MarlinSpike is the modern continuation of GrassMarlin. This page is the public record of what that means: what GrassMarlin was, why it stopped being usable, and what carried over into the successor.
What GrassMarlin was
GrassMarlin was an open-source passive network mapping tool for industrial control systems (ICS), published by the NSA’s Information Assurance Directorate around 2017 at github.com/nsacyber/GRASSMARLIN. It was a Java desktop application that read packet captures (.pcap, .pcapng) — or live traffic from an interface — and built a network topology, identified industrial protocols, classified devices, and surfaced traffic relationships. No probes, no active scanning, no transmission back into the environment.
For a community used to the trade-off “either you stay safe by not touching the OT network, or you get visibility by scanning it,” GrassMarlin was a real third option. It was the right idea: vendor-neutral, passive-only, free, and aware of OT-specific protocols at a time when most network tools treated industrial traffic as opaque.
The tool was widely adopted by ICS security teams, response consultants, and asset owners doing greenfield network discovery on segmented plant-floor environments where active scanning was off the table.
What changed between 2017 and 2025
GrassMarlin was never aggressively maintained after the initial public releases. NSA’s GitHub repository has explicitly listed the project as end-of-life since 2017. The Java desktop architecture aged: a single-user thick client doesn’t fit a world where OT response is increasingly a team activity on temporary engagement hosts, where Docker is the default install path, and where reports need to be reviewable across machines without re-installing the tool.
The OT response community moved on to web-based workbenches in adjacent product spaces — but the open-source, passive-only, vendor-neutral slot GrassMarlin filled stayed empty. There was no obvious successor. Operators who wanted that exact role kept running GrassMarlin on increasingly old Java runtimes, accepting the trade-off because the alternative was nothing.
CVE-2026-6807
On 28 April 2026, CISA published advisory ICSA-26-118-01 disclosing CVE-2026-6807 — a medium-severity XML External Entity (XXE) information-disclosure vulnerability in GRASSMARLIN v3.2.1 (CWE-611). Crafted session data triggers improper handling of XML input, which can result in unintended exposure of sensitive information from the host. Public proof-of-concept code is available.
NSA confirmed in its response that the project has been end-of-life since 2017 and will not receive a patch. All versions are affected. CISA’s mitigation guidance reduces to “stop running it.”
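The vulnerability class behind CVE-2026-6807 is a parser-configuration failure: an XML session file is allowed to carry a DTD, and the DTD can declare entities that the parser then resolves, which is how host data ends up in the output. The following is an added example, not GrassMarlin or MarlinSpike code, showing the mitigation any tool that ingests XML session or report files should apply: refuse any document that declares a DTD before the parser ever sees it. The <session>/<host> layout, the sample addresses, and the UnsafeXMLError name are constructed for the example and are not GrassMarlin's real session schema.

```python
"""Hardened loader for XML session files (CWE-611 mitigation pattern).

Added example; not GrassMarlin or MarlinSpike code. The <session>/<host>
layout is a constructed stand-in for whatever a session file really holds.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# A DTD is the only place XML entities can be declared. Session and report
# files never need one, so its presence alone is grounds for refusal: this
# blocks both external entities (the CVE's shape) and internal expansion.
_DTD_MARKER = re.compile(r"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when a document is refused before parsing (constructed name)."""


def reject_dtd(data: bytes) -> str:
    """Decode as UTF-8 and refuse any DTD or entity declaration.

    Decoding first means the check cannot be dodged with a multi-byte
    encoding declaration; anything that is not valid UTF-8 is refused.
    """
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise UnsafeXMLError("session file is not UTF-8") from exc
    if _DTD_MARKER.search(text):
        raise UnsafeXMLError("session file declares a DTD or entity; refusing to parse")
    return text


def load_session(data: bytes) -> List[Dict]:
    """Parse a session document into a list of host records.

    The stdlib expat parser does not fetch external entities by itself, but
    it does expand internal ones; the pre-check closes both paths, so the
    parser only ever sees entity-free input.
    """
    text = reject_dtd(data)
    root = ET.fromstring(text)
    hosts = []
    for host in root.iter("host"):
        hosts.append({
            "ip": host.get("ip"),
            "role": host.get("role"),
            "protocols": [p.text for p in host.findall("protocol")],
        })
    return hosts


# Constructed sample: a well-formed session file with no DTD.
SAFE_SESSION = b"""<?xml version="1.0"?>
<session name="plant-floor-baseline">
  <host ip="10.10.1.5" role="plc">
    <protocol>modbus</protocol>
    <protocol>s7comm</protocol>
  </host>
  <host ip="10.10.1.20" role="hmi">
    <protocol>opcua</protocol>
  </host>
</session>
"""

# Constructed sample: the same file with a DTD that declares an entity.
# Only an internal entity is shown; an external-entity variant is refused by
# the same check because the declaration itself is what triggers rejection.
CRAFTED_SESSION = b"""<?xml version="1.0"?>
<!DOCTYPE session [ <!ENTITY e "expanded"> ]>
<session name="x"><host ip="&e;" role="plc"/></session>
"""


if __name__ == "__main__":
    print(load_session(SAFE_SESSION))
    try:
        load_session(CRAFTED_SESSION)
    except UnsafeXMLError as exc:
        print("refused:", exc)
```

The check is deliberately coarse: it rejects a DTD anywhere in the byte stream, including inside a comment or CDATA section, because a session file has no legitimate reason to contain one and a false refusal costs far less than a resolved entity. In a Java code base the equivalent is setting the disallow-doctype-decl feature on DocumentBuilderFactory before parsing.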
For teams who depended on the role GrassMarlin filled, this was the trigger event. The original tool can no longer be safely used. The role still has to be filled.
Why MarlinSpike
MarlinSpike was already in development before the CVE landed — the responder workbench architecture, the multi-user model, the portable JSON report contract, the OT-native protocol coverage, the bilingual EN/FR surface, the ATT&CK lens, the asset-context-driven contextual severity, and the IOC threat-hunting pipeline were already designed and shipping in v3.5.0.
What CVE-2026-6807 made explicit was that the role itself needs an actively-maintained, modern, multi-user successor. MarlinSpike picks that up. We took the grassmarlin.com domain because we are committing to the role publicly, not just shipping a product that happens to look similar.
What carried over from GrassMarlin’s design:
- Passive analysis only. No probes, no transmission, no active scanning.
- OT-native protocol coverage as a first-class concern, not an afterthought.
- Vendor-neutral. Modbus, S7, DNP3, IEC 60870-5-104, CIP, MMS, GOOSE, BACnet, OPC UA, PROFINET, and more.
- Topology reconstruction from observed traffic alone — Purdue-level inference, vendor fingerprinting, role hints.
- Free and open source. AGPL-3.0.
- Aware of segmented plant-floor environments where active scanning is unsafe.
What changed:
- Multi-user web workbench instead of a single-user Java desktop application.
- Docker Compose deployment (1 core / 1 GB RAM) instead of a JAR install on a workstation.
- Portable JSON report artifacts as the engine ↔ workbench contract — reports survive the tool that produced them.
- Active maintenance. Tagged releases. Versioned engine and web UI. Mid-scan recovery. Per-tier concurrency limits.
- Bilingual UI (English / Français). Locale-aware engine output. Architecture supports more locales as a content drop, not an engineering project.
- Asset-context-driven contextual severity. MEDIUM on a safety controller can outrank CRITICAL on a print server when context is in place.
- IOC threat-hunting across every report in a project. Live MITRE ATT&CK matrix (ICS + Enterprise) sourced from plugin output.
- HP-HMI mode for control-room wall displays. Time scrubbing + sub-PCAP carve-out for the analyst loop.
Migration path
If you have been running GrassMarlin:
- Stop running v3.2.1 (or any version) given the CVE-2026-6807 advisory.
- Continue using your existing capture pipeline. Whatever produced .pcap/.pcapng files for GrassMarlin works for MarlinSpike unchanged — taps, SPAN ports, dumpcap, tshark.
- Stand up MarlinSpike with docker compose up -d --build (see the getting started guide). Five minutes from git clone to a working workbench at 127.0.0.1:5001.
- Upload your captures. The analysis chain is run as a per-scan subprocess; topology, asset inventory, and findings appear in the workbench.
- Share the URL with the rest of your engagement team. Multi-user is the default; everyone works the same project.
The output side is materially different: where GrassMarlin produced an in-memory view bound to the desktop session, MarlinSpike emits a portable JSON report artifact. That report can be reviewed in the MarlinSpike workbench, archived as evidence, or consumed by downstream tooling. The report is the contract.
Acknowledgments
Credit is due. GrassMarlin’s design was right and its release was generous — NSA Information Assurance Directorate published the source code under an open license at a time when the OT visibility tooling space was dominated by closed, expensive, vendor-locked products. The architectural choices (passive only, vendor-neutral, OT-aware) carried the right values forward into a public artifact the community could use, study, and learn from.
MarlinSpike inherits those values directly. The implementation is independent code with a different architectural shape, but the role and the principles are continuous with what GrassMarlin established. We are stewarding a slot the original team opened.
References
- CISA Advisory: ICSA-26-118-01
- CVE: CVE-2026-6807 (NVD)
- NSA’s original GrassMarlin repository: github.com/nsacyber/GRASSMARLIN
- MarlinSpike source: github.com/eris-ot/marlinspike