
Cyber-Physical Systems (CPS) Security
Dragos Platform
Industrial cybersecurity platform delivering OT asset visibility and threat detection.
Dragos Platform Overview
What it does
The Dragos Platform is purpose-built cybersecurity software for operational technology (OT) and industrial control systems (ICS), providing asset visibility, threat detection, vulnerability management, and incident response specifically for critical infrastructure. Unlike IT security tools that lack understanding of industrial protocols, the platform uses threat behavior analytics that characterize adversary tactics, techniques, and procedures (TTPs) to identify malicious activity with high confidence while minimizing false positives that plague generic solutions.
How it works
The platform discovers and classifies OT, IT, IoT, and IIoT assets through passive network monitoring and active ICS device collection, capturing device type, manufacturer, firmware version, and communication patterns with detailed vulnerability context. Detection capabilities use composite threat analytics based on real-world attack groups documented by Dragos WorldView intelligence researchers, providing alerts with investigation playbooks that guide security teams through efficient response workflows and automated risk prioritization based on environmental context rather than generic CVE scores.
Credentials and traction
The Dragos Platform is ISO/IEC 27001:2022 and SOC 2 Type II certified. Dragos was named a Leader in the 2026 Gartner Magic Quadrant for Cyber-Physical Systems Protection Platforms, its second consecutive placement, and holds a 4.5 out of 5 rating on Gartner Peer Insights in the CPS Protection Platform category. Frost & Sullivan ranked it #1 in Innovation in the 2025 Frost Radar for OT Cybersecurity Solutions. The platform serves critical infrastructure operators across the electric, oil and gas, manufacturing, and water sectors.
Key Capabilities
mapped to solution categoriesMonitors ICS network traffic by analyzing span port or tap data without injecting any traffic, critical for environments where active probing can cause PLC faults or safety system trips.
Inspects industrial protocols (Modbus, DNP3, IEC 61850, EtherNet/IP, PROFINET, OPC-UA, BACnet) at function-code level for commands and configuration changes. Coverage breadth and inspection depth (command-level function code analysis vs. packet-level header parsing) both vary across ICS security products and are primary evaluation criteria.
Models expected behavior of safety-instrumented systems (SIS) separately from process control systems, preventing false alerts on normal SIS state machine transitions.
Identifies device vulnerabilities by fingerprinting asset type, firmware version, and protocol implementation from passive traffic observation, no active scan that could disrupt device operation.
Maps network topology, identified vulnerabilities, and detected anomalies to IEC 62443 zone and conduit requirements and security level targets.
Provides a single platform for monitoring both enterprise IT and OT network segments, enabling unified SOC operations without separate monitoring tooling for each domain.
Builds ICS asset inventories (PLCs, RTUs, HMIs, engineering workstations) from passive network observation without probes that could disrupt operations.
Ingests and applies threat intelligence specific to critical infrastructure threat actor groups (Sandworm, ELECTRUM, Volt Typhoon), and sector-specific attack techniques.
Generates pre-formatted incident notifications compliant with CISA reporting requirements, NERC CIP-008, and sector-specific regulatory reporting obligations.
Supports sector-specific compliance frameworks alongside IEC 62443: NERC CIP for electric utilities, TSA security directives for pipelines, NRC cybersecurity requirements for nuclear.
Monitors OT system availability, process variable integrity, and control system state, flagging deviations that indicate cyberattack or equipment failure affecting operational continuity.
Discovers OT/ICS assets by analyzing existing network traffic (Modbus polls, Profinet broadcasts, EtherNet/IP connections), without sending any probe packets that could disrupt device operation.
Dissects OT protocol payloads at the function code level, detecting unauthorized read/write operations, unusual register ranges, and firmware upload commands in Modbus, DNP3, EtherNet/IP, PROFINET, and OPC-UA traffic.
Baselines normal device communication patterns (command frequency, connection pairs, timing), and alerts on deviations, detecting reconnaissance, manipulation, and lateral movement.
Forwards enriched OT security alerts into enterprise SIEM and SOAR platforms with OT-specific context, enabling unified SOC operations without requiring OT-specialized analysts.
Identifies and prioritizes vulnerabilities across discovered OT and ICS assets using device, firmware, and exposure context, recommending safe, operationally feasible remediation or compensating controls for environments where patching is constrained.
Compliance
certificationsIntegrations
compatible toolsImplementation & support
Info last updated on May 28, 2026
Vendors
Is this your product?
Claim your profile to connect with the teams looking for your solutions.