Monitoring 4 sources · Updated daily

Vulnerability tracking for OT/ICS professionals

OT vulnerability advisories are packed with technical detail that can be complex and overwhelming, especially when you're managing dozens of them a week. OTPulse translates them into plain language so you can quickly understand what's affected, what's being exploited, and what to do about it.

The question this tool answers: “I have S7-300 PLCs and Schneider EcoStruxure on my network. Do I need to do something this week?”

Open the feed See how it works

✓ No account required✓Free & open source✓ Browser-based

terminal

Advisory Sources

Daily

Update Cycle

Urgency Signals

Setup Required

// what we monitor

What OTPulse monitors

Advisory sources are checked daily. Only ICS/SCADA/OT-specific advisories appear. No general IT CVEs.

CISA ICS-CERT

The primary US source for ICS advisories from all major OT vendors. Updated multiple times per week.

Siemens ProductCERT

Covers SIMATIC, SINUMERIK, SCALANCE, WinCC, and the full Siemens OT portfolio. CSAF JSON format.

Schneider Electric

Security Events and Vulnerabilities Disclosures. Covers EcoStruxure, Modicon, and AVEVA products.

Rockwell Automation

Covers Allen-Bradley, FactoryTalk, Logix, and related industrial automation products.

Each advisory is enriched with CVSS scores from NVD, exploitation data from CISA's KEV catalog, and EPSS probability scores from FIRST.org.

// reading the feed

How to read a card

Hover over any part of the card below to see what it means.

Siemens SIMATIC S7-300 Remote Code Execution via Improper Authentication

Act Now9.8·36.9%

CISA KEVExploited in wildExploit likely

Remotely exploitable, could allow full system takeover, no credentials needed

SiemensManufacturingEnergy

In progressIn your environmentNo fixCVE-2024-47901SSA-1807042 days ago

Hover over any part of the card above to see what it means.

// detail panel

How to read the detail panel

Click any advisory card to open the detail panel. Here's what each section means:

Attack Path strip

Four icons that break down how an attack works, derived from the CVSS vector:

Attack Vector - how the attacker reaches the target. Globe = Network, Wifi = Adjacent network, Monitor = Local access, USB = Physical access.
Auth Required - whether the attacker needs credentials. Lock = yes, Unlock = no.
Complexity - how difficult the attack is to pull off. High or Low.
User Interaction - whether someone needs to click or open something. Required or None.

Exploitability indicator

Traffic-light dot: Red = actively exploited (CISA KEV). Amber = elevated EPSS (>10%). Green = low probability.

Fix availability

Derived from the affected products data. Fix available means at least one product has a patched version listed. No fix means no vendor patch exists yet and compensating controls are your only option.

"What This Means" block

Plain-language impact from the vulnerability class and product context. Replaces “CWE-787: Out-of-bounds Write” with “Memory corruption in the device firmware could allow a remote attacker to crash the PLC or execute arbitrary code.”

Affected Products table

Product | Affected Versions | Fixed Version. Use the filter input to check whether your specific version is affected. “No fix yet” means compensating controls are your only option.

Tiered remediation

Do Now: compensating controls, no outage required. Schedule: requires maintenance window and device reboot. Long-Term: network architecture and defense-in-depth.

Remediation checklist

Checkboxes persist in your browser with a progress bar. Useful for tracking during an incident review or maintenance cycle.

// weekly workflow

How to triage a week of advisories

Monday morning, 20 minutes, new week of advisories:

Check the stat cards

Critical count this week, High count, vendors affected, average CVSS. If Critical is 0, quiet week. If 3+, start there.

Set up My Environment (once)

Check the boxes for the vendors you run. Advisories matching your vendors get flagged with “In your environment.”

Sort by Most Exploitable

KEV-flagged and high-EPSS advisories surface first. If it's being exploited right now, you see it first.

Work through Act Now items

Read the impact preview, check your products, open the detail panel for compensating controls. Use j/k or arrow keys to move between advisories without leaving the keyboard. Mark dispositions as you go.

Dismiss what doesn't apply

Hover any card and click the dismiss icon to hide advisories that aren't relevant. Toggle “Show dismissed” in the toolbar to review them later. Use bulk selection to dismiss multiple at once.

Sort by Severity to cross-check

Make sure no Critical items were missed - sometimes a Critical advisory has low EPSS and sorts below the fold.

Save the view for next week

Click “Save view” in the active filter bar to bookmark your current filter combination. Load it next Monday with one click from the Views dropdown.

Export for compliance

Download CSV with CVSS scores, KEV status, EPSS scores, exploit status, patch availability, action level, and your disposition states. That's your audit trail.

// urgency tiers

Urgency tiers reference

How each tier is determined:

Tier	When it applies	Typical action
Act Now	CVSS ≥ 9.0 + network vector, OR CISA KEV, OR EPSS > 10%	Compensating controls immediately. Escalate to operations.
Plan Patch	CVSS ≥ 7.0 with fix available, or CVSS ≥ 8.0	Schedule a maintenance window within your normal patch cycle.
Monitor	CVSS ≥ 4.0, limited exploitability, local/physical access	Track. Re-evaluate if exploitation status changes.
Low Risk	CVSS < 4.0 or physical access + high complexity	Log for awareness. Low priority unless specific exposure.

// why not just cvss

CVSS score vs. OTPulse urgency

CVSS scores vulnerability severity in isolation. How bad is this bug if someone exploits it? It doesn't account for whether anyone is actually trying to exploit it, whether your network makes it reachable, or whether a fix even exists.

A 9.8 CVSS requiring physical access to an air-gapped RTU is not the same as a 7.5 CVSS that's remotely exploitable and already on CISA's KEV list. OTPulse's urgency tier factors in attack vector, exploitation status, and patch availability. Three things CVSS ignores.

The raw CVSS score is still shown in small text on the badge for compliance reporting. It's there for reference, not as the primary triage signal.

// personalization

My Environment

Click “My Environment” in the feed toolbar, check the boxes for your vendors, optionally add product names. A live counter shows how many advisories match your draft selection before you save. Advisories matching your profile show a green “In your environment” label. Matching is at the vendor level - if it's tagged Siemens and you have Siemens checked, it gets flagged.

Stored in your browser's localStorage. No account or login required. Persists across sessions on the same device.

// keyboard shortcuts

Keyboard shortcuts

Navigate the feed without touching your mouse:

j / ↓Next advisory

k / ↑Previous advisory

EscClose detail panel

Click cardOpen detail panel

Shortcuts are disabled when you're typing in a search box or filter input.

// feed management

Saved views and dismiss

Saved viewslet you bookmark filter combinations. Set your severity, vendor, date range, and search filters, then click “Save view” in the filter bar and give it a name. Load any saved view from the Views dropdown in the toolbar. Up to 10 views are stored in your browser.

Dismisshides advisories that aren't relevant to you. Hover any card and click the eye icon, or use bulk selection to dismiss several at once. Dismissed advisories stay accessible behind the “Show dismissed” toggle in the toolbar.

Bulk actions let you select multiple advisories, then export or dismiss them together. A bottom bar appears with your selection count and available actions.

// workflow states

Disposition tracking

Mark each advisory with a workflow state from the detail panel dropdown:

Not Applicable

You don't have the affected product. Dismissed from active review.

Acknowledged

Reviewed and understood. No action needed beyond monitoring.

In Progress

Actively working a mitigation or patch. Stays visible with orange badge.

Remediated

Patch applied or mitigation complete. Green “Done” badge.

Dispositions persist in your browser. CSV export includes disposition status for compliance audits.

// data sources

Data freshness and sources

CISA ICS-CERT and vendor feeds are checked daily. CVSS scores come from the advisory (vendor-reported) and NVD. CVSS v3.1 preferred, v3.0 as fallback.

Exploitation data: CISA's KEV catalog (checked daily) and EPSS from FIRST.org (updated daily). Both are automatically applied to all advisories with CVE IDs.

Stop reading CVEs. Start triaging them.

See what's actually urgent for your environment.

Open the vulnerability feed

Built for the people who protect operational technology. Feedback from practitioners shapes everything. Reach us at hello@otpulse.io.