> CRITICAL EXCEPTION | ICS/OT THREAT INTELLIGENCE | WEEKLY BRIEFING

Threat intelligence for the people defending critical infrastructure. Not the people selling to them.

A weekly briefing for ICS/OT security practitioners. Active threat actors, prioritized CVEs with OT context, and recommended actions you can run Monday morning. Practitioner-written. Vendor-independent.

Free tier: monthly summary. Paid: the full weekly briefing. No spam, no vendor pitches.

MONITORING: CISA ICS Advisories; NVD / CVE; MITRE ATT&CK for ICS; Vetted threat research
RECENT COVERAGE: Engineering workstation RCE | CVSS 9.8; Water sector targeting expansion; HMI exposure: 4 vendors; ATT&CK for ICS: T0843 breakdown

What's Inside

One issue. Two layers. Zero filler.

Every briefing is split into two clearly bounded parts: one your leadership can read in three minutes, one your analysts can act on the same day.

# COMMAND BRIEF

For CISOs and security leadership

  • Board Brief: The week in 90–120 words. Forwardable to the board as-is.
  • Where to Focus This Week: Three to four leadership decisions, not a news roundup.
  • Threat Landscape: Strategic narrative: who is targeting which sectors, and why it matters to yours.

# THE WORKBENCH

For analysts and OT admins

  • CVE Prioritized: Affected products first. CVSS, attack vector, exploitation status, IOCs, mitigations.
  • Threat Actor TTPs & Indicators: MITRE ATT&CK for ICS mappings, infrastructure indicators, blocking actions.
  • Recommended Actions: Detection opportunities, hunting hypotheses, patching priority.

From a Recent Issue

Read it the way subscribers do

This is the actual format, not a marketing rewrite. The briefing is built to be skimmed by leadership and searched by analysts.

CRITICAL EXCEPTION | ICS/OT THREAT INTELLIGENCE | WEEK OF 2026-06-08
CVE PRIORITIZED
CVE: CVE-2026-XXXX | Product: [Vendor] Engineering Workstation
Affected: v4.2.0 – v4.7.1 | CVSS: 9.8 CRITICAL
Attack Vector: Network, unauthenticated | Exploitation: PoC public, ITW unconfirmed

If your engineering workstations share a flat network with anything internet-adjacent, this is your patching priority for the week. The vulnerability allows an unauthenticated attacker to push modified project files to the workstation, which in an OT context means logic changes downstream of your change-control process.

Based on the exploitation pattern observed with similar workstation-class vulnerabilities, the realistic window between public PoC and in-the-wild use is two to four weeks. In order to buy time without an emergency patch cycle, the immediate compensating control is...

Why This Exists

The weekly OT practitioner lane was empty. So we built it.

Vendor reports are annual and have a sales motive. The major OT security vendors publish excellent research once a year, written to position a product. Useful, but not operational, and not weekly.

Free security news is broad and unsorted. The trade press covers everything for everyone. Finding the three items that matter to a water utility or a manufacturing floor is left as an exercise for the reader, every single day.

Critical Exception™ covers one lane, every week. Collected daily from primary sources, scored for OT relevance and severity, and given a practitioner editorial pass before it reaches your inbox. No product to sell you. The briefing is the product.

Pricing

Start free. Upgrade when it earns it.

Break-even on the paid tier is one prevented bad patching decision. Probably less.

Free

$0/month
  • Monthly summary briefing
  • Delivered on a 2-week delay
  • No credit card required

Paid CORE

$20/month
  • Full weekly briefing, Monday evening
  • A day before the public preview
  • Command Brief + The Workbench
  • CVEs, IOCs, ATT&CK mappings, actions
  • Cancel anytime

Annual

$180/year
  • Everything in Paid
  • 25% discount: 12 months for the price of 9
  • One expense report instead of twelve

FAQ

Reasonable questions

Who writes this?

A working security practitioner with a background in vulnerability management, threat intelligence, and threat hunting, with a focus on ICS/OT environments. Independent: no vendor employs or sponsors the editorial content. More on the About page.

How is it produced?

Primary sources (CISA ICS advisories, NVD, MITRE ATT&CK for ICS, vetted research) are collected daily and machine-scored for OT relevance, severity, and novelty. Every issue then gets a practitioner editorial pass before it ships. The synthesis is AI-assisted; the judgment is not.

What do free subscribers get?

A monthly summary on a two-week delay. Enough to judge whether the analysis is worth $20 a month. Paid subscribers get the full briefing every week, while it is still actionable.

Will there be ads or sponsored content?

The editorial sections will never contain sponsored content. If sponsorship is introduced, it will be a single, clearly labeled slot, separate from the analysis.

Can I expense this?

Yes. Annual billing exists for exactly this reason. A receipt is issued automatically.

Subscribe

Monday evening. Your inbox. The OT week, sorted.

Paid subscribers get the briefing Monday evening — a full day before the public preview posts.

Start free. No credit card. Unsubscribe in one click.

Paid upgrades ($20/mo or $180/yr) are handled on the next screen after you confirm your email.
Prefer the app? Subscribe on Substack →
