About the platform

MarlinSpike is a passive OT/ICS topology mapper and analyst workbench.

The product takes packet captures in, sends no traffic back into the environment, and turns passive observations into topology, asset inventory, responder-grade findings, and portable JSON report artifacts. It is the open-source core behind Fathom and is intentionally built as a shared web workbench rather than a single-user thick client.

Product boundary

The report artifact is the contract

MarlinSpike keeps the engine standalone and treats the generated report artifact as the handoff between packet analysis and downstream review.

Project -> Scan -> Report -> Workbench -> Triage

Deployment model

Designed for temporary field hosts and team access

The preferred install path is a reverse-proxied Docker Compose deployment that multiple responders can share during an assessment, outage investigation, or tabletop.

Docker Compose Shared URL Zero-JS core workflows

5-stage analysis chain

From raw capture to responder-facing output

The analysis pipeline stays intentionally legible: ingest and validation, protocol dissection, topology building, risk surfacing, and report generation.

Ingest Dissect Topology Risk Report

Protocol coverage

OT-aware by default, with L2 context preserved

MarlinSpike is built around industrial protocol visibility, then enriches that with network-discovery context so infrastructure relationships are not thrown away.

OT / ICS

Modbus EtherNet/IP CIP S7comm DNP3 OPC-UA BACnet PROFINET HART-IP FINS

Layer 2 / discovery

          LLDP
          CDP
          STP
          LACP
        

Standards support

Context that supports operator and security review

The public story stays bounded to what the platform actually exposes today. MarlinSpike supports standards-oriented review without pretending to be a broader compliance suite.

Current surface

IEC 62443

Stage 4 remediation guidance is framed around IEC 62443 SR-oriented remediation support for supported finding classes.

Current surface

MITRE ATT&CK

Selected ATT&CK mappings are published for current C2 and exfiltration-oriented findings and analyst context.

Current surface

Purdue model

ISA-95 and Purdue-style zoning remain central to topology layout, asset placement, and cross-level communication review.

Next stop: docs and downloads

Continue with deployment, architecture, and package status documentation.

Open Wiki Downloads Official Repo