Vigil brings machine learning anomaly detection, AI-powered analysis, and an immutable blockchain audit trail to your operational technology environment without the complexity.
Vigil integrates the three things modern industrial security teams need most and makes them work together automatically.
Every sensor gets its own ML model trained on what "normal" looks like for that specific sensor. When readings drift, spike, or behave unexpectedly, Vigil flags it and tells you how far off it is.
Detected anomalies are automatically fed into an AI that produces structured, readable reports — identifying the riskiest assets, distinguishing real faults from sensor noise, and recommending what to do first.
Every alarm, AI report, device config and operator action is cryptographically hashed and permanently anchored to a blockchain — giving you a tamper-evident chain of custody that holds up to any audit or investigation.
Every feature is designed around how industrial operations actually work.
Each sensor is monitored against its own learned baseline, not a shared static threshold. Models train on your historical data and flag deviations with a severity score that reflects how far a reading has strayed from normal.
When anomalies are detected, the AI produces a prioritized site report — ranking the riskiest assets, separating true faults from noise, and listing concrete actions with P1/P2/P3 priority labels.
High-severity anomalies automatically generate alarms with full lifecycle tracking — from New through Acknowledged to Resolved. No manual scanning of raw sensor feeds required.
Organise your infrastructure as Sites, Assets, and Sensors. Train and analyse an entire asset or site in a single operation. Safe operating ranges are stored per sensor and can be auto-populated from equipment documentation.
Upload equipment spec sheets and let the AI extract safe operating ranges directly into your sensor database. Pull device configurations via SSH and get an instant security audit with ranked findings and remediation steps.
Using asset health data and anomaly history, the AI estimates how much operational life an asset likely has remaining — giving maintenance teams the lead time they need to plan proactively, not reactively.
Three built-in UI themes and a customization system lets you match your organization's visual identity. Upload your company logo and define your own accent and header colors. All appearance changes apply instantly, with no restart or redeployment required.
Every user action — logins, anomaly runs, settings changes, file uploads — is written to an immutable activity log. Settings change entries include a colour-coded before/after diff showing exactly which fields changed and what their values were.
Alarms automatically open tickets in ServiceNow, Jira Service Management, PagerDuty, or any generic webhook endpoint. Authentication, payload templates, and minimum severity are all configurable — no code changes required. Every dispatch is logged to the activity audit trail.
Vigil addresses the specific threats, failures, and compliance demands that vary by sector — not generic IT security retrofitted to industrial environments.
Predict battery cell degradation, detect inverter and PCS failure risk early, and balance thermal load across storage racks — including during high-stress weather events. ML models learn the normal behaviour of each unit and flag deviations before they cascade.
Detect misuse of DNP3, Modbus, and other OT protocols, catch unauthorized set-point drift, and receive instant alerts on any unverified firmware or logic modifications — with a blockchain-anchored record of every change for forensic investigation.
Optimize charge and discharge scheduling around energy market signals and curtailment events — all within ML-verified safe operational boundaries. AI recommendations are logged and cryptographically proven before any set-point change is applied.
Detect early signs of CRAC/CRAH fan degradation, pump seal wear, and airflow pattern deviations before hot spots form and threaten uptime. Per-asset ML models track each unit's specific thermal signature — not a generic threshold shared across the floor.
Continuously monitor for efficiency degradation and receive AI-guided recommendations for thermal-aware workload placement and cooling adjustments. Detect UPS anomalies and SCADA irregularities that quietly erode power usage effectiveness over time.
Every SCADA configuration change, firmware update, and operator action is cryptographically fingerprinted and anchored to blockchain. If a breach or insider threat is ever suspected, you have a verifiable, tamper-proof record of exactly what changed and when.
Track robot joint wear, spindle bearing health, conveyor diagnostics, and motor condition — catching degradation early and scheduling maintenance before production lines go down. Each machine gets its own ML model built from its actual operating history.
Identify cycle-time variance, compressed air leaks, and recipe parameter drift that silently erode throughput, availability, and quality. AI reports rank which issues are costing the most production and recommend corrective actions with clear priority labels.
Detect PLC state anomalies and unauthorized configuration changes across the production floor. Every control system modification is logged with a cryptographic fingerprint — giving security teams and auditors a complete, verifiable history of what was changed.
Detect pump cavitation, VFD degradation, and blower performance decline before treatment capacity is compromised. Each asset's ML model learns its normal vibration and thermal profile — flagging deviations that static thresholds routinely miss.
Monitor chemical dosing accuracy, tank level behaviour, and aeration efficiency in real time. Automatic alerts on process drift keep permit compliance proactive rather than reactive — and every event is blockchain-logged for regulatory reporting.
Schedule aeration, pumping, and UV treatment around peak electricity tariff windows without compromising treatment quality or permit limits. AI recommendations are verified against process safety constraints before being surfaced to operators.
Monitor traction motor wear, wheel-flat development, brake system thermal profiles, and HVAC performance — keeping vehicles in service and avoiding the costly disruptions of in-service failures. ML models are trained per vehicle, not per fleet average.
Detect deviations in safety-critical signaling systems and substation SCADA before they become incidents. Transformer thermal runaway, substation configuration changes, and communication anomalies are all monitored with blockchain-backed evidence of every event.
Maximize regenerative braking energy capture and optimize headway scheduling to reduce traction energy consumption across the network. AI models identify the specific operational patterns that offer the greatest energy savings without impacting service reliability.
Instant alerts on temperature, humidity, and pressure deviations in cleanrooms, stability chambers, cold chain environments, and controlled manufacturing areas. Every environmental excursion is timestamped, hashed, and blockchain-anchored at the moment of detection.
Predict chiller failures, AHU faults, and CIP/SIP cycle anomalies before they affect batch quality or put regulatory status at risk. ML models are trained on each facility's utility systems individually — accounting for seasonal load patterns and local process conditions.
Automatically generate cryptographically signed evidence bundles mapped to FDA GMP, ISO, and relevant regulatory requirements — cutting audit preparation from weeks to hours. Every alarm, AI analysis, and operator action is preserved in a tamper-evident blockchain record.
Vigil follows a clear loop: learn what normal looks like, detect when things deviate, understand why, and prove what happened.
Select a period of normal operation and train the ML model on it. Vigil learns what each sensor looks like when everything is running correctly — building a unique baseline per sensor, not per asset type.
As new readings arrive, each one is scored against the trained baseline. Points are flagged as anomalous and assigned a deviation score reflecting severity. Built-in filters suppress nuisance alerts from sensor jitter and short-lived spikes.
Anomalies are automatically routed to the AI for analysis. The result is a structured report — which assets need attention now, which signals are likely noise, and exactly what actions your team should take first.
Every alarm, AI report, and operator change is permanently anchored to the blockchain. If anything is ever questioned — by regulators, auditors, or insurers — you have a cryptographically verifiable record of every decision made.
Generic thresholds create noise. Vigil's ML models are trained on the actual behaviour of each individual sensor — so a flag means something is genuinely wrong, not just outside a manufacturer's generic range.
Each sensor tag gets its own ML model. Pump A and Pump B may be identical hardware, but their real-world behaviour differs — and their models reflect that.
Every scored point receives a deviation score showing how far it has moved from the learned baseline. This lets you triage by severity, not just by on/off anomaly flags.
Configurable warm-up suppression, stability guards, and refractory periods prevent short-lived spikes and sensor jitter from flooding your team with false alarms.
Trained models are stored on disk and reloaded automatically. Restarting the service — or updating it — does not require re-training your sensor baselines.
When something goes wrong in an industrial environment, the first question is always "what happened and when?" Vigil gives you a cryptographically provable answer — one that no one can alter after the fact.
Alarms, AI analyses, and operator changes are hashed at the moment they are created. The fingerprint is stored alongside the record for instant re-verification at any time.
Fingerprints are submitted to a permissioned blockchain network. Once anchored, they cannot be altered, deleted, or backdated — by anyone, including system administrators.
Any record can be verified in seconds — checking both that the data in the database matches the original fingerprint, and that the fingerprint exists unchanged on the blockchain.
Sample Audit Chain
Each event fingerprinted independently · anchored to an immutable blockchain · verifiable at any time
Every core capability was designed to satisfy specific controls across the frameworks that govern industrial environments. Here's how they align.
| Control | Requirement | Vigil Capability | How It's Addressed |
|---|---|---|---|
| SR 6.2 | Continuous Monitoring | ML Detection |
Per-sensor ML models continuously score incoming readings against learned baselines, flagging deviations with severity scores in real time. |
| SR 6.1 | Audit Log Accessibility | Activity AuditBlockchain |
Every user action, setting change, and security event is written to an immutable activity log with before/after diffs, then cryptographically anchored to blockchain. |
| SR 2.8 | Auditable Events | Activity Audit |
Logins, anomaly runs, alarm state changes, configuration modifications, file uploads, and AI analyses are all captured with timestamps, user identity, and change details. |
| SR 3.3 | Security Functionality Verification | AI Analysis |
Device configurations are pulled via SSH and automatically audited by the AI, producing ranked security findings with remediation steps. |
| SR 7.6 | Network & Security Config Settings | Config AuditBlockchain |
Device configuration snapshots are stored, diffed against previous versions, and anchored to blockchain — creating a verifiable configuration history. |
| SR 2.1 | Authorization Enforcement | RBAC |
Role-based access control with admin and viewer roles. Admin-only actions (settings, training, user management) are enforced at both UI and API levels. |
| Control | Requirement | Vigil Capability | How It's Addressed |
|---|---|---|---|
| 6.2.1 | ICS Monitoring & Detection | ML DetectionAI Analysis |
Dual-engine detection: ML models identify statistical anomalies in sensor data, then AI analysis triages findings and separates real threats from noise. |
| 6.2.6 | Audit & Accountability | Activity AuditBlockchain |
Complete activity logging with user attribution, before/after change diffs, and blockchain-anchored cryptographic proof that records have not been altered. |
| 6.2.7 | ICS Incident Response | Alarm TriageAI Reports |
Anomalies automatically generate prioritized alarms with full lifecycle tracking. AI reports rank risks as P1/P2/P3 with specific remediation actions. |
| 6.2.2 | Access Control | RBAC |
JWT-authenticated sessions with role-based permissions. Sensitive operations require admin role. All access events are logged. |
| 6.2.4 | Configuration Management | Config AuditChange Tracking |
Device and system configurations are pulled, audited, and tracked with versioned diffs. Every configuration change is recorded with the responsible user. |
| 6.2.16 | ICS Security Assessment | AI AnalysisML Detection |
Continuous security posture assessment via ML anomaly scoring and AI-driven device configuration audits with ranked findings and remediation guidance. |
| Article | Requirement | Vigil Capability | How It's Addressed |
|---|---|---|---|
| Art. 21(2)(a) | Risk Analysis & Information System Security | AI ReportsML Detection |
AI-generated risk assessment reports rank assets by severity and likelihood, providing continuous risk visibility across the entire OT environment. |
| Art. 21(2)(b) | Incident Handling | Alarm TriageAI Analysis |
Automatic alarm generation with lifecycle management (New → Acknowledged → Resolved). AI reports provide structured incident context for response teams. |
| Art. 21(2)(d) | Supply Chain Security | Config AuditBlockchain |
Device firmware and configuration changes are detected, audited, and blockchain-anchored — providing evidence of unauthorized supply chain modifications. |
| Art. 21(2)(e) | Security in Acquisition & Maintenance | ML DetectionChange Tracking |
ML models detect behavioural changes after maintenance or equipment replacement. Full change audit trail proves when and how systems were modified. |
| Art. 21(2)(g) | Security Policies Assessment | Activity AuditBlockchain |
Comprehensive activity logs with tamper-evident blockchain anchoring enable continuous assessment of whether security policies are being followed. |
| Art. 23 | Incident Reporting Obligations | Activity AuditBlockchain |
Timestamped, blockchain-verified event records provide the evidence required for mandatory incident reporting to national authorities within mandated timeframes. |
| Standard | Requirement | Vigil Capability | How It's Addressed |
|---|---|---|---|
| CIP-007-6 R1 | System Security Management — Ports & Services | Config Audit |
AI-driven configuration audits detect unauthorized open ports, enabled services, and insecure protocol settings on OT devices, with prioritized remediation steps. |
| CIP-007-6 R4 | Security Event Monitoring | ML DetectionActivity Audit |
Continuous ML-based monitoring of all sensor feeds with complete event logging. Security-relevant events are automatically flagged and logged with full context. |
| CIP-008-6 | Incident Reporting & Response | Alarm TriageAI ReportsBlockchain |
Automated alarm generation with AI-produced incident reports and blockchain-timestamped evidence — ready for NERC reporting requirements. |
| CIP-010-4 R1 | Configuration Change Management | Config AuditChange TrackingBlockchain |
Device configurations are snapshotted, diffed, and blockchain-anchored. Unauthorized changes trigger alerts. Full before/after history is maintained. |
| CIP-011-3 | Information Protection | BlockchainActivity Audit |
Cryptographic fingerprinting of all critical records with permanent blockchain anchoring. Tampering with any record is immediately detectable. |
| Section | Requirement | Vigil Capability | How It's Addressed |
|---|---|---|---|
| §11.10(e) | Audit Trail | Activity AuditBlockchain |
Secure, computer-generated, time-stamped audit trail records every creation, modification, and deletion. Blockchain anchoring makes the trail tamper-evident and independently verifiable. |
| §11.10(a) | System Validation | ML Detection |
Per-sensor ML models are trained and validated against known operating data. Training metrics and model performance are recorded for validation documentation. |
| §11.10(d) | Limiting System Access | RBAC |
Role-based access control restricts system functions to authorized individuals. Admin-only operations require elevated privileges enforced at both UI and API layers. |
| §11.10(k)(2) | Device Checks — Authority | RBACActivity Audit |
All user actions are attributed to authenticated individuals. Unauthorized attempts to access restricted functions are logged and blocked. |
| §11.50 | Signature Manifestations | Blockchain |
Cryptographic fingerprints serve as electronic signatures for records — displaying the signer identity, timestamp, and meaning (creation, review, approval) tied to each record. |
| §11.10(c) | Protection of Records | BlockchainActivity Audit |
Records are protected through cryptographic hashing and blockchain anchoring. Any alteration is instantly detectable via hash verification against the immutable chain. |
| Control | Requirement | Vigil Capability | How It's Addressed |
|---|---|---|---|
| A.8.15 | Logging | Activity AuditBlockchain |
Comprehensive logging of all user activities, exceptions, faults, and security events with colour-coded before/after diffs and blockchain-backed integrity. |
| A.8.16 | Monitoring Activities | ML DetectionAI Analysis |
Networks, systems, and applications are continuously monitored by ML models. Anomalous behaviour is automatically analysed and triaged by AI. |
| A.5.24 | Incident Management Planning | Alarm TriageAI Reports |
Automated alarm lifecycle (New → Acknowledged → Resolved) with AI-generated incident reports containing prioritized actions and root cause analysis. |
| A.5.28 | Collection of Evidence | BlockchainActivity Audit |
Cryptographically fingerprinted and blockchain-anchored evidence suitable for legal proceedings, regulatory audits, and insurance claims. |
| A.8.9 | Configuration Management | Config AuditChange Tracking |
Hardware, software, and network configurations are documented, monitored for changes, and audited by AI with versioned diffs stored for review. |
| A.5.2 | Information Security Roles | RBACActivity Audit |
Defined admin and viewer roles with enforced separation of duties. All role-based actions are fully attributed and logged in the activity audit. |
Vigil is self-hosted. No cloud account, no vendor lock-in, no professional services engagement required to get started.
Runs entirely within your network. Your sensor data never leaves your environment. The AI model can be a locally hosted instance with no external API calls required.
ML models are stored on disk and survive container restarts and upgrades. Your months of training work is never lost to a routine service update.
Every tunable — model sensitivity, AI endpoint, secrets, blockchain credentials — is set inside the GUI.
Upload your certificate through the Settings page. The web server reloads it automatically — no container restart, no downtime.
What's included
Self-hosted. No vendor lock-in. Built for the realities of industrial environments.