
Nozomi CMC — Central Management for Air-Gapped & Multi-Site OT

Every Guardian sensor gives you one site. The CMC gives you all of them — on-prem, air-gapped, no cloud required. This lesson maps the CMC architecture, shows how central policy and alerts work across a fleet of Guardians, and gives you the decision framework for choosing CMC over Vantage SaaS.

📅 2026-06-18 · ⏱ 15 min · 5 infographics · live flow demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Learn how Nozomi CMC aggregates many Guardian sensors into one on-prem console for air-gapped, sovereign multi-site OT/IoT security: central policy, unified alerts, and when to choose CMC over Vantage SaaS.

Pick where you want to start

1. The problem: many Guardians, no single view; why a management layer matters.
2. CMC architecture: federation topology, policy push, alerts and asset roll-up.
3. Air-gap use cases: CNI, defence, sovereign data; why SaaS is ruled out.
4. CMC vs Vantage: decision framework for choosing on-prem vs cloud SaaS.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does CMC itself capture or inspect OT network traffic?

Answered in CMC architecture.

2. When is CMC the right management platform over Vantage?

Answered in Air-gap use cases.

3. What is one operational advantage of CMC over managing Guardians individually?

Answered in CMC architecture.

Most engineers think…

Most people assume that once you have a Guardian sensor at each site, you are done — you just log into each Guardian console when something happens.

That works for one site. For a 12-substation transmission operator or a five-plant manufacturer, it means 12 login sessions, 12 policy updates, 12 Threat Intelligence refreshes and no cross-site picture. The CMC is the management plane that turns a fleet of Guardians into one coherent OT security programme — central policy, one alert queue, a single integration point for your SIEM, and all data staying on-prem for air-gapped or sovereign environments. Getting this right is the difference between a monitoring tool and an enterprise security programme.

① Why you need a management layer above Guardian

A single Guardian sensor is excellent at one thing: passively monitoring one network segment — discovering assets, detecting anomalies, raising alerts. But most OT estates are multi-site. A power transmission operator might have twelve substations; a pharma company might have four manufacturing plants across two states. Each Guardian sees only its own segment.

Without a management layer, an OT security team faces three problems: alert silos (log in to each Guardian separately to see its alerts), policy drift (Threat Intelligence updates and rule changes must be applied site by site, leading to inconsistency), and no cross-site picture (you cannot correlate an anomaly at Plant A with a related event at Plant B). The CMC solves all three by providing an aggregation and management plane above the Guardian fleet — on-prem, air-gapped-capable, no cloud dependency required.

Figure 1 — From isolated sensors to a managed estate
Without the CMC, each Guardian is an island. Adding the CMC turns many sensors into one coherent OT security programme.
Diagram stages: Guardian (site) captures OT traffic; alerts and assets flow up to the CMC; the CMC aggregates them into one unified view; policy is pushed from the CMC to all sensors; SIEM / SOAR connects through a single API out.

Figure 2 — Nozomi deployment hierarchy
The management plane sits above the sensors. Only enriched metadata travels up — raw traffic stays at the Guardian.
Diagram layers: CMC / Vantage (management plane: policy, alerts, inventory, RBAC); Guardian sensors (passive DPI at each site: asset discovery, anomaly detection); OT network (PLCs, RTUs, HMIs, switches: never touched by the sensors).
Quick check · Q1 of 10 · Understand

Without a CMC, what is the main operational problem when you have Guardian sensors at many sites?

Correct: b. Each Guardian only sees its own segment. Without CMC, operators must log in to each one separately, apply updates site by site, and have no consolidated cross-site picture — the classic alert-silo and policy-drift problem.
👉 So far: One Guardian = one site. CMC = all sites in one console. Without a management layer, multi-site OT security means alert silos, policy drift and no cross-site picture.

② CMC architecture — topology, policy push & alert aggregation

The CMC sits at the top of the Nozomi deployment hierarchy. Each Guardian sensor at a remote site connects back to the CMC (over an encrypted WAN link) and streams upward: asset inventory updates, network topology snapshots, alerts, events and risk scores. Crucially, raw traffic stays at the sensor — only enriched metadata travels to the CMC, so even a low-bandwidth WAN link is sufficient.

What CMC manages centrally

Figure 3 — CMC: one console, many Guardians
The CMC is the single management hub. Each spoke is a Guardian site feeding data upward and receiving policy downward.
Diagram: CMC console (policy + alerts) at the hub; Guardian site 1, site 2, site 3 and site 4 as spokes; SIEM / SOAR and Threat Intel attached to the hub.

CMC
Central Management Console — the on-prem aggregation layer above Guardian sensors. Consolidates alerts, assets, policy and integrations for the whole fleet without cloud connectivity.

Guardian sensor
Nozomi's passive OT/IoT network sensor. Captures traffic, discovers assets and detects anomalies — but only sees its own segment. Feeds data up to the CMC.

Vantage SaaS
Cloud-native alternative to CMC. Aggregates Guardians and Arc endpoints from the cloud. Adds Vantage IQ AI analytics. Requires internet connectivity — not suitable for air-gapped estates.

Threat Intelligence
Periodic subscription updates from Nozomi Networks Labs — IOCs, signatures, YARA rules and threat behaviours. Applied once at the CMC and distributed to all Guardians simultaneously.

CMC does not touch traffic

In interviews, be clear: CMC never captures or inspects OT traffic. Only Guardian sensors do. CMC aggregates enriched metadata — alerts, asset data, events — that Guardians send upward. This distinction matters for data-residency architecture questions.

▶ Watch a Threat Intelligence update reach every Guardian

How one CMC operation pushes new detection rules to a 12-site Guardian fleet.

① Nozomi Labs: Nozomi Labs releases a new Threat Intelligence package covering a newly identified OT malware campaign targeting industrial PLCs.
② CMC receives: the CMC administrator applies the TI package to the CMC in one operation, either via internet download or via offline USB transfer for air-gapped estates.
③ Push to fleet: the CMC validates the package and distributes the updated signatures, YARA rules and IOCs to all 12 connected Guardian sensors simultaneously.
④ Guardians updated: each Guardian applies the new rules. Within minutes, all 12 substations are protected against the new campaign, with no per-sensor visits required.
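The four-step flow above, modelled as an added example (not Nozomi's code or API): the CMC checks the package digest once, applies the version to every connected Guardian in one operation, and reports the sites it could not reach so they do not drift silently. The package layout, manifest digest and site names are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed sample: a TI package as the CMC would receive it (online or by
# offline USB transfer) and the digest from its accompanying manifest.
# The layout is invented for this example; it is not Nozomi's package format.
TI_PACKAGE = json.dumps({
    "version": "2026.06.18",
    "iocs": ["ioc-placeholder-1", "ioc-placeholder-2"],
    "yara": ["rule plc_campaign_demo { condition: false }"],
}, sort_keys=True).encode()
MANIFEST_SHA256 = hashlib.sha256(TI_PACKAGE).hexdigest()


@dataclass
class Guardian:
    site: str
    connected: bool = True
    ti_version: str = "2026.05.01"   # the previous baseline every sensor starts on


def validate_package(package: bytes, expected_sha256: str) -> dict:
    """Step 3: the CMC checks integrity before anything is distributed."""
    if hashlib.sha256(package).hexdigest() != expected_sha256:
        raise ValueError("TI package digest mismatch: refusing to distribute")
    return json.loads(package)


def push_to_fleet(fleet: list, package: bytes, expected_sha256: str) -> dict:
    """One CMC operation: validate once, apply to every connected Guardian,
    and list the sites that could not be reached."""
    ti = validate_package(package, expected_sha256)
    updated, unreachable = [], []
    for g in fleet:
        if g.connected:
            g.ti_version = ti["version"]
            updated.append(g.site)
        else:
            unreachable.append(g.site)
    return {"version": ti["version"], "updated": updated, "unreachable": unreachable}


def policy_drift(fleet: list, baseline_version: str) -> list:
    """Sites whose active TI version lags the CMC baseline: the drift that
    per-site updating cannot see, and the first thing to check after a push."""
    return [g.site for g in fleet if g.ti_version != baseline_version]


if __name__ == "__main__":
    fleet = [Guardian(f"substation-{i:02d}") for i in range(1, 13)]
    fleet[6].connected = False        # one substation's WAN link is down during the push
    result = push_to_fleet(fleet, TI_PACKAGE, MANIFEST_SHA256)
    print(result)
    print("drift after push:", policy_drift(fleet, result["version"]))
```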
Quick check · Q2 of 10 · Remember

What travels from Guardian sensors up to the CMC over the WAN link?

Correct: a. Raw traffic stays at the Guardian. Only enriched metadata (alerts, asset inventory, network topology, events, risk scores) flows to the CMC. This keeps WAN bandwidth requirements low and data-residency controls intact.
👉 So far: CMC pushes policy down to Guardians and pulls alerts, assets and events upward. Only enriched metadata travels — raw traffic stays at the sensor. One API connects your SIEM, not one per Guardian.

③ Air-gap & sovereignty — why the CMC exists for regulated estates

For many OT operators, the SaaS option is not available — not because of cost or convenience, but because of regulation or architecture. Critical national infrastructure (power grids, water treatment, rail, pipelines, defence sites) in India and globally operates under data-sovereignty and classification requirements that prohibit operational telemetry leaving a controlled perimeter. An air-gapped network has, by definition, no internet path.

The CMC is purpose-built for these environments. It runs entirely within the customer's controlled network — in an operations-centre DMZ, a secure data centre, or even on-site at a control room. The Guardian sensors at remote substations or plants connect to the CMC over the organisation's own private WAN (MPLS, leased line, even satellite) — not the internet. Threat Intelligence updates are received by the CMC via offline transfer (USB, controlled update server) if the network is fully air-gapped. The result: enterprise-grade multi-site OT security visibility with zero cloud dependency.

Figure 4 — Threat Intelligence update — CMC fleet distribution
One update at the CMC propagates to every Guardian. In fully air-gapped estates the update arrives by offline transfer.
Diagram stages: Nozomi Labs (new TI package); CMC receives (online or offline); CMC validates (checks integrity); push to fleet (all Guardians); sensors updated (new rules active).
Confusing air-gap with disconnected Guardians

An air-gapped estate does not mean Guardians cannot reach the CMC. They connect over the organisation's own private WAN (MPLS, leased line), not the internet. The CMC sits inside the same controlled perimeter. Air-gap means no internet path — not no internal network.

Quick check · Q3 of 10 · Apply

A national power grid operator's security policy says OT telemetry must never reach the internet. Which Nozomi management platform should they use?

Correct: d. Vantage is cloud SaaS and would route telemetry to the internet — ruled out by the policy. CMC runs entirely within the customer's network, satisfies air-gap and sovereignty requirements, and still provides multi-site aggregation.
👉 So far: CMC is purpose-built for air-gapped and sovereign mandates. All data stays on-prem; Guardians connect via private WAN; Threat Intelligence arrives by offline transfer if fully air-gapped.

④ CMC vs Vantage — choosing the right management plane

Vantage is Nozomi's cloud-native SaaS platform that does the same job as CMC — aggregating Guardians and Arc endpoints — but delivers it from the cloud. The choice is not about features; it is about data residency and connectivity. If data may reach the internet: choose Vantage and gain Vantage IQ AI-assisted triage, automated scaling and no infra to manage. If data must stay on-prem: choose CMC.

Three practical decision questions:
1. Can telemetry leave the perimeter? If no, CMC.
2. Do you have the infra team to run and patch an on-prem VM? If no, Vantage removes that overhead.
3. Do you need AI-accelerated triage and correlation? Vantage IQ is the add-on — CMC does not have a native AI layer.
For large regulated estates (utilities, defence, government), CMC is the standard choice; for commercial industrial companies that are cloud-forward, Vantage scales faster with less overhead.

Figure 5 — CMC vs Vantage — the management plane choice
Both aggregate Guardians into one view. The decision turns entirely on data residency, connectivity and AI analytics needs.
CMC (on-prem): runs in your data centre or ops; air-gapped and sovereign-data; you own infra, patching and sizing; no internet path required; REST API for SIEM / SOAR.
Vantage (SaaS): cloud-native, Nozomi-managed infra; requires internet connectivity; Vantage IQ AI-assisted triage; scales without customer effort; same REST API surface.

Deepika Nair at IndraGrid Power Transmission Ltd. in Nagpur faces this

Guardian sensors at 12 substations across three states each raise alerts independently. The NOC logs in to 12 different Guardian consoles, and every Threat Intelligence update has to be applied 12 times. A suspected coordinated lateral-movement event across three sites goes undetected for hours because no one was correlating across consoles.

Likely cause

No CMC — each Guardian is managed in isolation, creating alert silos, policy drift and no cross-site correlation.

Diagnosis

CMC is missing from the architecture. There is no aggregation layer, no unified alert queue and no fleet-wide policy or Threat Intelligence distribution mechanism.

Fix

Deploy a CMC VM in IndraGrid's secure operations-centre DMZ. Onboard all 12 Guardians via encrypted WAN links. Push the current policy baseline and the latest Threat Intelligence update from the CMC to all sensors at once. Configure RBAC — NOC analysts see all 12 sites; substation engineers see only their site.

Verify

Log into the CMC once — all 12-site alerts appear in a single queue. Run a cross-site CVE risk report spanning all substations. Confirm a new Threat Intelligence update propagates to all 12 Guardians within minutes from a single CMC operation.
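The two things the IndraGrid fix relies on, a unified alert queue with RBAC scoping and cross-site correlation, as an added example (not Nozomi's code or API). The alert records, site names, roles and addresses are constructed; the correlation rule (one source seen at two or more sites within a time window) is a simple illustration of what a single Guardian console cannot compute.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: enriched alert metadata as three Guardians would send it
# up to the CMC (no packets). Timestamps, sites and addresses are made up.
ALERTS = [
    {"site": "substation-03", "ts": "2026-06-18T02:10:00", "src": "10.40.3.21", "type": "new-smb-session"},
    {"site": "substation-03", "ts": "2026-06-18T02:12:00", "src": "10.40.3.21", "type": "credential-reuse"},
    {"site": "substation-07", "ts": "2026-06-18T02:31:00", "src": "10.40.3.21", "type": "new-smb-session"},
    {"site": "substation-11", "ts": "2026-06-18T02:55:00", "src": "10.40.3.21", "type": "new-smb-session"},
    {"site": "substation-05", "ts": "2026-06-18T09:00:00", "src": "10.40.5.9",  "type": "firmware-change"},
]

# Hypothetical role scopes: None means every CMC-connected site.
ROLES = {
    "noc-analyst": None,
    "substation-05-engineer": {"substation-05"},
}


def visible_alerts(alerts, role):
    """RBAC at the CMC: the global role sees the whole queue,
    a site role sees only alerts raised at its own site."""
    scope = ROLES[role]
    return [a for a in alerts if scope is None or a["site"] in scope]


def cross_site_activity(alerts, window=timedelta(hours=2), min_sites=2):
    """Group the unified queue by source address and flag any source seen at
    min_sites or more distinct sites inside one time window. Each Guardian
    alone sees one segment, so this only becomes possible above the sensors."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append((datetime.fromisoformat(a["ts"]), a["site"]))
    findings = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            sites = {site for t, site in events[i:] if t - t0 <= window}
            if len(sites) >= min_sites:
                findings.append({"src": src, "sites": sorted(sites), "first_seen": t0.isoformat()})
                break   # one finding per source is enough for the queue
    return findings


if __name__ == "__main__":
    print("NOC queue size:", len(visible_alerts(ALERTS, "noc-analyst")))
    print("site-05 engineer sees:", visible_alerts(ALERTS, "substation-05-engineer"))
    print("cross-site findings:", cross_site_activity(ALERTS))
```

The scoped site-engineer view yields no cross-site finding at all, which is exactly the blind spot the scenario describes before the CMC was deployed.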

Test the CMC choice against three questions

Before recommending CMC or Vantage in an exam or on the job, answer three: (1) Can telemetry leave the perimeter? If no, CMC. (2) Does the team have infra capacity to run and patch an on-prem VM? If no, Vantage. (3) Is AI-assisted triage (Vantage IQ) a requirement? If yes, Vantage. All three point to CMC for regulated CNI; all three point to Vantage for cloud-forward commercial operators.

Quick check · Q4 of 10 · Analyze

A manufacturing company with 8 plants wants AI-assisted triage and is happy for telemetry to go to the cloud. What is the best management platform choice and why?

Correct: c. Cloud-forward companies without data-sovereignty constraints benefit from Vantage: Nozomi manages the infra, Vantage IQ provides AI-accelerated correlation and triage, and scaling is automatic. CMC would require the customer to size, run and patch on-prem appliances.
👉 So far: CMC vs Vantage: if data must stay on-prem, choose CMC. If cloud is acceptable and you want AI triage (Vantage IQ) without managing infra, choose Vantage.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six are left. 70% (7 of 10) marks the lesson complete.

Q5 · Remember

What is the primary role of the Nozomi CMC?

Correct: b. CMC is the management aggregation layer. It consolidates assets, alerts, policy and integrations from all connected Guardian sensors. It does not capture traffic — only Guardian does that.
Q6 · Understand

Why does low WAN bandwidth between remote sites and the CMC not cause a major problem?

Correct: d. Raw OT traffic never leaves the Guardian. The CMC only receives enriched metadata — already processed alerts, asset records and events — which is far smaller than raw packet streams, making low-bandwidth WAN links viable.
Q7 · Apply

Deepika needs to update Threat Intelligence signatures on 20 Guardian sensors deployed across 20 remote substations. What is the most efficient approach with a CMC?

Correct: a. CMC's fleet management capability means one TI update at the CMC is validated and pushed simultaneously to all connected Guardians. This eliminates the 20-sensor manual update burden and ensures consistency.
Q8 · Analyze

An air-gapped power-grid operator wants multi-site OT security visibility. Which combination is architecturally correct?

Correct: c. Vantage requires internet connectivity and is ruled out. CMC runs on-prem within the controlled perimeter. Guardians at each substation connect to the CMC over the organisation's private WAN — no internet path at any point.
Q9 · Evaluate

A commercial manufacturer with 5 plants wants AI-assisted alert triage and their security team has no capacity to run on-prem management infra. Which platform fits best?

Correct: b. Vantage removes infra management overhead (Nozomi runs it), scales automatically and includes Vantage IQ for AI-assisted triage. CMC would require the manufacturer to size, run and patch on-prem appliances — not viable given their team capacity.
Q10 · Evaluate

What is the strongest reason to choose CMC over Vantage for a government defence site?

Correct: d. Defence sites operate under classification rules that prohibit operational telemetry reaching any external cloud. CMC is purely on-prem — data never leaves the controlled perimeter. This data-residency guarantee is the decisive architectural reason to choose CMC.

🧠 In your own words

Type one line: what is the single most important architectural difference between CMC and Vantage? Then compare with the expert version.

Expert version: CMC runs on-prem within the customer's controlled network — no telemetry ever reaches the cloud, making it the only option for air-gapped or sovereign-data environments. Vantage is cloud SaaS managed by Nozomi — it requires internet connectivity but removes infra overhead and adds Vantage IQ AI analytics. Both aggregate Guardian sensors into one management interface; the choice is purely about where data is allowed to go and whether the customer has capacity to run their own management infra.


📖 Glossary

CMC (Central Management Console)
Nozomi's on-prem or virtual aggregation appliance that federates many Guardian sensors into a single management interface — consolidating alerts, asset inventory, policy and integrations without cloud connectivity.
Guardian
Nozomi's core passive OT/IoT network sensor — deploys as appliance, VM or container; captures traffic, discovers assets and detects anomalies at a single site; feeds data upward to CMC or Vantage.
Vantage
Nozomi's cloud-native SaaS management platform — the cloud alternative to CMC. Aggregates Guardian and Arc data, requires internet connectivity, and offers Vantage IQ AI analytics.
Vantage IQ
AI and analytics add-on for the Vantage SaaS platform that accelerates alert triage, correlation and root-cause analysis — not available natively on CMC.
Threat Intelligence feed
Periodic subscription updates from Nozomi Networks Labs delivering IOCs, signatures, YARA rules and behavioural threat data to Guardian sensors via CMC or Vantage.
Asset Intelligence feed
Curated device profiles and behavioural baselines from Nozomi Labs that improve Guardian asset classification accuracy and reduce false positives.
Air-gapped network
An isolated OT/IT network with no internet connection; all data must stay within a controlled physical and logical perimeter. Mandates on-prem management solutions like CMC.
RBAC (Role-Based Access Control)
Access model where users are granted permissions by role — e.g. a global SOC analyst sees all CMC-connected sites; a local OT engineer sees only their own plant.


What's next?

Understood CMC? Next, go deep on Nozomi Arc — the lightweight endpoint sensor that fills the passive blind spots CMC and Guardian can't see, adding host context (users, processes, USB) without network changes.