Monitoring 11 sources · Updated daily

Vulnerability tracking for OT/ICS professionals


OT vulnerability advisories are packed with technical detail that can be complex and overwhelming, especially when you're managing dozens of them a week. OTPulse translates them into plain language so you can quickly understand what's affected, what's being exploited, and what to do about it.

The question this tool answers: “I have S7-300 PLCs and Schneider EcoStruxure on my network. Do I need to do something this week?”

Free · No account required · Updated daily

11 advisory sources · Daily update cycle · 4 exploitation feeds · 0 setup required
// what we monitor

What OTPulse monitors

Advisory sources are checked daily. Only ICS/SCADA/OT-specific advisories appear. No general IT CVEs.

CISA ICS-CERT

The primary US source for ICS advisories from all major OT vendors. Updated multiple times per week.

Siemens ProductCERT

Covers SIMATIC, SINUMERIK, SCALANCE, WinCC, and the full Siemens OT portfolio. CSAF JSON format.

Schneider Electric

Security Events and Vulnerabilities Disclosures. Covers EcoStruxure, Modicon, and AVEVA products.

Rockwell Automation

Covers Allen-Bradley, FactoryTalk, Logix, and related industrial automation products.

ABB

Covers ABB Ability, AC500, Relion, and industrial automation and power products.

Moxa

Covers industrial networking equipment including EDS switches, protocol gateways, and serial device servers.

CERT@VDE

European ICS coordinator covering Phoenix Contact, WAGO, CODESYS, Pilz, Beckhoff, Festo, Pepperl+Fuchs, and Helmholz.

Cisco PSIRT

IT-in-OT coverage. Cisco IOS, IOS XE, NX-OS, and ASA/Firepower advisories that touch routers, switches, and firewalls used to segment OT networks.

Fortinet PSIRT

IT-in-OT coverage. FortiGate, FortiManager, FortiAnalyzer, and FortiOS advisories. Fortinet edge devices commonly sit between IT and OT networks.

Palo Alto Networks

IT-in-OT coverage. PAN-OS, Prisma, and Cortex advisories. Palo Alto firewalls are widely deployed at the IT/OT boundary.

Microsoft MSRC

IT-in-OT coverage. Windows Server, Active Directory, and SMB/RPC advisories. Engineering workstations and historians often run on Windows.

Each advisory is enriched with CVSS scores from NVD, exploitation data from CISA's KEV catalog, EPSS probability scores from FIRST.org, and proof-of-concept and Metasploit module availability from public exploit databases.


// reading the feed

How to read a card

Hover over any part of the card below to see what it means.

Siemens SIMATIC S7-300 Remote Code Execution via Improper Authentication
Act Now
CISA KEV · Exploited in wild · Exploit likely · Metasploit · PoC public

Remotely exploitable, could allow full system takeover, no credentials needed

Siemens · Manufacturing · Energy
In progress · No fix · CVE-2024-47901 · SSA-180704 · 2 days ago



// urgency tiers

Urgency tiers reference

How each tier is determined:

Tier | When it applies | Typical action
Act Now | On the CISA KEV catalog OR EPSS exploit probability > 10% | Compensating controls immediately. Escalate to operations.
Plan Patch | CVSS ≥ 7.0 with a fix available, or CVSS ≥ 8.0 | Schedule a maintenance window within your normal patch cycle.
Monitor | CVSS ≥ 4.0 without exploitation evidence | Track. Re-evaluate if exploitation status changes.
Low Risk | CVSS < 4.0 or low-impact local/physical issues | Log for awareness. Low priority unless specific exposure.

Why “Act Now” needs real exploitation evidence. A 9.8 CVSS with no known exploit and a 0.1% probability of being exploited isn't the same emergency as a 7.5 CVSS that's already on CISA's KEV catalog. OTPulse only escalates to Act Now on exploitation evidence (a KEV listing or an EPSS probability above 10%), not when CVSS alone says it would be bad if someone exploited it. High CVSS without exploitation evidence drops to Plan Patch.
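The tier rules above, written out as an added example (this is not OTPulse's own code). It assumes the rows are checked top to bottom with the first match winning; the field names are hypothetical and the sample advisories are constructed.

```python
from dataclasses import dataclass
from typing import Optional

EPSS_ACT_NOW = 0.10  # "EPSS exploit probability > 10%" from the tier table
TIER_ORDER = ["Act Now", "Plan Patch", "Monitor", "Low Risk"]


@dataclass
class Advisory:
    # Hypothetical field names; values mirror the enrichment the page lists.
    title: str
    cvss: float             # CVSS base score
    epss: Optional[float]   # EPSS probability in [0, 1]; None when there is no CVE ID
    in_kev: bool            # listed in the CISA KEV catalog
    fix_available: bool     # at least one product has a patched version


def urgency_tier(a: Advisory) -> str:
    """Check the table rows top to bottom (ordering is an assumption)."""
    # Act Now depends only on exploitation evidence, never on CVSS alone.
    if a.in_kev or (a.epss is not None and a.epss > EPSS_ACT_NOW):
        return "Act Now"
    if a.cvss >= 8.0 or (a.cvss >= 7.0 and a.fix_available):
        return "Plan Patch"
    if a.cvss >= 4.0:
        return "Monitor"
    # The "low-impact local/physical" case is not modelled: the page gives no rule for it.
    return "Low Risk"


def triage(advisories):
    """Return (tier, title) pairs, most urgent tier first."""
    pairs = [(urgency_tier(a), a.title) for a in advisories]
    return sorted(pairs, key=lambda p: TIER_ORDER.index(p[0]))


SAMPLE = [  # constructed advisories, not real feed data
    Advisory("9.8 CVSS, no known exploit, EPSS 0.1%", 9.8, 0.001, False, True),
    Advisory("7.5 CVSS, already on KEV, no fix", 7.5, 0.02, True, False),
    Advisory("7.5 CVSS, no fix, no exploitation", 7.5, 0.004, False, False),
    Advisory("7.2 CVSS, fix available, no CVE ID", 7.2, None, False, True),
    Advisory("5.0 CVSS, EPSS exactly 10%", 5.0, 0.10, False, True),
    Advisory("3.1 CVSS", 3.1, 0.0005, False, True),
]

if __name__ == "__main__":
    for tier, title in triage(SAMPLE):
        print(f"{tier:<10} {title}")
```

Note the two boundary cases: an EPSS of exactly 10% does not meet the "> 10%" threshold, and a 7.5 CVSS with no fix and no exploitation evidence lands in Monitor rather than Plan Patch.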


// detail panel

How to read the detail panel

Click any advisory card to open the detail panel. Here's what each section means:

Attack Path strip

Four icons that break down how an attack works, derived from the CVSS vector:

Attack Vector: how the attacker reaches the target. Globe = Network, Wifi = Adjacent network, Monitor = Local access, USB = Physical access.
Auth Required: whether the attacker needs credentials. Lock = yes, Unlock = no.
Complexity: how difficult the attack is to pull off. High or Low.
User Interaction: whether someone needs to click or open something. Required or None.

Exploitability indicator

Color-coded dots showing exploitation status:
Red = actively exploited (CISA KEV) or high EPSS (>10%)
Amber = moderate EPSS (1-10%) or public Proof-of-Concept code on GitHub
Purple = Metasploit module available (weaponized, production-ready exploit)
Green = low or no exploitation risk

Fix availability

Derived from the affected products data. Fix available means at least one product has a patched version listed. No fix means no vendor patch exists yet and compensating controls are your only option.

"What This Means" block

Plain-language impact from the vulnerability class and product context. Replaces “CWE-787: Out-of-bounds Write” with “Memory corruption in the device firmware could allow a remote attacker to crash the PLC or execute arbitrary code.”

Affected Products table

Product | Affected Versions | Fixed Version. Use the filter input to check whether your specific version is affected. “No fix yet” means compensating controls are your only option.

Tiered remediation

Do Now: compensating controls, no outage required.
Schedule: requires maintenance window and device reboot.
Long-Term: network architecture and defense-in-depth.

Remediation checklist

Checkboxes persist in your browser with a progress bar. Useful for tracking during an incident review or maintenance cycle.

// weekly workflow

How to triage a week of advisories

Monday morning, 20 minutes, new week of advisories:

1. Scan the top of the feed

The newest advisories are at the top, with stat cards summarizing the week (critical count, high count, vendors affected, average CVSS). The next step matters more than the stats — keep moving.

2. Filter to your vendors

Check the boxes for the vendors you run in the left sidebar. The feed filters immediately to show only advisories that affect your gear. No toggle, no profile setup.

3. Filter to Act Now

Click the Act Now chip in the top right of the feed. You'll see only advisories that are actively being exploited (KEV) or have high exploit probability (EPSS > 10%). This is the “put down your coffee” list.

4. Work through Act Now items

Read the impact preview, check your products, open the detail panel for compensating controls. Use w/s or arrow keys to move between advisories without leaving the keyboard. Mark dispositions as you go.

5. Dismiss what doesn't apply

Hover any card and click the dismiss icon to hide advisories that aren't relevant. Toggle “Show dismissed” in the toolbar to review them later. Use bulk selection to dismiss multiple at once.

6. Switch to Plan Patch for the patch cycle

Click Plan Patch in the top-right filters to scope the feed to advisories that need a maintenance window rather than emergency action. These go on the change calendar, not in your inbox.

7. Bookmark your URL

Your filter selections live in the URL. Bookmark the page once your filters are set the way you like and you'll come back to the same view next Monday.

8. Export for compliance

Download CSV with CVSS scores, KEV status, EPSS scores, exploit status, patch availability, action level, and your disposition states. That's your audit trail.


// why not just cvss

CVSS score vs. OTPulse urgency

CVSS scores vulnerability severity in isolation. How bad is this bug if someone exploits it? It doesn't account for whether anyone is actually trying to exploit it, whether your network makes it reachable, or whether a fix even exists.

A 9.8 CVSS requiring physical access to an air-gapped RTU is not the same as a 7.5 CVSS that's remotely exploitable and already on CISA's KEV list. OTPulse's urgency tier factors in attack vector, exploitation status, and patch availability. Three things CVSS ignores.

The raw CVSS score and EPSS probability are still shown in the detail panel for compliance reporting. They're there for reference, not as the primary triage signal.


// personalization

Filter the feed

By vendor. Check the boxes for your vendors in the left sidebar. The feed filters immediately, no toggle and no profile setup. Your vendor selection persists in your browser's localStorage so it's still there next time you open OTPulse.

By urgency tier. Use the Act Now / Plan Patch / Monitor / Low Risk chips in the top right of the feed to scope to a single action level. Picking Act Now gives you only advisories that need attention right now (KEV or high EPSS). Picking Plan Patch gives you the patch-cycle backlog. The cards are color-coded to match the chips.

By sector, date range, or search. Sector chips live in the sidebar. Date range and search live in the top toolbar. Everything composes — vendor + tier + date all narrow down at once.


// keyboard shortcuts

Keyboard shortcuts

Navigate the feed without touching your mouse:

s / ↓: Next advisory
w / ↑: Previous advisory
Space: Open / close detail panel
Esc: Close detail panel

Shortcuts are disabled when you're typing in a search box or filter input.


// feed management

Dismiss and bulk actions

Dismiss hides advisories that aren't relevant to you. Hover any card and click the eye icon, or use bulk selection to dismiss several at once. Dismissed advisories stay accessible behind the “Show dismissed” toggle in the toolbar.

Bulk actions let you select multiple advisories, then export or dismiss them together. A bottom bar appears with your selection count and available actions.

Bookmarkable filters — your active filters live in the URL. Bookmark the page after setting your vendors, urgency tiers, and date range to come back to the same view next time.


// workflow states

Disposition tracking

Mark each advisory with a workflow state from the detail panel dropdown:

Not Applicable

You don't have the affected product. Dismissed from active review.

Acknowledged

Reviewed and understood. No action needed beyond monitoring.

In Progress

Actively working a mitigation or patch. Stays visible with orange badge.

Remediated

Patch applied or mitigation complete. Green “Done” badge.

Dispositions persist in your browser. CSV export includes disposition status for compliance audits.


// data sources

Data freshness and sources

CISA ICS-CERT and vendor feeds are checked daily. CVSS scores come from the advisory (vendor-reported) and NVD. CVSS v3.1 preferred, v3.0 as fallback.

Exploitation data: CISA's KEV catalog (checked daily) and EPSS from FIRST.org (updated daily). Both are automatically applied to all advisories with CVE IDs.

Proof-of-concept and exploit availability is checked daily against two public sources: nomi-sec/PoC-in-GitHub (tracks public PoC code by CVE) and the Rapid7 Metasploit Framework module index (indicates a weaponized, production-ready exploit exists).


// about the author

About the author

Jerrid Brown

OT/ICS security practitioner. Built OTPulse on personal time after years of tracking ICS advisories the slow way - bookmarked vendor pages, CISA RSS, and a spreadsheet that always fell out of date. OTPulse is the tool I wanted to exist, built to make it easier for OT professionals (not just security folks) to manage vulnerability risk in their environments.

Stop reading CVEs. Start triaging them.

See what's actually urgent for your environment.

Open the vulnerability feed

Built for the people who protect operational technology. Feedback from practitioners shapes everything. Reach us at hello@otpulse.io.