DEV Community: 404Saint

Securing the Air-Gap: Building a Hardware-Aware Forensic Suite for ICS/OT by Rugero Tesla (404saint)

404Saint — Mon, 13 Apr 2026 18:58:04 +0000

The Problem

In industrial environments, the "Air-Gap" is a myth as long as USB drives exist. Removable media remains the primary bridge for malicious logic (Stuxnet, etc.). Standard AV often misses the subtle indicators of industrial protocol manipulation or high-entropy obfuscation hidden in legitimate vendor installers.

Introducing Guardian-OT

I built Guardian-OT to provide a minimalist, high-signal audit of any drive before it touches a critical engineering workstation. It’s a part of my long-term journey into Operational Technology security.

Key Technical Pillars

Hardware Fingerprinting (Anti-Spoofing)
Instead of trusting the filesystem, the tool extracts the USB Hardware UUID and maps it against a local SQLite Vault. If the ID is unknown or doesn't match the expected hardware, the audit flags it immediately.
Recursive Integrity Vault
Using a tree-hashing algorithm, the tool verifies every bit on the drive. If a single file has been modified since the last "known-good" scan, it triggers a deep forensic audit.
Deep Forensic Pipeline
YARA Scanning: Hunts for ICS-specific strings (Modbus, S7Comm, Ethernet/IP).

Entropy Analysis: Scores files from 0.0 to 8.0. Anything above 7.8 (like encrypted payloads or packed executables) is isolated for manual review.

Magic Number Validation: Detects header/extension mismatches used to disguise scripts as documents.

The Researcher Dashboard

I integrated a Streamlit-based dashboard to turn raw JSON forensic data into actionable intelligence. It allows for rapid triage, separating 1,000+ standard assets from the 10-20 "Suspicious" items that actually require a human eyes-on approach.

Why I'm Building This

As I work through my 4-6 year roadmap toward becoming an ICS/OT Security Researcher, I want to move beyond using tools and start building them. Guardian-OT is the first step in creating a resilient, reproducible forensic workflow for industrial environments.

Check out the project on GitHub: https://github.com/404saint/guardian-ot

SurfaceLens V2 — Infrastructure Attack Surface & Shadow IT Intelligence Engine by Rugero Tesla (404saint)

404Saint — Sat, 11 Apr 2026 14:07:49 +0000

Most organizations don’t actually understand their infrastructure attack surface.

Across enterprise networks, cloud environments, and hybrid architectures, visibility breaks down quickly. Assets drift, services get exposed, and Shadow IT emerges outside controlled network boundaries.

From my work in network and infrastructure security—through hands-on lab simulations, recon workflows, and tool development—I kept running into the same limitation: we can discover assets, but we struggle to understand how they relate within an environment.

I’m Rugero Tesla (404saint), and SurfaceLens V2 is my attempt to approach attack surface analysis from an infrastructure-first perspective—focusing not just on discovery, but on attribution, context, and exposure patterns.

What is SurfaceLens V2?

SurfaceLens V2 is a modular Attack Surface Management (ASM) & Shadow IT Intelligence Engine designed to analyze infrastructure exposure across distributed environments.

Instead of acting as a traditional scanner, it operates as an intelligence pipeline—aggregating, correlating, and enriching asset data to produce structured visibility into an organization’s external footprint.

The goal is simple:

Move from raw discovery to meaningful infrastructure insight.

The Problem: Fragmented Visibility

Modern infrastructure isn’t centralized anymore.

During recon and lab simulations, I consistently observed:

Subdomains pointing to decommissioned or unclaimed infrastructure (takeover risk)
Publicly exposed services (RDP, SSH, databases) outside intended boundaries
Assets that belong to an organization but don’t align with its DNS patterns
TLS misconfigurations and missing security controls

Individually, these issues are well known.

But together, they form something harder to detect:

A fragmented and poorly understood attack surface.

Design Approach: Intelligence Over Enumeration

SurfaceLens wasn’t designed to be another high-speed scanner.

Instead, I structured it as a multi-stage intelligence pipeline.

1. Multi-Source Discovery

SurfaceLens aggregates asset data from:

Shodan
Censys
LeakIX
CriminalIP
Local datasets

This creates a diverse and provider-agnostic asset pool.

2. State & Delta Tracking (SQLite)

One of the most important design decisions was introducing persistence.

Instead of treating scans as isolated events:

Assets are stored locally
First seen / last seen timestamps are tracked
New exposures become immediately visible

This transforms recon into:

Continuous infrastructure monitoring rather than one-time discovery.

3. The Intelligence Pipeline (Core System)

Each asset is passed through a series of modular analysis components:

SSL Auditor
Extracts certificate data and evaluates TLS configurations
DNS Correlator
Performs attribution analysis to identify Shadow IT and misaligned assets
Fingerprinter
Identifies technologies and service layers (e.g., reverse proxies, web servers)
Sensitive File Hunter
Checks for exposed files like .env, robots.txt, and other common leaks
Risk Prioritizer
Assigns a weighted risk score (0–10) based on combined signals

This pipeline is where raw data becomes structured intelligence.

What Actually Matters: From Exposure to Attack Paths

Building SurfaceLens shifted my perspective from simple discovery to structural analysis.

Coming from a background in network and infrastructure research, I realized that individual findings—open ports, TLS issues, or orphaned domains—don’t mean much in isolation.

What matters is how these pieces connect.

When you start correlating:

DNS attribution
service exposure
certificate data
historical visibility

You begin to understand how assets fit (or don’t fit) within an environment.

That’s where Shadow IT becomes visible.

And more importantly:

That’s where exposure starts turning into potential attack paths.

This shift—from listing assets to understanding relationships—is what drives more realistic security insight.

Output & Operational Use

SurfaceLens presents the same intelligence through multiple interfaces:

CLI Output
Real-time, high-signal analysis for quick assessments
Markdown Reports
Structured, audit-ready documentation
Web Dashboard (Flask)
A centralized view of assets, risks, and historical changes

Each interface serves a different purpose—but they all rely on the same underlying data model.

Design Philosophy & Tradeoffs

SurfaceLens prioritizes:

Passive intelligence collection
Low-noise analysis
Structured correlation over raw volume

It is intentionally not:

an aggressive scanner
or a noisy enumeration tool

Because in real-world environments:

Clarity and context matter more than volume.

Future Direction

SurfaceLens V2 is a foundation, not a finished system.

Areas I’m currently exploring:

Improved attribution models for asset ownership
Context-aware risk scoring
Integration into automated security workflows
Expanded detection for infrastructure misconfigurations

🛡️ Ethical Use

SurfaceLens is built for:

defensive security research
authorized assessments

It primarily relies on passive data sources, with non-intrusive active checks.

Do not use this tool on infrastructure without proper authorization.

Project

Explore the project or contribute:

👉 https://github.com/404saint/surfacelens_v2

👤 About the Author

Rugero Tesla (404saint) is an offensive security researcher focused on infrastructure and network security, with a strong interest in attack surface analysis, Shadow IT discovery, and attack path modeling.

His work centers around building practical tools, designing lab environments, and exploring how real-world exposure emerges across modern network architectures.

GitHub: https://github.com/404saint

MEA – Modbus Exposure Analyzer: Passive ICS/OT Security Analysis by Rugero Tesla (404saint)

404Saint — Sat, 28 Feb 2026 23:40:01 +0000

MEA (Modbus Exposure Analyzer) is a Python-based tool I developed for assessing the exposure of Modbus devices in ICS/OT environments. It uses passive behavioral analysis, entropy measurements, and register monitoring to help security researchers, pentesters, and blue teams safely evaluate device exposure and risk. This article explains the architecture, workflow, and practical use cases of MEA.

ICS/OT networks often have devices that are publicly exposed, misconfigured, or simulated. MEA helps professionals identify real vs simulated Modbus devices, assess exposure, and generate audit-ready reports — all without impacting operations.

All features and code are available at MEA GitHub Repository

Explore all my projects on GitHub: 404saint