It has been 18 months since my last OT Detection Market Update. The market shook itself out in 2020/2021, and the changes since then have been smaller. No serious new competitors have entered. The VC money coming into the space is greatly reduced, although this is likely due to economic conditions more than market dynamics. Acquisitions are also way down.
Note: While I have historically called this the OT Detection Market, because detection was the initial purpose of the products, most of the solutions now also include asset inventory, vulnerability management, and increasingly, risk management capabilities.
Two Companies With Little Competition Between Them
Dragos and Nozomi Networks (Nozomi) are the clear top tier pure plays in the OT Detection Market. The funny thing is that the decision when these two go head-to-head is simple. If asset inventory and vulnerability management are most important to you, then Nozomi wins. If threat intel and incident response are most important to you, then Dragos wins.
Where each excels follows from the company’s heritage, its leadership, its philosophy, who it hires, and everything else. It’s not a flaw or something to change, and both have credible offerings in the other areas (with the exception of incident response, which Nozomi outsources to partners, and in some cases that partner is actually Dragos).
I slightly prefer Dragos’ position because it is harder to get cut out. I’ve predicted for five years now, and I’m still asserting, that a large part of the market will move to sensors running in containers on switches and sending data directly to a SIEM like Splunk or QRadar, and that Splunk and QRadar will have increasingly sophisticated OT add-ons. OT-specialized threat intel and IR don’t go away even if this prediction comes true; an asset inventory and vulnerability management product is the part that can be displaced by a switch sensor plus a SIEM.
Claroty and Armis
Claroty drops from Top Tier to Tier 2, as anticipated in my last update in Q4 of 2021. It isn’t a product issue, as they remain a close competitor to Nozomi from a technical standpoint. It’s been leadership and execution, which, to be fair, have been a huge challenge in this fast growing market.
Claroty ‘acquired’ healthcare IoT company Medigate weeks after my last update. Acquired is in quotes because the deal was tied to a $400M Series E round, and it could have been a graceful way to get needed cash and avoid a public down round. This may give Claroty an advantage in healthcare at the cost of less focus on the traditional verticals (electric, oil/gas, water, manufacturing) that buy OT detection. While Tier 2, they still win deals, and their Team82 research group is impressive.
The big miss in my last update was leaving off Armis. It was a blind spot for me, since they were removed from the RFPs I saw because of their cloud-only offering. They are investing heavily to go after the OT market, and cloud is not so scary any more. In fact, Nozomi is seeing much more of its business come from its Vantage cloud option. It may be premature, or predictive, to move Armis up to Tier 2, but I would include them in an RFP if cloud-only is an option you are willing to consider.
Tier 3
Otorio is noteworthy in this tier because they are showing a positive level of activity, as compared to other Tier 3 participants who may have peaked. Figuring out the right time and price to be acquired will be key. Indegy and Security Matters nailed it; some others have missed their window.
runZero, formerly Rumble, also joins Tier 3, primarily because it is led by HD Moore of Metasploit fame. It is limited to asset inventory and vulnerability management, so it is a stretch to put it up against products that do that plus detection.
Some other companies continue to fight in Tier 3, such as SCADAfence, Radiflow, and Industrial Defender. They can still win some deals with a good sales team, but it is hard to see them scaling up to reach the Top Tier. Time to sell or pivot.
IT / OT Integrated Solutions
Tenable and Forescout
Tenable added OT with its acquisition of Indegy. Forescout added OT with its acquisition of Security Matters. In both cases the acquisition significantly hurt the OT product’s ability to win pure OT detection deals. I’m guessing this is not a surprise, or even considered bad news, for these companies. They want OT so they can provide a complete solution to customers who use their enterprise products and also have OT.
Most of the product advancements have gone into integrating the OT solution into the enterprise product family so the security team and CISO can have the vaunted single pane of glass. There are real benefits to this. Tenable enterprise customers should consider the Tenable OT solution; Forescout enterprise customers should consider the Forescout OT solution. Even if the OT product lags a bit due to less attention, the integration benefits are often worth it.
Cisco
Cisco has a great theoretical solution. Get the sensors with the Cisco switches. Pay per IP address monitored, regardless of the number of switches. You would think this, plus a desire to get into this market, would make Cisco very price attractive. Not so, and this is a problem.
Cisco doesn’t have a good track record of acquiring security products and making them successful, or even keeping them around. The Cisco firewall, originally called PIX, was largely successful because it was sold at about 10% – 20% of the price of the market-dominating Check Point firewall.
The other difficulty Cisco is having is its channel sales model. Why would a channel partner want to spend the time and money to develop expertise on a hard to sell and support, low volume product, as compared to other Cisco offerings?
Cisco is either going to change its strategy or fade out of this offering.
Microsoft
When Microsoft acquired CyberX, it seemed obvious they wanted the ICS protocol technology for Azure rather than the product offering. This has proven to be true, and they have faded from the OT Detection market.
I do wonder, though, whether they could use other vendors’ sensors and compete in this area with a cloud-only, asset management focused option. I need to think and research more on this.
As always I welcome your comments, corrections, additions and differing analysis.
Full Disclosure: Many of the vendors mentioned in this article are sponsors of past and future S4 Events. No company pays for inclusion or analysis in my articles or the Unsolicited Response show.