
Jori VanAntwerp
For over two decades, Jori has enabled industrial and IT organizations to be successful in reducing risk, increasing compliance, and improving their overall security efforts. He has had the pleasure of working with companies such as Gravwell, Dragos, CrowdStrike, FireEye, McAfee, and is now CEO & Founder at EmberOT, a cybersecurity startup focused on making security a reality for critical infrastructure.
The OT analyst role is changing, and the teams that understand that shift early will be better prepared for what comes next. Following on from Cutting Through the Mythos, we’ll take a closer look at the skill set that will outlast any AI capability shift, written from the perspective of someone who has worked in security and OT for over two decades.
In Part 1, I argued that the Mythos coverage has stripped away most of the asterisks that matter for OT. The model failed AISI’s only OT range. The training distribution doesn’t include most OT firmware. The Glasswing partner list has zero OT vendors. Centralized AI in OT is a real architectural concern that few are naming. The vulnerability discovery firehose is not the OT bottleneck.
That is the diagnosis. This is the response.
A few things are genuinely different than they were six months ago. The compression of vulnerability discovery timelines is real. The mitigation bottleneck is widening rather than narrowing. The architectural choices made in the next eighteen months will shape OT security for the decade after. Defenders should plan accordingly. Build mitigation capability that doesn’t depend on patching: segmentation, restricted communication, network visibility, and incident response built on the assumption that compromise will happen rather than that it can be prevented.
But the most important shift is about people, not technology.
The Cross-Disciplinary OT Analyst
The skill set required to defend OT is changing, and this is the longest-runway shift in the conversation. Worth more than a passing reference.
For a long time, the OT cybersecurity analyst role has been a fusion of two disciplines: cybersecurity fundamentals and OT/ICS knowledge. The good ones could pivot from a Snort signature to a Modbus function code in the same breath. That fusion was already hard to find and hard to train. The Mythos-class era is adding a third discipline to the mix, and the people who get good at all three are going to be measurably more valuable than the people who get good at two.
What does cross-disciplinary actually mean here?
Cybersecurity fundamentals. The basics matter more than ever. Threat modeling, network analysis, incident response, kill chains, indicator analysis, log review, the discipline of investigation. AI doesn’t replace this. It accelerates the analyst who already has it and confuses the analyst who does not. The fundamentals are the foundation that determines whether AI multiplies your output or multiplies your confidence in incorrect output.
OT and ICS depth. Process knowledge. Protocol fluency in DNP3, Modbus, IEC 61850, OPC UA, EtherNet/IP, and the rest. Understanding why a PLC behaves the way it does, what a setpoint change means in the physical world, why a fifteen-millisecond latency increase is a safety issue rather than a performance one. The ground truth that no IT analyst gets to skip in OT.
AI and data science fluency. This is the new column. The future OT analyst needs to know how AI tools actually work, not just how to prompt them. That includes understanding model strengths and weaknesses, recognizing when a model is hallucinating versus when it has caught something real, structuring queries that get useful output instead of impressive-sounding nonsense, validating AI findings against ground truth, and knowing when to trust an AI’s analysis and when to throw it out and start over. It also means basic data literacy: how to look at a dataset critically, how to spot when an analysis is being skewed by bad assumptions, how to translate between what the model produces and what the operations team can act on.
All three competencies live in one role. An OT analyst who can run a Mythos-class model against a packet capture, recognize that the model is over-confident on a particular finding because the protocol context is unusual, validate the real finding against the actual control logic, and translate it into a mitigation that respects the operational constraints of the environment, is doing all three at once.
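To make that validation step concrete, here is an added example (my illustration for this piece, not EmberOT code and not any vendor's tooling): a small Modbus/TCP decoder plus a triage routine that checks each claim a model makes against what the captured frames actually contain and against a known-good baseline of (unit id, function code) pairs. The MBAP layout and function codes are the public Modbus spec; the frames, the baseline, and the "model findings" are all constructed for the example, and the verdict labels are my own.

```python
"""Check model-generated Modbus/TCP findings against protocol ground truth.

Added illustration (not EmberOT code). The frames, the known-good
baseline and the model findings below are all constructed for this example.
"""
import struct

# Public Modbus function codes; those in WRITE_FUNCTIONS change process state.
FUNCTION_NAMES = {
    0x01: "Read Coils", 0x03: "Read Holding Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode a Modbus/TCP frame: 7-byte MBAP header, then the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The MBAP length covers the unit id byte and the whole PDU after it.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} disagrees with frame size")
    function = frame[7]
    return {
        "tid": tid, "unit": unit, "function": function,
        "name": FUNCTION_NAMES.get(function, f"0x{function:02x}"),
        "is_write": function in WRITE_FUNCTIONS, "data": frame[8:],
    }


def triage_findings(frames, findings, baseline):
    """Give each (transaction id, claim) finding a verdict from ground truth.

    baseline: set of (unit, function) pairs observed during a vetted
    known-good window. Anything outside it is genuinely new traffic.
    """
    decoded, errors = {}, {}
    for raw in frames:
        try:
            pdu = parse_modbus_tcp(raw)
            decoded[pdu["tid"]] = pdu
        except ValueError as err:
            # Keep the parse failure: a claim about this frame cannot be checked.
            tid = struct.unpack(">H", raw[:2])[0] if len(raw) >= 2 else None
            errors[tid] = str(err)
    verdicts = []
    for tid, claim in findings:
        if tid not in decoded:
            why = errors.get(tid, "no such transaction in capture")
            verdicts.append({"tid": tid, "claim": claim, "verdict": "unverifiable", "why": why})
            continue
        pdu = decoded[tid]
        where = f"{pdu['name']} to unit {pdu['unit']}"
        if (pdu["unit"], pdu["function"]) in baseline:
            verdict, why = "unsupported", f"{where} is in the known-good baseline"
        elif pdu["is_write"]:
            verdict, why = "confirmed", f"{where} is a write outside the baseline"
        else:
            verdict, why = "review", f"{where} is new but read-only"
        verdicts.append({"tid": tid, "claim": claim, "verdict": verdict, "why": why})
    return verdicts


# Constructed capture: HMI polls, one scheduled setpoint write, one surprise.
FRAMES = [
    bytes.fromhex("00010000000601030000000a"),        # tid 1: unit 1, Read Holding Registers
    bytes.fromhex("000200000009031000100001021234"),  # tid 2: unit 3, Write Multiple Registers
    bytes.fromhex("000300000006010600050001"),        # tid 3: unit 1, Write Single Register
    bytes.fromhex("000400000006020300000004"),        # tid 4: unit 2, Read Holding Registers
    bytes.fromhex("00050001000601030000000a"),        # tid 5: protocol id 1 (malformed)
]
# Constructed baseline from a vetted window: unit 1 polling plus its scheduled write.
BASELINE = {(1, 0x03), (1, 0x01), (1, 0x06)}
# Constructed stand-in for model output: (transaction id, claim).
FINDINGS = [
    (2, "unexpected multi-register write to unit 3"),
    (3, "unauthorized setpoint write to unit 1"),
    (4, "new device polling unit 2"),
    (5, "malformed traffic from engineering station"),
]

if __name__ == "__main__":
    for v in triage_findings(FRAMES, FINDINGS, BASELINE):
        print(f"tid {v['tid']}: {v['verdict']:12} {v['claim']} ({v['why']})")
```

The point of the routine is the second finding: the model flags a write that the baseline shows is routine, and the analyst who can decode the frame and knows the process schedule sends that one back rather than escalating it. The first finding survives the same check and is the one worth a mitigation.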
That analyst is rare today. Honestly, the analysts that combine even the first two disciplines are rare. SANS and ISC2 have documented the OT cyber talent shortage repeatedly, and the gap between the supply of such analysts and the volume the industry needs has been a known problem for years. Adding AI fluency as a baseline requirement doesn’t make that supply problem easier. The teams that win will be the ones that treat this as a deliberate investment: in-house training programs, university partnerships, structured AI fluency development, and a willingness to grow the analysts they need rather than waiting for them to arrive pre-formed.
This is investable. Programs that start now will be ahead of programs that wait. The shift is going to happen anyway, and the teams that lean into it deliberately will run circles around the teams that picked it up by accident.
The cross-disciplinary analyst is the most durable defense against Mythos-class capability the OT industry can build. Not because the analyst out-competes the model. Because the analyst, equipped with all three disciplines, can do something the model cannot: make context-aware judgments about a specific environment, with all its operational quirks and constraints, that no general-purpose model has been trained to handle.
This shift isn’t unique to OT. Cybersecurity broadly is moving toward cross-disciplinary practice, and technology as a whole is too. OT has its own version of the story, with its own constraints and stakes, but the underlying truth is industry-wide.
The Community Conversation OT Deserves
Here is the thing that actually matters about Mythos for OT: the conversation is happening, and the OT industry is largely missing from it.
The Glasswing partner list has no OT vendors. The AISI evaluations cover IT-flavored attack ranges with one OT range as a footnote. The headlines are written by IT security press for IT security audiences. Even the skeptic voices, who are doing genuinely useful work cutting through the hype, are mostly working from an IT lens.
OT has a different reality. We always have. The frameworks that govern us, the pace of change in our environments, the constraints on our tooling, the consequences of our failures, all of it is different from the IT story being told.
The OT community needs to be louder in this conversation. Asset owners, operators, OT-native security vendors, sector ISACs, regulators, the people who actually understand what it means to defend a substation or a refinery or a treatment plant. We have insight the broader industry needs. We have constraints the broader industry doesn’t understand. And we have skepticism that has been earned the hard way over decades of being told that the latest IT thing will solve our problems.
Mythos is a real capability advance. Glasswing is a serious effort. Neither was built with OT in mind, and the OT industry should say so, loudly and constructively, while there is still time to shape what comes next.
Build the cross-disciplinary skill. Invest in mitigation that doesn’t depend on patching. Take the security of AI tooling itself seriously, including the architecture that determines where the AI lives. And join the conversation, because the people writing the future of AI-augmented cybersecurity are not, currently, listening for the OT voice.
That’s on us to fix.
~Jori 🤘🔥
