Industry · Energy & Critical Infrastructure

Zero Footprint on OT

Personnel-layer security testing that never requires a foothold in your control-system network — because there's nothing there to configure in the first place.

The catch-22 of testing near OT

NERC CIP-004-6 requires documented personnel-risk training and access-management evidence — but a testing tool that needs any kind of network reach toward control-system assets to do its job introduces exactly the kind of exposure CIP is meant to reduce. The safest testing surface is the one that was never near OT to begin with.

Email + human layer only

Nothing to configure on the OT side

PhishArmory tests inboxes and human decision-making — full stop. There is no agent to install on a workstation with HMI access, no credential that reaches a SCADA historian, and no code path that queries anything on your OT network. Non-disruptive by construction, not by careful configuration.

LureDomain.domain_name

Traceable at the IT/OT boundary

Pretext domains are a stable, named pool your team manages once — not disposable, rotating infrastructure. That makes simulation traffic cleanly identifiable at the mail layer, which is exactly the evidence a NERC auditor wants to see distinguishing test traffic from a real intrusion attempt.

crypto_vault.py · operators.mfa_secret_ciphertext

Administrative & Cryptographic Hardening

Independent of the OT-isolation story above: every operator account requires TOTP multi-factor authentication to sign in, and every stored credential — including those MFA secrets themselves — is protected under host-isolated envelope encryption, a per-secret data key wrapped by a master key that never leaves this host's environment. Baseline platform protections, not something you have to configure per engagement.

What this maps to on your compliance calendar

Architectural controls, not certifications — this is the evidence our platform contributes to a program you already run.

FrameworkWhat we contribute
NERC CIP-004-6
(R2, personnel risk assessment & training)
Per-employee campaign results and completion records give your compliance team the documented personnel-training evidence R2 asks for, without any testing footprint on OT/ICS assets.
CIP-003 (security management controls) An append-only, tamper-resistant log of every campaign action supports the security-awareness-program documentation reviewers expect alongside your broader CIP-003 controls.