Industrial security from the inside out

Sec4OT was founded to address a gap that most IT security firms don't understand: the floor is not the office. Production environments run on protocols IT doesn't speak, hardware IT won't patch, and uptime requirements IT doesn't face.

We operate from the Netherlands, work on-site across industrial sectors, and bring OT-native expertise to every engagement — not an IT security methodology adapted for OT as an afterthought.

Sec4OT is deliberately small. When you engage with us, you work directly with Marc — a senior security engineer with a background in both production floor automation and offensive security. No junior consultants, no generic checklists.

Marc
Founder & OT Security Engineer

Over a decade of hands-on experience spanning industrial automation and OT cybersecurity. Fluent in both Modbus and MITRE ATT&CK for ICS — which means findings are grounded in production reality, not theoretical risk frameworks.

Backgrounds in PLC/SCADA engineering and penetration testing. Regularly engaged for asset discovery, vulnerability assessments, live-hack demonstrations, and OT-SOC design across manufacturing, water, and energy sectors.

PI Certified — Process Industry
IEC 62443 — Industrial cybersecurity standard
NIST SP 800-82 — OT security guidance
MITRE ATT&CK for ICS — adversary emulation
CISA ICS-CERT advisory alignment

Sectors served
Energy & utilities
Manufacturing
Water treatment
Oil & gas
Transport
Chemicals

Four principles that guide every engagement

Hard-earned convictions about what actually works in industrial environments.

Uptime first
Every recommendation accounts for production schedules, maintenance windows, and the reality that a PLC running 24/7 for eight years cannot simply be patched on a Tuesday afternoon. We plan around your operations, not our methodology.
OT-native, not IT-adapted
We use passive discovery tools designed for OT networks — not Nessus against a Siemens S7. We understand Modbus, Profinet, DNP3, and EtherNet/IP. We know the difference between a PLC and a DCS, and why it matters for your security posture.
Evidence-based risk
No vendor fear-mongering. Every finding is tied to a specific asset, a specific risk, and a specific compensating control option. If we cannot quantify it, we do not report it as critical. Your risk register should be actionable, not alarming.
Built for operators
Security awareness training designed for the person running the SCADA screen, not the CISO. Incident response procedures that account for the fact that your most important safety system is also potentially your most vulnerable network node.

Work directly with the engineer

Every Sec4OT engagement is led personally by Marc. Senior expertise from day one — not a project manager handing off to a junior analyst with a checklist.

info@sec4ot.nl
KvK: 89266692