Most Pentesters Have No Business Being Inside an OT Network. Learn to Operate in One.
A live, hands-on bootcamp for offensive security practitioners who need real ICS/OT red team tradecraft — Modbus, S7comm, EtherNet/IP, PLC exploitation, and IT-to-OT pivot methodology — delivered across four Sundays with a full virtual industrial lab over OpenVPN.
- 4 live sessions · September 2026 · Sundays
- Virtual ICS/OT lab · Full environment via OpenVPN
- EOTRT on passing · Practical exam · two attempts included
- Verifiable credential · PDF, badge, NFT on Hedera
Trainer
Your instructor
Same profile and biography as on the Evaluris team page — live delivery, labs, and exam methodology.
Eng. Adrian Gaitan
Founder & CEO
Eng. Adrian Gaitan is the Founder and Chief Executive Officer of Evaluris Solutions FZCO, where he leads the company's vision and execution across advanced cybersecurity, artificial intelligence, blockchain systems, high-performance computing (HPC), and the protection of critical infrastructure.
With over a decade of hands-on experience in offensive and defensive security engineering, Adrian specializes in the design and deployment of next-generation, adversary-aware security platforms built for real-world, high-assurance environments. His work spans AI-driven cyber defense, quantum-resilient security architectures, secure distributed systems, and the protection of industrial control systems (ICS/SCADA) and operational technology (OT) environments.
For this cohort, Adrian leads the full OT red team curriculum: Purdue-style architecture, ICS reconnaissance and boundary pivots, live protocol tradecraft, and EOTRT exam preparation in the three-zone lab.
The Gap
Running Nmap against a PLC is not an OT pentest. It might be an incident. The offensive security industry has a problem with ICS/OT: standard IT methodology can physically damage industrial equipment, interrupt production, or trigger safety shutdowns. On the training side, excellent programs often cost over $8,000, run multiple days, and skew defensive — or they validate theory without exploitation. There are also no comparable alternatives in the UAE or wider GCC at this depth and accessibility. This bootcamp is built to close that gap with live, offensive-first tradecraft.
The Format
Four Sundays. A three-zone industrial lab. Real protocol exploitation.
The Evaluris OT Red Team Bootcamp runs across four consecutive Sundays in September 2026. Each session is four hours of live, instructor-led training. You connect to a full virtual industrial environment via OpenVPN — an IT network, a DMZ, and an OT network with live PLCs running real ladder logic — and you work through the kill chain progressively across all four sessions. By Session 4 you have access to all three zones simultaneously. The exam gives you six hours and a scenario brief. The rest is on you.
| Item | Detail |
|---|---|
| Live Delivery | Zoom · instructor on screen for all 4 hours |
| Lab Access | Personal OpenVPN profile · three-zone industrial environment |
| Support | Private Discord cohort · async Q&A and lab help between sessions |
| Recordings | Full session recording + slides within 2 hours of close |
| Exam | Practical, flag-based · 6-hour scenario · unproctored |
| Cert | EOTRT · PDF + Digital Badge + NFT on Hedera |
Schedule
Full Calendar
All live sessions start at 9:00 AM EST.
| Session | Date | Time | Focus |
|---|---|---|---|
| 01 | Sun, 6 Sep 2026 | 9:00 AM EST | OT/ICS architecture for attackers |
| 02 | Sun, 13 Sep 2026 | 9:00 AM EST | ICS reconnaissance and initial access |
| 03 | Sun, 20 Sep 2026 | 9:00 AM EST | OT protocol exploitation and lateral movement |
| 04 | Sun, 27 Sep 2026 | 9:00 AM EST | Red team operations, reporting, and exam prep |
Fit check
Is This For You?
This bootcamp is for pentesters who want to operate in critical infrastructure. Not learn about it.
This bootcamp is for you if:
- You're a penetration tester or red teamer being asked to assess OT environments with no formal ICS training
- You're an IT security professional working for an energy, utilities, manufacturing, or critical infrastructure organisation and need to understand how an attacker would actually move through your environment
- You hold a hands-on offensive cert (OSCP, CRTO, CPENT, or equivalent) and want to extend your methodology into the OT attack surface
- You want to be able to legitimately offer ICS/OT red team services — not just claim it on a scope document
- You're based in the UAE or GCC and there is simply no comparable training available to you locally at any price
This bootcamp is not for you if:
- You've never performed a penetration test and are starting from zero
- You're looking for a defensive ICS security programme, compliance framework training, or GICSP exam prep
- You expect to run standard IT pentesting tools against industrial equipment without modification
- You want vendor-specific OT platform training (Claroty, Dragos, Nozomi, etc.)
The Curriculum
The Kill Chain Across Four Sessions. Each One Builds on the Last.
The bootcamp is structured as a progressive kill chain. Session 1 is orientation and recon. Session 2 is initial access. Session 3 is OT exploitation. Session 4 is full red team operations and exam preparation. Your lab access expands each week to match where you are in the chain.
A pre-session guide unlocks seven days before each Sunday. It covers the tools you'll need and the concepts you'll be expected to apply — so you arrive ready to work, not spend the first hour on setup.
SESSION 01 — Sunday, 6 September
OT/ICS Architecture for Attackers
Before you can exploit an industrial environment, you need to understand how it's actually built — not from a textbook, but from the perspective of someone planning an intrusion. This session covers the architecture, the protocols, and the threat landscape with one question running through all of it: where does an attacker go, and why.
You'll be able to:
- Navigate the Purdue model as an attacker — identify the zones, the conduits, the crossing points, and the chokepoints that matter for red team operations
- Understand how PLCs, HMIs, SCADA systems, DCS, and historians interact — and what each one means as a target or a pivot point
- Identify ICS protocol traffic on a network: Modbus TCP, S7comm, EtherNet/IP, DNP3, Profinet — packet structure, standard ports, and what legitimate vs. anomalous traffic looks like
- Map real threat actor campaigns to the environment you're working in — Triton/TRISIS, Industroyer2, and PIPEDREAM are not abstract case studies. They are attack playbooks.
Hands-on: First connection to the lab environment. Navigate the IT network, identify all assets across IT and OT zones using only passive techniques and purpose-appropriate tooling. Capture and analyse live ICS protocol traffic with Wireshark. Document the full network topology. No exploitation — this session is about understanding the terrain before you move on it.
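The traffic-analysis part of this session (spotting Modbus TCP on port 502 and telling routine polling apart from anomalous writes or malformed frames) can be practised offline before the lab opens. The script below is an added illustration written for this page, not bootcamp material or Evaluris code. It parses the 7-byte MBAP header plus function code of a Modbus/TCP frame, buckets each frame as read, write, exception or other, and flags writes from any host not on a small allow-list. The packets, the 192.0.2.x addresses and the `ALLOWED_WRITERS` baseline are all constructed for the example; the packet list stands in for what you would export from a Wireshark capture filtered on `tcp.port == 502`.

```python
"""Modbus/TCP triage over captured frames (constructed, hypothetical data)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MODBUS_TCP_PORT = 502  # standard Modbus/TCP port; Wireshark filter: tcp.port == 502

# Public function codes grouped by their effect on the process.
READ_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}

# Hypothetical baseline: only the engineering workstation is expected to write.
ALLOWED_WRITERS = {"192.0.2.20"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int   # with the exception bit (0x80) cleared
    is_exception: bool
    data: bytes          # PDU bytes after the function code


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts the unit id plus the PDU, so a well-formed ADU is
    exactly 6 + length bytes long. Anything else is returned as None.
    """
    if len(payload) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length < 2 or len(payload) != 6 + length:
        return None
    fc = payload[7]
    return ModbusFrame(tid, uid, fc & 0x7F, bool(fc & 0x80), payload[8:])


def classify(frame: ModbusFrame) -> str:
    """Bucket a frame as read, write, exception or other."""
    if frame.is_exception:
        return "exception"
    if frame.function_code in READ_FUNCTIONS:
        return "read"
    if frame.function_code in WRITE_FUNCTIONS:
        return "write"
    return "other"


def triage(packets: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str]]:
    """Return (src, verdict, detail) for every frame that deserves a second look.

    Reads from any host are treated as normal polling. Writes from a host outside
    ALLOWED_WRITERS, malformed frames and exception responses are flagged.
    """
    findings = []
    for src, payload in packets:
        frame = parse_modbus_tcp(payload)
        if frame is None:
            findings.append((src, "malformed", "MBAP length does not match frame"))
            continue
        kind = classify(frame)
        if kind == "write" and src not in ALLOWED_WRITERS:
            # For the single/multiple write requests the first PDU word is the start address.
            addr = struct.unpack(">H", frame.data[:2])[0] if len(frame.data) >= 2 else -1
            name = WRITE_FUNCTIONS[frame.function_code]
            findings.append((src, "unexpected-write", f"{name} at address {addr}"))
        elif kind == "exception":
            code = frame.data[0] if frame.data else -1
            findings.append((src, "exception", f"fc {frame.function_code} exception code {code}"))
    return findings


# Constructed sample frames (hex), as if exported from a capture of the 502 stream.
SAMPLE_PACKETS = [
    # HMI polling 10 holding registers from address 0: normal.
    ("192.0.2.10", bytes.fromhex("00010000000601030000000a")),
    # Engineering workstation writing one register: on the allow-list.
    ("192.0.2.20", bytes.fromhex("000200000006010600050001")),
    # Unknown host forcing coil 16 ON: flagged.
    ("192.0.2.77", bytes.fromhex("00030000000601050010ff00")),
    # Truncated frame: length says 6 but only 4 bytes follow the header.
    ("192.0.2.30", bytes.fromhex("00040000000601030000")),
    # PLC answering a read with exception code 2 (illegal data address).
    ("192.0.2.100", bytes.fromhex("000100000003018302")),
]

if __name__ == "__main__":
    for src, verdict, detail in triage(SAMPLE_PACKETS):
        print(f"{src:12} {verdict:17} {detail}")
```

The point of the allow-list is that a write function code on its own is not anomalous: engineering workstations and some HMIs write legitimately, so the baseline of who is allowed to write, and to which unit, has to come from the topology you document in this session rather than from the protocol.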
SESSION 02 — Sunday, 13 September
ICS Reconnaissance & Initial Access
Every OT intrusion starts in IT. The path to a PLC almost always runs through an engineering workstation, a historian, or a remote access gateway — assets that live at the IT/OT boundary and are routinely misconfigured. This session covers how to find them, access them, and start moving toward the OT zone without triggering detection or causing unintended disruption.
You'll be able to:
- Execute ICS-specific OSINT using Shodan, Censys, and FOFA — the exact search syntax that surfaces exposed industrial devices, remote access gateways, and vendor web interfaces
- Identify and exploit remote access misconfigurations common in OT environments: exposed RDP and VNC on engineering workstations, weakly authenticated Secomea and eWon gateways
- Pivot from an IT foothold across the DMZ into the OT network using the historian as a lateral movement target — a technique used in real OT intrusions including the Colonial Pipeline attack
- Apply the stealth considerations that separate competent OT red teamers from pentesters who accidentally cause a production incident: what you do not scan, what you do not touch, and why
Hands-on: Full OSINT recon exercise against the simulated target organisation followed by initial access into the IT network via a simulated phishing payload. Begin the pivot toward the OT zone. The DMZ routes are now live in your VPN profile — the historian and the jump server are reachable. Proceed carefully.
SESSION 03 — Sunday, 20 September
OT Protocol Exploitation & Lateral Movement
This is the session where IT pentesting knowledge stops being sufficient and OT-specific tradecraft becomes essential. You will interact directly with simulated PLCs using the protocols they actually speak — not through a vulnerability scanner, not through a CVE, but by understanding the protocol well enough to speak it yourself.
You'll be able to:
- Read and write Modbus TCP registers and coils — force digital output states, read sensor values, understand what the numbers mean in an industrial process context
- Exploit S7comm against Siemens PLC targets using python-snap7: CPU stop commands, block reads, program download — the same techniques used against Siemens hardware in real ICS attacks
- Query and manipulate Allen-Bradley targets over EtherNet/IP: list identity, read and write tags, understand the CIP protocol well enough to operate without an engineering software licence
- Attack the HMI web interface, extract historian process data, and move laterally from the DMZ into the OT network using credentials and access paths consistent with real incident data
Hands-on: OT network routes are now live in your VPN profile. Reach the PLC targets, enumerate them using appropriate tooling, read live process data from the running simulation, and demonstrate control plane access by writing to a specific coil. Flags are embedded in process data, configuration registers, and HMI configuration files. Find them.
SESSION 04 — Sunday, 27 September
Red Team Operations, Reporting & Exam Preparation
The final session pulls the full kill chain together and covers the professional context around it — how to run an OT red team engagement that doesn't end with a production outage, a legal dispute, or a report that the engineering team dismisses as irrelevant.
You'll be able to:
- Scope and execute an OT red team engagement aligned to TIBER-EU and CBEST frameworks — rules of engagement, deconfliction with the SOC, safety boundaries, and what to document before you touch anything
- Write the OT red team report that actually gets read — by engineers who care about process impact and by a CISO who needs to justify remediation spend
- Map your findings to real threat actor campaigns: if your access path mirrors what PIPEDREAM would have used, say so — it makes the risk immediately legible to leadership
- Approach the EOTRT six-hour exam with a methodology: time allocation across the three zones, flag hunting strategy, documentation-as-you-go practice
Hands-on: Full unguided end-to-end exercise across all three zones using only a scenario brief. No instructor guidance, no hints. OSINT to initial access to IT lateral movement to IT/OT pivot to PLC interaction to flag capture. This is the exam rehearsal. Draft a one-page executive summary of your findings before the session closes.
The Lab
Every participant receives a personal OpenVPN profile and connects into a dedicated virtual industrial range engineered for realistic OT red team work. Access expands as you progress through the kill chain so each session matches what you are authorized to touch — mirroring how real engagements are staged. You execute the hands-on blocks yourself against live protocol targets and process-backed scenarios, with instructor-led guidance and cohort support — not a passive demo.
How It Compares
The Honest Comparison. Every Serious Alternative, Side by Side.
| Criteria | Evaluris OT Red Team | SANS ICS612 | GICSP (via ICS410) | CISA ICS301 | Generic OT / Pentest Crossover |
|---|---|---|---|---|---|
| Price | $200 | $8,000+ | $8,000+ (course + exam) | Free (US-only, in-person) | $15–50 |
| Format | Live, instructor-led | In-person / live online | Self-paced + exam | In-person, Idaho Falls | Self-paced |
| Offensive / red team focus | Yes | No | No | No | Partial |
| Live PLC interaction | S7comm + Modbus + EtherNet/IP | Partial | No | Partial | No |
| OpenVPN lab access | Yes | No | No | No | No |
| IT → OT pivot coverage | Yes | Partial | No | No | No |
| ICS protocol exploitation | Yes | Partial | No | No | Partial |
| Practical exam | 6-hour scenario | No | Partial | No | No |
| Cert + NFT on chain | Hedera | No | No | No | No |
| Available in UAE / GCC | Yes | No | Partial | No | Yes |
What You Earn
- Attendance Certificate: signed PDF, verifiable at evaluris.com/verify, documenting 16 hours of live ICS/OT red team training.
- EOTRT — Evaluris OT Red Team Professional: six-hour practical exam (two attempts), VPN scenario, three-zone environment, executive summary requirement. On passing: PDF certificate, digital badge, and NFT on Hedera with permanent verification. The EOTRT certification carries no expiry date.
Pricing
$200. For the training that costs $8,000 everywhere else.
~~$300~~ $200
- 4 live instructor-led sessions (16 hours of training)
- Personal OpenVPN profile with progressive three-zone lab access
- Pre-configured attacker VM image with OT tooling (distributed before Session 1)
- Lab access for 30 days post-bootcamp with on-demand environment reset via Discord
- Session recordings and slides (lifetime access)
- Private Discord cohort for real-time Q&A and between-session support
- 2 EOTRT exam attempts with dedicated 6-hour exam VPN profile
- Attendance Certificate (PDF, verifiable)
- EOTRT Certificate on passing (PDF + Digital Badge + NFT on Hedera)
Cohort capped at 30 practitioners. Starts Sunday, 6 September 2026.
Evaluris OT Red Team Bootcamp
The Questions a Serious Practitioner Would Ask Before Signing Up
Do I need ICS or OT experience before attending?
No, but you need solid IT offensive security experience. If you understand how to pivot through a Windows network, think about lateral movement, and work with Linux command-line tooling, you have the foundation this bootcamp builds on. OT-specific knowledge — protocols, architecture, tradecraft — is what the bootcamp provides. You are not expected to arrive knowing what S7comm is. You are expected to arrive knowing what a pentest is.
Is it safe to run these techniques? I've heard OT environments are fragile.
This is the right question to ask, and it's exactly why OT-specific training matters. The bootcamp lab is a fully virtual environment — no physical equipment, no production processes, no safety risk. The techniques you learn are taught with explicit attention to why they would be handled differently in a real production environment. One full session is dedicated to OT red team methodology, rules of engagement, and the professional judgment required to operate in live industrial environments without causing harm.
What if I miss a live session?
Every session is recorded and the slides are distributed within two hours of close. Your lab access and VPN profile stay active throughout the bootcamp and for 30 days after, regardless of which sessions you attend live. Missing a Sunday means you catch up — it doesn't mean you lose your environment.
Is the EOTRT exam difficult?
It's a six-hour practical exam across a three-zone environment. It is designed to be completable by someone who attended all four sessions, worked through the hands-on exercises, and spent time in the lab between sessions. It is not designed to fail you — it is designed to verify that you can execute the full kill chain end-to-end. Two attempts are included.
Can my company pay? We have a training budget process.
Yes. We support bank transfer and invoice. Email training@evaluris.com with your company name and billing details. We can also provide a one-page training business case document for internal approval — this is common for energy sector and government-adjacent organisations with formal procurement processes.
Will this help me get OT red team work professionally?
The EOTRT demonstrates that you can interact with PLC protocols, execute an IT-to-OT pivot, and produce a red team report in an industrial context. That is a rare and demonstrably in-demand skill set — particularly in the UAE, Saudi Arabia, and the wider GCC where critical infrastructure security investment is growing significantly. The certification is practical evidence, not a knowledge test. That distinction matters to technical hiring managers.
I'm in the UAE. What time do the sessions run?
We'll publish the exact session time with the booking confirmation. Sessions are planned for Sunday afternoons — a working day in the Gulf — which means they can realistically be attended during business hours with employer support, or in the early evening. Exact time will be confirmed no later than four weeks before Session 1.
What is Hedera and why does it matter for the certificate?
Hedera is an enterprise-grade public distributed ledger — not a speculative cryptocurrency project. When your EOTRT certificate is minted on Hedera, the record is permanent, publicly verifiable, and independent of any central authority including Evaluris. The practical value: your credential cannot be falsified, never expires, and can be verified instantly by anyone with the link. You don't need the recipient to understand blockchain for this to work — the verification link behaves like any other verifiable URL.
The OT Attack Surface Is Real
September cohort · 30 seats · hands-on protocol tradecraft
Cohort starts Sunday, 6 September 2026 · evaluris.com
