
Nozomi Guardian — Passive DPI, Asset Discovery & OT Threat Detection

Nozomi Guardian is the core OT/ICS sensor: it listens passively on a SPAN or TAP, runs deep packet inspection across hundreds of industrial protocols, automatically builds a live asset inventory and network map, and detects threats with a hybrid engine that combines behaviour baselines, signatures and threat intelligence — all with zero impact on fragile PLCs and RTUs. This lesson maps every capability and shows how Guardian fits into the broader Nozomi platform.

📅 2026-06-18 · ⏱ 17 min · 5 figures · 10-question assessment

⚡ Quick Answer

A hands-on guide to Nozomi Guardian (2026): passive DPI, automatic OT asset discovery, network visualisation, hybrid anomaly and threat detection, vulnerability assessment, and all deployment forms — appliance, VM, container, and Guardian Air wireless sensor.

🎯 Lesson path

1. What Guardian is — passive sensor, deployment forms, Guardian Air.
2. DPI & discovery — protocol depth, asset inventory, network map.
3. Detection & vuln — hybrid engine, CVE matching, Time Machine.
4. Deploy & integrate — SPAN/TAP placement, Vantage/CMC, SIEM.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does Guardian send any packets into your OT network during monitoring?

Answered in What Guardian is.

2. How does Guardian build its asset inventory?

Answered in DPI & discovery.

3. What does Guardian Air add that a wired Guardian sensor cannot cover?

Answered in What Guardian is.

Most engineers think…

Most people assume OT monitoring means either a loud active scan that risks tripping a PLC, or a basic NetFlow collector that only sees IP addresses. Neither is true of Nozomi Guardian.

Guardian is a passive deep-packet-inspection sensor: it reads a copy of the wire, decodes hundreds of industrial protocols down to register-level commands, and automatically builds a rich asset inventory and live network map, all without injecting a single packet. Its hybrid detection engine combines a learned behaviour baseline, a signature engine, and continuous threat-intelligence updates from Nozomi Labs, so it catches both known malware and novel behaviour for which no signature exists yet. Understanding exactly what the sensor does, and what it doesn't, is what lets you place it correctly, justify it to OT operations teams, and answer the interview question confidently.

① What Nozomi Guardian is — the passive OT sensor

Guardian is Nozomi's core network sensor: it connects to a SPAN/mirror port or a TAP at an aggregation switch and listens to a copy of OT/ICS traffic. Because it only reads a copy, it is genuinely passive — it cannot cause a PLC fault, disrupt a control loop, or affect real-time operations. This is the non-negotiable starting point for OT security: any tool that injects traffic risks tripping fragile devices on the production floor.

Guardian deploys in three forms to fit any site. A physical appliance slots into a rack next to the aggregation switch and handles high-throughput industrial environments. A virtual machine (VM) runs on a site's existing hypervisor when dedicated hardware is not available. A container offers a lightweight deployment path for more modern or flexible environments. All three forms deliver the same DPI, discovery and detection capabilities.

Guardian Air is the wireless variant. Where wired sensors miss Wi-Fi-connected HMIs, Bluetooth sensors, handheld barcode scanners and cellular-attached field devices, Guardian Air captures that spectrum — Wi-Fi, Bluetooth, cellular and drone-band — and feeds the same asset inventory and detection pipeline as a wired Guardian.

Figure 1 — Guardian sensor pipeline — from wire to alert
Every packet Guardian sees passes through the same five-step pipeline regardless of deployment form: Tap/SPAN (copy of OT traffic) → Passive DPI (protocol decode) → Asset inventory (enrich & map) → Hybrid detection (baseline + signatures + TI) → Alert/report (to Vantage/CMC).

Figure 2 — Wired Guardian vs Guardian Air
Wired Guardian: SPAN/TAP on an aggregation switch; covers wired OT/ICS protocols; appliance, VM or container; best for Level 2/3 aggregation. Guardian Air: dedicated wireless sensor hardware; captures Wi-Fi, Bluetooth, cellular and drone-band RF; covers wireless OT/IoT devices; best for wireless HMIs and other devices a SPAN tap cannot reach. Guardian Air extends the same passive-sensor capabilities to wireless OT/IoT spectrum.
Quick check · Q1 of 10 · Understand

Q: Why is Guardian described as 'passive'?

A: Guardian listens on a copy of traffic via SPAN or TAP and never transmits packets into the OT network, so it cannot disturb PLCs, RTUs or control loops.

👉 So far: Guardian = passive OT sensor (SPAN/TAP, no injected packets). Three deployment forms: physical appliance, VM, container. Guardian Air adds wireless coverage (Wi-Fi/Bluetooth/cellular).

② Inside Guardian — deep packet inspection & asset discovery

Guardian's DPI engine decodes hundreds of OT/ICS and IT protocols down to the field level: Modbus, DNP3, Profinet, EtherNet/IP (CIP), Siemens S7/S7+, OPC DA/UA, IEC 60870-5-104, IEC 61850 (MMS/GOOSE), BACnet and many more. This is far richer than an IP-layer NetFlow: Guardian can see that a specific master station issued a specific Modbus function-code 16 (write multiple registers) to a specific slave address — the kind of field-level context that matters for OT incident investigation.

Automatic asset inventory

Every device that appears in the traffic gets added to the asset inventory automatically. For each asset Guardian captures: IP address, MAC address, vendor, model, firmware version, operating system, open ports, protocols in use, and Purdue level. This passive inventory routinely surfaces rogue or unmanaged devices that the IT CMDB never knew existed. The result feeds an interactive network map: nodes are assets, edges represent observed communication paths. Operators can filter by Purdue level, zone or site; unexpected cross-zone edges stand out immediately. An optional Smart Polling add-on can send selective active queries (e.g. querying a PLC for its exact firmware build) to enrich the passive data where needed.
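To make the "field-level context" concrete, here is an added example (my code, not Nozomi's, and not how Guardian is implemented internally): a minimal passive decoder for Modbus/TCP that pulls out exactly what the paragraph above describes for function code 16, which master wrote which registers on which unit, and then derives a small inventory (roles, peers, units, functions issued) from the same frames without sending anything. The two frames, the IP addresses and the role labels are constructed for the demo.

```python
"""Added example (not Nozomi's code): a minimal passive Modbus/TCP decoder.

It shows the field-level context the lesson attributes to DPI (which master
wrote which registers on which unit) and how a passive inventory falls out of
the same frames. Frames, addresses and names below are constructed for the demo.
"""
import struct
from collections import defaultdict

FUNCTION_NAMES = {
    1: "Read Coils", 3: "Read Holding Registers", 5: "Write Single Coil",
    6: "Write Single Register", 15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def decode_modbus_tcp(payload: bytes) -> dict:
    """Decode one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header + function code")
    tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError(f"not Modbus: protocol id {proto_id}")
    if length != len(payload) - 6:          # MBAP length counts unit id + PDU
        raise ValueError("MBAP length does not match frame")
    fc = payload[7]
    rec = {"tid": tid, "unit": unit, "function": fc,
           "name": FUNCTION_NAMES.get(fc, f"fc{fc}"), "is_write": fc in WRITE_FUNCTIONS}
    if fc == 16:                            # Write Multiple Registers
        if len(payload) < 13:
            raise ValueError("truncated FC16 request")
        start, qty, byte_count = struct.unpack(">HHB", payload[8:13])
        if byte_count != 2 * qty or len(payload) != 13 + byte_count:
            raise ValueError("register count / byte count mismatch")
        rec.update(start=start, quantity=qty,
                   values=list(struct.unpack(f">{qty}H", payload[13:])))
    elif fc in (1, 3) and len(payload) >= 12:   # read requests carry start + count
        start, qty = struct.unpack(">HH", payload[8:12])
        rec.update(start=start, quantity=qty)
    return rec


def build_inventory(packets):
    """packets: iterable of (src_ip, dst_ip, modbus_payload) seen on the SPAN copy.

    Returns {ip: {...}}: the kind of inventory a passive sensor derives with no
    scanning, i.e. roles, peers, unit ids addressed and functions issued.
    """
    assets = defaultdict(lambda: {"roles": set(), "peers": set(),
                                  "units": set(), "functions": set()})
    for src, dst, payload in packets:
        rec = decode_modbus_tcp(payload)
        assets[src]["roles"].add("modbus-client")   # issues requests: master side
        assets[dst]["roles"].add("modbus-server")   # answers them: PLC/RTU side
        assets[src]["peers"].add(dst)
        assets[dst]["peers"].add(src)
        assets[dst]["units"].add(rec["unit"])
        assets[src]["functions"].add(rec["name"])
    return dict(assets)


def write_events(packets):
    """One readable line per write request, the events an OT investigator cares about."""
    lines = []
    for src, dst, payload in packets:
        rec = decode_modbus_tcp(payload)
        if rec["is_write"]:
            lines.append(f"{src} -> {dst} unit {rec['unit']}: {rec['name']} "
                         f"start={rec.get('start')} qty={rec.get('quantity')} "
                         f"values={rec.get('values')}")
    return lines


# Constructed sample traffic (not a real capture): one SCADA master (10.1.2.10)
# polling holding registers on a PLC (10.1.1.5), then writing two registers at 100.
READ_HOLDING = bytes.fromhex("0002 0000 0006 01 03 0000 000a")
WRITE_MULTI = bytes.fromhex("0001 0000 000b 01 10 0064 0002 04 1234 0007")
SAMPLE_PACKETS = [
    ("10.1.2.10", "10.1.1.5", READ_HOLDING),
    ("10.1.2.10", "10.1.1.5", WRITE_MULTI),
]

if __name__ == "__main__":
    for line in write_events(SAMPLE_PACKETS):
        print(line)
    for ip, info in build_inventory(SAMPLE_PACKETS).items():
        print(ip, {k: sorted(v) for k, v in info.items()})
```

The decoder validates the MBAP length and the FC16 byte count before trusting anything, which is the same discipline a production DPI engine needs: a truncated or malformed frame on the SPAN copy must raise, not produce a plausible-looking but wrong register list. Vendor, model and firmware fields come from identification exchanges (Modbus FC43 Read Device Identification, S7 and Profinet DCP identify replies), not from plain read/write requests, so a sensor only sees them when those exchanges happen on the wire.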

Figure 3 — What DPI surfaces per asset
Passive DPI extracts far more than an IP address; it reveals the full operational identity of every OT device. Identity: IP, MAC, vendor, model, firmware, OS. Comms profile: protocols, ports, Purdue level, peers. Behaviour: command types, polling rates, baselines.

Key terms

📡 Passive DPI — Guardian reads a copy of traffic from a SPAN or TAP, decodes OT/ICS protocols to field level, and never injects packets, so there is no risk to PLCs and RTUs.

🗺️ Network map — An interactive graph of assets (nodes) and observed communications (edges), auto-built from passive DPI. Cross-zone edges stand out immediately.

📶 Guardian Air — The wireless sensor variant that captures Wi-Fi, Bluetooth, cellular and drone spectrum to cover wireless OT/IoT devices a wired SPAN cannot reach.

⏮️ Time Machine — Periodic snapshots of full network and asset state that let you replay the network topology at any past point, essential for forensic root-cause analysis.

Lead with 'passive DPI'

In interviews, the phrase to open with is 'Guardian uses passive DPI on a SPAN or TAP — it never injects packets.' That immediately shows you understand why OT teams accept it: no risk to PLCs. Follow up with the automatic asset inventory to show you know the value beyond just 'monitoring'.

Quick check · Q2 of 10 · Remember

Q: Which capability lets Guardian discover firmware versions and Purdue levels without any scanning?

A: Passive DPI decodes protocol traffic already flowing between OT devices. Device identity, firmware, protocols and Purdue level all surface from that existing traffic with no active queries needed.

👉 So far: Passive DPI decodes hundreds of OT/ICS protocols to field level, auto-building an asset inventory (IP/MAC/vendor/firmware/Purdue level) and an interactive network map, all without scanning.

③ Hybrid detection & vulnerability assessment

Guardian's detection is hybrid — three complementary layers working together. The first layer is behaviour/anomaly-based: Guardian runs a self-learning phase to build a baseline of normal OT communications. After the baseline is established, deviations (a new connection between two devices that have never talked, a command type not seen before, an abnormal polling rate) raise anomaly alerts. This layer catches zero-day threats and operational anomalies that have no signature. The second layer is signature and rules-based: known attack patterns, malware indicators and policy violations are matched against a rules library. The third layer is threat intelligence from Nozomi Networks Labs: IOC subscriptions, YARA rules and packet-level rules are continuously updated and pushed to Guardian, ensuring it recognises the latest known threats without a manual update cycle.

Vulnerability assessment and Time Machine

Guardian cross-references each asset's discovered firmware and software version against CVE databases, producing a prioritised vulnerability list with risk scores. Because OT devices often cannot be patched quickly, Guardian highlights compensating controls alongside CVE findings. The Time Machine feature takes periodic snapshots of the full network and asset state — so after an incident you can replay 'what did the network look like at 02:45?' to reconstruct the attack path and support forensics.

Figure 4 — Guardian's hybrid detection layers
Three detection layers (anomaly baseline, signature rules, threat intelligence) feed a single alert pipeline, covering both known threats and novel anomalies; CVE matching and Time Machine sit alongside the detection engine.
'Signatures only' under-sells it

Guardian is not a signature-only IDS. Its hybrid engine pairs a self-learned behaviour baseline (for zero-day anomalies) with a signature/rules engine (for known threats) and continuous Nozomi Labs threat intelligence. If you answer 'it uses signatures' in an interview, you've missed two-thirds of the detection model.

▶ Worked trace — Guardian catching a rogue S7 command

How a single suspicious Siemens S7 write is detected and raised as an alert, step by step.

① Wire capture — Guardian's SPAN port receives a copy of all traffic on the Level 2 aggregation switch, including a new S7 packet from an engineering workstation.
② DPI decode — The DPI engine decodes the S7 packet: function = write, target = PLC register block, source = workstation IP. This source-to-target pair has never been seen before.
③ Anomaly match — The behaviour baseline flags 'new lateral communication path'. A signature rule also matches a known lateral-movement pattern for S7. Both layers fire.
④ Alert + asset context — Guardian raises an alert with full asset context: workstation identity, PLC details, Purdue level, the exact S7 command, and a severity score. The alert flows to Vantage/CMC and the SIEM.
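The three-layer model in section ③ and the S7 trace above are easiest to understand when you can see the layers fire independently on the same flow. The following is an added example written for this lesson, not Nozomi's code and not a description of Guardian's actual rule format: a toy baseline that learns (source, destination) paths and the commands seen on each, a constructed signature rule, and a constructed IOC list, run over made-up flows that include the rogue S7 write from the trace. All addresses, rule ids and command names are hypothetical.

```python
"""Added example (not Nozomi's code): a toy version of the three-layer model.

Layer 1 learns a baseline of (src, dst) paths and the commands seen on each,
then flags novelty. Layer 2 matches constructed signature rules. Layer 3
matches a constructed IOC list. The addresses, rule ids and flows are made up.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    command: str


class Baseline:
    """Layer 1: self-learned behaviour baseline."""

    def __init__(self):
        self.paths = set()                      # (src, dst) pairs seen while learning
        self.commands = defaultdict(set)        # (src, dst) -> {(proto, command)}

    def learn(self, flows):
        for f in flows:
            self.paths.add((f.src, f.dst))
            self.commands[(f.src, f.dst)].add((f.proto, f.command))

    def check(self, f):
        """Return anomaly descriptions for one flow seen after learning."""
        if (f.src, f.dst) not in self.paths:
            return ["new communication path"]
        if (f.proto, f.command) not in self.commands[(f.src, f.dst)]:
            return ["new command type on known path"]
        return []


# Layer 2: constructed signature/policy rules (hypothetical ids, not Nozomi's).
SIGNATURES = [
    {"id": "DEMO-S7-WRITE-UNAUTHORISED", "proto": "s7comm",
     "commands": {"write_var", "plc_stop"},
     "allowed_sources": {"10.1.3.20"}},          # the approved engineering workstation
]

# Layer 3: constructed threat-intelligence IOC list (documentation-range address).
IOC_IPS = {"198.51.100.7"}


def signature_check(f):
    return [r["id"] for r in SIGNATURES
            if r["proto"] == f.proto and f.command in r["commands"]
            and f.src not in r["allowed_sources"]]


def ti_check(f):
    return [f"IOC match {ip}" for ip in (f.src, f.dst) if ip in IOC_IPS]


def detect(baseline, flows):
    """Run all three layers; return one alert per flow that any layer flags."""
    alerts = []
    for f in flows:
        hits = {"anomaly": baseline.check(f),
                "signature": signature_check(f),
                "ti": ti_check(f)}
        fired = [layer for layer, found in hits.items() if found]
        if fired:
            alerts.append({"flow": f, "layers": fired, "hits": hits,
                           "severity": {1: "medium", 2: "high", 3: "critical"}[len(fired)]})
    return alerts


# Constructed learning traffic: an HMI and the engineering workstation polling a PLC.
PLC, HMI, EWS, ROGUE = "10.1.1.5", "10.1.3.10", "10.1.3.20", "10.1.3.44"
LEARNING = ([Flow(HMI, PLC, "s7comm", "read_var")] * 50
            + [Flow(EWS, PLC, "s7comm", "read_var")] * 5)

# Constructed post-learning traffic.
LIVE = [
    Flow(HMI, PLC, "s7comm", "read_var"),        # normal: no layer fires
    Flow(ROGUE, PLC, "s7comm", "write_var"),     # the lesson's trace: anomaly + signature
    Flow(EWS, PLC, "s7comm", "write_var"),       # approved source, but it never wrote before
    Flow(PLC, "198.51.100.7", "tcp", "connect"), # new path + IOC hit
]


def run_demo():
    baseline = Baseline()
    baseline.learn(LEARNING)
    return detect(baseline, LIVE)


if __name__ == "__main__":
    for a in run_demo():
        print(a["severity"], a["flow"].src, "->", a["flow"].dst, a["layers"], a["hits"])
```

The third live flow is the one worth noticing: the approved workstation writing to the PLC trips no signature and no IOC, yet the anomaly layer still fires because that pair had only ever read. That is the "two-thirds of the detection model" a signature-only answer misses. In a real deployment the severity would also weigh asset context (Purdue level, whether the target is a safety or protection device), not just the count of layers that fired.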
Quick check · Q3 of 10 · Apply

Q: A new command type appears between two devices that have never communicated before. Which Guardian detection layer raises this alert?

A: Novel communication patterns that deviate from the learned baseline are caught by the behaviour/anomaly layer. The signature engine needs a known pattern; the TI feed needs a known IOC; neither fires on a novel path.

👉 So far: Hybrid detection = three layers: behaviour/anomaly baseline (novel behaviour), signature/rules (known patterns), threat intelligence from Nozomi Labs (IOCs/YARA). CVE matching adds vulnerability prioritisation. Time Machine enables forensic replay.

④ Deployment, placement & integration

Guardian sensor placement follows the Purdue model. The highest-value tap points are the Level 2 to Level 3 aggregation switches: a sensor here sees traffic between the field-device layer (Level 1/2) and the site-operations / historian layer (Level 3), capturing the richest mix of OT protocols. Additional sensors at Level 3 to Level 3.5 (the IT/OT DMZ) catch traffic crossing into the corporate network. Each sensor is scoped to the traffic volume and protocol mix at its tap point; physical appliances are chosen for high-throughput segments, VMs for lighter or remote sites.

Guardian data flows up to either Vantage (Nozomi's cloud-native SaaS platform) for multi-site aggregation, AI-driven analytics and a single pane of glass, or to the Central Management Console (CMC) for air-gapped or sovereignty-constrained estates. Guardian integrates with SIEM/SOAR platforms (Splunk, Microsoft Sentinel), ticketing systems (ServiceNow), and next-generation firewalls (Palo Alto, Fortinet) to feed OT alerts into the wider SOC workflow. Alert lifecycle: Guardian raises an alert with asset context, protocol detail and a severity score; the analyst confirms or suppresses it; confirmed alerts can auto-open a ticket or trigger a SOAR playbook.

Figure 5 — Guardian alert to SOC response
A Guardian alert carries asset context and protocol detail all the way to a SIEM ticket or SOAR playbook: Detection (anomaly or signature match) → Alert raised (asset + severity) → Vantage/CMC (triage & confirm) → SIEM/SOAR (Sentinel/Splunk) → Ticket / action (ServiceNow / isolate).

Priya Nair, OT security engineer at PowerGrid South Pvt. Ltd., Chennai, faces this

Guardian raises an alert: 'New lateral communication path — engineering workstation initiating S7 reads to a protection relay it has never queried before.' The OT team says a technician may have been doing maintenance.

Likely cause

An unauthorised session (possibly lateral movement by malware on the workstation) is querying protection relay configuration registers outside any change window.

Diagnosis

Open Guardian's network map, filter by the workstation IP — confirm an S7 session targeting the relay's config registers. Cross-reference the change-management system: no maintenance window is logged for that device pair.

Guardian Network Map ▸ filter by asset ▸ session detail ▸ Time Machine for session history
Fix

Isolate the workstation from the relay VLAN, initiate IR, use Guardian Time Machine to replay the session and extract forensic evidence. Scan the workstation for lateral-movement malware.

Verify

After isolation the alert clears; the network map shows no further unexpected edges from that workstation. Confirm via Time Machine that no further S7 sessions from the workstation to the relay occurred after isolation.

Prove the tap before you trust the inventory

An asset that doesn't appear in Guardian's inventory may simply not be visible from your SPAN port — not necessarily absent from the network. Before concluding a device is 'not there', verify your SPAN is capturing all VLANs on the aggregation switch. A missed VLAN means a blind spot, not an empty segment.
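"Prove the tap" is something you can do mechanically from a short capture on the sensor's monitoring interface. Here is an added example (my code, not a Nozomi feature or command): it reads a classic pcap with no third-party library, counts frames per 802.1Q VLAN id, and reports every VLAN the switch configuration says the SPAN should mirror but which never appeared. The pcap is constructed in memory for the demo; the expected VLAN set and the addresses are assumptions.

```python
"""Added example (not Nozomi's code): check that a SPAN/TAP capture actually
carries every VLAN you expect before trusting an inventory built from it.

span_coverage() reads a classic pcap (Ethernet link type) without third-party
libraries, counts frames per 802.1Q VLAN id (0 = untagged) and reports expected
VLANs that never appeared. The capture below is constructed in memory.
"""
import struct
from collections import Counter

ETH_P_8021Q = 0x8100
ETH_P_8021AD = 0x88A8


def frame_vlan(frame: bytes) -> int:
    """Outer VLAN id of one Ethernet frame, or 0 if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack(">H", frame[12:14])[0]
    if ethertype in (ETH_P_8021Q, ETH_P_8021AD) and len(frame) >= 18:
        tci = struct.unpack(">H", frame[14:16])[0]
        return tci & 0x0FFF                 # low 12 bits of the TCI are the VID
    return 0


def pcap_frames(pcap: bytes):
    """Yield frame bytes from a classic pcap; handles both byte orders."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    link_type = struct.unpack(endian + "I", pcap[20:24])[0]
    if link_type != 1:                      # DLT_EN10MB
        raise ValueError(f"unsupported link type {link_type}")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def span_coverage(pcap: bytes, expected_vlans):
    """Return (frames per VLAN id, expected VLANs that produced zero frames)."""
    counts = Counter(frame_vlan(f) for f in pcap_frames(pcap))
    missing = set(expected_vlans) - set(counts)
    return counts, missing


def _frame(vlan: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed Ethernet frame with an IPv4 ethertype, 802.1Q-tagged when vlan > 0."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan:
        hdr += struct.pack(">HH", ETH_P_8021Q, vlan)
    return hdr + b"\x08\x00" + payload


def _pcap(frames) -> bytes:
    """Serialise constructed frames as a little-endian classic pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


EXPECTED_VLANS = {10, 20, 30}               # assumption: what the SPAN session is configured to mirror
SAMPLE_PCAP = _pcap([_frame(10), _frame(10), _frame(10), _frame(20), _frame(0), _frame(0)])

if __name__ == "__main__":
    counts, missing = span_coverage(SAMPLE_PCAP, EXPECTED_VLANS)
    print("frames per VLAN:", dict(counts))
    print("blind spots:", sorted(missing))
```

On a real sensor you would feed it a few minutes of capture from the monitoring port rather than the constructed sample. Two caveats: a VLAN that does appear is not proof that all of its traffic is mirrored (oversubscribed SPAN sessions drop frames silently), but a VLAN that never appears is a definite blind spot; and if a trunk port shows every frame as VLAN 0, the switch is probably stripping tags on the mirror port, so you lose the ability to tell segments apart even though the bytes are arriving.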

Quick check · Q4 of 10 · Analyze

Q: An OT site is fully air-gapped and cannot use cloud services. Where does Guardian send its data for central management?

A: The CMC is Nozomi's on-premises/virtual aggregation platform designed for air-gapped or sovereignty-constrained estates where cloud-based Vantage is not an option.

👉 So far: Place sensors at Level 2–3 aggregation switches (SPAN/TAP). Air-gapped sites use CMC on-prem; cloud-connected sites use Vantage SaaS. Integrate with Splunk, Sentinel and ServiceNow for the SOC-to-OT workflow.


📝 Wrap-up assessment — six more

Q5 · Remember

Q: Guardian connects to the OT network via which method?

A: Guardian uses a SPAN/mirror port or a TAP to receive a copy of traffic. This is how it remains passive and avoids injecting any packets into the OT network.

Q6 · Understand

Q: Guardian Air extends Guardian's coverage to which type of traffic?

A: Guardian Air is the wireless sensor variant. It captures Wi-Fi, Bluetooth, cellular and drone spectrum to cover wireless HMIs, handheld scanners and other wireless OT/IoT devices a wired SPAN cannot see.

Q7 · Apply

Q: An analyst needs to find out which devices on an OT network are running firmware with a known CVE. Which Guardian capability addresses this directly?

A: Guardian's vulnerability assessment cross-references every discovered asset's firmware and software version against CVE databases, producing a prioritised list with risk scores.

Q8 · Analyze

Q: A Guardian alert fires for a device that communicates with a PLC it has never talked to before, but there is no matching signature. Which detection layer raised the alert?

A: The behaviour/anomaly baseline catches deviations from normal communications, including new device pairs. Signature and TI engines require a known pattern or IOC; the anomaly layer fires on novelty alone.

Q9 · Evaluate

Q: A new OT site is fully air-gapped with no internet access. Which management platform should receive Guardian's data?

A: The CMC is Nozomi's on-premises aggregation platform for air-gapped or sovereignty-constrained estates. Vantage is cloud-native and requires internet connectivity.

Q10 · Evaluate

Q: Why is Guardian's hybrid detection model stronger than a signature-only approach for OT security?

A: Signature-only detection misses novel threats because no signature exists yet. The behaviour baseline catches deviations from the learned baseline; the TI layer covers newly published known threats. Together they provide coverage no single method can match.

🧠 In your own words

Prompt: why can Guardian inventory OT assets without scanning them?

Expert version: Because Guardian decodes the OT/ICS protocol traffic already flowing between devices on the SPAN copy. Identification exchanges that devices perform anyway (Modbus Read Device Identification replies, S7 identification reads, Profinet DCP identify responses) carry vendor, model and firmware in their normal fields, and every request/response pair reveals roles, peers and protocols. Guardian extracts that information from the copy it receives without ever sending a packet. Scanning is unnecessary and risky; passive protocol decoding is sufficient and safe, with the caveat that an identifier only appears once the corresponding exchange has crossed the tap.


📖 Glossary

Guardian
Nozomi's core passive OT/ICS network sensor — DPI, asset discovery, anomaly + threat detection and vulnerability assessment.
Passive DPI
Deep packet inspection performed on a traffic copy from a SPAN port or TAP, with no packets injected into the OT network.
Guardian Air
Nozomi's wireless sensor variant that captures Wi-Fi, Bluetooth, cellular and drone spectrum for wireless OT/IoT device coverage.
Smart Polling
An optional Guardian add-on that sends selective active queries to specific devices to enrich passive asset data where needed.
Hybrid detection
Nozomi's three-layer detection model: behaviour/anomaly baseline, signature/rules engine, and Nozomi Labs threat intelligence — working together.
Time Machine
Guardian snapshots of full network and asset state at regular intervals, enabling forensic replay of topology at any past point.
Vantage
Nozomi's cloud-native SaaS management platform that aggregates Guardian sensors across many sites into a single pane of glass.
CMC (Central Management Console)
Nozomi's on-premises virtual aggregation platform for air-gapped or sovereignty-constrained multi-site estates — the on-prem alternative to Vantage.


What's next?

Got Guardian? Next, explore Nozomi Vantage — the cloud-native SaaS platform that aggregates many Guardian sensors into one single pane of glass with Vantage IQ AI analytics.