OT/IoT Cybersecurity · Edge-native

Security for the
Physical World.

Everyone watches the network. Vardar measures the physics - and catches the attack that looks perfectly normal on the wire.

Edge-native, passive, and explainable. Full OT visibility in under 24 hours - and your raw data never leaves the site.

< 24h

From plug-in to full visibility

Passive

Read-only. Never touches the process.

0 exfil

Raw data never leaves the site

See it in action

Stop chasing anomalies. Start measuring physics.

Stuxnet, the Ukraine grid, Triton, Oldsmar - every attack used a valid command and looked like normal traffic. What gave them away was physics. Watch it caught, attack by attack.

Full technical walkthrough

5 min

A guided tour of the live attack gallery - real SWaT / WaDi attacks caught, with the physics and the SHAP explanation behind each one.

portal.vardar.ai/gallery/attacks
Passive · read-only SPANRaw data never leaves the siteBenchmark-validated on public ICS datasetsNERC CIP-015 · AWIA · NIS2 aligned
The Blind Spot

We See Where Everyone Else
Goes Blind

The attack that matters uses a legitimate command and looks like normal traffic. Signature- and network-only tools miss it, bury you in noise, and ship your data to their cloud to do even that. The attack surface has moved - the incumbents have not.

Blind to the Physics

Network-only tools match signatures and curated asset databases. A valid-looking command that quietly drives the physical process out of spec looks perfectly normal on the wire - so the incumbents never see it.

0.46

AUC for network-only detection - vs 0.83 physics-informed

Drowning in Alerts

Legacy monitors emit thousands of raw anomalies with no context and no fix. Analysts burn out, real signals get lost, and "alert fatigue" becomes the actual security posture.

Noise

Raw anomalies with no explanation and no next step

Your Data Leaves the Site

Cloud-first platforms ship your OT telemetry off to their cloud to detect anything at all. For regulated and air-gapped operators, sending process data off-site is a non-starter.

Off-site

Where cloud-first tools send your OT telemetry

Vardar was engineered against all three. Physics-aware. Explainable. Edge-native.

The Vardar Edge

One Appliance.
Three Things That Matter.

Physics-informed detection. Passive by design. Sovereign by architecture. All on a ruggedized edge appliance - no cloud required.

Detection that sees the process

Physics-Informed Detection

A stealthy attacker can send a valid-looking command that quietly breaks the physical process - the packets look normal, so network-only tools miss it. Vardar models the physics itself, flags the deviation, and explains why.

  • Catches the valid command that breaks the process
  • Behavioral + process-physics, beyond signatures
  • Every alert explained: SHAP + MITRE ATT&CK for ICS
  • Benchmark-validated on public ICS datasets
Engineered to run itself

Passive & Self-Running

Vardar listens on a read-only SPAN/mirror port and never injects a packet - zero production risk. It auto-discovers every device and baselines on its own. No tuning, no per-vertical setup, no SOC team required.

  • Read-only SPAN - never touches the process
  • Automatic discovery & behavioral baselining
  • No tuning, no per-vertical retuning
  • Plain-English alerts - no alert fatigue
Your data stays yours

Edge-Native & Sovereign

All detection runs on-site on a ruggedized edge appliance - air-gap capable, no cloud round-trip in the detection path. Your raw traffic never leaves the facility; only anonymized patterns and scores ever do.

  • On-device detection - air-gap capable
  • Raw traffic, IPs & hostnames never leave site
  • HMAC-anonymized at the edge
  • Cloud is additive, never required
Safe, governed response - optional, off by default

NPU-Accelerated Edge

Anomaly scoring on an on-device NPU. All inference stays at the edge - no cloud round-trip in the detection path.

The Hive (Opt-In)

Opt-in cross-tenant intelligence over anonymized patterns. A threat pattern seen at one site sharpens detection for all - raw data never leaves.

Audit Shield

A CI test mathematically proves no raw IPs, MACs, or hostnames leave a Sentinel. Privacy by code, not by policy.

Explainable Alerts

Every alert says what changed, why it matters, and what to do - in plain English, mapped to MITRE ATT&CK for ICS.

How It Works

From Zero to Protected
in Under 24 Hours

No months-long deployments. No dedicated security teams required. Three simple steps to full OT/IoT visibility and protection.

01

Plug In

10 Minutes

We place a compact cybersecurity edge appliance next to your network switch. It connects to a mirror port - a standard, read-only tap that copies traffic without touching your production network. No agents installed. No configuration changes. No risk.

Compact edge device, plug-and-play
Standard mirror/SPAN port - read-only
Zero changes to your network
Zero production risk
02

Learn

24 Hours

Within 24 hours, the Sentinel automatically discovers every device on your network and builds a behavioral profile for each one - what it talks to, when, how much, and using which protocols. The on-device autoencoder produces an anomaly score per device-window; this becomes the behavioral half of Dual-Confirm.

Automatic device discovery
Behavioral profiling per device
No manual configuration needed
All processing happens on-premise
03

Protect

Ongoing

When any device deviates from its established behavior - unusual traffic, new connections, abnormal timing - you get a plain-English alert explaining exactly what changed and why it matters. No cryptic logs. No alert fatigue. Just clear, actionable intelligence.

Plain-English anomaly alerts
Explained in business context
Delivered to your existing tools
Collective intelligence improves over time
Pinpoint the Problem - and the Fix

Not 10,000 Alerts.
One Sentence.

Other tools bury you in raw anomalies. Vardar tells you exactly what changed, why it matters, and what to do about it - in plain English, mapped to MITRE ATT&CK for ICS.

Every alert ships with the SHAP explanation behind the score and a concrete next step, so your team acts in minutes - not after an afternoon of log triage.

PLC-04 · Pump Station 2High
What changed

Setpoint write drives flow beyond the safe envelope

Why it matters

Tank overflow risk - the process physics is violated

Technique

MITRE ATT&CK for ICS · T0836 Modify Parameter

Do this

Isolate engineering workstation WS-12; revert the setpoint

Why Vardar Wins

Competitors Hit a Sectoral Ceiling.
We Engineered Past It.

Claroty, Nozomi, Armis, Forescout and Dragos detect by matching against signature and asset databases, curated per vertical - powerful inside their lane, blind outside it, and unable to learn across customers. Vardar models behavior and the physics of the process itself, so detection generalizes across every sector.

Breaks: signature & asset-DB lock-in

Behavior & Physics, Beyond Signatures

Incumbents lean on curated signature and asset databases - so an unknown device or a novel attack with no signature is a blind spot. Vardar adds a behavioral and physics layer on top of fast JA4 fingerprinting: it models how a device behaves and how the physical process should move, catching the deviation - not just waiting for a known fingerprint.

Flags the valid-looking command that breaks the process physics - invisible to signatures
Breaks: per-vertical tuning

One Brain, Every Sector

Their coverage is only as deep as the asset database for your vertical - it does not transfer. Vardar’s detection generalizes across processes and industries, so the same engine works whether you run water, power, solar, or oil & gas.

One detection engine across water, power, solar & oil & gas - no per-vertical retuning
Breaks: islands that never compound

The Hive - Defense That Compounds

Each incumbent deployment is an island; knowledge from one customer never improves detection for the next. Vardar’s opt-in cross-tenant Hive shares anonymized behavioral patterns, so every participating site sharpens detection for all - a network effect per-vertical databases structurally cannot replicate. Raw data never leaves the edge.

HMAC-SHA256 anonymized at the edge - raw traffic and MACs never leave your site
Breaks: enterprise-only economics

Built for Critical Infrastructure & Energy

Heavy appliances, professional services, and six-figure price tags put the incumbents out of reach for most regulated operators. Vardar is edge-native and passive, plugs into a SPAN/mirror port in minutes with full visibility in under 24 hours, and is priced for the operators who actually run the grid, the water, and the pipelines.

Passive SPAN-port install · full visibility < 24h · operator-friendly pricing

Vardar measures process physics, not just network anomalies - benchmark-validated on public ICS datasets and explained, attack by attack.

The Hive - Optional & Private

Collective Defense.
Zero Raw Data.

Opt in, and each Sentinel contributes only anonymized patterns to the Vardar Hive. A threat pattern seen at one site becomes a guardrail at every other - without anyone's raw network data ever leaving the edge.

The shared layer is anonymized metadata, never packet content. Device identities are HMAC-anonymized at the edge with a salt that physically cannot leave the Sentinel - and a CI test enforces that invariant on every commit.

"A ransomware pattern caught at a utility in New York becomes a guardrail for a manufacturer in Tokyo - without either side sharing a single byte of raw data."

Cross-Tenant Patterns

An attack pattern observed at a utility in New York can protect a manufacturer in Tokyo - opt-in, and only as an anonymized pattern. Every participating site makes the network sharper.

Continuous Refinement

Anonymized behavioral patterns refine the global model over time. The more sites that opt in, the sharper detection becomes - a network effect signature databases cannot replicate.

Privacy by Construction

Only anonymized patterns and numeric scores ever leave the edge - never raw traffic, never IPs, never hostnames. Enforced by a CI test, not a promise.

Air-Gapped Sites Still Benefit

A site can receive sharpened intelligence without sending anything out, and detection runs fully standalone if the cloud is unreachable. The Hive is an optional layer, never a dependency.

CISO Trust Center

Mathematical Privacy.
Not Policy Privacy.

Most vendors hand you a privacy promise. We hand you a failing build. Every byte that leaves a Vardar Sentinel is governed by 7 inviolable invariants - and a CI test that blocks any regression before it merges.

The Audit Shield

Our CI runs TestAuditShield_EndToEndFingerprintWire on every pull request. It builds a payload from realistic raw IPs, MACs, and hostnames, ships it through the actual production uplink, captures the outbound bytes, and asserts via regex that ZERO raw-identifier patterns survived. A privacy regression breaks the build before merge. This is mathematical privacy, not policy privacy.

What Leaves the Edge - Exactly

JA4 fingerprints (public-by-construction protocol IDs). HMAC-SHA256-anonymized device IDs and hostnames, 16 hex chars, per-tenant salt. Numeric anomaly scores and kill-chain stage events. That is it. No raw IPs. No MACs. No payload bytes. No plant hostnames. No AD account names. Ever.

Salt That Cannot Leave

The per-tenant HMAC salt is generated on the device at provisioning time and stored at /etc/vardar/sentinel/tenant.salt mode 0600. By physical and architectural construction it is NEVER transmitted, NEVER logged, NEVER OTA-synced, NEVER backed up off-device. Salt rotation requires explicit operator re-provision.

Read the Source Yourself

ADR_011 documents the 7 inviolable Zero-Trust Privacy invariants. The Audit Shield test source is available to your CISO under NDA - clone the repo, run go test, reproduce the proof on your laptop in five minutes. We do not ask you to trust us. We give you the code that makes trust unnecessary.

Request Audit Shield Source (NDA)

SOC 2 Type II and IEC 62443 alignment underway. The privacy guarantee above stands independent of certifications - it is enforced by the code.

Regulatory Landscape

Built for What Regulators
Now Require

New mandates worldwide now require continuous OT monitoring - exactly what Vardar delivers, passively and on the budgets operators already hold. Compliance doesn't have to cost six figures.

United States · Power

NERC CIP-015 (INSM)

Phasing in · FERC Order 887

Internal Network Security Monitoring for the bulk electric system - continuous monitoring inside the trust zone to catch threats that bypass the perimeter. Exactly what Vardar does, passively.

United States · Water

EPA AWIA

Active

America's Water Infrastructure Act requires community water systems to assess and reduce cyber risk. The majority of utilities still run with no OT monitoring at all.

United States · Oil & Gas

TSA Pipeline Security Directives

Active · post-Colonial Pipeline

Mandatory cybersecurity measures, network segmentation, and continuous monitoring for TSA-designated pipeline owners and operators.

European Union

NIS2 Directive

In force · national transposition

Mandatory cyber risk management and incident reporting for essential and important entities across energy, water, manufacturing, and more.

International standard

IEC 62443

Global standard

The reference standard for industrial automation and control system security. Vardar maps to its zones-and-conduits model and monitoring requirements.

Israel

Israel INCD

Active & evolving

National Cyber Directorate regulations requiring OT security for critical infrastructure operators, with growing enforcement and audit requirements.

Start Your Compliance Journey Today

Vardar provides the device inventory, behavioral monitoring, and compliance reporting that regulators require - deployed in hours, not months, at a fraction of enterprise cost.

Free Compliance Assessment
Who It's For

Trained on Your World.
Built for Critical Infrastructure & Energy.

One detection engine that generalizes across processes and industries - because it models the physics, not a per-vertical signature database. Proven on water and power, extending across energy.

Water & Wastewater

Our Beachhead - Proven on Water

Vardar's physics models are validated on public water-treatment datasets (SWaT / WaDi). Most utilities run distributed SCADA with little or no OT-aware monitoring - exactly where attackers like Volt Typhoon look first.

Key Challenges

  • Distributed SCADA across pump, treatment & lift stations
  • Named in CISA Volt Typhoon advisories (AA24-038A)
  • Little or no existing OT monitoring

How Vardar Helps

One Sentinel per plant, passive SPAN install, full visibility in under 24 hours. Catches the valid command that breaks the process - and aligns with EPA AWIA and the CISA Cyber Performance Goals.

Get a free assessment for water & wastewater
Power & Grid

Substations, Co-ops & the Bulk Electric System

From regional cooperatives to substation automation, the grid is the most regulated OT footprint there is - and NERC CIP-015 now mandates internal network monitoring inside the trust zone.

Key Challenges

  • NERC CIP-015 internal monitoring mandate phasing in
  • IEC 61850 / DNP3 increasingly TLS-wrapped
  • Geographically dispersed, thinly staffed sites

How Vardar Helps

Passive, edge-native monitoring that satisfies INSM requirements without touching the process. Physics-informed detection flags manipulation that signature tools miss - air-gap friendly, detection survives cloud loss.

Get a free assessment for power & grid
Solar PV & Distributed Energy

The Fastest-Growing, Least-Defended Footprint

Solar farms, inverters, and distributed energy resources are scaling faster than anyone can secure them. Vardar speaks SunSpec natively and models the physics of generation - not just the packets.

Key Challenges

  • SunSpec / Modbus inverter fleets with weak authentication
  • Disclosed inverter vulnerabilities (e.g. SUN:DOWN)
  • Low-bandwidth, remotely managed sites

How Vardar Helps

One Sentinel per site, OTA-managed and mesh-connected. Native SunSpec identity plus physics-informed detection covers what network-only tools are blind to - fully standalone if the cloud drops.

Get a free assessment for solar pv & distributed energy
Oil & Gas

Pipelines, Refineries & Remote Field Sites

Pipelines and refineries sit under TSA Security Directives and run the same process-control physics Vardar already models elsewhere - so the same engine extends here, no per-vertical asset database required.

Key Challenges

  • TSA pipeline directives mandate monitoring & segmentation
  • Dispersed remote field devices and RTUs
  • Safety-critical processes - zero tolerance for disruption

How Vardar Helps

Passive, read-only deployment that never touches the process, addressable by the same physics engine that powers our water and power coverage. Pinpoints the anomaly and the fix, mapped to MITRE ATT&CK for ICS.

Get a free assessment for oil & gas

Also supports smart buildings and manufacturing - the same engine adapts to any OT/IoT environment.

Let's Discuss Your Needs
Beyond Security · On the Roadmap

The Same Physics That Catches an Attacker
Catches a Failing Pump.

The tiny physical deviations that expose an intruder also expose equipment starting to fail. So Vardar can predict operational problems before they cause downtime - security that also protects uptime.

On the roadmap for Vardar customers: turn the same edge intelligence into early warning for the maintenance team, not just the security team.

Coming Soon

Predictive Operational Health

From negligible physical changes, surfaced before they become failures:

  • A bearing starting to wear
  • A valve drifting out of spec
  • A pump heading for failure
Pricing

Pick One Tier Per Site.
Each Includes the One Below.

Priced per sentinel, per year - inclusive tiers, no six-figure contracts. Every engagement starts with a free visibility week.

Visibility

See every device

$7,500
per sentinel / year
  • Automatic asset discovery & map
  • Behavioral baselining per device
  • Purdue zoning & device inventory
  • Plain-English dashboard
Start with a Free Week
Most Popular

Detection

= Visibility + get warned

$15,000
per sentinel / year
  • Everything in Visibility, plus:
  • Physics-informed detection
  • Explained alerts + fix (SHAP, MITRE ATT&CK ICS)
  • The Hive - opt-in collective intelligence
  • Compliance reporting (NERC, AWIA, NIS2)
Start with a Free Week

Active Defense

= Detection + respond safely

$28,000
per sentinel / year
  • Everything in Detection, plus:
  • Safe, governed response - optional, off by default
  • Predictive operational health (coming soon)
  • Priority support & SLAs
Contact Sales
Compare tiersVisibilityDetectionActive Defense
Asset discovery & map
Physics-informed detection
Explained alerts + fix
The Hive (opt-in)
Safe governed response (optional)
Predictive operational healthSoon

Every engagement starts with a free visibility week - passive, no commitment, no data leaves your site.

Start your Free Visibility Week
Get Started

Request a
Private Demo

See how VARDAR can transform your network security. Our team will walk you through a personalized demonstration tailored to your industry and use case.

Personalized threat assessment
Live platform demonstration
Custom deployment planning
ROI analysis for your environment

Built by cybersecurity engineers. Passive · edge-native · your raw data never leaves the site.

Physics-Informed AI
Passive · Read-Only
Hive (Opt-In)
< 24h Deploy
Data Never Leaves

Typical response time: Under 4 business hours.

By submitting, you agree to our Privacy Policy and Terms of Service.