deadband
Open Source · MIT Licensed

Firmware Vulnerability Detection for ICS/OT

A lightweight, offline-capable CLI tool that discovers industrial devices on your network and cross-references their firmware against 3,600+ CISA ICS advisories to identify known CVEs. No agent, no sensor, no license fee.

terminal
# Fetch the latest CISA advisory database
$ deadband --update
[OK] Fetched 3,647 advisories from CISA CSAF (512 vendors)

# Discover devices on a network segment
$ deadband --cidr 10.0.1.0/24 --mode auto
Scanning 10.0.1.0/24 (254 hosts, 7 protocols, concurrency=50)
[CIP]    10.0.1.10  Rockwell 1756-L83E/B  v33.011
[S7]     10.0.1.22  Siemens S7-1500      v2.9.4
[Modbus] 10.0.1.35  Schneider M340      v3.40

# Check firmware against known vulnerabilities
$ deadband --inventory devices.csv --min-cvss 7.0

CRITICAL  ICSA-23-306-01  Rockwell 1756-L83E/B v33.011
         CVE-2023-3595  CVSS 9.8  CIP RCE — firmware <=33.011 affected
HIGH      ICSA-24-011-03  Siemens S7-1500 v2.9.4
         CVE-2023-44374 CVSS 7.5  TLS certificate parsing DoS

Found 2 vulnerabilities across 3 devices (exit code 1)

CISA publishes the advisories for free. Your devices report their firmware for free. The only thing missing was something to connect the two — without a sales call, a sensor, or a subscription.

3,600+ CISA Advisories (ICS-CERT CSAF feed)
500+ Vendors Covered (across all sectors)
7 Discovery Protocols (active scanning)
14+ Top Vendors Scanned (direct protocol support)

Multi-Protocol Discovery

Actively scan for industrial devices using 7 native ICS protocols. No agents to install, no sensors to deploy.

CIP/EIP (UDP 44818): ListIdentity broadcast + unicast. Vendors: Rockwell Automation

S7comm (TCP 102): COTP + S7 Setup + SZL 0x001C. Vendors: Siemens

Modbus TCP (TCP 502): Device ID (FC 43 / MEI 14). Vendors: Schneider Electric, ABB, Delta, Moxa, Phoenix Contact, WAGO

MELSEC/SLMP (TCP 5007): Read Type Name command. Vendors: Mitsubishi Electric

BACnet/IP (UDP 47808): Who-Is + ReadProperty. Vendors: Trane, Honeywell, Johnson Controls, Carrier

FINS (UDP 9600): Controller Data Read. Vendors: Omron

GE-SRTP (TCP 18245): INIT handshake + Type Read. Vendors: Emerson / GE
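
As an added illustration of the Modbus TCP entry above (example code written for this page, not taken from deadband's source): a parser for a Read Device Identification (FC 43 / MEI 14) response that extracts vendor, product code and revision, with a bounds check on every device-supplied length. The sample frame is constructed, and its values reuse the Schneider M340 v3.40 device from the terminal output; the function names are hypothetical.

```python
import struct

# Basic object IDs from the Modbus Read Device Identification function.
OBJECT_NAMES = {0x00: "vendor", 0x01: "product_code", 0x02: "revision"}

def build_frame(objects, unit_id=1, tid=1):
    """Build a response frame from (object_id, bytes) pairs; used for sample data."""
    body = b"".join(bytes([oid, len(val)]) + val for oid, val in objects)
    # FC 0x2B, MEI 0x0E, ReadDevId code 1, conformity 1, no more follows, next id 0
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objects)]) + body
    # MBAP header: transaction id, protocol id (0), length of unit id + PDU, unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu

def parse_device_id(frame):
    """Return identification objects from a Modbus TCP FC 43 / MEI 14 response."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    pdu = frame[7:]
    if pdu[0] == 0xAB:  # 0x2B with the exception bit set: request was rejected
        raise ValueError(f"Modbus exception code {pdu[1]}")
    if len(pdu) < 7 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification response")
    count, pos, result = pdu[6], 7, {}
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        oid, olen = pdu[pos], pdu[pos + 1]
        pos += 2
        if pos + olen > len(pdu):  # never trust a device-supplied length
            raise ValueError("object length exceeds frame")
        name = OBJECT_NAMES.get(oid, f"object_0x{oid:02x}")
        result[name] = pdu[pos:pos + olen].decode("ascii", errors="replace")
        pos += olen
    return result

# Constructed sample frame (not a capture from a real device).
SAMPLE = build_frame([(0x00, b"Schneider Electric"), (0x01, b"M340"), (0x02, b"v3.40")])

if __name__ == "__main__":
    print(parse_device_id(SAMPLE))
```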

How It Works

Three steps from zero to vulnerability report. No account, no cloud, no recurring cost.

01 Update Database

Fetch the latest CISA ICS advisories. The database is cached locally for offline use.

$ deadband --update

02 Discover or Import

Scan your network for devices or import an existing inventory from CSV, JSON, or flat text.

$ deadband --cidr 10.0.1.0/24

03 Check Vulnerabilities

Cross-reference firmware versions against known CVEs. Filter by CVSS score or confidence level.

$ deadband -i devices.csv --min-cvss 7.0

Quick Start

Up and running in under a minute.

quick-start.sh
# Download the latest release
$ curl -LO https://github.com/jmeltz/deadband/releases/latest/download/deadband-linux-amd64
$ chmod +x deadband-linux-amd64 && mv deadband-linux-amd64 /usr/local/bin/deadband

# Or build from source
$ git clone https://github.com/jmeltz/deadband.git
$ cd deadband && make deadband

# Fetch advisory database (one-time, ~30s)
# (if you installed the release binary above, run deadband instead of ./bin/deadband)
$ ./bin/deadband --update

# Scan a network segment
$ ./bin/deadband --cidr 10.0.1.0/24

# Or check an existing inventory file
$ ./bin/deadband -i devices.csv --out-format json -o report.json

# Launch the web UI
$ ./bin/deadband serve

Design Partner Program

Now Accepting

We're looking for OT operators to help shape deadband. Selected partners get free managed scanning services in exchange for product feedback.


Start securing your ICS infrastructure

Free, open-source, and built for air-gapped environments. No vendor lock-in, no subscription.