# MarlinSpike, the modern GrassMarlin

> The maintained, multi-user, web-based successor to NSA's GrassMarlin. The original NSA Information Assurance Directorate tool reached end-of-life in 2017; CISA disclosed CVE-2026-6807 (XXE in v3.2.1) on 28 April 2026 with no patch coming. MarlinSpike picks up the role: an open-source passive OT/ICS topology workbench (captures in, zero packets out) and a multi-user web workbench for shared OT engagements, with Purdue-level inference, vendor fingerprinting, asset-context-driven contextual severity, IOC threat-hunting across reports, a live MITRE ATT&CK matrix, a bilingual EN/FR UI, and portable JSON report artifacts as the engine ↔ workbench contract. The full provenance is at https://grassmarlin.com/wiki/heritage.md.

This file follows the llms.txt convention (https://llmstxt.org). Every documentation page is also available as plain markdown by appending `.md` to the URL, for example, https://grassmarlin.com/wiki/architecture.md.

The full concatenated documentation in one document is at https://grassmarlin.com/llms-full.txt.

A French translation of every page is available at `https://grassmarlin.com/fr/<path>` and the French index is at https://grassmarlin.com/fr/llms.txt.

## Site

- [About MarlinSpike](https://grassmarlin.com/about.md): Passive OT/ICS topology mapper and analyst workbench. The modern GrassMarlin, built for shared engagements. Open-source core behind Fathom.
- [MarlinSpike Downloads](https://grassmarlin.com/downloads.md): Official repository, source archives, Docker deployment path, and current binary status, in one place.
- [GlassMarlin, the successor to GrassMarlin](https://grassmarlin.com/glassmarlin.md): One file. PCAP in. Full OT/ICS triage workbench out. No Wireshark, no Python, no Docker, no internet. Defender-on-a-laptop tooling for engagements where the host has nothing.

## Overview

- [Heritage](https://grassmarlin.com/wiki/heritage.md): How MarlinSpike inherits the GrassMarlin role, what NSA released in 2017, what stopped working, why CVE-2026-6807 forced a successor, and what carried over.
- [Getting Started](https://grassmarlin.com/wiki/getting-started.md): Understand MarlinSpike fast, then bring it up from source: product model, first deployment commands, and documentation trail.
- [Deployment](https://grassmarlin.com/wiki/deployment.md): Deploy MarlinSpike as a shared, reverse-proxied Docker workbench: environment setup, persistent volumes, upgrades, and live capture.
- [Architecture](https://grassmarlin.com/wiki/architecture.md): Packet dissection, topology, triage, and reporting stay intentionally separate: the five-stage chain, DPI options, protocol coverage, and outputs.

## Project layout

- [Repo Family](https://grassmarlin.com/wiki/repo-family.md): One suite repo, several focused component repos, and a clean artifact boundary: the subtree model and current transition state.
- [Extensibility](https://grassmarlin.com/wiki/extensibility.md): Rust engines, Python plugins, and YAML rule packs each have a different job: the formal extension contracts and where new work belongs.
- [Presets](https://grassmarlin.com/wiki/presets.md): The public repo does not ship third-party PCAP corpora, but MarlinSpike supports local preset captures for labs and repeatable field libraries.

## Maintenance

- [Contributing](https://grassmarlin.com/wiki/contributing.md): Keep changes focused, respect data-handling boundaries, and run the local checks before opening a PR.
- [Releases](https://grassmarlin.com/wiki/releases.md): The engine and web UI are versioned separately, with a distinct live-viewer track: recent highlights and the full history location.

## Standards

- [MITRE ATT&CK for ICS](https://attack.mitre.org/matrices/ics/): The threat-modeling matrix MarlinSpike's ATT&CK lens projects findings into. Tactic-grouped technique grid for industrial control systems.
- [IEC 62443](https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards): The industrial security standard MarlinSpike's Stage-4 remediation guidance is framed around: security requirements (SR) for industrial automation and control systems.
- [Purdue Enterprise Reference Architecture](https://www.isa.org/standards-and-publications/isa-standards/isa-95-isa-99): ISA-95 / Purdue zoning model used for topology layout, asset placement, and cross-level communication review.

## Source

- [Source repository](https://github.com/eris-ot/marlinspike): MarlinSpike source tree on GitHub. AGPL-3.0.
- [Release notes](https://github.com/eris-ot/marlinspike/blob/main/releases.md): Engine and web UI release history.
- [INSTALL guide](https://github.com/eris-ot/marlinspike/blob/main/INSTALL.md): Repository-side installation notes for operators.
- [Standalone DPI engine](https://github.com/eris-ot/marlinspike-dpi): Rust DPI substrate, 34 protocol dissectors, Bronze v2 event output.
