MS MarlinSpike Passive OT/ICS Topology Workbench
Documentation hub

MarlinSpike documentation for deployment, architecture, and OT response workflows.

Use this wiki to understand how MarlinSpike is deployed, how the analysis chain works, where the repo family is headed, and how operators and contributors should navigate the project.

Passive OT analysis first

MarlinSpike is built around packet captures coming in and no packets being sent back into the environment.

Shared workbench model

The normal deployment is a reverse-proxied Docker host that multiple responders can use together.

Portable report contract

The JSON report artifact is the handoff between packet analysis and downstream review.

Start here

If you only need the main picture, read the pages below in order: what MarlinSpike is, how to launch it, how the analysis chain is structured, and where the codebase is heading as the repo family splits out.

First read

Getting started

Product positioning, quick-start commands, core workflow, and the documentation trail for new operators.

Operators

Deployment

Docker Compose setup, reverse proxy guidance, persistent data, upgrades, backups, and remote deployment notes.

Responders

Architecture

The five-stage analysis chain, report artifact boundary, protocol coverage, exports, and standards-aligned findings.

Developers

Repo family

How the suite repo, workbench, engine, plugins, and Rust engines are being split into authoritative component repos.


Documentation map

The wiki is organized around the actual checked-in project docs, not invented marketing categories. Each page below has a clear source document trail back into the repository.

| Page | What it covers | Main source docs |
| --- | --- | --- |
| Getting Started | Product identity, quick start, workflow, and the main reading path. | README.md, INSTALL.md |
| Deployment | Docker, reverse proxy, persistent volumes, upgrades, backups, remote deployment, live capture. | INSTALL.md |
| Architecture | Five-stage analysis chain, report artifact boundary, detection coverage, exports, and operator flow. | README.md |
| Repo Family | Suite repo, component repos, subtree model, and transition state. | docs/repo-family.md, CONTRIBUTING.md |
| Extensibility | Rust engines, Python plugins, YAML rule packs, and compatibility expectations. | docs/extensibility-contracts.md |
| Presets | What the public repo does and does not ship for local capture libraries. | presets/README.md, README.md |
| Contributing | Focused PR guidance, local checks, subtree helpers, and data-handling rules. | CONTRIBUTING.md |
| Releases | Engine history, web UI versioning, live-viewer track, and recent highlights. | releases.md, releases-live.md |

How to read the project

The repository makes more sense once you keep four ideas in view:

  • MarlinSpike is breach-triage-first, not a generic packet viewer. Passive traffic goes in, responder-facing output comes out.
  • The report artifact is central. The workbench reads it, plugins extend it, and teams can archive it or move it elsewhere.
  • The normal operating model is a temporary shared host with a shared URL, not a single-user desktop thick client.
  • The codebase is intentionally splitting into a repo family so the suite repo can vendor a known-good combination of engine, workbench, plugins, and Rust engines.

The report artifact remains the handoff between passive analysis, responder review, and downstream tooling.

Need source downloads or package status next?

The downloads page tracks the official repo, source archives, Docker deployment path, and the honest state of public binaries and packages.