PhantomPlant
STANDALONE OT/IT DECEPTION APPLIANCE

Deploy a fake industrial network before attackers find the real one.

PhantomPlant is a standalone OT/IT deception appliance that creates a believable network of coordinated industrial and enterprise decoys. Every scan, login attempt, protocol probe and suspicious interaction becomes a security event.

NOT A SIMPLE HONEYPOT

A complete OT/IT deception environment.

Up to 10 coordinated decoys

Present a coherent fake plant rather than isolated traps, with every device contributing context to the same attack story.

Believable OT and IT profiles

PLCs, SCADA/HMI, historians, engineering workstations, file servers, identity and infrastructure services.

Central event visibility

See active decoys, attack sources, critical writes, credentials and asset-level interaction history.

Appliance deployment

Container-ready deployment on compact ARM64 or x86-64 hardware for lab, edge and production-adjacent networks.

Every fake device becomes a sensor.
Every interaction becomes intelligence.

REALISTIC DECOYS, REAL SERVICES

Functional industrial protocol emulation.

Not fake banners or passive open ports. Attackers can interact with the decoys like real systems while every action is captured.

⬡

OPC UA

Functional OPC UA server

</>

OPC XML

NodeSet XML emulation

⌘

Modbus/TCP

Functional Modbus server

↔Connect
â–¤Read
â—‰Subscribe
✎Write
â–£Browse

Functional service emulations support realistic connections, queries, subscriptions, browsing, reads and attempted writes.

DECOY ASSET PROFILES

A believable industrial ecosystem.

PLC decoys

Functional industrial protocol emulations.

SCADA / HMI

Realistic operator-facing systems.

Historian decoys

OPC UA and SQL history services with live data.

Engineering workstations

Tools, projects and configuration lures.

File servers

SMB shares with realistic folders and documents.

Identity services

Directory, LDAP and authentication services.

Infrastructure services

DNS, DHCP, NTP, Syslog and core services.

Remote access

RDP, SSH and VPN-style lateral-movement targets.

FILE SERVER LURES

2,500 realistic files

Detect suspicious browsing, backup hunting, document enumeration and access to fake engineering, operations, maintenance and reporting material.

WORKING INFRASTRUCTURE

DNS, DHCP and NTP

Core services operate as part of the deception environment, making the fake network more complete while generating rich interaction data.

WHAT IT DETECTS

High-signal activity against assets no legitimate user should touch.

Network scanningService enumerationUnauthorized login attemptsOPC UA / OPC XML interactionModbus reads and writesSMB share accessFile and backup enumerationDNS / DHCP / NTP interaction
FROM EVENTS TO ACTIONABLE ALERTS

Central event collection and flexible delivery.

Every interaction creates a structured event with source IP, target asset, protocol, event type, timestamp, severity and interaction details.

Attacker→Decoy assets→Event API→Local store→Dashboard / SOC
ALERTING & INTEGRATION
✉Email alertsInstant notifications
â–¦SNMP trapsSend events to NMS
⌁WebhooksReal-time integrations
TMicrosoft TeamsStay in the workflow
APISOC / SIEMAutomate and correlate
WHAT SECURITY TEAMS CAN SEE
  • Source IP address
  • Target decoy device
  • Protocol or service used
  • Event type and severity
  • Timestamp and repeated activity
  • Asset-level interaction history

Dashboard and reports

Review source timelines, critical events, writes, credentials and assets at risk.

Local visibility

No mandatory external cloud connection, suitable for isolated and controlled environments.

DEPLOY WHERE VISIBILITY IS MISSING

OT labs. Industrial DMZs. Production-adjacent networks. Remote sites.

PHANTOMPLANT APPLIANCE

Give attackers something believable to find.

Give defenders an early warning before real industrial assets are touched.

Contact us about PhantomPlant