OThello


OT-NATIVE · ACTOR-ATTRIBUTED

You can't defend against an unidentified attacker.

OThello Threat Intelligence delivers actionable actor-attributed OT threat intelligence, the campaigns, TTPs, and attack indicators of groups actively targeting industrial environments, enriched with full context.


Clear attribution

Identify the threat actor.

Every threat indicator includes full actor attribution. Not just an IP address. The group, their history, their TTPs, their campaigns.

Full picture

Contextual OT threat intelligence.

Not filtered to your sector or filtered by relevance. You receive the complete OT threat picture and decide what matters.

Expert

Specialist advisory included.

Specialist OT threat intelligence advisories written by analysts who understand industrial attack tradecraft. Not automated summaries.

Malicious IPs offer little strategic value. Effective defense requires understanding threat infrastructure, routing, and attribution.

OT attackers operate differently than IT attackers. They are patient. They are deliberate. They pre-position infrastructure months before an attack begins. They study protocols, zone topologies, and operational schedules. They move slowly because industrial environments don't tolerate disruption, and neither do their objectives. Generic threat intelligence services built for IT environments miss this. OThello doesn't.

OT attackers are sophisticated.

Campaigns unfold over months. Infrastructure is pre-positioned. Reconnaissance is comprehensive. The attack profile doesn't match generic IOC databases. OThello tracks OT actor behaviour specifically and not as a subset of IT threat intelligence.

Generic tools produce generic outputs.

A flagged IP address tells you almost nothing. An IP address attributed to an actor with a documented history of targeting power infrastructure tells you what to prepare for.

Months go by undetected.

OT breaches go undetected for an average of 287 days. The gap between initial compromise and discovery is measured in quarters, not hours. Actor attribution helps close that gap by identifying campaigns during reconnaissance.

SHIELDWORKZ · OT THREAT INTELLIGENCE

Handala · Threat Actor Profile · TLP: AMBER · APRIL 2026 · RESTRICTED

01 · OPERATIONAL SCALE: $7.7M / yr estimated annual operating budget. Infostealer logs · commercial VPN · Starlink C2 · RaaS procurement.

02 · DESTRUCTIVE REACH: 200K devices wiped — Stryker attack. Microsoft Intune MDM weaponised. 11 Mar 2026 · SEC 8-K filed.

03 · TARGETING FOOTPRINT: 79 countries. Simultaneous wipe — global device estate. 4 phases · Dec 2023 – present. US · Gulf · EU · Middle East CII.

RISK: CRITICAL

Source: Shieldworkz Handala Threat Intelligence Assessment Dossier · April 2026 · Prepared by Shieldworkz Cyber Threat Intelligence Team

TLP:AMBER — Distribute to trusted security partners only

Actor-attributed OT threat intelligence. Specialist advisories. Full context.

The difference between intelligence and data is context. OThello provides both.

OT threat intelligence feed.

Real-time feed of actor-attributed threat indicators — IP addresses, domains, malware hashes, protocol-level attack signatures. Every indicator includes full actor context. STIX-formatted. Mapped to MITRE ATT&CK for ICS. Structured for ingestion into SIEM, SOAR, and threat hunting platforms.

Complete actor attribution.

Every threat indicator is attributed to the actor or campaign responsible. Actor profiles include known TTPs, target sectors, infrastructure patterns, and campaign timelines. When an indicator surfaces, you know who it belongs to and what they typically do next.

Specialist advisory service.

Written advisories on active OT campaigns, emerging threats, and actor TTPs. Not automated summaries. Specialist analysis from analysts who understand OT attack tradecraft. Delivered as structured reports with actionable defensive recommendations.

Early warning alerts.

When a new campaign surfaces targeting OT environments, you receive an early warning alert. Not after the campaign is public knowledge — when initial indicators surface in OThello's honeypot network. Early warning means hours or days of advance notice, not weeks of catch-up.

Campaign and TTP trend analysis.

Quarterly trend analysis showing shifts in OT actor behaviour, emerging TTPs, protocol-specific attack patterns, and sector targeting trends.

Executive reporting.

Executive-level reporting on OT threat landscape changes, actor activity trends, and campaign developments. Structured for board and leadership consumption. Shows what changed, what's emerging, and what requires attention.

Built on live attack data. Not scraped databases.

OThello Threat Intelligence is built on a global network of OT honeypots — real industrial devices deployed specifically to attract and observe attacker behaviour. Not scraped from public databases. Not aggregated from third-party feeds.

1. Global honeypot network.

OThello operates a global network of OT honeypots — real industrial control devices (PLCs, HMIs, RTUs, IEDs) deployed at multiple geographic locations.

2. Automated collection.

Attack activity captured by the honeypot network is automatically ingested, structured, and correlated against known actor TTPs and infrastructure patterns. MITRE ATT&CK for ICS mapping happens automatically. Protocol-specific indicators are extracted and tagged by industrial protocol type.

3. Validation and attribution.

Automated collection feeds into analyst validation. Every indicator is reviewed by a specialist before release. Actor attribution is performed by matching observed TTPs, infrastructure patterns, and campaign characteristics against known actor profiles.

4. Advisory structuring.

Validated intelligence is assembled into structured threat advisories. Each advisory packages an executive summary, technical detail, full TTP mapping table, and an IOC appendix — classified at the appropriate TLP level for distribution. Advisories are tagged by sector relevance, target geography, and affected industrial protocol.

5. Actionable threat advisory.

The finished advisory reaches the OThello platform as a ready-to-use operational output. Every advisory carries three things: prioritised mitigation actions mapped to IEC 62443 controls, detection guidance in the form of ready-to-deploy SIEM, EDR, and OT NDR rules, and recommended security architecture controls referenced to the specific TTP observed.

SHIELDWORKZ · OT THREAT INTELLIGENCE

OT intelligence pipeline — from honeypot signal to actionable advisory (POWERED BY ONEIQ ENGINE)

01 Honeypot network: emulates PLC / HMI / RTU to attract OT-targeted threats. 6 global sensor locations (US · EU · GCC · IN · SG · JP). Passive · always-on.

02 Event collection: event stream of scan attempts, probes, exploit delivery, and C2 beacons. Triggered on anomaly detection threshold. Protocol-aware capture (IoT / Modbus / DNP3 · IEC 60870 · EtherNet/IP).

03 Analysis and contextualization: MITRE ATT&CK for ICS mapping (TTP classification). Campaign correlation (actor linkage). Impact assessment (OT blast radius). Severity classification (Critical / High / Med). Powered by OneIQ engine. IEC 62443 · NERC CIP aligned.

04 Advisory structuring: document assembly (executive summary, technical detail, TTP mapping table, IOC appendix). TLP classification and distribution tagging (WHITE · GREEN · AMBER · RED). Structured CTI output.

05 Threat advisory output: mitigations (prioritised control actions). Detection guidance (SIEM / EDR / NDR rules). Recommended controls (IEC 62443 mapped). Delivered to OThello Assess.

Shieldworkz OT Intelligence Network · Global honeypot + analysis infrastructure · OThello Assess · OneIQ Engine

Aligned with IEC 62443 · MITRE ATT&CK for ICS · NERC CIP · NIS2

shieldworkz.com


OneIQ knows your environment. You decide what's relevant.

Most threat intelligence platforms filter threat data to your sector — and hide everything else. OThello doesn't. You receive the complete OT threat picture. OneIQ uses your environment model — protocols, asset types, zone configuration — to prioritise what matters most to you.

Prioritization

OneIQ ranks threat indicators against your environment. High-relevance indicators surface at the top. Lower-relevance indicators remain visible beneath. You control the threshold.

Actor context travels with every indicator.

When an indicator is prioritized, full actor attribution travels with it. You don't just see that an IP is flagged — you see which actor it belongs to. Context is built into prioritisation, not stripped out of it.
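As an added illustration (not OThello's or Shieldworkz's code), the block below ingests an actor-attributed STIX 2.1 bundle of the kind the feed section describes, resolves the actor and ATT&CK for ICS context attached to each indicator through its relationships, and then ranks the indicators against an environment model with a user-controlled threshold, keeping low-relevance indicators visible rather than hiding them, as the Prioritization section describes. The bundle contents, the x_ot_* custom properties, the facet weights, the actor name and the technique id are all constructed assumptions of this example.

```python
"""Rank actor-attributed STIX indicators against an OT environment model."""
import json

# Constructed sample bundle (ids shortened; real STIX ids are type--UUID). The
# x_ot_* custom properties carrying protocol/asset/sector tags are assumptions.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--1", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--1", "name": "CONSTRUCTED-ACTOR-A"},
    {"type": "attack-pattern", "id": "attack-pattern--1", "name": "constructed technique",
     "external_references": [{"source_name": "mitre-ics-attack", "external_id": "T0000"}]},
    {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '192.0.2.10']",   # RFC 5737 documentation range
     "x_ot_protocols": ["modbus"], "x_ot_asset_types": ["plc"], "x_ot_sectors": ["energy"]},
    {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "x_ot_protocols": ["dnp3"], "x_ot_asset_types": ["rtu"], "x_ot_sectors": ["water"]},
    {"type": "relationship", "id": "relationship--1", "relationship_type": "indicates",
     "source_ref": "indicator--1", "target_ref": "intrusion-set--1"},
    {"type": "relationship", "id": "relationship--2", "relationship_type": "indicates",
     "source_ref": "indicator--1", "target_ref": "attack-pattern--1"}]})

# Constructed environment model (what a site profile holds) and assumed facet weights.
ENVIRONMENT = {"protocols": {"modbus", "ethernet/ip"}, "asset_types": {"plc", "hmi"},
               "sectors": {"energy"}}
WEIGHTS = {"protocols": 0.5, "asset_types": 0.3, "sectors": 0.2}


def enrich(bundle_text):
    """Return indicators with actor name and ATT&CK for ICS ids resolved via relationships."""
    objs = {o["id"]: o for o in json.loads(bundle_text)["objects"]}
    inds = {k: dict(o, actor=None, techniques=[]) for k, o in objs.items()
            if o["type"] == "indicator"}
    for rel in (o for o in objs.values() if o["type"] == "relationship"):
        ind, target = inds.get(rel["source_ref"]), objs.get(rel["target_ref"])
        if ind is None or target is None:
            continue                        # dangling reference: keep indicator, no context
        if target["type"] == "intrusion-set":
            ind["actor"] = target["name"]
        elif target["type"] == "attack-pattern":
            ind["techniques"] += [r["external_id"] for r in target.get("external_references", [])
                                  if r.get("source_name") == "mitre-ics-attack"]
    return list(inds.values())


def relevance(ind, env):
    """Weighted share of environment facets (protocol, asset type, sector) the indicator touches."""
    return round(sum(w for facet, w in WEIGHTS.items()
                     if set(ind.get("x_ot_" + facet, [])) & env[facet]), 2)


def prioritise(bundle_text, env, threshold=0.5):
    """Rank every indicator; those under the threshold stay listed and flagged, not hidden."""
    scored = [dict(i, score=relevance(i, env)) for i in enrich(bundle_text)]
    scored.sort(key=lambda i: i["score"], reverse=True)
    return [dict(i, above_threshold=i["score"] >= threshold) for i in scored]
```

An indicator with no intrusion-set relationship still ranks, but its actor field stays None, which is the gap the page's "full actor context" requirement is meant to close.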

OT-NATIVE · ACTOR-ATTRIBUTED

Contextual threat intelligence built for industrial cyber defense

OThello Threat Intelligence continuously gathers, enriches, and correlates OT-specific IOCs, adversary infrastructure, malware telemetry, and attack TTPs to deliver actionable, actor-attributed intelligence for industrial environments.


Accurate IOCs

Identify the threat actor.

Accurate indicators that facilitate detection and response.

CTI that matters

Contextual OT threat intelligence.

Not filtered to your sector or filtered by relevance. You receive the complete OT threat picture and decide what matters.

Expert

Specialist advisory included.

Specialist OT threat intelligence advisories written by analysts who understand industrial attack tradecraft. Not automated summaries.

Malicious IPs offer little strategic value. Effective defense requires understanding threat infrastructure, IOCs, and TTPs.



OT threat intelligence built around attribution, operational context, and actionable indicators.


Enriched and actionable CTI

OThello gathers OT-focused threat intelligence from multiple intelligence sources including adversary infrastructure tracking, malware research, industrial attack campaigns, honeypot telemetry, and threat intelligence feeds to continuously identify and validate actionable IOCs.


Built for the teams who can't afford to miss what's coming

OT Security Operations

Ingest actor-attributed threat indicators into your SIEM, SOAR, and threat hunting platforms. Hunt for campaigns actively targeting OT environments. Prioritise defensive actions based on actor TTPs and campaign timelines.

Incident Response Teams

When an indicator surfaces during IR, you need to know immediately if it's part of a known campaign, which actor it belongs to, and what they typically do next. OThello provides that context in real time.

Security Leadership

Track OT threat landscape changes. Understand which actors are active, what sectors they're targeting, and what TTPs are emerging. Quarterly trend reporting and executive summaries keep leadership informed.

Know who is targeting OT environments. And what they do next.

Actor-attributed. Full picture. Specialist advisory included.




© 2026 Shieldworkz. All rights reserved.