THE PROBLEM
Unmanaged IoT and OT devices are invisible to agent-based tooling: no agent, no entry in the CMDB, no owner. They sit at the network edge as soft targets: cameras, controllers, printers, lab gear. You can't protect what nothing in your stack admits exists.
WHAT IT DOES
Cerberus is a four-stage agent squad (Discovery → Expansion → Cross-Reference → QA) that fuses web-UI and banner text, UPnP/SSDP, mDNS, OT/ICS protocol, and OUI vendor signals into a confidence-scored inventory of unmanaged devices. Each find is tagged IoT:<name>, and the squad learns new detections as it goes.
KEY CAPABILITIES
- Confidence-scored fusion engine: web-UI and banner text, UPnP/SSDP, mDNS, OT/ICS protocol, and OUI vendor signals combine into one High/Medium/Low verdict per device. Five weak signals become one strong answer.
- OT/ICS protocol class: industrial protocols are recognized as their own device class, so a PLC is classified as OT gear instead of being lumped in as "unknown device."
- OUI vendor and prefix mapping: MAC-derived vendor evidence maps to device class, adding a signal that works even when a device refuses to answer anything else.
- Managed-device down-weighting: hosts your tooling already manages are down-weighted, keeping the list focused on the truly unmanaged edge instead of re-discovering your own servers.
- Per-device signal breakdown: every verdict shows exactly which signals drove it, so network teams can verify before they isolate rather than acting on faith.
- Gated "IoT:<name>" tags: discovered devices become human-approved, routable inventory the rest of the pack can prioritize and protect.
HOW IT WORKS
Cerberus runs against the local navi.db built from your Tenable data: the vulns and assets tables plus the cert-derived device cache from Certania. All writes are proposed, human-approved, and logged.
WHY IT'S DIFFERENT
- Confidence scoring instead of brittle single-signal detection: one banner match isn't a verdict; five agreeing signals are.
- Signal transparency: every device shows its evidence breakdown, so network teams can verify before they isolate.
- OT-aware: industrial protocol classes are first-class citizens, not lumped in with smart lightbulbs.
- A squad that learns: the QA stage feeds new detections back into discovery.
PROOF POINTS
- Runs its four-stage sweep across a reference environment of 268 mixed assets, including IoT/OT gear, scoring each candidate device High, Medium, or Low confidence with the signals shown. Honest caveat: detection quality depends on what your scans can observe at the edge; blind segments and uncredentialed hosts are called out, not hidden. Confidence scores are evidence summaries, not certainties.
WORKS BETTER WITH
Cerberus feeds Anubis, so lab and OT devices can be down-rated (or up-rated) to their true criticality, and Fenrir, where weak-auth edge devices become attack-path entry points. It consumes Certania's cert-derived device cache.
WHO IT'S FOR
OT and IoT security teams who need an inventory they can defend; network teams hunting the unmanaged edge; vuln management extending coverage beyond agents.
CALL TO ACTION
Turn Cerberus loose on your edge: three heads see what one scanner misses.