Attackers Recon Your OT Before They Attack.
We Give You the Same View.
ShiftSix enumerates your externally visible OT assets, exposed services, and internet-facing infrastructure — the same way ransomware operators, initial access brokers, and nation-state actors do it. But you get there first.
Your Attack Surface Is Already Being Mapped
In 2025, 119 ransomware groups targeted 3,300 industrial organizations — a 49% year-over-year increase in active groups. Manufacturing alone accounts for two-thirds of attacks, with downtime costing $1.9M per day. At the same time, nation-state actors like VOLT TYPHOON have spent years pre-positioned inside U.S. critical infrastructure, exploiting internet-facing network infrastructure to establish footholds. Both threats start the same way: probing your internet-facing infrastructure for exploitable footholds that lead to OT environments.
RANSOMWARE — THE DAILY REALITY
3,300: Industrial orgs hit by ransomware in 2025
119: Ransomware groups targeting industrial sectors
$1.9M: Average daily downtime cost for manufacturing
NATION-STATE — THE CATASTROPHIC THREAT
4: Critical infrastructure sectors confirmed compromised by VOLT TYPHOON
5+: Years of undetected pre-positioning inside U.S. critical infrastructure
13+: Custom ICS malware families deployed against industrial targets
Adversary-Grade Reconnaissance. OT-Native Analysis.
ShiftSix collects data the same way ransomware operators and nation-state actors do — using internet-wide scanning, banner analysis, certificate transparency, and passive DNS. Then we do something they can’t: we apply OT protocol expertise, ICS device classification, and threat-informed prioritization that generic EASM tools completely miss.
Internet-Wide Data Collection
Adversary-Grade External Reconnaissance
We query the same internet-wide scanning infrastructure, certificate transparency logs, passive DNS records, and banner data that ransomware operators, initial access brokers, and nation-state actors use to identify targets. This gives ShiftSix — and your team — the same starting view of your perimeter that an adversary already has.
OT Protocol Deep Analysis
Industrial Protocol Fingerprinting and Device Classification
This is where ShiftSix diverges from generic EASM. We analyze exposed services for OT-specific protocol signatures — Modbus function codes, DNP3 object headers, BACnet device properties, EtherNet/IP identity responses, OPC-UA endpoint configurations, and CODESYS service banners. Each response is classified against known ICS device profiles to extract PLC model, firmware revision, HMI software version, and vendor identifiers.
Why this matters: IT-focused EASM tools see an open port. ShiftSix sees a Schneider Electric Modicon M340 running firmware v3.20 with Modbus/TCP exposed on a non-standard port — and knows that firmware version is vulnerable to CVE-2022-45789, actively exploited by OT ransomware operators.
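As an added illustration (not ShiftSix's code or method), the Python below parses a Modbus/TCP Read Device Identification response (function 0x2B, MEI type 0x0E), which is one place a device's vendor, product code and revision are disclosed, so you can check what a captured response from your own asset reveals. The sample frame and its vendor strings are constructed.

```python
import struct

# Object ids defined for Read Device Identification (function 0x2B, MEI type 0x0E).
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
                0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
                0x06: "UserApplicationName"}

def parse_device_id(adu: bytes) -> dict:
    """Parse a captured Modbus/TCP Read Device Identification response."""
    if len(adu) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, _unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0, so not Modbus/TCP")
    if length != len(adu) - 6:  # length counts the unit id plus the PDU
        raise ValueError("MBAP length does not match frame size")
    pdu = adu[7:]
    if pdu[0] == 0xAB and len(pdu) >= 2:  # 0x2B with the exception bit set
        return {"exception": pdu[1]}
    if len(pdu) < 7 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification response")
    # pdu[2..5]: read code, conformity level, more-follows, next object id
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2 : pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("object value runs past end of frame")
        name = OBJECT_NAMES.get(obj_id, f"0x{obj_id:02x}")
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return objects

def build_sample(objs) -> bytes:
    """Build a constructed response frame for offline testing."""
    body = b"".join(bytes([i, len(v)]) + v for i, v in objs)
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objs)]) + body
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, 1) + pdu

# Constructed sample: vendor, product and revision strings are made up.
SAMPLE = build_sample([(0, b"ExampleVendor"), (1, b"EX-PLC-100"), (2, b"v0.0.0")])

if __name__ == "__main__":
    print(parse_device_id(SAMPLE))
```

Any field this returns for an internet-reachable device is information the device hands to anyone who can reach the port, which is the argument for keeping Modbus/TCP behind a VPN or firewall rather than relying on a non-standard port.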
Threat-Informed Prioritization
Exposure Ranking by Real Adversary Targeting
Every discovered exposure is correlated against active OT threat campaigns, CISA Known Exploited Vulnerabilities (KEV), and the specific tactics, techniques, and procedures (TTPs) used by tracked threat groups targeting your sector. An exposed HMI on a water utility is not the same risk as an exposed HMI on a manufacturing line — because different threat actors target different sectors with different tooling.
What this replaces: Traditional vulnerability scoring (CVSS) ranks by theoretical severity. ShiftSix ranks by what adversaries are actually exploiting right now, mapped to MITRE ATT&CK for ICS and correlated against campaigns ranging from ransomware groups exploiting Fortinet and SonicWall VPNs to nation-state operations like VOLT TYPHOON and PIPEDREAM/INCONTROLLER.
Continuous Exposure Monitoring
Your Attack Surface Changes. So Does Ours.
OT environments change — new remote access paths are provisioned, contractor VPNs are stood up and forgotten, certificates expire, firmware is updated (or isn't). ShiftSix continuously re-enumerates your external footprint and re-correlates against the latest threat intelligence, so exposures that didn't exist yesterday — or weren't targeted yesterday — are flagged the moment they become relevant.
Your External OT Attack Surface, Continuously Mapped
ShiftSix runs the same outside-in enumeration that attackers use — discovering assets and exposures across your entire internet-facing footprint without agents, scan windows, or OT network interaction.
Internet-Exposed OT Protocols
Modbus, DNP3, IEC 61850, OPC-UA, EtherNet/IP, CODESYS, BACnet, Profinet, and other industrial protocols reachable from the public internet.
Exposed Remote Access Paths
VPN portals, RDP endpoints, Citrix servers, Fortinet and Palo Alto VPN gateways, and SCADA web interfaces reachable without network-level authentication.
Certificate and DNS Exposures
Subdomains, expired TLS certificates, dangling DNS records, and forgotten engineering network portals discovered via certificate transparency and passive DNS.
Vendor and Supply Chain Entry Points
Third-party remote access tools, contractor VPN accounts, and vendor-managed maintenance portals that extend your attack surface beyond your direct control.
OT Asset Fingerprints
PLC model, firmware version, HMI software, and vendor identifiers extracted from protocol banners — the same data attackers use to select the right CVE and malware module.
CISA KEV-Matched Vulnerabilities
Discovered assets matched against 95+ ICS-specific CISA Known Exploited Vulnerabilities — giving you adversary-informed risk context, not just CVE scores.
Enumerate. Correlate. Close.
ShiftSix operationalizes the CTEM cycle with an adversary-first lens — so your remediation priorities match what attackers would actually target, not just what scores highest on a CVSS chart.
Enumerate
Map Every External Asset
Continuous, passive enumeration of your internet-facing OT assets, services, certificates, subdomains, and remote access paths. No agents. No OT network traffic. No scan windows required.
Correlate
Apply Adversary-Grade Intelligence
Each discovered asset is correlated against CISA KEV, MITRE ATT&CK for ICS, ransomware initial access vectors (exposed VPNs, RDP, edge devices), and nation-state threat actor TTPs (VOLT TYPHOON, Sandworm) — giving you context, not just a list.
Close
Prioritize What Attackers Would Target First
Exposures are ranked by real-world attacker priority — protocol accessibility, known exploitability, and CISA KEV status — mapped to NERC CIP, IEC 62443, and NIST CSF 2.0 controls for compliance-aligned remediation.
Find Out What Attackers Already Know About You.
ShiftSix performs a continuous, passive, outside-in enumeration of your OT and enterprise perimeter — no agents, no scan windows, no OT network interaction — and delivers an adversary-perspective exposure report correlated to active threat actor TTPs and CISA KEV.
See how ShiftSix maps exposed OT protocols to active malware campaigns and prioritizes exposures by real adversary targeting.