For the last decade, Dragos has centralized the industry’s most elite team of OT cybersecurity practitioners and cyber threat intelligence analysts and codified that into the Dragos Platform technology. The strategy was straightforward: the way to make the best technology is to have the best practitioners. Over the years, the team has gained insights from programs like Neighborhood Keeper, vulnerability analysis, tracking threat groups, adversary research, assessments of OT networks, incident response, and 24/7 managed services. These insights have become the largest collection of OT/ICS cybersecurity data on assets, vulnerabilities, and threats worldwide.
The Dragos Intelligence Fabric is this knowledge base, and with new technological capabilities such as AI, it can be tapped into by Dragos customers in ways previously not possible. The Dragos Intelligence Fabric ensures customers get the most accurate insights and prioritizes what matters most, with the context needed to make the right decisions quickly.
The Dragos Intelligence Fabric is the system that connects adversary tracking, OT telemetry, vulnerability research, detection engineering, threat hunting, incident response insights, and more into a continuously updating loop. It is not an extra research layer sitting beside a platform. It is the mechanism by which changes in one discipline alter the others.
It is built from several things working together:
- Data and Insights: Global OT telemetry, strategic and operational intelligence, adversary TTPs, vulnerability, and asset intelligence specific to industrial environments. This includes over 5 petabytes of daily telemetry and over a decade of frontline adversary research and incident response, not from IT networks, but from OT environments across every major critical infrastructure sector.
- People: Adversary hunters, intelligence researchers and analysts, incident responders, and proactive assessment experts all operating against a shared adversary model that is continuously updated by what they find in the field.
- Partnerships: Collaborative relationships with government agencies, intelligence communities, law enforcement, and industry partners extend the Dragos Intelligence Fabric’s reach beyond what any single organization can observe. These partnerships surface early signals, validate findings, and bring external OT context back into the shared model.
- Systems: The Dragos Platform, OT Watch, and the Neighborhood Keeper collective defense network are not just outputs; they are inputs. Telemetry from deployed environments validates whether analytic assumptions hold at scale. Findings from OT Watch, incident response, and assessment services continuously stress-test the adversary model. When something diverges, the model and detection logic are updated.
- Artificial Intelligence: All of the above inputs help train Dragos’s artificial intelligence capabilities, and those capabilities help our analysts garner new insights to generate more input into the fabric. At times, there can be a lot of hype around AI, but one thing remains consistent: when you have the right training and use cases, it can be a powerful tool. There is no larger, similar training dataset in the industry than the one at Dragos.
These elements operate against a shared, continuously evolving understanding of OT adversaries, vulnerabilities, assets, and more. That integration is what makes the Dragos Intelligence Fabric different from a collection of products or a periodic research output.
The Dragos Intelligence Fabric exists to provide OT-specific context that drives prioritization and execution, embedded directly into the platform, services, and intelligence guidance that customers rely on.
Vulnerability management reflects OT context and confirmed adversary use in OT environments, not just whether a CVE has been published. Detection content is engineered around observed OT adversary tradecraft and not just inherited enterprise logic or anomalies. When customers engage Dragos for incident response or assessments, teams arrive with context drawn from years of adversary tracking, cross-sector telemetry, and prior field engagements. Asset discovery is performed using context and insights from global visibility across thousands of sites to enhance accuracy and relevance.
Each adversary capability, telemetry signal, vulnerability finding, and field engagement feeds back into a shared model. As that model evolves, so do analytics, prioritization, and guidance. Customers benefit from that refinement continuously, not because a product version changes, but because the intelligence behind it does.
The Dragos Intelligence Fabric runs continuously and is used directly by the Dragos analysts and practitioners. Further, for Dragos Platform customers, the Dragos Intelligence Fabric can be accessed via the technology through the ongoing content they receive. Soon, customers will be able to query the Dragos Intelligence Fabric directly through the launch of a new add-on module to the Dragos Platform.
The collective defense and insights across all of Dragos’ efforts, analysts, and customers return the advantage to defenders against global risks and threats.
The findings of the 2026 Dragos OT/ICS Cybersecurity Year in Review draw on insights gathered from across incident response engagements, threat research, vulnerability analysis, and real-world industrial security assessments in the Dragos Intelligence Fabric. For a deeper look at the threats shaping industrial cybersecurity and the defensive actions organizations should prioritize, explore the full report below.
