Platform Datasheet

Passive Cyber-Physical Asset Intelligence

WireTrace gives security teams complete visibility into every device on their network - IT, OT, IoMT, and IoT - without agents or cloud dependency. By combining passive deep packet inspection with optional active enrichment (SNMP polling, SSH service identification, AD correlation), WireTrace builds a continuously updated asset inventory, identifies security exposures, generates compliance evidence, detects threats including ransomware kill chain activity, monitors file operations across protocols, and provides AI-powered intelligence through natural language queries and streaming reports. One platform. Every environment. Zero disruption.

272 Protocol Parsers
411 Classification Rules
100% Passive + Active Enrichment
0 Cloud Dependencies

Why WireTrace is Different

Passive-First Architecture

Sensor is 100% passive - zero network disruption. Optional active enrichment (SNMP, SSH, AD) operates from the server over the management network. Safe for OT, medical, and safety-critical environments.

Unified IT / OT / IoMT / IoT Visibility

One platform across all environments. No separate tools for industrial, medical, enterprise, and IoT domains.

Deep Protocol Intelligence

272 DPI parsers extract commands, field values, certificates, and device identity - not just port numbers and traffic volume.

Evidence-Based Compliance

Audit-ready evidence generated continuously from observed traffic. No manual evidence collection or periodic assessments.

Exposure-Aware Vulnerability Prioritization

CVEs ranked by real protocol exposure and firmware observations, not theoretical scan results.

Air-Gapped & Sovereign Deployment

Fully on-premises. No cloud dependency. No data leaves the network. Deployed in minutes with a single installer.

No Agents, No Footprint

Nothing installed on endpoints. Observes from SPAN or TAP ports. Discovers unmanaged and legacy devices that agents cannot reach.

Subscription-Based Per-Asset Licensing

Transparent per-asset pricing that scales with your environment. All platform capabilities, protocol intelligence, and compliance frameworks included in every subscription.

What Customers Gain

Complete asset inventory - every device, vendor, OS, and firmware version identified from traffic

Faster incident investigation - protocol-level evidence for forensic analysis and response

OT and medical-device visibility - industrial controllers and clinical devices classified by vendor and model

Reduced audit preparation - compliance evidence generated automatically, not collected manually

Prioritized remediation - vulnerabilities ranked by observed exposure, not theoretical risk

Ransomware kill chain detection - 12 rules covering reconnaissance through encryption and exfiltration, MITRE ATT&CK mapped

Legacy device discovery - unmanaged, agentless, and shadow devices visible from wire traffic

Operational safety - zero risk of disrupting OT processes, medical devices, or production systems

Platform Capabilities

Asset Discovery & Classification

411 classification rules with an intelligent multi-signal classification engine: protocol behavior, DPI identity, automatic device discovery from network announcements, manufacturer identification, device identity fields, and multi-source passive fingerprinting with thousands of fingerprint signatures. 68 device types with automatic Purdue level assignment.

AI Intelligence (Rumi)

Built-in on-premises AI agent with 21 query tools covering assets, connections, protocols, threats, vulnerabilities, file activity, compliance, and Purdue levels. The Ask Your Environment feature answers natural language questions from real network data in under 200ms. Streaming reports generate progressively - executive summary first, sections following. Conversation memory supports follow-up questions. No GPU or cloud dependency.

Active Enrichment

SNMP polling (all versions supported) with per-device credentials enriches assets with hardware model, serial number, firmware version, and device identity fields. SSH service identification, Active Directory correlation, VPN user detection from log-based correlation, and network topology discovery with switch port mapping.

Security Insights & File Activity

Cleartext credentials, weak or expired TLS certificates, exposed management interfaces, unprotected industrial protocols, plus SNMP device inventory. File activity monitoring tracks operations (read, write, delete, upload, download, rename) across SMB, FTP, TFTP, NFS, HTTP, and DICOM with full file paths and source/destination details for forensic investigation.

Ransomware & Threat Detection

12 detection rules covering the full ransomware kill chain: reconnaissance (port scanning, network enumeration), lateral movement (RDP spray, SMB enumeration, OT isolation violation), credential exposure, active encryption (mass file operations, ransomware extensions, ransom note delivery), and data exfiltration. Kill chain correlation scores multiple indicators per asset. MITRE ATT&CK mapped.

Vulnerability, Change & Medical Intelligence

CVE matching with risk-based prioritization and industrial security advisories. Full change tracking with before/after audit trail. 19+ proprietary medical protocols identify ventilators, monitors, pumps, and analyzers by vendor and model. Adaptive storage retention keeps data as long as disk allows across five priority tiers.

Primary Use Cases

OT Asset Discovery

Map every PLC, RTU, HMI, and engineering workstation. Identify cross-zone communication and help enforce segmentation policies.

Hospital / IoMT Visibility

Identify clinical devices by vendor and model. Monitor medical protocol communications across wards and departments.

Compliance Evidence

Auto-generate audit evidence for IEC 62443, ISO 27001, HIPAA, NCA ECC, and NCA OTCC from live traffic observations.

Vulnerability & Exposure

Prioritize CVE remediation based on real protocol exposure and active firmware, not theoretical scan outputs.

Ransomware & Threat Detection

12 kill chain detection rules identify ransomware activity from reconnaissance through encryption and exfiltration. IoC matching against threat intelligence feeds. MITRE ATT&CK mapped.

Air-Gapped Monitoring

Deploy fully on-premises with no internet or cloud dependency. Complete functionality in isolated and classified environments.

Legacy & Unmanaged Devices

Discover shadow IT, aging infrastructure, and agentless devices that traditional tools cannot reach or inventory.

Purdue Swim Lane View

Visual topology with device-type icons, horizontal bands per Purdue level, and asset-level connection arrows for network architecture review.

File Activity & Change Tracking

Monitor file operations across 6 protocols (SMB, FTP, TFTP, NFS, HTTP, DICOM). Track every asset change with full before/after audit trail.

Protocol Intelligence

Industrial / OT

Modbus, S7Comm, EtherNet/IP, PROFINET, BACnet, DNP3, IEC 104, OPC-UA, GOOSE, EtherCAT, HART-IP, FINS, MELSEC, CODESYS, KNXnet/IP, and more

Healthcare / IoMT

DICOM, HL7, Philips, Draeger, GE CARESCAPE, Hamilton, Masimo, Abbott i-STAT, Capsule DCMP, Welch Allyn, and more

Enterprise / IT

TLS, SSH, RDP, SMB, DNS, DHCP, LDAP, Kerberos, RADIUS, SNMP, HTTP/S, QUIC, WireGuard, OpenVPN, NTP, and more

IoT / Discovery

SSDP, mDNS, LLDP, CDP, SDDP, NBNS, LLMNR, UPnP, ARP, STP, MPLS, PTP, PPPoE, IGMP, and more

Representative examples. The DPI engine supports 272 protocol parsers across industrial, medical, enterprise, and proprietary communications - with continuous expansion.

Compliance & Audit Evidence

IEC 62443
ISO 27001
HIPAA
NCA ECC
NCA OTCC
Custom Frameworks

Integrations & Ecosystem

REST API
Syslog CEF / SIEM
Threat Intelligence Feeds
Webhooks
Email Alerts
LDAP / AD / OIDC SSO
CSV Export
Firewall Rules
RBAC
Multi-Tenant
Air-Gap Supported

Licensing

WireTrace is licensed per asset, subscription-based. Pricing scales transparently with the number of monitored devices. Every subscription includes the full platform - all protocol intelligence, all compliance frameworks, all capabilities - with continuous updates throughout the subscription period.

Per-asset subscription
No module add-ons
All protocols included
Continuous updates
No cloud dependency

See WireTrace in Your Environment

Request a live demonstration or proof-of-value deployment. wiretrace.io