Build Your First OT Toolbox: It’s Dangerous to Go Alone, So Take These Tools!

Jori VanAntwerp
CEO and Founder at EmberOT

For over two decades, Jori has enabled industrial and IT organizations to be successful in reducing risk, increasing compliance, and improving their overall security efforts. He has had the pleasure of working with companies such as Gravwell, Dragos, CrowdStrike, FireEye, and McAfee, and is now CEO & Founder at EmberOT, a cybersecurity startup focused on making security a reality for critical infrastructure.

What you keep in your digital toolbox is incredibly important. One of the lesser-discussed aspects of OT/ICS defense is how important the correct tool stack is for preventing downtime and keeping operations secure.

Given the wide variance across sites, systems, and operational environments, finding the right tool for specific needs is more challenging than one might think.

The good news is that, from the helpdesk to developers, operators, and defenders, we all share the same challenges of keeping our systems up, efficient, healthy, and safe. So it’s no surprise that a plethora of open-source tools have been designed to address these common challenges.

The bad news is that there is a plethora of free, open source tools designed to address these challenges, and it can be difficult to know which tool to use when, or which one best fits your needs. Fortunately, we are here to help light the path. It is dangerous to go alone, so take this: a curated set of community open source tools that help you see what is actually happening in your environment and start breaking through challenges.

Every OT environment is unique. Each one is purpose built, shaped by real operational needs, and engineered to keep critical processes running. Because of that, no single tool will be the perfect fit for everyone. The good news is that community open source gives you room to adjust and adapt many of these tools so they support your workflow as you learn.

To make things easy, we’ve grouped everything into three categories: Network Analysis, System and File Analysis, and Emulation and Testbeds. Each one includes a quick note on the experience level usually needed so you can choose the right place to begin and build from there.

How to Use This Guide

You do not need to learn every tool in this list. Start with one or two that match your comfort level and the challenge in front of you. Use the difficulty and OS columns as quick filters.

Whenever possible, begin in a lab, test network, or low-risk segment. Capturing and analyzing traffic is usually safe, but generating or replaying traffic can affect sensitive systems. When in doubt, check with your OT or operations team before testing new tools in production.

Tool Categories

Network, System, and Defensive Insight Tools

These tools help you understand what is happening across your environment. From network activity to system behavior and defensive insight, they give you a clearer view of assets, protocols, operational patterns, and environmental interactions across your Purdue levels.

Reading the Table

  • Difficulty
    • 🟢 Beginner: Good starting point if you are new to OT, networking, or security
    • 🟡 Intermediate: Best if you have used basic command-line tools or similar utilities
  • OS shows where the tool is most commonly used
  • 🔥 EmberOT Approved: we regularly use these tools ourselves
| Tool | 🧠 Difficulty | 💻 OS | Description & Use Case |
|---|---|---|---|
| 🔥 Security Onion | 🟡 Intermediate | Linux | A full-fledged Linux distro for network security monitoring. Bundles Zeek, Suricata, Wazuh, and the Elastic stack in one ready-to-deploy package; great for serious analysts and lab builders. |
| 🔥 Wireshark | 🟡 Intermediate | Windows, macOS, Linux | The go-to packet analyzer. Lets you dive deep into protocol behavior, decode industrial traffic, and see exactly what your PLCs and HMIs are saying. |
| tcpdump | 🟡 Intermediate | Linux, macOS | Lightweight command-line tool for capturing packets. Perfect for scripting or quick captures in production networks. |
| tcpreplay | 🟡 Intermediate | Linux, macOS | Lets you safely replay recorded traffic for testing, validating detection rules, and lab simulations. |
| 🔥 NetworkMiner | 🟢 Beginner | Windows, Linux | Extracts files, credentials, and host data from packet captures. Easy to use and surprisingly powerful for digital forensics and quick triage. |
| 🔥 OT PCAP Analyzer | 🟢 Beginner | Windows, macOS, Linux | Built for the OT community, this free EmberOT tool turns PCAPs into instant insights. Identify devices, protocols, and flows: no install headaches, no cost. |
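To make the "turn a PCAP into device, protocol and flow insights" idea concrete, here is an added example written for this post; it is not code from EmberOT's OT PCAP Analyzer, NetworkMiner or any other tool listed above. It constructs a tiny libpcap file in memory (a constructed HMI polling a PLC over Modbus/TCP, one DNP3 packet, one plain HTTP packet), then walks the Ethernet/IPv4/TCP headers with only the Python standard library and reports which hosts talk, over which protocols, and how many packets each flow carries. The `OT_PORTS` mapping and the sample addresses are assumptions chosen for the demo; real captures carry far more variety than this.

```python
"""Minimal PCAP triage: enumerate hosts, OT protocols and flows from a capture.

Added example, not the code of any tool named in this post. Builds a small,
constructed PCAP in memory so it runs offline, then walks Ethernet/IPv4/TCP
headers with the standard library only. Protocol labels come from well-known
industrial TCP ports (an assumed mapping); anything else is reported as tcp/<port>.
"""
import struct
from collections import Counter, defaultdict

# Assumed mapping of well-known TCP ports to common industrial protocols.
OT_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP",
            102: "S7comm/ISO-TSAP", 4840: "OPC UA"}


def _frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Build one Ethernet/IPv4/TCP frame with minimal fixed headers (constructed data)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    # TCP header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_sample_pcap():
    """Return bytes of a constructed libpcap file: an HMI polling a PLC, plus two other flows."""
    frames = [
        # Modbus/TCP read-holding-registers request, response, and a second request.
        _frame("10.0.1.10", "10.0.2.20", 40000, 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
        _frame("10.0.2.20", "10.0.1.10", 502, 40000, b"\x00\x01\x00\x00\x00\x17\x01\x03\x14" + b"\x00" * 20),
        _frame("10.0.1.10", "10.0.2.20", 40000, 502, b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
        _frame("10.0.1.11", "10.0.2.21", 41000, 20000),  # DNP3 outstation poll, empty payload
        _frame("10.0.1.12", "10.0.2.20", 42000, 80),     # plain HTTP to the PLC's web page
    ]
    # Global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype 1 = Ethernet.
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_packets(data):
    """Yield (ts_sec, frame_bytes) records from a little-endian libpcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic (only little-endian microsecond pcap handled)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def decode_ipv4_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if the frame is not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol number 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp_off + data_off:]


def label(sport, dport):
    """Name the protocol from whichever endpoint uses a known industrial port."""
    for p in (dport, sport):
        if p in OT_PORTS:
            return OT_PORTS[p]
    return f"tcp/{min(sport, dport)}"


def summarize(pcap_bytes):
    """Triage a capture: which hosts talk, over which protocols, and how often per flow."""
    hosts, protocols, flows = set(), Counter(), defaultdict(int)
    for _ts, frame in iter_packets(pcap_bytes):
        pkt = decode_ipv4_tcp(frame)
        if pkt is None:
            continue
        src, dst, sport, dport, _payload = pkt
        hosts.update((src, dst))
        proto = label(sport, dport)
        protocols[proto] += 1
        # Direction-agnostic flow key so request and response land in the same bucket.
        key = tuple(sorted([(src, sport), (dst, dport)])) + (proto,)
        flows[key] += 1
    return {"hosts": sorted(hosts), "protocols": dict(protocols), "flows": dict(flows)}


if __name__ == "__main__":
    report = summarize(build_sample_pcap())
    print("hosts:", report["hosts"])
    print("protocols:", report["protocols"])
    for (a, b, proto), n in report["flows"].items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {proto}  packets={n}")
```

Point `summarize()` at the bytes of a real capture (`open("capture.pcap", "rb").read()`) to get the same three views. It only understands the classic little-endian pcap container and IPv4 over Ethernet, so pcapng files, VLAN-tagged frames and UDP-based protocols will need extra decoding; that is exactly the gap the full-featured tools in the table above close for you.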

🧰 System & File Analysis Tools

These tools help you explore the inner workings of devices, logs, and file structures. They support troubleshooting, learning, and investigative work as you deepen your understanding of OT systems. Use these for forensics, vulnerability checks, and evaluating your OT environment’s security posture.

| Tool | 🧠 Difficulty | 💻 OS | Description & Use Case |
|---|---|---|---|
| 🔥 ICSAP Vulnerabilities | 🟡 Intermediate | Windows, Linux | Community-driven dataset and tooling for identifying known ICS protocol and asset vulnerabilities. Useful for contextualizing risk across device types. |

⚙️ Emulation & Testbed Tools

These tools let you practice, experiment, and learn in a safe space. You can model devices, simulate traffic, replay scenarios, and build intuition without touching production systems, entirely virtually if you like.

| Tool | 🧠 Difficulty | 💻 OS | Description & Use Case |
|---|---|---|---|
| 🔥 Labshock | 🟡 Intermediate | Linux | Open-source OT lab automation environment for testing network security tools and responses. |

Conclusion

The OT, technology, and security world runs on community. People who build, fix, operate, and protect systems and operations that keep everything moving. These open source tools come straight from that spirit. They are created by practitioners who face the same challenges you do and share the same drive to keep things running strong.
Explore them. Experiment with them. See what sparks new ideas as you grow your skills. And if you end up improving one or building something of your own, we would love to hear about it.

* This list will evolve over time as the community discovers new projects and improves existing ones. If you rely on a tool that belongs here, or you are building something you want others to try, share it with us and we may add it to a future update.