Nozomi Networks Labs

Nozomi Networks Labs is dedicated to reducing cyber risk for the world’s industrial and critical infrastructure organizations. Through our cybersecurity research and collaboration with industry and institutions, we’re helping defend the operational systems that support everyday life.

Labs Blogs

Read the latest blog content from our security research team.

View all Labs blogs

Vulnerabilities on Sensor Net Connect and Thermoscan IP Could Allow Admin Privileges Over Medical Data Systems


Nozomi Networks Labs Announces Vulnerabilities Affecting the AiLux RTU62351B and the “Codename I11USION” Whitepaper


Open Drone ID: Nozomi Networks Adds Support to Detect Drones with Guardian Air


Vulnerabilities on GE HealthCare Vivid Ultrasound Could Allow Malicious Insiders to Locally Install Ransomware, Access and Manipulate Patient Data


Threat Intelligence

Curated and maintained by Nozomi Networks Labs, the Threat Intelligence™ service provides threat and vulnerability updates to Guardian, making it easy for IT/OT professionals to stay on top of current OT and IoT risks.

Learn more
Threat Intel screenshot
Nozomi Logo circle

“Threat actors love finding new ways to attack critical infrastructure. We love finding new ways to detect their malware before damage occurs.”

Research Projects


TRITON is the first known cyberattack that directly interacted with a Safety Instrumented System (SIS). Labs reverse engineered the TriStation suite of software and delivered a report and two free tools for security researchers. This research was presented at Black Hat USA 2018.

Learn More


The Labs team reverse engineered the GreyEnergy malicious document (maldoc) that leads to the installation of the malware (backdoor) on a victim’s network. Project outcomes include a report, multiple blogs and two free tools for security researchers.

Learn More

IEC 62351

IEC Working Group 15 (WG15) is developing technology standards for secure-by-design power systems. Labs contributes to the standards and has demonstrated how they can be used to identify hard-to-detect cyberattacks. Research from this effort was presented at Black Hat USA 2019.

Learn More
See all


Guardian Community Edition Assertions (Queries) for COVID-19 Cybersecurity

New assertions (queries) have been added to Guardian Community Edition to help with COVID-19-related cybersecurity challenges.

Assertions for COVID-19 Network IndicatorsAssertions for Remote Access Monitoring

COVID-19 Malware: OT and IoT Threat Intelligence

To help your organization proactively detect and prevent COVID-19 themed cyberattacks, download our network indicators, ransomware and malware threat intelligence.

COVID-19 themed Network IndicatorsCOVID-19-Themed Ransomware RulesCOVID-19 Informer Malware RulesCOVID-19-Themed HashCOVID-19 Chinoxy Backdoor Malware

URGENT/11 Nmap NSE Script for Detecting Vulnerabilities

Our Nmap NSE script for detecting URGENT/11 vulnerabilities is a research tool for quickly checking industrial systems for vulnerable assets based on the version of VxWorks exposed within the FTP service.

Due the fact that is not always possible to detect the running version, we recommend that industrial operators use full featured security products for effective vulnerability assessment.

Radamsa Enhancement, Introducing PCAPNG Awareness

Our contribution allows Radamsa to mutate PCAPNG files focusing only on the packets themselves, eliminating the bytes and data structures used by the PCAPNG format itself. It is useful for testing the robustness of protocol stacks, helping to improve the quality of OT-device software.

GreyEnergy Unpacker + Yara Module

GreyEnergy UnpackerGreyEnergy Yara Module


TriStation Protocol Plug-in for WiresharkTriconex Honeypot Tool

Take the next step.

Discover how easy it is to identify and respond to cyber threats by automating your IoT and OT asset discovery, inventory, and management.