Xthor
Industrial OT NDR · IEC 62443 · MITRE ATT&CK for ICS

Industrial threats don't announce themselves.

Xthor monitors your OT network at the protocol level. Passively, without agents, without touching the control plane. It detects attacks your SOC has never seen, and explains them to the engineers who can actually stop them.

Sectors
Energy Oil & Gas Manufacturing Water Railway Defence
[Dashboard mock-up (xthor.io / overview): risk score 48, MODERATE. 183 assets, 12 critical, 31 high. Active alerts: setpoint overwrite on compressor loop from a source outside the engineering zone (T0836); protection relay replay attack detected, bay 3 substation (T0830); safety controller command from unrecognized host, TRITON pattern (T0839). Protocol activity, last hour: Modbus 4.2k · IEC 61850 3.1k · S7 / PLC 1.9k · field bus 940.]
180+
Industrial Protocols
full semantic inspection
40+
Detection Models
behavioral, ML, and signature
8
Adversary Groups Tracked
with live TTP correlation
<1h
Time to First Detection
from deploy to active monitoring

Your IT security stack is blind to what's happening on the plant floor.

Industrial control networks run on decades of proprietary protocols that generic security tools cannot read. Attackers know this. The most consequential ICS attack tooling ever analyzed (Industroyer, TRITON, PIPEDREAM) was built to operate inside exactly this detection gap. Xthor closes it.

Port inspection is not protocol inspection.

Firewalls and generic IDS see network flows. Xthor reads the protocol: command type, target device, process parameter, value. The difference between "normal traffic" and an attack is in those details.

Nation-state actors built their tools around your blind spots.

PIPEDREAM, Industroyer2, TRITON: each one speaks the native control protocol, so it stays invisible to monitoring that stops at ports and flows. Eight adversary groups are active against industrial targets today. Xthor tracks each one.

A SOC alert that engineers can't act on is not a detection.

Xthor doesn't stop at a ticket for your security team. It tells your process engineers exactly what happened, what it means for the physical process, and what to do next, in their language.

Passive by design. Zero footprint. Works on any network.

Xthor connects to a SPAN port or TAP on your OT switch. It never injects packets, never participates in protocol handshakes, and is invisible to every device on your network (including attackers).

01 · Passive Capture
Mirror traffic from a SPAN port or network TAP. No agents, no configuration changes on PLCs, RTUs, or relays. Nothing is injected into the network. Prefer a TAP where you can: a SPAN port is a software copy that drops mirrored frames under load, and the sensor cannot analyze what was never mirrored.
Zero impact
02 · Protocol Intelligence
Every packet is decoded at the semantic level: command type, target, process parameter, value, session state. Across 180+ industrial protocols.
180+ protocols
03 · Asset Discovery
Every device on the OT network is identified, fingerprinted by vendor and firmware, and correlated against active vulnerability databases automatically.
Full inventory
04 · Threat Detection
Behavioral baselines, ML anomaly models, signature rules, and adversary TTP matching run in parallel on every flow. 40+ detection models, updated continuously.
40+ models
05 · Xthor Platform
MITRE ATT&CK mapping, AI-powered explainability, compliance reporting, SIEM/SOAR integration. On-premise, air-gapped, or hybrid. Multi-tenant for MSSPs.
Enterprise ready

One platform. Every layer of OT security.

Deep Protocol Inspection

Reads the semantic content of industrial communications, not just the header. What is being commanded, on which device, and what it means for the process.

Asset Intelligence

Automatic device discovery with vendor fingerprinting and firmware identification. Every asset correlated with active vulnerability advisories - no manual input required.

Behavioral Detection

Network baselines learned from your environment. Deviations detected at the command level, not just traffic volume. Catch slow attacks that look normal from the outside.

MITRE ATT&CK for ICS

Every alert auto-mapped to the ICS technique matrix. Kill chain visualization shows which attack phase is active. Full coverage from Initial Access to Impact.

Threat Intelligence

Eight active ICS adversary groups tracked in real time. IOC matching against live feeds. Every new advisory automatically correlated against your existing asset inventory.

AI Explainability

Every alert explained in the language of the process: what happened, which device, what it means physically, what the risk is, and what to do. For engineers, not analysts.

Compliance Automation

Automated gap analysis for IEC 62443, NERC CIP, and NIS2. Zone models, security level assessments, and audit-ready reports — generated continuously from live network data.

Enterprise Architecture

Multi-tenant, MSSP-ready deployment. On-premise, air-gap, or hybrid cloud. SAML 2.0 / OIDC SSO, MFA, RBAC. Scales from a single site to a global industrial estate.

Every sector. Every protocol family. Full semantic inspection.

Xthor covers 180+ industrial protocols across every major sector, from IEC 61850 substation protection and PLC control networks to safety instrumented systems and smart metering infrastructure. Coverage is updated continuously as new protocols emerge.

180+ Total Protocols · 155+ Full DPI · 8 Industry Sectors · 40+ Vendor Families · 83 MITRE Techniques

Power & Substations (12 protocols): IEC 61850 · GOOSE · Sampled Values · IEC 60870-5 · DNP3 · Synchrophasor C37.118
Manufacturing (18 protocols): Modbus · EtherNet/IP · S7comm · PROFINET · CODESYS · EtherCAT · DeviceNet
Oil & Gas (11 protocols): HART-IP · WirelessHART · BSAP · OPC-UA · Foundation Fieldbus · PROFIBUS
Safety SIS (5 protocols): TriStation · CIP Safety · PROFIsafe · openSAFETY · AS-i Safety
Building & HVAC (10 protocols): BACnet · KNX · LonWorks · DALI · M-Bus · Niagara Fox · OpenADR
Smart Grid & Metering (8 protocols): DLMS/COSEM · IEC 62056 · ANSI C12 · PRIME · G3-PLC · Wireless M-Bus
Maritime & Transport (9 protocols): NMEA 0183/2000 · AIS · CAN bus · J1939 · CANopen · Rail SCADA
IIoT & Messaging (9 protocols): MQTT · CoAP · AMQP · SNMP · OPC-UA · LoRaWAN · ISA100.11a

Plus 25+ proprietary protocols across major DCS vendors including Honeywell, Emerson, Yokogawa, and GE.

40+ models. Four distinct detection layers.

Xthor doesn't rely on a single detection approach. Behavioral baselines, machine learning, protocol-specific signatures, and live threat intelligence run simultaneously — each catching what the others miss.

Critical - Process Integrity
Commands that can cause physical harm.
Unauthorized control commands from outside the engineering zone
Dangerous operations: stop, restart, program overwrite, firmware flash
Safety system commands from unrecognized hosts
Setpoint modifications that exceed operating or safety limits
Replay attacks on protection relay communications
High - Network Behavior
Network activity that shouldn't exist.
New device on an OT segment - unrecognized vendor or fingerprint
IT-to-OT communication outside the approved whitelist
Engineering station activity outside scheduled maintenance windows
Abnormal polling frequency - reconnaissance or scan pattern
Protocol direction reversal - device initiating unexpected connections
Intelligence - Adversary TTPs
Known attack patterns from tracked threat actors.
IOC match against live ICS-CERT and CISA advisories
PIPEDREAM / CHERNOVITE multi-step attack chain detection
TRITON / XENOTIME safety system intrusion pattern
Industroyer / SANDWORM substation protocol weaponization
STIX 2.1 indicator correlation across all active alerts
Machine Learning - Subtle Anomalies
Attacks that look normal until they aren't.
Time-series anomaly detection on process control values
Slow-poison setpoint drift - gradual manipulation over days or weeks
Statistical deviation in register access patterns
Seasonal and shift-aware baseline - reduces false positives
Unsupervised clustering for novel protocol behavior
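The "replay attacks on protection relay communications" item above comes down to a counter check on IEC 61850 GOOSE. Each publisher increments stNum on every data-set state change and sqNum on every retransmission (sqNum restarts when stNum changes), so a captured frame re-sent later carries counters the subscriber has already seen, while a forged frame that tries to displace the real publisher carries an inflated stNum. The following is an added example, not Xthor's code: it works on already-decoded frames (parsing the BER-encoded GOOSE PDU is out of scope) and all control-block names, timestamps and counter values are constructed.

```python
"""Added example (not Xthor's code): replay / injection check on IEC 61850 GOOSE
counters, applied to decoded frames. All frames below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class GooseFrame:
    t: float        # capture time in seconds (constructed)
    gocb_ref: str   # publisher control block reference (constructed name)
    st_num: int     # increments on every data-set state change
    sq_num: int     # increments per retransmission, restarts when st_num changes


class GooseSequenceMonitor:
    """Tracks the last (stNum, sqNum) per control block and classifies each frame."""

    def __init__(self) -> None:
        self.last: Dict[str, Tuple[int, int]] = {}

    def observe(self, f: GooseFrame) -> str:
        prev = self.last.get(f.gocb_ref)
        verdict = "ok"
        if prev is not None:
            st, sq = prev
            if f.st_num < st:
                # stNum only moves forward, except when the publisher restarts.
                # Correlate with an IED reboot before treating this as an attack.
                verdict = "replay-regression"
            elif f.st_num == st and f.sq_num <= sq:
                # Exact repeat of a counter pair already on the wire.
                verdict = "replay-duplicate"
            elif f.st_num > st + 1:
                # A forged frame with an inflated stNum makes subscribers ignore the
                # real publisher. Lost frames look the same, hence "suspicious".
                verdict = "suspicious-jump"
        if not verdict.startswith("replay"):
            # Never advance state on a replayed frame, or the replay would mask itself.
            self.last[f.gocb_ref] = (f.st_num, f.sq_num)
        return verdict


def classify(frames: List[GooseFrame]) -> List[str]:
    """Run one monitor over a capture and return a verdict per frame."""
    monitor = GooseSequenceMonitor()
    return [monitor.observe(f) for f in frames]


GCB = "IED1CFG/LLN0$GO$gcb01"   # constructed control block reference
CONSTRUCTED_FRAMES = [
    GooseFrame(0.0, GCB, 5, 0),   # steady-state heartbeat
    GooseFrame(1.0, GCB, 5, 1),
    GooseFrame(2.0, GCB, 5, 2),
    GooseFrame(2.5, GCB, 6, 0),   # genuine state change (e.g. trip), sqNum restarts
    GooseFrame(2.6, GCB, 5, 1),   # old frame re-sent: stNum went backwards
    GooseFrame(2.7, GCB, 6, 0),   # exact duplicate of the state-change frame
    GooseFrame(3.0, GCB, 6, 1),   # normal retransmission
    GooseFrame(3.1, GCB, 9, 0),   # stNum jumped by 3: injection or lost frames
]

if __name__ == "__main__":
    for frame, verdict in zip(CONSTRUCTED_FRAMES, classify(CONSTRUCTED_FRAMES)):
        print(f"t={frame.t:4.1f} st={frame.st_num} sq={frame.sq_num} -> {verdict}")
```

State is kept per control block reference, so two publishers on the same VLAN never contaminate each other's counters; a real sensor would also bound the gap with the frame's timeAllowedToLive, which the constructed frames here omit.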

Not "anomalous traffic detected." The full story, for the engineer on call.

Every Xthor alert includes a physical consequence analysis — what device, what command, what it means for the process, whether the safety limits are at risk, and the exact recommended action. No SOC intermediary required.

Process language, not security language

Alerts reference the engineering tag, process variable, unit of measure, and safety limit - not the protocol address. Your operators understand it immediately.

Natural language threat hunting

Query your entire event history in plain English. No SIEM query language, no log parsing. Ask the question, get the answer.

Predictive anomaly detection

ML models detect gradual setpoint manipulation weeks before it reaches process impact — a class of attack that conventional signature detection cannot catch.
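The reason drift is catchable long before the limit is that small deviations accumulate. As an added example, not Xthor's model and not machine learning, the classical one-sided CUSUM change detector below is the simplest thing that demonstrates the point: it learns mean and spread from a training window and sums every excursion above a slack band, alarming when the sum crosses a threshold. The series, the 124 bar baseline, the 0.1 bar/day creep and the 180 bar limit are constructed. A `direction` parameter, added here, makes the same detector work for downward drift.

```python
"""Added example (not Xthor's code): CUSUM drift detection on daily setpoint writes.
The data is constructed to show gradual manipulation that never nears the safety limit."""
import statistics
from typing import List, Optional

JITTER = [0.0, 0.2, -0.1, 0.1, -0.2, 0.1, -0.1]   # benign day-to-day adjustments (constructed)


def constructed_series(days: int = 30, base: float = 124.0,
                       drift_start: int = 10, drift_per_day: float = 0.1) -> List[float]:
    """Daily values of a hypothetical setpoint tag: stable around `base`, then
    creeping `drift_per_day` further every day from `drift_start` on."""
    series = []
    for d in range(days):
        x = base + JITTER[d % len(JITTER)]
        if d >= drift_start:
            x += drift_per_day * (d - drift_start + 1)
        series.append(round(x, 2))
    return series


def cusum_alarm_day(series: List[float], train_days: int = 7, direction: int = 1,
                    slack_sigmas: float = 0.5, threshold_sigmas: float = 5.0) -> Optional[int]:
    """One-sided CUSUM. Learns mu/sigma from the first `train_days` samples, then
    accumulates deviations in `direction` (+1 upward, -1 downward) beyond a slack of
    k = slack_sigmas*sigma and alarms when the sum exceeds h = threshold_sigmas*sigma.
    Returns the index of the first alarming sample, or None."""
    train = series[:train_days]
    mu, sigma = statistics.mean(train), statistics.stdev(train)
    if sigma == 0:
        raise ValueError("training window has no variance; cannot scale thresholds")
    k, h = slack_sigmas * sigma, threshold_sigmas * sigma
    s = 0.0
    for day, x in enumerate(series[train_days:], start=train_days):
        s = max(0.0, s + direction * (x - mu) - k)
        if s > h:
            return day
    return None


def first_limit_breach(series: List[float], limit: float = 180.0) -> Optional[int]:
    """What a static safety-limit rule sees: the first sample above `limit`, if any."""
    for day, x in enumerate(series):
        if x > limit:
            return day
    return None


if __name__ == "__main__":
    xs = constructed_series()
    day = cusum_alarm_day(xs)
    print(f"CUSUM alarm on day {day} at {xs[day]} bar; static 180 bar rule fires on day "
          f"{first_limit_breach(xs)} within the {len(xs)}-day window")
```

With these numbers CUSUM alarms on day 14, when the setpoint is only 124.5 bar, while a static 180 bar check would need several hundred more days of the same creep. The slack `k` is what suppresses the benign jitter; set it too small and operator tuning becomes an alert.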

On-premise model inference

AI runs locally on your hardware. No data leaves the plant. Air-gapped environments fully supported with on-premise fine-tuned models.

Xthor · Alert #2847 - Critical
Device: Compressor Loop 2 · PLC · Siemens · OT Zone 3
Triggered by: IT segment host - not in engineering whitelist
Action: Setpoint overwrite · pressure control parameter
New value: 400 bar - 222% above operating setpoint
Safety limit: 180 bar · SIL-2 rated · PSH-201
Adversary: CHERNOVITE signature match · step 3 of 5
MITRE: T0836 Modify Parameter · Impair Process Control

Physical consequence analysis
Risk: If this command executes and the high-pressure trip (PSH-201) does not act, compressor mechanical failure is possible within 3–8 minutes. A concurrent alert (#2844) indicates a possible bypass attempt on PSH-201.

Recommended action: Isolate the source host immediately. Do not reset the controller before a forensic memory snapshot is captured. Verify the status of the loop 2 pressure trip (PSH-201) manually.
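What turns bytes on TCP/502 into an alert like the one above is the chain the "Port inspection is not protocol inspection" section describes: decode the protocol, resolve the register to an engineering tag, apply the process-integrity rules from the critical tier, and hand the result to the SIEM. The following is an added example and not Xthor's code. The hosts, the engineering-zone list, the register-to-tag map with its 0.1 scaling and 180 bar limit, the three frames and the CEF vendor string are all constructed; the Modbus/TCP layout and the ATT&CK for ICS technique IDs (T0855 Unauthorized Command Message, T0836 Modify Parameter) are real.

```python
"""Added example (not Xthor's code): Modbus/TCP semantic decode, process-integrity
rules, and CEF output. Hosts, tags, limits and frames are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}            # public function codes that change state
FUNCTION_NAMES = {3: "Read Holding Registers", 6: "Write Single Register",
                  16: "Write Multiple Registers"}

# Hypothetical engineering context: (unit id, holding register) -> tag, scaling, trip limit.
TAG_MAP = {(1, 0x0010): {"tag": "PIC-201.SP", "unit": "bar", "scale": 0.1, "hi_limit": 180.0}}
ENGINEERING_ZONE = {"10.3.1.20", "10.3.1.21"}      # hosts allowed to write (hypothetical)


@dataclass
class ModbusRequest:
    src: str
    unit_id: int
    function: int
    address: Optional[int]   # start register/coil when the PDU carries one
    value: Optional[int]     # written value (first register for FC16), else None


def decode_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse MBAP header + request PDU. A firewall sees 'TCP/502'; this sees which
    function acts on which register with which value."""
    def field(fmt: str, offset: int):
        size = struct.calcsize(fmt)
        if len(frame) < offset + size:
            raise ValueError(f"truncated frame at offset {offset}")
        return struct.unpack(fmt, frame[offset:offset + size])

    _tid, proto, length, unit = field(">HHHB", 0)
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("MBAP protocol id or length mismatch")
    (fc,) = field(">B", 7)
    address = value = None
    if fc in (1, 2, 3, 4):          # reads: start address + quantity
        (address,) = field(">H", 8)
    elif fc in (5, 6):              # single coil/register write: address + value
        address, value = field(">HH", 8)
    elif fc == 16:                  # multiple registers: address, quantity, byte count, values
        address, _qty, count = field(">HHB", 8)
        if count >= 2:
            (value,) = field(">H", 13)   # first register is enough for this example
    return ModbusRequest(src, unit, fc, address, value)


def evaluate(req: ModbusRequest) -> List[Tuple[str, str, str]]:
    """Return (severity, ATT&CK for ICS technique, process-language message) per finding."""
    findings: List[Tuple[str, str, str]] = []
    if req.function not in WRITE_FUNCTIONS:
        return findings                      # reads never change the process
    meta = TAG_MAP.get((req.unit_id, req.address))
    label = meta["tag"] if meta else f"unit {req.unit_id} register {req.address}"
    if req.src not in ENGINEERING_ZONE:
        findings.append(("critical", "T0855", f"{FUNCTION_NAMES.get(req.function, 'write')} "
                         f"to {label} from {req.src}, outside the engineering zone"))
    if meta and req.value is not None:
        eng = req.value * meta["scale"]      # raw register -> engineering units
        if eng > meta["hi_limit"]:
            findings.append(("critical", "T0836", f"{meta['tag']} set to {eng:g} {meta['unit']}, "
                             f"above the {meta['hi_limit']:g} {meta['unit']} safety limit"))
    return findings


def to_cef(src: str, severity: str, technique: str, message: str) -> str:
    """One finding as a CEF line. Header fields escape '|' and '\\', extension values
    escape '=' and '\\'; skipping that lets attacker-influenced text forge SIEM fields."""
    hdr = lambda s: s.replace("\\", "\\\\").replace("|", "\\|")
    ext = lambda s: s.replace("\\", "\\\\").replace("=", "\\=")
    sev = {"critical": 10, "high": 7}[severity]
    return (f"CEF:0|ExampleVendor|OT-NDR|1.0|{technique}|{hdr(message)}|{sev}|"
            f"src={ext(src)} cs1Label=attackTechnique cs1={technique}")


def analyze(src: str, frame: bytes) -> List[Tuple[str, str, str]]:
    return evaluate(decode_modbus_tcp(src, frame))


# Constructed frames: MBAP (tid, proto 0, length 6, unit 1) followed by the PDU.
SETPOINT_OVERWRITE = bytes.fromhex("000100000006" "01" "06" "0010" "0FA0")  # FC6, reg 0x10 = 4000 -> 400.0 bar
ENGINEERING_WRITE = bytes.fromhex("000200000006" "01" "06" "0010" "05DC")   # FC6, reg 0x10 = 1500 -> 150.0 bar
STATUS_POLL = bytes.fromhex("000300000006" "01" "03" "0010" "0001")         # FC3, read 1 register

if __name__ == "__main__":
    for src, frame in [("10.1.5.44", SETPOINT_OVERWRITE), ("10.3.1.20", ENGINEERING_WRITE),
                       ("10.3.1.20", STATUS_POLL)]:
        for sev, tech, msg in analyze(src, frame):
            print(to_cef(src, sev, tech, msg))
```

Run stand-alone it prints two CEF lines for the first frame (unauthorized source, then limit exceeded) and nothing for the other two: the same write from an engineering host at 150 bar is silent, and the poll is silent regardless of source. Everything that distinguishes the three frames sits in bytes 7 through 11, which a flow record never carries.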

Eight adversary groups. All of them actively targeting your sector.

Xthor ThreatDB tracks the TTPs of every major ICS threat actor — updated continuously from ICS-CERT, CISA, and open threat intelligence communities. Every detection is enriched with adversary context the moment a match occurs.

Nation-state Energy · LNG
CHERNOVITE
PIPEDREAM / INCONTROLLER
The most capable ICS attack framework ever analyzed. Designed for simultaneous, large-scale disruption of energy and LNG infrastructure across multiple control system vendors.
Nation-state Oil & Gas · Safety SIS
XENOTIME
TRITON / TRISIS
The only adversary known to deliberately target safety instrumented systems. Deployed malware designed to disable emergency shutdown systems in an active petrochemical facility.
Nation-state Electric · Critical infra
SANDWORM
ELECTRUM · Industroyer
Responsible for the only confirmed cyberattacks to cause widespread power outages. Three separate attacks on Ukrainian grid infrastructure between 2015 and 2022.
Nation-state Electric utilities
KAMACITE
Sandworm-linked access operations
Specializes in IT-to-OT intrusion paths, moving from spearphishing to substation network access. Actively targeting electric utilities in North America and Western Europe.
Nation-state US critical infra
VOLT TYPHOON
Bronze Silhouette
Living-off-the-land pre-positioning in US critical infrastructure. Joint CISA, NSA and FBI advisory issued. Focus on long-term persistence for potential future disruption, not immediate attack.
Nation-state Oil & Gas · Electric
MAGNALLIUM
APT33 · Refined Kitten
Iranian threat group targeting energy sector with destructive payloads following extended reconnaissance campaigns. Active across Middle East, Europe, and North America.
Nation-state Energy · Utilities
IRON LIBERTY
Dragonfly 2.0
Historian and HMI intelligence collection specialist. Targets operational data (process setpoints, network topology, engineering configurations) as a precursor to disruption campaigns.
Nation-state Oil & Gas · Defence
RASPITE
Leafminer
Long-term persistence specialist in Middle East energy infrastructure. Exfiltrates engineering documentation and SCADA configurations before staging operational disruption.
Live intelligence feeds updated daily
ICS-CERT advisories, CISA, MISP, and CIRCL intelligence. STIX 2.1 / TAXII 2.1 export to any SIEM. Every new advisory automatically matched against your live asset inventory — no analyst action required.

Works with your existing security stack. Out of the box.

Xthor sends enriched OT security events to every major SIEM, SOAR, and ticketing platform. No custom connectors, no professional services engagement.

SIEM
Splunk HEC
Microsoft Sentinel
IBM QRadar
Elastic / OpenSearch
Wazuh
CEF / Syslog
SOAR & Response
Palo Alto XSOAR
ServiceNow CMDB
Jira Service Mgmt
PagerDuty
Webhook / REST API
Threat Intelligence & IAM
MISP (STIX/TAXII)
CrowdStrike Falcon
Okta / Azure AD
SAML 2.0 / OIDC
LDAP / Active Directory

See your OT network the way the adversaries do.

Live deployment on your network or replay from your own packet capture. Working detections in under an hour - no commitment, no professional services fee, no extended onboarding.

No agents on any OT device
Zero packets injected into the network
On-premise · fully air-gap capable
Deployed and detecting in under an hour