Transform OT Telemetry into Actionable Threat Intelligence
CATCH provides security teams with the visibility and intelligence needed to protect critical infrastructure. By combining comprehensive data collection with advanced analytics, CATCH detects sophisticated threats that traditional security tools miss in operational technology environments.
Purpose-Built for Operational Technology Security
Traditional cybersecurity tools weren’t designed for the unique challenges of OT environments. CATCH was purpose-built to collect telemetry from industrial control systems, analyze it using MITRE ATT&CK for ICS techniques, and generate standards-based threat intelligence that integrates seamlessly with your existing security infrastructure.
STIX 2.1 Native Architecture
Every piece of data CATCH collects is immediately converted to STIX 2.1 format, the industry standard for sharing cyber threat intelligence. This means your telemetry integrates natively with SIEM platforms, threat intelligence feeds, and analysis tools like BAM (Bayesian Attack Model).
From Collection to Response in Minutes
CATCH combines two powerful toolsets: Collection Engines that gather telemetry from diverse OT sources via SSH, and Analysis Modules that query a Neo4j graph database to detect MITRE ATT&CK patterns. The result? Threat detection that happens in minutes, not days.
Developed by CyOTE for Critical Infrastructure Protection
Funded and developed through the CyOTE (Cybersecurity for the Operational Technology Environment) program, CATCH represents cutting-edge research translated into practical tools that strengthen the security posture of critical infrastructure nationwide.
Core Capabilities
Nine Collection Engines
Specialized Go-based engines gather telemetry from network traffic, system logs, processes, files, and ICS protocols, all converted to STIX 2.1 Observed Data objects.
MITRE ATT&CK Detection
Analysis modules detect 26 ICS-specific attack techniques across 11 tactics using Cypher queries against the Neo4j graph database.
Neo4j Graph Storage
Store and query STIX 2.1 data with relationship preservation, enabling temporal attack chain analysis and pattern correlation.
CGUI Management
Terminal-based graphical interface for profile configuration, engine selection, real-time monitoring, and IOC alerting.
STIG Visualization
Interactive graph-based exploration of STIX relationships through the Structured Threat Intelligence Graph companion tool.
BAM Integration
Export STIX reports to Bayesian Attack Model for probabilistic threat analysis across Early, Middle, Late, and Impact attack stages.
MITRE ATT&CK for ICS Coverage
CATCH analysis modules provide detection coverage for 26 ICS-specific techniques across the MITRE ATT&CK for ICS framework. This comprehensive coverage ensures threats are detected across the entire attack lifecycle.
Figure: INL ICS Analysis Module Coverage - MITRE ATT&CK v14, 26 of 78 techniques (33% coverage). Legend: INL Analysis Module Implemented; Technique Not Covered.
CATCH Workflow Demonstration
Walk through the complete CATCH workflow from configuration through collection, storage, analysis, visualization, and integration with BAM.
Resources and Documentation
GitHub Repository
Access the CATCH source code, technical documentation, installation guides, and contribution guidelines.
STIG Integration
Structured Threat Intelligence Graph provides visualization and analysis of STIX 2.1 data from CATCH.
BAM Integration
Bayesian Attack Model uses CATCH’s STIX output for probabilistic threat analysis and attack progression modeling.
OPTIC Companion Tool
Operational Process for Trigger Identification captures human observations to complement CATCH’s automated collection.
INL ICS 311 Course
CATCH demonstrated in “Detect the Attacker” OT threat hunting course alongside OPTIC and BAM.
STIX 2.1 Specification
Technical details on OASIS STIX 2.1 standard used throughout CATCH for threat intelligence exchange.
Demonstrated in INL ICS 311 “Detect the Attacker”: CATCH + OPTIC + BAM working together to support hypothesis-driven OT threat hunting across critical infrastructure environments.