Continuous Threat Detection

Continuous Threat Detection (CTD) is the foundation of The Claroty Platform.


Continuous Threat Detection: Data Sheet

Continuous Threat Detection extends fundamental cybersecurity controls to industrial networks.


Feature Spotlight: Process Values


Use Case: Incident Response for Remote User Activity

This use case example demonstrates how The Claroty Platform's SRA and CTD components can enable IT and OT personnel to respond to incidents related to unauthorized activity from OT remote users.


Claroty Support for the MITRE ATT&CK for ICS Framework: White Paper

This paper details the extent that The Claroty Platform can detect adversary techniques listed in MITRE ATT&CK for ICS framework.


CTD provides fundamental cybersecurity controls that support the REVEAL, PROTECT, DETECT, CONNECT framework for industrial networks.

Effective industrial cybersecurity starts with knowing what needs to be secured. But unlike their IT counterparts, most industrial networks are inherently fragile and utilize proprietary protocols that make industrial assets and the processes they underpin tough to identify. Here’s how CTD empowers you to overcome this challenge:

  • The industry’s largest library of proprietary protocols and three distinct scanning methods enable CTD to offer 100% visibility into all three variables of risk in your industrial network: OT, IoT, and IIoT assets, connections, and processes.
  • This caliber of visibility is unmatched in terms of both breadth and depth. It extends to serial networks, the most granular details of each industrial asset, all actions taken and changes made during network sessions, and even the code sections and tag values of all industrial processes.
  • CTD’s Enterprise Management Console (EMC) ensures this visibility scales and can be effortlessly managed across all connected sites. It creates a single source of truth for all OT, IoT, and IIoT asset information and offers both pre-built and customizable reporting suitable for executive-level consumption.

Segmentation is an essential industrial cybersecurity control, but traditional means of segmenting industrial networks are prohibitively costly, time-intensive, and typically require considerable downtime. CTD’s Virtual Zones feature changes this. Here’s how:

  • CTD uses AI to segment your entire network into Virtual Zones, which are policy-defined groups of assets that communicate with one other under normal circumstances.
  • If you lack physical or logical segmentation, you can use Virtual Zones as a cost-effective, efficient alternative that offers comparable capabilities at a fraction of the cost.
  • If you are seeking to implement physical or logical segmentation due to regulatory requirements or other purposes, you can significantly accelerate these initiatives by using Virtual Zones as the blueprint.
  • Malicious or otherwise abnormal activity that violates Virtual Zones policies will immediately trigger an alert that is contextualized and scored based on risk to support prioritization and response efforts.
  • You can easily integrate CTD with your existing firewalls and NAC solutions to proactively enforce Virtual Zones policies and automatically mitigate active attacks.

Unpatched vulnerabilities and other security weaknesses are uniquely prevalent in industrial networks due to their visibility limitations, tendency to rely on legacy systems, and limited windows when patching can occur. These characteristics create a considerable amount of inherent risk that can be difficult to grasp, much less manage. Here’s how CTD can help:

  • CTD compares the granular details of each industrial asset to an extensive database of insecure protocols, misconfigurations, and vulnerabilities tracked by Claroty, as well as to the latest CVE data from The NVD, to rapidly pinpoint your network’s vulnerabilities with unmatched precision.
  • Vulnerability alerts triggered by CTD are automatically contextualized and scored based on the unique risk they pose to your specific network, enabling you to more easily and effectively prioritize and remediate or otherwise compensate for those that matter most.
  • CTD’s Attack Vector Mapping feature uses AI to analyze all vulnerabilities and corresponding risks in your network to determine the likeliest paths through which an attacker could compromise it. This information further enhances your ability to focus on the vulnerabilities that matter most.
  • The CTD Enterprise Management Console (EMC) includes Global Custom Attributes, a feature that enables you to enrich assets across all sites with custom-defined attributes such as business criticality, asset owner, and other context to drive prioritization and remediation efforts.
  • All of CTD’s risk and vulnerability management capabilities are backed by the award-winning Claroty Research Team. As the market leader in industrial vulnerability disclosures, the team was the first to develop, release—and make immediately available to Claroty customers—signatures for the notorious Ripple20, Wibu, and the threat actors that target these vulnerabilities.

No industrial network is immune to threats, so being able to detect and respond to them quickly and effectively when they surface is imperative. It is also difficult due to the unique specifications of industrial networks and the threats that target them. CTD empowers you with a resilient threat detection model that circumvents these challenges. Here’s how:

  • CTD monitors your network for all five signs of potential threats, which include:
    • 1. Early indicators of attack, such as abnormal DNS scans or failed login attempts
    • 2. The presence of known threat signatures via the latest Snort and YARA rules, including proprietary ones developed by The Claroty Research Team
    • 3. Behavioral anomalies associated with zero-day attacks, such as atypical communication between assets
    • 4. Engineering operations associated with advanced persistent threat (APT) activity, such as unexpected process value changes
    • 5. Any activity or indicator that meets your custom-defined criteria
  • CTD automatically weeds out false positives and consolidates all interrelated events into a single alert. Not only does this help optimize your prioritization and response, but it also reduces alert fatigue and gives you more time to focus on the threats that matter most.
  • Powered by The Claroty Cloud, CTD’s Wisdom of the Crowd feature enriches alerts with reputational context culled from similar events observed across Claroty’s vast customer base. This rapid insight into the validity of an incident can help further optimize your prioritization and response efforts.
  • CTD is fully integrated with Secure Remote Access (SRA) to form our platform, which means you can detect and respond to incidents related to SRA users’ activity directly from the EMC. If a remote user makes an unauthorized change, you will have the option to monitor and disconnect that user’s session.
  • Since these capabilities are all fueled by the renowned Claroty Research Team, you will always have the latest threat signatures and remediation guidance both at your fingertips and built-in to your industrial network’s defenses.


CTD’s intuitive interface offers a single-pane view into all assets, processes, sessions, and related risks & vulnerabilities in industrial networks.

CTD Feature Spotlight

Visit our blog to learn more about the specific features that set CTD apart

Visit Our Blog

What They Are Saying About Us

“Claroty excels at handling the myriad of proprietary industrial protocols and asset identification. Reference customers reported no issues with unsupported protocols and high satisfaction with The Claroty Platform’s asset identification capabilities.” —The Forrester Wave™: Industrial Control Systems (ICS) Security Solutions, Q4 2021

Request a Demo