In 2013, the Department of Defense gave permission to three employees to develop a tool in their off-hours — the CyberLens tool. These employees, Dragos founders Justin Cavinee, Jon Lavender, and Robert Lee, created CyberLens as an assessment tool to help the community quickly process packet captures and visualize ICS environments.

The analysts were later joined by Matt Luallen and formed an LLC called Dragos Security. The purpose of the LLC was a protective legal entity for the housing of CyberLens, so development could continue in the off-time with the intent of getting it out to the community for training and assessment purposes.

CyberLens is intended for packet captures under 10Gb that include a few hundred assets or less. CyberLens provides basic protocol inspection for major protocols, such as ModbusTCP and DNP3, and customizable fingerprints based on ports.

Originally developed in 2012 at Idaho National Laboratory as “Sophia,” the exclusive rights to commercialize the tool were awarded to NexDefense in 2013. At NexDefense, the tool was rebranded as “Integrity” and underwent massive improvements before being acquired by Dragos in 2019 and returned to “Sophia.”

During development, it was apparent that Sophia had a role to help the community as a private sector offering. NexDefense enlisted the help of numerous colleagues and developers to extend Sophia beyond the initial vision and turn it into an even more highly-capable and scalable tool. The tool garnered positive recognition as an RSAC Innovation Sandbox finalist, Gartner Cool Vendor, and best network security solution by Cyber Defense Magazine.

Sophia is intended for packet captures of any size with asset counts of up to 100,000. Sophia provides ongoing industrial asset identification, ICS network, and data flow visualization with basic deep packet inspection of ICS protocols–such as ModbusTCP, DNP3, EthernetIP, BacNet, and OPC UA–and customizable fingerprints based on ports.