← All use cases

OT Deception and Early Warning

Deploy up to 10 coordinated virtual decoys that look and behave like real industrial and enterprise assets—then turn every interaction into a high-signal security alert.

A believable virtual plant becomes a sensor.

Each decoy exposes realistic services and has no legitimate production user. Scans, connections, reads, writes and login attempts therefore carry immediate security value.

01 · PLC
OPC UA · OPC XML · Modbus/TCP
02 · SCADA / HMI Server
OPC UA client/server · HTTP/HTTPS · RDP
03 · Historian Server
OPC UA · SQL history services · HTTP/HTTPS
04 · Engineering Workstation
RDP · SMB · SSH · project and configuration lures
05 · File Server
SMB shares · realistic folders · engineering and operations documents
06 · Identity Server
LDAP · directory and authentication services
07 · Infrastructure Server
DNS · DHCP · NTP · Syslog
08 · Remote Access Gateway
VPN-style target · RDP · SSH
09 · Mail Server
SMTP · IMAP · mail and credential lures
10 · Database Server
SQL service · application data · reporting lures

Event / alert on interaction

Every action is captured with source IP, target decoy, protocol, event type, timestamp, severity and interaction details.

Network scanService probeBrowse OPC tagsRead valuesAttempted writeSubscriptionLogin attemptCredential useSMB share accessFile enumerationBackup huntingLateral-movement activity

Alerting and integration

Email

Immediate notifications.

SNMP traps

Send events to the NMS.

Webhooks

Real-time integrations.

Microsoft Teams

Keep responders in their workflow.

SOC / SIEM API

Automate and correlate.

High-signal activity against assets nobody should touch.

Believable interaction

Functional industrial and enterprise service emulation supports realistic connections, queries, browsing, reads and attempted writes.

Coordinated context

Present one coherent fake plant rather than isolated traps, with each decoy contributing to the same attack story.

Local visibility

Review source timelines, critical events, credentials and asset-level interaction history without a mandatory cloud connection.

Give attackers something believable to find.

Start with the protocols and asset profiles that match your environment.

Discuss an OT deception deployment