There’s a category of industrial site that permanent security monitoring never seems to reach. The compressor station is three hours past the last gas station. The substation has no spare rack space and no budget line for sensors. The plant that runs air-gapped by policy, where “just ship the data to the cloud” gets you laughed out of the control room.
These sites still get attacked. Volt Typhoon didn’t skip the small facilities, and neither does anyone else. The question is how you get real network visibility into a place that was never designed for it. That’s the problem a flyaway kit solves.
What is a Flyaway Kit?
A flyaway kit is a portable, self-contained OT security platform you can carry to a site, plug into a SPAN port or tap, and start analyzing traffic within the hour. No cloud dependency, no internet connection, no permanent install, no change tickets that take six months to approve. When the job is done, you unplug it, and the site goes back to exactly how you found it. The concept came out of military and intelligence field operations, where teams needed serious analytical capabilities in places with zero infrastructure, and it translates remarkably well to industrial environments.
Our version of this is Cygnet, which runs the full Valkyrie monitoring platform from a portable case one person can carry to a site. But whether you’re evaluating ours or building your own, the use cases below are where these kits earn their keep.
1. Assessing Air-Gapped and Isolated Environments
This is the original use case, and it’s still the biggest one. Plenty of environments prohibit outside network connectivity entirely: classified facilities, nuclear plants, certain defense and manufacturing sites, and any operator who decided isolation was their strongest control.
The catch is that “air-gapped” and “secure” are not the same thing. Isolated networks still see USB media, vendor laptops, transient engineering connections, and misconfigurations that have been quietly sitting there for a decade. A flyaway kit lets you actually look at what’s happening on those networks without violating the very isolation policy that defines them. Everything stays in the kit. Nothing phones home.
At the most sensitive facilities, it goes one step further: the hard drives never leave the building. Our team has run engagements where we hand over the drives at the end, rebuild the kit, and the data stays exactly where policy says it must. If your site has that requirement, it’s worth confirming that any kit you’re evaluating can operate that way.
2. Remote and Distributed Sites
Pipelines, wind farms, water systems, and transmission networks share a problem: the assets are everywhere, and the security team is not. Permanently instrumenting a hundred pump stations rarely survives a budget review.
A flyaway kit turns that into a rotation problem instead of a capital problem. One kit and one analyst can work through a circuit of sites, capturing traffic, baselining assets, and hunting for anything that shouldn’t be there. It’s not continuous monitoring, and we’d never pretend it is. But a thorough assessment every quarter beats zero visibility forever.
3. Incident Response
When something goes wrong at an unmonitored site, the first hours are usually spent just figuring out what’s on the network. That’s a terrible time to start from scratch.
A flyaway kit is the difference between “we think it’s contained” and “here’s the packet capture showing exactly what the adversary touched.” Responders can get eyes on live traffic fast, pull forensic data from hosts, and start scoping the intrusion without waiting on procurement or a permanent sensor deployment. For OT incidents specifically, doing this without disrupting operations is the whole game, and passive collection off a SPAN port is about as low-risk as it gets.
The blind spots aren’t always whole sites, either. We’ve worked on refinery and substation projects where the links between the control systems and the substation rings were monitored, but nothing was watched further down the Purdue stack. Is something happening over DNP3? Over IEC 61850? A kit light enough to be carried overnight through a standard carrier contract, paired with a portable tap so you can place it at whatever level needs eyes, lets responders follow the incident wherever it goes instead of stopping where the fixed sensors do.
4. Threat hunting engagements
Hunting assumes compromise and goes looking for evidence, which means it works best with fresh data from the actual environment rather than whatever logs happen to exist. Most OT sites don’t have the telemetry to support a real hunt.
Bring the telemetry with you. A kit capturing east-west traffic inside the control network gives hunters something to actually hunt in: unusual protocol behavior, unexpected connections between zones, living-off-the-land activity that signature-based tools shrug at. This matters more now than it did five years ago, because groups like Volt Typhoon largely skip custom malware in favor of built-in admin tools and stolen credentials. You find them by knowing what normal looks like, and you can’t baseline a network you’ve never observed.
Depth matters as much as placement. Open source tools might show you Modbus function code 90 and stop there. Knowing that function code means Schneider’s proprietary UMAS protocol, and being able to dissect it, is the difference between seeing traffic and confirming whether someone actually pushed a program to a PLC. The same logic applies to host data. Sysmon and Windows event logs from OT-adjacent endpoints often can’t be shipped back to a SIEM, either because the site is too remote or the data isn’t allowed to leave. So bring the analysis to the data instead.
5. Compliance and Regulatory Assessments
If you’re subject to NERC CIP, TSA security directives, or similar frameworks, you eventually have to demonstrate that your electronic security perimeter looks the way your documentation says it does. Paper reviews find paper problems. Traffic analysis finds real ones.
This is getting more concrete for the electric sector. NERC CIP-015-1, approved by FERC in June 2025, requires Internal Network Security Monitoring, or INSM. That means visibility into the east-west traffic moving inside a utility’s trust zones, not just the north-south traffic crossing the perimeter that older CIP standards focused on. Compliance deadlines phase in starting in 2028, and a flyaway kit is a practical way to see what your east-west traffic actually looks like before committing to a permanent INSM architecture.
INSM isn’t the only regulatory angle, either. CIP incident response obligations come with reporting clocks and real fines attached. A kit that’s staged and ready to deploy is a lot easier to write into an incident response plan than a procurement process, and it’s the kind of thing you want figured out before the building is on fire, not during.
A flyaway kit gives assessors ground truth: every asset actually communicating on the network, every external connection, every protocol in use. We’ve seen more than one site discover an undocumented remote access path this way. Better to find it during an assessment than during an audit, and much better than finding it during an incident.
6. M&A Due Diligence
Acquiring an industrial company means acquiring its OT networks, including whatever has been living in them. Financial due diligence is standard. OT security due diligence mostly isn’t, which is strange given that a compromised plant is a very expensive surprise.
A short on-site engagement with a flyaway kit can characterize the target’s OT environment before the deal closes: asset inventory, network architecture as it actually exists, obvious hygiene problems, and any signs of active compromise. Our team has worked these engagements on both sides of the table, buyers wanting to know where the skeletons are and sellers wanting to find them first. Either way, it’s a few days of work that can materially change a valuation.
7. Baselining New or Modified Systems
Factory acceptance tests and site acceptance tests verify that a system works. They rarely verify what it talks to. Capturing a network baseline during commissioning, before the system goes live, gives you a clean reference for everything that comes after. When something looks weird two years later, you have an answer to “was it always like this?”
The same logic applies after major upgrades, vendor service visits, or turnarounds. Any window where the environment changes is a window worth capturing.
8. Validating Vendor and Third-Party Activity
Vendors need access to do their jobs, and vendor access is one of the most common paths into OT networks. During scheduled vendor work, a kit on the relevant network segment lets you watch exactly what the connection does: what it touches, what it pulls, whether it stays inside the boundaries everyone agreed to. Trust, then verify, in that order.
9. Emerging Asset Classes like Battery Storage
Battery energy storage sites have been coming up constantly lately, driven by supply chain concerns and the national conversation about where grid components come from. These are often new builds with immature monitoring, heavy vendor involvement, and inverters and controllers that haven’t been through the scrutiny older grid assets have. Our team has done a fair amount of BESS analysis work recently for exactly these reasons. A portable assessment is a natural fit for an asset class where the risk conversation is moving faster than the permanent security budget.
10. Red Team and Pen Test Support
This one surprises people. Before a penetration test, a flyaway kit can sit passively in the environment and build the picture a patient attacker would build: what’s talking to what, which protocols are in play, where the soft spots are. That reconnaissance shapes a far more realistic engagement than a red team walking in cold.
The keyword is passively. Analysis happens off a tap or packet broker on the production side, and anything active gets emulated in a lab against what you learned, not tested against live control systems. Some kits, ours included, can optionally send a single identification query over protocols like Modbus, EtherNet/IP, or IEC 61850 to ask devices for make, model, and firmware. That capability is strictly opt-in and should never be the default in a production OT network.
11. Multiplying a Small Team Across Many Sites
An incident response or assessment team of half a dozen people cannot be everywhere, and boots on the ground at every site get expensive fast. A well-designed kit changes that math. Ship it out, get someone local on the phone, and the instructions are short: plug in the network cable, plug in the power, don’t touch anything else. No OT security expert is required at the far end.
That works for asset owners with dozens of sites, and it works for MSSPs and consulting teams juggling different clients and different ops teams. Some customers take it further and keep several kits staged: half deployed proactively into known blind spots, half held back as break-glass units ready to ship the day something happens.
12. Bridging the Gap in a Phased Rollout
Sometimes the flyaway kit is the pilot. Before committing to a permanent deployment, running portable monitoring for a few weeks answers the questions that matter: where the sensors should go, what the traffic volumes look like, what the baseline actually is, and whether the organization can act on what it sees. It de-risks the bigger investment, and the data collected becomes the starting baseline for the permanent installation.
The same logic applies once the rollout is underway. If you’re deploying permanent sensors across 150 plants, that’s a multi-year project, and the sites at the back of the schedule shouldn’t stay dark until their turn comes. Rotating portable assessments through the not-yet-covered sites keeps risk visible while the deployment catches up, and it often reshuffles the deployment order once you see what’s actually out there.
What Makes a Flyaway Kit Actually Work in the Field
Having done a lot of these engagements, a few things separate a useful kit from an expensive briefcase:
Truly standalone operation. If any workflow quietly assumes an internet connection, it will fail at the worst possible time. Detection, content analysis, and reporting all have to work offline.
Passive by default. Active scanning in an OT network is how you end up in a very uncomfortable meeting with the operations manager. Collection should come off SPAN ports and taps, with active techniques reserved for cases where they’re explicitly approved. Taps with a unidirectional, data diode design add another layer of assurance, since the monitoring side physically cannot inject traffic back onto the network. And whatever the collection method, plan it with the site’s OT network engineers. They know the network better than any outside team ever will, and tap installs belong in maintenance windows, not surprise visits.
OT protocol fluency. A kit that can’t parse Modbus, DNP3, EtherNet/IP, and the rest of the industrial protocol stack will show you traffic without showing you meaning.
Fast setup. Site time is expensive, and access windows are short. If it takes a day to get the kit collecting, you’ve burned a day of a three-day engagement.
Host data, not just packets. Network traffic tells you a lot, but pairing it with host forensics gives you the full picture, especially in incident response.
Batch and streaming analysis. Live streaming is great when you can get it. But some networks are too fast to capture in real time without a massive engineering effort, and some sites won’t allow it. A kit that can also ingest and analyze batch data, packet captures, and host logs collected separately keeps the engagement moving when live isn’t an option.
Cygnet was built around exactly these constraints because our team kept running into them on real engagements. It’s Valkyrie’s full analytic capability, network and host analysis together, in a package designed to be carried in, run disconnected, and carried back out.
The Bottom Line
Permanent monitoring is the right answer for the sites that can support it. Flyaway kits exist for everywhere else, which turns out to be a lot of critical infrastructure. If your OT security strategy only covers the sites with rack space and bandwidth, adversaries are happy to focus on the rest.
If you’re weighing an assessment at a site like that, or you want to talk through whether portable monitoring fits your environment, our team does this every week. Reach out, and we’ll compare notes.

