Stop the Pivot.
Not the Plant.
An edge cybersecurity appliance that stops ransomware and Volt-Typhoon-class lateral movement before they reach your PLCs.
JA4 encrypted-flow analytics + ICS kill-chain tracking + dual-confirm safe blocking, all on commodity edge silicon. Catches the IT-to-OT pivot in microseconds — not the 42 days it takes Passive Monitors to find what already happened.
JA4 fingerprint hot path on production ARM Cortex-A76 edge
Earlier detection than Passive Monitors at LATERAL stage
Commodity ARM64 + NPU edge. One Sentinel per plant. SPAN-port install.
Three Pillars.
Engineered Against the Three Failures.
Encryption-aware detection. Pre-OT kill-chain tracking. Dual-confirm active response. All on commodity edge hardware. All inside the same sub-100 µs hot path.
Encrypted-Flow Analytics
The TLS ClientHello is in the clear by design. We fingerprint it in single-digit microseconds, well under 20 µs on production ARM Cortex-A76 edge silicon. The same OPC UA-over-TLS, MQTT-TLS, and IEC-104-TLS traffic that blinds your current monitor lights up against a known-malicious JA4 in our denylist — without decryption, without TLS keys, without breaking PKI.
- Sub-20 µs JA4 / JA4S parse on production edge silicon
- OPC UA-TLS / MQTT-TLS / IEC 104-TLS visibility
- No decryption. No PKI break. No keys.
- In-house implementation — no vendored libraries
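The fingerprint step described above, as an added example that is not Vardar's code: it computes a JA4 string from fields assumed to be already pulled out of the cleartext ClientHello (the TLS record parser is not included) and checks it against a denylist. It follows the public JA4 specification (GREASE values dropped, ciphers and extensions sorted, SNI and ALPN counted but left out of the extension hash, signature algorithms kept in wire order). The sample hello, the denylist entry and every name here are constructed, not captured traffic or a real indicator.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// ClientHello carries the fields JA4 needs, as already extracted from the
// cleartext TLS ClientHello; the record/handshake parsing step is assumed.
type ClientHello struct {
	Version    uint16   // highest supported_versions entry, else the legacy version
	HasSNI     bool     // server_name extension present
	Ciphers    []uint16 // cipher suites in wire order
	Extensions []uint16 // extension types in wire order
	ALPN       []string // ALPN protocol names in wire order
	SigAlgs    []uint16 // signature_algorithms values in wire order
}

// versionCode is the two-character JA4 version field; anything unlisted becomes "00".
func versionCode(v uint16) string {
	if c, ok := map[uint16]string{0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}[v]; ok {
		return c
	}
	return "00"
}

// sniAlpn are the extension types counted in JA4_a but excluded from the JA4_c hash.
var sniAlpn = map[uint16]bool{0x0000: true, 0x0010: true}

// isGREASE reports whether v is an RFC 8701 GREASE value (0x?a?a with both bytes equal).
func isGREASE(v uint16) bool { return v&0x0f0f == 0x0a0a && v>>8 == v&0x00ff }

// hexList formats the non-GREASE, non-skipped values as 4-char lowercase hex in wire order.
func hexList(vals []uint16, skip map[uint16]bool) []string {
	out := []string{}
	for _, v := range vals {
		if !isGREASE(v) && !skip[v] {
			out = append(out, fmt.Sprintf("%04x", v))
		}
	}
	return out
}

// hash12 is the JA4 truncated hash: first 12 hex chars of SHA-256; empty input gives twelve zeros.
func hash12(s string) string {
	if s == "" {
		return "000000000000"
	}
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])[:12]
}

// two renders a count as the two-digit JA4_a field, capped at 99 per the spec.
func two(n int) string { if n > 99 { n = 99 }; return fmt.Sprintf("%02d", n) }

// JA4 builds "JA4_a_JA4_b_JA4_c" for a TCP-carried hello: transport+version+SNI+
// counts+ALPN, then the sorted cipher hash, then the sorted extension hash with
// signature algorithms appended in wire order (public JA4 specification).
func JA4(h ClientHello) string {
	ciphers, allExts := hexList(h.Ciphers, nil), hexList(h.Extensions, nil)
	hashExts := hexList(h.Extensions, sniAlpn)
	sort.Strings(ciphers)
	sort.Strings(hashExts)
	sni, alpn, ver := "i", "00", versionCode(h.Version)
	if h.HasSNI {
		sni = "d"
	}
	if len(h.ALPN) > 0 && h.ALPN[0] != "" {
		a := h.ALPN[0] // first and last character; non-ASCII ALPN names are out of scope here
		alpn = a[:1] + a[len(a)-1:]
	}
	c := strings.Join(hashExts, ",")
	if c != "" && len(h.SigAlgs) > 0 {
		c += "_" + strings.Join(hexList(h.SigAlgs, nil), ",")
	}
	return "t" + ver + sni + two(len(ciphers)) + two(len(allExts)) + alpn +
		"_" + hash12(strings.Join(ciphers, ",")) + "_" + hash12(c)
}

// Denylist maps known-malicious JA4 strings to a label: one map lookup per ClientHello.
type Denylist map[string]string

func (d Denylist) Match(h ClientHello) (string, bool) { label, ok := d[JA4(h)]; return label, ok }

// SampleHello is a constructed, browser-shaped ClientHello (not captured traffic):
// 15 real cipher suites and 15 real extensions, each list also carrying one GREASE value.
func SampleHello() ClientHello {
	return ClientHello{
		Version: 0x0304, HasSNI: true,
		Ciphers: []uint16{0x0a0a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030,
			0xcca9, 0xcca8, 0xc013, 0xc014, 0x009c, 0x009d, 0x002f, 0x0035},
		Extensions: []uint16{0x2a2a, 0x0000, 0x0017, 0xff01, 0x000a, 0x000b, 0x0023, 0x0010,
			0x0005, 0x000d, 0x0012, 0x0033, 0x002b, 0x002d, 0x001b, 0x0015},
		ALPN:    []string{"h2", "http/1.1"},
		SigAlgs: []uint16{0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601},
	}
}

func main() {
	fp := JA4(SampleHello())
	_, hit := Denylist{fp: "constructed-example-entry"}.Match(SampleHello()) // seeded with the sample itself
	fmt.Println(fp, hit)
}
```

The sample yields a JA4_a of `t13d1515h2`; the two hash parts depend on the exact cipher and extension lists, which is the point: a client that reorders its extensions still hashes the same, while a different TLS stack does not. Matching is a plain string compare, so the per-flow cost after parsing is one hash and one map lookup.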
IT-Edge Kill-Chain Tracker
We sit on the IT/OT seam and classify every SMB, RDP, WinRM, and Kerberos packet against a monotonic 6-stage ICS kill chain. Volt-Typhoon-class lateral movement — admin$ writes, PSEXESVC pipes, AS-REP roasting, PSRemoting — lights up at LATERAL stage, typically 5+ days before a Passive Monitor would have seen the OT command.
- BASELINE → RECON → INIT → LATERAL → PERSIST → OT_PIVOT
- SMB, RDP, WinRM, Kerberos parsers
- 13 MITRE techniques classified out of the box
- Monotonic — regression-proof under adversary noise
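The monotonic stage tracker described above, as an added example and not Vardar's own parser or classifier. It maps the lateral-movement indicators the page names (ADMIN$ writes, PSEXESVC pipes, AS-REP roasting, PSRemoting over WinRM) to ATT&CK technique IDs and to the LATERAL stage, keeps one stage per source host, and only ever advances it. The Event shape, the IPC$-to-RECON and RDP-to-LATERAL mappings, the detail strings and the sample hosts are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Stage is the page's monotonic 6-stage ICS kill chain; later stages compare greater.
type Stage int

const (
	BASELINE Stage = iota
	RECON
	INIT
	LATERAL
	PERSIST
	OT_PIVOT
)

func (s Stage) String() string {
	return [...]string{"BASELINE", "RECON", "INIT", "LATERAL", "PERSIST", "OT_PIVOT"}[s]
}

// Event is one parsed IT-side protocol event. Its shape is this example's
// assumption about what the SMB/RDP/WinRM/Kerberos parsers emit.
type Event struct {
	Src    string // source workstation; raw here, anonymized before anything leaves the edge
	Proto  string // "smb", "rdp", "winrm" or "kerberos"
	Detail string // share or pipe name, Kerberos request kind, etc.
}

// Classification is the ATT&CK technique and kill-chain stage an event maps to.
type Classification struct {
	Technique string
	Stage     Stage
}

// classify maps the indicators the page names (ADMIN$ writes, PSEXESVC pipes,
// AS-REP roasting, PSRemoting) to LATERAL. The IPC$ enumeration -> RECON entry
// and the RDP -> LATERAL entry are this example's own additions.
func classify(e Event) (Classification, bool) {
	d := strings.ToUpper(e.Detail)
	switch {
	case e.Proto == "smb" && d == "IPC$":
		return Classification{"T1135", RECON}, true // Network Share Discovery
	case e.Proto == "smb" && d == "ADMIN$":
		return Classification{"T1021.002", LATERAL}, true // SMB/Windows Admin Shares
	case e.Proto == "smb" && d == "PSEXESVC":
		return Classification{"T1569.002", LATERAL}, true // Service Execution (PsExec pipe)
	case e.Proto == "kerberos" && d == "AS-REQ-NOPREAUTH":
		return Classification{"T1558.004", LATERAL}, true // AS-REP Roasting
	case e.Proto == "winrm":
		return Classification{"T1021.006", LATERAL}, true // Windows Remote Management (PSRemoting)
	case e.Proto == "rdp":
		return Classification{"T1021.001", LATERAL}, true // Remote Desktop Protocol
	}
	return Classification{}, false
}

// Tracker keeps one stage per source host. Observe only ever advances it, so
// benign traffic or an earlier-stage indicator arriving after a LATERAL hit
// cannot walk the host back down the chain.
type Tracker struct {
	stage map[string]Stage
	Log   []string // one line per advance, for the operator's audit trail
}

func NewTracker() *Tracker { return &Tracker{stage: map[string]Stage{}} }

// Observe classifies e and returns the host's stage afterwards and whether it advanced.
func (t *Tracker) Observe(e Event) (Stage, bool) {
	cur := t.stage[e.Src] // a never-seen host is at BASELINE
	c, ok := classify(e)
	if !ok || c.Stage <= cur {
		return cur, false
	}
	t.stage[e.Src] = c.Stage
	t.Log = append(t.Log, fmt.Sprintf("%s %s: %s -> %s", e.Src, c.Technique, cur, c.Stage))
	return c.Stage, true
}

// StageOf returns a host's current stage (BASELINE if never seen).
func (t *Tracker) StageOf(src string) Stage { return t.stage[src] }

// SampleEvents is a constructed sequence: share enumeration, an ADMIN$ connect,
// then noise (a benign share, a repeat IPC$) that must not regress the stage,
// and an unrelated host sending pre-auth-less AS-REQs.
func SampleEvents() []Event {
	return []Event{
		{Src: "10.0.5.21", Proto: "smb", Detail: "IPC$"},
		{Src: "10.0.5.21", Proto: "smb", Detail: "ADMIN$"},
		{Src: "10.0.5.21", Proto: "smb", Detail: "SHARED-DOCS"},
		{Src: "10.0.5.21", Proto: "smb", Detail: "IPC$"},
		{Src: "10.0.5.40", Proto: "kerberos", Detail: "AS-REQ-NOPREAUTH"},
	}
}

func main() {
	tr := NewTracker()
	for _, e := range SampleEvents() {
		s, adv := tr.Observe(e)
		fmt.Printf("%-10s %-9s %-17s -> %-8v advanced=%v\n", e.Src, e.Proto, e.Detail, s, adv)
	}
}
```

The property worth checking is the one the bullet list calls regression-proof: after the ADMIN$ connect, the benign share and the repeat enumeration return `advanced=false` and the host stays at LATERAL. A real deployment would also need an explicit, operator-driven reset path, which this example leaves out on purpose so that nothing in the packet stream can lower a stage.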
Dual-Confirm Safe Blocking
Active mitigation requires two independent confirmations: the on-device autoencoder anomaly score AND a deterministic YAML guardrail. Both YAML rules are versioned in Git and auditable line-by-line. AI cannot block alone — by architecture, not by policy. This is the safety property that lets plant managers actually turn active defense on.
- AI anomaly AND deterministic guardrail both required
- YAML rules — versioned, inspectable, Git-tracked
- Default action=alert until operator escalates
- Surgical TCP RST or Cisco port quarantine, never device shutdown
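The dual-confirm decision, as an added example that is not Vardar's code: a blocking action is returned only when the autoencoder score and a deterministic guardrail rule agree on the same flow and an operator has escalated that rule past alert. The page keeps its rules as Git-tracked YAML; this example holds the same fields in a struct so it runs without a YAML library, and the rule IDs, versions, thresholds and sample flows are constructed.

```go
package main

import "fmt"

// Action is the closed set of responses. There is deliberately no "device
// shutdown" value; ValidateRule rejects any action outside this set.
type Action string

const (
	ActionAlert      Action = "alert"           // default for every rule
	ActionTCPReset   Action = "tcp_rst"         // surgical reset of the offending flow
	ActionQuarantine Action = "port_quarantine" // switch-port ACL on the source workstation
)

// Rule is one deterministic guardrail. The page keeps these as Git-tracked YAML;
// this example holds the same fields in a struct so it runs without a YAML library.
type Rule struct {
	ID        string
	Version   string  // Git revision the rule was loaded from (constructed values below)
	MinStage  string  // kill-chain stage at or above which the deterministic half matches
	JA4       string  // optional exact JA4 the flow must carry ("" = any)
	MinScore  float64 // autoencoder anomaly score at or above which the AI half agrees
	Action    Action
	Escalated bool // operator has explicitly escalated this rule from alert to its Action
}

// stageRank orders the page's kill-chain stages for the MinStage comparison.
var stageRank = map[string]int{"BASELINE": 0, "RECON": 1, "INIT": 2, "LATERAL": 3, "PERSIST": 4, "OT_PIVOT": 5}

// ValidateRule is the load-time check: unknown actions and stages never reach Decide.
func ValidateRule(r Rule) error {
	switch r.Action {
	case ActionAlert, ActionTCPReset, ActionQuarantine:
	default:
		return fmt.Errorf("rule %s: unknown action %q", r.ID, r.Action)
	}
	if _, ok := stageRank[r.MinStage]; !ok {
		return fmt.Errorf("rule %s: unknown stage %q", r.ID, r.MinStage)
	}
	return nil
}

// Evidence is what the detection path knows about one flow when Decide runs.
type Evidence struct {
	Src, Stage, JA4 string
	Anomaly         float64 // on-device autoencoder score, 0..1
}

// Decision is the chosen action plus an audit trail of why.
type Decision struct {
	Action  Action
	RuleID  string
	Reasons []string
}

// Decide implements dual-confirm. A blocking action needs BOTH halves on the
// same rule: the AI score at or above MinScore AND the deterministic match,
// and the rule must have been escalated by an operator. Anything less is an
// alert, so an anomaly score on its own can never block.
func Decide(rules []Rule, ev Evidence) Decision {
	d := Decision{Action: ActionAlert}
	for _, r := range rules {
		ruleHit := stageRank[ev.Stage] >= stageRank[r.MinStage] && (r.JA4 == "" || r.JA4 == ev.JA4)
		aiHit := ev.Anomaly >= r.MinScore
		switch {
		case ruleHit && aiHit && r.Escalated && r.Action != ActionAlert:
			return Decision{Action: r.Action, RuleID: r.ID, Reasons: []string{
				"guardrail " + r.ID + "@" + r.Version + " matched",
				fmt.Sprintf("anomaly %.2f >= %.2f", ev.Anomaly, r.MinScore)}}
		case ruleHit && aiHit:
			d.Reasons = append(d.Reasons, r.ID+": both halves agree but rule is not escalated; alert only")
		case ruleHit:
			d.Reasons = append(d.Reasons, r.ID+": guardrail matched, AI score below threshold; alert only")
		case aiHit:
			d.Reasons = append(d.Reasons, r.ID+": AI anomaly alone; alert only")
		}
	}
	return d
}

// SampleRules are constructed guardrails; IDs, versions and thresholds are illustrative.
func SampleRules() []Rule {
	return []Rule{
		{ID: "lateral-rst", Version: "a1b2c3d", MinStage: "LATERAL", MinScore: 0.80, Action: ActionTCPReset, Escalated: true},
		{ID: "otpivot-quarantine", Version: "a1b2c3d", MinStage: "OT_PIVOT", MinScore: 0.60, Action: ActionQuarantine, Escalated: false},
	}
}

func main() {
	for _, ev := range []Evidence{
		{Src: "10.0.5.21", Stage: "LATERAL", Anomaly: 0.92},  // both halves: block
		{Src: "10.0.5.21", Stage: "LATERAL", Anomaly: 0.40},  // rule only: alert
		{Src: "10.0.5.33", Stage: "BASELINE", Anomaly: 0.99}, // AI only: alert
		{Src: "10.0.5.21", Stage: "OT_PIVOT", Anomaly: 0.70}, // both, not escalated: alert
	} {
		d := Decide(SampleRules(), ev)
		fmt.Printf("%-9s %.2f -> %-15s %v\n", ev.Stage, ev.Anomaly, d.Action, d.Reasons)
	}
}
```

Written out as YAML the second rule is just the same fields (`id`, `min_stage`, `min_score`, `action`, `escalated`), which is what makes it reviewable line by line in a pull request. The behaviour to verify is the third and fourth sample: a 0.99 anomaly score with no guardrail match, and a matched rule that nobody escalated, both degrade to an alert.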
And Much More
NPU-Accelerated Edge
Autoencoder anomaly scoring on an on-device NPU. All inference stays at the edge. No cloud round-trip in the detection path.
Hive Mind
Cross-tenant intelligence over anonymized JA4 and kill-chain stage events. A malicious fingerprint observed at one customer protects every other — without anyone's raw data leaving the edge.
Audit Shield
CI-enforced regression test mathematically proves no raw IPs, MACs, or hostnames leave a Vardar Sentinel. Privacy by code, not by policy.
Orchestrated Isolation
Confirmed threats trigger HITL Cisco port quarantine of the source workstation. Operator approves; switch ACL applies. No PLC ever sees the command.
Three Structural Failures
of Legacy OT Security
Passive Monitors built for a plaintext world. $200K Enterprise Suites priced for a market they cannot serve. Single-trigger AI plant managers refuse to turn on. The attack surface has moved — the incumbents have not.
Encryption Killed DPI
OPC UA, MQTT, IEC 60870-5-104, DNP3 — every OT protocol that matters is migrating to TLS. Legacy DPI inspects packet payloads. Every TLS rollout on your plant floor makes your existing OT sensor weaker. Encryption is not a future problem. It is already on your network.
Legacy DPI cannot see past the TLS handshake
The Pivot Is in IT. Your OT Monitor Isn't.
Volt Typhoon lived in U.S. utility IT environments for 6+ months before touching a single PLC. Black Basta operators move laterally over SMB admin shares, PsExec pipes, and Kerberos ticket abuse — none of which a Passive Monitor sees. Your OT IDS catches step 5 of a 5-step kill chain.
Typical IT-side dwell before an OT command is even issued
Single-Trigger AI Is Russian Roulette
The market's only active OT product lets a single AI anomaly score shut down your plant. That is why every plant manager leaves it in alert-only mode — and why it never actually defends anything. Unsafe AI is theatre, not security.
Where plant managers leave single-trigger AI in production
Vardar was engineered against all three. Edge-native. Encryption-aware. Dual-confirmed.
From Zero to Protected
in Under 24 Hours
No months-long deployments. No dedicated security teams required. Three simple steps to full OT/IoT visibility and protection.
Plug In
10 Minutes
We place a compact cybersecurity edge appliance next to your network switch. It connects to a mirror port — a standard, read-only tap that copies traffic without touching your production network. No agents installed. No configuration changes. No risk.
Learn
24 Hours
Within 24 hours, the Sentinel automatically discovers every device on your network and builds a behavioral profile for each one — what it talks to, when, how much, and using which protocols. The on-device autoencoder produces an anomaly score per device-window; this becomes the behavioral half of Dual-Confirm.
Protect
Ongoing
When any device deviates from its established behavior — unusual traffic, new connections, abnormal timing — you get a plain-English alert explaining exactly what changed and why it matters. No cryptic logs. No alert fatigue. Just clear, actionable intelligence.
Cross-Tenant Intelligence.
Zero Raw Data.
Every Sentinel feeds anonymized JA4 fingerprints and kill-chain stage events into the Vardar Hive. A malicious signature observed at one tenant becomes a deterministic guardrail entry at every other tenant — without anyone's raw network data leaving the edge.
The propagation works because the shared layer is identity metadata, not packet content. JA4 is public-by-construction. Device identities are HMAC-anonymized at the edge with a salt that physically cannot leave the Sentinel. The Audit Shield CI test enforces this invariant on every commit.
"A new ransomware JA4 caught at a utility in New York propagates as a guardrail rule to a manufacturer in Tokyo — without either side sharing a single byte of raw data."
Cross-Tenant Threat Intelligence
A malicious JA4 fingerprint observed at a utility in New York automatically protects a manufacturer in Tokyo. Every deployment makes the entire network smarter.
Continuous Baseline Refinement
Anonymized behavioral patterns refine the global model. The more networks we protect, the sharper the detection becomes for every tenant.
Privacy by Construction
Only JA4 fingerprints and HMAC-anonymized identity tokens leave the device — never raw network data, never IPs, never hostnames. Audit-shielded in CI.
Zero-Day Pattern Propagation
A new lateral-movement signature seen at any tenant feeds the deterministic guardrails at every other tenant — often before public CVE disclosure.
Mathematical Privacy.
Not Policy Privacy.
Most vendors hand you a privacy promise. We hand you a failing build. Every byte that leaves a Vardar Sentinel is governed by 7 inviolable invariants — and a CI test that blocks any regression before it merges.
The Audit Shield
Our CI runs TestAuditShield_EndToEndFingerprintWire on every pull request. It builds a payload from realistic raw IPs, MACs, and hostnames, ships it through the actual production uplink, captures the outbound bytes, and asserts via regex that ZERO raw-identifier patterns survived. A privacy regression breaks the build before merge. This is mathematical privacy, not policy privacy.
What Leaves the Edge — Exactly
JA4 fingerprints (public-by-construction protocol IDs). HMAC-SHA256-anonymized device IDs and hostnames, 16 hex chars, per-tenant salt. Numeric anomaly scores and kill-chain stage events. That is it. No raw IPs. No MACs. No payload bytes. No plant hostnames. No AD account names. Ever.
Salt That Cannot Leave
The per-tenant HMAC salt is generated on the device at provisioning time and stored at /etc/vardar/sentinel/tenant.salt mode 0600. By physical and architectural construction it is NEVER transmitted, NEVER logged, NEVER OTA-synced, NEVER backed up off-device. Salt rotation requires explicit operator re-provision.
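The HMAC anonymization described under Hive Mind and the regex audit described under The Audit Shield, as one added example that is not Vardar's test or uplink code. It builds a wire record from constructed raw identifiers using a per-tenant salt, serializes it, and then checks the outbound bytes for IPv4 and MAC patterns and for literal copies of the raw values; a deliberately leaky serializer shows the check failing closed. The salt value, the record layout, the JSON field names and the sample observation are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// tenantSalt stands in for /etc/vardar/sentinel/tenant.salt (mode 0600).
// Constructed value; a real salt is generated on the device and never leaves it.
var tenantSalt = []byte("constructed-salt-for-illustration-only")

// Anonymize returns the per-tenant HMAC-SHA256 token for a raw identifier,
// truncated to 16 hex characters. Lower-casing first is this example's
// normalization so "HMI-01" and "hmi-01" map to one token.
func Anonymize(salt []byte, raw string) string {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(strings.ToLower(raw)))
	return hex.EncodeToString(m.Sum(nil))[:16]
}

// RawObservation is what the edge sees: raw identifiers that must never be sent.
type RawObservation struct {
	IP, MAC, Hostname, JA4, Stage string
	Anomaly                       float64
}

// WireRecord is the only shape allowed on the uplink: tokens, a JA4, a stage, a score.
type WireRecord struct {
	DeviceID string  `json:"device_id"` // HMAC(salt, MAC)
	HostID   string  `json:"host_id"`   // HMAC(salt, hostname)
	JA4      string  `json:"ja4"`
	Stage    string  `json:"stage"`
	Anomaly  float64 `json:"anomaly"`
}

// ToWire replaces every raw identifier with its HMAC token before serializing.
func ToWire(salt []byte, o RawObservation) ([]byte, error) {
	return json.Marshal(WireRecord{
		DeviceID: Anonymize(salt, o.MAC),
		HostID:   Anonymize(salt, o.Hostname),
		JA4:      o.JA4, Stage: o.Stage, Anomaly: o.Anomaly,
	})
}

// rawPatterns are the identifier shapes the audit scans the outbound bytes for.
var rawPatterns = map[string]*regexp.Regexp{
	"ipv4": regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`),
	"mac":  regexp.MustCompile(`(?i)\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b`),
}

// AuditShield returns every raw-identifier finding in the outbound bytes:
// pattern hits plus literal occurrences of the identifiers that went in.
// An empty result is the pass condition; anything else should fail the build.
func AuditShield(wire []byte, o RawObservation) []string {
	var findings []string
	text := strings.ToLower(string(wire))
	for name, re := range rawPatterns {
		for _, m := range re.FindAllString(text, -1) {
			findings = append(findings, name+":"+m)
		}
	}
	for _, raw := range []string{o.IP, o.MAC, o.Hostname} {
		if raw != "" && strings.Contains(text, strings.ToLower(raw)) {
			findings = append(findings, "literal:"+raw)
		}
	}
	return findings
}

// SampleObservation is a constructed edge observation (not captured traffic);
// the JA4 hash parts are zero placeholders.
func SampleObservation() RawObservation {
	return RawObservation{IP: "10.42.7.15", MAC: "00:1b:21:aa:bb:cc",
		Hostname: "HMI-LINE3.plant.example", JA4: "t13d1515h2_000000000000_000000000000",
		Stage: "LATERAL", Anomaly: 0.87}
}

// LeakyWire is a deliberately wrong serializer that ships the raw IP; it exists
// to show that the audit fails closed instead of trusting the happy path.
func LeakyWire(o RawObservation) []byte {
	return []byte(fmt.Sprintf(`{"device_id":%q,"stage":%q}`, o.IP, o.Stage))
}

func main() {
	o := SampleObservation()
	wire, _ := ToWire(tenantSalt, o)
	fmt.Println(string(wire))
	fmt.Println("clean findings:", AuditShield(wire, o))
	fmt.Println("leaky findings:", AuditShield(LeakyWire(o), o))
}
```

Two details carry the privacy argument: the token is keyed, so without the salt it cannot be reversed by brute-forcing the small space of plausible MACs or hostnames, and the audit does not trust the serializer, it inspects the bytes that would actually go out. A 16-hex-character token leaves 64 bits, which is ample for distinguishing devices within one tenant while contributing nothing toward re-identification across tenants, since each tenant's salt differs.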
Read the Source Yourself
ADR_011 documents the 7 inviolable Zero-Trust Privacy invariants. The Audit Shield test source is available to your CISO under NDA — clone the repo, run go test, reproduce the proof on your laptop in five minutes. We do not ask you to trust us. We give you the code that makes trust unnecessary.
SOC 2 Type II and IEC 62443 alignment underway. The privacy guarantee above stands independent of certifications — it is enforced by the code.
Transparent, Flexible Plans
for Every Scale
From a single factory floor to a global operation — our cloud-native architecture lets us price aggressively at every tier. No six-figure contracts. No surprises.
Starter
For small manufacturers getting started with OT visibility.
- Up to 100 monitored devices
- Behavioral profiling & anomaly detection
- Plain-English alerts via email
- Device inventory dashboard
- Standard support
Professional
For growing operations that need deeper protection and compliance.
- Up to 500 monitored devices
- Everything in Starter, plus:
- Hive Mind collective intelligence
- Role-based access control
- Email + Slack/Teams alert integrations
- Compliance reporting (NIS2, ISO, NIST)
- Monthly threat summary reports
- Active response with approval workflows
- Priority support
Enterprise
For multi-site operations with advanced security requirements.
- Unlimited devices & sites
- Everything in Professional, plus:
- Multi-site centralized management
- SSO / SAML 2.0 integration
- Dedicated Customer Success Manager
- SLA guarantees (99.9% uptime)
- Full API access & webhook integrations
- Custom compliance reporting templates
- Priority threat intelligence feeds
- On-site deployment option (coming soon)
Every plan starts with a free risk assessment — no commitment, no credit card.
The Clock Is Ticking
New regulations worldwide are mandating OT cybersecurity across industries. Non-compliance means fines, liability, and lost contracts. Getting compliant doesn't have to cost six figures.
NIS2 Directive
Mandatory cybersecurity risk management and incident reporting for essential and important entities — including manufacturing, energy, and healthcare.
Israel Critical Infrastructure
National Cyber Directorate regulations requiring OT security measures for critical infrastructure operators, with increasing enforcement and audit requirements.
Cyber Resilience Act
Products with digital elements must meet cybersecurity requirements throughout their lifecycle — directly impacting IoT device manufacturers and operators.
NIST Cybersecurity Framework (CSF)
The de facto standard for critical infrastructure cybersecurity in the US. NIST CSF's Identify, Protect, Detect, Respond, Recover framework maps directly to Vardar's capabilities — particularly the Detect and Identify functions.
IEC 62443 — Industrial Cybersecurity
The international standard for industrial automation and control system security. Vardar's passive monitoring, network segmentation visibility, and anomaly detection support key requirements across IEC 62443-2-1 and IEC 62443-3-3.
Start Your Compliance Journey Today
Vardar provides the device inventory, behavioral monitoring, and compliance reporting that regulators require — deployed in hours, not months, at a fraction of enterprise cost.
Tier-1 OT Defense
on Mid-Market Hardware Economics.
Vardar exists because $200K Enterprise Suites cannot price down to where the actual attack surface lives. Commodity ARM64 edge hardware closes the gap. Volt Typhoon did not target the Fortune 500 — it targeted the operators of the water and power systems your community runs on. That is who this is for.
5,000+ U.S. Utilities Currently Undefended
The CISA Volt Typhoon advisories (AA24-038A) explicitly named water utilities as a primary target. Most U.S. utilities under 50,000 customers cannot afford a $200K Enterprise Suite. They run with no OT IDS at all — which is exactly where the adversary already is.
Key Challenges
- Volt Typhoon and ransomware operator targeting
- Operational budget below Enterprise Suite entry pricing
- Distributed SCADA across pump stations, treatment plants, lift stations
How Vardar Helps
One Sentinel per plant on commodity edge hardware. SPAN-port install in under one day. Catches IT-side lateral movement at LATERAL stage before any HMI or RTU command. Aligns with EPA AWIA and the CISA Cyber Performance Goals.
BACnet, KNX, and the Quiet Attack Surface
Roughly 150,000 smart commercial buildings in the U.S. run BACnet, Modbus, and increasingly TLS-wrapped building management protocols. Most have no OT-aware security — the IT firewall does not understand the protocols and the BMS vendor is not a security company.
Key Challenges
- BACnet / Modbus / KNX with limited authentication
- Tenant safety risk from HVAC, fire, and access control manipulation
- Capex sensitivity — Enterprise Suites are non-starters
How Vardar Helps
Sentinel deploys on the BMS subnet, baselines every controller, and catches the IT-to-BMS pivot the same way it catches IT-to-OT. Dual-confirm reflex means no false-positive HVAC shutdown.
Solar Farms, Wind Sites, Electric Co-ops
Distributed energy resources are the fastest-growing OT footprint in the grid and the least defended. A regional electric cooperative or community solar farm cannot justify a six-figure OT IDS — and so they run with none. Threat actors have noticed.
Key Challenges
- Geographically dispersed, low-bandwidth sites
- IEC 60870-5-104 and DNP3 increasingly TLS-wrapped (DPI-blind to incumbents)
- Limited on-site IT staff for traditional OT IDS operation
How Vardar Helps
One Sentinel per site, Tailscale-meshed, OTA-managed. JA4 encrypted-flow analytics covers the TLS migration incumbents are blind to. Air-gap-friendly: detection survives cloud loss.
Under 500 Employees, Still Worth a Ransomware Hit
Mid-market manufacturers are the modal ransomware target — large enough to pay, small enough to be undefended. Black Basta and LockBit operators pivot through IT (RDP, SMB) and reach the OT floor in days. Your existing IT firewall sees the RDP — it does not classify it against an ICS kill chain.
Key Challenges
- PLCs, HMIs, robotics with limited built-in security
- Six-figure-per-hour downtime in a ransomware event
- No dedicated OT security team
How Vardar Helps
Vardar straddles the IT/OT seam. SMB / RDP / WinRM / Kerberos parsing catches Volt-Typhoon-class lateral movement at LATERAL stage — typically 5+ days before a passive OT monitor would have seen the resulting OT command.
Don't see your industry? Vardar adapts to any OT/IoT environment.
Request a Private Demo
See how VARDAR can transform your network security. Our team will walk you through a personalized demonstration tailored to your industry and use case.
Built by cybersecurity engineers. mTLS-only · payload-free uplink · 5 patents in flight.