What this does
Choose where your scan data comes from — a safe built-in Simulator, an authorized live-network collector, this device, or an uploaded bundle — then start the run.
Why it matters in OT: In operational technology you can crash a PLC just by probing it. Starting in the simulator lets you learn the entire workflow with zero risk to live equipment.
Source & targetSafety boundaryROE gating
Source & Target
Sim v2.4
Safe mode
Last run: 2h ago
Quick Prompts
⏱ run-sim-small-industrial
↓ Agent downloads
🔑 Checksums
📋 Last report
🔍 Diff scan
Start Safely
Device categories in scope
IoT
OT
IT
Camera
Unknown
Include reachability simulation
Passive-first (no active probing)
Flag CISA KEV matches immediately
Estimated scope
8
devices
~45s
runtime
0
active probes
System Status
NVD APIOnline
Redis CacheConnected
OpenVASAuth needed
NucleiReady
CISA KEVSynced 1h ago
What this does
Takes a device's CPE (a standardized product name like cpe:2.3:o:siemens:simatic_s7-300) and asks the NVD database which known CVEs affect it — passively, with Redis caching and rate-limit backoff so you never hammer the API.
Why it matters in OT: OT devices run for decades on old firmware. Matching a confirmed product fingerprint to its published vulnerabilities is how you find known weaknesses without ever touching the device. Exact match is precise; wildcard/family widens the net when versions are fuzzy.
CPE→CVE exactvirtualMatchString fallbackRedis cache + TTLBackoffOS-CPE exclusion
NVD / CPE Query
Exclude OS CPEs
API Status
Redis: HIT (TTL 3547s)
NVD API: 0.8s backoff
Requests: 4/50
Results
Enter a CPE string and click Query NVD API
What this does
Decodes a CVSS vector string into plain metrics — how it's attacked (AV), how hard (AC), what access it needs (PR/UI), and what it breaks (C/I/A) — then computes the 0–10 severity score and band. Edit the vector and watch the score recalculate live.
Why it matters in OT: A 9.8 that needs only network access on an internet-exposed PLC is an emergency; the same score on an air-gapped device may not be. Reading the vector, not just the number, tells you which.
v3.1 / 3.0 / 2.0 parsingSeverity bandsCWE extractionReferences & timestamps
CVSS Vector Parser
9.8
CRITICAL
0 — NoneLowMediumHighCritical
CWE: CWE-798 — Use of Hard-coded Credentials
Published: 2019-08-13
Last Modified: 2023-11-07
Metric Breakdown
What this does
Drives authorized active scanners. OpenVAS/Greenbone runs its full GMP lifecycle — feed check → create target → launch task → poll → fetch report → clean up — and Nuclei runs safe-only templates, parsing JSONL results and tolerating timeouts with partial output.
Why it matters in OT: Active scanning is powerful but risky on fragile devices. These adapters are gated behind Phase-3 authorization, normalize each scanner's severity to one scale, and always clean up after themselves so nothing is left running on the network.
GMP lifecycleSeverity normalizationNuclei JSONLPartial-on-timeoutSBOM import
OpenVAS / GMP
Nuclei
GMP Connection
Feed Info
NVT Feed: 2024-01-15
89,420 checks available
Lifecycle Progress
Nuclei Configuration
Skip INFO findings
Partial results on timeout
JSONL Output
{"template-id":"CVE-2021-36260","name":"Hikvision RCE","severity":"critical","matched-at":"192.168.1.30:80","timestamp":"2024-01-15T10:23:11Z"}
{"template-id":"CVE-2019-13945","name":"Siemens S7-300 DoS","severity":"high","matched-at":"192.168.1.10:102","timestamp":"2024-01-15T10:23:14Z"}
{"template-id":"default-siemens-http","name":"Siemens Default Creds","severity":"medium","matched-at":"192.168.1.10:80","timestamp":"2024-01-15T10:23:18Z"}
Parsed Findings
CVE-2021-36260
CRITICAL
CVE-2019-13945
HIGH
default-siemens-http
MEDIUM
What this does
Shows the logic for checking devices against known default credentials across HTTP, SSH, Telnet, RTSP and ONVIF — trying vendor-specific defaults first, then a generic list, and stopping on the first success.
Why it matters in OT: Default passwords are the #1 foothold in OT networks. The guardrails — comparing authenticated vs unauthenticated responses, and stopping on first success — keep the check itself from locking out an account or hammering a fragile device.
Multi-protocolVendor-first selectionAuth/unauth diffStop-on-success
Phase 1 only — no active probing. This panel shows credential check logic and priority ordering. No authentication attempts are made.
Protocol Scope
HTTP
SSH
Telnet
RTSP
ONVIF
Modbus
Vendor Filter
Guardrail Settings
Auth vs Unauth comparisonENABLED
Stop on first successYES
False-positive checkResponse diff > 40%
Credential Priority Table
| # | Vendor | Protocol | Username | Password | Source |
|---|---|---|---|---|---|
| 1 | Siemens | HTTP | admin | admin | vendor-default |
| 2 | Siemens | HTTP | Administrator | (blank) | vendor-default |
| 3 | Siemens | HTTP | service | service | vendor-default |
| 4 | Generic | HTTP | admin | password | common-list |
| 5 | Generic | SSH | root | root | common-list |
| 6 | Siemens | SSH | user | user | vendor-default |
What this does
Combines six signals — CVSS severity, exploit probability (EPSS), known-exploited status (CISA KEV), evidence strength, network exposure, and device role — into one ranked risk score. Click any row to see the breakdown.
Why it matters in OT: A camera and a safety PLC with the same CVE are not equal risks. Weighting by role and consequence pushes the device that can halt production — or hurt people — to the top of the queue, instead of just sorting by raw CVSS.
CISA KEV enrichmentEPSS scoreComposite prioritization
Risk Formula
Risk = severity(0.30) + EPSS(0.25) + KEV(0.20) + evidence(0.10) + exposure(0.10) + role(0.05)
2
CRITICAL findings
1
HIGH findings
2
KEV matches
0.85
Avg EPSS
Prioritized Vulnerability List
| Device | CVE | Severity | EPSS | KEV | Exposure | Role | Risk Score |
|---|---|---|---|---|---|---|---|
PLC-01 192.168.1.10 |
CVE-2019-13945 | HIGH 7.5 | 0.847 | YES | External | Safety | 9.4 CRITICAL |
|
Description Unauthenticated DoS via crafted packet to S7comm port 102. Causes CPU halt.Remediation Apply Siemens Security Advisory SSA-568101. Firmware ≥ V3.X.17.EPSS Context Top 5% of all CVEs. Active exploitation reported in the wild (CISA KEV 2022-02-10). |
|||||||
HMI-02 192.168.1.20 |
CVE-2020-15782 | HIGH 8.8 | 0.623 | NO | Internal | Control | 7.8 HIGH |
|
Description Memory protection bypass in SIMATIC S7-1200/1500. Allows arbitrary code execution.Remediation Siemens SSA-434534. Firmware update required. Network segmentation as interim.EPSS Context Above-average exploitation likelihood. Not in KEV but actively researched. |
|||||||
Cam-03 192.168.1.30 |
CVE-2021-36260 | CRITICAL 9.8 | 0.921 | YES | External | Monitor | 9.7 CRITICAL |
|
Description Command injection in Hikvision camera web server. Unauthenticated RCE via /SDK/webLanguage.Remediation Upgrade to firmware V5.5.800 build 210628. Disable remote web management if not needed.EPSS Context Top 1% of all CVEs. Massively exploited in Mirai botnet variants. Immediate action required. |
|||||||
EPSS Distribution
CISA KEV Status
2 CVEs in KEV
Requires immediate remediation per CISA BOD 22-01
Last synced: 2024-01-15 08:00 UTC
CVE-2019-13945Added 2022-02-10
CVE-2021-36260Added 2021-11-03
What this does
Separates candidate findings (unconfirmed) from confirmed weaknesses, shows which detection methods agree (convergence), and records each validation decision — confirm, false-positive, or risk-accept — with owner, reason and expiry.
Why it matters in OT: A scanner finding is an observation, not truth. Acting on a false positive can mean a needless plant shutdown. Evidence discipline forces an applicability check before anyone touches a control system — and pair-scoped suppression silences known-noisy CVEs per device.
Observation ≠ truthCandidate vs confirmedValidation decisionsPair-scoped suppressionMulti-method correlation
Scanner finding = observation, not truth. Validate applicability before scheduling remediation action.
Candidate (Unconfirmed)
CVE-2019-13945
Siemens SIMATIC S7-300 DoS via crafted S7comm packet. Unauthenticated, network-accessible.
NVD-CPE
OpenVAS
Nuclei
✓ 3/3 methods agree → HIGH confidence
CVE-2020-15782
Siemens S7-1500 memory protection bypass allowing arbitrary code write to PLC memory.
NVD-CPE
OpenVAS
⚠ 2/3 methods agree → MEDIUM confidence
CVE-2021-36260
Hikvision command injection in web server. Unauthenticated RCE via crafted request.
NVD-CPE
Nuclei
⚠ 2/3 methods — Nuclei unconfirmed version
Confirmed Weaknesses
No confirmed weaknesses yet — use Confirm on candidate cards
Suppression
Pair-scoped suppression
CVE-2019-13945 @ 192.168.1.10
Scope: this device only · Expires: 2024-04-15 · Owner: analyst@gwu.lab
What this does
Shows, for every discovery method, whether it completed, was disabled, unavailable, or failed — plus its confidence and safety posture — and streams live progress events as a scan runs.
Why it matters in OT: "We found nothing" and "we couldn't check" are completely different conclusions. Surfacing coverage gaps (a method that timed out or was skipped) stops a missing check from being mistaken for a clean bill of health.
Per-method provenanceConfidence & safetyStreaming progressCoverage gaps
Coverage gap: Nuclei partial — 3 templates timed out on 192.168.1.30. Results for Cam-03 may be incomplete.
Discovery Method Coverage
Method
Status
Confidence
Safety
Findings
NVD CPE Lookup
✅ Completed
High
Passive
14 CVEs
OpenVAS GMP
✅ Completed
High
Active
8 findings
Nuclei Templates
⚠️ Partial (timeout)
Medium
Active
3 findings
CISA KEV
✅ Completed
Definitive
Passive
2 matches
EPSS Scores
✅ Completed
Computed
Passive
all CVEs
Default Credentials
🚫 Disabled
—
Requires Auth
—
SBOM Import
⬜ Unavailable
—
Passive
—
Streaming Discovery Log
[10:23:01] PHASE-START passive-discovery
[10:23:02] NVD-CPE query: cpe:2.3:o:siemens:simatic_s7-300:*
[10:23:03] NVD-CPE → 14 CVEs found (cache HIT)
[10:23:05] KEV-MATCH CVE-2019-13945 → IN KEV (added 2022-02-10)
[10:23:07] EPSS batch query → all 14 CVEs scored
[10:23:08] PHASE-COMPLETE passive-discovery [3 critical, 4 high]
[10:23:10] PHASE-START active-scan (authorized)
[10:23:11] OpenVAS GMP → task launched (id: task-abc123)
[10:23:45] OpenVAS → 8 findings normalized
[10:23:47] Nuclei CVE templates → 192.168.1.100:102
[10:23:55] Nuclei → 2 findings, 3 TIMEOUT (partial)
[10:23:56] PHASE-COMPLETE active-scan
[10:23:57] CONVERGENCE-CHECK → 3 CVEs confirmed by 2+ methods
What this does
A natural-language guide over your scan results. Ask which devices need attention, what a CVE means in plain English, which findings are KEV, or for a summary — and get an answer grounded in this session's data.
Why it matters in OT: OT defenders are often controls engineers, not vulnerability analysts. The guide translates CVE / CVSS / KEV jargon into operational decisions — "patch this PLC first, and here's why" — over the MCP interface.
Plain-English answersGrounded in scan dataMCP interface
Ask Breakwater
What should I review next?
Review the RTSP-only camera first; it has 2 evidence records and 54% confidence — the lowest in the run.
Confidence75% average identity score
Evidence33 records in run-sim-small-industrial
Freshnesslatest completed run
Ask about this run
Summarize what changed in plain English.
Which assets need review first?
Why does Breakwater think this device identity is uncertain?
What can Claude or ChatGPT ask through MCP?
AI analyst is evidence-bound. MCP policy is enforced; MCP is read-only. Breakwater cloud does not scan private LANs directly. This prompt builder sends nothing externally — you choose where to paste it.
Connected services
MCP connector setup
Connect Breakwater's read-only discovery evidence to AI web clients without giving the cloud permission to scan private networks.
https://mcp-auth.bwtr.ai/mcp2c1mcql8is1jv0svdivghui1h3breakwater.discovery/readChatGPT / OpenAI
Web connector ready
Use ChatGPT developer-mode custom connectors to attach Breakwater's read-only MCP server.
- Open ChatGPT settings and enable developer mode for custom MCP connectors.
- Create a new custom connector and enter the Breakwater remote MCP server URL.
- Use the OAuth client ID if ChatGPT asks for one; leave the client secret blank.
Claude
Web connector ready
Use Claude custom connectors to connect the same Breakwater remote MCP endpoint.
- Open Claude Settings, then Connectors, and choose Add custom connector.
- Enter the Breakwater remote MCP server URL.
- If Advanced settings asks for a client ID, paste the Breakwater OAuth client ID; leave secret blank.
What this does
The Rules-of-Engagement and RBAC gate. It shows exactly which actions are permitted in each phase and refuses active scanning or credential checks until the run is explicitly authorized.
Why it matters in OT: The first rule of OT assessment is do no harm. Phase-1 work is passive-only; anything active (OpenVAS, Nuclei, credential testing) requires authorization recorded here, and exploitation is never permitted.
Phase-1 refusalROE / RBAC gatingNo exploitation, ever
PHASE 3 — Authorized Assessment
Role: Security Analyst · Org: GWU Lab · Session: 2024-01-15
Rules of Engagement (ROE)
| Action | Phase 1 | Phase 2 | Phase 3 |
|---|---|---|---|
| Passive network observation | ✓ | ✓ | ✓ |
| Service banner grabbing | ✓ | ✓ | ✓ |
| CPE / CVE lookup | ✓ | ✓ | ✓ |
| OpenVAS active scan | ✗ | ✗ | ✓ (auth req.) |
| Nuclei templates | ✗ | ✗ | ✓ (safe only) |
| Credential testing | ✗ | ✗ | ✓ (guardrailed) |
| Exploitation | ✗ | ✗ | ✗ (never) |
RBAC / Authorization Context
User RoleSecurity Analyst
OrganizationGWU Lab
Authorization LevelPhase 3
Session Tokensess-a1b2c3d4…
Expires2024-01-15 23:59 UTC
Audit Log (Recent)
10:23:57Scan completed — 3 devices, 14 CVEs
10:23:10OpenVAS task launched (task-abc123)
10:23:01Phase 3 scan authorized by admin
10:22:45Session established — analyst@gwu.lab
What this does
A roll-up of the latest run — assets discovered, evidence collected, and your top risks at a glance.
Why it matters in OT: One screen to read your security posture before diving into any single workspace.
16
Assets
↑ 4 new this run
14
Risks (CVEs)
2 critical · 2 KEV
2
CISA KEV
Active exploitation
6
Protocols
S7comm · Modbus +4
4
Vendors
Top: Siemens
4
Zones
Purdue-segmented
Live Network Map
Normal
Warning
Critical
Real-time
2 Critical assets
4 New devices
14 Vulnerabilities
3 Unmanaged
Discovery Status
Passive discovery complete. Active identification in progress on the control zone — safe-rate, no disruptive probes.
Passive Monitoring100%
Network Mapping100%
Modbus Discovery82%
DNP3 Discovery64%
BACnet Discovery42%
Active Identification18%
OT Discovery AI
7 findings
4
Unmanaged PLCs
No agent / owner mapped
2
Unknown HMIs
Identity review needed
11
Unsupported firmware
End-of-life versions
Recommended action
Review segment 10.20.5.0/24 (Control Zone) — PLC-01 is externally reachable and KEV-listed.
Purdue Model
L5 · Enterprise
12 assets
L4 · Business
28 assets
L3 · Operations
8 assets
L2 · Supervisory
3 assets
L1 · Control
4 assets
L0 · Process
2 assets
Protocol Explorer
S7comm 30%
Profinet 20%
HTTP/S 18%
Modbus 14%
RTSP 10%
ONVIF 8%
Attack Path
Highest risk
Internet
Perimeter Firewall
Engineering WS
PLC-01 (10.20.5.10)
Safety System
Risk Overview
CVE severity25%
Firmware age20%
Exposure20%
Criticality20%
What this does
Groups every discovered asset into a category topology — a hub-and-spoke map where the Core links out to each device class, vendor, zone or risk tier. Click a group to focus it; re-group from the selector.
Why it matters in OT: A flat IP list hides structure. Grouping reveals what kinds of things you own and which clusters still need review — the fastest way to spot an unmanaged camera fleet or an unknown device hiding among PLCs.
Network Map
Category topology
9 top groups · 16 asset candidates · 4 need review · Click a category to focus
● Grouped topology ready.
Core
9 groups
What this does
Every discovered asset with its identity, role, and product fingerprint (CPE).
Why it matters in OT: You can't protect what you can't see. The inventory is the foundation every later phase — CVE lookup, scanning, risk scoring — builds on.
Asset Inventory 16 assetsClick a row for full asset detail →
| IP | Hostname | Type | Vendor | OS / Firmware | CVEs | Risk |
|---|---|---|---|---|---|---|
| 192.168.1.10 | PLC-01 | PLC | Siemens | SIMATIC S7-300 v3.2.6 | 5 | 9.4 |
| 192.168.1.20 | HMI-02 | HMI | Siemens | WinCC v7.4 | 3 | 7.8 |
| 192.168.1.30 | Cam-03 | Camera | Hikvision | DS-2CD2342WD v5.3.0 | 4 | 9.7 |
| 192.168.1.1 | Gateway-01 | Router | Cisco | IOS 15.4 | 1 | 3.1 |
What this does
Maps every finding to the controls that recognized frameworks require — turning a CVE into an auditable compliance gap expressed in NIST CSF 2.0, NIST SP 800-53, IEC 62443 and MITRE ATT&CK for ICS language.
Why it matters in OT: Auditors, regulators and cyber-insurers ask "which control failed?", not "which CVE?". OT also has its own standards (NIST SP 800-82, IEC 62443) that IT-centric scanners ignore. This translates scan evidence into the language each stakeholder expects.
NIST CSF 2.0SP 800-53SP 800-82r3IEC 62443MITRE ATT&CK ICS
Session evidence mapped across 4 frameworks · 19 controls referenced · 5 gaps · 3 CVEs linked to ATT&CK techniques. Use the tabs to view each lens.
NIST CSF 2.0
NIST SP 800-53
IEC 62443
MITRE ATT&CK ICS
The 6 CSF 2.0 Functions, with NIST SP 800-82 Rev 3 as the OT overlay. Badge = how strongly this session's evidence exercises each function.
GV · GovernPartial
ROE / RBAC gating and risk-acceptance decisions (owner + expiry) recorded. No org-wide policy management.
ID · IdentifyStrong
16-asset inventory, CPE fingerprinting, multi-method vulnerability identification (NVD/OpenVAS/Nuclei).
PR · ProtectPartial
Default-credential exposure surfaced; configuration-hardening gaps flagged. Enforcement is downstream.
DE · DetectPartial
OpenVAS + Nuclei adapters and continuous CVE / KEV monitoring with streaming events.
RS · RespondPartial
Composite risk prioritization and exportable remediation plan; no automated containment.
RC · RecoverGap
Backup / restore and recovery planning are out of this tool's scope — track separately.
SP 800-53 Rev 5 — Control Mapping
| Control | Family | Evidence in this session | Status |
|---|---|---|---|
| CM-8 Component Inventory | CM | 16 assets enumerated with CPE | Satisfied |
| RA-5 Vuln Monitoring & Scanning | RA | NVD + OpenVAS + Nuclei (multi-method) | Satisfied |
| RA-3 Risk Assessment | RA | Severity + EPSS + KEV + role scoring | Satisfied |
| CA-8 Penetration Testing | CA | Phase-3 authorized active assessment | Satisfied |
| SI-2 Flaw Remediation | SI | 14 CVEs; 2 KEV flagged for priority | Partial |
| SI-4 System Monitoring | SI | Streaming detection events | Partial |
| IA-5 Authenticator Management | IA | Default credentials present on PLC-01 | Gap |
| AC-17 Remote Access | AC | External exposure on PLC-01 & Cam-03 | Gap |
Zone target SL-T 2 · achieved SL-A 1 — 4 of 7 Foundational Requirements below target. Remediate FR1, FR3, FR5, FR7 to reach SL 2.
IEC 62443-3-3 — Foundational Requirements
| FR | Requirement | Related finding | Target | Achieved |
|---|---|---|---|---|
| FR1 | Identification & Authentication Control | Default creds — PLC-01 | SL 2 | SL 1 |
| FR2 | Use Control | RBAC enforced | SL 2 | SL 2 |
| FR3 | System Integrity | CVE-2020-15782 memory write | SL 2 | SL 1 |
| FR4 | Data Confidentiality | TLS present on HMI | SL 1 | SL 1 |
| FR5 | Restricted Data Flow | No segmentation — external exposure | SL 2 | SL 1 |
| FR6 | Timely Response to Events | Detection adapters active | SL 1 | SL 1 |
| FR7 | Resource Availability | CVE-2019-13945 DoS | SL 2 | SL 1 |
Initial Access
Impair Process Control
Inhibit Response Function
3 tactics · 6 techniques observed
CVE → ATT&CK for ICS Technique Mapping
| CVE | Device | Technique(s) | Tactic |
|---|---|---|---|
| CVE-2019-13945 | PLC-01 | T0814 Denial of Service · T0816 Device Restart/Shutdown | Inhibit Response |
| CVE-2020-15782 | HMI-02 | T0836 Modify Parameter · T0839 Module Firmware | Impair Process |
| CVE-2021-36260 | Cam-03 | T0866 Exploitation of Remote Services · T0822 External Remote Services | Initial Access |
Techniques map to the ATT&CK for ICS matrix (not Enterprise). Use them to drive detection engineering and tabletop scenarios for each affected device.
What this does
Controls where the lab gets its threat data (inbound feeds) and where it sends findings (outbound forwarders). Today it's simulator-backed; flip a source to Live to pull from the real NVD / CISA KEV / EPSS APIs with Redis caching + rate-limit backoff, or enable a forwarder to push findings to your SIEM.
Why it matters in OT: A one-time scan goes stale within days as new CVEs and KEV entries land. Live feeds keep severity, exploitability and known-exploited status current — and forwarders put OT findings into the same SOC pipeline (Splunk, Sentinel, Elastic) as the rest of the enterprise.
NVD / KEV / EPSS feedsRedis cache + TTLSyslog / CEFSplunk HECWebhook
Data Mode
Simulator mode: all data comes from the bundled small-industrial fixture. Safe, offline, deterministic — ideal for training.
Threat Intelligence Sources (inbound)
| Source | Mode | Last sync | Records | |
|---|---|---|---|---|
| NVD CVE API services.nvd.nist.gov | Cached | 2h ago | 14 | |
| CISA KEV Catalog cisa.gov/kev | Live | 1h ago | 1,180 | |
| EPSS Scores api.first.org/epss | Cached | 6h ago | all | |
| OpenVAS NVT Feed feed.community.greenbone.net | Live | 1d ago | 89,420 | |
| MITRE ATT&CK ICS attack.mitre.org (STIX 2.1) | Cached | 7d ago | 95 |
Forwarders (outbound)
Enabled forwarder is sending on scan completion. 33 events forwarded this session · 0 failed · TLS verified.
How the data flows
1 · Pull / poll
Sources are polled on a schedule (KEV hourly, EPSS daily) or on demand. Each request carries the API key and honours exponential backoff on 429s.
2 · Cache + dedup
Responses land in Redis with a TTL; CPEs are de-duplicated across hosts so one lookup serves many assets. Stale-while-revalidate keeps the UI fast.
3 · Forward
Normalized findings are batched and pushed to enabled forwarders over TLS, with retry + dead-letter on failure. Realtime or on scan-complete.
What this does
Turns confirmed findings into tracked remediation tasks on a board — To do → In progress → Done — each with a priority, owner, due date, and links back to the asset and CVE that justify it.
Why it matters in OT: A vulnerability report is only useful if someone fixes it. OT patch windows are rare and require change control, so work has to be queued, owned, and tracked against an SLA — not lost in a PDF. Click any card's chips to drill back into the evidence.
Owner & due datePriority SLAAsset / CVE backlinksStatus workflow
0
Open
0
In progress
0
Done
0
Due ≤ 7 days
To do0
In progress0
Done0
What this does
Manages the local collector that runs inside the network and uploads evidence — its enrollment, run authorization, health, and exactly what each run observed, method by method.
Why it matters in OT: You never let a cloud reach into the plant. A scoped, token-bound collector runs locally, and every upload must bind the collector, run, site, credential and signed policy scope — so evidence is provably authorized and tamper-evident.
Enrollment & tokensRun authorizationPer-method run processEvidence provenance
Collectors
Local collector lifecycle
Enroll, authorize, run, and audit collectors that run inside the network.
1 enrolled
Run authorization
Operator
simulator fixture
Authorized at
2026-05-17T14:05:00.000Z
Scope
simulator fixture scope
Allowlist
simulator fixture scope
Collector
collector-site-main-light-industrial-lab-collector
Run
run-sim-small-industrial
Approval
simulator
1 online
Heartbeat, version, platform, site, current task, and last run are tracked.
Tokens hashed
Collector tokens are shown once at enrollment and never returned through MCP or UI status.
Revocation enforced
Uploads must bind collector, run, site, credential, and signed policy scope.
| Collector | Health | Version | Platform | Site | Capabilities | Token |
|---|---|---|---|---|---|---|
| Light industrial lab collectorcollector-site-main-light-industrial-lab-collector | ONLINE | 0.1.0 render-only-local |
local fixture | site-main | ARP, mDNS, RTSP, HTTP, MQTT, Modbus, ONVIF | ACTIVE Secret value hidden |
Run process
What worked, failed, and how many devices each method touched
| Technique / step | Status | Observed | Rejected | Duration | Devices | Detail |
|---|---|---|---|---|---|---|
| Load scope | COMPLETED | 2 | 0 | 0ms | Edge router/firewall, Core access switch | Prepare the simulated site ranges, segments, and passive hints. |
| Find active devices | COMPLETED | 2 | 0 | 0ms | Office wireless AP, Admin workstation | Reveal devices that respond inside the simulated environment. |
| Read service signals | COMPLETED | 8 | 0 | 0ms | Lobby camera, Loading dock camera, RTSP-only camera, File NAS, Office printer +3 | Use protocol, hostname, banner, and service evidence. |
| Classify inventory | COMPLETED | 2 | 0 | 0ms | Line 1 PLC, Line 1 HMI | Attach device type, vendor, owner, model, and location when evidence supports it. |
| Flag review items | COMPLETED | 2 | 0 | 0ms | Unknown unmanaged device, Legacy controller | Surface unknown, unmanaged, low-confidence, or conflicting assets. |
Evidence services
Which protocol / service contributed to which devices
HTTP
6 devices · 6 evidence
Lobby camera, Loading dock camera, File NAS, Line 1 PLC +2
HTTPS
3 devices · 3 evidence
Edge router/firewall, Office wireless AP, Operations server
MDNS
3 devices · 3 evidence
Office printer, MQTT temperature sensor
RTSP
3 devices · 3 evidence
Lobby camera, Loading dock camera, RTSP-only camera
SSH
3 devices · 3 evidence
Core access switch, Operations server, IoT gateway
ARP
2 devices · 2 evidence
RTSP-only camera, Unknown unmanaged device
MODBUS
2 devices · 2 evidence
Line 1 PLC, Line 1 HMI
MQTT
2 devices · 2 evidence
IoT gateway, MQTT temperature sensor
SMB
2 devices · 2 evidence
File NAS, Admin workstation
SNMP
2 devices · 2 evidence
Edge router/firewall, Core access switch
BACNET
1 device · 1 evidence
Legacy controller
DHCP
1 device · 1 evidence
Edge router/firewall
DNS
1 device · 1 evidence
Admin workstation
IPP
1 device · 1 evidence
Office printer
UNKNOWN
1 device · 1 evidence
Unknown unmanaged device
Collector action status
Recent lifecycle actions — signed and audited
| Action | When | Bound to | Result |
|---|---|---|---|
| Enroll collector | 2026-05-17T14:05:00Z | site-main · token hashed at rest | signed |
| Authorize run | 2026-05-17T14:05:01Z | run-sim-small-industrial · simulator fixture scope | authorized |
| Heartbeat | every 30s · last 2s ago | collector + site-main | online |
| Upload evidence | 2026-05-17T14:05:03Z | collector + run + site + credential + policy | accepted · 33 items |
| Rotate token | on demand | collector secret | available |
What this does
Generates customer-grade discovery reports locally — executive summary, operator review, and a technical evidence appendix — each a deterministic export with source provenance, ready as HTML, PDF, JSON or CSV.
Why it matters in OT: The deliverable of an assessment is the report. Deterministic exports with evidence IDs and secret redaction mean an auditor can reproduce every claim, and nothing sensitive (collector tokens, credentials) leaks into the artifact.
Deterministic exportEvidence appendixSecret redactionHTML / PDF / JSON / CSV
Reports
Customer-grade discovery reports
Report builder
Ready to generate the default discovery report set locally with Chapter 03 evidence appendices.
executive summary
Breakwater Light Industrial Lab · run-sim-small-industrial · generated 2026-05-20T12:00:00.000Z
Assets
16
Review
4
Unknown
1
Confidence
75%
Discovery-only report
Includes scope, authorization, source provenance, confidence distribution, method coverage, unresolved assets, and an evidence appendix for inventory review.
Chapter 03 evidence appendices
Provider state, Greenbone sidecar mode, Nuclei safe-template manifest, credential profile status without secrets, evidence IDs, redaction status, and coverage gaps are appended to HTML and JSON exports.
Providers
0
Gaps
0
Evidence
0
Secrets
0
Executive discovery summary
Deterministic export · source provenance included
33 evidence records
Operator review report
Deterministic export · source provenance included
33 evidence records
Technical evidence appendix
Deterministic export · source provenance included
33 evidence records
Export
Download current view
16 of 16 assets, 33 evidence items. Files include simulator source metadata.
What this does
Local, discovery-only controls — appearance, default scan profile, retention, report defaults, collection mode, and secret redaction. Saved on this device; nothing here triggers a later-phase action.
Why it matters in OT: Defaults are policy. Setting "IoT/OT cautious", local-collect-then-review, and secret redaction on as the baseline means the safe path is the path of least resistance — operators can't accidentally exfiltrate a credential or run an aggressive profile.
AppearanceScan profileRetentionSecret redaction
Settings
Discovery-only controls
Appearance
Choose a skin and tune reading comfort. Saved on this device only.
Skin
Reading font
Text size
Density
Motion
Contrast
Appearance defaults are ready.
Local settings status
Default discovery settings loaded for this local Phase 1 session.
Current local policy: IoT/OT cautious, 90 day retention, Summary plus evidence appendix, Collect locally / review HTML / then upload, Breakwater-hosted dedicated namespace, secret redaction on.