MarlinSpike Passive OT/ICS Topology Workbench
About the platform

MarlinSpike is a passive OT/ICS topology mapper and analyst workbench.

The product takes packet captures in, sends no traffic back into the environment, and turns passive observations into topology, asset inventory, responder-grade findings, and portable JSON report artifacts. It is the open-source core behind Fathom and is intentionally built as a shared web workbench rather than a single-user thick client.

Screenshot: map-first workbench with topology canvas and lens chip strip
Map-first workbench: persistent topology canvas with multi-lens overlays.

Screenshot: report viewer rendering a JSON report artifact
Portable JSON report: the contract boundary between engine and reviewer.

Screenshot: asset ledger with project-scoped inventory
Asset ledger: project-scoped inventory, deduplicated by MAC first, then by IP.

Screenshot: findings pane ranked by contextual severity
Findings, ranked by context: severity is bumped by asset criticality rather than taken from raw rule output.
Lineage

The modern GrassMarlin, built for shared engagements.

MarlinSpike picks up where GrassMarlin left off. Same first principle — passive OT/ICS visibility from packet captures alone — but rebuilt for the way responders actually work today: a shared web workbench instead of a single-user thick client, a portable JSON report contract instead of a session-bound view, and a multi-stage extensibility model that takes Rust engines, Python plugins, and YAML rule packs.

We're not a fork; we're a successor. The product is independent code, ground-up architecture, and a deliberate alignment with what GrassMarlin originally promised the OT community: passive analysis, vendor-neutral protocol coverage, and tooling that respects the operational reality of the plant floor.

Passive only, multi-user workbench, portable JSON report, OT-native protocol coverage, open source
Product boundary

The report artifact is the contract

MarlinSpike keeps the engine standalone and treats the generated report artifact as the handoff between packet analysis and downstream review.

Project → Scan → Report → Workbench → Triage
Deployment model

Designed for temporary field hosts and team access

The preferred install path is a reverse-proxied Docker Compose deployment that multiple responders can share during an assessment, outage investigation, or tabletop.

Docker Compose, shared URL, zero-JS core
5-stage analysis chain

From raw capture to responder-facing output.

The analysis pipeline stays intentionally legible: ingest and validation, protocol dissection, topology building, risk surfacing, and report generation.

Stage 1: Ingest
Stage 2: Dissect
Stage 3: Topology
Stage 4: Risk
Stage 5: Report
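The five-stage chain above, together with the asset-ledger dedupe (MAC first, then IP) and the context-ranked severity described in the workbench tiles, as one runnable sketch. This is example code written for this page, not MarlinSpike's engine or report format: the record shape handed from dissection, the per-asset criticality table, the allow-list of known writers and the single Modbus write rule are all constructed assumptions chosen to show how the stages hand off to one another.

```python
import json

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed observations: the flat records a dissector stage might hand over.
# No capture is read; every value here is invented for the example.
OBSERVATIONS = [
    {"src_mac": "00:11:22:aa:bb:01", "src_ip": "10.0.1.10",
     "dst_mac": "00:11:22:aa:bb:20", "dst_ip": "10.0.1.50", "proto": "Modbus", "func": 3},
    {"src_mac": "00:11:22:aa:bb:01", "src_ip": "10.0.1.10",
     "dst_mac": "00:11:22:aa:bb:20", "dst_ip": "10.0.1.50", "proto": "Modbus", "func": 16},
    {"src_mac": "00:11:22:aa:bb:99", "src_ip": "10.0.9.5",
     "dst_mac": "00:11:22:aa:bb:20", "dst_ip": "10.0.1.50", "proto": "Modbus", "func": 16},
    # Routed traffic: the capture point never sees the endpoints' real MACs.
    {"src_mac": None, "src_ip": "10.0.1.10",
     "dst_mac": None, "dst_ip": "10.0.1.51", "proto": "Modbus", "func": 3},
    # Malformed record with no destination; ingest must reject it.
    {"src_mac": "00:11:22:aa:bb:99", "src_ip": "10.0.9.5", "proto": "Modbus", "func": 16},
]
CRITICALITY = {"10.0.1.50": "safety", "10.0.1.51": "high"}  # assumed per-asset criticality
CRITICALITY_BUMP = {"low": 0, "medium": 0, "high": 1, "safety": 2}  # severity steps added
KNOWN_WRITERS = {"10.0.1.10"}        # assumed engineering workstation permitted to write
MODBUS_WRITE_FUNCS = {5, 6, 15, 16}  # Modbus function codes that change outputs/registers


def stage1_ingest(records):
    """Stage 1: keep only records carrying every field the later stages rely on."""
    required = ("src_ip", "dst_ip", "proto", "func")
    valid = [r for r in records if all(k in r for k in required)]
    return valid, len(records) - len(valid)


def stage2_dissect(records):
    """Stage 2: normalise dissector output into one flat shape (here: protocol name case)."""
    return [dict(r, proto=r["proto"].lower()) for r in records]


class AssetLedger:
    """Inventory deduplicated by MAC first; IP is used only when no MAC was observed."""

    def __init__(self):
        self.assets = {}   # asset id -> {"macs": set, "ips": set}
        self.by_mac = {}   # MAC -> asset id
        self.by_ip = {}    # IP  -> asset id of the first asset seen with that IP

    def observe(self, mac, ip):
        if mac:
            aid = self.by_mac.setdefault(mac, f"asset-{len(self.assets) + 1}")
        elif ip in self.by_ip:
            aid = self.by_ip[ip]
        else:
            aid = f"asset-{len(self.assets) + 1}"
        asset = self.assets.setdefault(aid, {"macs": set(), "ips": set()})
        if mac:
            asset["macs"].add(mac)
        asset["ips"].add(ip)
        self.by_ip.setdefault(ip, aid)  # a second MAC claiming a known IP stays a distinct asset
        return aid


def stage3_topology(records):
    """Stage 3: resolve endpoints through the ledger and collect directed protocol edges."""
    ledger, edges = AssetLedger(), set()
    for r in records:
        src = ledger.observe(r.get("src_mac"), r["src_ip"])
        dst = ledger.observe(r.get("dst_mac"), r["dst_ip"])
        edges.add((src, dst, r["proto"]))
    return ledger, edges


def contextual_severity(base, criticality):
    """Bump the rule's base severity by the target asset's criticality, capped at the top level."""
    idx = SEVERITY_ORDER.index(base) + CRITICALITY_BUMP.get(criticality, 0)
    return SEVERITY_ORDER[min(idx, len(SEVERITY_ORDER) - 1)]


def stage4_risk(records, ledger):
    """Stage 4: one illustrative rule, Modbus writes from a source outside the known-writer list."""
    findings = {}
    for r in records:
        if r["proto"] != "modbus" or r["func"] not in MODBUS_WRITE_FUNCS or r["src_ip"] in KNOWN_WRITERS:
            continue
        key = ("modbus-write-unexpected-source", r["src_ip"], r["dst_ip"])
        if key in findings:
            continue  # repeated writes on the same pair collapse into one finding
        findings[key] = {
            "rule": key[0], "src": r["src_ip"], "dst": r["dst_ip"],
            "target_asset": ledger.by_ip[r["dst_ip"]], "base_severity": "medium",
            "severity": contextual_severity("medium", CRITICALITY.get(r["dst_ip"], "low")),
        }
    return list(findings.values())


def stage5_report(ledger, edges, findings, dropped):
    """Stage 5: the portable artifact handed to the workbench (plain JSON-serialisable data)."""
    return {
        "assets": {aid: {"macs": sorted(a["macs"]), "ips": sorted(a["ips"])}
                   for aid, a in ledger.assets.items()},
        "edges": sorted(list(e) for e in edges),
        "findings": findings,
        "ingest": {"dropped_records": dropped},
    }


def run_chain(records):
    valid, dropped = stage1_ingest(records)
    dissected = stage2_dissect(valid)
    ledger, edges = stage3_topology(dissected)
    return stage5_report(ledger, edges, stage4_risk(dissected, ledger), dropped)


if __name__ == "__main__":
    print(json.dumps(run_chain(OBSERVATIONS), indent=2))
```

Running the block prints the report: four assets (the MAC-less routed record folds into the existing asset for 10.0.1.10, while the unseen IP 10.0.1.51 becomes a new one), three protocol edges, one dropped record, and a single finding whose severity is raised from the rule's "medium" to "critical" because the target PLC is tagged safety-critical.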
Protocol coverage

OT-aware by default, with L2 context preserved.

MarlinSpike is built around industrial protocol visibility, then enriches that with network-discovery context so infrastructure relationships are not thrown away.

OT / ICS
Modbus, EtherNet/IP, CIP, S7comm, DNP3, IEC 60870-5-104, OPC-UA, BACnet, PROFINET, HART-IP, FINS, GOOSE, MMS, OMRON
Layer 2 / discovery
LLDP, CDP, STP, LACP, ARP, VLAN
Standards support

Context that supports operator and security review.

The public story stays bounded to what the platform actually exposes today. MarlinSpike supports standards-oriented review without pretending to be a broader compliance suite.

IEC 62443

Stage 4 remediation guidance is framed around IEC 62443 system requirements (SRs) for the finding classes the platform supports.

MITRE ATT&CK

Full ATT&CK implementation in the report workflow including tactic-grouped matrix views, sub-techniques, mitigations, and response guidance — for both ICS and Enterprise domains.

Purdue / ISA-95

ISA-95 and Purdue-style zoning remain central to topology layout, asset placement, and cross-level communication review.
Architecture overview

One Flask web app, one Python engine, one optional Rust DPI substrate.

MarlinSpike is intentionally extensible for working OT/ICS responders, not just systems programmers. Three formal extension surfaces cover the breadth of customization.

Rust engines

Packet-facing and event-heavy components such as DPI. The standalone marlinspike-dpi substrate ships 34 protocol dissectors and is built into the Docker image at a pinned ref.

Python plugins

Report-facing analysis, enrichment, and triage logic. The MITRE ATT&CK plugin, ARP analysis plugin, and APT plugin all live behind this surface and are loaded by module name from environment variables.

YAML rule packs

Declarative mappings, suppressions, and local policy. Default packs ship under rules/<plugin>/base.yaml; per-deployment overrides are supplied via environment variables.