Claroty xDome OT Security Lacks Cross-Vendor Fleet-Health

by Nick Clark | Published April 25, 2026

Claroty's xDome platform, the renamed and re-engineered successor to Continuous Threat Detection (CTD), anchors a substantial share of the OT and clinical-device cybersecurity market, with deployments across critical infrastructure, pharmaceutical manufacturing, and hospital networks worldwide. The architectural element missing from its current product surface is cross-vendor, attestable device-integrity health: not network-derived inference about what a PLC or infusion pump is probably doing, but cryptographically grounded evidence about what the device actually is. The Adaptive Query (AQ) health-monitoring primitive described below supplies that evidence.


Vendor and Product Reality

Claroty, headquartered in New York with significant R&D in Tel Aviv, operates xDome (industrial OT), xDome for Healthcare (clinical and biomedical devices), Continuous Threat Detection for the largest legacy ICS environments, and Secure Remote Access (SRA) for vendor and contractor connectivity into operational technology networks. xDome ingests passive network traffic from SPAN ports and packet brokers, parses it with dissectors covering more than 450 OT and IoMT protocols, builds an asset inventory keyed on MAC, IP, vendor, model, and firmware version, and overlays a vulnerability and risk-scoring layer driven by Claroty's Team82 research group.

Customer references span Pfizer, joint deployments with Rockwell Automation and Schneider Electric, large U.S. integrated delivery networks, and several national grid operators. The commercial wedge is asset visibility (security teams that previously could not enumerate what was on their plant or hospital network now have a defensible inventory), extended into vulnerability management, segmentation policy generation, and threat detection. SRA replaces jump-host and VPN-based vendor access with a brokered, session-recorded, just-in-time pathway that has become the de facto standard among customers under NIS2, the TSA pipeline security directives, and FDA premarket cybersecurity guidance.

Architectural Gap

xDome is, fundamentally, a network-observer architecture. Its evidence base is the packet capture: it infers device identity from DHCP fingerprints, MAC OUIs, protocol behavior, and vendor-specific handshakes; it infers device health from network anomalies, baseline deviation, and CVE-to-firmware-version matching. This is a powerful inference layer, but it is inference. The platform cannot ask a Siemens S7 PLC, a GE Mac-Lab hemodynamic monitor, or a Baxter Spectrum infusion pump to attest cryptographically that its firmware has not been tampered with, that its boot chain matches the manufacturer's reference, or that the device responding on a given IP is the same physical unit it was last week.

The gap matters because the threat model has shifted. Volt Typhoon, the 2023-2024 wave of pipeline and water-utility intrusions, and the FDA's increasing premarket scrutiny of medical-device firmware integrity all point to adversaries who operate below the network-anomaly threshold. A compromised PLC executing attacker-supplied logic that mimics legitimate operation will not trigger an xDome alert. A re-flashed pump that passes its self-test but carries modified dosing logic will not register as anomalous on the wire. xDome cannot close this gap from network telemetry alone, and Claroty's own product literature concedes that endpoint-derived attestation is the missing axis.

What the Adaptive Query (AQ) Primitive Provides

The health-monitoring primitive supplies four capabilities aligned with the threat shift. Device-integrity attestation: a stateless protocol by which a device proves to a verifier that its boot chain, firmware hash, and runtime configuration match a known-good reference, without requiring the device to hold long-lived secrets. Two caveats apply to any such scheme. The evidence is only as strong as the root of trust that takes the measurements, so a compromised boot ROM or measurement agent can still report a clean state. And the verifier must bind each report to a nonce it issued, so that a captured good report cannot be replayed later to cover a tampered device. Tamper-evident reporting: any deviation in the attested state, including physical enclosure tamper, debug-port enablement, or unauthorized firmware swap, is surfaced with cryptographic evidence rather than network inference.

PUF challenge-response: device identity is bound to the physically unclonable function characteristics of the device's own silicon, so that even an exact firmware clone on identical hardware fails the challenge, defeating the spoofing class of attacks that network fingerprinting cannot distinguish. In practice this requires an enrolled set of challenge-response pairs held by the verifier, error correction for the noise in raw PUF responses, and single-use challenges so that responses observed on the wire cannot be replayed or used to model the PUF. Zero-trust device management: the substrate refuses to grant any device (PLC, pump, HMI, or remote-access endpoint) implicit trust based on network position, requiring fresh attestation before each privileged interaction. Together these capabilities turn the question "what does this device look like on the wire" into "what is this device, cryptographically, right now."

Composition Pathway

For Claroty, the integration surface is the xDome asset record. Today each asset row carries network-derived attributes; composition with the health-monitoring primitive adds an attestation column whose value is a freshness-stamped cryptographic claim sourced from the device itself or from a co-located attestation appliance. The xDome alerting pipeline can then fire on attestation drift the same way it fires on traffic anomaly, but with materially higher fidelity and a lower false-positive rate, because a failed verification is a definite event rather than a statistical deviation from a baseline. For environments where the device cannot be modified (legacy PLCs, FDA-locked clinical hardware), the primitive composes at the network-tap layer: a co-located attestation appliance runs the PUF-based challenge protocol over the existing maintenance bus. That path covers devices whose silicon already exposes a challenge-response or hardware-identity interface; a device with no hardware root of trust at all cannot be made to attest, and for it the appliance can vouch only for what it observes on the bus, not for the device's own boot chain.

The second composition surface is Secure Remote Access. SRA today authenticates the human operator and records the session; with the primitive composed in, every privileged session is gated on fresh device attestation of the target asset, so a vendor connecting to a substation RTU receives access only if that RTU currently attests as untampered. The third surface is the Team82 vulnerability feed, which today maps CVEs to firmware versions; with attestation in place, the feed maps CVEs to attested-running firmware, eliminating the gap between "patch reportedly applied" and "patched firmware actually executing."
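The verifier side of the attestation and PUF challenge-response described under "What the AQ Primitive Provides", together with the attestation-drift alert on the asset record and the SRA freshness gate from the composition pathway, as an added example in Python. It is not Claroty's code and not the primitive's own protocol: the report layout, the HMAC binding of measurements to the PUF response, the PUF simulated as a per-device lookup table, the five-minute freshness window, and every asset, challenge and measurement value are assumptions constructed for the example. It exercises the cases the text names: a firmware clone on other silicon, a replayed report, and a re-flashed unit on genuine silicon.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def digest(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


@dataclass
class Reference:
    """Verifier-side known-good state for one asset (assumed layout)."""
    boot_chain: list        # expected measurement digests, in boot order
    firmware: str           # expected firmware digest
    crps: dict              # enrolled PUF challenge -> response, each used once


@dataclass
class AssetRecord:
    """An xDome-style asset row with the added attestation column (assumed)."""
    asset_id: str
    reference: Reference
    attested_at: float = 0.0                  # epoch seconds of last good attestation
    alerts: list = field(default_factory=list)


class SimulatedDevice:
    """Stand-in for silicon. A real PUF derives puf[challenge] on demand and
    stores nothing; here it is a constructed table so the example runs anywhere."""
    def __init__(self, puf: dict, boot_chain: list, firmware: str):
        self.puf, self.boot_chain, self.firmware = puf, boot_chain, firmware

    def respond(self, nonce: bytes, challenge: bytes) -> dict:
        key = self.puf[challenge]                 # identity, never held in flash
        return {"boot_chain": list(self.boot_chain), "firmware": self.firmware,
                "mac": hmac.new(key, _payload(nonce, self.boot_chain, self.firmware),
                                hashlib.sha256).hexdigest()}


def _payload(nonce: bytes, boot_chain: list, firmware: str) -> bytes:
    # Nonce first, so a captured report cannot answer a later challenge.
    return nonce + "|".join(boot_chain).encode() + b"|" + firmware.encode()


def issue_challenge(asset: AssetRecord):
    """Fresh nonce plus one enrolled PUF challenge, consumed so it never repeats."""
    chal, expected = asset.reference.crps.popitem()
    return os.urandom(16), chal, expected


def verify(asset: AssetRecord, nonce: bytes, expected: bytes, report: dict, now: float) -> bool:
    """Identity first (MAC under the enrolled PUF response), then integrity
    (measurements against the golden reference). Any failure revokes freshness."""
    ref = asset.reference
    want = hmac.new(expected, _payload(nonce, report["boot_chain"], report["firmware"]),
                    hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, report["mac"]):
        reason = "identity_mismatch"      # clone, spoof, or replayed report
    elif report["boot_chain"] != ref.boot_chain:
        reason = "boot_chain_drift"
    elif report["firmware"] != ref.firmware:
        reason = "firmware_drift"         # re-flashed unit on genuine silicon
    else:
        asset.attested_at = now
        return True
    asset.attested_at = 0.0
    asset.alerts.append((reason, report["firmware"][:12]))
    return False


def may_grant_session(asset: AssetRecord, now: float, max_age_s: float = 300.0) -> bool:
    """SRA gate: privileged access only on a recent successful attestation."""
    return asset.attested_at > 0 and now - asset.attested_at <= max_age_s


def run_scenarios() -> dict:
    """Constructed enrollment data plus the clone, replay and re-flash cases."""
    chain = [digest("bootrom"), digest("bootloader 2.1"), digest("kernel 5.10")]
    fw_ok, fw_bad = digest("fw-1.4.2"), digest("fw-1.4.2-modified-dosing-logic")
    puf = {os.urandom(8): os.urandom(32) for _ in range(4)}     # enrolled at manufacture
    asset = AssetRecord("rtu-substation-07", Reference(chain, fw_ok, dict(puf)))
    genuine = SimulatedDevice(puf, chain, fw_ok)
    clone = SimulatedDevice({c: os.urandom(32) for c in puf}, chain, fw_ok)  # same fw, other silicon
    reflashed = SimulatedDevice(puf, chain, fw_bad)                         # same silicon, swapped fw
    out = {}
    n, c, e = issue_challenge(asset)
    good_report = genuine.respond(n, c)
    out["genuine"] = verify(asset, n, e, good_report, now=1000.0)
    out["session_fresh"] = may_grant_session(asset, now=1100.0)
    out["session_stale"] = may_grant_session(asset, now=5000.0)
    n, c, e = issue_challenge(asset)
    out["clone"] = verify(asset, n, e, clone.respond(n, c), now=1200.0)
    n, c, e = issue_challenge(asset)
    out["replay"] = verify(asset, n, e, good_report, now=1300.0)   # captured report, new nonce
    n, c, e = issue_challenge(asset)
    out["reflashed"] = verify(asset, n, e, reflashed.respond(n, c), now=1400.0)
    out["session_after_drift"] = may_grant_session(asset, now=1401.0)
    out["alerts"] = [reason for reason, _ in asset.alerts]
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The clone and the replay both fail at the identity step, which is the point the text makes about network fingerprinting: on the wire all three devices present the same firmware and the same protocol behaviour, and only the silicon-bound response separates them. The re-flashed unit passes identity and fails integrity, so the alert names the firmware hash rather than a traffic anomaly. A real deployment would also need the helper data and error correction that turn a noisy raw PUF response into a stable key, which the table-based simulation does not model.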

Commercial Implication

Claroty's competitive frontier runs against Dragos, Nozomi Networks, Armis, and Medigate (now part of Claroty itself). All compete on asset visibility and threat detection, all operate from network telemetry, and all share the same architectural ceiling. A Claroty product surface that incorporates cryptographically grounded device-integrity attestation alongside network analytics is a category-defining move: it turns the conversation from "who has the best passive sensor" to "who can produce evidence rather than inference." For customers under NIS2, the FDA's 524B premarket cybersecurity requirements, and the SEC cybersecurity disclosure rules, evidence is increasingly the audit standard.

The hospital and pharma segments, where Claroty has invested heavily through the Medigate acquisition and xDome for Healthcare, are particularly receptive: clinical engineering teams already manage device recalls and firmware updates on a per-unit basis, and an attestation layer slots cleanly into existing biomedical-asset workflows. For OT, the substrate accelerates the path to true zero-trust ICS, a stated goal of CISA's Cross-Sector Cybersecurity Performance Goals (CPGs), which customers must demonstrably progress against.

Licensing Implication

The health-monitoring primitive is available under the Adaptive Query substrate license, structured to permit Claroty integration into xDome, xDome for Healthcare, CTD, and SRA without exclusivity restrictions that would limit Claroty's freedom to operate across its product line. The license model is per-attested-asset rather than per-seat or per-site, aligning Claroty's revenue model with the underlying primitive economics. Because the substrate is post-quantum-by-construction at the attestation layer, adoption also positions Claroty ahead of the CNSA 2.0 migration window that federal and defense-adjacent OT customers will face beginning in 2027, providing a multi-year procurement advantage over competitors still anchored to RSA-based device PKI.
