Cyprobe -- overview
Cyprobe is an open-source OT/SCADA network discovery and posture scanner that powers the operational-technology layer of the Cybrium platform. It ships as a single Rust binary under Apache 2.0 and runs on x86-64 and ARM targets, including hardened gateways commonly deployed at the OT edge.
The Cybrium platform runs this exact binary -- same probes, same output, same exit codes. Anything you see working in cyprobe on a sensor appliance works identically when the platform orchestrates it.
Why it exists
IT and OT networks are converging, but security tooling has not kept up. Traditional vulnerability scanners crash PLCs, miss proprietary protocols, and produce results that OT engineers cannot act on. Cyprobe was built for this gap:
- Passive-first -- default mode is zero-packet observation via port mirroring.
- OT-safe active probing -- rate-limited, protocol-aware queries with explicit confirmation gates.
- Posture rules -- YAML-based checks aligned to IEC 62443 / NIST 800-82.
Supported protocols
| Protocol | Passive fingerprint | Active probe | Port(s) |
|---|---|---|---|
| Modbus TCP | Yes | FC 0x2B Device ID | 502 |
| DNP3 | Yes | Data link status | 20000 |
| S7comm | Yes | SZL request | 102 |
| OPC UA | Yes | GetEndpoints | 4840 |
| BACnet | Yes | Who-Is / Read-Property | 47808 |
| EtherNet/IP | Yes | List Identity | 44818 |
| IEC 104 | Yes | STARTDT | 2404 |
| MQTT | Yes | CONNECT probe | 1883/8883 |
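The "Passive fingerprint" column says each protocol can be recognised from mirrored traffic alone. As an added illustration (not cyprobe's own code; the page does not show its internals), the Rust sketch below classifies a mirrored segment by destination port plus the protocol's own framing bytes, so a well-known port by itself never produces an asset entry. The frame layouts are the public ones for each protocol (MBAP, DNP3 sync bytes, TPKT/COTP/S7, OPC UA binary headers, BVLC, EtherNet/IP encapsulation, IEC 104 APCI, MQTT CONNECT); every sample frame and host address is constructed for the example.

```rust
// Added example, not cyprobe's own code: passive fingerprinting of the eight
// protocols in the table above from a mirrored segment's destination port and
// leading payload bytes. All sample frames here are constructed, not captured.
use std::collections::BTreeMap;
use std::net::Ipv4Addr;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum OtProtocol { ModbusTcp, Dnp3, S7comm, OpcUa, BacnetIp, EtherNetIp, Iec104, Mqtt }

/// What a mirror port yields per segment: the destination and the payload. Nothing is sent.
pub struct Observation<'a> { pub dst: Ipv4Addr, pub dst_port: u16, pub payload: &'a [u8] }

/// MQTT "remaining length" varint (1 to 4 bytes); returns (value, bytes consumed).
fn mqtt_varint(p: &[u8]) -> Option<(usize, usize)> {
    let mut value = 0usize;
    for (i, &b) in p.iter().take(4).enumerate() {
        value |= ((b & 0x7F) as usize) << (7 * i);
        if b & 0x80 == 0 { return Some((value, i + 1)); }
    }
    None
}

/// A well-known port alone never classifies a flow: the payload must also carry
/// the protocol's own framing, so an HTTP request to port 502 is not "Modbus".
pub fn fingerprint(obs: &Observation<'_>) -> Option<OtProtocol> {
    let p = obs.payload;
    match obs.dst_port {
        // MBAP: txn(2) proto(2)=0x0000 length(2) unit(1); length counts unit id + PDU.
        502 => (p.len() >= 8 && p[2..4] == [0, 0]
            && u16::from_be_bytes([p[4], p[5]]) as usize == p.len() - 6)
            .then(|| OtProtocol::ModbusTcp),
        // DNP3 link-layer frames open with the 0x05 0x64 sync bytes (10-byte header).
        20000 => (p.len() >= 10 && p[0] == 0x05 && p[1] == 0x64).then(|| OtProtocol::Dnp3),
        // S7comm: TPKT (03 00 len len) + COTP (length byte at offset 4) + S7 protocol id 0x32.
        102 => (p.len() >= 7 && p[0] == 0x03 && p[1] == 0x00
            && p.get(5 + p[4] as usize) == Some(&0x32))
            .then(|| OtProtocol::S7comm),
        // OPC UA binary: 3-letter message type, then chunk type F (final), C or A (abort).
        4840 => (p.len() >= 8
            && [b"HEL", b"ACK", b"OPN", b"MSG", b"CLO", b"ERR"].iter().any(|t| p.starts_with(*t))
            && matches!(p[3], b'F' | b'C' | b'A'))
            .then(|| OtProtocol::OpcUa),
        // BACnet/IP: BVLC type 0x81 and a BVLC length equal to the whole datagram.
        47808 => (p.len() >= 4 && p[0] == 0x81
            && u16::from_be_bytes([p[2], p[3]]) as usize == p.len())
            .then(|| OtProtocol::BacnetIp),
        // EtherNet/IP encapsulation: 24-byte header whose little-endian command is known.
        44818 => (p.len() >= 24 && matches!(u16::from_le_bytes([p[0], p[1]]),
            0x0004 | 0x0063 | 0x0064 | 0x0065 | 0x0066 | 0x006F | 0x0070))
            .then(|| OtProtocol::EtherNetIp),
        // IEC 104 APCI: start byte 0x68 and an APDU length covering the rest of the frame.
        2404 => (p.len() >= 6 && p[0] == 0x68 && p[1] as usize == p.len() - 2)
            .then(|| OtProtocol::Iec104),
        // MQTT CONNECT: packet type 0x10, varint length, then protocol name "MQTT" or "MQIsdp".
        1883 | 8883 => (p.first() == Some(&0x10)
            && mqtt_varint(&p[1..]).map_or(false, |(len, n)| {
                let body = &p[1 + n..];
                body.len() == len
                    && (body.starts_with(b"\x00\x04MQTT") || body.starts_with(b"\x00\x06MQIsdp"))
            }))
            .then(|| OtProtocol::Mqtt),
        _ => None,
    }
}

/// Asset inventory keyed by (device, port); a later observation of the same key wins.
pub fn build_inventory(observations: &[Observation<'_>]) -> BTreeMap<(Ipv4Addr, u16), OtProtocol> {
    let mut inventory = BTreeMap::new();
    for obs in observations {
        if let Some(proto) = fingerprint(obs) {
            inventory.insert((obs.dst, obs.dst_port), proto);
        }
    }
    inventory
}

/// Constructed sample traffic (not a capture): one valid frame per protocol plus an HTTP
/// request aimed at port 502 that a port-only heuristic would misfile as Modbus.
pub fn sample_observations() -> Vec<Observation<'static>> {
    const MODBUS: &[u8] = &[0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03, 0x00, 0x00, 0x00, 0x0A];
    const DNP3: &[u8] = &[0x05, 0x64, 0x05, 0xC9, 0x01, 0x00, 0x02, 0x00, 0x3D, 0x84];
    const S7: &[u8] = &[0x03, 0x00, 0x00, 0x19, 0x02, 0xF0, 0x80, 0x32, 0x01, 0x00, 0x00, 0x00, 0x01,
        0x00, 0x08, 0x00, 0x00, 0xF0, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0xE0];
    const OPCUA: &[u8] = b"HELF\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
    const BACNET: &[u8] = &[0x81, 0x0B, 0x00, 0x0C, 0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF, 0x10, 0x08];
    const ENIP: &[u8] = &[0x63, 0x00, 0x00, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
    const IEC104: &[u8] = &[0x68, 0x04, 0x07, 0x00, 0x00, 0x00];
    const MQTT: &[u8] = &[0x10, 0x0C, 0x00, 0x04, b'M', b'Q', b'T', b'T', 0x04, 0x02, 0x00, 0x3C, 0x00, 0x00];
    const HTTP: &[u8] = b"GET / HTTP/1.1\r\n";
    fn obs(last: u8, dst_port: u16, payload: &'static [u8]) -> Observation<'static> {
        Observation { dst: Ipv4Addr::new(10, 0, 0, last), dst_port, payload }
    }
    vec![
        obs(11, 502, MODBUS), obs(12, 20000, DNP3), obs(13, 102, S7), obs(14, 4840, OPCUA),
        obs(15, 47808, BACNET), obs(16, 44818, ENIP), obs(17, 2404, IEC104), obs(18, 1883, MQTT),
        obs(99, 502, HTTP),
    ]
}
```

The checks are intentionally strict on length fields (MBAP length, BVLC length, IEC 104 APDU length, MQTT remaining length) so that a single segment cannot be misfiled on port alone; a real sensor would additionally track both directions of a flow before committing an entry to the inventory.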
What it does
| Capability | Details |
|---|---|
| Passive discovery | Sniffs mirrored traffic, fingerprints OT protocols, builds an asset inventory with no packets sent. |
| Active probing | Sends safe, protocol-native queries to enumerate device identity, firmware, and configuration. Gated behind --active-confirm. |
| Posture assessment | Evaluates discovered assets against YAML rules (PeriDex schema). Ships 10 seed rules covering authentication, encryption, firmware age, and network segmentation. |
| Output | SARIF 2.1.0, JSON, human-readable text -- same formats as cyscan for unified pipeline processing. |
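The "Active probing" row says identity queries are protocol-native and gated behind --active-confirm, and the overview above adds that they are rate-limited. As a second added example (again not cyprobe's own code), here is the Modbus TCP side of that: building the Read Device Identification request (FC 0x2B, MEI type 0x0E) listed in the protocol table, parsing the reply into vendor, product and revision strings, and issuing the request only through a gate that enforces an explicit opt-in and a minimum spacing between queries. Frame layout, object ids and exception encoding follow the public Modbus Application Protocol specification; the ProbeGate type and its interface are this example's own invention, and the vendor strings in the sample response are constructed.

```rust
// Added example, not cyprobe's own code: the Modbus TCP Read Device Identification
// exchange (FC 0x2B, MEI type 0x0E) behind an opt-in, rate-limited gate. The gate
// type is hypothetical; the sample response at the bottom is constructed.
pub const FC_ENCAP_INTERFACE: u8 = 0x2B;
pub const MEI_READ_DEVICE_ID: u8 = 0x0E;
pub const READ_DEVICE_ID_BASIC: u8 = 0x01; // basic stream: VendorName, ProductCode, MajorMinorRevision

/// MBAP header + PDU for a Read Device Identification request starting at `object_id`.
pub fn build_read_device_id(txn: u16, unit: u8, read_code: u8, object_id: u8) -> Vec<u8> {
    let pdu = [FC_ENCAP_INTERFACE, MEI_READ_DEVICE_ID, read_code, object_id];
    let mut frame = Vec::with_capacity(7 + pdu.len());
    frame.extend_from_slice(&txn.to_be_bytes());
    frame.extend_from_slice(&[0x00, 0x00]);                            // protocol id: Modbus
    frame.extend_from_slice(&((1 + pdu.len()) as u16).to_be_bytes());  // length: unit id + PDU
    frame.push(unit);
    frame.extend_from_slice(&pdu);
    frame
}

#[derive(Debug, Default, PartialEq, Eq)]
pub struct DeviceIdentity {
    pub vendor_name: Option<String>,
    pub product_code: Option<String>,
    pub revision: Option<String>,
    pub more_follows: bool,
    pub next_object_id: u8,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError { Truncated, BadHeader, TxnMismatch, Exception(u8), UnexpectedFunction(u8) }

/// Parse a response, checking it against the transaction id we sent. Every length
/// field is validated before it is used, since replies come from untrusted devices.
pub fn parse_read_device_id(frame: &[u8], expected_txn: u16) -> Result<DeviceIdentity, ParseError> {
    use ParseError::*;
    if frame.len() < 9 { return Err(Truncated); }
    if u16::from_be_bytes([frame[0], frame[1]]) != expected_txn { return Err(TxnMismatch); }
    let declared = u16::from_be_bytes([frame[4], frame[5]]) as usize;
    if frame[2..4] != [0, 0] || frame.len() != 6 + declared { return Err(BadHeader); }
    let pdu = &frame[7..];
    match pdu[0] {
        FC_ENCAP_INTERFACE => {}
        f if f == FC_ENCAP_INTERFACE | 0x80 => return Err(Exception(pdu[1])), // exception response
        f => return Err(UnexpectedFunction(f)),
    }
    if pdu.len() < 7 || pdu[1] != MEI_READ_DEVICE_ID { return Err(BadHeader); }
    // pdu[2] read code, pdu[3] conformity level, pdu[4] more follows, pdu[5] next id, pdu[6] count
    let mut id = DeviceIdentity { more_follows: pdu[4] == 0xFF, next_object_id: pdu[5], ..Default::default() };
    let mut pos = 7;
    for _ in 0..pdu[6] {
        let (&obj_id, &obj_len) = (pdu.get(pos).ok_or(Truncated)?, pdu.get(pos + 1).ok_or(Truncated)?);
        let value = pdu.get(pos + 2..pos + 2 + obj_len as usize).ok_or(Truncated)?;
        let text = String::from_utf8_lossy(value).into_owned();
        match obj_id {
            0x00 => id.vendor_name = Some(text),
            0x01 => id.product_code = Some(text),
            0x02 => id.revision = Some(text),
            _ => {} // extended or device-specific objects are ignored here
        }
        pos += 2 + obj_len as usize;
    }
    Ok(id)
}

/// Hypothetical gate mirroring the two safety properties described above: active
/// probing stays off unless explicitly confirmed, and queries to a device are spaced out.
pub struct ProbeGate { active_confirmed: bool, min_spacing_ms: u64, last_sent_ms: Option<u64> }

impl ProbeGate {
    pub fn new(active_confirmed: bool, min_spacing_ms: u64) -> Self {
        ProbeGate { active_confirmed, min_spacing_ms, last_sent_ms: None }
    }
    /// Returns the request frame to send, or the reason it was withheld.
    pub fn try_issue(&mut self, now_ms: u64, txn: u16, unit: u8) -> Result<Vec<u8>, &'static str> {
        if !self.active_confirmed { return Err("active probing not confirmed; staying passive"); }
        if let Some(last) = self.last_sent_ms {
            if now_ms.saturating_sub(last) < self.min_spacing_ms { return Err("rate limit: too soon after last probe"); }
        }
        self.last_sent_ms = Some(now_ms);
        Ok(build_read_device_id(txn, unit, READ_DEVICE_ID_BASIC, 0x00))
    }
}

/// Constructed sample response (not captured from any device) to txn 0x0001, unit 1,
/// carrying the three basic-stream objects with made-up values.
pub fn sample_response() -> Vec<u8> {
    let mut pdu = vec![FC_ENCAP_INTERFACE, MEI_READ_DEVICE_ID, READ_DEVICE_ID_BASIC, 0x01, 0x00, 0x00, 0x03];
    for (obj_id, value) in [(0x00u8, "ExampleCo"), (0x01, "PLC-1000"), (0x02, "v1.2.3")] {
        pdu.push(obj_id);
        pdu.push(value.len() as u8);
        pdu.extend_from_slice(value.as_bytes());
    }
    let mut frame = vec![0x00, 0x01, 0x00, 0x00];
    frame.extend_from_slice(&((1 + pdu.len()) as u16).to_be_bytes());
    frame.push(0x01);
    frame.extend(pdu);
    frame
}
```

The parser treats the reply as untrusted input: it rejects a mismatched transaction id, a length field that disagrees with the frame, and any object whose declared length runs past the PDU, and it surfaces a Modbus exception response as a typed error rather than as an empty identity. When more_follows is set, the next request would start at next_object_id, still passing through the same gate.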
What it doesn't do
Cyprobe is deliberately local and read-only:
- No exploitation, no fuzzing, no firmware modification.
- No cloud connectivity in the binary itself -- cyprobe upload is a separate subcommand that pushes results over HTTPS.
- No proprietary protocol decoding beyond the eight listed above (yet).
- No real-time alerting -- the platform adds that on top.
When to use cyprobe alone vs. the platform
| Situation | Reach for |
|---|---|
| One-off OT asset inventory on an air-gapped network | cyprobe alone |
| Continuous passive monitoring at a single plant | cyprobe alone |
| Unified IT + OT + cloud asset graph with drift detection | Cybrium platform |
| Compliance evidence for IEC 62443 / NERC CIP | Cybrium platform |
| Correlating OT exposures with cloud misconfigs | Cybrium platform |
Source
- Repo: github.com/cybrium-ai/cyprobe
- License: Apache 2.0
- Current release: v0.1.0