Zero Trust for OT

Anchored to the DoW Zero Trust for OT framework.

The U.S. Department of War's Zero Trust for Operational Technology defines 105 activities across 7 pillars that DoW Components must achieve. OTegrity maps directly to 37 of them — with 16 as the primary control and the deepest concentration in Visibility & Analytics.

At a glance: 105 activities, 7 pillars, 16 Primary alignments, 21 Supporting.

OT.1.3 · 105 activities · 7 pillars mapped

  1. User: 6/18
  2. Device: 7/16
  3. Application & Workload: 4/12
  4. Data: 2/19
  5. Network & Environment: 0/10
  6. Automation & Orchestration: 7/16
  7. Visibility & Analytics: 11/14

Primary 16 · Supporting 21 · Not addressed 68
The framework

One source. Authoritative. Open publication.

We map against the framework as written — not a paraphrase, not an interpretation. Numbers below are the framework's own, verified against the source document.

Source document

Zero Trust for Operational Technology

Published by the U.S. Department of War (DoW), Version OT.1.3 (final activities baseline 09/25/2025), cleared for open publication 18 Nov 2025. 28 pages. 105 activities. 7 pillars.

Download the PDF

Mandate

DTM 25-003 (July 2025)

"Implementing the DoD Zero Trust Strategy" directs DoW Components to achieve, at minimum, Target Level ZT across all unclassified and classified systems — explicitly including control systems / Operational Technology.

Authority chain

Built on the standards you already cite

Underpinned by DoDI 8500 Series, DoD CSRA 5.0, DoD Control Systems SRG, RMF control-systems overlays, and NIST SP 800-82 rev3. Aligned to the Enterprise IT ZT activities for interoperability.

Coverage by pillar

Where OTegrity addresses the framework.

The framework's seven pillars and OTegrity's contribution to each. We claim only what the platform actually implements.

01 User

6 of 18 activities: 0 Primary, 6 Supporting

OTegrity's management console implements ICAM-grade access for the OT security platform itself — OIDC SSO (Azure AD/Entra ID, Okta, Google, Keycloak), LDAP/AD with StartTLS, TOTP 2FA, JIT provisioning, and a tamper-evident hash-chained audit trail. Environment-wide OT user management is complementary tooling.

Activities: 1.2.1.OT, 1.3.1.OT, 1.3.3.OT, 1.6.1.OT, 1.7.1.OT, 1.9.1.OT

02 Device

7 of 16 activities: 3 Primary, 4 Supporting

Direct-from-PLC integrity. The PLC Identity Tracker reads firmware version, program checksum, and program name natively over the industrial protocol and records every field-level change in a hash-chained audit trail. Detection conditions on verified integrity. Integrations with Armis, Claroty xDome, Dragos, and Nozomi Networks fill in environment-wide asset context.

Activities: 2.3.1.OT, 2.6.2.OT, 2.7.1.OT, 2.1.1.OT, 2.1.4.OT, 2.5.1.OT, 2.7.2.OT

03 Application & Workload

4 of 12 activities: 3 Primary, 1 Supporting

For the most critical OT application class — the program running on each PLC — OTegrity is the application inventory, the application-control detector, and the approved-binary registry. Reads happen against the controller, not a project file on an engineering workstation. SCADA/HMI workstation coverage is extended via the four asset-visibility integrations.

Activities: 3.1.1.OT, 3.1.2.OT, 3.3.3.OT, 3.3.1.OT

04 Data

2 of 19 activities: 2 Primary, 0 Supporting

The framework names controller programs, configuration files, and firmware images as the highest-priority OT "files." We monitor exactly those — by reading the live state from the controller itself, in standard machine-readable formats (CEF Syslog, REST API, JSON-RPC over WebSocket) ready for any SIEM/DLP/UEBA consumer. Data tagging, DLP, DRM, and DAM are out of scope.

Activities: 4.4.3.OT, 4.4.4.OT

05 Network & Environment

0 of 10 activities: honest scope

OTegrity is read-only and does not enforce network policy. Segmentation, micro-segmentation, SDN, and data-in-transit protection are complementary capabilities — OT-aware NGFWs (Cisco, Fortinet, Palo Alto, Belden) and NDR products (Claroty, Dragos, Nozomi) cover this pillar. OTegrity rides alongside them.

06 Automation & Orchestration

7 of 16 activities: 0 Primary, 7 Supporting

Every external interface on the platform is a widely-adopted standard — no proprietary endpoints. A comprehensive REST API with OpenAPI/Swagger, JSON-RPC 2.0 outbound WebSocket from engines to console, CEF Syslog to SIEM, and standard email/webhook notification dispatch. Bidirectional integrations with Armis, Claroty xDome, and Nozomi (alert write-back).

Activities: 6.2.2.OT, 6.5.2.OT, 6.6.1.OT, 6.6.3.OT, 6.6.4.OT, 6.7.1.OT, 6.7.2.OT

07 Visibility & Analytics

Strongest coverage: 11 of 14 activities (79%), 8 Primary, 3 Supporting

This is the pillar that makes Zero Trust operationally real in OT — and it's our core. Self-calibrating behavioral baselines, multi-method anomaly detection, integrity-anchored classification, forensic capture, MITRE ATT&CK for ICS enrichment, and continuous self-improvement via shadow training, milestone relearning, and two-tier auto-learn. One of these alignments — 7.2.4.OT Advanced Threat Alerting — is the one Advanced-Primary mapping on the entire matrix.

Activities: 7.1.3.OT, 7.2.3.OT, 7.2.4.OT, 7.2.5.OT, 7.2.6.OT, 7.3.1.OT, 7.3.2.OT, 7.4.1.OT, 7.1.2.OT, 7.2.2.OT, 7.5.1.OT

Coverage matrix verified against the framework's per-activity outcomes. Activity numbering follows the framework taxonomy (e.g. 7.2.4.OT).

Pillar 7 — the deepest fit

Eight Primary alignments in Visibility & Analytics.

Each maps to an outcome the framework requires. Each is implemented in the platform today — not on a roadmap.

  1. 7.1.3.OT

    Log Analysis in OT Environments

    20 self-calibrating algorithms develop "common behaviors" from observed process data — per-tag, per-pair, per-mode, and system-wide — with multi-algorithm consensus (Noisy-OR fusion) prioritizing events confirmed by independent detection methods over isolated single-algorithm triggers.

  2. 7.2.3.OT

    Threat Alerting Pt. 2 — Deviation Anomaly Rules

    Each algorithm implements a distinct deviation-anomaly rule class — statistical, relational, temporal, spectral, ML-based, graph-theoretic, pattern-based, string-based, rule-based. Self-calibrated thresholds, ISA-18.2 dynamic hysteresis, pair demotion, and benign-behavior suppression keep the false-positive surface low while preserving advanced-threat sensitivity.

  3. 7.2.4.OT Advanced

    Threat Alerting Pt. 3 — UEBA for OT NPEs

    The single Advanced-Primary alignment on the matrix. OTegrity is UEBA purpose-built for OT non-person entities — PLCs, RTUs, controllers. Triggering policy is multi-layered (per-algorithm self-calibrated thresholds, fusion, hysteresis, dampening, pair demotion). Continuous self-improvement runs through shadow training, milestone relearning, two-tier auto-learn, mode-coherence audit, and historical replay pre-warming.

  4. 7.2.5.OT

    OT Asset ID & Alert Correlation

    Every alert carries PLC identifier, affected tag names, triggering algorithm IDs, integrity state, classification, and MITRE ATT&CK for ICS technique/tactic IDs. Not "an anomaly occurred" — which PLC, which tags, which algorithms agreed, and which ATT&CK technique.

  5. 7.2.6.OT

    OT Baselines

    Baselines established through an automated four-phase pipeline (classify → learn → validate → detect), at every analytical level the framework would ask for: per-tag (mean/variance/range/rate/distribution/drift), per-pair (correlation, lag-based causality), per-mode (operational clusters and transitions), system-wide (multivariate reconstruction, correlation-matrix fingerprint, outlier profile), timing (protocol response-time spectrum), rules (mutual-exclusion constraints), and subsequence (z-normalized nearest-neighbor patterns).

  6. 7.3.1.OT

    Analytics Tools for OT Environments

    Real-time analytics at scan-rate frequency across statistical, ML, temporal, spectral, graph-theoretic, pattern-based, string-based, and rule-based methods. Forensic snapshots — current sample plus 30 historical samples, fused results, algorithm internals, and a plain-English decision trail — enable analysis of processes that have already occurred.

  7. 7.3.2.OT

    Establish OT Baseline Behavior

    Baselines learned from live process data during an automated learning phase. Continuous monitoring after validation. UEBA self-improvement built in: shadow training swaps stale models, milestone relearning at scheduled checkpoints, auto-learn dismisses benign anomalies that meet strict safety criteria, and pre-fusion benign-behavior suppression attenuates confidence when learned process knowledge already explains the firing tag.

  8. 7.4.1.OT

    Environment Baseline & Profiling

    Threat profiles produced by a multi-factor risk assessment — anomaly mass, algorithm breadth, integrity state, trend, and confidence — combined into severity (Critical / High / Medium / Low). Events prioritized by severity and classification: a Cyber Attack alert at Critical is prioritized above an Equipment Fault alert at Medium.

Integrated capability

Twelve activities. One platform.

The set of DoW ZT for OT activities that OTegrity addresses in a single integrated system. Competing approaches require multiple separate tools to achieve equivalent coverage across this combination — and lose the cross-signal that makes integrity-anchored detection work.

  1. 2.3.1.OT Configuration Monitoring & Control (Device · Target)
  2. 2.6.2.OT OT Device Config Management (Device · Target)
  3. 2.7.1.OT EDR for OT (Device · Target)
  4. 3.1.1.OT Application & Code Inventory (App · Target)
  5. 3.1.2.OT OT Application Control (App · Target)
  6. 3.3.3.OT Approved Binaries / Code / Hardware (App · Target)
  7. 4.4.3.OT OT File Prioritization & Monitoring (Data · Target)
  8. 4.4.4.OT OT File Monitoring Interoperability (Data · Target)
  9. 7.2.4.OT Advanced Threat Alerting · UEBA for NPEs (V&A · Advanced)
  10. 7.2.6.OT OT Baselines (V&A · Target)
  11. 7.3.2.OT OT Baseline Behavior (V&A · Target)
  12. 7.4.1.OT Environment Baseline & Profiling (V&A · Target)

Why the integration matters

PLC program-integrity monitoring, behavioral baselines, and advanced UEBA are not separate capabilities — they're a unified system where each informs the others. A firmware or program change plus a behavioral anomaly on the same controller is automatically classified as Cyber Attack rather than Anomaly or Equipment Fault. That cross-signal is impossible to produce when integrity and behavior live in different tools.
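To make the cross-signal concrete, here is a constructed sketch (added for this page, not OTegrity's own code) of how the Noisy-OR fusion described under 7.1.3.OT and the integrity-anchored classification above fit together: independent per-algorithm confidences are fused, and the fused anomaly score is labelled differently depending on whether the same PLC's program checksum or firmware has changed since the baseline. Algorithm IDs, the 0.5 threshold, the hysteresis levels and every label other than Cyber Attack and Anomaly are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Detection:
    algorithm: str     # hypothetical algorithm ID, e.g. "pair_lag_causality"
    confidence: float  # calibrated P(true deviation) from that algorithm, 0..1

@dataclass(frozen=True)
class PlcIntegrity:
    program_checksum: str  # read from the controller itself, not a project file
    firmware_version: str

def noisy_or(confidences) -> float:
    """Fuse independent detectors: P(at least one is right) = 1 - prod(1 - p_i).
    Several moderate, independent confirmations outrank one isolated trigger."""
    p_none = 1.0
    for p in confidences:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"confidence out of range: {p}")
        p_none *= 1.0 - p
    return 1.0 - p_none

def classify(detections: list[Detection], baseline: PlcIntegrity,
             current: PlcIntegrity, threshold: float = 0.5) -> tuple[float, str, list[str]]:
    """Integrity-anchored classification (rule, threshold and labels are assumptions):
    an anomaly on a PLC whose program checksum or firmware changed since baseline is
    Cyber Attack; the same anomaly on an unchanged controller stays Anomaly."""
    fused = noisy_or(d.confidence for d in detections)
    anomalous, changed = fused >= threshold, current != baseline
    if anomalous and changed:
        label = "Cyber Attack"
    elif anomalous:
        label = "Anomaly"
    elif changed:
        label = "Integrity Change"  # assumption: change with no anomaly is audit-only
    else:
        label = "Normal"
    agreed = sorted(d.algorithm for d in detections if d.confidence > 0.0)  # for the alert
    return round(fused, 4), label, agreed

class HysteresisAlarm:
    """Simplified ISA-18.2 style deadband: raise at on_level, clear only below off_level."""
    def __init__(self, on_level: float = 0.5, off_level: float = 0.3) -> None:
        self.on_level, self.off_level, self.active = on_level, off_level, False
    def update(self, fused: float) -> bool:
        if not self.active and fused >= self.on_level:
            self.active = True
        elif self.active and fused < self.off_level:
            self.active = False
        return self.active
```

Three algorithms at 40% each fuse to 0.784 and cross the threshold, while a single algorithm at 45% does not; the same fused score is Cyber Attack when the controller's checksum changed and Anomaly when it did not.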

Honest scope

What we don't claim.

A full Zero Trust posture for OT spans capabilities no single product delivers. OTegrity is one layer — purpose-built for Level 0 and Level 1 — and pairs cleanly with the rest.

  • Network segmentation, micro-segmentation, SDN, data-in-transit protection — entire Pillar 5
    Pair with OT-aware NGFWs (Cisco, Fortinet, Palo Alto, Belden) and NDR (Claroty, Dragos, Nozomi).
  • Host-based file integrity monitoring on SCADA / HMI workstations, historian operating systems, and network-device configuration files
    Pair with a host FIM product such as the CimTrak Integrity Suite by Cimcor, Inc.
  • Privileged Access Management — session recording, credential vaulting, privileged session management
    Console RBAC is least-privilege but is not PAM. Pair with Claroty SRA, BeyondTrust, CyberArk, etc.
  • Vulnerability scanning and patch deployment
    We enrich vulnerability context via Claroty CVEs, Dragos Now/Next/Never, Armis and Nozomi risk scores — we don't scan or deploy patches.
  • Data tagging, DLP, DRM, and database activity monitoring — most of Pillar 4 beyond OT file monitoring
    OTegrity monitors the OT file class the framework names as highest-priority. The rest is complementary tooling.
  • Identity Lifecycle Management and enterprise credential issuance
    We integrate with your IdP (OIDC / LDAP) and consume credentials — we don't issue them.

Bring it to your environment

A clear path to Target Level ZT for OT — at Level 0 and Level 1.

We'll walk through the alignment activity by activity, what's implemented today, and how OTegrity fits alongside your existing stack.