OT security testing that walks the protocols, not the perimeter.

Plant-safe pentests for ICS, SCADA, PLCs, and HMIs. Modbus, DNP3, OPC UA, and S7Comm read by hand. Report mapped to IEC 62443 and NIST 800-82.

Read a sample OT finding
OT penetration testing surfaces converging across Modbus, DNP3, OPC UA, and the Purdue model from level 0 sensors up through level 3 plant historians.

Plant-safe

Read-only baseline first. Write-tests behind your change control. No PLC writes without sign-off.

Protocol-native

Modbus, DNP3, OPC UA, S7Comm, IEC 60870-5-104, IEC 61850, EtherNet/IP, PROFINET (walked by hand, not by signature).

Re-test included

Same researcher, same chain. PLC firmware patch, segmentation fix, or HMI hardening verified on the line.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • CREST accredited
  • ISO/IEC 27001

Protocol-native.

We speak the plant's protocols, down to the function code.

OT risk lives in the protocol, not the port. Modbus function code 06 accepting unauthenticated register writes, DNP3 unsolicited responses spoofed across the bus, OPC UA handshakes abused by hand: we test those safely on your plant and show you exactly what moves.

How AI fits in OT pentests >
Two columns. Left: IT scanner view of a PLC as three open ports. Right: the same PLC walked over Modbus and S7Comm with function-code abuse and an extracted ladder logic program.

What lands in scope.

Counted, not claimed.

Industrial protocols
8

Modbus TCP/RTU, DNP3, OPC UA, EtherNet/IP (CIP), PROFINET, S7Comm, IEC 60870-5-104, IEC 61850. Walked by hand, not by signature.

Purdue zones in scope
0 to 5

From sensors and actuators (level 0) through process control (level 2), site operations (level 3), corporate IT (level 4), and the boundary firewall (level 5).

PLC vendors covered
5+

Siemens S7 (300/400/1200/1500), Rockwell Allen-Bradley (CompactLogix, ControlLogix), Schneider Modicon, Mitsubishi MELSEC, ABB AC500.

Re-test after fix
Included

Same researcher, same chain. PLC patch, segmentation change, or HMI hardening verified on the live line.

RECON TO PURDUE.

What a bench operator finds on a plant that an IT scanner cannot see.

  1. Passive recon on the bus

    Tap the network at the cell switch. Read Modbus, DNP3, and S7Comm traffic for asset inventory, function-code patterns, and master/slave relationships before sending a single packet.

  2. PLC enumeration

    Identify PLC vendor, firmware build, slot configuration, and protection level over S7Comm, CIP, or Modbus. Pull ladder logic and tag tables where the PLC permits unauthenticated reads.

  3. HMI and SCADA chain

    Walk Wonderware, GE iFix, Ignition, or FactoryTalk View for default credentials, weak project-file ACLs, and SCADA tag writes that bypass the operator console.

  4. Engineering workstation pivot

    Test the Windows 7 or stale Windows 10 engineering hosts that sit dual-homed in zone 2 and zone 4. Recover project files, signing keys, and stored RDP credentials to the next zone.

  5. Purdue boundary crossing

    Walk the jump host or VPN appliance bridging IT (zone 4) into OT (zone 3). Test for split-tunnel, weak MFA, and stale firewall rules that let an IT-side compromise reach the line.
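The passive side of step 1, and the function-code 06 point from the protocol section above, can be made concrete with a small decoder. The following is an added Python example, not the vendor's tooling and not code from this page: it parses Modbus/TCP frames taken from a tap, builds a master/slave inventory from who talks to port 502, counts exception responses per slave, and flags write function codes (05, 06, 0F, 10, 16, 17) issued by hosts outside an allow-list. The IP addresses, ephemeral ports and frames are constructed for the example.

```python
"""Passive Modbus/TCP inventory from a network tap (added example).

Decodes the MBAP header and function code of each frame, maps masters to
slaves, and flags writes from hosts that are not authorised masters.
The sample flows at the bottom are constructed, not captured from a plant.
"""
import struct
from collections import defaultdict

MODBUS_PORT = 502
# Function codes that change process state (coil and register writes).
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
FC_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers",
}


def parse_mbap(frame: bytes) -> dict:
    """Decode one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The MBAP length field counts the unit-id byte plus the whole PDU.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} != {len(frame) - 6} bytes present")
    fc = frame[7]
    return {
        "tid": tid,
        "unit_id": unit_id,
        "fc": fc & 0x7F,              # strip the exception bit
        "exception": bool(fc & 0x80), # slave rejected the request
        "data": frame[8:],
    }


def inventory(flows, allowed_masters):
    """Summarise (src_ip, src_port, dst_ip, dst_port, payload) tuples.

    Traffic to port 502 is a request, so its source is a master; traffic
    from port 502 is a response from a slave.
    """
    slaves = defaultdict(set)        # (slave_ip, unit_id) -> function codes seen
    masters, pairs = set(), set()
    exceptions = defaultdict(int)    # (slave_ip, unit_id) -> exception responses
    unauthorised_writes = []
    for src, sport, dst, dport, payload in flows:
        adu = parse_mbap(payload)
        if dport == MODBUS_PORT:
            masters.add(src)
            slaves[(dst, adu["unit_id"])].add(adu["fc"])
            pairs.add((src, dst))
            if adu["fc"] in WRITE_FCS and src not in allowed_masters:
                name = FC_NAMES.get(adu["fc"], f"FC {adu['fc']:#04x}")
                unauthorised_writes.append((src, dst, adu["unit_id"], name))
        elif sport == MODBUS_PORT and adu["exception"]:
            # A burst of exceptions from one slave usually means a host is
            # probing addresses or function codes it should not be touching.
            exceptions[(src, adu["unit_id"])] += 1
    return {
        "masters": sorted(masters),
        "slaves": {k: sorted(v) for k, v in slaves.items()},
        "pairs": sorted(pairs),
        "exceptions": dict(exceptions),
        "unauthorised_writes": unauthorised_writes,
    }


def adu(tid: int, unit_id: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP frame around a PDU (used to construct sample flows)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


# Constructed addresses: a level-3 historian, a level-1 PLC, and a dual-homed
# engineering workstation on the IT side.
HISTORIAN, PLC, EWS = "10.0.3.10", "10.0.2.20", "10.0.4.77"
SAMPLE_FLOWS = [
    # Historian polls holding registers 0..9 of unit 1; PLC returns 20 bytes.
    (HISTORIAN, 49152, PLC, 502, adu(1, 1, bytes([0x03]) + struct.pack(">HH", 0, 10))),
    (PLC, 502, HISTORIAN, 49152, adu(1, 1, bytes([0x03, 20]) + bytes(20))),
    # Engineering workstation writes register 16 on the PLC (function code 06).
    (EWS, 50001, PLC, 502, adu(7, 1, bytes([0x06]) + struct.pack(">HH", 16, 0x00FF))),
    # PLC answers a later request with exception 02 (illegal data address).
    (PLC, 502, EWS, 50001, adu(8, 1, bytes([0x86, 0x02]))),
]

if __name__ == "__main__":
    for key, value in inventory(SAMPLE_FLOWS, allowed_masters={HISTORIAN}).items():
        print(f"{key}: {value}")
```

Run against a real tap, the allow-list would be the SCADA masters from the asset register; anything else issuing a write function code is either an undocumented master or the finding the protocol section describes.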

OT methodology.

Eight phases. Boundary to bus.

Threat-modelled to your plant. Not a checklist.

  1. Scope & threat-model
  2. Passive surface recon
  3. Boundary walk
  4. Protocol attack surface
  5. PLC and engineering workstation
  6. HMI and SCADA chain
  7. Exploit synthesis
  8. Patch verification

Meet your expert

John Dill

vCISO at SecureLayer7

Plant-led

OT engagement model

Modbus to MES

In scope by default

IEC 62443

Report-mapped

John scopes OT engagements against your PLC vendor mix, SCADA platform, and Purdue-zone layout. Runs kick-off, change-control review, and sign-off.

  • Scopes engagements across manufacturing, energy, utilities, oil and gas (API 1164), and water (TSA Pipeline) against your real safety model.
  • Owns kick-off, maintenance-window planning, and live review of every protocol, PLC, HMI, and boundary finding.
  • Drives remediation review and re-test until every chain is closed and the patch is verified on the live line.
SL7 Lab. Published CVE research.
John Dill, vCISO at SecureLayer7

Ready to scope an OT pentest? Book 30 minutes with John to walk through your plant, PLC vendor mix, SCADA platform, and maintenance window.

Book a 30-min call

Common procurement questions

What buyers ask before signing an OT pentest SOW.

Have a procurement question not listed here?

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech (industrial SaaS / IIoT)

IIoT platforms, fleet-control APIs, OTA chains into plant gateways, edge controllers.

Retail (logistics / supply chain)

Warehouse robotics, edge IoT controllers, Modbus-speaking conveyor PLCs, distribution-centre HMIs.

Energy & utilities

Substation IEC 61850, DNP3 outstations, NERC CIP scope, pipeline SCADA (TSA Pipeline).

Sample OT pentest report: chain, evidence, patch path, re-test.

Sample OT engagement report

See what arrives in your inbox.

A redacted sample OT pentest report: protocol-walk narrative, recorded proof-of-exploit on the bus, patch path, and re-test note.