How Active Threat Hunting Complements Your OT Tools


If you’re an IT/OT security manager, you likely rely on proven OT security platforms like Dragos, Nozomi Networks, or Claroty for passive network monitoring and asset visibility. These tools have revolutionized industrial cybersecurity by giving you a solid foundation of visibility – you can see what’s on your network, detect anomalies, and map out communications. In other words, you know what is happening across your control systems.

However, here’s the hard truth: the threat landscape has moved beyond the network. Today’s adversaries are getting stealthier, exploiting blind spots that traditional network-only security models can’t see. Unless we adapt our defenses, even the best OT monitoring platforms can leave dangerous gaps in protection.

In this post, we’ll explore those visibility gaps and how active threat hunting adds the missing layer to your OT security stack. You’ll learn how an active approach – exemplified by platforms like Insane Cyber’s Valkyrie – correlates host and network telemetry to catch threats that passive tools might miss.

We’ll walk through real-world scenarios (like malicious scripts or abuse of valid credentials) to show how active threat hunting provides deeper insight, context-rich alerts, and faster incident response. Finally, we’ll see how Valkyrie complements (not replaces) your existing tools by integrating with their intel and alerts, reducing false positives and boosting the ROI of your current security investments.


The Foundation: Passive OT Monitoring and Asset Visibility

Platforms like Dragos, Claroty, and Nozomi Networks deserve credit. Their passive network monitoring approach was a breakthrough for OT security – it allowed industrial asset discovery, communication mapping, and anomaly detection without disrupting sensitive control systems. By passively listening to network traffic (via SPAN ports or taps), these tools can decode hundreds of proprietary industrial protocols, identify devices, and learn “normal” behaviors on your ICS network.

This provides a non-intrusive, real-time picture of your OT environment’s baseline. In fact, passive monitoring remains highly popular in ICS environments because it is safe for uptime; it won’t accidentally crash a PLC or interfere with operations. The result is often an impressive asset inventory and visibility into network communications that IT-centric tools alone could never achieve.

However, passive monitoring has inherent limitations. As effective as network-centric tools are, their design comes with trade-offs:

  • Inference vs. Evidence: Passive systems infer issues from network traffic patterns, but they can lack direct evidence from the hosts themselves. For example, seeing a strange packet on the network might hint at a problem, but you may not know why it’s happening.
  • No Host-Level View: These tools can’t see what’s happening inside endpoints like human-machine interfaces (HMIs), engineering workstations, or PLC programming laptops. They monitor communications between devices, not the processes on those devices.
  • Context Gaps: A passive sensor might tell you a PLC logic change was initiated over the network, but not who initiated it, why, or what else happened on the workstation that triggered that change. Critical context – such as which user account or process made a change – is missing if you only have network data. This is often called the “context gap” in OT security.

Put simply, network tools show what happened between systems, but not the full story of who and how it happened on the systems involved. Your SOC might see an alert about a suspicious command sent to a controller, yet be left wondering: was it a legitimate maintenance action or an illicit change made by a malware-infected engineering station? Without data from the host, the alert remains ambiguous and difficult to quickly verify.

The Visibility Gap at the Host/Endpoint Level

This lack of host-level insight is a growing concern. Modern attackers know that if defenders are only watching the network, they can hide on endpoints. Many of the most dangerous techniques in the MITRE ATT&CK for ICS framework (scripting, valid accounts and masquerading among them) execute on the host and are invisible to network sensors alone. Attackers increasingly use in-memory scripts, unauthorized activity under legitimate user accounts, or malware that masquerades as a legitimate process, none of which need produce an obvious network anomaly. As a result, even with the best network monitoring, your team may be missing half the picture.

Consider a real-world inspired scenario: An attacker gains access to an engineering workstation in your plant, perhaps via stolen VPN credentials or a phishing email to an engineer. They run a malicious PowerShell script on that workstation to quietly install a backdoor and then use a standard PLC programming tool (with a valid login) to download new logic to a controller.

What would your passive OT monitors see?

They might detect the PLC logic download and flag it as unusual – after all, changes to controller logic outside of maintenance windows are often suspicious. But is it malicious or just a late-night maintenance fix? Without host visibility, you have no immediate evidence. The network alert lacks context about who ran that change and what happened on the workstation around that time.

This ambiguity can lead to alert fatigue and slow investigations – your analysts would have to scramble, manually pulling Windows logs or forensic data from the workstation to figure out if a script ran or if an unauthorized user was present. That process is not only inefficient, it’s nearly impossible to scale across dozens or hundreds of assets during a fast-moving incident.

Now think about threats like insider misuse. An employee or contractor with valid credentials could intentionally or accidentally execute unauthorized changes on a critical HMI. Passive network tools might not raise an alarm at all if the actions use allowed protocols and credentials.

Only by correlating user activity with system events on the host can you catch that kind of misuse. Network-only solutions leave blind spots in east-west communication and in user behavior, and those blind spots are exactly what an insider, or an outsider holding valid credentials, exploits.

Simply put, relying on network monitoring alone means there are things happening on your OT endpoints that you’re not seeing. This visibility gap at the host level is exactly what active threat hunting is meant to fill.


Active Threat Hunting: The Missing Layer in OT Security

Active threat hunting is an emerging best practice for mature security programs, including in OT environments. Unlike passive monitoring, which waits for alerts to pop up, active threat hunting means proactively searching for signs of adversaries already in your environment. It’s a shift in mindset from reactive to proactive: assume a breach could happen (or is in progress) and systematically scour your network and endpoints for any evidence of suspicious activity.

In IT networks, this approach is common (threat hunters comb through logs, EDR alerts, etc. to find hidden malware or intrusions). In OT, active hunting has been slower to catch on – partly due to fears of disrupting operations – but it’s quickly becoming the new standard as companies recognize the need to root out stealthy threats.

So, what makes active threat hunting in OT different from the passive tools you already have? In short, it adds that missing host-level visibility and correlates it with your network data to paint a complete picture. Imagine if every suspicious network packet or PLC command could be paired with the process or user on the host that caused it – all in one view. That’s the vision behind platforms like Insane Cyber’s Valkyrie, which was built to bridge the gap between network visibility and host intelligence. Valkyrie and similar solutions integrate two critical data sources:

  1. Network Traffic Intelligence: They ingest the same kind of rich network data you get from tools like Nozomi or Dragos – deep packet inspection across hundreds of industrial protocols and high-fidelity network alerts. This ensures you’re still catching known bad network behaviors (like a PLC being put into STOP mode unexpectedly, or unfamiliar devices scanning your control network).
  2. Host-Level Evidence: They also collect and analyze data from the endpoints themselves – logs, processes, system calls, registry changes, user login events, and so on. This host telemetry provides contextual insight from the very workstations and servers that adversaries target, such as HMIs, engineering stations, historians, and even Windows domain controllers in OT segments.


By correlating these two feeds in real-time, an active hunting platform creates a single unified view of each potential threat. Suddenly, those network anomalies are backed by concrete evidence from the host side – turning guesswork into high-confidence detections. This unified approach effectively closes the “context gap” we talked about. Instead of inferring what might have happened on a host, you can see actual host data aligned with the network event.

How Active Hunting Identifies What Passive Tools Miss

Let’s revisit our earlier scenario (the suspicious PLC logic change) with an active threat hunting platform in place. Here’s how it could play out with Valkyrie, for example:

  • Network Detection: Valkyrie’s network sensor picks up the PLC logic download event – just like a traditional monitor would – and recognizes that this is unusual for that PLC at this time.
  • Host Detection: At the same time, Valkyrie’s host agent on the engineering workstation flags a suspicious PowerShell script running under an account that does not belong to an engineer. This is a major red flag: a non-engineer account executing a script on an engineering station suggests credential abuse or an outsider using stolen credentials.
  • Automatic Correlation: The platform automatically correlates these two observations – the network event (PLC logic change) and the host event (malicious script and unusual user) – and flags them as one high-confidence alert on a unified dashboard. Rather than two separate alerts in different systems, it’s a single incident with all related evidence tied together.
  • Rich Context for Analysts: Within minutes, your analyst can drill down and see exactly what happened: which user ran the script, what that script did (e.g., changes to the Windows registry or system), and which process on the host was responsible for the PLC logic change. All this detail is available immediately, with no need to manually pull logs or jump between different tools. There’s no guesswork – you have the who, what, when, and how in one place.

In this scenario, what would have been an ambiguous network alert is now a clear, actionable security incident. The malicious script (which passive network monitoring alone would have missed) is revealed and linked to the unauthorized change on the PLC, and the use of a valid but inappropriate account is highlighted. Active threat hunting shines in catching exactly these kinds of multi-faceted attacks: where an adversary may live off the land (using legitimate tools or credentials) and blend into normal network traffic, but where their host-level actions leave footprints that can be detected if you’re looking for them.
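To make the correlation concrete, here is an added example written for this post; it is not Valkyrie’s code or data model. It joins a network-side program-download alert with process and connection telemetry from the workstation that sent it, tags the red flags it finds, and names the process that actually opened the connection to the controller. The IP-to-host map, the authorised-engineer list, the event field names and every log record are constructed for illustration, and the ATT&CK for ICS technique IDs are the example’s own mapping.

```python
"""Correlate a network-side PLC programming alert with host telemetry from the
workstation that sent it.  All identifiers and records below are constructed."""
import json
from datetime import datetime, timedelta, timezone

# Hypothetical asset context: source IP -> hostname, and the accounts allowed to
# do engineering work from each workstation (compared case-insensitively).
ASSET_BY_IP = {"10.20.30.41": "ENG-WS-03"}
AUTHORIZED_ENGINEERS = {"ENG-WS-03": {"corp\\jdoe", "corp\\mkhan"}}
SYSTEM_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                   "nt authority\\network service"}

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-nop", "-w hidden", "iex ",
                   "downloadstring", "frombase64string")

# Constructed network alert, shaped like what a passive sensor emits.
NETWORK_ALERT = {
    "ts": "2024-03-12T02:14:07Z", "src_ip": "10.20.30.41", "dst_ip": "10.20.31.5",
    "dst_port": 102, "protocol": "s7comm", "event": "program_download", "asset": "PLC-LINE3",
}

# Constructed host telemetry from the engineering workstation: process creations and
# outbound connections, in the spirit of Sysmon event IDs 1 and 3.
HOST_EVENTS = [
    {"type": "process", "ts": "2024-03-12T01:58:30Z", "host": "ENG-WS-03", "pid": 3120,
     "user": "CORP\\jdoe", "image": "C:\\Windows\\notepad.exe",
     "cmdline": "notepad.exe shift_notes.txt"},
    {"type": "process", "ts": "2024-03-12T02:09:51Z", "host": "ENG-WS-03", "pid": 4388,
     "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAuAC4ALgA="},
    {"type": "process", "ts": "2024-03-12T02:12:40Z", "host": "ENG-WS-03", "pid": 4410,
     "user": "CORP\\svc-backup", "image": "C:\\Program Files\\PLCTool\\plc_programmer.exe",
     "cmdline": "plc_programmer.exe --project line3.prj"},
    {"type": "netconn", "ts": "2024-03-12T02:14:06Z", "host": "ENG-WS-03", "pid": 4410,
     "user": "CORP\\svc-backup", "image": "C:\\Program Files\\PLCTool\\plc_programmer.exe",
     "dst_ip": "10.20.31.5", "dst_port": 102},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def host_findings(evt, host):
    """ATT&CK for ICS technique tag plus a reason, for each red flag in one host event."""
    findings = []
    image = evt["image"].rsplit("\\", 1)[-1].lower()
    user = evt["user"].lower()
    if evt["type"] == "process" and image in SCRIPT_HOSTS and \
            any(m in evt["cmdline"].lower() for m in SUSPICIOUS_ARGS):
        findings.append(("T0853 Scripting", f"{image} launched as: {evt['cmdline']}"))
    if user not in SYSTEM_ACCOUNTS and user not in AUTHORIZED_ENGINEERS.get(host, set()):
        findings.append(("T0859 Valid Accounts",
                         f"{evt['user']} is not an authorised engineer on {host}"))
    return findings


def correlate(alert, host_events, window=timedelta(minutes=15)):
    """Join one network alert with host telemetry from the workstation that sent it.

    confidence: high   - host evidence of scripting / credential misuse lines up
                medium - the change could not be attributed to any host activity
                low    - attributable to an authorised user's programming tool
    """
    host = ASSET_BY_IP.get(alert["src_ip"])
    t0 = parse_ts(alert["ts"])
    result = {"asset": alert["asset"], "host": host, "techniques": ["T0843 Program Download"],
              "evidence": [], "responsible_process": None, "confidence": "medium"}
    if host is None:                      # unknown source: nothing to correlate against
        return result
    nearby = sorted((e for e in host_events
                     if e["host"] == host and abs(parse_ts(e["ts"]) - t0) <= window),
                    key=lambda e: e["ts"])
    for e in nearby:
        # A connection to the alerted PLC and port names the process behind the download.
        if e["type"] == "netconn" and e["dst_ip"] == alert["dst_ip"] \
                and e["dst_port"] == alert["dst_port"]:
            result["responsible_process"] = {"pid": e["pid"], "image": e["image"],
                                             "user": e["user"]}
        for tech, reason in host_findings(e, host):
            result["evidence"].append({"ts": e["ts"], "pid": e["pid"], "reason": reason})
            if tech not in result["techniques"]:
                result["techniques"].append(tech)
    if result["evidence"]:
        result["confidence"] = "high"
    elif result["responsible_process"]:
        result["confidence"] = "low"
    return result


if __name__ == "__main__":
    print(json.dumps(correlate(NETWORK_ALERT, HOST_EVENTS), indent=2))
```

Run as written, the output is a single incident: the program download (T0843), the encoded PowerShell launched a few minutes earlier by a service account that is not an engineer (T0853, T0859), and the process and PID that opened the connection to the controller. Feed the same network alert only an authorised engineer’s programming-tool connection and it comes back as low confidence, which is the late-night-maintenance versus intrusion distinction the network sensor alone cannot make.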

To give another hypothetical example, consider USB-borne threats, a common risk in industrial sites. An operator might inadvertently introduce malware via a USB drive on an HMI. A passive network tool likely won’t notice anything until that malware starts sending traffic (which might be too late).

In contrast, an active hunting platform with host visibility could immediately flag an unusual process executed from a USB, or the installation of new files/drivers on the HMI, or even just the act of a new USB device being mounted if that’s not common. (In fact, Valkyrie has dedicated dashboards for USB and removable media activity, precisely because removable media is a top infection vector in OT.) By catching these host indicators, active threat hunting can alert you to malware or policy violations before they manifest as a full-blown network incident.
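The removable-media indicators just described, as an added example that is not Valkyrie’s code, dashboards or schema: a small set of host-side rules that replays constructed agent events in time order, tracks per host which drive letters currently belong to removable volumes, and flags a mount on a host where removable media is prohibited, the execution of an image from such a volume, and a write by that process into a system directory. The policy sets, bus names, event fields and all records are constructed, and the T0847 tag is the example’s own ATT&CK for ICS mapping.

```python
"""Host-side hunting rules for removable media on OT endpoints.  Records and field
names are a constructed, hypothetical agent schema, not any vendor's."""
from datetime import datetime, timezone

# Hypothetical site policy: hosts where removable media is never expected.
NO_REMOVABLE_MEDIA = {"HMI-07"}
# Buses that indicate a removable volume rather than a fixed disk.
REMOVABLE_BUSES = {"USB", "SD", "1394"}
# A write under these paths by a removable-media process indicates a driver or software install.
SENSITIVE_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\",
                  "c:\\program files\\")

# Constructed telemetry: an operator plugs a USB stick into HMI-07 and runs an installer
# from it; HMI-08 has a fixed second disk on the same drive letter, for contrast.
HOST_EVENTS = [
    {"type": "volume_mount", "ts": "2024-03-12T06:02:11Z", "host": "HMI-07", "drive": "E:",
     "bus": "USB", "serial": "4C530001230112345678", "label": "KINGSTON"},
    {"type": "process", "ts": "2024-03-12T06:02:40Z", "host": "HMI-07", "pid": 2204,
     "user": "HMI-07\\operator", "image": "C:\\Windows\\explorer.exe",
     "cmdline": "explorer.exe E:\\"},
    {"type": "process", "ts": "2024-03-12T06:03:05Z", "host": "HMI-07", "pid": 2310,
     "user": "HMI-07\\operator", "image": "E:\\Update\\hmi_patch.exe",
     "cmdline": "hmi_patch.exe /quiet"},
    {"type": "file_create", "ts": "2024-03-12T06:03:09Z", "host": "HMI-07", "pid": 2310,
     "path": "C:\\Windows\\System32\\drivers\\wdfhlp.sys"},
    {"type": "volume_unmount", "ts": "2024-03-12T06:05:00Z", "host": "HMI-07", "drive": "E:"},
    {"type": "volume_mount", "ts": "2024-03-12T05:40:00Z", "host": "HMI-08", "drive": "E:",
     "bus": "SATA", "serial": "WD-WX11A0000001", "label": "DATA"},
    {"type": "process", "ts": "2024-03-12T06:10:00Z", "host": "HMI-08", "pid": 1900,
     "user": "HMI-08\\operator", "image": "E:\\Tools\\viewer.exe", "cmdline": "viewer.exe"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def drive_of(path):
    """'E:\\Update\\x.exe' -> 'E:'; None for UNC or relative paths."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else None


def hunt_removable_media(events):
    """Replay host events in time order and return removable-media findings."""
    mounted = {}     # host -> {drive letter -> mount record}, removable volumes only
    from_media = {}  # (host, pid) -> image path, for processes started off removable media
    findings = []

    def flag(e, rule, detail):
        findings.append({"ts": e["ts"], "host": e["host"], "pid": e.get("pid"),
                         "rule": rule, "detail": detail})

    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        host, kind = e["host"], e["type"]
        if kind == "volume_mount" and e["bus"] in REMOVABLE_BUSES:
            mounted.setdefault(host, {})[e["drive"].upper()] = e
            if host in NO_REMOVABLE_MEDIA:
                flag(e, "removable media mounted on restricted host",
                     f"{e['bus']} volume '{e['label']}' serial {e['serial']} as {e['drive']}")
        elif kind == "volume_unmount":
            mounted.get(host, {}).pop(e["drive"].upper(), None)
        elif kind == "process":
            drive = drive_of(e["image"])
            if drive in mounted.get(host, {}):
                from_media[(host, e["pid"])] = e["image"]
                flag(e, "T0847 execution from removable media",
                     f"{e['user']} ran {e['image']} ({e['cmdline']})")
        elif kind == "file_create":
            origin = from_media.get((host, e["pid"]))
            if origin and e["path"].lower().startswith(SENSITIVE_DIRS):
                flag(e, "removable-media process wrote to a system directory",
                     f"{origin} created {e['path']}")
    return findings


if __name__ == "__main__":
    for f in hunt_removable_media(HOST_EVENTS):
        print(f"{f['ts']} {f['host']:7} {f['rule']}: {f['detail']}")
```

The per-host state is the point: the same drive letter on HMI-08 is a fixed SATA disk, so an executable launched from it is not flagged, and once the stick is unmounted on HMI-07 the letter stops being treated as removable. None of these three findings produce a single packet, which is why a network sensor sees nothing until the installed driver or payload starts talking.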

The bottom line is that active threat hunting tools don’t wait for damage to become obvious. They continuously and proactively analyze host behavior and combine it with network data to surface subtle signs of intrusion – malicious scripts, suspicious user behavior, unauthorized configurations, etc. – that passive systems alone might overlook. And they do this in a safe, OT-aware manner (for instance, lightweight agents or sensors that won’t disrupt operations, and clever use of “safe querying” techniques to gather data). As one industry report noted, combining host and network perspectives provides a far more complete picture and can identify complex threats that a siloed, single-source tool would miss. In essence, active threat hunting is the missing layer that complements your existing OT security investments by adding depth and proactivity to your defenses.


Enhancing – Not Replacing – Your Existing OT Security Stack

It’s important to emphasize that an active threat hunting platform like Valkyrie isn’t meant to rip-and-replace the tools you have. It’s built to enhance them. Think of your current OT security tools as providing the wide-angle view of your environment – they cover a broad surface area, giving you the big picture of assets and network activity. In contrast, active threat hunting provides the zoom lens – the detailed, close-up insight that turns uncertainty into action. You really need both perspectives to effectively protect modern OT networks.

Here are a few ways active hunting complements common OT platforms:

  • Dragos (Threat Intelligence): If you use Dragos, you benefit from their WorldView threat intelligence feed and industry-specific threat detection. Valkyrie can take that threat intel and provide ground-truth validation in real time. For example, if Dragos alerts on a known adversary technique or threat behavior, Valkyrie’s host data can immediately check whether that technique actually occurred on any of your endpoints – mapping any findings directly to MITRE ATT&CK tactics and techniques for clarity. This means fewer blind spots and faster confirmation of whether intel indicators are present in your environment.
  • Claroty or Nozomi Networks (Network Anomaly Detection & Asset Visibility): These platforms excel at identifying anomalies in network traffic and maintaining an up-to-date asset inventory. Valkyrie adds a layer of verification to those anomalies. When Claroty/Nozomi flags a strange communication or device behavior, Valkyrie can instantly correlate it with host processes or logs to determine if it’s truly malicious or just an operational quirk. By linking network deviations with specific host activities, Valkyrie dramatically cuts down on false positives. Your team won’t waste time chasing an alert that turns out to be benign – the system will show whether there was an associated suspicious action on the host. This validation step means you get higher-confidence alerts and can respond more quickly to genuine threats.

Integration is usually straightforward as well. Active hunting platforms can ingest data or alerts from your existing tools and vice versa. For instance, Valkyrie can forward its high-fidelity alerts into a SIEM or an OT SOC console you already use, or pull in context (like asset details or vulnerability info) from your current inventory systems. This synergy effectively increases the ROI of your current investments – you’re leveraging what you already have (network monitoring, threat intel, etc.) and making their outputs more actionable with the additional context and evidence provided by active threat hunting.

To summarize the differences and complementary strengths of passive OT monitoring vs. active threat hunting, the table below provides a quick comparison:

“Passive” below means passive OT monitoring (Dragos, Claroty, Nozomi, etc.); “Active” means active threat hunting (e.g., Valkyrie).

Visibility Coverage
  Passive: Network-centric visibility – observes network traffic, communications between devices, and protocol activity on the wire. Excellent for mapping assets and connections.
  Active: Unified network and host visibility – monitors network packets plus endpoint telemetry (logs, processes, user actions) for a complete picture, covering the critical hosts that a network sensor alone cannot see inside.

Monitoring Approach
  Passive: Passive and continuous – listens to traffic non-intrusively and detects deviations from baseline behavior. Does not interact with devices (safety first). Alerting is reactive, triggered when something deviates.
  Active: Proactive and hunting-oriented – assumes threats may already be present and searches for indicators of compromise on hosts and network (e.g., scans host logs, runs hunting queries). Can safely query endpoints for data to fill gaps.

Context & Detail
  Passive: Limited context – knows what happened on the network (e.g., a PLC was programmed) but not who or which process initiated it. Relies on inference; often requires manual investigation to get details.
  Active: Rich context – correlates events with user accounts, processes, file changes, and more. Provides evidence-backed alerts (who did what, when, and how) without separate forensic work.

Threats Detected
  Passive: Network-borne threats and anomalies – e.g., unauthorized protocol use, scanning, known malicious packets, obvious changes in device communication. May miss purely host-based attacks (malware that does not beacon, misuse of legitimate credentials).
  Active: Network indicators plus host-based tactics – e.g., malicious scripts, abnormal user logins, rogue software installs, USB malware. Can identify insider actions or lateral movement that generate subtle or no network signals.

False Positives
  Passive: Can be higher due to lack of context – an alert may be benign but look suspicious on network data alone. Analysts often must verify by gathering more data (time-consuming).
  Active: Tend to be lower because of cross-correlation – an alert backed by both network and host evidence carries far more confidence than either signal alone. This reduces noise and alert fatigue and focuses analysts on true positives.

Response & Investigation
  Passive: Provides a starting point for investigation but often requires manual log pulling or jumping to endpoint tools to confirm what happened. Incident response can be slower, as the team pieces together context after an alert.
  Active: Speeds up response with immediate, consolidated incident context. Analysts see all related information in one alert (network flow plus host artifacts), enabling faster triage and remediation. Often includes tools to pivot directly into endpoint forensic data or network packet captures as needed.

Role in Security Stack
  Passive: Foundation layer for OT security – excellent for baseline visibility and safety. Ensures you know your assets and “normal” network operations. Not a silver bullet on its own, especially against advanced threats.
  Active: Complementary layer that enhances the foundation. Works alongside passive tools to provide complete visibility. Turns your security program from purely monitoring into actively hunting and responding, without replacing existing systems.

Conclusion: Gaining the Full Picture with Active Hunting

In summary, passive OT monitoring tools are necessary but no longer sufficient on their own. They cover a lot of ground by watching network traffic, but they inevitably leave gaps on the hosts – and modern attackers are skillful at slipping through those gaps. Active threat hunting fills that void, unifying network and host data so you can see both sides of the story. By moving from inference to evidence and from reactive alerts to proactive detection, you dramatically improve your chances of catching malicious activity early and definitively.

The future of OT security is one of unified visibility. To outpace adversaries, you need to monitor the network and understand what’s happening on your endpoints. It’s not about piling on more alerts – it’s about getting smarter, context-rich alerts that you can act on with confidence. Active threat hunting platforms like Valkyrie were built to close this OT visibility gap once and for all, giving your team the insight needed to not just see events, but truly understand them in context.

Next Steps – Consider trying a pilot deployment or assessment in a segment of your OT environment. There’s no better way to see the benefits than experiencing them firsthand. Many organizations start with a focused threat hunting assessment or a limited Valkyrie pilot, and they’re often surprised by the previously unseen issues uncovered (from dormant malware to misconfigured devices).

Such a pilot can quickly highlight the value of active threat hunting – revealing hidden threats, providing peace of mind, and showing how it complements your existing Dragos/Nozomi/Claroty investments in practice. By layering active hunting on top of your current tools, you’ll gain deeper insight, faster incident response, and ultimately higher ROI on your security investments through a more robust, context-aware defense.

Don’t let your OT security stop at passive monitoring. With active threat hunting as a complementary layer, you can confidently close the gaps and protect every level of your operations. It’s time to move beyond just monitoring – and start actively hunting to keep your industrial systems safe.
