Security Stack Logo
Nozomi Networks Platform logo

Cyber-Physical Systems (CPS) Security

Nozomi Networks Platform

OT and IoT security with AI-powered threat detection and network-to-endpoint visibility.

Industrial Control Systems (ICS) SecurityNetwork Detection and Response (NDR)Internet of Things (IoT) SecurityOperational Technology (OT) Security

Nozomi Networks Platform Overview

What it does

Nozomi Networks Platform is an OT, IoT, and cyber-physical systems security solution from Nozomi Networks, founded in 2013 by Andrea Carcano (Co-Founder & CPO), Moreno Carullo (Co-Founder & CTO), and Edgard Capdevielle (President & CEO), and headquartered in San Francisco, CA with R&D in Mendrisio, Switzerland. The company raised $266M in total funding across 8 rounds from 22 investors including GGV Capital, Lux Capital, Energize Capital, Mitsubishi Electric, and Schneider Electric before being acquired by Mitsubishi Electric in September 2025 for approximately $1 billion (largest OT/IoT security acquisition to date). The company has been recognized as Leader in the 2025 Forrester Wave for IoT Security Solutions and received awards from Cyber Defense Magazine, Gartner, Fast Company, and Crossfire Media.

How it works

The platform uniquely combines network and endpoint visibility through Guardian passive network monitoring sensors, Guardian Air wireless spectrum visibility, Arc endpoint agents for host-based systems, and Vantage cloud-native SaaS platform with Central Management Console (CMC) for unified management. AI-powered capabilities include Asset Intelligence for automatic device classification achieving near 100% accuracy, Threat Intelligence with continuously updated IoCs and OT/IoT zero-day vulnerability research from Nozomi Labs, Smart Polling for safe active discovery without disrupting operations, and Vantage IQ AI/ML security engine for extended analytics and automation. The platform supports hundreds of industrial protocols (Modbus, DNP3, BACnet, EtherNet/IP, S7, OPC-UA) with advanced anomaly detection identifying deviations from baselines to detect known threats and zero-day attacks.

Credentials and traction

Nozomi Networks holds SOC 2 Type II attestation and ISO 27001:2022 certification for its Vantage platform, alongside ISO 9001:2015, ISO 27017:2015, and ISO 27018:2025. It was named a Leader in The Forrester Wave: IoT Security Solutions, Q3 2025, earning the highest score of all evaluated providers in the Current Offering category. The platform secures critical infrastructure for organizations including Enel, whose deployment monitors over 10,000 assets, and protected the 2024 Paris Olympics; the company reports supporting more than 115 million devices across its installations.

Key Capabilities

mapped to solution categories
Network Detection and Response (NDR)

Groups related network alerts into structured incidents that reconstruct an attack across hosts and time, reducing alert volume and giving analysts a single investigation timeline instead of disconnected events.

Extends network detection to cloud VPC traffic using VPC flow log analysis, cloud-native sensors, or mirroring, covering east-west traffic between cloud workloads.

Builds per-device and per-application baselines of normal network communication patterns and detects deviations, enabling detection of novel C2 channels, data staging, and lateral movement.

Integrates with firewalls, NAC platforms, and switches to automatically block or quarantine hosts and traffic flows in response to confirmed detections, without requiring analyst-initiated action.

Monitors lateral movement traffic between internal network segments and hosts, distinct from perimeter monitoring. Requires network tap or span port placement on internal switch infrastructure.

Detects threats in TLS-encrypted traffic using JA3/JA3S fingerprinting, certificate anomaly detection, and traffic behavioral analysis, without requiring decryption.

Performs deep packet inspection on industrial protocols (Modbus, DNP3, EtherNet/IP, PROFINET, IEC 61850, OPC-UA), for behavioral monitoring of OT environments alongside IT network analysis.

Detects threats using intelligence feeds from internal and external sources.

Uses an AI-based search assistant to accelerate threat hunting and surface actionable insights.

Industrial Control Systems (ICS) Security

Maps network topology, identified vulnerabilities, and detected anomalies to IEC 62443 zone and conduit requirements and security level targets.

Monitors ICS network traffic by analyzing span port or tap data without injecting any traffic, critical for environments where active probing can cause PLC faults or safety system trips.

Inspects industrial protocols (Modbus, DNP3, IEC 61850, EtherNet/IP, PROFINET, OPC-UA, BACnet) at function-code level for commands and configuration changes. Coverage breadth and inspection depth (command-level function code analysis vs. packet-level header parsing) both vary across ICS security products and are primary evaluation criteria.

Provides a single platform for monitoring both enterprise IT and OT network segments, enabling unified SOC operations without separate monitoring tooling for each domain.

Identifies device vulnerabilities by fingerprinting asset type, firmware version, and protocol implementation from passive traffic observation, no active scan that could disrupt device operation.

Models expected behavior of safety-instrumented systems (SIS) separately from process control systems, preventing false alerts on normal SIS state machine transitions.

Builds ICS asset inventories (PLCs, RTUs, HMIs, engineering workstations) from passive network observation without probes that could disrupt operations.

Operational Technology (OT) Security

Discovers OT/ICS assets by analyzing existing network traffic (Modbus polls, Profinet broadcasts, EtherNet/IP connections), without sending any probe packets that could disrupt device operation.

Dissects OT protocol payloads at the function code level, detecting unauthorized read/write operations, unusual register ranges, and firmware upload commands in Modbus, DNP3, EtherNet/IP, PROFINET, and OPC-UA traffic.

Baselines normal device communication patterns (command frequency, connection pairs, timing), and alerts on deviations, detecting reconnaissance, manipulation, and lateral movement.

Maps actual traffic flows between IT and OT zones and between Purdue model levels, revealing unauthorized cross-zone connections and segmentation failures.

Classifies discovered assets and traffic flows into Purdue Model levels (Level 0-4), supporting IEC 62443 zone and conduit documentation and compliance assessment.

Forwards enriched OT security alerts into enterprise SIEM and SOAR platforms with OT-specific context, enabling unified SOC operations without requiring OT-specialized analysts.

Identifies and prioritizes vulnerabilities across discovered OT and ICS assets using device, firmware, and exposure context, recommending safe, operationally feasible remediation or compensating controls for environments where patching is constrained.

Internet of Things (IoT) Security

Discovers and fingerprints purpose-built connected devices (printers, cameras, infusion pumps, smart meters, building systems), classifying make, model, OS, firmware, and function, including unmanaged devices that cannot run an endpoint agent.

Identifies, prioritizes, and helps remediate device vulnerabilities, including outdated firmware and exposed network services, across the connected-device fleet.

Assesses overall device-ecosystem risk (device trustworthiness, exposure, and operational context) as a continuous posture, distinct from per-CVE vulnerability management.

Generates and enforces least-privilege network segmentation and microsegmentation policies for devices, with pre-deployment impact assessment so new policies do not break device operations.

Monitors device behavior and network traffic to detect anomalies, exploits, and threats targeting connected devices.

Compliance

certifications
ISO 27001SOC 2 Type II

Integrations

compatible tools
Active DirectoryAruba ClearPassAWS IoT Security HubCheck PointCisco ASACisco FirepowerCisco FTDCisco ISEColorTokensCrowdStrikeDispelFortinetGoogle CloudIBM QRadarMicrosoft SentinelPalo Alto NetworksServiceNowSIEM PlatformsSOAR PlatformsSplunkTanium

Implementation & support

Deployment model
Air-GappedCloudHybridOn-PremisesSaaS
Pricing structure
Custom / EnterpriseSubscription
Support channels
24/7 SupportCommunity ForumDocumentationKnowledge BasePhone SupportTicketing PortalTraining / Academy

Info last updated on May 28, 2026

Vendors

Is this your product?

Claim your profile to connect with the teams looking for your solutions.

Security Stack Logo

The curated research platform for enterprise cybersecurity solutions.

All product and company names, logos, and brands are property of their respective owners and are used on this website for identification purposes only. Security Stack does not endorse any vendor, product, or service listed, and makes no warranties, express or implied, as to the accuracy or completeness of this content, including any warranties of merchantability or fitness for a particular purpose.

© 2026 Security Stack. All rights reserved.