Packet captures go in, and the platform does not transmit packets back onto the network.
Understand MarlinSpike fast, then bring it up from source.
MarlinSpike is a passive OT and ICS network analysis platform built for shared field use. This page gives you the product model, the first deployment commands, and the shortest doc trail to the rest of the project.
The normal user model is a shared web surface for the assessment team, not a thick desktop client.
The current supported install path is still source-first with Docker Compose behind a reverse proxy.
What MarlinSpike is
MarlinSpike is not just a packet parser and not just a topology viewer. It is a field-deployable analyst platform for passive OT and ICS network analysis that turns capture files into topology, asset context, Purdue-level inference, risk findings, suspicious external communication review, and portable JSON report artifacts.
The main product ideas from the project README are straightforward:
- Passive OT and ICS analysis first.
- A modern GrassMarlin-style replacement with a multi-user workflow.
- A shared workbench model with projects, uploads, scans, history, and review.
- A portable report contract so analysis and review are not trapped in one UI session.
Quick start
The project documentation keeps the first-run path intentionally short. Clone the repo, set secrets in .env, and start the Docker stack.
git clone https://github.com/riverrisk/marlinspike.git
cd marlinspike
cp .env.example .env
docker compose up -d --build
Open the app at http://127.0.0.1:5001 or through your reverse proxy. On first boot, MarlinSpike creates an admin user. If ADMIN_PASSWORD is blank, a random password is generated and printed in the container logs.
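Before the first docker compose up, it is worth setting ADMIN_PASSWORD in .env yourself rather than letting first boot print a generated password into the container logs, where it may be retained or shipped elsewhere. The preflight below is an added example, not MarlinSpike's own tooling; it assumes a plain KEY=value .env layout, that ADMIN_PASSWORD is the variable named on this page, and it runs against a constructed sample file instead of your real .env.

```shell
#!/bin/sh
# Added example (not MarlinSpike project code): preflight for .env before
# the first `docker compose up`. ADMIN_PASSWORD is the only variable named
# on the docs page; the KEY=value layout of .env is an assumption.
set -eu

# Return 0 if KEY has a non-empty value in the given env file.
env_has_value() {
  file="$1"; key="$2"
  val=$(grep -E "^${key}=" "$file" | tail -n 1 | cut -d= -f2- | sed 's/^"//; s/"$//')
  [ -n "$val" ]
}

# Ensure ADMIN_PASSWORD holds a generated secret so first boot does not
# fall back to printing a random password into the container logs.
# Idempotent: an existing non-empty value is left untouched.
ensure_admin_password() {
  file="$1"
  if env_has_value "$file" ADMIN_PASSWORD; then
    echo "ADMIN_PASSWORD already set in $file"
    return 0
  fi
  secret=$(openssl rand -base64 24 2>/dev/null || head -c 24 /dev/urandom | base64 | tr -d '\n')
  # Drop any blank ADMIN_PASSWORD= line, then append the generated one.
  tmp=$(mktemp)
  grep -vE '^ADMIN_PASSWORD=' "$file" > "$tmp" || true
  printf 'ADMIN_PASSWORD=%s\n' "$secret" >> "$tmp"
  mv "$tmp" "$file"
  chmod 600 "$file"   # secrets file should not be world-readable
  echo "ADMIN_PASSWORD generated and written to $file (mode 600)"
}

# Constructed sample .env standing in for a freshly copied .env.example.
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/.env" <<'EOF'
# constructed sample, not the project's real .env.example
ADMIN_PASSWORD=
EOF

ensure_admin_password "$WORKDIR/.env"
```

Point the function at your real .env (`ensure_admin_password .env`) after copying .env.example, then start the stack.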
Core workflow
The workflow that shows up throughout the project docs is:
- Create or choose a project.
- Upload or select a capture.
- Run a scan that produces a report artifact.
- Review topology, findings, inventory, and drift in the workbench.
- Export or archive the JSON report artifact for downstream use.
Documentation trail
If you are new to the project, this is the recommended reading order after this page:
Deployment
Environment variables, Docker Compose, reverse proxying, volumes, upgrades, and backup expectations.
Open deployment docs
Architecture
The five-stage analysis chain, protocol coverage, outputs, and the current standards-aligned detection story.
Open architecture docs
Repo family
How the suite repo is being split into authoritative component repos for engine, workbench, plugins, and Rust engines.
Open repo-family docs
Extensibility
Where new work belongs across Rust engines, Python plugins, and YAML rule packs.
Open extensibility docs
Ready to actually install it?
The deployment page covers the full Docker, reverse proxy, data volume, upgrade, backup, and remote-host story from the checked-in install docs.