Cyber Security Software Platform

First Watch® is a cyber-security asset management platform helping protect OT networks from cyber-attacks by securing the SCADA and PLC layers. First Watch® monitors endpoints, network and PLC/field device files, configurations, and data flows at the core of the industrial control system to provide near real-time situational awareness and monitoring of an asset integrity and cyber intrusion detection. First Watch® provides full visibility at the critical control layer and identifies changes to critical controllers, including change to firmware, logic, and device configuration, whether done over the network or directly on the device. First Watch® enables asset owners to make a timely response to attacks and unauthorised configuration changes.

Our software supports your opitmised network structure and management and works with the workflows of your plant operations team.


What can we do for you?

  • The platform monitors and logs in real-time all changes to files and data on monitored devices
  • Logs are sent to an aggregation server where all files’ “provenance” over time are also stored
  • Logs are monitored with rulesets for identifying malicious and anomalous activity
  • The system also monitors data flows in the network and will identify and log network devices and any change to their status
  • All actions are allowed via policies (eg user, time, source HMI, source application, destination HMI, action) 
  • The platform generates alarms if an event doesn’t comply with a policy or policies

Alarms are sent to the asset owner, enabling them to act in accordance with the incident management procedure to reduce harm.


What is this all about?


First Watch Endpoint Аgent

Malicious activities and unauthorised access can originate from any computer on the internal OT network bringing the need to monitor all possible blind spots. The FWED Agent solution provides continuous and comprehensive real-time visibility into what is happening on your endpoints (e.g HMI machines, engineering stations, historians, Active Directory servers, etc.) and detect actions like launching of unauthorised processes, USB device connection, installation of the new software, change of IP address, etc. All actions are attributed to the user.

The Microsoft authorised kernel-driver is the core component of the FWEDA. Operating at the kernel level FWEDA protects the industrial computer from cyber hack and makes the system overall considerably more secure from hackers who prefer to operate in the “user space” a level up from the OS (Operating System).


Features of the agent include: Software status monitoring, patch status and automated vulnerability alerts, whitelisting, data vault and monitoring of: user activity, files, drivers, memory usage, exceptions, network traffic in and out of the end point (and point of origin or target for the traffic).

Features include:  visibility of all activities performed over the network, event logs, monitor traffic flows incl most network and ICS protocols, native discovery of all devices on the OT network and their attributes.


First Watch Network Аgent

First Watch®’s Network Agent (FWNA) is a passive deep-packet inspection and network flow monitoring engine that observes industrial control network activity.  This technology was purposely built for the unique characteristics of   industrial control systems.  The FWNA is speci­fically designed to detect control layer events in SCADA application communications Ethernet/IP analysing protocols like CIP.



First Watch Security Center

Data from the end point agent(s) and network agent(s) across a plant (or multiple plants) are aggregated by the servers in the security centre where critical real-time analysis and configurations can be made. This provides an all-of-network view to understand the relationship between network and end point activity – linking these reduces the alerts to only those that impact operations and warrant attention.  Other features include:

Security Operations Center (SOC)



Our products