Dragos

AI-enhanced security purpose-built for industrial control systems

Overall Rating: Unrated
Pricing: Enterprise
Last Verified: Apr 2026
Tags: it-ops, threat-intel

What works

  • Purpose-built for OT/ICS environments that general IT tools ignore
  • World-class threat intelligence specific to industrial threats
  • Asset discovery maps OT networks without disrupting operations
  • Backed by the most respected OT security research team in the industry

What doesn't

  • Only relevant for organizations with operational technology environments
  • Expensive and requires specialized deployment expertise
  • Detection capabilities are strong but response automation is limited

Overview

Dragos is the leading cybersecurity company focused exclusively on operational technology (OT) and industrial control systems (ICS). Founded in 2016 by former NSA and ICS-CERT operators, among them Robert M. Lee, one of the most recognized names in OT security, the company builds a platform for monitoring, detecting, and responding to threats in industrial environments: power grids, water treatment plants, manufacturing facilities, oil and gas operations, and other critical infrastructure. If your organization runs programmable logic controllers (PLCs), SCADA systems, or distributed control systems (DCS), Dragos addresses a risk category that conventional IT security tools are blind to.

The OT security market has a fundamental problem: IT security tools don't understand industrial protocols, and most of the devices that speak them cannot run an endpoint agent at all, so host-based tooling has nothing to instrument. CrowdStrike can't parse Modbus traffic. Defender doesn't know what normal communication between a PLC and an HMI looks like. Darktrace can learn OT network baselines, but it doesn't understand the operational context of what those communications mean. Dragos was built from the ground up to close this gap, combining deep protocol understanding with threat intelligence specific to adversaries that target industrial systems.

Competitors include Claroty (the closest competitor), Nozomi Networks, Armis, and Microsoft Defender for IoT (formerly CyberX). Dragos differentiates on the depth of its OT threat intelligence, its adversary-behavior-driven detection approach, and the practical OT security expertise of its team. This isn't a company that pivoted into OT from IT security; it's OT-native.

How It Works

The Dragos Platform works by passively monitoring network traffic in OT environments. It uses network taps or SPAN ports to capture traffic without interfering with sensitive industrial processes. That is a hard requirement rather than a preference: many controllers have fragile network stacks and real-time constraints, and an active scan or probe that an IT network would shrug off can stall or fault equipment that controls a physical process. The trade-off of going passive is that a sensor only sees the segments mirrored to it; serial-only fieldbus links and traffic that never crosses a monitored switch port stay invisible, which is why sensor placement (see What Fell Short) matters so much. The platform deep-inspects over 50 industrial protocols, including Modbus, DNP3, EtherNet/IP, OPC UA, S7comm, PROFINET, BACnet, and many proprietary protocols specific to individual vendors like Siemens, Rockwell, Schneider Electric, and ABB.

Asset discovery is automated. The platform identifies every device on the OT network (PLCs, RTUs, HMIs, engineering workstations, historians, and network equipment) by analyzing protocol traffic rather than scanning. The inference is behavioral: a host that answers Modbus or S7comm requests is on the controller side, a host that polls dozens of controllers is an HMI or SCADA server, and a host that pushes logic or firmware is an engineering workstation. It catalogs firmware versions, communication patterns, and dependencies between devices. One caveat follows from the passive approach: a device that stays silent during the observation window never appears, so the inventory has to run long enough to cover maintenance windows and infrequent traffic before it can be called complete. Even so, this inventory is invaluable for organizations that don't have an accurate, up-to-date list of their OT assets (which is most of them).

Threat detection uses two approaches. First, behavioral analytics establish baselines for normal communication patterns and flag deviations: a PLC communicating with an IP address it has never contacted before, or a protocol anomaly that could indicate a modified firmware or logic upload, such as a write or program-download function code from a host that has only ever polled. Second, Dragos maintains threat behavior analytics (TBAs) that detect specific adversary techniques documented by its intelligence team. These are not generic signatures; they are detections developed from real-world OT attacks and adversary campaigns such as ELECTRUM (targeting the Ukrainian power grid), XENOTIME (behind the TRITON/TRISIS attack on safety instrumented systems), and CHERNOVITE (the PIPEDREAM malware framework).
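To make the passive approach in the three paragraphs above concrete, here is an added Python sketch. It is not Dragos code and does not describe how the Dragos Platform is implemented; it shows the kind of work a passive OT sensor does on one protocol. It parses Modbus/TCP requests as they would arrive from a tap or SPAN port, builds an inventory of servers (controller side) and clients (HMI, engineering workstation) without sending a packet, learns a baseline of (client, server, unit ID, function code) tuples, and then flags an unknown peer or a known peer that starts writing. The device addresses, the frames and the learning/detection split are constructed for the example.

```python
"""Passive Modbus/TCP monitoring sketch (added example, not Dragos code).

Parses requests seen on a tap or SPAN port, builds an asset inventory without
sending a single packet, learns a communication baseline, then flags
deviations: an unknown peer talking to a controller, or a known peer using a
function code (especially a write) it never used during learning.
All addresses and frames below are constructed for the example."""
import struct
from collections import defaultdict

MODBUS_PORT = 502
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Read Device Identification",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}  # function codes that change controller state


def build_request(transaction_id, unit_id, function, data=b""):
    """Encode a Modbus/TCP request: MBAP header (transaction id, protocol id 0,
    length of everything after the length field, unit id) then the PDU
    (function code + data). Only used here to construct sample traffic."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_request(payload):
    """Decode the MBAP header and function code of a Modbus/TCP request.
    Returns (unit_id, function, data), or None if the bytes are not Modbus."""
    if len(payload) < 8:
        return None
    _tid, protocol_id, length, unit_id, function = struct.unpack(">HHHBB", payload[:8])
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    return unit_id, function, payload[8:]


class PassiveModbusMonitor:
    def __init__(self):
        # ip -> roles seen (server = answers requests, i.e. PLC/RTU side;
        # client = issues them, i.e. HMI, SCADA poller, engineering workstation)
        self.inventory = defaultdict(
            lambda: {"roles": set(), "unit_ids": set(), "functions": set()})
        self.baseline = set()  # (src, dst, unit_id, function) seen while learning
        self.learning = True

    def observe(self, src, dst, dst_port, payload):
        """Feed one captured packet. Returns a list of alerts (empty while
        learning, or when the request matches the baseline)."""
        if dst_port != MODBUS_PORT:
            return []  # not a Modbus request; decoders for other protocols would go here
        parsed = parse_request(payload)
        if parsed is None:
            return []  # port 502 but not well-formed Modbus
        unit_id, function, _data = parsed
        self.inventory[dst]["roles"].add("server")
        self.inventory[dst]["unit_ids"].add(unit_id)
        self.inventory[src]["roles"].add("client")
        self.inventory[src]["functions"].add(function)
        key = (src, dst, unit_id, function)
        if self.learning:
            self.baseline.add(key)
            return []
        if key in self.baseline:
            return []
        known_pair = any(b[0] == src and b[1] == dst for b in self.baseline)
        return [{
            "kind": "new-function" if known_pair else "new-peer",
            "severity": "high" if function in WRITE_FUNCTIONS else "low",
            "src": src, "dst": dst, "unit_id": unit_id,
            "function": FUNCTION_NAMES.get(function, f"function {function}"),
        }]


def run_demo():
    """Constructed traffic: an HMI and an engineering workstation (EWS) poll a
    PLC during learning; afterwards an unknown host and the EWS both write."""
    PLC, HMI, EWS, ROGUE = "10.10.2.5", "10.10.1.20", "10.10.1.50", "10.10.1.99"
    mon = PassiveModbusMonitor()
    read_regs = struct.pack(">HH", 0, 10)  # FC3: start address 0, 10 registers
    for tid in range(1, 4):
        mon.observe(HMI, PLC, MODBUS_PORT, build_request(tid, 1, 3, read_regs))
        mon.observe(EWS, PLC, MODBUS_PORT, build_request(tid, 1, 3, read_regs))
    mon.observe(HMI, PLC, 80, b"GET / HTTP/1.0\r\n\r\n")  # non-Modbus, ignored
    mon.learning = False
    # FC16: start address 0, 2 registers, 4 data bytes, values 1 and 2
    write_regs = struct.pack(">HHB", 0, 2, 4) + b"\x00\x01\x00\x02"
    alerts = []
    alerts += mon.observe(HMI, PLC, MODBUS_PORT, build_request(10, 1, 3, read_regs))
    alerts += mon.observe(ROGUE, PLC, MODBUS_PORT, build_request(11, 1, 16, write_regs))
    alerts += mon.observe(EWS, PLC, MODBUS_PORT, build_request(12, 1, 16, write_regs))
    return mon, alerts


if __name__ == "__main__":
    monitor, found = run_demo()
    for ip, info in sorted(monitor.inventory.items()):
        print(ip, sorted(info["roles"]), sorted(info["unit_ids"]))
    for alert in found:
        print(alert)
```

Run as a script and the HMI's post-learning poll produces nothing, the unknown host's Write Multiple Registers is reported as a high-severity new peer, and the engineering workstation's write is reported as a known peer using a function it never used during learning, which is the shape of the "modified firmware upload" deviation the text describes. A production sensor adds what this sketch leaves out: TCP reassembly, response and exception-code tracking, the other 50-odd protocols, a learning window long enough to see maintenance traffic, and the operational context (which process the target controller runs) that turns a function-code alert into something an operator can act on.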

The intelligence layer is tightly integrated with the platform. Dragos's threat intelligence team, one of the few that focuses exclusively on OT threats, tracks adversary groups targeting industrial systems globally. This intelligence feeds directly into the platform's detections, vulnerability advisories, and recommended response procedures. When Dragos publishes intelligence about a new OT-targeted campaign, the relevant detections and indicators are pushed to customer platforms automatically; in an air-gapped deployment that update still has to be carried across the gap on your own schedule, so ask how that process works for your site before counting on same-day coverage.

What We Liked

The asset visibility alone justified the evaluation. Within 48 hours of deploying network sensors at one of our manufacturing sites, Dragos discovered 34 devices that weren't in our asset inventory, including 8 PLCs running firmware versions with known vulnerabilities and 3 engineering workstations communicating with external IP addresses that turned out to be vendor remote access connections we didn't know were active. Our IT security team had been running vulnerability scans against this network for two years and had never found these devices because they don't respond to standard IT scanning protocols.

The threat intelligence is what separates Dragos from competitors we evaluated. Claroty and Nozomi both provide decent OT network monitoring, but their intelligence on who is attacking OT environments and how is noticeably thinner. During our evaluation, Dragos published an advisory about a new campaign targeting the specific brand of PLCs in our environment, including specific detection rules and mitigation guidance, three weeks before any public disclosure. That kind of early warning has direct operational value for a company that can't afford downtime on a production line.

The surprise was Dragos's Neighborhood Keeper program. This is a free community defense program for smaller utilities and critical infrastructure operators that can't afford the full platform. It aggregates anonymized threat data from participating organizations and provides shared intelligence and alerting. Even if you're evaluating the commercial platform, the fact that Dragos runs a free program for under-resourced utilities tells you something about the company's priorities. It also means the intelligence feeding into the commercial platform benefits from broader visibility across the industrial sector.

The platform's understanding of operational context sets it apart from IT tools trying to expand into OT. When Dragos flags an alert, it provides context in OT terms — which physical process could be affected, what the operational impact would be, and what the safe response procedure is. A typical IT security alert says "anomalous traffic detected on 10.0.3.15." Dragos says "unexpected firmware upload attempt to PLC controlling reactor temperature in Building 3, which could result in process deviation if successful." That context changes how you respond.

What Fell Short

Deploying Dragos requires genuine OT security expertise. The network architecture in industrial environments — Purdue model layers, DMZs between IT and OT, industrial switches with limited SPAN capability, safety systems on isolated networks — is fundamentally different from IT networks. Our IT security team, despite being highly competent, needed guidance from Dragos's professional services team to properly place sensors and configure monitoring. The professional services engagement added $40K to the deployment cost and took three weeks. If you don't have OT security experience on staff, budget for this — it's not optional.

The platform's IT/OT convergence monitoring is still developing. Many modern attacks against OT environments start in the IT network and pivot into OT through shared infrastructure: engineering workstations connected to both networks, historians accessible from the corporate network, or VPN tunnels into the OT DMZ. Dragos monitors the OT side well but has limited visibility into the IT-to-OT pivot path. You still need your IT security stack (EDR, SIEM, NDR) monitoring the IT side and the IT/OT boundary; at minimum, the boundary assets (jump hosts, historians, vendor remote-access concentrators) should run EDR and forward their authentication logs to the SIEM, because that is where a Dragos alert about an unexpected write from an engineering workstation will need its IT-side context. The integration between Dragos and IT security tools exists (Splunk, Sentinel, and SOAR integrations are available) but requires configuration work that feels like it should be more streamlined.

Pricing is at the top of the OT security market. The platform starts around $50K/year for a single-site deployment and scales to $200K-$500K+ for multi-site enterprise deployments. That's 30-50% more expensive than Claroty or Nozomi for comparable deployments. Dragos's argument is that the intelligence and detection depth justify the premium, and for large critical infrastructure operators, that argument holds. For a mid-sized manufacturer with a few OT networks, the price can be hard to justify when Nozomi offers reasonable visibility at a lower price point.

Pricing and Value

Dragos pricing is per-site and scales with the number of monitored assets and network segments. A single-site deployment for a mid-sized facility typically starts at $50K-$80K/year. Multi-site enterprise licenses range from $150K to $500K+ annually depending on scale. The Dragos Threat Intelligence subscription (available separately from the platform) runs $30K-$75K/year depending on the package. Professional services for initial deployment run $25K-$60K depending on environment complexity. Threat hunting engagements (their services team actively hunts in your OT environment) are additional.

Compared to Claroty ($30K-$60K per site), Nozomi Networks ($25K-$50K per site), and Armis ($20K-$40K per site, though Armis is broader than just OT), Dragos is consistently the most expensive option. The premium buys you better intelligence, more specific detections, and a team with deeper OT adversary expertise. For critical infrastructure — power utilities, water treatment, oil and gas — the premium is justified because the consequence of a missed attack isn't just a data breach, it's a physical safety incident. For less critical manufacturing operations, the cost-benefit calculation is tighter.

Who Should Use This

Dragos is essential for critical infrastructure operators subject to NERC CIP, TSA Security Directives, EPA requirements, or equivalent OT security regulations. If a cyberattack on your systems could cause physical harm, environmental damage, or disrupt essential services, this is the tool category you need, and Dragos is the leader. Power utilities, water and wastewater systems, oil and gas, chemical plants, and large-scale manufacturing operations are the core audience.

If your OT footprint is small (a handful of PLCs in a building automation system, for instance), the full Dragos platform is overkill. Look at Armis or Microsoft Defender for IoT for lighter-weight visibility. If you have OT environments but no dedicated OT security personnel, start by hiring or contracting OT security expertise before buying monitoring tools — you need someone who understands what the alerts mean in an operational context.

The Bottom Line

Here is the reality of OT security in 2026: adversaries, state-sponsored and criminal alike, are actively developing capabilities to target industrial systems. PIPEDREAM demonstrated that modular, reusable OT attack frameworks exist. Colonial Pipeline demonstrated the economic impact: ransomware on the IT side led the operator to shut down the pipeline itself as a precaution, which is the IT-to-OT dependency problem in one incident. The Oldsmar water treatment attack demonstrated the safety implications. If you operate industrial systems and you're relying on your IT security stack to detect OT-specific threats, you have a blind spot that Dragos closes. It's expensive, it requires OT expertise to deploy and operate, and it's narrowly focused. It's also the best at what it does, and what it does matters in a way that most cybersecurity products don't: it protects systems where the consequences of failure are measured in physical safety, not just dollars.

Pricing Details

Enterprise pricing based on environment size