Detection

Hello All. Most OT deception projects fall into one of two categories: they’re either too simple to fool anyone—or too static to provide meaningful insight.

So, I decided to build something different. Today, I’m announcing AdaptiveGrid — an open-source, adaptive OT honeypot designed to simulate real industrial environments and capture high-fidelity attacker behavior.

Why AdaptiveGrid?

Traditional OT honeypots tend to rely on:

  • Static banners
  • Basic protocol responses
  • Limited interaction depth

The problem? Modern attackers—and even basic tooling—can quickly identify these as fake.

It’s designed not just to look like an OT environment, but to behave like one.

What Makes It “Adaptive”?

At the core of AdaptiveGrid is the idea that deception should evolve during the interaction.

Instead of a fixed response model, the platform:

  • Tracks attacker behavior over time
  • Groups activity into per-attacker cases
  • Scores actions based on intent (e.g., scanning vs. exploitation)
  • Adjusts logging, alerting, and response depth dynamically

This means a simple port scan is treated very differently than:

  • Repeated authentication attempts
  • Protocol-specific manipulation
  • Attempts to access engineering interfaces or project files

Key Features

AdaptiveGrid is designed for both real-world detection and research/demo environments:

High-Interaction OT Emulation

  • EtherNet/IP (CIP), Modbus, OPC UA simulation
  • Emulated controller identities (e.g., PLC-style responses)
  • Realistic engineering workstation behavior

Enterprise + OT Hybrid Lures

  • Fake engineering portals (HTTP/HTTPS)
  • SMB shares for project file access attempts
  • Authentication traps (including credential capture)

Advanced Telemetry & Logging

  • Structured timeline.jsonl per event
  • Full session logging and artifact capture
  • Credential hashing and storage for analysis

ATT&CK-Aligned Detection

  • Automatic mapping to MITRE ATT&CK techniques
  • Clear linkage between behavior and adversary tactics

Burst & Behavior Analytics

  • Detects rapid scanning and brute-force activity
  • Identifies escalation patterns in attacker behavior
  • Use of AI to compile data and provide analysis on behavior

Per-Attacker Case Management

  • One case per attacker (not per event)
  • Full timeline of actions from recon → interaction → exploitation

AdaptiveGrid is designed to complement platforms like Claroty, Nozomi Networks, and Microsoft Defender for IoT—not replace them.

AdaptiveGrid is being released as an open-source project, with a focus on:

  • Transparency
  • Community-driven improvements
  • Realistic OT simulation for defenders, researchers, and educators

Future enhancements will include:

  • Expanded protocol support
  • Deeper controller emulation
  • Integration with SIEM/SOAR platforms
  • Optional AI-assisted alert summarization

Read more