1. Introduction
Operational Technology (OT) - the systems controlling manufacturing, energy, utilities, and critical infrastructure - has historically relied on isolated infrastructure, often on unsecured networks (IoT, edge, etc.). Today, digitalization and cloud integration have exposed OT to unprecedented cyber threats. Unlike IT breaches that compromise data, OT attacks can cause physical harm, disrupt essential services, and threaten the normal course of business for enterprises. Regulatory mandates - e.g NIS2 (Network and Information Security 2)/CRA (Cyber Resilience Act) in Europe / CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) in the US, etc. - are forcing operators to modernize security, yet traditional IT security tools often fail in OT's safety-critical environments, given lack of integration and limited reach to many physical assets. Operators need to look for more OT solutions at scale.
Artificial Intelligence is transforming this landscape. Capabilities such as AI-driven anomaly detection, behavioural analytics, and risk prioritization enable OT operators to shift from reactive, rule-based security to adaptive systems that learn normal operations in real time and accurately flag genuine threats. Machine learning models can predict component failures, prioritize vulnerabilities by business context, and detect coordinated attacks that legacy tools miss.
AI adoption in OT security is still at an early stage. NVIDIA has made a strong infrastructure push in OT with the NVIDIA Bluefield in Q1 2026 and is bringing partners to integrate at the enterprise level. This advancement in the hardware infrastructure layer will enable OT application software startups to thrive by materially reducing the barriers to entry.
2. Market Trends
The Global OT security market is estimated at $20-30B in 2025 (scope varies by inclusion of services and IoT) and growing at 14–18% CAGR through 2030. OT security is at a regulatory and architectural inflection point, driven by 5 key trends:
- AI threats have accelerated risk of OT security breaches - requiring AI-native OT solutions:
- AI-powered reconnaissance and exploit generation has collapsed the skill barrier for ICS (industrial control system) attacks
- AI is simultaneously the offensive multiplier and the only economically viable defensive response, because human-scaled cybersecurity operations cannot keep pace with AI-accelerated adversary tooling
- Regulation has expanded the addressable market - dramatically:
- Current NIS2 regulation covers ~160k critical-infrastructure operators across the EU with fines up to €10M / 2% of global revenue if not compliant; first systematic audits begin in H2 2026
- The new Cyber Resilience Act (CRA) in Europe, however, is expanding the scope of devices covered, driving the step change (full conformity by December 2027 and penalties of €15M / 2.5% of global revenue if not compliant). CRA's obligated universe likely runs into the hundreds of thousands of companies (several times larger than the scope of NIS2)
- Most have no SBOM (Software Bill of Materials), no PSIRT (Product Security Incident Response Team), and no vulnerability disclosure programs today
- This is net-new spend, leading to more budget creation at scale, rather than wallet reallocation
- Threat escalation has made the budget defensible:
- Manufacturing ransomware is up 56% YoY in 2025 (1,466 incidents per Check Point), and an estimated 80% of European manufacturers run OT with known unpatched vulnerabilities
- Groups such as Volt Typhoon (a Chinese state-sponsored hacking group pre-positioned inside Western critical infrastructure since 2021) are taking advantage of this, escalating the potential threat, shifting the conversation from theoretical to actual risk
- IT/OT convergence has shifted the buyer persona:
- 52% of organisations now place OT security under the CISO (vs. 16% in 2022) - though plant managers and COOs retain a veto on anything that touches uptime
- As a result, the OT security buyer increasingly resembles to an IT security buyer
- The downside is that the CISO tends to look at OT through an IT lens, whilst physical assets need to be assessed from an operational standpoint. Hence, it is important to keep C-Levels leading operations in the decision making process
- Launch of NVIDIA BlueField lowers barriers to entry for startups:
- The BlueField DPU is a specialised processor that sits in the network rather than on the industrial equipment itself
- Industrial equipment usually runs old, closed software that can't be updated or have new security tools added to it - so the security has to sit in the network instead. A "smart NIC" is the standard network card that just speeds traffic up and does little else. A DPU is the next step up - a small computer in its own right - so it can run security software itself, inspecting the traffic flowing past and protecting the equipment without anything being installed on the machines
- From there, it can monitor activity, inspect the data flowing across the network, and isolate different parts of the network from each other - all without installing any software on the machines it protects
- This is key as legacy OT equipment often can't accept new software: doing so risks unplanned downtime, can void the manufacturer's warranty, and it is sometimes not even technically possible
- By working at the network layer instead, BlueField removes the objection that has long blocked OT security projects: no software to install, no production shutdowns, no warranty risk.
- BlueField is to OT startups what AWS / GPU clusters were to generative AI in 2022–24
- BlueField gives its users
- Edge compute for local inference
- An agentless deployment model that clears procurement hurdles
- Distribution rails via NVIDIA's partner ecosystem and Siemens' OEM channel
- The BlueField DPU is a specialised processor that sits in the network rather than on the industrial equipment itself
3. Investment Themes
The themes below follow the process required to secure OT, whilst looking at how AI is changing these categories and how some verticals may be emerging as a result of the AI acceleration.
3a. Visibility & Access
Visibility & Access encompasses the foundational security controls required to establish baseline security posture in OT environments. Visibility covers the discovery, inventory, and continuous monitoring of all OT assets across networks - from industrial control systems in a production centre to field devices and interconnected systems in an oil rig, for instance. Access focuses on controlling and authenticating who can interact with these systems, including operator authentication, third-party access management, and privileged access controls. Together, these domains answer critical questions: What systems do we have? Who has access to them? What are they doing? Without visibility and access controls, the security foundation is broken, and subsequent detection and response capabilities become ineffective.
Most OT operators lack comprehensive asset inventory, with legacy devices and new IoT additions often remaining invisible to security teams, making the overall environment increasingly chaotic. Traditional IT discovery tools fail in OT contexts because they generate false positives (flagging daily routines as threats) or miss OT-specific protocols. Access controls remain fragmented, with little visibility into who has access to what - default passwords persist, service accounts have excessive privileges, and third-party vendor access is often poorly managed. The result is a fundamental blind spot: organisations cannot answer basic questions about their asset footprint, and attackers have numerous pathways into critical systems becoming more and more connected.
AI is reshaping this landscape by enabling intelligent, non-disruptive asset discovery through passive fingerprinting and behavioural pattern recognition, automatically classifying devices based on network signatures without operational disruption. Machine learning models are learning normal access patterns and flagging deviations in real-time, detecting insider threats and compromised accounts that traditional access logs cannot surface. AI-driven risk-based access management dynamically adjusts authentication requirements based on context, balancing security with operational availability. This makes it possible to operate security at scale on a fully visible OT infrastructure.
3b. Detection & Response
Detection & Response covers the continuous monitoring, anomaly detection and incident response stack that sits above the asset-visibility layer.
Historically, this layer has been built around passive network taps and rule-based detection - high in false positives and dependent on signature feeds. Crucially, this has been an almost entirely manual process on the response side because the cost of mis-action in OT is too high to delegate to a deterministic system - given this would potentially stop a production line or halt an industrial process.
The result is a familiar pattern: large CapEx deployments, alert fatigue, and underutilized platforms supervised by stretched analysts who default to ignoring 80% of what the tool generates.
AI is fundamentally reshaping this segment of the OT market with 3 tiers of AI capabilities:
- Detection - table stakes:
- Behavioural anomaly models trained per-asset and per-protocol, meaningfully reduce false-positive rates and surface novel attacks that signatures miss
- These capabilities have already been retrofitted into every incumbent platform (Claroty, Dragos, Nozomi, Armis). There is no defensible moat at this layer
- Triage - differentiated for now:
- LLM-assisted investigation already cuts junior SOC analyst time by 60–80% in early deployments
- Frenos and N2K's recent partnership - pitched as the first AI-native OT security posture management platform with industry-validated intelligence - is illustrative of the broader pattern
- But the lead is already eroding. Copilots, plant-context reasoning, and automatic threat-intel enrichment are being replicated fast by incumbents that are bolting them onto legacy platforms (e.g. Nozomi AI platform, Vantage IQ)- so what differentiated a vendor in 2025 is becoming baseline buyer expectation
- Response - leading edge:
- Agentic systems that triage and prioritise resolutions to potential threats, contextualised to the specific context of an industrial site
- Today, this is still mostly human-in-the-loop, but increasingly executing pre-approved playbooks autonomously where the operational risk envelope is well understood
- The unlock is structural step change in TAM: agentic response drives ROI and enables broader security coverage with lower headcount, and critically expands the addressable market into the long tail of Tier 2/3 manufacturers and utilities that have historically been unable to afford either an OT security platform or a dedicated security team
Detection and triage are commoditising fast into incumbent platforms (Claroty, Dragos, Nozomi, Armis) with no defensible position for new entrants. The opportunity sits in agentic response: AI-native from day one, with digital-twin simulation, plant-context reasoning, and autonomous playbook execution as core capabilities - an architecture incumbents will likely have to acquire rather than build. In addition, agentic SOC response for OT threats will drive a step-change expansion of the addressable market into the Tier 2/3 long tail that has never been able to afford OT security at all. There are few OT-native pure-plays today; the universe is US-tilted and largely at seed stage.
3c. Compliance & Resilience
Compliance & Resilience encompasses the regulatory frameworks, governance structures, and operational continuity measures that enable OT operators to meet evolving mandates while maintaining business continuity during security incidents. Compliance covers adherence to standards such as NIS2/CRA (EU), CIRCIA guidelines (US), and industry-specific regulations that increasingly mandate cybersecurity controls for critical infrastructure. Resilience focuses on the ability to predict, prevent, and recover from disruptions - both through predictive maintenance that prevents unplanned downtime and through disaster recovery and incident response capabilities that enable operations to continue or quickly restore service after compromise. Together, these domains address a fundamental challenge: OT operators must simultaneously satisfy regulatory requirements, minimize operational risk, and maintain the availability that critical infrastructure demands. The regulatory environment is tightening globally, with enforcement accelerating and penalties for non-compliance rising. Yet most OT operators struggle to map their current security posture against regulatory requirements, identify compliance gaps, and demonstrate continuous compliance at scale.
Beyond infrastructure compliance, a critical and emerging segment addresses the compliance of the products and software themselves that operate within OT environments. As industrial software becomes increasingly interconnected and cloud-enabled, regulators and customers demand evidence that the products embedded in critical infrastructure meet security and safety standards. Companies like Certivity and Flinn provide solutions that help software vendors, system integrators, and OT equipment manufacturers demonstrate that their products comply with security standards as well. These solutions address a distinct pain point: product compliance automation, secure software development lifecycle (SSDLC) verification, and bill-of-materials transparency. OT operators increasingly require vendors to prove their products are secure before integration, creating a downstream compliance demand that software and hardware vendors must satisfy. This represents a significant market opportunity for companies enabling vendors to streamline compliance documentation, automate security testing, and maintain compliance evidence throughout the product lifecycle.
AI is transforming both infrastructure and product compliance by automating the labour-intensive work of gap assessment, evidence collection, and audit preparation. Machine learning models can analyse OT environments against regulatory frameworks, identifying which controls are missing, which are partially implemented, and which require strengthening - generating compliance roadmaps tailored to each organization's specific context and risk profile. For product compliance, AI can accelerate security assessment by automating vulnerability scanning, threat modelling, and compliance mapping against multiple standards simultaneously. Predictive maintenance powered by AI reduces unplanned downtime by forecasting component failures weeks in advance, as seen with companies like Stratio, directly supporting operational resilience. Behavioural analytics can predict which systems are most vulnerable to disruption, allowing operators to proactively harden defences. For compliance teams, this translates to continuous, automated evidence collection that keeps organisations audit-ready.
The Compliance & Resilience segment presents a compelling investment thesis driven by regulatory acceleration and high organizational urgency. The go-to-market is favourable - compliance is a forcing function for spending, regulatory deadlines create urgency, and customers often expand from compliance tools into broader security platforms. AI adoption here is also still early, as most AI use cases are being deployed for Detection & Response. We see more developments in how ensuring products remain compliant vs how the infrastructure would remain compliant. The latter has obviously a much broader scope.
3d. Physical AI & Robotics Security
Physical AI security covers the protection of intelligent robotic systems (industrial arms, humanoids, autonomous vehicles, drones, etc.), the cloud and edge infrastructure on which they run inference and orchestration, and the AI models embedded inside them.
The category is structurally early given that the deployment of robotics has yet to reach scale (though likely to accelerate over the next 5 years). Incumbent providers Claroty, Nozomi, Dragos, Armis are extending coverage without shipping robot-native capability and there are very few robotics OT security focused players in the market.
The breadth of potential attack vectors and required defences are still unclear. However, several failure modes have already emerged:
- Adversarial attacks on the robot's perception and decision-making:
- A robot can be deliberately tricked into misreading its environment - through fake sensor signals, doctored images designed to fool its vision system, or hidden malicious instructions slipped into the text its AI reasoning relies on. Unlike a conventional cyberattack, where the worst outcome is stolen data, fooling a robot makes it physically act on a false picture of the world - so the safety consequences are far more serious
- Unlike traditional OT, the attack vector targets the AI itself, not the network or the controller
- These risks are not hypothetical. In 2024, University of Pennsylvania researchers (the "RoboPAIR" study) jailbroke LLM-controlled robots - including a Unitree robot dog and an NVIDIA self-driving model - into executing dangerous physical actions such as pedestrian-collision and bomb-delivery scenarios, often at a 100% success rate.
- Increased complexity of OT network:
- The increased rollout of both IoT & Physical AI solutions is expected to significantly increase the number of endpoints that require monitoring
- Even within this, each robot is made up of several components (control software, on-board AI, cloud connections), with each one needing to be separately secured to prevent false commands from entering the system
- Furthermore, this is compounded by the same fleet-management cloud orchestrating all units, whether it is 50 or 5,000, - as such a single compromised robot can be a pivot point used to compromise all of them
- There have already been early examples of this. In 2025, the "UniPwn" exploit revealed a wireless flaw across Unitree's robotic lines that enabled a single compromised robot to infect every other unit in range, forming a self-spreading robot botnet
- Existing pre-AI OT cyber stack wasn't designed to monitor cross-fleet movement at this scale or speed and is expected to fail under this load
- The increased rollout of both IoT & Physical AI solutions is expected to significantly increase the number of endpoints that require monitoring
- Existing tools are not designed to monitor physical AI / robotics activity:
- The leading OT security tools (Claroty, Nozomi, Dragos, Armis) were built to communicate with factory equipment software and monitor these systems. Robots speak a different set of languages, and today's tools largely cannot interpret them - meaning suspicious behaviour goes undetected
- This is especially important for robots that are designed to move, whereby the consequences of a breach are far greater both for uptime and physical safety
- Model and software supply chain risk:
- The physical AI foundation model (often running locally on device at the edge) is built, trained, and shipped through a long chain of suppliers - and at any point along that chain it can be tampered with before it reaches the robot
- Unlike traditional software, there is no widely-adopted way to verify that the model running on a deployed robot is the exact, untampered version the manufacturer intended
- Upcoming EU regulation (the Cyber Resilience Act) will eventually require manufacturers to prove the integrity of what they ship, but the tools to actually do this for AI models are years behind the regulation
3e. Supply Chain Security
Supply chain security in OT covers three structurally different surfaces: the software shipped into the environment (firmware, embedded code), the hardware itself (components, boards, integrity), and the people and systems with privileged access to the plant (vendors, integrators, MSSPs). Each is a separate category with different buyers, incumbents, regulatory drivers, and stage profiles.
- Software inside the plant:
- Industrial firmware rarely ships with source code, so traditional CVE-matching (Common Vulnerabilities and Exposures - industry-standard public catalogue of known security flaws) tools miss most real vulnerabilities
- Currently defenders have to reverse-engineer the binary code to see what potential security flaws exist
- AI-driven binary analysis is the biggest unlock: early deployments cut false positives by 60%+ versus CVE-only approaches, with measurable customer-side ROI
- The CRA's September 2026 deadline (manufacturers must publish a software bill of materials and prove they fix vulnerabilities, or lose EU market access) makes this the most urgent of the three buyer mandates
- Hardware integrity:
- Hardware integrity is the assurance that a physical device - a server, an industrial controller, a robot - is genuinely what it claims to be, all the way down: the right chips, unmodified low-level firmware, no hidden implants
- It matters because this layer sits beneath the operating system, so it loads before any antivirus or monitoring tool is even running. Anything compromised here is effectively invisible to conventional security
- There are two primary threat surfaces: firmware tampering (malicious modification beneath the OS) and chip provenance / substitution risk (counterfeit or swapped components). Together they widen the "trust gap" - the distance between what a buyer assumes they own and what they can actually verify
- Whitespace is narrower here. ****This is technical, specialised territory, and US incumbents - Eclypsium most notably - already cover the core ground at scale, leaving less room for new entrants than in the other two themes
- Hardware integrity is the assurance that a physical device - a server, an industrial controller, a robot - is genuinely what it claims to be, all the way down: the right chips, unmodified low-level firmware, no hidden implants
- Vendor and remote access risk:
- The leading entry point for OT breaches is remote vendor, integrator, or MSP (Managed Service Provider) access - not the plant directly. Because these providers hold privileged, persistent connections into many sites at once, one compromised vendor becomes a fleet-wide incident across hundreds of customer sites (Dragos, 2026; Ponemon/Imprivata, 2025)
- The need: continuous checks on who can connect, with what software, against which compliance baseline (NIS2, CRA, etc.) - not a one-time onboarding check
- Existing remote-access tools (Claroty xDome Secure Access, Cyolo, Dispel) were built for human users, not for the automated software-to-software access patterns becoming standard in physical AI environments - the architectural mismatch is creating fresh white space.
Supply Chain Security is the most commercially urgent of these themes, anchored by the CRA September 2026 deadline - yet pure-play OT-focused startups remain scarce. Software inside the plant has the clearest buyer mandate but is dominated by US-tilted firmware analysis players, with limited European pure-plays at Series A-C maturity; hardware integrity is structurally unattractive, with the category leader (Eclypsium) past stage and no credible challenger below it; vendor and remote access is bifurcating between hardware isolation (Zeroport) and AI-native non-human identity (Riptides), but neither is yet OT-native at scale. Forestay will track the space closely and source opportunistically, but not commit thesis-led capital until clearer European pure-plays emerge.
4. Market Map by Investment Themes
Visibility & Access
Detection & Response
Compliance & Resilience
Physical AI & Robotics Security
Supply Chain Security
5. Conclusion
OT security is entering a new phase. Digitalization, cloud connectivity, AI-enabled threats, and tightening regulation are forcing operators to modernize environments that were never designed for today’s cyber-physical risk landscape. The consequences of failure now extend beyond data loss into production downtime, safety incidents, and disruption of critical infrastructure, making OT security a board-level priority across manufacturing, energy, utilities, transport, and other industrial sectors.
AI will increasingly reshape both sides of this market. Attackers are using AI to accelerate reconnaissance and exploitation, while defenders are beginning to apply AI to asset visibility, anomaly detection, vulnerability prioritization, compliance automation, predictive resilience, and eventually autonomous response. At the same time, new infrastructure such as edge compute and network-layer deployment models is reducing historical adoption barriers by enabling more agentless, non-disruptive security architectures.
The most important opportunities are likely to emerge where legacy OT tools are structurally weakest: AI-native response, continuous compliance, software and firmware supply chain assurance, and the security of physical AI systems such as robots, autonomous equipment, and edge-deployed models. While the market remains early and fragmented, the direction is clear: OT security is moving from passive monitoring and manual remediation toward intelligent, context-aware systems capable of protecting complex industrial environments at scale.
%20Research%20page%20(3)%20(1).png)




