New Features - Device Security - May 2026
Device Security Integration with Octoplant Octovision
(May 2026) The Octoplant Octovision integration now brings component and job result data into Device Security. For each OT asset, you can see the program or configuration file associated with it in Octoplant and whether that file is currently locked for editing. Job result data shows whether scheduled backup and comparison tasks succeeded and whether the live configuration has drifted from the last stored backup, so you can detect unexpected changes to OT assets without leaving Device Security.
Integrating Device Security with Octoplant Octovision lets you view and apply OT-specific context directly in your device profiles in Device Security. Octoplant Octovision holds information about OT devices such as PLCs, HMIs, and robot controllers that Device Security cannot always learn from network traffic. Without it, device profiles are incomplete and correlating threats and vulnerabilities to OT devices takes more manual work.
Through the Octoplant Octovision integration, Device Security pulls asset and server data from Octovision and correlates it with devices already in your inventory. Device records in Device Security are enriched with Octoplant-sourced attributes, such as which Octoplant server manages a given asset, the device's hardware module and order number, and its identifiers, giving you a more complete picture of the OT devices in your environment without requiring manual data entry.
Bringing Octoplant asset data into Device Security reduces the manual effort of reconciling your OT asset management and security inventories. With Octoplant-sourced context available alongside Device Security network monitoring data, your team can assess OT device risk and coverage from a single, consolidated view rather than cross-referencing separate systems.
EXACTLY Operator for Device Security Query Builder
The EXACTLY operator for IP-MAC Source in the Query Builder returns devices discovered by precisely the set of sources you specify. Existing operators such as IN return devices associated with any of the selected sources, including devices that additional, unselected sources have also seen. With EXACTLY, you select one or more IP-MAC sources and Device Security returns only devices whose full source list matches your selection, with no additional sources.
For example, a device seen in ARP, DHCP, and Syslog traffic is excluded when you apply EXACTLY to ARP and DHCP only; the results show only devices discovered by that exact combination. Use this to audit which devices a specific set of discovery methods is responsible for tracking, or to find groups of devices whose only attribution is a particular source combination.
You can also navigate to a filtered inventory view from the Networks page. Clicking a data point in the subnet details graph opens the Asset Inventory with an EXACTLY query pre-applied, so you see the devices for that source set without rebuilding the filter by hand.
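To make the difference between IN and EXACTLY concrete, here is an added example (illustrative code written for this page, not Device Security's query engine) that applies both operators to a constructed inventory and groups devices by their exact source combination, which is the view the subnet-details drill-down lands on. The device names and source labels are assumptions.

```python
"""Added example: IN versus EXACTLY semantics over IP-MAC discovery sources.

Illustrative code for this page, not Device Security's own query engine.
The inventory, device names and source labels below are constructed.
"""

# Constructed sample inventory: device name -> set of IP-MAC sources that
# reported the device. Source labels are assumptions, not product strings.
INVENTORY = {
    "plc-01": {"ARP", "DHCP"},
    "hmi-02": {"ARP", "DHCP", "Syslog"},
    "cam-03": {"DHCP"},
    "rtu-04": {"ARP"},
    "ups-05": {"ServiceNow"},
}


def query_in(inventory, sources):
    """IN: every device seen by at least one of the selected sources,
    regardless of what other sources also reported it."""
    wanted = set(sources)
    return sorted(d for d, seen in inventory.items() if seen & wanted)


def query_exactly(inventory, sources):
    """EXACTLY: only devices whose full source set equals the selection."""
    wanted = set(sources)
    return sorted(d for d, seen in inventory.items() if seen == wanted)


def source_attribution(inventory):
    """Group devices by their exact source combination. Each key is the
    complete set of sources that are solely responsible for tracking the
    devices listed under it, which is what a gap audit needs to see."""
    groups = {}
    for d, seen in inventory.items():
        groups.setdefault(frozenset(seen), []).append(d)
    return {tuple(sorted(k)): sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    print("IN ARP,DHCP      ->", query_in(INVENTORY, ["ARP", "DHCP"]))
    print("EXACTLY ARP,DHCP ->", query_exactly(INVENTORY, ["ARP", "DHCP"]))
    for combo, devs in sorted(source_attribution(INVENTORY).items()):
        print(combo, "->", devs)
```

Note that IN on ARP and DHCP returns four devices, including rtu-04 (ARP only) and hmi-02 (also seen by Syslog), while EXACTLY on the same selection returns only plc-01.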
Fractional Purdue Levels for Device Security
Device Security now supports fractional Purdue levels, letting you accurately classify OT devices in intermediate network zones, such as Level 3.5 (IDMZ). Fractional Purdue levels help you visualize devices that bridge the gap between internal and external networks.
The supported levels follow half-level increments from 0 to 5. You can assign fractional levels through custom attribute rules, or as per-device overrides on a Device Details page. The network visualization displays each fractional level as a distinct zone, so devices at Level 3.5 appear in their own lane, visually separated from Level 3 and Level 4. Levels with no devices in the current visualization scope are automatically hidden.
With fractional levels available across inventory filters, reports, and network maps, your team can apply segmentation policies and compliance reporting that accurately reflect your OT network architecture rather than approximating it with the nearest integer level.
Generic Inventory Gap Report for Device Security
You can now generate an Inventory Gap Report in Device Security against any third-party integration you have enabled. The report identifies devices that appear in one system but not the other and surfaces likely data entry errors, without manually reconciling each source separately.
When generating or scheduling a Gap Report, select any enabled integration from the Compare with dropdown and choose a device type to scope the comparison. The report produces four files: devices unique to each source (one file each), near-matches where a MAC address or serial number differs by a single character, and devices whose classification conflicts between the two systems.
Device Security in Strata Cloud Manager supports Gap Report generation across all available integrations that provide data for assets and devices. The Gap Report helps ensure that every connected system reflects the same asset data that Device Security discovers, making it easier and faster to validate coverage when you manage multiple integrations.
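The comparison the report performs is straightforward to reason about when written out. The following is an added example (illustrative code for this page, not the Gap Report's implementation) that matches two constructed inventories on normalized MAC and then serial number, and produces the four result sets described above. The record fields, the one-character near-match rule, and the sample devices are assumptions.

```python
"""Added example: four-way inventory gap comparison.

Illustrative code for this page, not the Gap Report's own implementation.
Both inventories, their field names and the near-match rule are constructed.
"""


def normalize_mac(mac):
    """Integrations disagree on separators and case; compare on one form."""
    return mac.lower().replace("-", ":").strip()


def one_char_apart(a, b):
    """True if a and b differ by exactly one substitution, insertion or
    deletion: the typical data-entry slip the near-match file is for."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long = (a, b) if len(a) < len(b) else (b, a)
    i = 0
    while i < len(short) and short[i] == long[i]:
        i += 1
    return short[i:] == long[i + 1:]


def gap_report(ds, other):
    """ds, other: {record_id: {"mac", "serial", "type"}}.
    Match on normalized MAC first, then serial. Returns the four sets:
    only in Device Security, only in the other system, near-matches between
    the two unmatched sets, and matched devices whose type conflicts."""
    def index(inv):
        by_mac = {normalize_mac(r["mac"]): k for k, r in inv.items() if r["mac"]}
        by_serial = {r["serial"]: k for k, r in inv.items() if r["serial"]}
        return by_mac, by_serial

    ot_mac, ot_ser = index(other)
    matched = {}  # ds id -> other id
    for k, r in ds.items():
        m = normalize_mac(r["mac"])
        if m in ot_mac:
            matched[k] = ot_mac[m]
        elif r["serial"] in ot_ser:
            matched[k] = ot_ser[r["serial"]]

    only_ds = sorted(set(ds) - set(matched))
    only_other = sorted(set(other) - set(matched.values()))
    conflicts = sorted(k for k, o in matched.items() if ds[k]["type"] != other[o]["type"])
    near = sorted(
        (k, o)
        for k in only_ds
        for o in only_other
        if one_char_apart(normalize_mac(ds[k]["mac"]), normalize_mac(other[o]["mac"]))
        or one_char_apart(ds[k]["serial"], other[o]["serial"])
    )
    return {"only_ds": only_ds, "only_other": only_other, "near": near, "conflicts": conflicts}


# Constructed sample data. DS stands in for Device Security, CMDB for the
# integration selected in "Compare with".
DS = {
    "ds-1": {"mac": "00:11:22:33:44:55", "serial": "SN1001", "type": "PLC"},
    "ds-2": {"mac": "00:11:22:33:44:66", "serial": "SN1002", "type": "HMI"},
    "ds-3": {"mac": "00:11:22:33:44:77", "serial": "SN1003", "type": "Camera"},
    "ds-4": {"mac": "00:11:22:33:44:99", "serial": "SN1004", "type": "PLC"},
}
CMDB = {
    "cm-a": {"mac": "00-11-22-33-44-55", "serial": "SN1001", "type": "PLC"},          # clean match
    "cm-b": {"mac": "00-11-22-33-44-66", "serial": "SN1002", "type": "Workstation"},  # type conflict
    "cm-c": {"mac": "00-11-22-33-44-78", "serial": "SN1003X", "type": "Camera"},      # near-match to ds-3
    "cm-d": {"mac": "00-aa-bb-cc-dd-ee", "serial": "SN9999", "type": "Printer"},      # only in CMDB
}

if __name__ == "__main__":
    for name, rows in gap_report(DS, CMDB).items():
        print(f"{name}: {rows}")
```

Near-matches are reported alongside, not instead of, the two unique lists, so an analyst decides whether ds-3 and cm-c are the same camera with a mistyped MAC before either record is corrected.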
IP-MAC Binding Source for Device Security
(May 2026) Device Security now enforces tiered source priority for IP-to-MAC bindings, ensuring that live traffic always takes precedence over conflicting data from third-party integrations. Data sources are ranked by confidence: live network traffic observations (ARP and DHCP) carry the highest confidence, followed by network management tools, then endpoint and vulnerability management integrations, and finally static database entries. Your device inventory keeps accurate IP addresses and subnet assignments even when multiple sources report conflicting bindings.
(July 2025) When viewing the Assets Inventory and the Device Details page, you can now see the source for each device's IP-MAC binding. Select IP-MAC Sources in the column selector to display the IP-MAC binding source in the Assets Inventory. This column shows where a device's IP-MAC binding came from, whether from network traffic or a third-party integration.
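The tiered resolution above can be expressed as a small conflict-resolution routine. The following is an added example (illustrative code for this page, not Device Security's implementation) that ranks conflicting reports for the same MAC by tier, breaks ties within a tier by recency, and treats sources it does not recognise as lowest confidence so that a misconfigured integration can never displace a traffic-derived binding. The tier assignments for the named integrations, the observation timestamps, and the conflicting reports are constructed.

```python
"""Added example: tiered source priority for IP-to-MAC bindings.

Illustrative code for this page, not Device Security's implementation. Tier
membership below follows the page's ordering (live traffic > network
management > endpoint/vulnerability management > static database); which
product falls in which tier is an assumption for the sample.
"""
from dataclasses import dataclass

# Lower number = higher confidence.
TIER = {
    "ARP": 0, "DHCP": 0,                  # live network traffic observations
    "DNAC": 1, "Prime": 1,                # network management tools (assumed)
    "CrowdStrike": 2, "Tenable": 2,       # endpoint / vulnerability mgmt (assumed)
    "CMDB": 3,                            # static database entries
}
UNKNOWN_TIER = max(TIER.values()) + 1     # anything unrecognised ranks last


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    source: str
    observed: int   # constructed epoch seconds; used only to break ties in a tier


def rank(b):
    """Sort key: best tier first, then most recent observation first."""
    return (TIER.get(b.source, UNKNOWN_TIER), -b.observed)


def resolve_bindings(reports):
    """Return {mac: winning Binding} for every MAC that has any report."""
    winners = {}
    for b in reports:
        cur = winners.get(b.mac)
        if cur is None or rank(b) < rank(cur):
            winners[b.mac] = b
    return winners


def explain(mac, reports):
    """All reported bindings for one MAC as (source, ip, tier), winner first.
    This is the view an analyst wants when an inventory IP looks wrong."""
    rows = sorted((b for b in reports if b.mac == mac), key=rank)
    return [(b.source, b.ip, TIER.get(b.source, UNKNOWN_TIER)) for b in rows]


# Constructed sample: a CMDB and a vulnerability scanner still hold an old
# address for the first device, while ARP and DHCP saw it move.
REPORTS = [
    Binding("00:1a:2b:3c:4d:5e", "10.10.5.23", "CMDB", 1_700_000_000),
    Binding("00:1a:2b:3c:4d:5e", "10.10.5.23", "Tenable", 1_700_100_000),
    Binding("00:1a:2b:3c:4d:5e", "10.10.7.41", "ARP", 1_700_050_000),
    Binding("00:1a:2b:3c:4d:5e", "10.10.7.41", "DHCP", 1_700_090_000),
    Binding("aa:bb:cc:dd:ee:ff", "10.20.0.9", "Tenable", 1_700_100_000),
    Binding("aa:bb:cc:dd:ee:ff", "10.20.0.12", "DNAC", 1_699_000_000),
    Binding("aa:bb:cc:dd:ee:ff", "10.20.0.200", "MysteryTool", 1_700_200_000),
]

if __name__ == "__main__":
    for mac, b in resolve_bindings(REPORTS).items():
        print(mac, "->", b.ip, "via", b.source)
        print("   ", explain(mac, REPORTS))
```

Note that the Tenable report for the first device is the newest of all, yet it loses to DHCP because recency only matters within a tier; that is the property the feature relies on to keep stale integration data from rewriting subnet assignments.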
Network ACL Policies in Device Security Device Profiles
You can now generate network access control list (ACL) policies directly from device profiles in Device Security in Strata Cloud Manager. Create ACL rules based on each profile's observed device behavior without authoring them by hand. Each device profile includes a new Policies (Network ACL) tab with a recommended rule set generated from the network behavior Device Security has learned for that profile type.
You can copy the recommended rule set, customize individual rules, or create new rule sets in dACL ISE, SGACL ISE, or Cisco WLAN Controller format. A time range filter controls which window of observed behavior the recommendations draw from, giving you the flexibility to base rules on recent or longer-term device activity.
When you activate a rule set, the ACL rules are pushed to Cisco ISE or your WLAN Controller at the next scheduled integration job, enforcing network segmentation for that device profile type based on what Device Security actually observed on your network. Review the recommended rules before activating them: an allowlist derived from observed behavior also permits any unwanted traffic the profile generated during the selected time range.
This provides parity with the existing feature in the legacy IoT Security portal.
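To show what "rules from observed behavior, filtered by a time range" amounts to, here is an added example (illustrative code for this page, not Device Security's rule generator) that aggregates constructed flow records for one profile within a window and emits a least-privilege rule set in the extended-ACL ACE syntax that Cisco ISE downloadable ACLs use (for example `permit tcp any host 10.0.0.5 eq 443`, closing with `deny ip any any`). The flows, the window, the minimum-occurrence filter, and the per-host granularity are this example's own choices.

```python
"""Added example: deriving a profile-level dACL from observed flows.

Illustrative code for this page, not Device Security's rule generator. The
flow records are constructed. Output lines follow Cisco extended-ACL ACE
syntax as used in ISE downloadable ACLs; aggregation choices are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed flows observed from one device profile (say, an IP camera):
# (utc timestamp, protocol, destination ip, destination port or None)
FLOWS = [
    ("2026-05-01T10:00:00Z", "tcp", "10.0.0.5", 443),
    ("2026-05-01T10:05:00Z", "udp", "10.0.0.53", 53),
    ("2026-05-02T09:00:00Z", "tcp", "10.0.0.5", 443),
    ("2026-05-02T09:30:00Z", "icmp", "10.0.0.1", None),
    ("2026-05-03T12:00:00Z", "udp", "10.0.0.123", 123),
    ("2026-03-15T08:00:00Z", "tcp", "203.0.113.7", 22),   # old flow, outside a 30-day window
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def observed_services(flows, now, window_days, min_count=1):
    """Distinct (proto, dst_ip, dst_port) seen at least min_count times inside
    the last window_days. The window is the time-range filter; min_count lets
    you drop one-off destinations that may not belong in a standing allowlist."""
    cutoff = now - timedelta(days=window_days)
    counts = Counter((p, ip, port) for ts, p, ip, port in flows if parse_ts(ts) >= cutoff)
    return sorted(k for k, n in counts.items() if n >= min_count)


def dacl_rules(services):
    """One permit ACE per observed service, explicit deny last. Only tcp/udp
    carry a port match; other protocols are permitted to the host only."""
    rules = []
    for proto, ip, port in services:
        if proto in ("tcp", "udp"):
            rules.append(f"permit {proto} any host {ip} eq {port}")
        else:
            rules.append(f"permit {proto} any host {ip}")
    rules.append("deny ip any any")
    return rules


if __name__ == "__main__":
    now = parse_ts("2026-05-10T00:00:00Z")
    for days in (30, 60):
        print(f"--- last {days} days ---")
        print("\n".join(dacl_rules(observed_services(FLOWS, now, days))))
```

Widening the window from 30 to 60 days pulls the March SSH flow to 203.0.113.7 into the permit list; whether that is a legitimate maintenance path or something that should never have happened is exactly the question to answer before activation.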
OT Process Variable Monitoring for Device Security
Monitor OT process variables such as temperature, pressure, and flow rate directly in Device Security to ensure your device behavior is within normal range. Device Security passively inspects OT protocol traffic from industrial devices such as PLCs and RTUs on your network and surfaces the data values exchanged between devices in a new Process Variables tab on relevant Device Details pages.
Depending on the process variable, you can view its current value, value trend over time, and the transmission history showing which clients read or wrote it and when. You can set manual thresholds with configurable high and low limits that trigger alerts when a variable drifts outside the expected range, with options to set the alert severity and the time window in which the threshold applies.
Monitoring process variables inside Device Security lets your team detect anomalous operating conditions alongside the device security context already in your inventory, without switching to a separate OT monitoring platform.
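The threshold check described above, as an added example (illustrative code for this page, not Device Security's monitor): it walks a constructed transmission history for one pressure tag, applies configurable high and low limits with a severity, and only raises alerts inside the configured active window. Interpreting the "time window" as the hours of day during which the threshold applies is an assumption, as are the readings, client addresses and limits.

```python
"""Added example: threshold alerting over a process variable's history.

Illustrative code for this page, not Device Security's monitor. The readings,
client addresses and threshold settings are constructed. Treating the time
window as hours-of-day during which the threshold is active is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Reading:
    ts: str        # ISO-8601 UTC, as captured from the protocol exchange
    client: str    # IP of the client that read or wrote the variable
    op: str        # "read" or "write"
    value: float


@dataclass(frozen=True)
class Threshold:
    low: float
    high: float
    severity: str        # e.g. "high", "medium", "low"
    active_from: time    # window start (UTC), inclusive
    active_to: time      # window end (UTC), exclusive


def in_window(ts, th):
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").time()
    if th.active_from <= th.active_to:
        return th.active_from <= t < th.active_to
    return t >= th.active_from or t < th.active_to   # window wraps midnight


def evaluate(history, th):
    """One alert per reading outside [low, high] while the threshold is
    active. Each alert keeps the client and operation, so an out-of-range
    value that follows a write from an unfamiliar client stands out."""
    alerts = []
    for r in history:
        if not in_window(r.ts, th):
            continue
        if r.value < th.low or r.value > th.high:
            alerts.append({
                "ts": r.ts, "client": r.client, "op": r.op, "value": r.value,
                "bound": "low" if r.value < th.low else "high",
                "severity": th.severity,
            })
    return alerts


# Constructed transmission history for a boiler pressure tag (bar).
HISTORY = [
    Reading("2026-05-04T08:00:00Z", "10.1.1.20", "read", 5.1),
    Reading("2026-05-04T08:15:00Z", "10.1.1.20", "read", 5.3),
    Reading("2026-05-04T08:30:00Z", "10.1.9.77", "write", 9.8),   # out of range, inside window
    Reading("2026-05-04T08:45:00Z", "10.1.1.20", "read", 9.7),
    Reading("2026-05-04T23:30:00Z", "10.1.1.20", "read", 2.0),    # out of range, outside window
]
PRESSURE = Threshold(low=3.0, high=8.0, severity="high",
                     active_from=time(6, 0), active_to=time(22, 0))

if __name__ == "__main__":
    for a in evaluate(HISTORY, PRESSURE):
        print(a)
```

The first alert is the interesting one: the value left range immediately after a write from 10.1.9.77, a client that does not otherwise appear in the history, which is the kind of context the transmission history is there to give.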
Risk Factor Multi-Attribute Matching and Resolution Workflow for Device Security
Device Security introduces several risk management enhancements: creation of custom risk factors using multiple attributes through the query builder; a resolution workflow that lets you resolve risk factors so they no longer contribute to a device's risk score; and an updated Risk Factor table that shows a device count per risk factor.
You can now define risk factor criteria using multiple attributes and logical conditions in Device Security, removing the restriction that each risk factor could only match a single device attribute. This lets you accurately model risk scenarios enhanced by combined conditions in a single factor.
Risk factors on the device details page now include a resolution workflow. You can mark a detected risk factor as resolved (mitigated, remediated, or ignored) and unresolve it later if circumstances change. Resolved risk factors no longer contribute to the device's risk score, and the resolution appears in the risk factor's event history.
The Risk Factor table now shows how many devices match each risk factor. Clicking the count opens the Asset Inventory, pre-filtered to those devices, so you can immediately see which assets a given risk condition affects.
Threat Logs for Alerts in Device Security
You can now access the threat logs associated with a firewall alert directly from the Alert Detail page in Device Security, so you can analyze threat context faster without navigating to Log Viewer separately and manually reconstructing filters to locate the relevant entries. This option requires a Strata Logging Service license.
The Alert Detail page includes a View Threat Detail in Log Viewer link for firewall-sourced alerts that have associated threat logs. Clicking it opens the Strata Cloud Manager Log Viewer in a new tab with the Network/Threat Logs view pre-filtered to the alert's source address, destination address, threat ID, and a 24-hour window anchored to the originating log.
From the filtered view, you can review every log entry tied to the alert and download PCAPs for offline forensic analysis. This provides you more threat context without reconstructing queries or switching between tools.