# Your OT network doesn't need another sensor. Your assets need an identity they can prove.

Visibility appliances stack up — each one another passive sensor, and none of them stops a valid-looking command from anywhere with reachability, or a remote-access session that rotates across three clouds. Whisper isn't another console. It's one primitive — the address is the identity — expressed as three planes that plug into the IEC 62443 program and the OT stack you already run.

Derive an asset's identity once from the key already behind its OPC UA `ApplicationUri`; verify it anywhere with `dig`. That one primitive becomes three planes — identity, an attribution graph that survives IP rotation, and MUD-grade egress governance — standing on real routable space at AS219419, anchored at the IANA root. Our API is never in the trust path.

> `whisper verify --trustless` — anchored at the IANA DNS root. Our own API is not in the trust path.

## Everything below derives from one line: the address is the identity.

A routable IPv6 `/128` out of `2a04:2a01::/32` (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with `dig`.

OT's core problem is not a missing patch — it is a missing identity. On the plant floor a device cannot prove who it is, and a controller cannot verify what it is told; the network trusts an IP and a topology, so a valid-looking command from anywhere with reachability is obeyed as if it came from the operator. Most OT security tooling starts from that same observation — a packet, a session, a source IP — and tries to infer who is behind it. Whisper starts from the other end: it gives the asset an identity that is its address, cryptographically bound to a key the asset already holds, and publicly verifiable without trusting the issuer. Point it at a PLC, an OPC UA server, a protocol gateway, or an AI agent, and the question "who is this?" stops being an inference and becomes a fact anyone can check. Three products fall out of that one primitive — not three integrations you wire together, three faces of the same address.

## One address, three jobs: who is this asset, who's really behind that connection, and what may it talk to.

Identity answers *who is this asset, provably*. The attribution graph answers *who's really behind a remote-access session that rotates*. Egress governance answers *what may this asset talk to*. Each plane is useful alone; together they neutralize the access → convergence-bridge → flat-network → attribution stages that the 2023–25 wave of opportunistic OT compromise leaned on.

```
Identity           who is this asset, provably              asset /128 · DNSSEC · DANE-EE · OPC UA ApplicationUri
Attribution graph  who's really behind this                 identify · origins · walk · history · watch · Cypher
Egress governance  what may this asset talk to              policy · firewall · budget · lookups · revoke — default-deny
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────
                   THE ADDRESS IS THE IDENTITY              AS219419 · 2a04:2a01::/32
```

## Plane 1 — An asset identity anyone can verify — not a private TrustList only your site can read.

This is the plane that closes OT's missing-identity gap: convert "trusted because it's on the segment / owns an IP" into "trusted because it proved its key." Bind authority to the asset, not to network position.

Point the primitive at assets. OPC UA already does key-derived naming — the `ApplicationInstanceCertificate` SAN "shall include a uniformResourceIdentifier equal to the `applicationUri`," exactly one URI, and a session *fails* with `BadCertificateUriInvalid` if the two disagree. Whisper derives each asset's `/128` from the public key behind that certificate — or an IEEE 802.1AR IDevID, a TPM, or a secure element — with the ApplicationUri or asset serial as the domain separator. The private key never leaves the asset; the address is a one-way function of its public half and that identifier. And for the identity-less legacy floor — a dumb Modbus PLC behind a gateway, a device that has no identity at all — the gateway's key plus the PLC's serial gives it a routable, verifiable `/128`, a PTR and an RDAP object for the first time.

```
OPC UA cert / IDevID key    ──public key + URI──▶   /128                    ──DNSSEC + DANE-EE──▶   a name anyone can verify
ApplicationUri in the SAN                           2a04:2a01:4840::a55e                            whisper verify --trustless
(private key stays on-chip)                         routable identity                               op:revoke → gone worldwide
                                                                                                     at DNS-TTL, cross-org
```

**"OPC UA already binds a globally-unique ApplicationUri into every asset's certificate. Why isn't that enough?"**
Because it lives in a private, per-site TrustList and can't be revoked anywhere but locally. OPC UA's own security model *discourages commercial CAs* — trust is a local TrustList or a per-site CA — so no outside party (an integrator, an insurer, a regulator, a peer operator across a conduit) can verify it, and a revocation is a CRL edit invisible cross-org. Whisper keeps the key-derived ApplicationUri and makes it publicly verifiable, addressable, and revocable at DNS-TTL — without a commercial CA, and without anyone joining your platform.

**A per-identity CA, not a shared root.** Each /128 carries its own leaf, deterministically derived and DANE-EE `3 1 1` pinned — one key per asset, per PLC, per agent. There is no issuing intermediate whose compromise mints look-alikes, and no shared secret an attacker steals once to forge the plant. Compromise one asset and you've compromised *that asset* — the single-CA-breach failure mode is structurally removed, not managed by policy.

**The ApplicationUri is the public index — the /128 is its cryptographic counterpart.** The ApplicationUri flows through every OPC UA session and every discovery response; useful for interoperability, but it is not a secret. The /128 is bound to the device's key *and* that identifier, so the identifier alone yields nothing: you cannot go ApplicationUri → /128 without the key, there is no enumerable directory, and RDAP/reverse-DNS return the registry object, never the asset's whereabouts. Because the derivation is tenant-bound, the same asset under the owner and under an integrator yields two unrelated /128s — no one can link a unit across organizations.

**Even the insecure-by-design floor gets an identity.** Modbus/TCP, DNP3 base, EtherNet/IP CIP and PROFINET ship with no device identity — any IP that reaches them is obeyed. A per-asset /128 overlay, keyed from a gateway's own key, gives even a legacy PLC a verifiable network identity, PTR and RDAP object it never had. *Honest scope:* this changes **who may reach and speak to** the device across the network — it does **not** add authentication to Modbus on the wire, and a purely-internal write from an attacker already on the OT segment still needs enforcement in the command path (at the PLC, a protocol-aware broker, or the EWS).

Attaches to what you already run — the OPC UA application-instance certificate + local TrustList / GDS, 802.1AR IDevID/LDevID + BRSKI, TPM/HSM/secure elements — as the publicly verifiable, DNSSEC/DANE-anchored layer on top, anchoring the IP/DNS/transport boundary and never the fieldbus. No bespoke CA trust store to push to every asset; revocation at DNS-TTL speed instead of a CRL edit no peer ever sees. It satisfies IEC 62443-4-2 CR 1.2 RE(1) with an identifier that also holds across conduits. [See the standards map →](/for-ot-security)

## Plane 2 — Attribution that survives rotation — because it fingerprints the operator, not the remote-access exit.

This is the plane that closes the other gap: 55% of OT environments run four or more remote-access tools (a third run six or more), and a malicious session over shared, rotating egress leaves the SOC with a meaningless *last IP*. Behavioral OT fingerprinting stops at the Purdue boundary — the internet-scale graph does not.

A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — pulls two levers, kept honestly separate. For cloud rotation it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy. For a residential-proxy swarm — where a subscriber IP gives an infra graph nothing to grab — a `JA4/JA3` client fingerprint travels with the remote-access tooling regardless of the exit and collapses the swarm to one operator. The egress IP is the one thing this plane never relies on.

**"When a remote-maintenance session rotates residential proxies and fresh cloud IPs, can you actually attribute it — or just block an IP and move on?"**
Track it. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm. Every answer returns a reproducible, replayable JSON evidence chain your OT SOC, your auditors and a regulator can hand around, exactly the cross-org attribution your Purdue-scoped sensors can't produce.

- **`identify(ip)`** — who really operates a host, even behind a CDN, across any cloud or a rotating jump-host.
- **`origins(prefix)` + `walk(node,depth)`** — cluster rotating IPs into one infrastructure genealogy.
- **`history` / `watch`** — a timeline of an operator and a standing sentinel, plus `variants(domain)` to catch typosquat vendor and integrator domains before they activate.
- **read-only Cypher** — express "one source touching N distinct asset-identities in a window" as a query your agent runs, not a ticket your analyst files.

Additive to the OT visibility stack — Dragos, Claroty, Nozomi, Armis, Tenable OT — it consumes their inferred inventory and adds the cross-org operator attribution their behavioral fingerprinting can't. [Trace the full back-trace →](/ot-exposure)

## Plane 3 — MUD was a suggestion enforced at the nearest switch. Whisper makes it proof, enforced at the /128.

RFC 8520 MUD (an IETF Internet Standard) lets a device *declare* its intended egress — a MUD URL emitted via DHCP option 161/112, an LLDP TLV type 127, or the X.509 `id-pe-mud-url` extension. Its fatal weakness: the declaration is only a suggestion the local MUD manager enforces at the nearest hop, keyed to a spoofable URL, with no portable identity and no cross-org revocation.

Whisper fixes exactly that. It binds the MUD declaration to the asset's verifiable `/128` and enforces it as egress governance at the address itself: default-deny, allowing only the manifest's destinations by name, subdomain, CIDR or port. `op:policy` sets the allow-list; `op:firewall` allows or denies by host, CIDR or port; `op:budget` caps a runaway asset and arms a kill-switch; `op:revoke` cuts a compromised asset off worldwide in one call; and `op:lookups` shows who has been resolving or RDAP-querying an asset's identity — a reconnaissance tripwire that fires *before* the command lands, not a post-mortem after it. The manufacturer-declared intent finally becomes proof: cryptographically pinned, externally checkable, and enforced wherever the traffic actually egresses.

```
Device declares          ──bind──▶   Whisper binds it          ──enforce──▶   Enforced at the /128
its intended egress                  to the verifiable /128                   default-deny egress
MUD URL · RFC 8520                   DANE-pin the MUD URL                      ✓ historian.acme-water.int
DHCP 161/112 · LLDP 127              the /128 is the locator                  ✓ ota.plc-vendor.com
X.509 id-pe-mud-url                  2a04:2a01:4840::a55e                      ✗ everything else — dropped

           op:lookups → who tried to reach it        op:revoke → off worldwide at DNS-TTL
```

**"MUD is a decade old and barely deployed at OT scale — brownfield assets rarely emit a MUD URL. What do you actually add?"**
The two things plain RFC 8520 lacks. A globally-verifiable identity to key the policy to — not a spoofable URL enforced at a single hop — and an externally-managed profile enforced at the asset's own /128 wherever it egresses. For a brownfield asset that emits no MUD URL, you author the same allow-list against its /128 by hand — one `op:policy` call — and get default-deny egress plus per-/128 logs without ever touching the asset.

- **What an asset may reach is a policy, not a hope** — `op:policy` default-deny, then allow the historian, the OTA endpoint and the controller by name or subdomain — the MUD manifest made enforceable at the /128.
- **Per-asset firewall, budget, kill-switch** — `op:firewall` allow/deny by host, CIDR or port; `op:budget` caps a runaway asset; `op:revoke` cuts a compromised one off worldwide in one call.
- **Who's enumerating your assets is a query** — `op:lookups` returns who resolved or RDAP-queried an asset's identity — an early warning that someone is mapping your plant, before the write, not after it.
- **The same primitive governs your OT AI agents** — per-agent /128, per-agent logs via `op:logs`, default-deny egress, one `revoke` — the non-human identity surface the zero-trust vendors are only now reaching for, from day one.

This is micro-segmentation at the *asset*, not the VLAN — an identity-keyed conduit per device implementing IEC 62443-3-3 zones & conduits, keyed to a verifiable identity. Honest boundary: it governs what an asset may reach and who may reach it; the last-inch insecure-protocol write from an existing foothold still needs enforcement in the command path.

## The three planes drop into the systems your plant already runs — at the IP and DNS boundary, never inside the bus.

Whisper anchors the *network*, not the fieldbus. Each row below is a proposed integration onto a system you already operate — the device-identity `/128` is the one capability that is **shipped and live** today. Every one is additive: it complements whatever authenticates the message, and it never reaches into the closed, insecure-by-design fieldbus — Modbus/DNP3/PROFINET on the wire, the OPC UA SecureChannel handshake itself.

| Surface / standard you run | Where a plane plugs in | Complements — does not replace |
|---|---|---|
| **OPC UA + local TrustList / GDS** (Part 12) | **Identity.** Derive the `/128` from the same application-instance-certificate key, and DANE-pin the `ApplicationUri` certificate under the public DNSSEC chain — cross-org verifiable with no commercial CA, revocable by a DNS update everyone sees. | Complements the local TrustList and the OPC UA SecureChannel — makes an otherwise site-local, non-revocable identity globally verifiable. |
| **IEEE 802.1AR IDevID/LDevID** + TPM / secure element · *shipped & live* | **Identity.** Derive the `/128` from the same non-exportable IDevID key, and publish a globally resolvable, DANE-verifiable, RDAP-registered name bound to it — IDevID projected onto the public namespace, independent of the manufacturer root. | Complements the hardware birth-certificate and BRSKI onboarding — makes an un-routable, un-discoverable key resolvable and cross-org revocable. |
| **IEC 62443 zones & conduits** (3-3 SR 5.1 · 4-2 CR 1.2) | **Identity + egress governance.** A `/128`-per-asset plus default-deny egress is micro-segmentation at asset granularity — a conduit per device, keyed to a verifiable identity that survives across zones. Satisfies CR 1.2 RE(1)'s unique-identification capability. | Complements your zone model and SL-target program — Whisper is the conduit's identity + policy layer, not a new firewall in the bus. |
| **OT visibility & detection** (Dragos · Claroty · Nozomi · Armis · Tenable OT) | **Attribution graph + identity.** Turn their inferred, Purdue-scoped inventory into a cryptographically verifiable identity register, and add cross-org operator attribution across rotating egress; findings land as a reproducible, replayable feed. | Complements the sensor; Whisper does no protocol visibility, anomaly detection or asset discovery; it consumes and enriches theirs. |
| **NAC** (Forescout · 802.1X / MAB · VLAN) | **Egress governance + identity.** NAC admits a device to a network-local segment; Whisper adds a globally-verifiable identity and default-deny egress that travels with the asset's own `/128` beyond the switch, out to the cloud and cross-org boundary. | Complements NAC's on-switch admission and quarantine — extends the same allow/deny to the internet-facing egress a local VLAN can't reach. |
| **RFC 8520 MUD manager** (NIST NCCoE SP 1800-15) | **Egress governance.** Bind the device's own egress declaration to a verifiable `/128` and enforce default-deny at the address, DANE-pinning the MUD URL so the manifest is externally checkable — a genuine strengthening of a spoofable URL enforced at one hop. | Complements the MUD manager — Whisper is the verifiable identity the policy keys to, and the enforcement point wherever the asset actually egresses. |

Read together, these map to EU CRA Annex I essential requirements — 2(d) identity & access management, 2(j) attack-surface, 2(l) record & monitor access — on a hard 2027 CE-marking deadline, and to IEC 62443-4-2 CR 1.2 and 3-3 zones & conduits, plus CISA CPG 2.0's IPv6 asset inventory + logical segmentation — evidenced on day one, without touching your firmware roadmap. Honest: these remain *organizational* obligations; the product is the evidence, never automatic compliance. [Standards mapping →](/for-ot-security)

## Five things you can't stand up overnight — and a competitor can't clone from a slide.

A platform is only as durable as what sits underneath it. Whisper's three planes rest on five load-bearing pillars, each a real, checkable fact rather than a claim on a roadmap: **AS219419** (real routable space), **the graph** (7.44B nodes accreted over years), a **per-identity CA** (one leaf per asset, no shared root), **RDAP · WHOIS** (every /128 a registered object), and **DNSSEC** (anchored at the IANA root, not at us).

### Real routable space, not a namespace we invented

AS219419 and `2a04:2a01::/32` are announced to the global routing table with an RPKI-validated origin. You cannot allocate verifiable identities from address space you don't hold and can't announce — which is why this can't be reproduced with a database and a domain, or with a private ledger and an appliance.

### A graph you accrete, not one you query once

7.44B nodes and 39.3B relationships of BGP, DNS, WHOIS, TLS, hosting and threat intel, built over years. Attribution across rotation is only as good as the history behind it, and history is the one thing you can't buy this afternoon.

### A per-identity CA, so blast radius is one

One deterministically-derived leaf per asset, PLC or agent — DANE-EE `3 1 1` pinned, never a shared intermediate. The single-CA-breach failure mode that has burned this industry before is removed by construction, not by policy.

### Registry-anchored and root-anchored

Every /128 is a real RDAP/WHOIS object with an RPKI-validated route origin, resolvable as a `did:web` document, and the whole chain validates through DNSSEC to the IANA root. `whisper verify --trustless` checks an identity without trusting Whisper — public accountability and a trust anchor you already run.

**"Point-solution OT-security vendors come and go. Will you still be here in five years, and is this real or a checkbox?"**
It's infrastructure, and it's built by people who ran the internet's plumbing. Real routable address space at AS219419, run by a team that operated one of the internet's regional address registries and one of its root DNS servers. The moat is real space, an accreted graph and open standards — not a slide, not a private fabric you have to join. You can verify every claim on this page yourself, today, without an account and without installing a sensor.

## Exercise all three planes yourself — our API isn't in the trust path.

Two tiers, by design. No key: verify an asset's identity — the identity plane, trustless, anchored at the IANA root. Your key: back-trace a suspicious remote-access host across any cloud, bind a PLC to its ApplicationUri, govern its egress, revoke it worldwide.

```bash
# plane 1 — re-derive and verify any asset's identity, trustless
$ whisper verify --trustless 2a04:2a01:4840::a55e
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the asset — reverse DNS names it
$ dig -x 2a04:2a01:4840::a55e +short
  plc-line3-42.opcua.acme-water.whisper.online.

# plane 2 — with your key, attribute who really operates a remote-access host via the public graph API
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
```

```bash
# plane 1 — bind a PLC to the OPC UA ApplicationUri it already carries
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the asset key>',
       device_id:'urn:acme-water:opcua:plc-line3-42'}})"   # device_id = the OPC UA ApplicationUri
  → identity 2a04:2a01:4840::a55e   DNSSEC + DANE live

# plane 3 — the MUD manifest, made enforceable: default-deny egress at the /128
$ whisper policy set --default deny --allow historian.acme-water.int,ota.plc-vendor.com
$ whisper logs --identity 2a04:2a01:4840::a55e --tail   # the asset's own outbound
$ whisper kill --revoke 2a04:2a01:4840::a55e            # worldwide, at DNS-TTL
```

## Three planes, and all three exit into the stack you already run — not a new silo.

### Feeds your SIEM, not another console

A machine-readable feed into your SIEM: the Splunk, Microsoft Sentinel and OpenCTI connectors ship today. Findings map to CEF and ECS fields and arrive as a signed, replayable JSON evidence chain you can hand a regulator — STIX 2.1 over TAXII export on the roadmap.

### Nothing issued in the dark

Every identity mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable issuance and revocation trail for a CRA or 62443 assessor. *Honest status:* tamper-evident today, independent witnessing is the next step.

### Two servers, one truth

Active/active anycast on AS219419, both nodes answering identically off the same source of truth. No single node in the path; a degradation is graceful, never a hard outage.

### Additive & availability-safe

It rides existing DNS/IPv6 and adds no inline OT chokepoint. If your gateway authorizes against the DANE/verify path, that plane is built to fail open — a Whisper outage never bricks an asset; checks degrade to your existing anchors.

### Speaks your compliance language

Maps to EU CRA Annex I 2(d)/2(j)/2(l), IEC 62443-4-2 CR 1.2 + 3-3 zones & conduits, CISA CPG 2.0 IPv6 inventory, NIST SP 800-82r3 and NIS2 — evidence, never a binder. Honest: additive; the org obligation stays yours.

### Flat pricing, a vendor that lasts

Per-asset/year and flat — a line item you can forecast, not per-transaction metering. On real routable space run by people who operated a regional address registry and a root DNS server. Keyless to start. [See pricing →](/pricing)

## One primitive. Three planes. Give every asset an identity it can prove.

Identity bound to the ApplicationUri it already carries, an attribution graph that survives IP rotation, and MUD-grade egress governance — additive to your 62443 program, mapped to EU CRA and IEC 62443, priced so you can say yes. Keyless to try, one call to provision, one more to revoke.

Or run `whisper verify --trustless` right now.
