What
MarlinSpike is a passive OT/ICS network analysis workbench for teams reviewing
packet captures from industrial environments. It builds topology, asset inventory,
protocol context, and responder-facing findings without transmitting a single packet.
The output is a portable report artifact and analyst workflow with Purdue Model
classification, ATT&CK context, IEC 62443-oriented remediation guidance,
C2 and exfiltration analysis, and optional malware IOC findings.
Current Release
Release v2.0.0 adds explicit fast and full scan profiles, chunk-aware
continuation for large PCAP workflows, and a cleaner analyst flow across dashboard,
projects, scans, reports, and viewer surfaces.
- Fast / Full Profiles — choose lower-cost triage runs or richer full-chain analysis.
- Chunk-Aware Continuation — split large captures, dissect in chunks, merge conversations, then continue report generation.
- Malware IOC Matching — optional Stage 4b matching across 919 rules in 29 threat categories, surfaced in report findings.
- Shared Analyst Workflow — projects, reports, scans, retries, and live-ready validation in one browser-accessible workbench.
How — 5-Stage Analysis Chain
Ingest ▶ Dissect ▶ Classify ▶ Analyze ▶ Report
Packet data moves through ingest, dissection, classification, analysis, and report
generation. In v2.0.0, large captures can continue through a chunk-friendly path
that splits the file, dissects chunks, merges conversations, and resumes topology
and risk analysis from the merged result.
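As an added illustration of the chunk-aware path described above (example code written for this page, not MarlinSpike's own implementation): the capture is split into chunks, each chunk is dissected into per-conversation records, and the records are merged on a direction-independent endpoint key so that a Modbus polling loop straddling a chunk boundary is reported as one conversation rather than two. The packet records, the HMI and PLC addresses, and the port-based protocol hints are constructed assumptions.

```python
from dataclasses import dataclass, field

# Registered-port hints for a few of the OT protocols listed on the page;
# used only to label conversations in this constructed example.
PORT_HINTS = {502: "Modbus", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP"}

@dataclass
class Conversation:
    key: tuple                      # canonical ((ip, port), (ip, port)) endpoints
    packets: int = 0
    bytes: int = 0
    first_seen: float = float("inf")
    last_seen: float = float("-inf")
    protocols: set = field(default_factory=set)

    def absorb(self, other):
        """Fold another record for the same key into this one."""
        self.packets += other.packets
        self.bytes += other.bytes
        self.first_seen = min(self.first_seen, other.first_seen)
        self.last_seen = max(self.last_seen, other.last_seen)
        self.protocols |= other.protocols

def canonical_key(src, sport, dst, dport):
    # Direction-independent key so request and reply land in one conversation.
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def split_capture(packets, chunk_size):
    """Split a time-ordered packet list into fixed-size chunks."""
    return [packets[i:i + chunk_size] for i in range(0, len(packets), chunk_size)]

def dissect_chunk(chunk):
    """Dissect one chunk into per-conversation records."""
    convs = {}
    for ts, src, sport, dst, dport, size in chunk:
        key = canonical_key(src, sport, dst, dport)
        proto = PORT_HINTS.get(sport) or PORT_HINTS.get(dport) or "unknown"
        convs.setdefault(key, Conversation(key)).absorb(
            Conversation(key, 1, size, ts, ts, {proto}))
    return convs

def merge_conversations(chunk_results):
    """Merge per-chunk records so a flow spanning chunks becomes one conversation."""
    merged = {}
    for convs in chunk_results:
        for key, rec in convs.items():
            merged.setdefault(key, Conversation(key)).absorb(rec)
    return merged

# Constructed sample: (timestamp, src, sport, dst, dport, bytes). The HMI -> PLC
# Modbus polling loop deliberately straddles the chunk boundary at chunk_size=3.
SAMPLE = [
    (0.0, "10.0.2.10", 49152, "10.0.1.5", 502, 66),
    (0.1, "10.0.1.5", 502, "10.0.2.10", 49152, 70),
    (0.5, "10.0.2.11", 49200, "10.0.1.6", 102, 80),
    (1.0, "10.0.2.10", 49152, "10.0.1.5", 502, 66),
    (1.1, "10.0.1.5", 502, "10.0.2.10", 49152, 70),
    (1.5, "10.0.1.6", 102, "10.0.2.11", 49200, 90),
]

def run_chunked(packets, chunk_size=3):
    """Split, dissect per chunk, then merge; returns (per-chunk results, merged)."""
    per_chunk = [dissect_chunk(c) for c in split_capture(packets, chunk_size)]
    return per_chunk, merge_conversations(per_chunk)
```

Topology and risk analysis would then run over the merged dictionary, exactly as they would over a single-pass dissection of the whole file.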
Protocols
OT / ICS: Modbus, EtherNet/IP, CIP, S7comm, DNP3, OPC-UA, BACnet, PROFINET, HART-IP, BSAP, ROCPlus, FINS, GENISYS, C1222
Layer 2 / Discovery: LLDP, CDP, STP, LACP
Standards
- IEC 62443: Stage 4 remediation guidance aligned to SR requirements for supported finding classes
- MITRE ATT&CK: report-facing ATT&CK context with tactics, sub-techniques, mitigations, and response guidance
- Purdue Model: ISA-95 reference architecture for zone classification
Built By
River Risk Partners