Learn OT cybersecurity with hands-on, progressive labs.
An open-source platform to practice discovery, segmentation, monitoring, incident response, and hardening in IT/OT industrial environments.
https://github.com/substationworm/OTLab

Not sure where to begin?
Start with Lab 01 — no prior OT experience needed. It walks you through discovering devices on an industrial network from scratch.
Learning Path
Follow the recommended path by levels. You can also view labs individually.
Start with the basics and follow the recommended order.
Learn in sequence, then practise right away.
Each level points to related exercises and labs, so you do not stay only in theory.
Level 0 — Fundamentals
Prerequisites and basic concepts to start with OTLab.
- Networks, IP, ARP and essential concepts.
- Base tools: ping, traceroute, tcpdump.
- First labs to build confidence.
Level 1 — Observation and discovery
Techniques for discovering hosts and mapping networks in controlled environments.
- Discover hosts and map services.
- Practise nmap, ARP and local observation.
- Apply discovery in a controlled network.
Level 2 — Protocol analysis
Inspect and analyze network traffic to understand protocol behavior.
- Read packets and recognise traffic patterns.
- Explore tcpdump, tshark and Wireshark.
- Understand handshakes, flags and payloads.
Level 3 — Offensive/defensive techniques
Ethical exploitation practices in isolated environments and basic defensive measures.
- Practise in an isolated and safe environment.
- Observe the impact of hardening and containment.
- Connect controlled exploration with defence.
Level 4 — Integration and advanced research
Advanced topics: event correlation, network forensics and investigation pipelines.
- Correlate events and prepare investigation.
- Introduction to automation, logs and network forensics.
- Close the cycle with advanced analysis.
Featured Labs
Start with the fundamentals and expand to the full curriculum when you're ready.
Lab 01 - Basic OT-ICS Device Detection
Discovery of OT-ICS devices through network scanning, service enumeration, and industrial protocol analysis.
Lab 02 - Siemens S7 PLC Emulation
Discovery and analysis of a Siemens S7 PLC through network scanning, service enumeration, and identification of vendor-specific protocols.
Lab 03 - Service Station Control System Emulation
Discovery and analysis of a simulated service station control system through host identification, service enumeration, and automatic tank gauge (ATG) device analysis.
Lab 04 - Modbus/TCP Emulation and Register Access
Configuration of a Modbus/TCP simulator and interaction with holding registers through network discovery and Modbus register access.
Lab 05 - Modbus/TCP Routing Between Subnets
Discovery of subnet ranges, active OT-ICS hosts, TCP/UDP services, and intercepted Modbus/TCP communications.
Lab 06 - Industrial Protocols and Web Interface Exposure
Discovery of industrial devices through subnet enumeration, service analysis, web interface inspection, and SNMP information gathering.
Lab 07 - Default Password Exposure
Discovery of an OT-ICS host, identification of exposed services, and access to a management interface protected by default credentials.
Lab 08 - Subnet Masks and Segmentation
Exploration of subnet masks, IP addressing, network segmentation, and routing behavior across multiple workstations.
Lab 09 - Nmap Scanning Techniques
Nmap scanning techniques in corporate subnets using ICMP, ARP, TCP and UDP analysis.
Lab 10 - TCP/IP and Three-Way Handshake
Introduction to TCP/IP communication, ARP discovery and TCP three-way handshake analysis.
Lab 11 - MFA Bypass via AiTM
Simulation of an adversary-in-the-middle attack to capture session cookies and bypass MFA in an OT-ICS environment.
Lab 12 - Fundamental Network Topologies
Exploration of fundamental network topologies through ARP analysis, ICMP testing and Layer 3 path mapping.
Lab 13 - Jump Host
Security assessment of an industrial network involving IT-to-OT pivoting, service discovery and enumeration.
Help build OTLAB
OTLAB is free and open. You can add labs, fix docs, translate content, or improve tooling. Every contribution matters.
Built for technical training with real-world context
Practical learning
Progressive exercises with objectives, steps, and expected outcomes.
OT/ICS security
Focus on industrial networks, protocols, segmentation, and operational defense.
Clear documentation
Quick guides to set up the environment, run labs, and contribute.
IT/OT without noise
Concepts explained with direct language applicable to critical infrastructure.
Open-source
Open project for academic use, community growth, and continuous improvement.
Ready for GitHub Pages
Simple, fast, responsive Hugo structure, easy to maintain with CI/CD.
Lab structure
Fundamentals
OT discovery, Modbus, and PLC.
Protection
Industrial network, segmentation, firewall, and monitoring.
Secure operations
Logs, access control, backups, response, hardening, and auditing.
