ShiftSix Security logo
OT EXPOSURE RESEARCH

OT Threat Research & Exposure Intelligence

Data-driven analysis of internet-exposed OT assets, protocols, and services across critical infrastructure sectors.
THE OUTSIDE-IN PERSPECTIVE

Exposure Data No One Else Publishes

Most OT security research looks inward — what is happening inside your network. We look outward. ShiftSix continuously maps internet-exposed OT assets, industrial protocols, and critical infrastructure services that are visible to threat actors right now. This research tracks what we find, how it is changing, and which adversaries are actively targeting it.

OT Exposure Index

Our flagship quarterly publication tracking internet-facing OT devices by protocol, sector, and geography — correlated against active threat campaigns and compliance frameworks.

Exposure Briefs

Sector-specific and protocol-specific deep dives into what we find exposed across critical infrastructure — water, energy, manufacturing, building automation, and more.

Advisories

When a new vulnerability drops, we publish the external exposure footprint — how many devices are internet-facing, which sectors are affected, and which threat actors are exploiting it.

FEATURED

OT Exposure Index — Q1 2026

Our inaugural quarterly report mapping internet-exposed OT assets across critical infrastructure sectors. Covering Modbus, DNP3, BACnet, EtherNet/IP, S7, and OPC UA — with threat campaign correlation and sector-by-sector breakdowns.

Read the Full Report
OUR METHODOLOGY

How We Measure OT Exposure

Our research is based on continuous external scanning and analysis of internet-facing OT assets. We do not access, authenticate with, or disrupt any systems. Our methodology:

  • Protocol-level discovery — We identify services responding on OT-specific protocols (Modbus, DNP3, BACnet, EtherNet/IP, S7, OPC UA) across the IPv4 address space
  • Fingerprinting — We classify devices by vendor, firmware, and function without sending exploit payloads or modifying device state
  • Threat correlation — Every discovered exposure is cross-referenced against active threat campaigns, CISA KEV entries, and ICS-CERT advisories
  • Sector attribution — Exposures are mapped to critical infrastructure sectors using organizational data, ASN ownership, and geolocation
  • Responsible aggregation — We never name specific organizations. All findings are published in aggregate at the sector and protocol level

6

OT protocols monitored

8

Critical infrastructure sectors covered

Quarterly

Exposure Index publication cadence

Free

All research published ungated

See What Is Exposed Right Now

Get a complimentary external OT exposure assessment for your organization. No agents, no network access — just the attacker’s view of your infrastructure.

Request an Assessment
Read the OT Exposure Index
ShiftSix Security logo
Get a Free Exposure Report →

Continuous attack surface intelligence for IT, OT, and ICS environments — purpose-built for enterprise security teams and critical infrastructure operators.

QUICK LINKS
PLATFORM
SUPPORT
GET IN TOUCH
Linkedin Twitter
Skip to content