How PacketViper Detects, Contains, and Blocks Threats for IT and OT

PacketViper can be deployed as an Inline Transparent Bridge, in Routing Mode, or in a Mirror configuration:

•  Inline Bridge or Routing Mode: PacketViper can contain and block traffic while performing all other functions. 
•  Mirror Mode: PacketViper can perform all functions except blocking. 

When fully deployed, PacketViper operates in either Inline Transparent Bridge or Routing Mode and in Mirror Mode simultaneously. While PacketViper can operate in Mirror Mode exclusively, it is also used alongside Inline or Routing Mode to provide additional visibility. Mirror Mode enables monitoring of east-west traffic within the environment, complementing the north-south traffic visibility from Inline or Routing Mode. Operating with both (Inline or Routing) plus Mirror provides a 360-degree view of all traffic in the environment.
When operating in Inline Bridge or Routing Mode, PacketViper monitors all traffic passing through it. If a Sensor or Deceptive Responder detects malicious traffic, and the sensor is configured to block, it will create a blacklist rule that is applied directly to the inline bridge or routing mode, containing and stopping the threat immediately. 

1. Sensor and Deceptive Responder Deployment 
•  Sensors and Deceptive Responders are connected via a network cable to a switch on the segment, VLAN, or network chosen by the customer. 
•  Each Sensor or Deceptive Responder is configured with an IP address for the network, segment, or VLAN.
•  Deceptive Responders require an IP address to respond to malicious attempts. 
Sensors can monitor all traffic and can be configured to focus on specific source or destination attributes, including IP, network, groups, country, Global Network Lists "business" (GNL), ports, time, and traffic rates.

2. Threat Detection 
•  Sensors and Deceptive Responders identify suspicious or unauthorized activity. 
•  Deceptive Responders can emulate nearly any OT or IT service, not limited to SCADA, PLC, or HMI, in order to engage attackers with believable and context-aware responses.
•  DR ID Decoys present realistic login prompts, capture credentials, block the source (in Inline/Routing Mode), and alert incident response.
•  Sensor-Only Mode monitors and, if configured, blocks sources without revealing presence.

3. Immediate Local Containment and Blocking 
•  In Inline Bridge or Routing Mode, blacklist rules are applied instantly to contain and block malicious sources at wire speed.
•  Containment and blocking happen on the detecting unit without rerouting traffic. 

4. Enterprise-Wide Propagation 
•  The detecting unit alerts the CMU, which propagates the blacklist rule to all PacketViper units. 

5. Protocol-Agnostic, Non-Disruptive Operation
• Inline Bridge and Routing Mode are agnostic to protocols because PacketViper does not inspect protocol payloads. 
•  In OT environments, SCADA/DCS systems can poll PacketViper via Modbus to pull alert information.
•  Operates transparently so attackers are unaware. 

6. Zero Trust Enforcement for Network Behavior
•  Ensures sources only communicate with approved destinations and ports; deviations trigger immediate containment and blocking of the violating source.

7. Resilient Remote Operations 
•  RSUs operate autonomously if CMU connectivity is lost. 
•  Industrial-grade hardware for OT deployments, DIN-mounted as needed.
•  Built for harsh OT environments.
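The behaviour described in sections 3, 4, 6 and 7 (local blacklist first, CMU propagation second, Mirror Mode alerting only, RSUs continuing alone when the CMU is unreachable) can be modelled as a small zero-trust flow evaluator. This is an added illustration written for this page, not PacketViper code; the policy, addresses, unit names and flow records are constructed.

```python
from dataclasses import dataclass, field

# Constructed zero-trust policy (hypothetical addresses): each source may only
# reach the listed (destination, port) pairs; anything else is a deviation.
POLICY = {
    "10.1.1.10": {("10.1.2.20", 502)},
    "10.1.1.11": {("10.1.2.20", 502), ("10.1.2.21", 44818)},
}

@dataclass
class Unit:
    name: str
    mode: str                     # "inline", "routing" or "mirror"
    blacklist: set = field(default_factory=set)

    def can_block(self) -> bool:  # Mirror Mode sees traffic but cannot block it
        return self.mode in ("inline", "routing")

@dataclass
class CMU:
    units: list
    reachable: bool = True        # False models lost CMU connectivity (RSU runs alone)

    def propagate(self, src: str) -> bool:
        if not self.reachable:
            return False
        for u in self.units:      # rule reaches every unit; enforced only where blocking is possible
            u.blacklist.add(src)
        return True

def evaluate(unit: Unit, flows, cmu: CMU):
    """Return (source, action) per flow. Blocking units create a local blacklist
    rule first (immediate containment), then hand it to the CMU for propagation."""
    events = []
    for src, dst, dport in flows:
        if src in unit.blacklist:
            events.append((src, "dropped" if unit.can_block() else "alert-only"))
        elif (dst, dport) in POLICY.get(src, set()):
            events.append((src, "allowed"))
        elif unit.can_block():
            unit.blacklist.add(src)               # local rule applied before anything else
            reached = cmu.propagate(src)
            events.append((src, "blocked+propagated" if reached else "blocked+local-only"))
        else:
            events.append((src, "alert-only"))
    return events

# Constructed sample flows: (source, destination, destination port)
FLOWS = [
    ("10.1.1.10", "10.1.2.20", 502),   # permitted Modbus poll
    ("10.1.1.10", "10.1.2.21", 22),    # deviation: SSH to a non-approved host
    ("10.1.1.10", "10.1.2.20", 502),   # source already contained by the first deviation
    ("10.1.1.99", "10.1.2.11", 502),   # unknown source with no policy at all
]
```

Running the same flows through an Inline unit and then a Mirror unit shows the difference in enforcement: the Mirror unit receives the propagated rule but can only alert.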

8. Threat Intelligence & Reporting 
• Events can feed into AlertBox for risk scoring, context enrichment, and SIM-like analysis. 
•  Risk scoring uses GNL and proprietary indicators. 

Key Advantages 
•  Wire-speed containment and blocking in inline/routing mode. 
•  Combined Inline/Routing plus Mirror deployment delivers 360-degree traffic visibility.
•  No reliance on external firewalls, SIMs, or NAC. 
•  Lower SIM/SOC noise. 
•  Protects unpatchable OT assets before threat contact.