Critical Capabilities for CPS Protection Platforms

9 March 2026 - ID G00830518 - 34 min read
By Wam Voster, Ruggero Contu, and 2 more
Cyber-physical systems protection platforms that discover assets and their connections in production or mission-critical environments (OT/ICS/IoT/robots) are key CPS security tools. This Critical Capabilities helps cybersecurity leaders find the right product to support their CPS cybersecurity journey.

Overview


Key Findings

  • The cyber-physical systems protection platforms (CPS PPs) market continues to evolve, with vendors integrating various levels of AI in their products. The application of advanced analytics, AI/machine learning (ML), and generative AI in CPS protection platforms varies significantly in maturity and scope. This shift includes generating playbooks to address findings and employing large language models (LLMs) to analyze traffic and generate alerts.
  • The CPS protection platforms market has experienced shifts in the last year, including vendors exiting the market, mergers and acquisitions, and first-time entrants. None of these new entrants, however, have met the inclusion criteria for this year’s Critical Capabilities report.
  • Key capabilities introduced by vendors with deep CPS security expertise are becoming permanent fixtures in the market, with valuations reflecting their importance.

Recommendations

  • Organizations in the market for their first CPS PP or looking for alternatives should probe for upcoming roadmap additions. Those who have already deployed a CPS PP should perform a gap analysis of capabilities between the version they bought and the latest release.
  • Asset discovery and network topology remain the leading use cases, but buyers need to define and prioritize what additional critical capabilities match their specific CPS security requirements.
  • Prioritize SaaS delivery if the organization cares most about new features and dynamic scalability, but gravitate toward software or appliance solutions if there is a need for greater control or to address regulatory hurdles.
  • Evaluate a vendor’s ability to reduce the complexity of ongoing CPS security operations. Vendors offer varying ways to reduce complexity, such as workflow augmentation powered by automation and AI techniques, as well as solutions that are part of a larger security ecosystem provided by the same vendor.

What You Need to Know


CPS PPs present asset- and network-centric views of CPS environments in a combined platform, and use that combination to support such functions as threat and exposure management. CPS PPs have emerged as the leading category for organizations looking to develop their CPS security programs.
The CPS PPs market has largely emerged from providers with four types of backgrounds:
  • Vendors with industrial cybersecurity pedigrees that have received investment during the past five years to expand capabilities and market reach.
  • Vendors with IT cybersecurity pedigrees looking for adjacent growth in non-IT environments.
  • Vendors with network-security-centric pedigrees looking to boost industrial-grade equipment sales.
  • Vendors with industrial original equipment manufacturer (OEM) pedigrees looking to add cybersecurity solutions to their product portfolios.
Buyers should consider vendor evaluations that compare features and CPS PP performance, as well as each vendor’s ability to meet their promise on the overall outcome, such as ease of administration, complexity reduction, or tighter integration with existing IT security products (e.g., SIEM and CMDB).
This Critical Capabilities research is a companion to Gartner’s Magic Quadrant for CPS Protection Platforms. Whereas the Magic Quadrant focuses on understanding the CPS PPs market and the vendors’ relative positions therein, this Critical Capabilities report concentrates on those vendors’ CPS PPs products and their ability to provide the needed functionality.
Cybersecurity leaders looking for a more technical understanding of the vendors evaluated in the Magic Quadrant should review these Critical Capabilities to gather additional technical data that will inform their evaluation processes.

Analysis


Critical Capabilities Use-Case Graphics

Vendors’ Product Scores for the Discover and Map CPS Assets Use Case
Thirteen providers are ranked on a 1 to 5 scale according to how well their offerings meet the needs of the Discover and Map CPS Assets use case in the CPS Protection Platforms market, as of 4 April 2026. This allows comparison across a set of critical differentiators.
Vendors’ Product Scores for the Improve Threat and Vulnerability Management Use Case
Thirteen providers are ranked on a 1 to 5 scale according to how well their offerings meet the needs of the Improve Threat and Vulnerability Management use case in the CPS Protection Platforms market, as of 4 April 2026. This allows comparison across a set of critical differentiators.
Vendors’ Product Scores for the Prioritize CPS Security Issues and Remediation Use Case
Thirteen providers are ranked on a 1 to 5 scale according to how well their offerings meet the needs of the Prioritize CPS Security Issues and Remediation use case in the CPS Protection Platforms market, as of 4 April 2026. This allows comparison across a set of critical differentiators.
Vendors’ Product Scores for Monitor CPS Security; Align to Enterprise Efforts Use Case
Thirteen providers are ranked on a 1 to 5 scale according to how well their offerings meet the needs of the Monitor CPS Security; Align to Enterprise Efforts use case in the CPS Protection Platforms market, as of 4 April 2026. This allows comparison across a set of critical differentiators.

Vendors

Armis

Armis Centrix Cyber Exposure Management Platform is currently at version 26, released in November 2025. Nearly three-quarters of clients have deployed it as a cloud-based SaaS solution. In 2025, Armis introduced Attack Path Mapping (thanks to the acquisition of OTORIO) to enhance risk ratings by modeling attack paths and refining risk scoring using device properties, anomaly behavior, supply chain risks (such as blacklisted manufacturers), and vulnerability scores.
Armis Centrix is most suitable for asset discovery. The platform achieved its highest use-case rating in this area, reflecting its comprehensive visibility of CPS environments, powered by the crowdsourced, cloud-based Armis Asset Intelligence Engine that tracks over five billion assets. This capability enables organizations to build accurate inventories and understand asset relationships.
The strongest capability of Armis Centrix is risk mitigation and scoring. By correlating multiple factors and leveraging attack path modeling, the platform helps clients prioritize remediation actions based on business impact and operational risks.
Armis Centrix’s biggest opportunity for improvement is its deployment strategy. The recent acquisition of OTORIO, which is what the on-premises solution is built on, means that currently the platform supports only a small fraction of clients using on-premises capabilities. Therefore, Armis has less experience with on-premises deployments for organizations in highly regulated sectors or those with strict operational requirements, such as energy, oil and gas, and defense.
Cisco

The Cisco Industrial Threat Defense platform is delivered as a suite that includes Cyber Vision, Secure Equipment Access, Identity Services Engine, Secure Firewall, and Extended Detection and Response. The platform integrates with Cisco’s broader security portfolio, including Splunk. Cisco Cyber Vision sensors can be embedded in Cisco networking appliances, which removes the need for dedicated hardware and reduces additional network resources or complex setups. The platform also supports network segmentation and zero trust network access (ZTNA) capabilities to provide operations teams with remote access to CPS assets while enforcing least-privilege policies.
Cisco Industrial Threat Defense is best suited for monitoring CPS security and aligning to enterprise efforts. Cisco Cyber Vision integrates the Snort IDS engine with Talos subscription rules to detect known and emerging threats, such as malware or malicious traffic. It also integrates with Cisco IT security platforms, feeding them with details on OT assets and events.
The strongest capabilities of Cisco Industrial Threat Defense are network segmentation and ease of administration. Its software sensor deployment model eliminates the need for additional rack space, new hardware entering the environment, or more port-mirror configurations. This approach enables engineers to group assets into zones (such as production cells, buildings, or substations) and enforce segmentation policies using Cisco Identity Services Engine or Cisco Secure Firewall.
Cisco’s biggest opportunity for improvement is in enabling event-driven packet captures. The platform does not currently allow customers to automatically create packet captures (PCAPs) when suspicious events occur, which would enable faster incident response.
Cisco did not respond to requests for supplemental information. Gartner’s analysis is, therefore, based on other credible sources.
Claroty

Claroty’s CPS PP includes Claroty Continuous Threat Detection (CTD), an on-premises option (currently v5.2.2, released August 2025), and Claroty xDome, a cloud-based option (released weekly without version numbers). Claroty also offers deployment support services. About half of its clients have deployed it as an on-premises solution, and the other half as SaaS, with SaaS adoption accelerating in the industrial segment in 2025.
Claroty is best suited for asset discovery and mapping. The platform achieved its highest use-case rating here due to its “Coverage Score,” which proactively recommends actions to close visibility gaps using eight collection methods. Its growing CPS Library with detailed pedigree data and Device Purpose, an operational context model linking cybersecurity risk to operational impact, further strengthens this capability.
The strongest capability of Claroty’s platform is risk scoring. It provides native, fully configurable, continuous risk posture management based on likelihood of exploitability, potential impact, and compensating controls in place. This capability allows clients to continuously monitor and adjust their security posture as their environment evolves.
Claroty’s biggest opportunity for improvement is ease and speed of deployment. Clients have reported challenges with hardware-related logistics and complex deployment or network requirements, which can increase the time and effort required for implementation.
Darktrace

The Darktrace/OT platform is currently at version 7.0, released in November 2025. Darktrace/OT supports a range of deployment models, including on-premises, cloud, hybrid, and virtual options. The platform uses a self-learning AI module to assign risk scores and incorporates configuration, topology, and behavioral telemetry into its analysis.
Darktrace/OT is best suited for monitoring CPS security and aligning to enterprise workflows. The platform achieved its highest use-case rating here due to its self-learning AI, which continuously learns the normal “pattern of life” for each asset, user, and network segment without requiring separate learning phases or periodic rebaselining. Cyber AI Analyst applies an automated investigation to correlate multistage events and generate analyst‑level summaries. Darktrace integrates with over 90 IT and security tools, such as SIEM, SOAR, EDR, CMDB, and firewalls.
The strongest capability of Darktrace/OT is risk scoring. The platform prioritizes risks using a holistic scoring model that goes beyond CVEs, factoring in CVSS and EPSS scores, KEV catalog entries, asset configuration, network topology, and behavioral telemetry. It assigns four core risk scores: weakness, exposure, impact, and damage, using its self-learning AI module.
Darktrace/OT’s biggest opportunity for improvement is in asset discovery. Its CPS platform does not offer as many discovery options as some other vendors; for example, reading project files.
Dragos

The Dragos CPS PP is the Dragos Platform, currently at version 3.0.5, released in November 2025. Dragos also offers professional services supported by its platform.
Most clients have deployed Dragos as an on-premises solution, with cloud-based and hybrid adoption growing.
Dragos is best suited for improving threat and exposure management. The platform achieved its highest use-case rating here due to its investigation-centric workflow that consolidates detections, baseline deviations, forensic evidence and a “Now, Next, Never” methodology for vulnerability management. This approach provides clients with both exposure and operational impact insights.
The strongest capability of Dragos is threat management. The platform benefits from a dedicated threat intelligence and incident response team that researches adversaries, malware signatures, indicators of compromise, and lessons learned from incident response deployments. This expertise is directly embedded into the platform’s detection and response capabilities and is now accessible to users through Analyst Assist AI.
Dragos’ biggest opportunity for improvement is asset discovery. While progress has been made, Dragos started adding discovery capabilities beyond passive scanning later than its competitors and is still working toward full NP-view integration, which may affect organizations seeking advanced discovery features.
Forescout Technologies

The Forescout Technologies platform consists of the Forescout 4D Platform, currently in version 25.4.2, released in November 2025, and is also available as a managed service called Forescout SecureOps 24/7, formerly known as Assist for OT/ICS. Almost three-quarters of clients have deployed the platform as an on-premises solution, with the remainder using a hybrid model. Forescout supports LDAP, SAML, and OIDC authentication, enabling user and device verification through corporate directories or trusted identity providers.
Forescout 4D Platform is best suited for prioritizing CPS security issues and remediation. The platform achieved its highest use-case rating here due to its multifactor risk framework, which evaluates both security and operational risks and calculates the likelihood and impact of cyber or operational incidents on assets, systems, or network segments. For supply chain assurance, Forescout incorporates compliance checks for Section 889 (of the U.S. National Defense Authorization Act) to identify and flag banned or high-risk components from prohibited vendors.
The strongest capability of Forescout 4D Platform is integration with enterprise IT tools. One of the platform’s integrations is with NetRise to ingest SBOMs, firmware risk, and software component CVEs into asset records and risk models, supporting supply chain and SBOM risk management for clients.
Forescout’s biggest opportunity for improvement is in deployment models. With nearly three-quarters of implementations on-premises, organizations shifting priorities toward hybrid environments will require more flexible deployment options.
Fortinet

Fortinet OT Security Platform is currently at version 7.6.4, released in August 2025. Most clients use it as an on-premises solution, while a small number have deployed it as a cloud-managed solution.
The platform offers native enforcement, with third-party integrations supported via APIs (including REST), and its security fabric is enhanced by AI and ML for asset identity and protocol flows.
Fortinet OT Security Platform is best suited for monitoring CPS security and aligning to enterprise efforts. The platform achieved its highest use-case rating here due to its unified Fortinet Security Fabric architecture, which supports enterprisewide security programs through centralized administration and consistent policy enforcement across NGFW, switches, and access points, while the portfolio of ruggedized versions of these devices is expanding. Its enterprise alignment is further strengthened by the Fortinet Fabric‑Ready Program, which includes over 500 integrations leveraging open APIs and connectors for deep interoperability with IT and security ecosystems.
The strongest capability of Fortinet OT Security Platform is network segmentation. The platform analyzes asset identity, Purdue-level placement, protocol flows, and behavioral baselines to recommend and orchestrate segmentation across NGFW, switches, access points, and NAC. The analytics platform prioritizes segmentation violations and provides AI-assisted policy optimization for clients managing complex environments.
Fortinet’s biggest opportunity for improvement is in deployment models. Most implementations are on-premises, which suits “air-gapped” environments; however, many clients now prefer hybrid deployment options for greater flexibility.
Honeywell

The Honeywell OT Cybersecurity Platform consists of Honeywell Cyber Insights, Honeywell Cyber Watch, Honeywell Secure Media Exchange, and Honeywell Cyber Proactive Defense. The platform is currently on version 4.1.1, released in October 2025. Honeywell provides managed security services supporting all platform applications. Approximately 40% of clients have deployed it as an on-premises solution, while the remaining 60% use a hybrid model.
The Honeywell OT Cybersecurity Platform is best suited for improving threat and exposure management. The platform achieved its highest use-case rating here due to its incorporation of threat intelligence from industry and government programs through partnerships and integrated STIX/TAXII feeds. The platform ingests threat intelligence, maps detections to the MITRE ATT&CK framework, and enriches alerts with known TTPs and indicators.
The strongest capability of the Honeywell OT Cybersecurity Platform is integration with enterprise IT tools. It offers integrations with major SIEM providers. Integration with NetRise, aDolus, and Finite State provides SBOM capabilities for clients seeking comprehensive supply chain risk management.
Honeywell’s biggest opportunity for improvement is in ease of administration. Platform administration still requires significant manual effort since AI is not fully implemented to reduce overhead. The architecture is designed to enable future AI-assisted administrative tasks.
Microsoft

Microsoft’s CPS PP is Microsoft Defender for IoT, which provides CPS capabilities through purpose-built sensors and can be extended through native integrations to Microsoft Sentinel, Microsoft Security Exposure Management, Microsoft Defender for Endpoint, Microsoft Entra Private Access, and Microsoft Security Copilot. These integrations benefit organizations standardizing on Microsoft products.
Microsoft gained a foothold in CPS security through its CyberX acquisition in 2020. Initial expansions included aligning CPS-unique protocols into Defender for Endpoint, extending CPS discovery to Microsoft Defender XDR, and integrating CPS vulnerability management with Microsoft Defender Vulnerability Management. Beyond those expansions, future product direction is unclear.
Defender for IoT is best suited for monitoring CPS security and aligning to enterprise IT efforts. The platform achieved its highest use-case rating here because of its alignment with Microsoft’s broad security portfolio, enabling a joint IT-CPS security view without the need for additional integrations.
The strongest capability of Defender for IoT is integration with enterprise IT tools. It scored highest in this area among critical capabilities due to the number of integrations with other Microsoft solutions.
Microsoft’s biggest opportunity for improvement is in network segmentation. The platform does not provide detailed playbooks or unified integrations with network security solutions, as seen in other offerings, which may limit clients seeking advanced segmentation capabilities.
Microsoft did not respond to requests for supplemental information. Gartner’s analysis is, therefore, based on other credible sources.
Nozomi Networks

Nozomi Networks’ CPS PP consists of Nozomi Vantage as a cloud-based option and Nozomi Central Management Console as an on-premises option. Version 25.6.0 of Nozomi Vantage was released in November 2025.
Nozomi Networks is best suited for improving threat and exposure management. Its platform achieved its highest use-case rating here due to its ability to leverage Nozomi Networks’ CVE numbering authority, a strategic partnership with Google’s Mandiant threat intelligence services, advanced rule engines, and strong AI capabilities.
The strongest capability for Nozomi Networks is risk scoring. Its AI-enabled risk models engine is built on 10 CPS security frameworks and incorporates exposure, behavioral anomalies, peer comparisons, supply chain pedigree concerns, and deployed mitigations. These models are customizable by asset, site, or zone and can focus on specific vendor prohibitions, such as Section 889 of the U.S. National Defense Authorization Act.
Nozomi Networks does not offer managed services but works through MSSP partners. Most clients have deployed the platform as an on-premises solution, with cloud-based and hybrid adoption growing.
Nozomi Networks’ biggest opportunity for improvement is in network segmentation. The platform integrates with seven next-generation firewall (NGFW) vendors, but it does not have native enforcement capabilities unless embedded and must rely on the NGFW’s segmentation functionality.
Palo Alto Networks

The Palo Alto Networks Strata platform consists of several components, including OT Device Security and OT Security Solution, an integrated unified solution built to protect a wide range of industrial operations. The platform combines real-time visibility, advanced threat prevention, and risk-based control across both OT and IT environments. It delivers CPS security capabilities through its network security platform, eliminating the need for additional CPS-specific dedicated hardware.
Palo Alto Networks is best suited for CPS security in line with integrated IT/CPS enterprise efforts. The platform achieved its highest use-case rating here due to its ease of administration, which comes from delivering integrated CPS PP capabilities as part of its broader solution set Strata Network Security Platform along with well-established third-party integrations in SIEM, CMDB, and access management.
The strongest capability for the Palo Alto Networks platform is ease of administration. The platform enables consistent policy enforcement, centralized oversight, and centralized reporting across CPS environments by leveraging its network security infrastructure for CPS PP configuration and management.
Palo Alto Networks’ biggest opportunity for improvement is asset discovery. In a market in which inventorying functionalities are expanding to cover an increasing range of assets, and dedicated CPS security infrastructure capabilities are required, the platform could enhance its ability to support comprehensive asset inventories.
Palo Alto Networks did not respond to requests for supplemental information. Gartner’s analysis is, therefore, based on other credible sources.
Tenable

The Tenable OT Security platform is currently at version 4.4.39, released in September 2025. Most clients use the on-premises product, but a hybrid solution is available as well.
Tenable OT Security is best suited for improving threat and exposure management. The solution achieved its highest use-case rating here due to its OT-focused database and multiple detection engines, combining 65,000 signature-based IDS rules with anomaly and traffic pattern detection, ensuring broad threat coverage. Its proprietary Vulnerability Priority Rating (VPR) is a risk score from Tenable Research that uses AI and machine learning to prioritize vulnerabilities based on exploitability, correlating signals from several threat intelligence sources.
The strongest capability of Tenable OT Security is ease of administration. The solution offers centralized administration with granular and customizable RBAC roles, combining configuration-level OT data from its industrial core platform with IT data from Nessus and agents for unified oversight.
Tenable’s biggest opportunity for improvement is in network segmentation. Tenable OT Security provides visibility into traffic, device relationships, and potential segmentation gaps; however, it relies more heavily on integrations and external enforcement points rather than native, automated segmentation, or inline prevention.
TXOne Networks

The TXOne platform consists of TXOne EdgeOne, currently at version 2.5, released in September 2025. All clients have deployed it as an on-premises solution.
TXOne EdgeOne is best suited for prioritizing CPS security issues and remediation. The platform achieved its highest use-case rating here by implementing key changes to its security frameworks capabilities, such as aligning and integrating asset attributes with common security frameworks. The OT security posture dashboard enables compliance documentation and framework-aligned security posture reporting for audit requirements.
The strongest capability of TXOne EdgeOne is network segmentation. The platform provides in-depth detail of network information; enables inline capabilities to restrict, redirect, and encrypt traffic; and offers endpoint-based protection through TXOne StellarProtect agents.
TXOne’s biggest opportunity for improvement is deployment models. The platform supports both on-premises and cloud-based deployments, but between 99% and 100% of customers have deployed it on premises.

Context

Gartner defines CPS PPs as a new product category that uses knowledge of industrial protocols, operational/production network packets or traffic metadata, and physical process asset behavior to discover, categorize, map, and protect CPS in production or mission-critical environments.
For CPS security teams, a CPS PP is the central tool that supports different core outcomes. In today’s market, asset inventories, topology visualizations, threat and exposure management, and recommended actions capabilities are standard components of a CPS PP offering. Traditionally these capabilities were delivered through a passive monitoring method, in which sensors were deployed to “listen” to network traffic from SPAN or TAP ports and use DPI to obtain detailed information about assets and events.
Technologies like safe active polling have been deployed for some time now, but the market is evolving to where lightweight agents have been developed by the vendors for deployment on suitable devices in the CPS environment. This approach allows users to obtain more detailed insights through an asset’s details and behavior.
As the market matures, buyers of CPS PPs expect high fidelity of asset inventory data, ease of deployment, and integration with IT security tools, like SIEM and CMDB. Vendors have invested time and effort into adding AI capabilities. AI-driven innovation is fundamentally transforming CPS security by moving beyond static asset inventories and manual alerts toward autonomous, context-aware visibility and predictive remediation.
The key objective is to reduce safety and security risks in production or mission-critical environments while minimizing performance impact and improving ease of use.

Market Definition

Gartner defines cyber-physical systems (CPS) protection platforms as products that discover, categorize, map and protect CPS in production or mission-critical environments outside of enterprise IT. They do so by analyzing or interacting with industrial/industry-specific protocols and operational network traffic. They understand physical process asset behavior and do not interfere with CPS operations. They can be delivered from the cloud, on-premises or in a hybrid form.
Gartner defines CPS as engineered systems that orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans). When secure, they enable safe, real-time, reliable, resilient and adaptable performance.
The CPS protection platforms market exists because:
  • The attack surface is growing: CPS are usually core value creation assets and, if they go down, they can impact human health and safety, halt production or derail missions. The more connected they become, the more they expand the attack surface. This increasingly makes them attractive targets for ransomware, industrial espionage or geopolitically motivated attacks. From operational disruptions of pipeline operators to halted machinery at shipbuilders, the number of disclosed attacks continues to rise.
  • Threats are on the rise: Malware purposely built for industrial environments, such as INDUSTROYER.V2 and Pipedream, are emerging.
  • More vulnerabilities are surfacing: They remain difficult to manage, as CPS cannot be patched at will.
  • More regulations, directives and frameworks are emerging: Due to the increased threats to critical infrastructure-related organizations, governments are recognizing that the ubiquitous CPS technology landscape supporting them is key to national security and economic prosperity.
  • Manual asset inventories are time inefficient and costly: IT security tools are inappropriate for many CPS environments.

Mandatory Features

The mandatory features for this market include:
  • Vendor-native asset discovery, visibility and categorization
  • Support for modern, but also unique, industrial/industry-specific protocols (including reverse-engineered ones deployed decades ago), while not interfering with the operation of any device
  • Detailed network topology and data flow diagrams
  • Detailed pedigree of assets, including but not limited to the manufacturer, model, serial number, MAC and IP addresses, operating system, version, service pack, etc. — included for nested devices
  • Vulnerability information and recommended actions to include contextualized CVE/CVSS scores and the likelihood of exploitability
  • Threat intelligence information and simulations, as well as recommended actions, to include playbooks and policy enforcement remediation options
  • Integration with IT security and asset management tools
  • Risk scoring and recommended actions to include remediation options and impacts on alignment to standards

Common Features

The common features for this market include:
  • Baseline and configuration management
  • Incident response and forensics
  • Network-segmentation-related features and functionalities
  • Security frameworks compliance reports
  • Various role-based user interfaces, such as one for security teams, one for maintainers, one for engineers or one for OEMs, to support various use cases
  • Machine learning capabilities to enhance asset discovery, establish behavioral baselines, improve anomaly detection and root cause analysis or fine-tune risk prioritization
  • Strategic partnerships with original equipment manufacturers (OEMs) and other security vendors

Product/Service Class Definition

CPS PPs are the foundation to CPS security. They combine asset- and network-centric approaches into a single platform, enabling their combined strength to add capabilities across a broad range of security controls.
Vendors are rapidly adding AI-/ML-based capabilities. Gartner has identified that AI currently addresses a number of specific needs in CPS PPs.
Improving asset discovery and visibility by using AI inference and normalization
  • Traditional discovery can struggle with the proprietary, legacy, and fragmented nature of CPS protocols. AI bridges this gap by inferring identity from partial data and by normalizing diverse inputs. Organizations can use AI and LLMs to enhance DPI parsing, allowing systems to extract asset attributes from proprietary protocols where standard parsers fail. When device data is incomplete, AI models use statistical inference to determine device type, vendor, and family.
Prioritizing risk via predictive analytics
  • CPS environments are often flooded with thousands of vulnerabilities that cannot all be patched. AI helps teams focus on the “true risk” by correlating technical severity with business impact and real-world exploitability. This strategy uses ML to analyze threat signals (e.g., dark web chatter, exploit code maturity) to predict the likelihood of a vulnerability being exploited. Likewise, organizations can deploy an AI-driven “early warning” system to predict which CVEs will be weaponized before public advisories are released.
Automating remediation and policy creation
  • AI is shifting CPS security from “read only” visibility to active defense by automating the creation of security policies and remediation tasks. CPS PPs can analyze traffic patterns and observed behavior and automatically generate allowlists and segmentation policies.
  • The emergence of “agentic AI” allows systems to autonomously perform complex tasks, like automated password rotation, configuration fixes, and patch management across devices. AI-driven analysis allows for “virtual patching” where network-level IPS rules shield unpatchable legacy assets from known exploits without requiring system downtime.
Using natural language to ease operation and administration
  • To address the skills gap in CPS security, vendors are integrating LLMs to simplify complex queries and reporting. They deploy natural language querying where users can ask questions like “Show me all PLCs with critical vulnerabilities exposed to the internet” in plain English. Behind the scenes these requests are translated into complex database queries, allowing non-experts to access deep insights. At the same time, generative AI automates the generation of executive-level risk reports and compliance documentation, translating technical data into business-relevant metrics.
Innovations that do not rely on AI include Windows Server Update Services (WSUS) integrations and lightweight agents, which play distinct but complementary roles in CPS PPs. They address specific challenges related to visibility, remediation, and deployment in complex or constrained industrial environments. In CPS PPs, WSUS integrations are primarily used to streamline vulnerability management and remediation validation for Windows-based assets (such as HMIs and engineering workstations) without requiring direct, intrusive scanning.
Some vendors also deploy lightweight agents (also referred to as collectors or endpoint sensors) allowing CPS platforms to extend visibility and control into areas where traditional passive network monitoring is insufficient, such as air-gapped networks, remote sites, or deep within endpoints.

Critical Capabilities Definition

Asset Discovery

This capability includes passive port mirroring and deep packet inspection, active queries using native industrial protocols, and project file analysis from such assets as human-machine interfaces (HMIs) and programmable logic controllers (PLCs).
It also involves enrichment from other tools in the ecosystem (e.g., CMDBs, directories, backup and recovery systems) or other proprietary approaches that support more granular outputs than ever before.
Asset Pedigrees and Attributes

This can determine asset name, category, type, vendor, product family, model, serial number, and chassis/backplane identification, as well as connection info (e.g., first seen, last seen, last modified and persistence).
It also determines IP and MAC addresses; wireless AP location; OS/software/firmware versions; network, subnet, virtual LAN (VLAN); patch level; and open ports with a high degree of accuracy and integrity. Advanced features include financial profile, device owner, latitude and longitude geographic info, USB devices and status, contextual physical-process-centric variables, and the ability to configure many custom attributes.
Ease and Speed of Deployment

This capability includes the time and expense to deploy sensors and/or consoles, validate findings, enable licensing, develop meaningful reporting, implement RBAC, and complete out-of-the-box integrations.
It also involves finalizing infrastructure health checks and system monitoring. It does all of this in heterogeneous operational environments and architectures.
Topology and Data-Flow Mapping

This includes visualizations of linkages and data flows between all assets and sites. Common formats include Purdue model maps, VLAN maps, zone clusters maps, external communications data-flow maps, or assets and groups maps. Most offer drill-down capabilities.
Security Monitoring

This capability involves monitoring or analyzing network traffic and alerts to known threats, suspicious activities, or policy violations. It may also detect unexpected configuration changes to assets.
Network Segmentation

This includes approaches to contain the attack surface and limit blast radius, including Layer 2 and Layer 3 functions.
It also involves grouping by attributes (e.g., VLAN, asset category or type, and security posture) or generating a segmentation approach, based on the function of the systems, that can be consumed by all leading network access control (NAC) or firewall solutions.
Vulnerability Management

This includes the correlation of outputs from asset discovery with Common Vulnerabilities and Exposures (CVE)/manufacturer recall databases and third-party vulnerability repositories.
It also involves prioritization for known exploited vulnerabilities; flagging of unsecure application use and default passwords; remediation guidance, including alternative compensating controls; and meaningful reporting, custom integrations, and provision of ticketing mechanisms to track actions.
Threat Management

This includes indicators of compromise (IoCs) and tactics, techniques and procedures (TTPs) from TI feeds and advisories, signature-based detections, reports aligned with the MITRE ATT&CK for ICS framework, and the flagging of anomalous behavior.
Security Frameworks

This includes dashboards and reports aligned with various frameworks.
These frameworks include the NIST Cybersecurity Framework (CSF), NIST SP 800-82 Rev 3, MITRE, IEC-62443, HIPAA, ISO 2700x family, NERC-CIP, TISAX, HITRUST, CIS 20, TSA SD 2021-02, Food and Drug Administration (FDA) 21 CFR, and NIS2.
Enterprise IT Tools Integration

This includes integrations with such tools as CMDB; security information and event management (SIEM); security orchestration, automation and response (SOAR); or continuous threat exposure management (CTEM) solutions.
Ease of Administration

This includes all core functionality for platform operability, accessed and managed through simple user interfaces (UIs), together with the overall ease of management and administration.
In addition, it involves such day-to-day activities as account access; policy configuration troubleshooting; infrastructure replacement; and disposition of alerting, monitoring, and the overall digital experience.
Risk Scoring

This includes contextual scoring of risks based on vulnerability exploitability, architecture, connection patterns, attack paths, modeling of possible remediation actions, and business/mission impact.
It also involves recommended actions (including alternatives of compensating controls), playbooks, traceability of actions taken, and dashboards/reports to show risk-reduction progress over time.

Use Cases

Discover and Map CPS Assets

Organizations cannot start their CPS security journey or support audits unless, and until, they know the environment with which they are contending.
They need to understand as much as possible about the type, pedigree, communications patterns, and security status of CPS assets before deciding on any strategy to improve their risk posture.
Improve Threat and Vulnerability Management

Organizations must understand not only what vulnerabilities might exist, but whether they are exploitable.
In addition, because CPSs are connected digitally, but exist in the physical world, attack paths can be bidirectional along a cyber-physical continuum. Hence, understanding attack vectors and attack actors becomes critical.
Prioritize CPS Security Issues and Remediation

CPS environments are characterized by high heterogeneity of equipment types, purposes, life cycles, configurations, architectures, operators, and risk profiles.
In addition, security controls cannot be deployed at will, often mandating evaluation of alternatives and mitigation approaches, in conjunction with business units/production engineers. Organizations need capabilities to prioritize what actions will have the biggest effect on risk reduction, while minimizing production/operational impacts.
Monitor CPS Security; Align to Enterprise Efforts

This use case involves allowing organizations to monitor or analyze network traffic and alerts, as well as track their progress against security frameworks.
It also includes integration with enterprise IT security tools and sharing with the C-suite and other decision-makers situational awareness, dashboards, reports, compliance posture, and bright spots and concerns. In addition, it helps with overall management and continuous improvements to the CPS security program.

Vendors Added and Dropped

Added

No new vendors were added.

Dropped

For this Critical Capabilities report, the following vendors have been dropped:
  • Opswat did not meet the industry reach and geographic reach criteria.
  • Otorio was acquired by Armis after the publication of the previous Magic Quadrant and Critical Capabilities report.
  • Radiflow did not meet industry reach, geographic reach, and revenue criteria.
  • Sepio did not meet customer count, industry reach, and revenue criteria.

Inclusion Criteria

Providers needed to meet the following criteria to qualify for inclusion.
General requirements:
  • A provider must be actively participating in the enterprise (i.e., end user) market as evidenced by actively investing in product capabilities and directly marketing to enterprise customers, even if only channel-based sales.
  • A provider must demonstrate active participation in the CPS PP market as a pure-play provider without requiring the purchase of other products or services.
  • Providers must meet Gartner’s definition for the CPS PP market.
  • The CPS PP must be generally available (GA) as of 25 November 2025. Gartner defines “general availability” as the release of a product to all customers. When a product reaches GA, it becomes available through the company’s general sales channel — as opposed to a limited or controlled release, pre-GA, or beta version.
Global adoption and relevance:
  • At least 100 unique enterprise customers have purchased and deployed the provider’s CPS PP in a production environment since GA.
  • The provider must offer cloud-based or managed, hybrid, and on-premises deployment options.
  • At least 10 paying CPS PP customers in at least eight of 22 industry categories (banking and financial industries; chemicals; consumer products; construction, materials, and natural resources; education; energy; food and beverage processing; government, national and international; government, state and local; healthcare provider; industrial electronic and electrical equipment; industrial manufacturing; insurance; media and entertainment; pharmaceuticals, life sciences and medical products; professional services; retail and wholesale; software publishing and internet services; telecommunications; transportation; utilities; all others).
  • The provider receives revenue from its CPS PP from at least three geographic regions, with at least two of them at or above 10% (North America, Latin America, Asia/Pacific, Europe, Middle East and Africa, All Other).
  • At least $50 million in revenue in 2024,
    • or above $5 million in revenue and net-new paying CPS PP customers (logos) added through July 2025 on track to exceed 2024.

Table 1: Weighting for Critical Capabilities in Use Cases

| Critical Capabilities | Discover and Map CPS Assets | Improve Threat and Vulnerability Management | Prioritize CPS Security Issues and Remediation | Monitor CPS Security; Align to Enterprise Efforts |
|---|---|---|---|---|
| Asset Discovery | 20% | 9% | 9% | 6% |
| Asset Pedigrees and Attributes | 20% | 9% | 9% | 6% |
| Ease and Speed of Deployment | 7% | 4% | 4% | 4% |
| Topology and Data-Flow Mapping | 10% | 9% | 12% | 6% |
| Security Monitoring | 0% | 2% | 9% | 20% |
| Network Segmentation | 7% | 2% | 9% | 6% |
| Vulnerability Management | 0% | 20% | 9% | 6% |
| Threat Management | 0% | 20% | 8% | 6% |
| Security Frameworks | 3% | 3% | 3% | 3% |
| Enterprise IT Tools Integration | 13% | 5% | 9% | 20% |
| Ease of Administration | 10% | 10% | 7% | 10% |
| Risk Scoring | 10% | 7% | 12% | 7% |

Source: Gartner (March 2026)
This methodology requires analysts to identify the critical capabilities for a class of products/services. Each capability is then weighted in terms of its relative importance for specific product/service use cases.

Critical Capabilities Rating

Each of the products/services that meet our inclusion criteria has been evaluated on the critical capabilities on a scale from 1.0 to 5.0.

Table 2: Product/Service Rating on Critical Capabilities

| Critical Capabilities | Armis | Cisco | Claroty | Darktrace | Dragos | Forescout Technologies | Fortinet | Honeywell | Microsoft | Nozomi Networks | Palo Alto Networks | Tenable | TXOne Networks |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Asset Discovery | 3.8 | 2.5 | 3.9 | 2.5 | 3.2 | 3.5 | 3.5 | 2.8 | 2.5 | 3.9 | 3.0 | 3.2 | 3.4 |
| Asset Pedigrees and Attributes | 3.8 | 2.5 | 4.0 | 3.6 | 3.5 | 3.6 | 3.0 | 2.6 | 2.5 | 4.1 | 2.5 | 3.6 | 3.4 |
| Ease and Speed of Deployment | 3.8 | 2.5 | 3.3 | 3.4 | 3.7 | 3.7 | 3.5 | 2.7 | 3.0 | 3.9 | 3.0 | 3.3 | 3.7 |
| Topology and Data-Flow Mapping | 3.8 | 3.5 | 3.8 | 3.2 | 3.6 | 3.8 | 2.8 | 3.5 | 3.0 | 3.9 | 3.3 | 3.4 | 3.6 |
| Security Monitoring | 3.4 | 3.3 | 3.3 | 3.5 | 3.6 | 3.6 | 3.3 | 3.1 | 3.0 | 3.7 | 3.3 | 3.5 | 3.4 |
| Network Segmentation | 3.8 | 4.0 | 3.6 | 3.7 | 3.7 | 4.0 | 4.1 | 3.6 | 2.0 | 3.7 | 4.0 | 2.8 | 4.0 |
| Vulnerability Management | 3.8 | 3.0 | 3.8 | 3.6 | 3.9 | 3.8 | 3.5 | 3.6 | 3.0 | 3.9 | 3.3 | 3.9 | 3.5 |
| Threat Management | 4.0 | 3.0 | 3.8 | 3.9 | 4.2 | 3.9 | 3.8 | 3.5 | 2.5 | 4.1 | 3.0 | 3.9 | 3.8 |
| Security Frameworks | 4.2 | 2.8 | 4.1 | 3.9 | 4.2 | 4.1 | 4.1 | 3.2 | 2.8 | 4.2 | 3.0 | 3.8 | 3.8 |
| Enterprise IT Tools Integration | 4.1 | 3.3 | 4.0 | 4.0 | 4.0 | 4.1 | 3.9 | 3.6 | 4.0 | 3.9 | 3.6 | 3.9 | 3.6 |
| Ease of Administration | 4.1 | 4.1 | 4.1 | 4.0 | 4.0 | 4.0 | 4.0 | 2.6 | 4.1 | 4.1 | 4.1 | 4.0 | 3.8 |
| Risk Scoring | 4.2 | 2.8 | 4.1 | 4.1 | 4.0 | 4.1 | 3.8 | 3.4 | 2.5 | 4.2 | 3.0 | 3.6 | 4.0 |

Source: Gartner (March 2026)
Table 3 shows the product/service scores for each use case. The scores, which are generated by multiplying the use-case weightings by the product/service ratings, summarize how well the critical capabilities are met for each use case.

Table 3: Product Score in Use Cases

| Use Cases | Armis | Cisco | Claroty | Darktrace | Dragos | Forescout Technologies | Fortinet | Honeywell | Microsoft | Nozomi Networks | Palo Alto Networks | Tenable | TXOne Networks |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Discover and Map CPS Assets | 3.90 | 3.00 | 3.90 | 3.49 | 3.66 | 3.81 | 3.51 | 3.03 | 2.91 | 3.98 | 3.18 | 3.50 | 3.61 |
| Improve Threat and Vulnerability Management | 3.91 | 3.06 | 3.86 | 3.62 | 3.84 | 3.84 | 3.54 | 3.23 | 2.91 | 3.99 | 3.19 | 3.69 | 3.65 |
| Prioritize CPS Security Issues and Remediation | 3.88 | 3.12 | 3.83 | 3.61 | 3.77 | 3.84 | 3.54 | 3.21 | 2.88 | 3.95 | 3.25 | 3.55 | 3.66 |
| Monitor CPS Security; Align to Enterprise Efforts | 3.86 | 3.20 | 3.79 | 3.68 | 3.79 | 3.85 | 3.60 | 3.20 | 3.12 | 3.92 | 3.34 | 3.61 | 3.63 |

Source: Gartner (March 2026)
To determine an overall score for each product/service in the use cases, multiply the ratings in Table 2 by the weightings shown in Table 1.

Critical Capabilities Methodology

This methodology requires analysts to identify the critical capabilities for a class of products or services. Each capability is then weighted in terms of its relative importance for specific product or service use cases. Next, products/services are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities for each use case is then calculated for each product/service.
"Critical capabilities" are attributes that differentiate products/services in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.
In defining the product/service category for evaluation, the analyst first identifies the leading uses for the products/services in this market. What needs are end-users looking to fulfill, when considering products/services in this market? Use cases should match common client deployment scenarios. These distinct client scenarios define the Use Cases.
The analyst then identifies the critical capabilities. These capabilities are generalized groups of features commonly required by this class of products/services. Each capability is assigned a level of importance in fulfilling that particular need; some sets of features are more important than others, depending on the use case being evaluated.
Each vendor’s product or service is evaluated in terms of how well it delivers each capability, on a five-point scale. These ratings are displayed side-by-side for all vendors, allowing easy comparisons between the different sets of features.
Ratings and summary scores range from 1.0 to 5.0:
  • 1 = Poor or Absent: most or all defined requirements for a capability are not achieved
  • 2 = Fair: some requirements are not achieved
  • 3 = Good: meets requirements
  • 4 = Excellent: meets or exceeds some requirements
  • 5 = Outstanding: significantly exceeds requirements
To determine an overall score for each product in the use cases, the product ratings are multiplied by the weightings to come up with the product score in use cases.
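As an added worked example (not code from the Gartner report), the following Python recomputes the Table 3 use-case scores for four of the 13 vendors from the Table 1 weightings and Table 2 ratings transcribed above, after checking that every weighting row covers all 12 capabilities and sums to 100%. It assumes the published scores were derived from unrounded ratings, which is why it reports residuals rather than demanding exact equality.

```python
"""Recompute Table 3 (product score per use case) from Table 1 (weights) and
Table 2 (ratings): score = sum over capabilities of weight x rating."""

# The 12 critical capabilities, in the order the tables list them.
CAPABILITIES = [
    "Asset Discovery", "Asset Pedigrees and Attributes", "Ease and Speed of Deployment",
    "Topology and Data-Flow Mapping", "Security Monitoring", "Network Segmentation",
    "Vulnerability Management", "Threat Management", "Security Frameworks",
    "Enterprise IT Tools Integration", "Ease of Administration", "Risk Scoring",
]

# Table 1: weight (%) of each capability, in CAPABILITIES order, per use case.
WEIGHTS_PCT = {
    "Discover and Map CPS Assets":                       [20, 20, 7, 10, 0, 7, 0, 0, 3, 13, 10, 10],
    "Improve Threat and Vulnerability Management":       [9, 9, 4, 9, 2, 2, 20, 20, 3, 5, 10, 7],
    "Prioritize CPS Security Issues and Remediation":    [9, 9, 4, 12, 9, 9, 9, 8, 3, 9, 7, 12],
    "Monitor CPS Security; Align to Enterprise Efforts": [6, 6, 4, 6, 20, 6, 6, 6, 3, 20, 10, 7],
}

# Table 2: ratings (1.0-5.0), in CAPABILITIES order, for four of the 13 vendors.
RATINGS = {
    "Armis":           [3.8, 3.8, 3.8, 3.8, 3.4, 3.8, 3.8, 4.0, 4.2, 4.1, 4.1, 4.2],
    "Cisco":           [2.5, 2.5, 2.5, 3.5, 3.3, 4.0, 3.0, 3.0, 2.8, 3.3, 4.1, 2.8],
    "Microsoft":       [2.5, 2.5, 3.0, 3.0, 3.0, 2.0, 3.0, 2.5, 2.8, 4.0, 4.1, 2.5],
    "Nozomi Networks": [3.9, 4.1, 3.9, 3.9, 3.7, 3.7, 3.9, 4.1, 4.2, 3.9, 4.1, 4.2],
}

# Table 3: published scores, in WEIGHTS_PCT key order, for the same vendors.
PUBLISHED = {
    "Armis":           [3.90, 3.91, 3.88, 3.86],
    "Cisco":           [3.00, 3.06, 3.12, 3.20],
    "Microsoft":       [2.91, 2.91, 2.88, 3.12],
    "Nozomi Networks": [3.98, 3.99, 3.95, 3.92],
}

def weights_are_complete(weights_pct=WEIGHTS_PCT):
    """Each use case must weight all 12 capabilities and the weights must sum to 100%."""
    return all(len(w) == len(CAPABILITIES) and sum(w) == 100 for w in weights_pct.values())

def use_case_score(weights, ratings):
    """Weighted mean of the ratings; weights are percentages, hence the /100."""
    if len(weights) != len(ratings):
        raise ValueError("weights and ratings must cover the same capabilities")
    return sum(w * r for w, r in zip(weights, ratings)) / 100

def score_vendor(vendor, ratings=RATINGS):
    """All four use-case scores for one vendor, rounded to two decimals as in Table 3."""
    return {uc: round(use_case_score(w, ratings[vendor]), 2) for uc, w in WEIGHTS_PCT.items()}

def residuals_vs_published():
    """computed - published, per vendor and use case. Residuals of a few hundredths
    are expected: Table 2 shows ratings rounded to one decimal, so the published
    scores were presumably derived from unrounded values (an assumption)."""
    return {
        vendor: {uc: round(score_vendor(vendor)[uc] - p, 2) for uc, p in zip(WEIGHTS_PCT, pub)}
        for vendor, pub in PUBLISHED.items()
    }
```

Running `residuals_vs_published()` shows every recomputed score landing within 0.02 of the published value, so the tables are internally consistent once rounding of the displayed ratings is allowed for.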
The critical capabilities Gartner has selected do not represent all capabilities for any product; therefore, they may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making a product/service decision.