# About MarlinSpike

> Passive OT/ICS topology mapper and analyst workbench. The modern GrassMarlin, built for shared engagements. Open-source core behind Fathom.

*Canonical HTML: https://grassmarlin.com/about/*
*Markdown source: https://grassmarlin.com/about.md*
*Français: https://grassmarlin.com/fr/about.md*

---

MarlinSpike is a passive OT/ICS topology mapper and analyst workbench. The product takes packet captures in, sends no traffic back into the environment, and turns passive observations into topology, asset inventory, responder-grade findings, and portable JSON report artifacts. It is the open-source core behind Fathom and is intentionally built as a shared web workbench rather than a single-user thick client.

## Lineage

MarlinSpike picks up where GrassMarlin left off. The first principle is the same, passive OT/ICS visibility from packet captures alone, but the tool is rebuilt for the way responders actually work today: a shared web workbench instead of a single-user thick client, a portable JSON report contract instead of a session-bound view, and a multi-stage extensibility model that takes Rust engines, Python plugins, and YAML rule packs.

We're not a fork; we're a successor. The product is independent code, ground-up architecture, and a deliberate alignment with what GrassMarlin originally promised the OT community: passive analysis, vendor-neutral protocol coverage, and tooling that respects the operational reality of the plant floor.

Key characteristics: Passive only · Multi-user workbench · Portable JSON report · OT-native protocol coverage · Open source

## Product boundary

MarlinSpike keeps the engine standalone and treats the generated report artifact as the handoff between packet analysis and downstream review.

```
Project → Scan → Report → Workbench → Triage
```

The preferred install path is a reverse-proxied Docker Compose deployment that multiple responders can share during an assessment, outage investigation, or tabletop.

## 5-stage analysis chain

The analysis pipeline stays intentionally legible: ingest and validation, protocol dissection, topology building, risk surfacing, and report generation.

- **Stage 1, Ingest**: Capture file validation and metadata extraction.
- **Stage 2, Dissect**: OT protocol parsing, L2 discovery, and conversation extraction.
- **Stage 3, Topology**: Node and edge graph, Purdue placement, vendor fingerprinting, role assignment.
- **Stage 4, Risk**: Cross-zone issues, suspicious external communications, beaconing, DNS entropy, MITRE ATT&CK mapping.
- **Stage 5, Report**: Portable JSON artifact consumed by the workbench and downstream tooling.

## Protocol coverage

MarlinSpike is built around industrial protocol visibility, then enriches that with network-discovery context so infrastructure relationships are not thrown away.

**OT / ICS**: Modbus, EtherNet/IP, CIP, S7comm, DNP3, IEC 60870-5-104, OPC-UA, BACnet, PROFINET, HART-IP, FINS, GOOSE, MMS, OMRON

**Layer 2 / discovery**: LLDP, CDP, STP, LACP, ARP, VLAN
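As an added example that is not MarlinSpike's code and does not use its report schema, the five stages listed under "5-stage analysis chain" can be walked end to end on a constructed three-packet capture of Modbus/TCP, the first protocol in the list above. A hand-built pcap is validated, the MBAP header is dissected, nodes are placed on Purdue levels by subnet, a cross-zone rule flags Modbus traffic that skips a level or arrives from outside every known zone, and the result is a JSON-ready report dict. The subnet-to-level map, the two finding IDs, the `toy-report/1` schema name and the `T0855` mapping are assumptions made for the demo; only the pcap record layout and the MBAP header (transaction id, protocol id 0, length, unit id, function code) come from the formats themselves.

```python
# Toy five-stage chain: pcap bytes in, JSON-ready report out. Added illustration, not
# MarlinSpike's code; subnet-to-Purdue map, cross-zone rule and ATT&CK mapping are assumed.
import struct

PCAP_MAGIC = 0xA1B2C3D4                  # little-endian pcap, microsecond timestamps
MODBUS_PORT = 502
WRITE_FCS = {5, 6, 15, 16}               # function codes that change coils/registers
PURDUE = {"10.0.1.": 1, "10.0.2.": 2, "10.0.3.": 3}   # assumed subnet prefix -> level

def ingest(data):  # Stage 1: validate the pcap global header, split out the records
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != 1:          # 1 = LINKTYPE_ETHERNET
        raise ValueError("unsupported capture: magic=%#x linktype=%d" % (magic, linktype))
    off, frames = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        if off + 16 + incl > len(data):
            raise ValueError("truncated record at offset %d" % off)
        frames.append((sec + usec / 1e6, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return {"version": "%d.%d" % (vmaj, vmin), "snaplen": snaplen, "packets": len(frames)}, frames

def dissect(frames):  # Stage 2: Ethernet/IPv4/TCP, then the Modbus/TCP MBAP header
    events = []
    for ts, f in frames:
        ihl = (f[14] & 0x0F) * 4 if len(f) > 14 else 0
        if len(f) < 34 + ihl or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue                                  # IPv4 over TCP only in this toy
        tcp = f[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        ev = {"ts": ts, "src": ".".join(map(str, f[26:30])), "dst": ".".join(map(str, f[30:34])),
              "sport": sport, "dport": dport, "proto": "tcp"}
        if dport == MODBUS_PORT and len(payload) >= 8:
            txid, proto_id, length, unit, fc = struct.unpack("!HHHBB", payload[:8])
            if proto_id == 0 and length == len(payload) - 6:   # MBAP sanity checks
                ev.update(proto="modbus", txid=txid, unit=unit, fc=fc)
        events.append(ev)
    return events

def topology(events):  # Stage 3: Purdue placement, role assignment, one edge per conversation
    nodes, edges = {}, {}
    for ev in events:
        for ip in (ev["src"], ev["dst"]):
            level = next((lvl for pfx, lvl in PURDUE.items() if ip.startswith(pfx)), None)
            nodes.setdefault(ip, {"ip": ip, "purdue_level": level, "role": "unknown"})
        edge = edges.setdefault((ev["src"], ev["dst"], ev["proto"], ev["dport"]),
                                {"src": ev["src"], "dst": ev["dst"], "proto": ev["proto"],
                                 "dport": ev["dport"], "packets": 0, "fcs": []})
        edge["packets"] += 1
        if ev["proto"] == "modbus":
            edge["fcs"] = sorted(set(edge["fcs"]) | {ev["fc"]})
            nodes[ev["src"]]["role"] = "modbus-client"
            nodes[ev["dst"]]["role"] = "modbus-server"
    return nodes, list(edges.values())

def risk(nodes, edges):  # Stage 4: Modbus that skips a Purdue level or comes from no known zone
    findings = []
    for e in edges:
        if e["proto"] != "modbus":
            continue
        client, server = nodes[e["src"]]["purdue_level"], nodes[e["dst"]]["purdue_level"]
        fid = ("external-to-ot" if client is None else "cross-zone-modbus"
               if server is not None and client - server >= 2 else None)
        if fid is None:
            continue
        writes = bool(WRITE_FCS & set(e["fcs"]))
        findings.append({"id": fid, "src": e["src"], "dst": e["dst"], "fcs": e["fcs"],
                         "severity": "high" if writes else "medium",
                         "attack": ["T0855"] if writes else []})   # assumed ICS mapping
    return findings

def analyze(pcap_bytes):  # Stage 5: run the chain and shape the report (schema name made up)
    meta, frames = ingest(pcap_bytes)
    nodes, edges = topology(dissect(frames))
    return {"schema": "toy-report/1", "capture": meta, "edges": edges,
            "nodes": sorted(nodes.values(), key=lambda n: n["ip"]), "findings": risk(nodes, edges)}

def modbus_frame(src, dst, sport, fc, unit=1, txid=1):  # constructed Modbus/TCP request frame
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    pdu = bytes([fc]) + b"\x00\x00\x00\x01"                   # fc, start address, count/value
    mbap = struct.pack("!HHHB", txid, 0, len(pdu) + 1, unit)  # length covers unit id + PDU
    tcp = struct.pack("!HHIIBBHHH", sport, MODBUS_PORT, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(mbap) + len(pdu),
                     1, 0, 64, 6, 0, ip4(src), ip4(dst))
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip + tcp + mbap + pdu

def build_pcap(frames):  # constructed capture file: global header + one record per frame
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))

SAMPLE_PCAP = build_pcap([
    modbus_frame("10.0.2.10", "10.0.1.5", 40001, fc=3),      # level 2 HMI polling a level 1 PLC
    modbus_frame("10.0.3.20", "10.0.1.5", 40002, fc=6),      # level 3 host writing a register
    modbus_frame("198.51.100.7", "10.0.1.5", 40003, fc=3),   # address outside every zone
])
```

`json.dumps(analyze(SAMPLE_PCAP), indent=2)` prints the artifact. The point worth noticing is that the write from `10.0.3.20` is only a finding because of where the two hosts sit in the Purdue map; the packet on its own is an ordinary function code 6 request, which is why Stage 3 has to run before Stage 4 and why the capture never has to be replayed or probed to get there.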

## Standards support

The public story stays bounded to what the platform actually exposes today. MarlinSpike supports standards-oriented review without pretending to be a broader compliance suite.

**IEC 62443**: Stage 4 remediation guidance is framed around IEC 62443 system requirements (SRs) for the finding classes the platform supports.

**MITRE ATT&CK**: ATT&CK is carried through the report workflow, with tactic-grouped matrix views, sub-techniques, mitigations, and response guidance for both the ICS and Enterprise domains.

**Purdue / ISA-95**: ISA-95 and Purdue-style zoning remain central to topology layout, asset placement, and cross-level communication review.

## Architecture overview

MarlinSpike is intentionally extensible for working OT/ICS responders, not just systems programmers. Three formal extension surfaces cover the breadth of customization.

**Rust engines**: Packet-facing and event-heavy components such as DPI. The standalone `marlinspike-dpi` substrate ships 34 protocol dissectors and is built into the Docker image at a pinned ref.

**Python plugins**: Report-facing analysis, enrichment, and triage logic. The MITRE ATT&CK plugin, ARP analysis plugin, and APT plugin all live behind this surface and are loaded by module name from env.

**YAML rule packs**: Declarative mappings, suppressions, and local policy. Default packs ship under `rules/<plugin>/base.yaml`; per-deployment overrides via env vars.
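The two software-facing surfaces, as an added illustration rather than MarlinSpike's own loader: plugin modules are named in an environment variable and imported by name, each plugin's default pack is resolved under `rules/<plugin>/base.yaml`, and a per-deployment override file named in another environment variable is merged on top. The `MS_*` variable names, the `analyze()` plugin contract, the merge semantics, the sample `ms_plugins.arp` plugin and its `T0830` mapping are all assumptions; the pack contents are in-memory dicts standing in for what `yaml.safe_load` would return from the files. The check worth keeping from it is the first one: a module name that comes from the environment is a code-execution handle, so it is matched against a strict pattern and an allowlisted prefix before `importlib` is called.

```python
# Illustration of the Python-plugin and YAML-rule-pack surfaces: plugin modules named in
# an env var, default packs under rules/<plugin>/base.yaml, per-deployment overrides via
# env. Added example, not MarlinSpike's loader; the MS_* variable names, the analyze()
# plugin contract, the merge semantics and the sample plugin are assumptions.
import importlib
import re
import sys
import types

MODULE_RE = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)*$")   # a dotted identifier, nothing else
HOOK = "analyze"                                              # assumed plugin entry point


def load_plugins(env):
    """Import every module listed in MS_PLUGINS. A module name read from the environment
    is an arbitrary-code-execution handle, so it is matched against a strict pattern and an
    allowlisted prefix (MS_PLUGIN_PREFIX) before importlib ever sees it."""
    prefix = env.get("MS_PLUGIN_PREFIX", "")
    loaded, rejected = {}, {}
    for name in (n.strip() for n in env.get("MS_PLUGINS", "").split(",") if n.strip()):
        if not MODULE_RE.match(name) or not name.startswith(prefix):
            rejected[name] = "name outside allowlist"
            continue
        try:
            mod = importlib.import_module(name)
        except ImportError as exc:
            rejected[name] = "import failed: %s" % exc
            continue
        if not callable(getattr(mod, HOOK, None)):
            rejected[name] = "no %s() entry point" % HOOK
            continue
        loaded[name] = mod
    return loaded, rejected


def rule_pack_paths(plugin, env):
    """Default pack for a plugin plus the optional override path taken from MS_RULES_<NAME>."""
    short = plugin.rsplit(".", 1)[-1]
    return "rules/%s/base.yaml" % short, env.get("MS_RULES_%s" % short.upper())


def merge_packs(base, override):
    """Deep merge of two parsed packs: nested mappings merge per key, lists (suppressions)
    are unioned so an override can add but never silently drop a base entry, scalars replace."""
    out = dict(base)
    for key, val in (override or {}).items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = merge_packs(out[key], val)
        elif isinstance(val, list) and isinstance(out.get(key), list):
            out[key] = out[key] + [v for v in val if v not in out[key]]
        else:
            out[key] = val
    return out


def load_rules(plugin, env, read_pack):
    """read_pack(path) returns the parsed pack or None; a real deployment would wrap
    yaml.safe_load over the file, here it is injected so the example runs without files."""
    base_path, override_path = rule_pack_paths(plugin, env)
    return merge_packs(read_pack(base_path) or {},
                       read_pack(override_path) if override_path else None)


# Constructed sample plugin, registered in sys.modules so importlib can find it offline.
_pkg = types.ModuleType("ms_plugins")
_pkg.__path__ = []
_arp = types.ModuleType("ms_plugins.arp")
_arp.analyze = lambda report, rules: [{"id": "arp-flip", "mac": m} for m in report["arp_flips"]
                                      if m not in rules.get("suppressions", [])]
sys.modules["ms_plugins"], sys.modules["ms_plugins.arp"] = _pkg, _arp

SAMPLE_PACKS = {                                   # stand-ins for the parsed YAML files
    "rules/arp/base.yaml": {"mappings": {"arp-flip": {"severity": "medium",
                                                      "attack": ["T0830"]}},   # assumed mapping
                            "suppressions": ["00:00:00:00:00:00"]},
    "/etc/marlinspike/arp-override.yaml": {"mappings": {"arp-flip": {"severity": "high"}},
                                           "suppressions": ["aa:bb:cc:dd:ee:01"]},
}
SAMPLE_ENV = {
    "MS_PLUGINS": "ms_plugins.arp, os.system, ../evil, ms_plugins.missing",
    "MS_PLUGIN_PREFIX": "ms_plugins.",
    "MS_RULES_ARP": "/etc/marlinspike/arp-override.yaml",
}


def run(env=SAMPLE_ENV, packs=SAMPLE_PACKS):
    """Load plugins, resolve each one's rules and run it over a constructed report fragment."""
    loaded, rejected = load_plugins(env)
    report = {"arp_flips": ["aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"]}
    findings = {}
    for name, mod in loaded.items():
        rules = load_rules(name, env, packs.get)
        findings[name] = [dict(f, **rules["mappings"].get(f["id"], {}))
                          for f in mod.analyze(report, rules)]
    return loaded, rejected, findings


if __name__ == "__main__":
    print(run())
```

Merging lists by union rather than replacement is deliberate: an override can add suppressions for one site but cannot silently drop one that ships in the base pack, which keeps a local edit from widening a deployment's blind spots. The three rejected names in `SAMPLE_ENV` show the three failure modes a loader has to report rather than swallow: a real module outside the allowlist (`os.system`), a string that is not a module name at all (`../evil`), and an allowlisted name that does not resolve.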

Continue with the [wiki](/wiki/) for deployment, architecture, and the report contract, or go to [downloads](/downloads/) for the official repo and package path.
