Industrial Threat Hunter®

Industrial Threat Hunter - Cybersecurity for Industrial Networks

Intrusion Detection for ICS and SCADA Networks

Industrial Threat Hunter® is an intrusion detection system designed specifically for the unique requirements of Industrial Control Systems and SCADA networks.  Because industrial networks are significantly more stable (change less often) than typical IT networks, Threat Hunter creates a baseline of network devices and communications that is used to identify important changes in the network.

Then, using standards-based event formatting, alerts are sent to existing control panels, monitoring systems and/or the SEIM. It is not uncommon for malware to evade today’s anti-malware products. However, in an ICS environment it is very difficult for that same malware to communicate to any system without discovery. C&C channels are instantly discovered. New protocols are identified with the first packet. Any packet not meeting the standard will be flagged.

This may sound noisy, but in ICS or SCADA networks it isn’t. In fact, during normal operations, Industrial Threat Hunter is completely silent. But when things even start to go wrong – an unauthorized device is added, the network is surveilled, a vulnerability in the protocol is exploited… Industrial Threat Hunter sounds the alarm during all phases of the attack.

NERC CIP V Support

Because Industrial Threat Hunter constantly watches the network for changes, events created byIndustrial Threat Hunter can be used to document changes to meet NERC CIP V requirements.

Incident Response

While Industrial Threat Hunter does not actively block attacks or suspicious activity, it does provide you with information that is critical to knowing the source of an attack. None of these alerts are typical for IT-based detection systems. Support for protocols like IEC61850, DNP3 and Modbus are non-existent or weak, in commercial products.


Industrial Threat Hunter is deployed in passive mode. It cannot block operational traffic. Most often,Industrial Threat Hunter gets a feed from the SPAN or Mirror port on the network switch. It can also be deployed via a network tap.

Industrial Threat Hunter is a software application that run on Linux platform. Depending on the hardware used and the network infrastructure,Industrial Threat Hunter can be deployed to monitor multiple networks with a single instance.

Industrial Threat Hunter requires no external communication. Your administrator will configure whereIndustrial Threat Hunter is to send alert data. No other data is sent out fromIndustrial Threat Hunter.

Industrial Threat Hunter is a perpetual license. While support and updates will be available under a support contract,Industrial Threat Hunter will not expire or ever stop working due to an expired license.

Subscribe to newsletter