The OTegrity Platform

Real-time process integrity, validated at Level 0 and Level 1.

OTegrity learns how your industrial process normally behaves and monitors it continuously. By analyzing values, rates, timing, and relationships across tags, it identifies when the process is no longer behaving correctly — and helps your team understand why.

Aligned to
  • NIST SP 800-82 rev3
  • IEC 62443
  • MITRE ATT&CK for ICS
  • NERC CIP
  • DoW Zero Trust for OT
Purpose-built for Level 0 & Level 1
How it works

Learn. Monitor. Diagnose. Guide.

From abnormal behavior to a confident decision — automatically, with no prebuilt models and no per-site tuning.

Stage 01

Learn the process

OTegrity learns the normal ranges, rates, timing, and cross-tag relationships of your live process — building a behavioral picture of how it actually runs, without prebuilt models.

Stage 02

Monitor in real time

It validates ongoing behavior continuously, watching the physical process itself rather than only network traffic or asset inventories.

Stage 03

Diagnose the cause

When behavior changes, OTegrity classifies the likely cause — equipment fault, sensor failure, process drift, or cyber manipulation — instead of just flagging a symptom.

Stage 04

Guide the response

Each finding carries evidence, affected tags, and a recommended next step, so operations and security teams act from the same source of truth.

Capabilities

What the platform delivers.

Process behavior modeling

Learns values, rates of change, timing, and relationships across tags to understand how the process behaves as a whole — not one signal at a time.

Cause classification

Determines whether abnormal behavior looks like an equipment fault, a sensor failure, process drift, or cyber-induced manipulation.

Cyber-vs-fault differentiation

Confirms whether suspicious digital activity actually changed the physical process — so security teams prioritize real impact, not noise.

Recommended action

Turns abnormal behavior into clear operational guidance — what likely changed, where to look, and what to do next.

Evidence & forensics

Every finding snapshots the surrounding process window, so teams can reconstruct exactly what happened and act with confidence.

Works with your stack

Broad industrial-protocol coverage on the way in; shares findings out via Syslog/CEF and REST API to your SOC and SIEM.

Process knowledge, explained

The engine tells you what it learned.

Operating modes, sensor behavior, discovered physical rules, and what it watches for — in plain language, not a black box.

otegrity · process knowledge
The engine has learned how this process behaves and watches for deviations.
22
Tags
5
Modes
36
Relationships
14
Safety rules
7 sensors hold steady; 15 fluctuate within learned ranges.
Discovered physical rules that must always hold between sensors.
Monitors how sensors influence each other — flags broken relationships.
Detects deviations from the 5 learned operating modes.
Watches for replay attacks & value injection via temporal prediction.
Transparent by design. Learned modes, relationships, rules, and what it watches for — in plain language.
Where OTegrity fits

Deep visibility where the traditional OT-security stack can't reach.

Network detection and asset visibility watch the OT network — Levels 2–3 — but have no view inside the controller or the process beneath it. OTegrity completes defense-in-depth by owning Level 0/1: the PLC's real behavior and the physical process itself.

5EnterpriseCorporate IT systems
4Business planningPlant business systems
3OperationsSite operations · SCADA
3.5OT DMZOptional · jump servers, diodes
2Supervisory controlHMI / SCADA clients
1Basic controlPLCs, controllers, I/O
0ProcessSensors, actuators, equipment
Levels 4–5

Little to no coverage — barely reaches business systems, and not enterprise IT.

Levels 2–3 · the network layers

Traditional OT security stack

Network detection (NDR), asset inventory, and traffic analysis — watches protocols, assets, and east-west traffic between devices on the OT network.

Levels 0–1 · blind spot
Inside the PLC & the process — unseen

Network tools watch traffic between devices. They can't see what the controller is actually executing, or whether the physical process is behaving.

Levels 0–1

OTegrity — integrity + behavior

Fuses verified control-system integrity with live process behavior — watching both what the system is and what it's doing, down at the process the layers above can't reach.

Defense in depth: comprehensive OT protection needs visibility from the enterprise all the way down to the process.

Deployment

Visibility into Level 0 and Level 1 — deployed your way.

OTegrity gives you trusted visibility into the physical process: the layer most OT stacks can't truly validate. It fits your environment without a heavy project.

  • Flexible form factor — deploy as software or as a hardware appliance.
  • Non-invasive & read-only — observes the process, never writes to equipment.
  • Self-learning — calibrates to your process automatically; no prebuilt models.
  • One source of truth — shared by operations, engineering, and security.
process truth · level 0/1
Watches
The process
Form factor
SW / HW
Access
Read-only
Setup
Self-learn

Validates the outcome directly — not inferred from traffic or controller changes.

Deployment architecture

Where OTegrity sits in your environment.

OTegrity collects read-only telemetry from controllers via native industrial protocols, runs detection on-premises, and dispatches enriched findings to the SOC and security tools you already operate. No cloud dependency, no inbound listening ports on the detection engines.

Security OperationsPurdue Level 3.5+
SIEM · Syslog / CEF SOAR · REST API Asset visibility · Armis / Claroty / Dragos / Nozomi Notifications · Email · Webhook
Outbound dispatch · TLS
Management ConsolePurdue Level 3.5 · aggregation, alert analysis, RBAC
REST API · OpenAPI / Swagger Operator UI Forensic capture Audit trail · SHA-256 hash-chained HA peer (optional)
Outbound WebSocket · JSON-RPC 2.0 · TLS
OTegrity Detection EnginePurdue Level 3 / OT DMZ · 20 algorithms · self-calibrating
Behavioral baselines Integrity-anchored classification Causal & temporal analysis MITRE ATT&CK for ICS tagging No inbound listening port
Native industrial protocols · read-only · rate-limited
Process ControlPurdue Levels 0 – 2 · PLCs, RTUs, sensors, actuators
Modbus TCP OPC UA EtherNet/IP Allen-Bradley PCCC Siemens S7 Omron FINS BACnet/IP MQTT Sparkplug B REST / HTTP DNP3 CODESYS V3

Data flows up only. The detection engine has no listening port; engines initiate outbound WebSocket connections to the console — matching Purdue-aligned unidirectional data-flow practice.

Integrations

Works with the OT ecosystem you already run.

OTegrity is one layer in your stack — designed to interoperate, not replace. Built on widely-adopted industry standards on every external interface; bidirectional integrations with the OT asset-visibility platforms your team is most likely to already operate.

Standards & infrastructure

  • SIEM · Syslog / CEF
  • OIDC SSO · Azure AD / Entra ID, Okta, Google, Keycloak
  • LDAP / Active Directory · StartTLS / LDAPS
  • REST API · OpenAPI 3.0.3 / Swagger
  • WebSocket · JSON-RPC 2.0
  • Email · SMTP · Webhook · HTTP POST

Complementary OT & security technologies

  • Armis
  • Claroty xDome
  • Dragos
  • Nozomi Networks
  • CimTrak Integrity Suite
  • ServiceNow ITSM
  • Zscaler
  • MITRE ATT&CK for ICS
Capabilities

Capabilities at a glance.

A summary of what the platform supports today. Detailed compatibility matrices are available on request.

CapabilityDetail
Industrial protocols Modbus TCP · OPC UA · EtherNet/IP · Allen-Bradley PCCC · Siemens S7 · Omron FINS · BACnet/IP · MQTT · Sparkplug B · REST / HTTP · DNP3 · CODESYS V3
Controller families Rockwell ControlLogix / CompactLogix / PLC-5 / SLC-500 / MicroLogix / Micro800 · Siemens S7-300 / 400 / 1200 / 1500 · Modbus TCP devices (Schneider Modicon and others) · Omron CJ / CS / NJ / NX · CODESYS V3 controllers (WAGO, Beckhoff, ABB, Eaton, IFM, and others) · DNP3 RTUs · BACnet/IP building controllers
Detection algorithms 20 self-calibrating algorithms (behavioral baseline, causal graph, rate-of-change, spectral, temporal invariants, HMM mode detection, fingerprint, change-point, autoencoder, DAG, value shift, histogram density, drift, isolation forest, matrix profile, string novelty, string rate, TCN, learned process invariants, operator rules)
Classification classes 7 — Normal · Anomaly · Equipment Fault · Configuration Error · Environmental · Unauthorized Change · Cyber Attack
Threat-intel enrichment MITRE ATT&CK for ICS technique & tactic IDs on every alert · CVE enrichment via Claroty xDome · Now/Next/Never priority via Dragos · risk scores via Armis & Nozomi
Deployment Software or hardware appliance · on-premises · air-gap friendly (no required cloud connectivity)
Access model Strictly read-only · no write paths to PLCs or actuators · outbound-only network posture on detection engines
Management Console Role-based access control (5 roles) · OIDC SSO · LDAP / AD · TOTP 2FA · SHA-256 hash-chained audit trail · multi-engine aggregation · HA peer
Reporting Compliance templates: NIST SP 800-82 · IEC 62443 · NERC CIP · MITRE ATT&CK for ICS · CISA Zero Trust for OT · DoW Zero Trust for OT
Output channels Syslog (CEF) · REST API · WebSocket (JSON-RPC 2.0) · Email · Webhook (HTTP POST)
Bring it to your environment

Put OTegrity in front of your process.

We'll walk through how OTegrity validates process behavior, diagnoses cause, and fits your operations and security workflows.