
Darktrace / OT — Self-Learning AI for Industrial & ICS

OT and ICS networks cannot be treated like office IT: the devices are fragile, run for years unpatched, and break if you actively scan them. Darktrace / OT brings passive Self-Learning AI to the plant floor — it learns the normal pattern of life of every industrial asset and protocol, maps it to the Purdue model, and catches the IT-to-OT attack path that IT-only tools never see.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Darktrace / OT (2026): passive Self-Learning AI for operational technology and ICS. Why OT devices are fragile and cannot be actively scanned, how Darktrace learns the normal pattern of life of industrial protocols (Modbus, DNP3, S7, EtherNet/IP, OPC, IEC-104, Profinet), maps assets to the Purdue model, and catches the IT-to-OT cross-boundary attack path that IT-only or OT-only tools miss.

Pick where you want to start

1. Why OT is different: fragile devices, no agents, no active scans, special protocols.
2. The Darktrace / OT approach: passive Self-Learning AI, protocols, asset visibility, Purdue.
3. The real attack path: IT-to-OT pivot plus anomalies inside the OT network.
4. One platform vs silos: IT+OT correlation, safety systems, and the pitfalls.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Can you safely run an active network scan against a live PLC?

Answered in Why OT is different.

2. How does Darktrace / OT decide something is a threat?

Answered in The Darktrace / OT approach.

3. Where do most real OT attacks actually begin?

Answered in The real attack path.

Most engineers think…

Most people assume you can point the same security tools at the plant floor that you use for the office — scan everything, drop an agent on each box, match known signatures. In OT that mental model is not just wrong, it is dangerous.

OT and ICS run fragile devices — PLCs, RTUs and HMIs — that can be disrupted by active probing, run for years without patching, and speak industrial protocols IT tools don't understand. Darktrace / OT instead watches traffic passively, learns the normal pattern of life of every asset and protocol with Self-Learning AI, and flags anomalies with no signatures and no agents. Crucially, because it correlates IT and OT on one platform, it can follow an attacker who lands on IT and pivots into OT — the most common attack path and the exact thing siloed tools miss.

① Why OT and ICS are not just 'IT on the plant floor'

The single most important idea: you cannot treat OT like IT. Operational technology runs the physical process — and the devices that do it (PLCs, RTUs and HMIs) are fragile, often run for years without patching, and can be knocked over by something as simple as an active scan.

That changes the rules. You generally cannot install agents on OT devices, you must not actively probe them, and the priorities are flipped: safety and uptime come before patching. On top of that, OT speaks its own languages — industrial protocols like Modbus, DNP3, Siemens S7, EtherNet/IP, OPC, IEC-104 and Profinet — that ordinary IT security tools simply do not understand.

So any OT security approach has to be passive, agentless and protocol-aware. Point a normal IT scanner at the plant floor and you risk causing the very outage you were trying to prevent.

Figure 1 — How Darktrace / OT works — watch, learn, detect, investigate
Panels: Observe (passive OT traffic) · Learn (pattern of life) · Detect (anomaly, no signature) · Investigate (Cyber AI Analyst) · Prioritise (risk + exposure).
Darktrace / OT runs the same passive loop against the live OT network, never sending a packet to a device.

Figure 2 — Why OT is not IT
Panels: Fragile devices (PLCs, RTUs, HMIs disrupted by probing) · No agents / no scans (passive observation only) · Industrial protocols (Modbus, DNP3, S7, OPC, IEC-104).
Three realities of the plant floor that force a passive, agentless, protocol-aware approach.
Quick check · Q1 of 10 · Understand

Why must an OT security approach be passive rather than actively scanning devices?

Correct: b. PLCs, RTUs and HMIs are fragile and often run unpatched for years; an IT-style active scan can crash or disrupt them, causing the very outage you were trying to prevent. So OT monitoring must be passive and agentless.
👉 So far: OT is not IT: fragile PLCs/RTUs/HMIs, no agents, no active scans, and industrial protocols (Modbus/DNP3/S7) that IT tools don't understand — safety and uptime beat patching.

② Darktrace / OT — passive Self-Learning AI on the plant floor

Darktrace / OT brings Darktrace's Self-Learning AI to OT and ICS. It works entirely from passive traffic — no active scanning, no agents on devices — so fragile gear is never disturbed. From that traffic it learns the normal pattern of life of each OT asset and each industrial protocol, then flags deviations as anomalies. Because it learns rather than matches, it needs no signatures and can catch novel or zero-day OT threats.

Protocol understanding and asset visibility

It genuinely understands OT protocols (Modbus, DNP3, S7, EtherNet/IP, OPC, IEC-104, Profinet), so it can tell a routine Modbus read from a suspicious Modbus write to a controller. Passively, it also builds an OT asset inventory and maps every device to the Purdue model levels — giving you a picture of what is talking to what, and where each asset sits, without ever sending a packet to a PLC.

Figure 3 — One AI learns every OT protocol
Panels: Self-Learning AI (pattern of life) · Modbus · DNP3 · Siemens S7 · EtherNet/IP · OPC · IEC-104 / Profinet.
Self-Learning AI builds a pattern of life across all the industrial protocols on the network, with no signatures.
Self-Learning AI
Learns the normal pattern of life of each OT asset and protocol from passive traffic, then flags anomalies — no signatures needed.

Passive monitoring
Read-only observation of OT traffic with no agents and no probing, so fragile PLCs, RTUs and HMIs are never disturbed.

IT/OT boundary
The line between office IT and plant-floor OT — the most common attack path, where an IT foothold pivots down into OT.

Cyber AI Analyst
Automated investigation that stitches related IT and OT events into one incident, exposing the full cross-boundary chain.

Lead with 'passive and protocol-aware'

In an interview, the first two words for any OT tool are passive and agentless — because the devices are fragile. Then add that Darktrace learns each protocol's pattern of life (Modbus, DNP3, S7) so it interprets commands, not just packet counts, and maps assets to the Purdue model.

Quick check · Q2 of 10 · Remember

How does Darktrace / OT decide that OT activity is a threat?

Correct: a. Darktrace / OT uses Self-Learning AI to build a normal pattern of life for each asset and protocol, then flags anomalies. It needs no signatures, so it can catch novel or zero-day OT threats, and it never installs agents or actively scans.
👉 So far: Darktrace / OT = passive Self-Learning AI: learns each asset's pattern of life with no signatures and no probing, understands OT protocols, and maps assets to the Purdue model.

③ Catching the real attack path — IT to OT, and inside OT

Here is the part interviews care about: most OT attacks do not start in OT. They start with an IT foothold — a phishing email, a compromised laptop — and then pivot across the IT/OT boundary into the plant network. That boundary is the most common attack path, and the blind spot for tools that only see one side.

Because Darktrace correlates IT and OT on one platform, the Cyber AI Analyst can stitch related events into a single incident. An IT phishing compromise and a later anomalous command to a PLC are not two unrelated alerts — they read as one chain. It also catches anomalies within OT itself: an HMI issuing commands it never has, or a device talking to a controller it has never spoken to.

The interview line: the value is following the attacker across the boundary, not just watching one network. You see the foothold, the pivot, and the OT deviation as a connected story.
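To make "pattern of life" concrete for both the read-versus-write distinction in section ② and the cross-boundary case in this section, here is an added example that is not Darktrace code and not part of the original lesson. It learns which Modbus/TCP talkers and function codes are normal from a constructed baseline, then judges new frames: a routine read from the HMI passes, a write from the HMI is a new function for that pair, and a write from an IT laptop that has never spoken to the PLC is flagged as a new talker. Hosts, addresses and baseline traffic are constructed; the code only parses captured frames and never sends anything.

```python
import struct
from collections import defaultdict
# Modbus public function codes (subset); writes change controller state.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_function_code(adu: bytes) -> int:
    """Function code of a Modbus/TCP ADU. MBAP header: transaction id (2),
    protocol id (2, always 0), length (2, bytes after it), unit id (1); then PDU."""
    if len(adu) < 8:
        raise ValueError("ADU too short for MBAP header + function code")
    _tid, proto, length, _unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    return adu[7]

def build_adu(fc: int, data: bytes, tid: int = 1, unit: int = 1) -> bytes:
    # Assembles a frame for the constructed sample traffic below (never sent anywhere).
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([fc]) + data

class PatternOfLife:
    """Passive baseline: which (src, dst) pairs talk, and with which function codes."""
    def __init__(self):
        self.seen = defaultdict(set)  # (src, dst) -> {function codes}

    def learn(self, frames):
        for src, dst, adu in frames:
            self.seen[(src, dst)].add(parse_function_code(adu))

    def detect(self, src, dst, adu):
        """Return a finding for a deviation from the baseline, or None if it fits."""
        fc = parse_function_code(adu)
        name = WRITE_CODES.get(fc) or READ_CODES.get(fc, "unknown")
        kind = "write" if fc in WRITE_CODES else "read"
        if (src, dst) not in self.seen:
            return f"{src} has never talked to {dst}; first message is a {kind} (FC {fc}, {name})"
        if fc not in self.seen[(src, dst)]:
            return f"{src} -> {dst} never used FC {fc} ({name}) before"
        return None

# Constructed baseline (made-up addresses): HMI polls the PLC with reads, EWS writes a setpoint.
HMI, EWS, PLC, LAPTOP = "10.1.0.5", "10.1.0.6", "10.1.0.20", "10.0.5.77"
BASELINE = [
    (HMI, PLC, build_adu(3, b"\x00\x00\x00\x0a")),               # read 10 registers
    (HMI, PLC, build_adu(1, b"\x00\x00\x00\x08")),               # read 8 coils
    (EWS, PLC, build_adu(16, b"\x00\x10\x00\x01\x02\x01\xf4")),  # write 1 register
]

def run_demo():
    """Judge a routine HMI read, a write from the HMI, and a write from an IT laptop."""
    pol = PatternOfLife()
    pol.learn(BASELINE)
    return {
        "hmi_read": pol.detect(HMI, PLC, build_adu(3, b"\x00\x00\x00\x0a")),
        "hmi_write": pol.detect(HMI, PLC, build_adu(6, b"\x00\x10\x00\x00")),
        "laptop_write": pol.detect(LAPTOP, PLC, build_adu(6, b"\x00\x10\x00\x00")),
    }
```

The source host in the "never talked to" finding is the key an IT/OT-correlated platform would join against the earlier IT alert for the same laptop, which is how two alerts become one chain.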

Figure 4 — The IT-to-OT attack path
Panels: Phishing (IT laptop compromised) · Pivot (toward OT network) · Cross boundary (into the plant) · Modbus write (to an unknown PLC) · Flagged (deviation caught).
The common real-world chain: an IT foothold pivots across the boundary and issues an anomalous OT command.

Priya at Sahyadri Steelworks near Pune faces this

The IT SOC's EDR cleaned a phishing-infected office laptop, but nobody can say whether anything reached the plant floor — the OT network is a black box to the IT tools.

Likely cause

The attacker used the IT foothold to pivot toward the OT segment; the IT-only tooling has zero visibility into OT protocols, so any plant-floor activity is invisible.

Diagnosis

Open the Cyber AI Analyst incident in Darktrace / OT — it shows the laptop's connection crossing the IT/OT boundary and an anomalous Modbus write to a PLC the source had never talked to, flagged as a deviation from the OT pattern of life.

Darktrace / OT ▸ Cyber AI Analyst ▸ Incident ▸ Asset (PLC)
Fix

Isolate the source on the IT side, confirm with the OT/engineering team that the PLC logic and setpoints are intact (alongside, not replacing, the safety system), and tighten the IT/OT segmentation to close that path.

Verify

Re-baseline shows the OT pattern of life back to normal, no further anomalous writes to the PLC, and the incident closed with the full IT-to-OT chain documented.

'OT is air-gapped, so it's safe' is wrong

Most real OT attacks start on IT and pivot across the IT/OT boundary — a so-called air gap rarely holds. A tool that only watches OT misses where the attack came from; a tool that only watches IT misses where it went. You need IT and OT correlated to see the whole chain.

▶ Watch an IT-to-OT attack get caught before the PLC is touched

How a phishing foothold turns into an OT command, and how Darktrace / OT sees it.

① Foothold: An attacker phishes an office laptop at the plant and gains an IT foothold inside the corporate network.
② Pivot: From the laptop the attacker pivots toward the OT network, crossing the IT/OT boundary into the plant floor.
③ OT command: The source sends an unusual Modbus write to a PLC it has never communicated with — outside that asset's pattern of life.
④ Caught: Darktrace / OT flags the deviation and Cyber AI Analyst links it to the earlier IT compromise — caught before the PLC is manipulated.
Quick check · Q3 of 10 · Apply

A compromised IT laptop sends a Modbus write to a PLC it has never communicated with. How does Darktrace / OT treat this?

Correct: c. The write breaks the learned pattern of life for that PLC, so it is flagged as an anomaly. Because IT and OT are correlated on one platform, Cyber AI Analyst links it to the earlier IT compromise into one cross-boundary incident.
👉 So far: The real attack path is IT-to-OT: a phishing foothold pivots across the boundary. Cyber AI Analyst links the IT compromise to the OT anomaly into one cross-boundary incident.

④ One platform vs silos — and the pitfalls

Why one platform? Because correlating IT + OT together is what lets Darktrace follow an attacker from an IT foothold down into OT. An IT-only tool never sees the OT side; an OT-only tool never sees where the attack came from. Either silo misses the cross-boundary path. Darktrace / OT also adds risk and exposure context — which assets are most at risk — and is designed to work alongside safety systems, never to replace them.

The classic pitfalls

Three mistakes sink most OT-security efforts. Active scanning in OT — using IT-style probes that can crash fragile devices. Treating IT and OT as separate silos — which misses the cross-boundary attack entirely. And having no passive visibility into OT protocols — so anomalous Modbus or S7 traffic goes unseen. Darktrace / OT is built to avoid all three: passive, protocol-aware, and correlated with IT.

Figure 5 — IT-only / OT-only tools vs Darktrace / OT
IT-only or OT-only: IT tool blind to OT protocols · OT tool blind to the IT foothold · Active scans can crash devices · Cross-boundary path is missed.
Darktrace / OT: Passive, agentless, no probing · Understands OT protocols · IT + OT correlated on one platform · Follows the attacker IT to OT.
Siloed tools each see half the attack; one correlated platform follows the attacker across the IT/OT boundary.
Confirm OT impact with the engineering team

Never close an OT incident on a hunch. Use the Cyber AI Analyst incident to see the exact asset, protocol and command, then confirm with the OT/engineering team that the controller's logic and setpoints are intact — alongside the safety system, which Darktrace complements rather than replaces.

Quick check · Q4 of 10 · Analyze

Which of these is a classic OT-security pitfall Darktrace / OT is designed to avoid?

Correct: d. Active scanning, treating IT and OT as separate silos, and having no passive OT protocol visibility are the classic pitfalls. Darktrace / OT avoids all three by being passive, protocol-aware and correlated with IT — active probing can crash ICS gear.
👉 So far: One platform correlating IT + OT beats IT-only or OT-only silos. Avoid the pitfalls: active scanning in OT, siloed IT/OT, and no passive OT protocol visibility. It works alongside safety systems.


📝 Wrap-up assessment — six more


Q5 · Remember

Why is Darktrace / OT designed to be passive (no active scanning, no agents)?

Correct: b. PLCs, RTUs and HMIs are fragile and often unpatched; active probing or agents can crash or disrupt them. Passive, agentless observation lets Darktrace monitor without ever putting the process at risk.
Q6 · Understand

Which is an industrial protocol Darktrace / OT understands so it can interpret OT commands?

Correct: c. Darktrace / OT understands OT/ICS protocols such as Modbus, DNP3, Siemens S7, EtherNet/IP, OPC, IEC-104 and Profinet, so it can tell a normal read from an anomalous write — not just count packets.
Q7 · Apply

An attacker phishes an office laptop, then sends an odd command to a PLC. What lets Darktrace tie these two events together?

Correct: a. Because IT and OT are correlated on one platform, the Cyber AI Analyst stitches the IT foothold and the OT anomaly into a single cross-boundary incident — the chain reads as one story, not two unrelated alerts.
Q8 · Analyze

Why does an IT-only tool miss the kind of attack in the packet demo?

Correct: c. An IT-only tool never sees the plant floor or understands OT protocols, so the anomalous Modbus write is invisible and the ICS attack proceeds. Catching it needs passive, protocol-aware OT monitoring correlated with IT.
Q9 · Evaluate

What does mapping OT assets to the Purdue model give a defender?

Correct: c. Purdue-model mapping organises OT assets into hierarchical levels, giving context for what is talking to what and where each device sits — useful for spotting traffic that crosses levels in unexpected ways. It does not encrypt, patch or replace safety systems.
Q10 · Evaluate

An interviewer asks for the biggest OT-security mistakes to avoid. Best answer?

Correct: b. The three classic pitfalls are active scanning in OT (can crash devices), treating IT and OT separately (misses the cross-boundary path), and having no passive OT protocol visibility (anomalous Modbus/S7 goes unseen). Darktrace / OT is built to avoid all three.

🧠 In your own words

Type one line: why can Darktrace / OT catch an IT-to-OT attack that an IT-only tool cannot? Then compare with the expert version.

Expert version: Because Darktrace / OT watches the plant floor passively, understands OT protocols (so it sees an anomalous Modbus write as a break from the learned pattern of life), and correlates IT and OT on one platform. An IT-only tool has no OT protocol awareness and no OT visibility, so the cross-boundary attack — the most common real path, starting from an IT phishing foothold — is invisible to it. The Cyber AI Analyst then stitches the IT foothold and the OT anomaly into one incident, so you see the whole chain instead of two unrelated halves, and you catch it before the PLC is manipulated.


📖 Glossary

OT (Operational Technology)
The hardware and software that runs physical industrial processes — the plant floor, as opposed to office IT.
ICS (Industrial Control System)
The systems that monitor and control industrial processes — PLCs, RTUs, HMIs and SCADA.
PLC / RTU / HMI
Programmable Logic Controller, Remote Terminal Unit and Human-Machine Interface — fragile OT devices that run and display the process.
Pattern of life
The learned baseline of normal behaviour for an OT asset or protocol, against which Darktrace flags anomalies.
Self-Learning AI
Darktrace's anomaly-detection AI that builds its own baseline from passive traffic and needs no signatures.
Industrial protocols
OT languages such as Modbus, DNP3, Siemens S7, EtherNet/IP, OPC, IEC-104 and Profinet that Darktrace / OT interprets.
IT/OT boundary
The junction between the IT and OT networks — the most common path for an attacker to cross into OT.
Purdue model
A reference model that organises ICS/OT into hierarchical levels, used to give OT assets context.
Cyber AI Analyst
Darktrace's automated investigation that stitches related IT and OT events into one incident, exposing the cross-boundary chain.

