Security for the
Physical World.
Everyone watches the network. Vardar measures the physics - and catches the attack that looks perfectly normal on the wire.
Edge-native, passive, and explainable. Full OT visibility in under 24 hours - and your raw data never leaves the site.
From plug-in to full visibility
Read-only. Never touches the process.
Raw data never leaves the site
Stop chasing anomalies. Start measuring physics.
Stuxnet, the Ukraine grid, Triton, Oldsmar - every attack used a valid command and looked like normal traffic. What gave them away was physics. Watch it caught, attack by attack.
Full technical walkthrough
5 minA guided tour of the live attack gallery - real SWaT / WaDi attacks caught, with the physics and the SHAP explanation behind each one.
portal.vardar.ai/gallery/attacksWe See Where Everyone Else
Goes Blind
The attack that matters uses a legitimate command and looks like normal traffic. Signature- and network-only tools miss it, bury you in noise, and ship your data to their cloud to do even that. The attack surface has moved - the incumbents have not.
Blind to the Physics
Network-only tools match signatures and curated asset databases. A valid-looking command that quietly drives the physical process out of spec looks perfectly normal on the wire - so the incumbents never see it.
AUC for network-only detection - vs 0.83 physics-informed
Drowning in Alerts
Legacy monitors emit thousands of raw anomalies with no context and no fix. Analysts burn out, real signals get lost, and "alert fatigue" becomes the actual security posture.
Raw anomalies with no explanation and no next step
Your Data Leaves the Site
Cloud-first platforms ship your OT telemetry off to their cloud to detect anything at all. For regulated and air-gapped operators, sending process data off-site is a non-starter.
Where cloud-first tools send your OT telemetry
Vardar was engineered against all three. Physics-aware. Explainable. Edge-native.
One Appliance.
Three Things That Matter.
Physics-informed detection. Passive by design. Sovereign by architecture. All on a ruggedized edge appliance - no cloud required.
Physics-Informed Detection
A stealthy attacker can send a valid-looking command that quietly breaks the physical process - the packets look normal, so network-only tools miss it. Vardar models the physics itself, flags the deviation, and explains why.
- Catches the valid command that breaks the process
- Behavioral + process-physics, beyond signatures
- Every alert explained: SHAP + MITRE ATT&CK for ICS
- Benchmark-validated on public ICS datasets
Passive & Self-Running
Vardar listens on a read-only SPAN/mirror port and never injects a packet - zero production risk. It auto-discovers every device and baselines on its own. No tuning, no per-vertical setup, no SOC team required.
- Read-only SPAN - never touches the process
- Automatic discovery & behavioral baselining
- No tuning, no per-vertical retuning
- Plain-English alerts - no alert fatigue
Edge-Native & Sovereign
All detection runs on-site on a ruggedized edge appliance - air-gap capable, no cloud round-trip in the detection path. Your raw traffic never leaves the facility; only anonymized patterns and scores ever do.
- On-device detection - air-gap capable
- Raw traffic, IPs & hostnames never leave site
- HMAC-anonymized at the edge
- Cloud is additive, never required
NPU-Accelerated Edge
Anomaly scoring on an on-device NPU. All inference stays at the edge - no cloud round-trip in the detection path.
The Hive (Opt-In)
Opt-in cross-tenant intelligence over anonymized patterns. A threat pattern seen at one site sharpens detection for all - raw data never leaves.
Audit Shield
A CI test mathematically proves no raw IPs, MACs, or hostnames leave a Sentinel. Privacy by code, not by policy.
Explainable Alerts
Every alert says what changed, why it matters, and what to do - in plain English, mapped to MITRE ATT&CK for ICS.
From Zero to Protected
in Under 24 Hours
No months-long deployments. No dedicated security teams required. Three simple steps to full OT/IoT visibility and protection.
Plug In
10 MinutesWe place a compact cybersecurity edge appliance next to your network switch. It connects to a mirror port - a standard, read-only tap that copies traffic without touching your production network. No agents installed. No configuration changes. No risk.
Learn
24 HoursWithin 24 hours, the Sentinel automatically discovers every device on your network and builds a behavioral profile for each one - what it talks to, when, how much, and using which protocols. The on-device autoencoder produces an anomaly score per device-window; this becomes the behavioral half of Dual-Confirm.
Protect
OngoingWhen any device deviates from its established behavior - unusual traffic, new connections, abnormal timing - you get a plain-English alert explaining exactly what changed and why it matters. No cryptic logs. No alert fatigue. Just clear, actionable intelligence.
Not 10,000 Alerts.
One Sentence.
Other tools bury you in raw anomalies. Vardar tells you exactly what changed, why it matters, and what to do about it - in plain English, mapped to MITRE ATT&CK for ICS.
Every alert ships with the SHAP explanation behind the score and a concrete next step, so your team acts in minutes - not after an afternoon of log triage.
Setpoint write drives flow beyond the safe envelope
Tank overflow risk - the process physics is violated
MITRE ATT&CK for ICS · T0836 Modify Parameter
Isolate engineering workstation WS-12; revert the setpoint
Competitors Hit a Sectoral Ceiling.
We Engineered Past It.
Claroty, Nozomi, Armis, Forescout and Dragos detect by matching against signature and asset databases, curated per vertical - powerful inside their lane, blind outside it, and unable to learn across customers. Vardar models behavior and the physics of the process itself, so detection generalizes across every sector.
Behavior & Physics, Beyond Signatures
Incumbents lean on curated signature and asset databases - so an unknown device or a novel attack with no signature is a blind spot. Vardar adds a behavioral and physics layer on top of fast JA4 fingerprinting: it models how a device behaves and how the physical process should move, catching the deviation - not just waiting for a known fingerprint.
One Brain, Every Sector
Their coverage is only as deep as the asset database for your vertical - it does not transfer. Vardar’s detection generalizes across processes and industries, so the same engine works whether you run water, power, solar, or oil & gas.
The Hive - Defense That Compounds
Each incumbent deployment is an island; knowledge from one customer never improves detection for the next. Vardar’s opt-in cross-tenant Hive shares anonymized behavioral patterns, so every participating site sharpens detection for all - a network effect per-vertical databases structurally cannot replicate. Raw data never leaves the edge.
Built for Critical Infrastructure & Energy
Heavy appliances, professional services, and six-figure price tags put the incumbents out of reach for most regulated operators. Vardar is edge-native and passive, plugs into a SPAN/mirror port in minutes with full visibility in under 24 hours, and is priced for the operators who actually run the grid, the water, and the pipelines.
Vardar measures process physics, not just network anomalies - benchmark-validated on public ICS datasets and explained, attack by attack.
Collective Defense.
Zero Raw Data.
Opt in, and each Sentinel contributes only anonymized patterns to the Vardar Hive. A threat pattern seen at one site becomes a guardrail at every other - without anyone's raw network data ever leaving the edge.
The shared layer is anonymized metadata, never packet content. Device identities are HMAC-anonymized at the edge with a salt that physically cannot leave the Sentinel - and a CI test enforces that invariant on every commit.
"A ransomware pattern caught at a utility in New York becomes a guardrail for a manufacturer in Tokyo - without either side sharing a single byte of raw data."
Cross-Tenant Patterns
An attack pattern observed at a utility in New York can protect a manufacturer in Tokyo - opt-in, and only as an anonymized pattern. Every participating site makes the network sharper.
Continuous Refinement
Anonymized behavioral patterns refine the global model over time. The more sites that opt in, the sharper detection becomes - a network effect signature databases cannot replicate.
Privacy by Construction
Only anonymized patterns and numeric scores ever leave the edge - never raw traffic, never IPs, never hostnames. Enforced by a CI test, not a promise.
Air-Gapped Sites Still Benefit
A site can receive sharpened intelligence without sending anything out, and detection runs fully standalone if the cloud is unreachable. The Hive is an optional layer, never a dependency.
Mathematical Privacy.
Not Policy Privacy.
Most vendors hand you a privacy promise. We hand you a failing build. Every byte that leaves a Vardar Sentinel is governed by 7 inviolable invariants - and a CI test that blocks any regression before it merges.
The Audit Shield
Our CI runs TestAuditShield_EndToEndFingerprintWire on every pull request. It builds a payload from realistic raw IPs, MACs, and hostnames, ships it through the actual production uplink, captures the outbound bytes, and asserts via regex that ZERO raw-identifier patterns survived. A privacy regression breaks the build before merge. This is mathematical privacy, not policy privacy.
What Leaves the Edge - Exactly
JA4 fingerprints (public-by-construction protocol IDs). HMAC-SHA256-anonymized device IDs and hostnames, 16 hex chars, per-tenant salt. Numeric anomaly scores and kill-chain stage events. That is it. No raw IPs. No MACs. No payload bytes. No plant hostnames. No AD account names. Ever.
Salt That Cannot Leave
The per-tenant HMAC salt is generated on the device at provisioning time and stored at /etc/vardar/sentinel/tenant.salt mode 0600. By physical and architectural construction it is NEVER transmitted, NEVER logged, NEVER OTA-synced, NEVER backed up off-device. Salt rotation requires explicit operator re-provision.
Read the Source Yourself
ADR_011 documents the 7 inviolable Zero-Trust Privacy invariants. The Audit Shield test source is available to your CISO under NDA - clone the repo, run go test, reproduce the proof on your laptop in five minutes. We do not ask you to trust us. We give you the code that makes trust unnecessary.
SOC 2 Type II and IEC 62443 alignment underway. The privacy guarantee above stands independent of certifications - it is enforced by the code.
Built for What Regulators
Now Require
New mandates worldwide now require continuous OT monitoring - exactly what Vardar delivers, passively and on the budgets operators already hold. Compliance doesn't have to cost six figures.
NERC CIP-015 (INSM)
Internal Network Security Monitoring for the bulk electric system - continuous monitoring inside the trust zone to catch threats that bypass the perimeter. Exactly what Vardar does, passively.
EPA AWIA
America's Water Infrastructure Act requires community water systems to assess and reduce cyber risk. The majority of utilities still run with no OT monitoring at all.
TSA Pipeline Security Directives
Mandatory cybersecurity measures, network segmentation, and continuous monitoring for TSA-designated pipeline owners and operators.
NIS2 Directive
Mandatory cyber risk management and incident reporting for essential and important entities across energy, water, manufacturing, and more.
IEC 62443
The reference standard for industrial automation and control system security. Vardar maps to its zones-and-conduits model and monitoring requirements.
Israel INCD
National Cyber Directorate regulations requiring OT security for critical infrastructure operators, with growing enforcement and audit requirements.
Start Your Compliance Journey Today
Vardar provides the device inventory, behavioral monitoring, and compliance reporting that regulators require - deployed in hours, not months, at a fraction of enterprise cost.
Free Compliance AssessmentTrained on Your World.
Built for Critical Infrastructure & Energy.
One detection engine that generalizes across processes and industries - because it models the physics, not a per-vertical signature database. Proven on water and power, extending across energy.
Our Beachhead - Proven on Water
Vardar's physics models are validated on public water-treatment datasets (SWaT / WaDi). Most utilities run distributed SCADA with little or no OT-aware monitoring - exactly where attackers like Volt Typhoon look first.
Key Challenges
- Distributed SCADA across pump, treatment & lift stations
- Named in CISA Volt Typhoon advisories (AA24-038A)
- Little or no existing OT monitoring
How Vardar Helps
One Sentinel per plant, passive SPAN install, full visibility in under 24 hours. Catches the valid command that breaks the process - and aligns with EPA AWIA and the CISA Cyber Performance Goals.
Get a free assessment for water & wastewater→Substations, Co-ops & the Bulk Electric System
From regional cooperatives to substation automation, the grid is the most regulated OT footprint there is - and NERC CIP-015 now mandates internal network monitoring inside the trust zone.
Key Challenges
- NERC CIP-015 internal monitoring mandate phasing in
- IEC 61850 / DNP3 increasingly TLS-wrapped
- Geographically dispersed, thinly staffed sites
How Vardar Helps
Passive, edge-native monitoring that satisfies INSM requirements without touching the process. Physics-informed detection flags manipulation that signature tools miss - air-gap friendly, detection survives cloud loss.
Get a free assessment for power & grid→The Fastest-Growing, Least-Defended Footprint
Solar farms, inverters, and distributed energy resources are scaling faster than anyone can secure them. Vardar speaks SunSpec natively and models the physics of generation - not just the packets.
Key Challenges
- SunSpec / Modbus inverter fleets with weak authentication
- Disclosed inverter vulnerabilities (e.g. SUN:DOWN)
- Low-bandwidth, remotely managed sites
How Vardar Helps
One Sentinel per site, OTA-managed and mesh-connected. Native SunSpec identity plus physics-informed detection covers what network-only tools are blind to - fully standalone if the cloud drops.
Get a free assessment for solar pv & distributed energy→Pipelines, Refineries & Remote Field Sites
Pipelines and refineries sit under TSA Security Directives and run the same process-control physics Vardar already models elsewhere - so the same engine extends here, no per-vertical asset database required.
Key Challenges
- TSA pipeline directives mandate monitoring & segmentation
- Dispersed remote field devices and RTUs
- Safety-critical processes - zero tolerance for disruption
How Vardar Helps
Passive, read-only deployment that never touches the process, addressable by the same physics engine that powers our water and power coverage. Pinpoints the anomaly and the fix, mapped to MITRE ATT&CK for ICS.
Get a free assessment for oil & gas→Also supports smart buildings and manufacturing - the same engine adapts to any OT/IoT environment.
Let's Discuss Your NeedsThe Same Physics That Catches an Attacker
Catches a Failing Pump.
The tiny physical deviations that expose an intruder also expose equipment starting to fail. So Vardar can predict operational problems before they cause downtime - security that also protects uptime.
On the roadmap for Vardar customers: turn the same edge intelligence into early warning for the maintenance team, not just the security team.
Predictive Operational Health
From negligible physical changes, surfaced before they become failures:
- A bearing starting to wear
- A valve drifting out of spec
- A pump heading for failure
Pick One Tier Per Site.
Each Includes the One Below.
Priced per sentinel, per year - inclusive tiers, no six-figure contracts. Every engagement starts with a free visibility week.
Visibility
See every device
- Automatic asset discovery & map
- Behavioral baselining per device
- Purdue zoning & device inventory
- Plain-English dashboard
Detection
= Visibility + get warned
- Everything in Visibility, plus:
- Physics-informed detection
- Explained alerts + fix (SHAP, MITRE ATT&CK ICS)
- The Hive - opt-in collective intelligence
- Compliance reporting (NERC, AWIA, NIS2)
Active Defense
= Detection + respond safely
- Everything in Detection, plus:
- Safe, governed response - optional, off by default
- Predictive operational health (coming soon)
- Priority support & SLAs
| Compare tiers | Visibility | Detection | Active Defense |
|---|---|---|---|
| Asset discovery & map | |||
| Physics-informed detection | |||
| Explained alerts + fix | |||
| The Hive (opt-in) | |||
| Safe governed response (optional) | |||
| Predictive operational health | Soon |
Every engagement starts with a free visibility week - passive, no commitment, no data leaves your site.
Start your Free Visibility WeekRequest a
Private Demo
See how VARDAR can transform your network security. Our team will walk you through a personalized demonstration tailored to your industry and use case.
Built by cybersecurity engineers. Passive · edge-native · your raw data never leaves the site.