Executive Summary
You cannot put an agent on a twenty-year-old PLC, and you cannot take the line down to patch it — so in OT, you watch first and touch almost nothing.
On the plant floor the priorities invert. IT security optimizes for confidentiality; an OT environment optimizes for safety and uptime, where an availability outage can stop production, spill product, or hurt someone. The assets are programmable logic controllers, RTUs, HMIs, and SCADA servers that may run for decades on firmware no one dares to touch, speak proprietary protocols like Modbus, DNP3, EtherNet/IP, and S7, and cannot host an endpoint agent or tolerate an active scan that an IT vulnerability tool takes for granted. The first job is not to block — it is to see what is actually connected and how it talks.
This guide provides a vendor-neutral evaluation framework for 8 leading platforms — Claroty, Nozomi Networks, Dragos, Armis, Microsoft Defender for IoT, Tenable OT Security, Forescout, and Palo Alto Networks Industrial OT Security — framed around the discipline Gartner now calls cyber-physical systems (CPS) protection. The market split that should drive your shortlist is whether you buy a passive, agentless OT-native platform built for industrial protocols and the Purdue model, an IT-security vendor’s OT extension that folds the plant into a stack you already run, or a broad XIoT/asset-intelligence platform that treats OT as one slice of every connected thing.
Why OT & ICS Security Matters for Enterprise Strategy
The decisive question in OT security is not which vendor has the longest feature list — it is whether the platform gives you a trustworthy, continuously updated inventory of every industrial asset and a read on how they communicate, without ever putting the process at risk. Selection should turn on the depth of passive, agentless discovery, the breadth and accuracy of the industrial-protocol and asset database behind it, and how cleanly OT findings flow into the SOC and risk program your IT side already runs — not on IT-grade scanning speed or generic dashboards that were never built for a substation or a packaging line.
OT security is also where the long-standing organizational divide between IT and engineering finally has to be settled. The SOC speaks in CVEs and ATT&CK techniques; the plant speaks in process safety, change windows, and decades-old vendor support contracts. The platforms that earn their place translate between the two — mapping industrial assets and their real exposures into IT/OT SOC workflows the security team can act on, while respecting that an engineer, not an analyst, owns the final decision to touch a controller. Weigh each vendor on how well it bridges that gap rather than how aggressively it tries to apply IT playbooks to a network that was never designed for them.
Architecture & Sourcing Decision
OT security is almost never a build-vs-buy question — no enterprise writes its own deep-packet parsers for hundreds of proprietary industrial protocols, and getting protocol dissection wrong on a live control network is exactly the risk you are trying to avoid. The real decision is structural: an OT-native passive platform built for the plant, an IT-security vendor’s OT extension that consolidates the estate, or a broad XIoT/asset-intelligence platform that spans OT, IoT, and IT in one view. Frame the choice around who will operate it (engineering, the SOC, or both), how converged your IT and OT already are, and how deep your protocol and asset coverage must go — not the feature checklist.
| Your Situation | Recommended Path | Rationale |
|---|---|---|
| Industrial estate with little OT visibility, engineering-led security | OT-native passive monitoring platform | Purpose-built passive discovery and deep industrial-protocol dissection give you a trustworthy asset inventory and anomaly detection without touching the process; the OT-native vendors go deepest where IT tools are blind. |
| Mature SOC consolidating IT and OT on fewer vendors | IT-security vendor’s OT extension | If a single console and a unified IT/OT SOC matter more than maximum OT depth, an OT module from your existing security platform may suffice — verify it has real protocol coverage, not a thin sensor bolted onto an IT product. |
| Heavily converged estate of OT, IoT, IoMT, and IT assets | Broad XIoT / asset-intelligence platform | Where the line between OT and unmanaged IoT/IoMT is blurry, an asset-intelligence platform that profiles everything in one model beats stitching together separate OT and IoT tools. |
| Critical infrastructure facing targeted threats (energy, water, public sector) | Threat-intelligence-led OT platform | Where adversaries are ICS-specific and incident-response stakes are existential, prioritize curated OT threat intelligence, detections mapped to known industrial attacks, and an IR practice that has actually worked these environments. |
| Already standardized on a vulnerability-management program | OT module of your exposure / VM platform | Extending an existing exposure-management or VM platform into OT unifies cyber risk across IT and OT in one view — accept that passive OT detection depth may trail the OT-native specialists. |
Key Capabilities & Evaluation Criteria
Weight these domains against your own sector, the age and protocol mix of your installed base, and how converged your IT and OT operations already are. For most industrial enterprises, the accuracy of passive asset discovery and the depth of the protocol and threat-intelligence database now outrank the generic SIEM-style features and raw scanning throughput that IT-centric RFPs over-index on.
| Capability Domain | Weight | What to Evaluate |
|---|---|---|
| Asset Discovery & Inventory | 25% | Accuracy and depth of passive, agentless discovery of every OT/ICS/IIoT asset — make, model, firmware, backplane and serial detail, protocol, and Purdue level — with optional OT-safe active querying only where engineering permits |
| Protocol & Asset-Database Depth | 20% | Breadth of supported industrial protocols (Modbus, DNP3, EtherNet/IP, PROFINET, S7, BACnet, IEC 61850, and vendor-proprietary) and the size and currency of the asset/vulnerability knowledge base behind detections |
| Threat Detection & OT Intelligence | 20% | Behavioral anomaly detection on industrial traffic, signatures and analytics mapped to known ICS threats and MITRE ATT&CK for ICS, and the quality and curation of OT-specific threat intelligence feeding the platform |
| Vulnerability & Risk Prioritization | 15% | Mapping of CVEs and vendor advisories to discovered assets, OT-aware risk scoring that accounts for safety and reachability (not just CVSS), and practical compensating-control guidance where patching is impossible |
| Deployment & OT Network Fit | 10% | Passive sensor model (SPAN/TAP), handling of the Purdue model and air-gapped or segmented sites, support for remote and bandwidth-constrained locations, and on-prem vs. cloud management options for regulated environments |
| IT/OT SOC Convergence | 5% | Bidirectional integration with SIEM, SOAR, EDR/XDR, CMDB, and firewall/NAC; alignment to a unified IT/OT SOC; and clean handoff of OT context into the security workflows the enterprise already runs |
| Secure Remote Access & Control | 5% | Native or integrated OT remote access for engineers and third-party vendors, segmentation and zone enforcement, and policy controls that respect that an engineer owns the decision to act on a controller |
Vendor Landscape
The market splits along clear lines: OT-native specialists that built passive, agentless monitoring and deep protocol dissection for the plant from day one; a threat-intelligence-led camp focused on industrial adversaries and incident response; broad XIoT and asset-intelligence platforms that treat OT as one slice of every connected device; and IT-security incumbents — firewall, endpoint, and vulnerability-management vendors — that extended into OT to consolidate the estate. Most shortlists end up comparing across these camps, not within them. Note the 2026 ownership shifts that reshape the field: ServiceNow agreed to acquire Armis (announced 2025, pending close in 2H 2026), folding asset intelligence into its workflow platform; Microsoft Defender for IoT is the former CyberX; Tenable OT Security is the former Indegy; and Accenture has announced an agreement to take a majority stake in Dragos, a transaction still pending close as of mid-2026.
Claroty
Strengths: Broadest cyber-physical coverage spanning industrial OT, healthcare IoMT (after Medigate merged into Claroty xDome), and building-management and other XIoT assets, delivered cloud-native via xDome or on-prem via CTD; deep passive discovery, exposure management, secure remote access, and threat detection in one platform, backed by the Team82 research group. Named a Leader in the 2026 Gartner Magic Quadrant for CPS Protection Platforms. Considerations: Breadth means scoping the right modules (xDome, secure access, threat detection) to your actual needs rather than buying the whole suite; healthcare and industrial buyers land on different parts of the portfolio; deepest value assumes you exploit the exposure-management and access capabilities, not just discovery.
Nozomi Networks
Strengths: Built for consistent visibility across many sites at scale, with Guardian sensors for passive OT/IoT network monitoring, the Arc host sensor for endpoint and on-host telemetry, Guardian Air for wireless spectrum, and Vantage for cloud-based aggregation and analytics; strong AI-driven anomaly detection and a flexible sensor model for distributed, bandwidth-constrained environments. A 2026 Gartner Magic Quadrant Leader. Considerations: Full value comes from deploying the sensor family (network, endpoint, wireless) rather than network monitoring alone; large multi-site rollouts need sensor-placement and central-management planning; the endpoint and wireless sensors are newer additions than the core passive engine.
Dragos
Strengths: Purpose-built for threat-intelligence-driven OT programs, with the Dragos Platform for asset visibility and detection, WorldView industrial threat intelligence, the opt-in Neighborhood Keeper early-warning community, and a renowned incident-response practice; especially strong in electric utilities, oil and gas, and the public sector, and runs the free OT-CERT community program. A 2026 Gartner Magic Quadrant Leader led by co-founder and CEO Robert M. Lee. Considerations: Intelligence-and-detection depth assumes a security program mature enough to act on it; historically narrower on broad XIoT/IT-asset breadth than the asset-intelligence platforms; Accenture has announced an agreement to take a majority stake (with runZero and NetRise), so track the pending close and the planned roadmap to integrate exposure-assessment and firmware capabilities.
Armis
Strengths: Asset-intelligence platform (Armis Centrix) that profiles IT, OT, IoT, and IoMT in one converged model using an agentless collective asset-knowledge engine, ideal where the boundary between OT and unmanaged connected devices is blurry; strong discovery, risk scoring, and exposure management across the full estate. A 2026 Gartner Magic Quadrant Leader, being acquired by ServiceNow (announced 2025; deal pending regulatory close in 2H 2026). Considerations: Built for the converged environment rather than for the deepest single-protocol OT engineering use cases, so the most ICS-specific buyers should validate plant-floor depth; the ServiceNow acquisition is still pending, so watch packaging and roadmap as it integrates with the ServiceNow platform; value scales with breadth of asset coverage.
Microsoft Defender for IoT
Strengths: The former CyberX, now integrated into the Microsoft Defender and Sentinel ecosystem, delivering agentless OT/IoT discovery and behavioral threat detection that flows natively into a unified IT/OT SOC; compelling for organizations already standardized on Microsoft security, with OT findings correlated alongside endpoint, identity, and cloud signals. Considerations: Value is greatest inside the Microsoft security stack; OT-specialist depth and protocol breadth may trail the dedicated CPS pure-plays for the most demanding industrial environments; air-gapped and heavily regulated sites need to confirm the on-prem and connectivity model fits their constraints.
Tenable OT Security
Strengths: The former Indegy, extending Tenable’s vulnerability- and exposure-management heritage into ICS/OT and unifying cyber-physical risk with IT exposure in one view via Tenable One; combines passive monitoring with OT-safe selective querying and strong CVE-to-asset mapping, with a new OT discovery engine broadening cyber-physical coverage. Recognized as a Challenger in the 2026 Gartner Magic Quadrant for CPS Protection Platforms. Considerations: Strength is rooted in vulnerability and exposure management, so passive OT detection breadth can trail the OT-native leaders; deepest value accrues to existing Tenable exposure-management customers; selective active querying must be scoped carefully on sensitive control networks.
Forescout
Strengths: Long heritage in agentless device visibility and control across IT, OT, and IoT, with eyeInspect for deep OT network monitoring and eyeSight for broad asset discovery, plus policy-based segmentation and network-access enforcement; strong where buyers want both visibility and the ability to act on it through NAC and zero-trust controls across a converged estate. Considerations: Breadth across IT/OT/IoT means confirming OT depth matches your most demanding industrial protocols; enforcement-driven value depends on how far you push segmentation and NAC; the portfolio spans several products, so scope the right combination for your environment.
Palo Alto Networks Industrial OT Security
Strengths: Delivers OT visibility, risk assessment, and segmentation as a cloud-delivered service that rides the installed base of Palo Alto next-generation and ruggedized firewalls, applying ML-based asset discovery and OT-aware policy without separate sensors where the firewalls already sit; strong fit for organizations consolidating on the Palo Alto platform and Zero Trust across IT and OT. Considerations: Greatest value is realized with Palo Alto firewalls deployed in or around the OT environment; as a platform extension it is newer to dedicated OT than the pure-plays; the deepest passive-only, firewall-independent deployments may favor an OT-native sensor approach.
Pricing Models & Cost Structure
OT-security pricing has largely moved to subscription, but the unit of measure varies — monitored assets or devices, sites or sensors, or throughput — and that unit, more than the headline rate, determines what you pay as you instrument more plants. Model cost against the number of sites and assets you must actually cover, the sensor footprint each remote or bandwidth-constrained location needs, and whether on-prem management is required for air-gapped or regulated facilities. When OT is delivered as a module of an IT-security platform, the math shifts toward the platform license rather than a standalone line item, and existing-vendor leverage can dominate.
| Vendor | Pricing Model | Relative Tier | Key Cost Drivers |
|---|---|---|---|
| Claroty | Subscription, typically by monitored assets / sites; modular | Premium | Asset/site count, modules selected (xDome, secure access, threat detection), cloud (xDome) vs. on-prem (CTD), healthcare vs. industrial scope |
| Nozomi Networks | Subscription by sensors / monitored assets; Vantage tiers | Moderate–Premium | Number and type of sensors (Guardian, Arc, Guardian Air), monitored assets, Vantage cloud aggregation, number of sites and remote collectors |
| Dragos | Subscription by sites / assets; intelligence and services add-ons | Premium | Site and asset coverage, WorldView threat intelligence, professional and incident-response services, sensor footprint across distributed facilities |
| Armis | Subscription, typically by monitored assets / devices | Moderate–Premium | Monitored asset count across IT/OT/IoT/IoMT, Centrix modules (OT, medical, vulnerability), breadth of estate, ServiceNow platform alignment |
| Microsoft Defender for IoT | Subscription per monitored device / site; Defender-aligned | Moderate | Monitored device count, sites and sensors, Microsoft security (Defender/Sentinel) entitlements and enterprise-agreement fit |
| Tenable OT Security | Subscription by assets; Tenable One exposure platform | Moderate | OT asset count, Tenable One / exposure-management bundle, sensor footprint, integration with existing Tenable vulnerability program |
| Forescout | Subscription by monitored devices / capacity; modular | Moderate–Premium | Device count across IT/OT/IoT, modules (eyeInspect, eyeSight, segmentation), enforcement scope, number of sites |
| Palo Alto Industrial OT Security | Subscription add-on to NGFW platform; per coverage | Moderate–Premium | OT Security subscription scope, underlying firewall footprint (including ruggedized models), assets and sites covered, broader platform adoption |
Implementation & Migration
Sequence the rollout by operational and safety criticality, not by what is easiest to tap, and run it jointly with engineering from day one. Establish passive visibility and a trustworthy asset inventory at your most critical sites first, prove the platform reads the process safely, and only then extend coverage, detection tuning, and any enforcement across the wider estate.
Engage engineering and OT operations as co-owners, then deploy passive sensors via SPAN/TAP at priority sites to build an asset inventory — make, model, firmware, protocol, and Purdue level — without injecting traffic. Validate findings against the engineering asset register and a manual walk-down, and establish a baseline of normal industrial communication.
Turn on anomaly detection and ICS threat intelligence, map CVEs and vendor advisories to discovered assets, and apply OT-aware risk scoring that accounts for safety and reachability rather than raw CVSS. Tune to suppress benign process behavior, and agree with engineering on compensating controls where patching is impossible.
Feed OT alerts and asset context into SIEM, SOAR, and the security team’s workflows, align on a converged IT/OT SOC operating model, and codify response playbooks that keep the engineer as the decision-maker for any action on a controller. Stand up secure remote access for engineers and third-party vendors under policy.
Roll out to remaining plants, substations, and remote or air-gapped sites; introduce segmentation and zone enforcement where the program is ready; and establish recurring asset reconciliation, detection tuning, and risk review as standing joint IT/OT processes measured against the original coverage map.
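The discover, baseline and detect sequence described in the phases above, as an added Python example that is not from this guide or from any vendor it lists: mirrored Modbus/TCP frames are dissected without sending anything to the controller, an inventory is derived from what is observed, a learning window becomes the baseline, and later traffic that falls outside it is flagged, with writes from an unknown source rated highest. The IP addresses and frames are constructed; only the MBAP header layout and function codes follow the public Modbus application protocol.

```python
# Passive Modbus/TCP discovery, baselining and deviation check over mirrored frames.
# Constructed example: addresses and frames are made up; MBAP layout and function
# codes follow the public Modbus application protocol spec.
import struct
from collections import namedtuple

MODBUS_PORT = 502
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}  # coil/register writes change controller state
# client = HMI/historian/workstation, server = PLC or RTU, unit_id = device behind a gateway
Request = namedtuple("Request", "client server unit_id function")

def parse_modbus_tcp(src, dst, dport, payload):
    """Dissect one mirrored TCP payload; None if not a well-formed Modbus/TCP request."""
    if dport != MODBUS_PORT or len(payload) < 8:
        return None
    _tid, proto_id, length, unit_id, func = struct.unpack(">HHHBB", payload[:8])
    if proto_id != 0 or length != len(payload) - 6:  # MBAP: proto 0, length = unit id + PDU
        return None
    return Request(src, dst, unit_id, func)

def build_inventory(requests):
    """Inventory derived only from observed traffic: server -> clients, unit ids, functions."""
    inventory = {}
    for r in requests:
        e = inventory.setdefault(r.server, {"clients": set(), "units": set(), "functions": set()})
        e["clients"].add(r.client); e["units"].add(r.unit_id); e["functions"].add(r.function)
    return inventory

def detect_deviations(baseline, requests):
    """Flag tuples never seen in the learning window; writes from unknown pairs rate high."""
    return [("high" if r.function in WRITE_FUNCTIONS else "medium", r)
            for r in requests if r not in baseline]

def frame(tid, unit_id, func, data):
    """Build a constructed Modbus/TCP request frame (MBAP header + PDU)."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu

# Learning window: HMI and historian polling PLC unit 1 (constructed addresses).
LEARNING = [
    ("10.1.1.10", "10.1.2.20", 502, frame(1, 1, 0x03, b"\x00\x00\x00\x0a")),
    ("10.1.1.10", "10.1.2.20", 502, frame(2, 1, 0x01, b"\x00\x00\x00\x10")),
    ("10.1.1.11", "10.1.2.20", 502, frame(7, 1, 0x03, b"\x00\x64\x00\x05")),
]
# Monitoring window: the same polling, plus a write from a new host, a new unit id,
# and a non-Modbus frame the parser must ignore.
MONITORING = [
    ("10.1.1.10", "10.1.2.20", 502, frame(3, 1, 0x03, b"\x00\x00\x00\x0a")),
    ("10.1.3.5", "10.1.2.20", 502, frame(1, 1, 0x10, b"\x00\x10\x00\x01\x02\x00\x01")),
    ("10.1.1.11", "10.1.2.20", 502, frame(8, 2, 0x03, b"\x00\x64\x00\x05")),
    ("10.1.1.12", "10.1.2.21", 44818, b"\x6f\x00\x00\x00"),  # EtherNet/IP, not parsed here
]

def analyze(learning, monitoring):
    """Run discover -> baseline -> detect and return (inventory, baseline, findings)."""
    learned = [r for r in (parse_modbus_tcp(*p) for p in learning) if r]
    observed = [r for r in (parse_modbus_tcp(*p) for p in monitoring) if r]
    baseline = set(learned)
    return build_inventory(learned + observed), baseline, detect_deviations(baseline, observed)
```

Calling analyze(LEARNING, MONITORING) yields one server with units {1, 2} and two findings; the high-severity one is the Write Multiple Registers request from the unseen workstation, which under the operating model above is handed to the engineer rather than acted on automatically.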
Selection Checklist & RFP Questions
Use this checklist during evaluation to ensure each shortlisted platform covers the capabilities that actually decide whether it can protect a control network without endangering it.