The OT security market has consolidated rapidly. Following Nozomi Networks' acquisition by Mitsubishi Electric ($883M, closed January 2026), two independent pure-play OT security leaders remain: Claroty and Dragos. The market is also contested by IT security giants extending into OT — Palo Alto Networks, Fortinet, Cisco, and Microsoft — and by industrial automation vendors building security into their platforms. Below is a factual capability mapping of the eight primary vendors active in the space.
| Vendor | Focus | Market Position | Key Differentiator | Primary Verticals |
|---|---|---|---|---|
| Claroty | Cyber-Physical Systems (CPS) protection — OT, IoMT, BMS, IoT | Gartner Magic Quadrant Leader, CPS Protection Platforms (2025); #1 Ability to Execute | Broadest CPS coverage including IoMT (healthcare devices) and BMS | Manufacturing, Energy, Healthcare, Pharma, Government |
| Dragos | OT/ICS threat intelligence and incident response | Leader in ICS-specific threat intelligence; strong in energy and manufacturing | Threat intelligence depth; ICS-CERT pedigree; incident response capability | Electric utilities, oil & gas, manufacturing, water |
| Nozomi Networks | OT/IoT security visibility | Previously independent leader; acquired by Mitsubishi Electric (Sept 2025, $883M) | Passive asset discovery; strong IoT coverage; now backed by Mitsubishi's OT ecosystem | Energy, manufacturing, transportation, smart cities |
| Palo Alto Networks | Prisma Access / SASE extending into industrial; CyberArk PAM capabilities | Dominant in IT security; growing OT presence via Prisma SD-WAN | Platform breadth and SASE integration; strongest in IT/OT convergence zones | Enterprise-first; manufacturing and energy via partner ecosystem |
| Fortinet | FortiGate ruggedized OT security appliances; integrated network + OT security | Strong in network security; aggressive OT push with FortiOT solutions | Hardware-first approach; existing network security customer base; price competitiveness | Manufacturing, utilities, oil & gas |
| Cisco | Industrial network security; Cyber Vision (acquired from Sentryo) for OT visibility | Dominant in industrial networking; security overlaid on existing Cisco infrastructure | Embedded in industrial network infrastructure; Cyber Vision OT visibility built into switches | Manufacturing, utilities, transportation (existing Cisco networking customers) |
| Microsoft | Defender for IoT (formerly CyberX); Azure Arc for hybrid OT/IT management | Expanding rapidly via Azure customer base; government push (DoD Zero Trust mandate) | SIEM/SOAR integration via Sentinel; identity layer via Entra ID; scale of Azure | Government/defense, healthcare, manufacturing (Azure enterprise customers) |
| Armis | Asset intelligence — agentless device visibility across OT, IoT, IoMT | Strong in asset discovery; positioned between pure OT and IT security | Agentless deployment; broadest device type coverage including IoMT | Healthcare, manufacturing, smart buildings |

Notable Facts by Vendor

| Vendor | Notable Facts |
|---|---|
| Claroty | $3B valuation (Jan 2026 Series F); 24 of Fortune 100; IPO aspirations |
| Dragos | Remains independent; founded by former NSA/ICS-CERT operators; OTZTA sponsor |
| Nozomi Networks | $75–100M revenue at acquisition; OTZTA sponsor; now part of industrial conglomerate |
| Palo Alto Networks | $25B CyberArk acquisition adds PAM depth relevant to OT privileged access |
| Fortinet | Native OT protocol support in FortiGate; ruggedized hardware for plant floor |
| Cisco | $28B Splunk acquisition adds security analytics depth |
| Microsoft | CyberX acquisition 2020; Defender for IoT now integrated with Sentinel SIEM |
| Armis | $1B+ valuation; Claroty competitor in IoMT and smart building space |

Selecting an OT Security Platform
OT security platform selection is a consequential, long-horizon decision — deployment involves sensor placement in production environments, integration with SIEM and SOC workflows, and in many cases, multi-year support contracts with vendor professional services organizations. The evaluation criteria that matter most are not the same as those for IT security platforms.
Passive versus active asset discovery is the foundational capability question. In OT environments where active scanning is prohibited or operationally risky, a platform that requires active network probing cannot be used. Evaluate whether passive discovery provides sufficient asset coverage for your environment. Native OT protocol decoding matters equally: a platform that sees Modbus or DNP3 traffic as generic TCP flows cannot identify device types, flag unauthorized commands, or baseline normal control behavior. Verify which industrial protocols the platform decodes natively versus through generic port/traffic analysis.
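To make the protocol-decoding point concrete, the following added example (not from the original page or from any vendor's product) decodes the Modbus/TCP header and function code of passively observed frames and flags state-changing writes from hosts outside an allowlist, something a generic TCP flow record for port 502 cannot express. The IP addresses, the `AUTHORIZED_WRITERS` set, the function names and the sample frames are constructed assumptions.

```python
import struct

# Modbus function codes that change device state (writes to coils/registers).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Hypothetical allowlist of hosts permitted to issue writes (constructed address).
AUTHORIZED_WRITERS = {"10.0.5.10"}


def decode_request(payload: bytes) -> dict:
    """Decode the MBAP header and function code of one Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header and function code")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError("protocol identifier is not 0 (not Modbus)")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    req = {"transaction": tid, "unit": unit, "function": func, "address": None}
    if func in WRITE_FUNCTIONS:
        if len(payload) < 12:
            raise ValueError("write request truncated")
        req["address"] = struct.unpack(">H", payload[8:10])[0]
    return req


def inspect_frame(src_ip: str, payload: bytes):
    """Return an alert dict for a malformed frame or unauthorized write, else None."""
    try:
        req = decode_request(payload)
    except ValueError as exc:
        return {"alert": "malformed_modbus", "src": src_ip, "reason": str(exc)}
    name = WRITE_FUNCTIONS.get(req["function"])
    if name and src_ip not in AUTHORIZED_WRITERS:
        return {"alert": "unauthorized_write", "src": src_ip, "unit": req["unit"],
                "function": name, "address": req["address"]}
    return None


# Constructed sample frames (not captured traffic), as seen on TCP port 502.
READ_REQ = bytes.fromhex("000100000006010300000010")   # Read Holding Registers
WRITE_REQ = bytes.fromhex("000200000006010600101388")  # Write Single Register

if __name__ == "__main__":
    for src, frame in [("10.0.5.10", READ_REQ), ("10.0.5.10", WRITE_REQ),
                       ("10.0.9.77", READ_REQ), ("10.0.9.77", WRITE_REQ)]:
        print(src, inspect_frame(src, frame))
```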
SIEM and SOC integration determines whether the OT security platform becomes part of the organization's operational security capability or a standalone tool with limited response workflow. Platforms that export structured alerts to major SIEM platforms (Splunk, Microsoft Sentinel, IBM QRadar) and support SOAR playbook integration provide better long-term operational value than those requiring separate analyst workflows. Compliance reporting capabilities — the ability to generate audit-ready reports against NERC-CIP, NIS2, or IEC 62443 requirements — reduce the compliance burden for regulated operators. Vendor remote access management, if included, should be evaluated against dedicated PAM platform capabilities rather than assumed to be equivalent. Finally, the deployment model — on-premise sensors with cloud management, fully on-premise, or hybrid — must align with the organization's OT network segmentation posture and data governance requirements for OT telemetry.