditional patching due to uptime requirements. Decision-makers should prioritize solutions that offer virtual patching at the network level. This allows the organization to shield vulnerable controllers from known exploits without requiring a reboot of the physical process.
Unify visibility into a single pane of glass: The business consequence of fragmented security is a delayed response during a kinetic event. Ensure that your OT security platform can feed high-fidelity alerts into a central management console or an enterprise SOC. This integration is essential for correlating IT-based initial access (like a phishing email) with subsequent lateral movement into the OT environment.
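The first and third recommendations above, ranking protection by operational criticality and correlating IT-side initial access with later activity in the OT network, can be sketched in code. The following is an added illustration written for this section, not code from the report or from any vendor evaluated in it. It assumes a constructed "crown jewel" map of controllers to process loops, constructed IT SOC alerts (phishing clicks) and OT monitoring alerts (first-seen writes from an IT host to a controller) as tab-separated lines, and a hypothetical correlation window and scoring rule; none of these values come from the page.

```python
"""Added example (not from the GigaOm report or any vendor's product): a small
IT/OT alert correlator that pairs a phishing alert on a workstation with later
first-seen writes from that workstation to a controller, and ranks the pairs by
the operational criticality of the targeted process loop.
All hosts, assets, log lines and thresholds are constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed crown-jewel map: OT asset -> (process loop, criticality).
# Criticality 3 = shutdown is a safety or major financial event, 1 = low impact.
ASSET_CRITICALITY = {
    "plc-boiler-01": ("boiler-control", 3),
    "plc-packaging-04": ("packaging-line", 1),
    "hmi-water-02": ("water-treatment", 3),
}

# Constructed IT SOC alerts: timestamp, alert type, host, user.
IT_ALERTS = """\
2026-03-01T08:02:10Z\tphishing_click\teng-ws-17\tj.doe
2026-03-01T09:40:00Z\tphishing_click\tfin-ws-03\ta.smith
"""

# Constructed OT monitor alerts: timestamp, alert type, source host, target asset, protocol.
OT_ALERTS = """\
2026-03-01T08:31:45Z\tnew_write\teng-ws-17\tplc-boiler-01\tmodbus_fc16
2026-03-01T08:33:02Z\tnew_write\teng-ws-17\tplc-packaging-04\tmodbus_fc06
2026-03-01T15:10:00Z\tnew_write\tfin-ws-03\thmi-water-02\thttp_post
"""


@dataclass
class Correlation:
    source_host: str
    target_asset: str
    process: str
    criticality: int
    it_time: datetime
    ot_time: datetime

    @property
    def score(self) -> int:
        # Hypothetical scoring: criticality of the process loop, doubled when the
        # OT write follows the phishing alert within one hour.
        gap_hours = (self.ot_time - self.it_time).total_seconds() / 3600
        recency = 2 if gap_hours <= 1 else 1
        return self.criticality * recency


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(it_log: str, ot_log: str, window: timedelta = timedelta(hours=4)) -> list:
    """Pair each OT first-seen write with an earlier phishing alert on the same
    host inside `window`, and return the pairs sorted by descending score."""
    phish_by_host: dict = {}
    for line in it_log.strip().splitlines():
        ts, kind, host, _user = line.split("\t")
        if kind == "phishing_click":
            phish_by_host.setdefault(host, []).append(parse_ts(ts))

    hits = []
    for line in ot_log.strip().splitlines():
        ts, kind, host, asset, _proto = line.split("\t")
        if kind != "new_write" or host not in phish_by_host:
            continue
        ot_time = parse_ts(ts)
        for it_time in phish_by_host[host]:
            # Only an IT alert that precedes the OT write within the window counts.
            if timedelta(0) <= ot_time - it_time <= window:
                process, crit = ASSET_CRITICALITY.get(asset, ("unknown", 1))
                hits.append(Correlation(host, asset, process, crit, it_time, ot_time))
    return sorted(hits, key=lambda c: c.score, reverse=True)


if __name__ == "__main__":
    for hit in correlate(IT_ALERTS, OT_ALERTS):
        print(f"score={hit.score} {hit.source_host} -> {hit.target_asset} "
              f"({hit.process}) phish={hit.it_time:%H:%M} write={hit.ot_time:%H:%M}")
```

On the constructed input, the write from the phished engineering workstation to the boiler controller ranks first, the packaging-line write from the same host ranks second, and the finance workstation's write to the water-treatment HMI is dropped because it falls outside the four-hour window; widening the window surfaces it. The point of the exercise is the ordering: the same two alert feeds, joined on host and time and weighted by the crown-jewel map, tell an analyst which event to work first.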
The future of OT security lies in process-aware automation. We are moving toward a state where security systems do not just block bad traffic but actually understand the physical limits of the machines they protect. Key takeaways for the next three to five years include the rise of automated microsegmentation that can dynamically adjust based on the operational state of the plant.
To prepare for this future, organizations must focus on cyber resilience rather than just cybersecurity. This means building the capability to operate under pressure and recover quickly from an incident. The industry will increasingly lean on AI-driven analytics to manage the massive volume of data generated by industrial IoT devices. Decision-makers should prepare by investing in modular, platform-based architectures that can accommodate these advanced, automated capabilities as they reach maturity. The ultimate goal is a security posture that acts as an enabler for digital transformation, ensuring that as factories become smarter, they also become more inherently secure.
To learn about related topics in this space, check out the following GigaOm Radar reports:
7. Methodology
*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.
For more information about our research process for Radar reports, please visit our Methodology.
8. About Chris Ray
Chris Ray is a veteran of the cyber security domain. He has a collection of experiences ranging from small teams to large financial institutions. Additionally, Chris has worked in healthcare, manufacturing, and tech. More recently, he has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.
9. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
10. Copyright
© Knowingly, Inc. 2026 "GigaOm Radar for Operational Technology (OT) Security" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.