Most penetration testing firms treat OT like flat IT: same scanners, same tools, same playbooks. The result is engagements that either crash production equipment or skip the OT environment entirely. Arsenal operators come from industrial backgrounds and test OT the way an attacker actually would: safety-first, protocol-aware, and focused on the IT-to-OT pivot paths that real adversaries exploit.
Passive observation by default. Active testing only against assets in scope, with explicit customer sign-off. No experiments against live production PLCs.
Working familiarity with Modbus, OPC UA, DNP3, EtherNet/IP, and Siemens S7. The protocols that run plants, not generic web stacks.
The techniques nation-state actors actually use against industrial targets. Not a vulnerability scanner with a clipboard.
The path almost every real industrial breach takes. We map where the IT/OT boundary is actually weak: jump servers, weakly authenticated remote-access VPN, exposed historians, and the engineering workstations that sit on both sides of it.
Firewall rules, jump servers, remote-access VPN, and historian exposure — the chokepoints attackers actually pivot through to reach the plant network.
Purdue Level 3 historians and engineering workstations, Level 2 HMIs, Level 1 PLCs, and the supporting Level 4–5 enterprise infrastructure that surrounds them.
Authentication, integrity, and observability across Modbus, DNP3, OPC UA, EtherNet/IP, and the proprietary protocols that move production data.
We demonstrate how a real attacker could affect operations — without actually disrupting production. Findings are defensible enough for a board report and concrete enough for engineering to act on.
The operator running your assessment is the same person who wrote the curriculum on industrial penetration testing.
Talk to us about a scoped OT engagement or fold industrial coverage into a Continuous Red Team Assessment.