Claroty Named a Strong Performer in The Forrester Wave™: Operational Technology Security Solutions, Q2 2024
Download the Report
Claroty Toggle Search

Safe Queries

Collection Method Overview

As one of Claroty’s five collection methods, Safe Queries support XIoT asset discovery and related industrial cybersecurity use cases by providing rapid, non-disruptive visibility into industrial environments.

About Safe Queries

As Claroty's version of what the industry refers to as active scanning, Safe Queries fuse our proven-safe technology with unmatched flexibility that lets customers easily combine this collection method with any of our four others based on their XIoT asset discovery needs.

This approach reflects two tenets of our industrial cybersecurity portfolio:

First, we recognize there is no one-size-fits-all collection method because each and every customer, path to XIoT asset discovery, OT environment, and industrial cybersecurity journey is unique.

Second, despite the strengths of our Safe Queries, we also recognize that to achieve a truly comprehensive asset inventory, Safe Queries (or any other singular method) likely won't cut it. Most customers seeking 100% visibility must combine multiple collection methods to get there.

This limitation isn't a weakness of Claroty’s technology — it’s a vendor-agnostic reality of collection itself. It’s also why we're proud to be the only vendor to offer five mix-and-match collection methods designed to empower you to gain full visibility into your OT environment, your way.

Key Benefits of Safe Queries

As the second most commonly used collection method for XIoT asset discovery, Safe Queries offer distinct benefits, such as:


Recognizing the risks posed by standard active scans, we've built, extensively tested, and proven our Safe Queries to be truly safe for all XIoT assets. This caliber of safety has even been validated by manufacturers of the industrial assets themselves.


The precision and depth of visibility typically provided by Safe Queries is largely unmatched — even when this method is utilized to discover assets and/or asset-level details that other collection methods are unable to adequately pinpoint.


Safe Queries offer an exceptionally speedy time-to-value (TTV). This collection method is consistently able to return robust, granular visibility results quickly, easily, and without requiring extensive sensors or other hardware installations.

Safe Queries FAQ

Have questions about Safe Queries? You're not alone! See below for answers to questions we often receive about this collection method — and if you're seeking additional information or would like to speak with one of our experts, contact us here.

Q: How do Safe Queries work?

A: Claroty's Safe Queries work by sending targeted, non-disruptive communications to certain segments of the industrial environment and reporting back on which assets are present and what their key details — such as firmware versions, patch levels, and more — are.

Safe Queries are often used to supplement other collection methods when deeper details about a specific asset or segment are needed. A common example is when Passive Monitoring discovers an asset's type and protocol but little else due to various limitations. Using those basic details provided by passive monitoring, Safe Queries can then exchange targeted communications with that asset to quickly and easily gather its remaining details.

Clarory customers often use Safe Queries to supplement our other collection methods, such as Passive Monitoring, to rapidly discover all XIoT assets in their industrial environments.
CISA's latest Cybersecurity and Infrastructure Security Agency (CISA) guidance documents in this comprehensive blog post

Q: Are Safe Queries truly safe for OT?

A: Yes. While traditional approaches to active scanning have rightfully earned a reputation of being disruptive and even dangerous to OT environments — we designed Claroty's Safe Queries in a manner that virtually eliminates these risks.

Specifically, the biggest concerns around active scans are those that generate more and/or different traffic than what an asset can handle. Safe Queries do just the opposite: they mimic the exact amount and type of traffic an asset is already accustomed to receiving from the other assets with which it communicates. This traffic is also sent in the asset's native protocol, further ensuring it does not encumber the network and cannot be distinguished as related to anything but the OT environment's standard operations.

Q: Are there any limitations with Safe Queries?

A: Yes. Since this collection method works by exchanging communications with assets, it is ineffective at discovering assets that lack properly functioning communication mechanisms. Although it is relatively rare, this can happen when an original equipment manufacturer (OEM) or operator inadvertently or otherwise disables an asset's ability to respond to queries.

Thankfully, this limitation does NOT prevent our customers from gaining 100% visibility. While neither Safe Queries nor any collection method is a silver bullet by itself — the right combination of methods absolutely can be. This is why we make it easy for customers to combine Safe Queries with our Passive Monitoring, Claroty Edge, Project File Analysis, and/or Ecosystem Enrichment methods to suit their needs.

Every collection method — whether from Claroty or elsewhere — has its limitations, which is why we're proud to offer our customers multiple, mix-and-match collection methods that empower them with 100% visibility as the foundation of their industrial cybersecurity journeys.

Q: Do Safe Queries support continuous monitoring?

A: No. Unlike Passive Monitoring, Safe Queries do not continuously inspect the traffic sent between assets in the industrial environment — instead, they target and exchange communications with specific assets when needed. The deep visibility provided by this method reflects the point in time at which such communications are exchanged.

For customers seeking continuous monitoring (such as to support threat detection, change management, and related use cases), we enable and encourage them to combine our Safe Queries, Claroty Edge, and/or other methods with our Passive Monitoring. This type of combination ensures full, real-time visibility and cybersecurity coverage without compromise.

Our Industrial Products that offer Safe Queries

Claroty xDome

Claroty xDome is a highly flexible, modular, SaaS-based platform that supports all use cases and capabilities across your entire industrial cybersecurity journey.

Claroty CTD

Claroty Continuous Threat Detection (CTD) is a robust industrial cybersecurity platform that supports on-premise deployments without compromise.

Learn about our other Collection Methods

Safe Queries are only one of the five highly flexible, mix-and-match collection methods that we offer our industrial cybersecurity customers. Our others include:

Passive Monitoring

Claroty’s unique approach to Passive Monitoring, the most common collection method for industrial asset discovery and anomaly detection, offers continuous visibility with cybersecurity and operational monitoring across OT environments.

Claroty Edge

Claroty Edge is a unique method that uses our patented technology to deliver easy and non-disruptive — yet comprehensive — visibility into all types of assets in OT environments in just minutes without any additional hardware or configuration.

Project File Analysis

Pioneered by Claroty, project file analysis discovers and enriches assets in a rapid, highly effective, non-intrusive manner by parsing the configuration and other project files typically stored on workstations in OT environments.

Ecosystem Enrichment

Claroty’s vast technical ecosystem includes ready-made integrations with CMDB, EDR, and dozens of other tools that extend the value of customers’ existing investments while enhancing the visibility provided by our other collection methods.

Explore Additional Resources

Claroty xDome - Industrial Cyber-Physical Security Platform
Platform Overview

Claroty xDome

Read More
Blog / 8 min read

Extended Internet of Things (XIoT) FAQ

Read More
How to Accelerate OT Industrial Network Segmentation
Blog / 7 min read

How to Accelerate OT Industrial Network Segmentation

Read More
xDome Secure Access Continuous Threat Detection (CTD)

Claroty Demo

Want to see how Claroty will support your entire XIoT cybersecurity journey?

LinkedIn Twitter YouTube Facebook