Breaking Research

447K Industrial Control Systems
Accept Remote Commands.
No Authentication.

Everyone reports "2.5M exposed ICS devices." We filtered the cloud noise. 53% are honeypots and scanners. The real number: 447,000 write-capable devices that accept Modbus, S7COMM, and CIP commands from the internet. We're the first to count what actually matters.

447K
Write-Capable
53%
Cloud Noise Filtered
0%
Multi-Protocol
100%
Unauthenticated

Sniper Methodology: We Don't Count Everything

We find the one thing everyone else missed

🎯 Write-Capable Analysis

Not "devices that respond." Devices that accept commands. Modbus Function Codes 5/6/15/16. S7COMM write operations. CIP tag manipulation. We counted remote control capability, not generic "exposure."

🔍 Cloud Noise Filtering

53% of reported ICS devices are Aliyun scanners, Fly.io test VMs, and Incapsula honeypots. IEC 104: 77% noise. S7COMM: 63% noise. We filter cloud providers and report real infrastructure.

🧬 Protocol-Level Patterns

Zero IPs run multiple ICS protocols. Perfect isolation. This invalidates common lateral movement assumptions. We found patterns Dragos, Nozomi, and Claroty don't discuss.

Active Threat Landscape

State actors targeting write-capable infrastructure

Original Research

What we found that nobody else published

447K Write-Capable ICS Devices: What OT Defenders Need to Know

First comprehensive analysis filtering cloud honeypots from ICS exposure data. 53% of reported devices are scanners. Real attack surface: 1.176M, not 2.5M.

OT Watering Hole Attacks: How Threat Actors Target ICS Communities

Threat actors compromise OT forums and vendor portals to target engineers. Pattern analysis reveals watering hole risks. Defensive measures for industrial defenders.

JadePuffer: First Fully Autonomous AI Ransomware

Documented case of ransomware run entirely by AI agent. No human operator. Implications for OT environments and critical infrastructure defense.