MarlinSpike Passive OT/ICS Topology Workbench
v0.1.1 available now · Windows · macOS · Linux · Signed

GlassMarlin, the defender's local tool.

One file. PCAP in. Full OT/ICS triage workbench out. No Wireshark required. No Python install. No Docker. No internet. No team server. The thing you put on the engagement laptop, for engagements where the host has nothing.

Lineage

The successor field defenders quietly carried for years.

GrassMarlin was the NSA-released OT topology mapper that field defenders quietly carried on engagement laptops for years. It worked, until it didn't. Abandoned in 2017, Java-bound, single-platform, no longer maintained. CVE-2026-6807 (April 2026) made it actively unsafe to keep using.

GlassMarlin picks up where it left off. Same defender utility, modernised, cross-platform, with the full risk + MITRE ATT&CK + IOC + baseline + sub-PCAP-carve stack on top of topology mapping. Same drop-it-on-a-laptop spirit. Zero external dependencies. Full heritage on the GrassMarlin lineage page →

Sibling, not replacement

Two deployment shapes for the same MarlinSpike engine.

grassmarlin.com runs the multi-user web workbench you'd drop on an engagement host. GlassMarlin runs the same triage engine as a native desktop binary for the cases where a server is the wrong tool: air-gapped boxes, flight-deck work, vendor SCIFs, bunkers, laptops with nothing else on them.

Aspect | grassmarlin.com (web) | GlassMarlin (desktop)
Deployment | Docker Compose, reverse proxy, persistent volumes | One signed installer per OS, embedded runtime
User model | Multi-user with auth, projects scoped per-user | Single-user, local only
OS target | Linux container (any host with Docker) | Windows .msi, macOS .dmg, Linux .AppImage
External tooling | tshark in the container, libpcap on the host | None, Rust dissection, no Wireshark needed
Database | PostgreSQL service | Embedded SQLite, single file
Internet | Optional (for ATT&CK Navigator export) | Never. Period.
Engine | Same MarlinSpike engine and plugins | Same MarlinSpike engine and plugins
Report artifact | Portable JSON, reviewable anywhere | Portable JSON + OCSF + STIX + Sigma + ATT&CK Navigator
Best fit | Engagement teams, shared field hosts, lab servers | Defender on a laptop, air-gapped hosts, SCIFs, plane rides

No external dependencies. Period.

Everything inside the binary.

The promise on GlassMarlin's installer is exact: drop the file on the laptop, open a PCAP, get the workbench. No surprise dialogs asking you to install Wireshark, no Python missing on the target host, no internet round-trip to fetch ATT&CK data. Every dependency ships inside the binary.

Native bundle per OS

GlassMarlin.msi for Windows. GlassMarlin.dmg for macOS (signed, Gatekeeper-clean). GlassMarlin.AppImage for Linux (any glibc 2.28+ host). No "installer for the installer."

Pure-Rust PCAP dissection

No libpcap, no Npcap, no Wireshark install, no tshark shell-out, no editcap. marlinspike-dpi handles parsing and time-window carve-out natively in Rust.

Python runtime baked in

Bundled via python-build-standalone. No pip install, no venv, no system Python. The interpreter and every dependency wheel ride inside the binary.

Embedded SQLite, no DB server

Everything that grassmarlin.com stores in Postgres, GlassMarlin keeps in an embedded SQLite file inside the per-user data directory. Nothing to install, nothing to manage.

No internet required, ever

No telemetry, no license check, no MITRE updates fetched at runtime. The ATT&CK runtime and plugin packs are baked into the binary. Runs in SCIFs, bunkers, and on flights.

SIEM-ready exports

Every scan emits report.json + OCSF NDJSON + STIX 2.1 + Sigma rules + ATT&CK Navigator layer JSON, alongside the workbench view. Pipe straight into Splunk, Sentinel, AWS Security Lake.

Per-OS install shapes
Windows
GlassMarlin.msi

Single MSI. No Wireshark / Npcap install prerequisite. No system Python.

macOS
GlassMarlin.dmg

Signed and notarised. Gatekeeper-clean on first launch.

Linux
GlassMarlin.AppImage

Runs on any glibc 2.28+ host. chmod +x, run.

What it does

The full triage stack, on a binary.

GlassMarlin isn't just topology. It's the entire MarlinSpike triage stack: findings with IEC 62443 mapping, MITRE ATT&CK alignment, IOC hunting, per-asset baselines, and time-window sub-PCAP carve-out, all running locally on the binary you just opened.

Topology + asset fingerprinting

Purdue-level inference, vendor fingerprinting, asset role detection. 30+ OT protocol dissectors.

Risk findings, IEC 62443 mapped

Cross-Purdue comms, cleartext engineering, beaconing, suspicious external comms, port scans, missing authentication, OPC SecurityMode=None, Modbus writes from unexpected sources, each with IEC 62443 SR mapping and remediation guidance.

MITRE ATT&CK (ICS + Enterprise)

Every finding mapped to techniques. Tactic-matrix workbench view. One-click export to ATT&CK Navigator layer JSON.

IOC threat hunting

Paste a CISA advisory, ingest a STIX bundle, or hand-curate a list. Scan a capture's nodes, DNS queries, flows, and payloads against IPs / domains / SHA-256 / MD5 / MACs / OUIs.

Per-asset baselines + drift

Walks every capture you've loaded and shows what changed for a given host: new peers, new protocols, new findings since last time, and drift in vendor / role / device type.

Time-window sub-PCAP carve-out

Drag a span on the capture timeline, extract just those packets as a sub-PCAP for Wireshark. The drag is local, no upload, no server. Pure Rust, no editcap.

30+ OT protocol dissectors

Modbus, S7, DNP3, IEC 60870-5-104, EtherNet/IP, OPC UA, BACnet, PROFINET, OMRON FINS, HART-IP, EtherCAT, Sparkplug B, IEC 61850 MMS, GOOSE, SV, CIP, MMS, and more.

Download · v0.1.1

Signed installers for Windows, macOS, and Linux.

Pick the OS. Run the installer (or unpack the package). The workbench opens in your browser. Every artifact is signed and listed in SHA256SUMS with GPG and OpenTimestamps signatures alongside the release.

Windows

x86_64 · signed

MSI for managed deployments, NSIS .exe for hand-installs. No Wireshark, Npcap, or Python prerequisite.

macOS

Apple Silicon · signed

Universal-style DMG for aarch64. Signed and notarised, opens cleanly under Gatekeeper. Drag to Applications, launch.

Intel macOS: coming.

Linux

x86_64 · signed

Self-contained AppImage for any glibc 2.28+ host, or a Debian package for apt-managed systems.

Verify the download

Every artifact is signed and the SHA256SUMS file ships with a GPG signature, an X.509 certificate, and an OpenTimestamps proof. Use any of them to confirm authenticity before running the installer.
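The check described above, scripted as an added example (not GlassMarlin's own tooling): verify the detached GPG signature over SHA256SUMS first, so the hash list itself is trusted, then compare the installer's SHA-256 against its entry. The file names SHA256SUMS and SHA256SUMS.asc, and an already imported release signing key, are assumptions; the OpenTimestamps proof is a separate step not covered here.

```shell
#!/bin/sh
# Added example, not the project's own script. Assumes the release publishes
# SHA256SUMS plus a detached signature SHA256SUMS.asc, and that the signing key
# is already in the local GPG keyring.

sha256_of() {                      # print the hex SHA-256 of a file
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else shasum -a 256 "$1" | awk '{print $1}'; fi
}

recorded_hash() {                  # recorded_hash NAME SUMSFILE -> hash listed for NAME
  # sha256sum writes "<hash>  <name>" or "<hash> *<name>" (binary mode); strip the '*'
  awk -v n="$1" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$2"
}

verify_sums() {                    # verify_sums FILE SUMSFILE -> 0 match, 1 mismatch, 2 no entry
  name=$(basename "$1")
  exp=$(recorded_hash "$name" "$2")
  if [ -z "$exp" ]; then echo "no SHA256SUMS entry for $name" >&2; return 2; fi
  act=$(sha256_of "$1")
  if [ "$exp" = "$act" ]; then return 0; fi
  echo "HASH MISMATCH for $name" >&2; return 1
}

verify_sums_signature() {          # GPG detached signature over the SHA256SUMS file itself
  gpg --verify "$1.asc" "$1"
}

verify_release_file() {            # signature first, then the per-file hash
  verify_sums_signature "$2" && verify_sums "$1" "$2"
}

# Constructed demo data (not a real release): a fake installer with a matching
# SHA256SUMS entry, and a tampered copy under the same name that must fail.
demo=$(mktemp -d)
printf 'fake installer bytes\n' > "$demo/GlassMarlin.AppImage"
printf '%s  GlassMarlin.AppImage\n' "$(sha256_of "$demo/GlassMarlin.AppImage")" > "$demo/SHA256SUMS"
mkdir "$demo/tampered"
cp "$demo/GlassMarlin.AppImage" "$demo/tampered/GlassMarlin.AppImage"
printf 'x' >> "$demo/tampered/GlassMarlin.AppImage"

verify_sums "$demo/GlassMarlin.AppImage" "$demo/SHA256SUMS" && echo "genuine file: OK"
verify_sums "$demo/tampered/GlassMarlin.AppImage" "$demo/SHA256SUMS" || echo "tampered file: rejected"
```

For a one-off check at the prompt, `gpg --verify SHA256SUMS.asc SHA256SUMS` followed by `sha256sum -c --ignore-missing SHA256SUMS` does the same two steps without the script.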

Who it's for

Engagements where the host has nothing.

The defender's local tool. The thing you put on the engagement laptop. The thing you run on an air-gapped host, on a flight to the site, in a vendor's SCIF, in a bunker. No infrastructure. No internet. No prep.

The engagement laptop

The tool you carry. Throw GlassMarlin on the assessor laptop, fly to site, work the captures the OT operator hands you. No client-side dependencies to negotiate before the work starts.

Air-gapped, SCIFs, bunkers

Hosts with no internet, no Docker, no package manager, and no clearance to install third-party runtimes. GlassMarlin is one file: drop it on a USB, open the PCAP, work the project. ATT&CK / IEC 62443 / IOC packs are baked in, nothing fetched at runtime.

Training, tabletops, classrooms

Drop GlassMarlin on the AD share or the USB you handed out at registration. Twenty students each have their own MarlinSpike running in 30 seconds. No server to provision, no Docker to teach.

Boundaries

What GlassMarlin isn't.

GlassMarlin is single-user. There are no auth backends, no multi-tenant scoping, no shared URL. If two analysts need to look at the same project, they each open the file locally, or they pull it into a grassmarlin.com deployment for cross-engagement collaboration.

GlassMarlin doesn't do live capture. It's PCAP-in, workbench-out. If you need a live sensor that talks to the team workbench, that's the marlinspike-capd sidecar on the server side, not on the laptop.

GlassMarlin is not trying to be Wireshark. It's the OT triage layer on top of a PCAP (topology, asset context, ATT&CK alignment, findings) that Wireshark deliberately doesn't try to be. Read with Wireshark when you need packet bytes; drive the engagement with GlassMarlin.