Who we are
Industrial security from the inside out
Sec4OT was founded to address a gap that most IT security firms don't understand: the floor is not the office. Production environments run on protocols IT doesn't speak, hardware IT won't patch, and uptime requirements IT doesn't face.
We operate from the Netherlands, work on-site across industrial sectors, and bring OT-native expertise to every engagement — not an IT security methodology adapted for OT as an afterthought.
Sec4OT is deliberately small. When you engage with us, you work directly with Marc — a senior security engineer with a background in both production floor automation and offensive security. No junior consultants, no generic checklists.
Marc
Founder & OT Security Engineer
Over a decade of hands-on experience spanning industrial automation and OT cybersecurity. Fluent in both Modbus and MITRE ATT&CK for ICS — which means findings are grounded in production reality, not theoretical risk frameworks.
Backgrounds in PLC/SCADA engineering and penetration testing. Regularly engaged for asset discovery, vulnerability assessments, live-hack demonstrations, and OT-SOC design across manufacturing, water, and energy sectors.
PI Certified — Process Industry
IEC 62443 — Industrial cybersecurity standard
NIST SP 800-82 — OT security guidance
MITRE ATT&CK for ICS — adversary emulation
CISA ICS-CERT advisory alignment
Our approach
Four principles that guide every engagement
Hard-earned convictions about what actually works in industrial environments.
Uptime first
Every recommendation accounts for production schedules, maintenance windows, and the reality that a PLC running 24/7 for eight years cannot simply be patched on a Tuesday afternoon. We plan around your operations, not our methodology.
OT-native, not IT-adapted
We use passive discovery tools designed for OT networks — not Nessus against a Siemens S7. We understand Modbus, Profinet, DNP3, and EtherNet/IP. We know the difference between a PLC and a DCS, and why it matters for your security posture.
Evidence-based risk
No vendor fear-mongering. Every finding is tied to a specific asset, a specific risk, and a specific compensating control option. If we cannot quantify it, we do not report it as critical. Your risk register should be actionable, not alarming.
Built for operators
Security awareness training designed for the person running the SCADA screen, not the CISO. Incident response procedures that account for the fact that your most important safety system is also potentially your most vulnerable network node.
Our services
OT security that speaks industrial
Three service lines built specifically for production environments. Every engagement is scoped around your uptime requirements, your risk exposure, and your actual environment — not a standard IT security template.
Service 01
Asset visibility
OT asset management & inventory
You cannot defend what you haven't discovered. Most OT environments have grown organically over years — PLCs added, HMIs upgraded, historian servers never decommissioned. The result is a network nobody fully understands.
We deploy OT-safe passive and selective active discovery to build a complete, verified inventory of every device on your production network. No guessing. No spreadsheets from 2019.
Complete asset register: device type, vendor, firmware version, IP/MAC, and communication patterns
Network topology map showing OT/IT boundaries and internet-exposed assets
Identification of legacy devices, unmanaged endpoints, and rogue connections
CMDB-ready export compatible with your existing asset management tooling
Onsite delivery | Zero production impact | 1–5 days typical
Protocols & platforms covered
- Modbus, Profinet, EtherNet/IP, DNP3, OPC-UA
- Siemens S7, Allen-Bradley, Schneider, ABB, Honeywell
- Historians: OSIsoft PI, Ignition, Wonderware
- HMI/SCADA: WinCC, FactoryTalk, iFIX
- Safety instrumented systems (SIS/SIL-rated)
Frameworks aligned
- IEC 62443-2-1 (IACS security management)
- NIST SP 800-82 (OT security guide)
- CISA ICS-CERT asset visibility guidance
Service 02
Vulnerability management
OT risk assessment & remediation planning
OT vulnerability management is fundamentally different from IT. You cannot simply patch a PLC running 15-year-old firmware because a scanner flagged a CVE. The risk of a failed update often exceeds the risk of the vulnerability itself.
We assess every finding in the context of your production environment — what can be patched, what requires compensating controls, what needs network isolation, and what requires a documented risk acceptance decision.
Prioritised risk register: each finding scored by exploitability, production impact, and proximity to safety systems
Remediation options per finding: patch, compensating control, isolation, or risk acceptance — with tradeoffs
Quick-win list: findings addressable in under one day with zero production impact
Technical report for your OT team plus executive summary for management
Onsite + remote options | No active scanning by default | 2–10 days typical
Assessment scope
- CVE cross-reference for all discovered assets
- Configuration review: hardening gaps, default credentials
- Network segmentation: OT/IT boundary analysis
- Remote access: VPN, jump servers, vendor connections
- Patch status across all patchable devices
Deliverable format
- Executive summary (1 page) for management
- Technical report with full findings for OT team
- Remediation tracker (Excel/CSV) for follow-up
Service 03
Professional services
Security testing, training & OT-SOC advisory
Beyond assessment, Sec4OT provides hands-on services for organisations that need to test their defences, train their people, and build detection capability in OT environments.
Live-hack simulation — Controlled attack demonstration on a digital twin. Shows your team exactly what an attacker could do and how it would appear in your monitoring tooling
Digital twin security lab — Mirror your production environment for testing without production risk. Ideal for patch testing, change validation, and red team exercises
OT security testing — Structured pen testing aligned to IEC 62443 zone/conduit model, with explicit scope agreed with your production manager before any test begins
Security awareness training — Operator-focused training in Dutch or English, built for SCADA operators, field engineers, and maintenance technicians — not the IT helpdesk
OT-SOC advisory — Design and implementation guidance for an Operational SOC — detection use cases, playbook development, and OT-specific incident response procedures
Dutch & English | Onsite delivery | Scoped per engagement
Training audiences
- SCADA operators & control room staff
- Field engineers & maintenance technicians
- OT/IT convergence teams
- Plant managers & HSE officers
- Executive & board level (tabletop exercises)
MITRE ATT&CK for ICS
- All testing mapped to ATT&CK for ICS matrix
- Findings linked to real-world threat actors
- Detection gap analysis included
Blog & insights
OT security in the field
Practical insights from production environments — not theoretical frameworks. Written for engineers and security professionals working in or around industrial control systems.
13 March 2024 — Marc
Building an operational security operations center: what it actually takes
OT environments have become aware of the need for security in production — making an operational SOC a possibility. But an OT-SOC is not an IT-SOC with different data sources. It requires different detection logic, different playbooks, different tooling, and a fundamentally different relationship with production.
This post covers what makes an OT-SOC distinct, what the minimum viable capability looks like, and the common mistakes organisations make when adapting IT security operations for industrial environments.
Asset management
OT asset inventory in practice
Discovery methods, tooling, and what to do when you find devices nobody remembers installing.
Coming soon
Vulnerability management
Patching PLCs without breaking production
Risk-based patch management for OT — when to patch, when to compensate, and when to accept.
Coming soon
Threat intelligence
MITRE ATT&CK for ICS explained
How adversary tactics map to production environments — and what it means for your detection strategy.
Coming soon