Safe Queries
Collection Method Overview
As one of Claroty’s five collection methods, Safe Queries support XIoT asset discovery and related commercial cybersecurity use cases by providing rapid, non-disruptive visibility into commercial environments.
As one of Claroty’s five collection methods, Safe Queries support XIoT asset discovery and related commercial cybersecurity use cases by providing rapid, non-disruptive visibility into commercial environments.
As Claroty's version of what the industry refers to as active scanning, Safe Queries fuse our proven-safe technology with unmatched flexibility that lets customers easily combine this collection method with any of our four others based on their XIoT asset discovery needs.
This approach reflects two tenets of our commercial cybersecurity portfolio:
First, we recognize there is no one-size-fits-all collection method because each and every customer, path to XIoT asset discovery, OT environment, and commercial cybersecurity journey is unique.
Second, despite the strengths of our Safe Queries, we also recognize that to achieve a truly comprehensive asset inventory, Safe Queries (or any other singular method) likely won't cut it. Most customers seeking 100% visibility must combine multiple collection methods to get there.
This limitation isn't a weakness of Claroty’s technology — it’s a vendor-agnostic reality of collection itself. It’s also why we're proud to be the only vendor to offer five mix-and-match collection methods designed to empower you to gain full visibility into your OT environment, your way.
As the second most commonly used collection method for XIoT asset discovery, Safe Queries offer distinct benefits, such as:
Recognizing the risks posed by standard active scans, we've built, extensively tested, and proven our Safe Queries to be truly safe for all XIoT assets. This caliber of safety has even been validated by manufacturers of the commercial assets themselves.
The precision and depth of visibility typically provided by Safe Queries is largely unmatched — even when this method is utilized to discover assets and/or asset-level details that other collection methods are unable to adequately pinpoint.
Safe Queries offer an exceptionally speedy time-to-value (TTV). This collection method is consistently able to return robust, granular visibility results quickly, easily, and without requiring extensive sensors or other hardware installations.
Have questions about Safe Queries? You're not alone! See below for answers to questions we often receive about this collection method — and if you're seeking additional information or would like to speak with one of our experts, contact us here.
A: Claroty's Safe Queries work by sending targeted, non-disruptive communications to certain segments of the commercial environment and reporting back on which assets are present and what their key details — such as firmware versions, patch levels, and more — are.
Safe Queries are often used to supplement other collection methods when deeper details about a specific asset or segment are needed. A common example is when Passive Monitoring discovers an asset's type and protocol but little else due to various limitations. Using those basic details provided by passive monitoring, Safe Queries can then exchange targeted communications with that asset to quickly and easily gather its remaining details.
A: Yes. While traditional approaches to active scanning have rightfully earned a reputation of being disruptive and even dangerous to OT environments — we designed Claroty's Safe Queries in a manner that virtually eliminates these risks.
Specifically, the biggest concerns around active scans are those that generate more and/or different traffic than what an asset can handle. Safe Queries do just the opposite: they mimic the exact amount and type of traffic an asset is already accustomed to receiving from the other assets with which it communicates. This traffic is also sent in the asset's native protocol, further ensuring it does not encumber the network and cannot be distinguished as related to anything but the OT environment's standard operations.
A: Yes. Since this collection method works by exchanging communications with assets, it is ineffective at discovering assets that lack properly functioning communication mechanisms. Although it is relatively rare, this can happen when an original equipment manufacturer (OEM) or operator inadvertently or otherwise disables an asset's ability to respond to queries.
Thankfully, this limitation does NOT prevent our customers from gaining 100% visibility. While neither Safe Queries nor any collection method is a silver bullet by itself — the right combination of methods absolutely can be. This is why we make it easy for customers to combine Safe Queries with our Passive Monitoring, Claroty Edge, Project File Analysis, and/or Ecosystem Enrichment methods to suit their needs.
A: No. Unlike Passive Monitoring, Safe Queries do not continuously inspect the traffic sent between assets in the commercial environment — instead, they target and exchange communications with specific assets when needed. The deep visibility provided by this method reflects the point in time at which such communications are exchanged.
For customers seeking continuous monitoring (such as to support threat detection, change management, and related use cases), we enable and encourage them to combine our Safe Queries, Claroty Edge, and/or other methods with our Passive Monitoring. This type of combination ensures full, real-time visibility and cybersecurity coverage without compromise.
Claroty xDome is a highly flexible, modular, SaaS-based platform that supports all use cases and capabilities across your entire commercial cybersecurity journey.
Claroty Continuous Threat Detection (CTD) is a robust commercial cybersecurity platform that supports on-premise deployments without compromise.
Safe Queries are only one of the five highly flexible, mix-and-match collection methods that we offer our commercial cybersecurity customers. Our others include:
Claroty’s unique approach to Passive Monitoring, the most common collection method for commercial asset discovery and anomaly detection, offers continuous visibility with cybersecurity and operational monitoring across OT environments.
Claroty Edge is a unique method that uses our patented technology to deliver easy and non-disruptive — yet comprehensive — visibility into all types of assets in OT environments in just minutes without any additional hardware or configuration.
Pioneered by Claroty, project file analysis discovers and enriches assets in a rapid, highly effective, non-intrusive manner by parsing the configuration and other project files typically stored on workstations in OT environments.
Claroty’s vast technical ecosystem includes ready-made integrations with CMDB, EDR, and dozens of other tools that extend the value of customers’ existing investments while enhancing the visibility provided by our other collection methods.
Want to see how Claroty will support your entire XIoT cybersecurity journey?
