
OT Compliance Management Built for Consultants

Manage compliance assessments, track incidents, and generate audit documentation for all your industrial clients — across every major OT/ICS framework. No spreadsheets. No manual tracking. Assessment-ready documentation in one click. Designed for multi-client consulting practices.


Trusted across critical infrastructure industries

  • Oil & Gas
  • Electric Utilities
  • Water Systems
  • Chemical Processing
  • Transportation
  • Manufacturing

Built for professionals who protect critical infrastructure

  • Multi-client portfolio management in one dashboard
  • AI-powered gap analysis and audit reports
  • Covers every major ICS/OT framework
  • Evidence tracking with expiry alerts
  • ATT&CK for ICS threat mapping
  • 90-day compliance forecasting

Everything you need for OT compliance

A purpose-built platform for industrial cybersecurity professionals managing multiple clients.

Multi-Framework Compliance

Track assessments across NERC CIP, IEC 62443, NIST 800-82, IEC 61511, CMMC 2.0, and more — all in one Command Center.

Incident & Vulnerability Tracking

Log and manage OT/ICS security incidents across your entire client portfolio with severity classification and NVD CVE scanning.

AI-Generated Audit Reports

Generate executive briefs, full audit reports, and gap analyses instantly using AI trained on OT compliance frameworks.

Live Regulatory Feed

Stay current with CISA KEV alerts, NVD ICS advisories, and framework updates — automatically refreshed every 6 hours.

Portfolio Command Center

Manage all your client companies from a single dashboard with cross-portfolio risk scoring and benchmarking.

Full OT Asset Coverage

Covers SCADA, ICS, DCS, PLCs, RTUs, SIS, BAS — the complete operational technology spectrum with Purdue Model visualization.

Trusted by OT Security Professionals

OT Comply cut our assessment documentation time by 60%. The AI report generation alone is worth the entire subscription.

Marcus Rodriguez, Senior OT Security Consultant

Finally a platform that understands the difference between NERC CIP and IEC 62443. Our audit prep went from weeks to days.

Sarah Chen, Director of ICS Compliance, Gulf Coast Energy

The ATT&CK for ICS mapping and CVE scanning give our clients a level of insight they've never had before.

James Whitfield, Principal Consultant, Nordic Grid Security

Plans for every OT compliance need

All plans require admin approval. Contact us after signing up to activate your account.

Individual Plan — $299/month

For companies doing their own OT compliance self-assessments. Covers 1 framework and 1 client portfolio. Includes self-assessments, incident and asset tracking, and downloadable PDF reports.

Consultant Plan — $599/month (Most Popular)

For OT/ICS security consultants managing multiple industrial clients. Unlimited client portfolios, all frameworks, AI gap analysis, AI auto-assessment engine, remediation task generator, 90-day compliance forecast, and live CISA/NVD feed.

Firm Plan — $1,999/month

For consulting firms running multi-consultant OT compliance practices. Up to 5 consultant seats, white-label reports, and priority support.

Supported OT/ICS Compliance Frameworks

  • NERC CIP
  • IEC 62443
  • NIST SP 800-82
  • ISA/IEC 62443
  • IEC 61511
  • NIST CSF
  • ISO/IEC 27001
  • CMMC 2.0

Frequently Asked Questions about OT Comply

What is OT Comply and who is it for?

OT Comply is a multi-tenant compliance management platform designed specifically for OT/ICS cybersecurity consultants and consulting firms. It helps you manage compliance assessments, track incidents, generate AI-powered audit reports, monitor asset vulnerabilities, manage SBOM per device, and build post-quantum cryptography inventories across all your industrial clients — covering SCADA, ICS, DCS, PLCs, RTUs, SIS, and BAS systems — from a single portfolio dashboard.

Which compliance frameworks does OT Comply support?

OT Comply natively supports all major OT/ICS cybersecurity frameworks: NERC CIP, IEC 62443, NIST SP 800-82, ISA/IEC 62443, IEC 61511 (Functional Safety / SIS), NIST Cybersecurity Framework (CSF), ISO/IEC 27001, and CMMC 2.0. Custom frameworks are also supported for clients with bespoke requirements.

What is the Post-Quantum Cryptography (PQC) Inventory feature?

The PQC Inventory lets you document every cryptographic algorithm in use across a client's OT assets — built entirely from vendor datasheets, firmware changelogs, and protocol specifications, with no scanning of OT systems required. OT Comply auto-classifies each algorithm against NIST IR 8547 and NSA CNSA 2.0 (vulnerable, conditional, or safe), recommends NIST PQC replacements (ML-KEM, ML-DSA, SLH-DSA under FIPS 203/204/205), and calculates a 'Harvest Now Decrypt Later' risk score weighted by Purdue level and asset criticality. It also includes an AI extraction tool — paste vendor document text and the AI identifies all cryptographic algorithms automatically.

Does OT Comply require scanning or installing agents on OT systems?

No. OT Comply is a documentation-driven platform by design. Asset inventories, SBOM entries, cryptographic inventories, and compliance assessments are all built from vendor documentation, network diagrams, firmware changelogs, and consultant knowledge — not live scanning. This is intentional: most OT environments cannot safely support network scanning or agent installation on safety-critical systems.

How does the AI gap analysis and audit report generation work?

OT Comply uses AI (powered by Anthropic Claude) to analyze your assessment data and identify control gaps across your chosen frameworks. It produces prioritized remediation roadmaps with task assignments, detailed gap analyses, and full executive audit reports — all streamed directly in the platform in seconds. Beyond gap analysis, the document-driven assessment feature evaluates each control against your uploaded policies and SOPs (PDFs, text, or markdown) — Claude reads the relevant document text, recommends a status per control, and cites the supporting evidence. Per-document summaries and per-control verdicts are cached, so re-running the assessment after a single document update only re-evaluates what changed. There's also AI-powered incident triage and AI extraction of cryptographic algorithms from vendor documents.

How is OT Comply different from general GRC tools?

General GRC tools are built for IT and enterprise compliance. OT Comply is purpose-built for operational technology: it understands the Purdue Reference Model, supports OT-specific frameworks like NERC CIP and IEC 62443, includes ATT&CK for ICS threat mapping, integrates with NVD for ICS-specific CVE scanning, includes a post-quantum cryptography inventory (unique to OT Comply), and is designed for multi-client consulting practices — not internal IT teams.

Can OT Comply manage compliance for multiple industrial clients simultaneously?

Yes — multi-client portfolio management is the core of OT Comply. The Command Center gives you a unified view across all clients with aggregate compliance scores, risk metrics, active alerts, and upcoming deadlines. The Professional and Enterprise plans support unlimited client portfolios with full engagement timelines, milestone tracking, and evidence management per client.

What does the OT asset inventory, SBOM, and CVE scanning include?

The asset inventory covers the full OT technology stack — SCADA servers, HMIs, PLCs, RTUs, DCS controllers, SIS systems, and BAS devices — organized using the Purdue Reference Model (Levels 0–4 plus DMZ). Each asset supports a Software Bill of Materials (SBOM) for tracking component versions, EOL dates, and CVE counts. You can import CycloneDX 1.4+ BOMs directly, auto-correlate every component against the CISA Known Exploited Vulnerabilities (KEV) catalog, and score each finding with the CISA SSVC decision tree (Act / Attend / Track* / Track) using Purdue level and asset criticality. Individual assets can also be scanned against the NVD for CVEs specific to their vendor, product, and firmware version.
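The import-and-correlate step described above, as an added example that is not OT Comply's code: it reads a CycloneDX 1.4 JSON BOM, matches each component's vendor and product (from its CPE 2.3 string or purl) against KEV-style records, and assigns a simplified SSVC-style decision from Purdue level and asset criticality. The BOM, the KEV records and the CVE ids are constructed placeholders, and the decision policy is this example's own simplification, not CISA's full deployer tree. Because KEV records carry no version range, every hit is flagged as needing version confirmation against NVD.

```javascript
// Added example (not OT Comply's code): CycloneDX -> KEV correlation with a
// simplified SSVC-style decision. Sample data below is constructed.

// Constructed CycloneDX 1.4 BOM for one asset (field names follow the spec).
const SAMPLE_BOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.4',
  components: [
    { type: 'firmware', name: 'ExamplePLC Firmware', version: '4.2.1',
      cpe: 'cpe:2.3:o:examplevendor:exampleplc_firmware:4.2.1:*:*:*:*:*:*:*' },
    { type: 'library', name: 'openssl', version: '1.1.1k', purl: 'pkg:generic/openssl@1.1.1k' },
    { type: 'application', name: 'ExampleHMI', version: '7.0',
      cpe: 'cpe:2.3:a:examplevendor:examplehmi:7.0:*:*:*:*:*:*:*' },
  ],
};

// Constructed KEV-style records (field names mirror the CISA KEV JSON feed;
// the CVE ids are placeholders, not real entries).
const SAMPLE_KEV = [
  { cveID: 'CVE-0000-00001', vendorProject: 'ExampleVendor', product: 'ExamplePLC Firmware',
    knownRansomwareCampaignUse: 'Unknown' },
  { cveID: 'CVE-0000-00002', vendorProject: 'ExampleVendor', product: 'ExampleHMI',
    knownRansomwareCampaignUse: 'Known' },
];

// Normalise names so "ExamplePLC Firmware" and "exampleplc_firmware" compare equal.
const norm = (s) => (s || '').toLowerCase().replace(/[^a-z0-9]/g, '');

// Extract (vendor, product) from a component's CPE 2.3 string, else its purl, else its name.
function componentIdentity(c) {
  if (c.cpe) {
    const parts = c.cpe.split(':'); // cpe:2.3:part:vendor:product:version:...
    if (parts.length >= 5) return { vendor: norm(parts[3]), product: norm(parts[4]) };
  }
  if (c.purl) {
    const m = /^pkg:([^/]+)\/(?:([^/]+)\/)?([^@]+)@/.exec(c.purl);
    if (m) return { vendor: norm(m[2] || ''), product: norm(m[3]) };
  }
  return { vendor: '', product: norm(c.name) };
}

// Index KEV by vendor|product and look every BOM component up in it.
function correlateKev(bom, kev) {
  const index = new Map();
  for (const k of kev) {
    const key = `${norm(k.vendorProject)}|${norm(k.product)}`;
    if (!index.has(key)) index.set(key, []);
    index.get(key).push(k);
  }
  const findings = [];
  for (const c of bom.components || []) {
    const { vendor, product } = componentIdentity(c);
    for (const k of index.get(`${vendor}|${product}`) || []) {
      findings.push({
        component: c.name, version: c.version, cveID: k.cveID,
        exploitation: 'active', // KEV listing means observed exploitation
        ransomware: k.knownRansomwareCampaignUse === 'Known',
        needsVersionConfirmation: true, // KEV has no version range; confirm via NVD
      });
    }
  }
  return findings;
}

// Simplified SSVC-style mapping (this example's own policy, not CISA's full
// deployer tree): Purdue level and criticality stand in for exposure and human impact.
function ssvcDecision(finding, asset) {
  if (finding.exploitation !== 'active') return 'Track';
  const safetyAdjacent = asset.purdueLevel <= 1; // Level 0/1: physical process and control
  if (asset.criticality === 'high' || safetyAdjacent) return 'Act';
  if (asset.criticality === 'medium' || finding.ransomware) return 'Attend';
  return 'Track*';
}

function scoreAsset(bom, kev, asset) {
  return correlateKev(bom, kev).map((f) => ({ ...f, decision: ssvcDecision(f, asset) }));
}
```

Running `scoreAsset(SAMPLE_BOM, SAMPLE_KEV, { purdueLevel: 1, criticality: 'high' })` yields two findings, both `Act`; the same BOM on a Level 3, low-criticality asset yields `Track*` for the firmware and `Attend` for the HMI because of the ransomware flag. The openssl component produces no finding since the constructed catalogue has no entry for it.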

Can OT Comply produce a regulator-ready evidence package for an audit?

Yes — the Evidence Bundle feature generates a single auditor-ready ZIP per framework with one click. Each bundle contains a machine-readable manifest, an executive narrative, the full control register, an exception register, the incident log, and every linked evidence file pulled from secure object storage. Bundles are pre-formatted for NERC CIP, TSA Pipeline, EU NIS2, and other major OT audit programs, and are retained for 90 days with audit-trail metadata.

Are evidence bundles cryptographically signed and timestamped?

Yes. Every bundle hashes each ZIP entry with SHA-256, signs the manifest with an Ed25519 key, and obtains an RFC 3161 trusted timestamp from FreeTSA.org — the signature.json and timestamp.tsr are embedded directly in the ZIP. Each new bundle also chains to the SHA-256 of the previous bundle for that client, producing a tamper-evident, append-only evidence chain. Auditors can verify with the public key exposed at /api/audit-packages/signing-key. The manifest also includes a per-control crosswalk to NERC CIP v7, IEC 62443-3-3, NIST 800-82r3, TSA Pipeline SD-02C, and EU NIS2 references.

How do I share an evidence pack with an external auditor who doesn't have a login?

From the Audit Package tab, click Share to mint a time-bounded download link (default 7 days, configurable). The link is an HMAC-signed token validated against a server-side hash and rate-limited; auditors download the signed ZIP without a Replit or Clerk account. Every download is logged with timestamp and IP, and you can revoke a link instantly from the same dialog.

How does OT Comply protect our data when calling third-party AI providers?

Every AI call — gap analysis, incident triage, tabletop generation, and config-drift narratives — is wrapped in a reversible redaction layer before leaving our servers. IPs, IPv6, MAC addresses, emails, hostnames, framework control IDs, and asset names from your inventory are tokenized (e.g. ASSET_a1b2, IP_c3d4) and per-client custom regex patterns can be added. Each call writes an auditable trace (surface, entity counts, redacted/original length) to the Redaction Audit Trail tab, and the rehydration mapping is stored server-side so values can be reversed when needed.

Where do you keep track of third-party AI and cloud vendors that touch our data?

The AI/Cloud Vendor Risk Registry is an org-scoped catalogue of every external AI, cloud, OT-SaaS, storage, identity, and data-feed provider. It tracks SOC 2 / ISO 27001 / FedRAMP attestation status and expiry, DPA on-file with document URL, region and data residency, OT-data sensitivity (none / metadata / full / restricted), contract renewal calendar, monthly spend, internal owner, and a four-tier risk rating. Procurement, legal, and the CISO finally share a single source of truth — with renewal and attestation-expiry warnings on the dashboard.

How does the AI tabletop exercise generator work?

The tabletop generator produces framework-aligned exercises (IEC 62443, NERC CIP, NIST 800-82, etc.) grounded in the client's actual assets, network zones, and conduits — not generic templates. You pick a scenario type (ransomware, supply-chain, insider, physical) and difficulty, and the AI streams a complete exercise in real time: scenario background, objectives, participant roles, a timed inject timeline with decision points, discussion questions, expected actions, success criteria, hotwash questions, and explicit mapping of injects to specific framework controls.

What is config-audit drift forensics?

Every PCAP configuration audit run is persisted as a snapshot. The drift forensics view diffs the two most recent snapshots and highlights exactly what changed: added or removed firewall rules, new or resolved findings, zone additions and deletions. An optional AI narrative explains the change in plain language — what drifted, why it matters, and which controls or attack paths it affects. It lets consultants answer the regulator's favourite question: 'what changed since the last audit?'

Is there a free trial or demo available?

Access to OT Comply requires admin approval to ensure the platform is used by qualified OT/ICS security professionals. Sign up and your account will be reviewed and activated within one business day. Contact us to arrange a guided demo before committing to a plan.