How it works
Detection you can actually explain to an auditor.
Maigadi catches the OT attacks signatures miss — and shows you exactly why each alert fired. No black box, no cloud, no agents. Here's the approach.
The starting point
Signatures only catch what's already been seen.
The OT attacks that do real damage — novel malware, insider misuse, and legitimate protocol commands turned against you — frequently have no signature. And no signature library keeps pace with thousands of bespoke control networks. Waiting for a rule to be written is waiting to become the example.
So Maigadi doesn't wait. It works from two kinds of intelligence.
Two kinds of intelligence
It learns your normal — and knows what healthy looks like.
It learns your network
Unsupervised and self-baselining, Maigadi learns the unique rhythm of your environment — every asset, every conversation — with no rules to write and no labelled data to supply.
It knows healthy OT
Grounded in OT engineering first principles and standards like IEC 62443, Maigadi knows the heartbeat a well-run control network should have — so it delivers value from day one, before a site-specific baseline exists.
What it detects
The signature-less attacks — and the quiet problems.
Novel & insider attacks
Behaviour that has never happened on your network before — including legitimate protocol commands issued by the wrong device, at the wrong time, in the wrong sequence.
Never-before-seen commands
Function codes, operations, and parameters an asset has never used — the signature-less actions that precede manipulation.
Composition & drift
New devices, new flows, and shifts in the overall traffic profile — the network quietly becoming something it wasn't.
Health & hygiene issues
Misconfigurations and unhealthy patterns, measured against what a well-run OT network should look like — value from day one.
Why you can trust it
Built on novel, academically validated algorithms.
Maigadi's detection uses novel algorithms developed and validated in academic research — and every alert comes with the evidence to back it: the flows, the assets, and the technique.
Every alert shows its work
The contributing flows, the assets involved (with role and Purdue level), and the exact protocol commands — mapped to MITRE ATT&CK for ICS. Verifiable, not a verdict you take on faith.
Baseline integrity
An attack can never rewrite Maigadi's sense of normal. When an alert fires, Maigadi freezes the baseline, not the detection — the attack is still fully captured and investigated, but the anomalous traffic is never learned as normal, so the model can't be poisoned.
Honest about noise
Anomaly detection lives or dies on false positives. We'd rather show you how Maigadi keeps them low — a stabilisation period, robust statistics, and analyst tuning — than pretend they don't exist.
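To make the three mechanisms above concrete (a never-before-seen command per asset pair, a baseline that freezes rather than learns an anomaly, and a stabilisation period with robust statistics), here is a small self-contained illustration. It is added here and is not Maigadi's code or algorithm: the asset names, Modbus-style function codes and flow records are constructed samples, and the stabilisation length and threshold are assumed values.

```python
"""Toy per-asset command baseline: stabilisation period, robust (median/MAD)
rate statistics, and a baseline that freezes on anomaly instead of learning it.

Added illustration only; this is not Maigadi's code or algorithm. Asset names,
function codes and flow records are constructed samples; thresholds are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import median

STABILISATION_WINDOWS = 3   # assumed: learn-only windows before any alert can fire
MAD_THRESHOLD = 3.0         # assumed: robust z-score above which a rate is anomalous


@dataclass
class Flow:
    window: int   # time bucket the command was observed in
    src: str      # source asset, e.g. an HMI
    dst: str      # destination asset, e.g. a PLC
    func: int     # protocol function code (Modbus numbering in the samples)


@dataclass
class PairBaseline:
    known_funcs: set = field(default_factory=set)    # codes seen in clean traffic
    per_window: dict = field(default_factory=dict)   # window -> command count
    windows_seen: int = 0


def robust_z(history, value):
    """Median/MAD z-score; a mean/stddev baseline would be pulled by the outlier itself."""
    med = median(history)
    mad = 1.4826 * median(abs(x - med) for x in history)  # scale MAD to a sigma-equivalent
    return abs(value - med) / max(mad, 1.0)  # floor: a perfectly flat history must not flag every +1


class Detector:
    def __init__(self):
        self.baselines = defaultdict(PairBaseline)
        self.alerts = []

    def ingest_window(self, window, flows):
        """Score one time bucket for every (src, dst) pair, then update baselines only where clean."""
        by_pair = defaultdict(list)
        for f in flows:
            by_pair[(f.src, f.dst)].append(f)
        for (src, dst), pair_flows in by_pair.items():
            b = self.baselines[(src, dst)]
            funcs = {f.func for f in pair_flows}
            count = len(pair_flows)
            learning = b.windows_seen < STABILISATION_WINDOWS
            anomalous = False
            if not learning:
                new_funcs = funcs - b.known_funcs
                if new_funcs:
                    anomalous = True
                    self.alerts.append({
                        "type": "never_before_seen_command", "window": window,
                        "src": src, "dst": dst, "new_funcs": sorted(new_funcs),
                        "evidence": [f for f in pair_flows if f.func in new_funcs],
                    })
                z = robust_z(list(b.per_window.values()), count)
                if z > MAD_THRESHOLD:
                    anomalous = True
                    self.alerts.append({
                        "type": "command_rate", "window": window, "src": src, "dst": dst,
                        "count": count, "robust_z": round(z, 1), "evidence": pair_flows,
                    })
            # Baseline integrity: an anomalous window is investigated but never learned,
            # so repeating the command does not turn it into "normal".
            if learning or not anomalous:
                b.known_funcs |= funcs
                b.per_window[window] = count
            b.windows_seen += 1


def run_demo():
    """Constructed traffic: HMI reads PLC1 (func 3), with one write seen while learning."""
    det = Detector()
    traffic = {
        0: [3] * 4,
        1: [3] * 4 + [16],   # write during stabilisation: learned, no alert
        2: [3] * 4,
        3: [3] * 4 + [16],   # known commands at a normal rate: clean
        4: [3] * 4 + [5],    # func 5 never seen from HMI -> PLC1: alert, baseline frozen
        5: [3] * 4 + [5],    # same again: still alerts, because it was never learned
        6: [3] * 60,         # read storm: rate alert via median/MAD
    }
    for window, funcs in traffic.items():
        det.ingest_window(window, [Flow(window, "HMI", "PLC1", fc) for fc in funcs])
    return det


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print(alert["type"], "window", alert["window"], alert["src"], "->", alert["dst"])
```

The two design points worth noticing are the MAD floor (a history that never varies would otherwise turn any change into an infinite z-score, which is one of the ways anomaly detection drowns analysts in noise) and the update rule at the end of `ingest_window`: the alert keeps its flows as evidence, but the anomalous window is excluded from the baseline, so window 5 still alerts instead of quietly becoming the new normal.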
Do-no-harm by design
A passive sensor on a SPAN/TAP port. Zero injected packets, zero risk to a live process. It watches; it never touches.
See what it finds on your network.
Bring a packet capture — passively, offline, nothing leaves your hands — or talk to us about a proof-of-value.