
In tabletop exercises the company conducted in 2025, 88% of participants had trouble detecting threats, 94% had difficulty with containment, and 82% struggled to activate their incident response plans. During real-world engagements, a third of incident response cases began not with an alert from a product but with an operator noticing something seemed wrong, and in most of those cases, the data needed to investigate the incident had never been collected.
Dragos also found that 82% of OT asset owners lack defined criteria for when an operational anomaly should trigger a cybersecurity investigation. On top of that, 81% of environments assessed had poor IT/OT network segmentation, and 56% of penetration tests found that attackers could move laterally inside OT networks using legitimate system tools without being detected.
“We’ve told our community, build a big glass house, but the moment that perimeter is breached, like, I don’t know, good luck,” Lee said, noting that roughly 90% of security guidance for OT environments focuses on perimeter defense (“patch, passwords, antivirus, access controls, secure mode access”), with less than 10% addressing detection and response once intruders are inside the network.