Your OT sensor sees that a DER is misbehaving. Your DERMS trusts a 2030.5 cert it can't revoke.
The OT-detection stack — Dragos, Claroty xDome, Nozomi, Armis, Forescout — and the DERMS/VPP platform riding your IEEE 2030.5 PKI are each good at their job, and you should keep running every one. But the fleet-takeover attack survives the whole stack, because it walks two rows no category was built to own: attribution that outlives egress rotation, and a device identity that is publicly verifiable and revocable at DNS-TTL.
whisper verify --trustless — the one thing no tool on this page offers: you never have to trust our API.
Every category here is good. The incident survives in the two rows none of them own.
The fleet-takeover attack — mint or reuse an aggregator bearer token, enumerate the LFDIs behind it, dispatch legitimate-looking setpoints from rotating egress — passes every check on purpose. Strip it down and it leans on exactly two structural gaps. Here's which category leaves each one open, and why.
OT detection is excellent at what's on your network and whether it's behaving — but its attribution is network-scoped. Rate-limit an IP and the operator spins up a fresh one across Amazon, Google and Azure, or a residential-proxy swarm, and the sensor loses them at the firewall. The last IP was never the operator — and known-indicator threat intel doesn't help either, because a just-spun cloud IP and a residential swarm are, by definition, not yet in anyone's feed.
Only Whisper closes it — the graph. A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — fingerprints the operator, not the IP. Cloud rotation collapses into one infrastructure genealogy (shared ASN, hosting, certificate lineage); a residential swarm collapses on a JA4/JA3 client fingerprint that rides the tooling regardless of the exit. Every answer is a reproducible evidence chain your OT SOC, your auditors and a regulator can replay — and it lands into your sensor and SIEM, not beside them.
"Our OT platform already does device fingerprinting and anomaly detection. Isn't that identity?"
It's observational identity. It's inferred from behavior and passive traffic, scoped to the monitored network, and non-revocable off-box — so it can't follow the operator once the egress rotates, and it can't prove a DER to anyone outside the sensor. The OT-detection category itself is moving toward machine identity — a sign this is the right layer, not a knock on the sensor. Whisper's identity is cryptographic and its attribution is internet-scale, and both arrive as a feed your sensor consumes.
Your DERMS/VPP consumes the manufacturer's IEEE 2030.5 certificate and its LFDI — a genuinely good key-derived name — but it doesn't mint identity, and it inherits the model wholesale: a private SERCA→MCA→MICA root, allow-listed per-utility out-of-band, app-layer only, and — in the standard's own words — "life-long certificates that cannot be updated or revoked." No CRL, no OCSP. When one inverter is compromised, there is no cross-operator off-switch to pull.
Only Whisper closes it — identity you can prove and revoke. Bind that existing LFDI to a routable, DNSSEC-anchored, DANE-EE /128 — keeping the key-derived property, adding public verifiability and revocation at DNS-TTL. A request that passes token-auth but can't prove the target DER's identity has no authority; one op:revoke and dig -x returns nothing, worldwide, at DNS-TTL. No re-keying the 25M+ inverters already in the field — you bind the identity they were born with.
"IEEE 2030.5 already gives every inverter a certificate and an LFDI. Why isn't that enough?"
Because it can't be revoked, and no one outside the utility can verify it. The LFDI is a SHA-256 of the device's own certificate — a good key-derived name — but it lives in a private SERCA root, is allow-listed out-of-band, isn't addressable, and cannot be revoked. Whisper keeps the key-derived property and makes it publicly verifiable, addressable, and revocable at DNS-TTL. Shipped today: pass the LFDI (or a DER serial) as device_id.
Gap 1 is detection made durable across rotation. Gap 2 is the root cause removed. Every category on this page owns its check; none owns these two rows — that's the white space, and it's exactly what the fleet-takeover attacks exploit.
The incident forces three questions. Your stack answers only the first.
Line the categories up against the questions an incident actually forces you to answer, and the picture is honest and simple: the OT layer is well covered, and the two rows underneath it are the seam.
OT detection sees that a DER is misbehaving. Whisper proves who commanded it — and follows them when the egress rotates.
The OT-detection incumbents — Dragos, Claroty xDome, Nozomi, Armis, Forescout — are excellent at passive asset discovery, protocol visibility (DNP3, IEC 61850, Modbus) and anomaly detection on the OT network, and you should run one. That's necessary, and it's where the picture stops: on the monitored network, at the sensor, with identity that is observational and non-revocable off-box.
Whisper adds the two rows OT detection doesn't own — internet-scale attribution across rotating clouds and residential proxies, and a publicly-verifiable, revocable device-identity plane. On their own turf we're honest: we're an additive feed, not a second sensor.
| Capability | OT detection | Whisper |
|---|---|---|
| Passive OT asset discovery, protocol visibility, anomaly detection | ✓ | additive feed |
| Device identity is… | observational (behavior / fingerprint) | ✓ cryptographic (the device's own key) |
| Attribute the operator across Amazon → Google → Azure rotation | — | ✓ |
Collapse a residential-proxy swarm to one operator (JA4/JA3) | — | ✓ |
| Publicly-verifiable identity off the monitored network (DNS/DANE) | — | ✓ |
| Revoke a compromised DER worldwide at DNS-TTL, cross-operator | — | ✓ |
| Per-device default-deny egress governance (source-bound /128) | — | ✓ native |
| Reproducible evidence chain a regulator can replay | alerts | ✓ |
| Trustless verification — no need to trust the vendor's API | — | ✓ |
| Deploys as | in-network OT sensor / collector | additive feed · on-prem / own-tenant |
| Pricing shape | per-site / per-sensor | flat, per-device / year |
"Our OT platform already flags anomalous DER traffic. What do I need you for?"
To answer the next two questions. Flagging that a DER is misbehaving doesn't tell you who is behind it once the egress rotates, and it can't stop a genuine, stolen aggregator token — it can only notice the pattern once it's anomalous enough. The graph names the operator and follows them across the rotation; the identity plane makes "one token → a whole fleet" physically impossible, not merely detected. Your sensor sees the symptom sharply; we close the two rows that let it recur — and we feed the finding right back into it.
Two categories own the top rows. Whisper owns the bottom — and enriches theirs.
The whole DER program in one grid: the OT-detection stack owns visibility and anomaly detection; the DERMS/VPP platform on your 2030.5 PKI owns the in-ecosystem device cert; and the rows underneath — publicly-verifiable identity, cross-operator revocation, attribution across rotating egress, egress governance — are the seam. No empty Whisper column and no empty incumbent column: that's the additive point.
Additive one layer deeper, too: Whisper rides on top of the anchors you already trust — the IEEE 2030.5 / SunSpec / Kyrio device certificate on the CSIP head-end, IEC 62351 on the substation bus, ISO 15118 Plug & Charge — anchoring that same identity in public DNSSEC/DANE, RDAP-registered and trustlessly verifiable off-ecosystem. You can DANE-pin the same 2030.5 certificate your CSIP head-end already speaks and cut single-CA trust risk. It layers out-of-ecosystem identity, attribution and egress governance on top of both your DER PKI and the OT sensor you run — and replaces none of it.
| Capability | OT detection | DERMS + 2030.5 PKI | Whisper |
|---|---|---|---|
| OT visibility & anomaly detection (discovery, protocol, threat) | ✓ | partial | additive feed |
| Per-device cryptographic identity | inferred | ✓ mfr cert / LFDI, in-ecosystem | ✓ from the key it already holds |
| Publicly-verifiable identity (DNS/DANE, not a private CA) | — | — | ✓ |
| Revocation at DNS-TTL, cross-operator | — | — life-long certs, no CRL/OCSP | ✓ |
| Operator attribution across rotating egress | — network-scoped | — | ✓ |
| Routable identity surviving IP / NAT / proxy rotation | — bound to IP/MAC | — LFDI is app-layer | ✓ |
| Per-device egress governance (source-bound to identity) | — | — | ✓ |
Whisper is additional depth — publicly-verifiable identity, cross-operator revocation, internet-scale attribution and egress governance — on top of the OT sensor and DERMS you already run. It makes them sharper; it doesn't replace them, and it doesn't add a console your analysts babysit.
Every tool here, you must trust. Ours, you don't have to.
Every sensor, console and feed on this page asks you to trust its verdict. Whisper's core claim — this address is that inverter — is checkable by anyone, against the IANA DNS root, with our own API deliberately outside the trust path. No account required.
# keyless — re-derive and verify any DER's identity, trustless
$ whisper verify --trustless 2a04:2a01:5e0::50c
✓ DNSSEC chain valid to the IANA root
✓ DANE-EE (TLSA) leaf matches the identity's key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32
identity: VERIFIED — and our own API was never trusted
# the address is the inverter — reverse DNS names it by its LFDI
$ dig -x 2a04:2a01:5e0::50c +short
lfdi-3f2504e0.der.example-vpp.whisper.online.
# who really operates a suspicious aggregator controller — the graph API, with your key
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
-H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
operator: <fingerprinted> · seen across AWS / GCP / Azure
residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
Whisper is one layer, done well. It sits beside these — not over them.
Plenty of good vendors live inside the private DER PKI, the charging handshake, or the substation bus. That's a different lane, and we don't claim it. Naming the boundary is the point: it's how you know exactly what you're buying — and that we anchor at the IP/DNS boundary, never inside anyone's closed layer.
DER-cyber certification & the private DER PKI
The SunSpec/Kyrio SERCA→MCA→MICA root that issues the 2030.5 device cert, and the type-tests behind UL 1741 SB / UL 2941 / UL 2900. That's the private CA and the bench — a certified model, not a live per-unit revocable identity. Whisper is the publicly-verifiable, revocable layer on top of that cert: it DANE-pins it, it doesn't re-run the CA or re-certify the design.
EV Plug&Charge & the roaming/billing PKI
Hubject and the ISO 15118 V2G Root CA give the EV↔EVSE handshake a cryptographic contract cert (EMAID/EVCCID) — a walled roaming and billing garden with optional, fragile OCSP and multi-root path failures. That's the charging handshake, and we don't sit inside it. Whisper adds a verifiable, revocable network identity per EVSE, anchored at the IP/DNS boundary — alongside the 15118 PKI, never replacing it.
In-inverter firmware & the substation bus
IEC 62351 on the MMS/GOOSE bus, embedded firewalls, secure elements and the DNP3 outstation live inside the device and on the OT segment. That's the silicon and the bus — Whisper is on the wire and in the DNS above it, and it derives from the key those secure elements already hold. Fully complementary; it runs below us.
We don't run a private DER CA, we don't sit inside the 15118 charging handshake, and we don't touch the substation bus — and we don't pretend to. Whisper is the network-identity, attribution and revocation layer, and it's honest about being exactly that.
No new silo. Mapped to your standards. Availability-safe by construction.
The additive posture isn't just tidy architecture — it's what makes the buy defensible. Nothing you already run gets torn out; one line item owns two rows, feeds everything else, and adds no inline OT chokepoint.
A feed, not another console
The Splunk, Microsoft Sentinel and OpenCTI connectors — signed JSON → CEF/ECS — ship today, with STIX 2.1 over TAXII export on the roadmap. Findings land in the SIEM and the OT sensor you already run. Zero analysts babysitting a new pane of glass.
See who's enumerating your fleet
op:lookups returns who resolved or RDAP-queried a DER's identity — a reconnaissance tripwire the LFDI's private registry never gave you. Catch someone walking your fleet before the dispatch lands, not in the post-mortem after it.
Govern, cap, and kill each device
The control plane, not just identity: op:firewall allow/deny by host, cidr or port; op:budget caps a device's traffic; one op:revoke cuts a compromised inverter off worldwide at DNS-TTL. Default-deny per device, by name or subdomain.
Nothing issued in the dark
Every identity mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable trail for NERC and your regulator. Honest status: tamper-evident today; independent witnessing is the next step.
Availability-safe, mapped to your standards
Rides existing DNS/IPv6 with no inline OT chokepoint; the verify/DANE path is built to fail open — a Whisper outage never bricks an inverter. Direct evidence for NERC CIP-013 R1.2.3/R1.2.6 and CIP-005 R3.1/R3.2, EU NIS2 Art.21, the EU NCCS and NISTIR 7628. See the map →
Flat pricing, a vendor that lasts
Per-device, per-year and flat — not per-transaction, not usage-metered — a line item you can forecast. On real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. See pricing →
"Will you still be here in five years — and is my fleet's data yours?"
Real address space, your tenant, your call. AS219419 and founders who operated core internet registries and DNS aren't a burn-rate story. The graph and the per-agent logs run on-prem or in your own tenant for data residency; the identity plane fails open so our uptime never gates an inverter; and the trustless verify path means you can audit the core claim without trusting us at all. Additive also means low switching cost in both directions — the safest way to start.
Keep your stack. Own the two rows.
Whisper is the identity, attribution and revocation layer that sits on top of the OT sensor and DERMS you already run — additive, mapped to your standards, flat to price. Keyless to try, one call to provision, one more to revoke.
Or run whisper verify --trustless right now — our API isn't in the trust path.