MarlinSpike: Passive OT/ICS Topology Workbench
Open-source OT/ICS passive topology mapping

Turn packet captures into topology, findings, and a shared responder workbench.

MarlinSpike is the open-source multi-user workbench for passive OT and ICS network analysis. Feed it `pcap` or `pcapng`, keep packet transmission at zero, and review topology, asset context, cross-Purdue paths, suspicious external communications, and portable JSON report artifacts with the team.

Shared web workbench | Portable JSON report contract | Docker-first deployment | Open-source core of Fathom
Shared analyst workbench

Project-scoped intake, report review, and responder collaboration built around passive OT and ICS analysis.

Collection model: Passive only
Deployment: Docker first
Artifact boundary: Portable JSON
Operator fit: Team workbench

Why teams use it

Built for OT engagements, not generic packet tinkering

MarlinSpike is designed around operational workflow, report portability, and responder-facing output, not just protocol decoding.

Passive mapping

PCAP-driven OT/ICS discovery without transmitting a single packet

MarlinSpike ingests captures, reconstructs topology, infers Purdue placement, and surfaces role and vendor hints from passive traffic alone.

Responder workflow

A shared workbench instead of a single-user desktop analyzer

Projects, scans, report history, diffing, and findings review are built for team engagements on temporary field hosts or lab servers.

Portable artifacts

The JSON report is the product boundary

Packet analysis feeds a portable report artifact that can be reviewed in MarlinSpike, passed to downstream tooling, or preserved as evidence.

Field footprint

Built for temporary deployments and real OT handling constraints

The app is designed for reverse-proxied Docker Compose deployments, lightweight engagement hosts, and air-gapped operational realities.

Coverage

OT-aware topology, risk, and suspicious external communication review

MarlinSpike surfaces cross-zone paths, write-capable paths, beaconing, DNS exfiltration indicators, and high-priority targets from passive traffic.

Open source

Source, issues, and release tracking live on GitHub

The public repository carries the source code, license, issue tracker, and release surfaces for MarlinSpike.

Start here

Everything a visitor should be able to find fast

Start with the docs, deployment path, source repository, and release channel without digging through the repo first.

Docs

Documentation and deployment guide

Read product, deployment, architecture, and workflow documentation in one place.

Packages

Downloads and package status

See the real distribution surface, including source downloads, Docker deployment, and which binaries and packages are not yet published.

Source

Official source repository

Browse the codebase, license, issues, and source archives in the official GitHub repository.

External

Official release channel

The GitHub releases surface is the official place to watch for tagged binaries once they start being published.

Actual product screens

Show the workbench, not abstract promises

These screens show the actual product surfaces teams use after deployment.

Distribution

Source and Docker today, broader packaging later

MarlinSpike is source-first right now, with Docker as the supported deployment path and no fake installer story layered on top.

Official repo

Source code repository

The public GitHub repo is the canonical source code surface for MarlinSpike, including issues, license, and history.

Download

Source zip archive

Download the current main branch as a zip snapshot when you want the source tree without cloning.

Official path

Docker deployment path

The supported install path today is source plus Docker Compose behind a reverse proxy.

No binaries yet

Tagged binary releases

The official binary release surface exists on GitHub, but it does not currently contain published artifacts.


Typical deployment flow

Clone the repo, set secrets in `.env`, build with Docker Compose, and place the app behind a reverse proxy. That remains the cleanest supported install path for now.

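```sh
git clone https://github.com/riverrisk/marlinspike.git
cd marlinspike
# Create the local environment file from the template
cp .env.example .env
# Set the secrets in .env before starting, then build and run in the background
docker compose up -d --build
```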