Your OT is not Ready for a Pentest

By Johnny Xmas

Elevator Pitch

In this blunt and practical talk, we’ll challenge the assumptions that lead organizations to build an internal OT red team program, a high-risk, low-reward path when the foundational controls to support it are missing.

Description

Abstract: More and more asset owners are jumping on the “red team” bandwagon, convinced they need an internal offensive security program for their OT environments. But do they really? In this blunt and practical talk, we’ll challenge the assumptions that lead organizations down this high-risk, low-reward path without the foundational controls to support it.

We’ll unpack the common misconceptions, such as the belief that an OT network can be “tested” the way an IT network is. Along the way, we’ll expose the blind spots in asset visibility, the lack of network segmentation, and the overconfidence in vendor-supplied protections that leave many OT environments unready for offensive exercises.

Whether you’re an ICS engineer, a CISO, or just trying to make sense of the hype, this talk will help you separate real readiness from risky wishful thinking, and it offers grounded alternatives for building a resilient OT security program before you bring in the red team.