When I started ORDR, the enterprise security conversation was almost entirely about managed devices. Laptops. Servers. Workstations. If you could push an agent to it, you could protect it. And for that class of device, endpoint detection and response had largely delivered.
But walk the floors of a modern hospital, a global automotive plant, or a major airport, and you see a completely different reality. CT scanners and infusion pumps. PLC controllers and HVAC systems. Badge readers and luggage movers. Thousands — sometimes hundreds of thousands — of devices that are high-value, safety-critical, and fundamentally unagentable. They run proprietary firmware. They can’t be patched on any reasonable schedule. And until very recently, they were invisible to the security operations teams responsible for them.
“A single compromised camera can become a foothold into a clinical network. That’s not a theoretical risk — it’s how attacks actually happen.”
That invisibility is the core problem. You cannot write policy for a device you can’t see. You cannot protect a ventilator you’ve mislabeled as a printer. In regulated industries, the consequences aren’t measured in reputational damage — they’re measured in patient outcomes, production shutdowns, and regulatory penalties.
The founding insight: the network sees everything
Every device, regardless of what software it runs or whether it accepts an agent, must reveal itself to the network. It has to communicate. And if it communicates, it can be observed, fingerprinted, and controlled, without ever touching the device itself.
ORDR’s platform is built around three verbs: discover, classify, and protect. Discovery is multi-method and agentless — deep packet inspection, active scans, infrastructure queries, and API ingestion from over 230 enterprise systems. Classification is where precision is non-negotiable. And protection means not just surfacing findings, but generating and enforcing least-privilege segmentation policy on the infrastructure you already own.
Each asset is described across four dimensions that together form a complete, continuously updated source of device truth:
| Dimension | What ORDR resolves |
|---|---|
| Identity | Manufacturer, OUI, make, model, modality, OS and patch level, hardware inventory, certificates, end-of-life status, ownership, and asset criticality |
| Behavior | The Flow Genome — a baseline of how each device normally communicates (peers, ports, protocols, sessions, volumes, time-of-day) so deviations surface instantly |
| Network & location | NetFlow / sFlow / IPFIX, ARP and LLDP/CDP, VLAN and subnet, wireless AP / controller / SSID, and physical attachment point |
| Risk & exposure | CVEs and patch levels, FDA and manufacturer recalls, open ports, weak credentials, expired certificates, and unauthorized devices |
100M+ device library profiles · 230+ enterprise integrations · 8B+ flows analyzed per day · 2M+ assets per deployment
Why agentic AI changes the enforcement equation
The word “AI-driven” has been applied to so many security products it risks becoming meaningless. I want to be precise about what we mean by it at ORDR. Our platform is structured as a multi-agent system with three distinct layers:
| Layer | Agents & function |
|---|---|
| Perception | Asset-Fetch Engine, Flow Aggregator, and Asset-to-Network Mapper continuously assemble live state from assets, flows, peers, and topology |
| Cognition | Baselining ML and a Policy-Domain Context Generator determine what each device group’s correct, least-privilege intent should be |
| Action | An ACL Engine and Deployment & Enforcement Engine push validated policy to NAC, switching, wireless, and firewalls |
ORDR IQ, our conversational AI assistant, extends this further — operators query real-time asset posture in natural language and translate intent directly into policy action. That’s not a reporting interface; it’s an operational capability. And because intelligence and enforcement stay tightly coupled, regulated traffic that can’t reach the cloud is enforced locally, on the switches and firewalls already in place.
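As an added illustration (not ORDR’s code), here is a toy version of two ideas above: a per-device flow baseline in the spirit of the Flow Genome, and the least-privilege allow rules a policy engine could derive from it for a device group. The IPs, ports, hours and byte counts are constructed sample records, and the rule syntax is a generic placeholder rather than any vendor’s ACL format.

```python
# Added example, not ORDR's code. Flow records are constructed:
# (src, dst, proto, dport, hour_of_day, bytes)
from collections import defaultdict

BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.5.20", "tcp", 104, 9, 4_000_000),   # CT scanner -> PACS (DICOM)
    ("10.1.1.10", "10.1.5.20", "tcp", 104, 14, 3_500_000),
    ("10.1.1.10", "10.1.9.5", "udp", 123, 2, 200),          # CT scanner -> NTP
    ("10.1.1.11", "10.1.5.20", "tcp", 104, 10, 5_000_000),  # second CT scanner
    ("10.1.1.11", "10.1.9.5", "udp", 123, 3, 200),
]

def build_baseline(flows):
    """Per-device profile: observed (peer, proto, dport) tuples, hours seen,
    and the largest single flow. A real baseline would use a longer learning
    window and hour ranges rather than exact hours."""
    profile = defaultdict(lambda: {"peers": set(), "hours": set(), "max_bytes": 0})
    for src, dst, proto, dport, hour, nbytes in flows:
        p = profile[src]
        p["peers"].add((dst, proto, dport))
        p["hours"].add(hour)
        p["max_bytes"] = max(p["max_bytes"], nbytes)
    return profile

def deviations(profile, flow, volume_factor=3):
    """Reasons a new flow departs from the source device's baseline
    (empty list means the flow matches learned behaviour)."""
    src, dst, proto, dport, hour, nbytes = flow
    p = profile.get(src)
    if p is None:
        return ["unknown device"]      # never baselined: possible rogue asset
    reasons = []
    if (dst, proto, dport) not in p["peers"]:
        reasons.append("new peer/port")
    if hour not in p["hours"]:
        reasons.append("unusual hour")
    if nbytes > volume_factor * p["max_bytes"]:
        reasons.append("volume spike")
    return reasons

def allow_rules(profile, group):
    """Least-privilege allow-list for a device group (e.g. all CT scanners):
    the union of peers the group was observed talking to, then deny the rest."""
    allowed = set()
    for dev in group:
        allowed |= profile[dev]["peers"]
    rules = [f"permit {proto} {dst} {dport}" for dst, proto, dport in sorted(allowed)]
    return rules + ["deny any"]
```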
The Cisco integration and why it matters architecturally
As a Cisco SolutionsPlus partner, ORDR is engineered and validated across 3,000+ supported switch, wireless, and firewall models. The integrations go deep across every domain of the Cisco stack:
| Cisco domain | Products ORDR enriches & activates |
|---|---|
| Access & segmentation | ISE, TrustSec / SGT, Software-Defined Access, Catalyst Center, Cisco Prime, Catalyst switches, wireless controllers |
| Meraki & cloud-managed | Meraki, Meraki Access Manager, Meraki Flows, Cisco Spaces |
| Firewall & data center | Cisco Secure Firewall, FMC / CDO, ACI, HyperShield, the Catalyst 9300 application container |
| Detection, SOC & identity | Cisco XDR, Splunk, Secure Network Analytics, Talos, Duo, Umbrella |
The Catalyst 9300 application container deserves emphasis: ORDR can run as an application container directly on the Catalyst 9300, collecting telemetry and enforcing from inside the network device itself. That puts the intelligence layer on Cisco silicon — not a cloud overlay that traffic routes through, but embedded policy intelligence at the enforcement point.
The broader ecosystem
Beyond Cisco, ORDR stays neutral across the rest of the stack, becoming the device-truth layer that sharpens every adjacent platform:
| Category | Representative integrations |
|---|---|
| CMDB / ITSM | ServiceNow CMDB and ITSM, CMMS — with automated inventory reconciliation |
| Vulnerability | Tenable, Rapid7, Qualys — consume intelligence from any source |
| EDR / XDR | CrowdStrike, Microsoft Defender for managed-device context |
| SIEM / SOC | Splunk, QRadar, Exabeam, Microsoft Sentinel — asset and threat fusion |
| NAC | Cisco ISE, Aruba ClearPass for multi-vendor enforcement |
| Endpoint / MDM / ITAM | Intune, JAMF, Absolute, WinRM for ownership and lifecycle |
| Network / IPAM / cloud | Infoblox, Azure, AWS, NetFlow / sFlow / IPFIX |
What this looks like at scale
The deployments we’re most proud of are the ones where the outcome was genuinely consequential — not dashboard metrics, but real-world results in industries where the stakes are patient safety, production uptime, and regulatory survival:
| Deployment | Outcome |
|---|---|
| World’s best healthcare provider | 640K+ devices protected. Cisco ISE automation segments outdated medical devices across a multi-hospital chain, supporting HIPAA compliance and protecting critical ER/OR systems — with an estimated $300M+ in capital costs avoided by securing aging equipment in place |
| Largest US health system | ~2M devices secured. Accurate discovery and classification of IoMT and OT devices across 200 sites, plus simplified vulnerability prioritization for 300K medical devices |
| Top global auto-parts manufacturer | 500K+ OT assets locked down across 300+ locations, with automated rogue detection, rule-based isolation, and granular OT segmentation satisfying rigorous government audits |
| Largest US passenger airline | TSA cybersecurity mandate addressed. OT devices classified and baselined, with auto-generated firewall rules protecting luggage movers, badge readers, and kiosks |
| Largest US credit union | 20K BMS/IoT/OT devices accurately classified across 300+ sites, with maximized ROI on the ServiceNow CMDB through automated inventory reconciliation |
| Major US transit system | Discovery and classification of all assets including train-control systems, anomaly-based detection of unauthorized devices, and automated isolation from a single solution |
“Segmentation in regulated industries isn’t a best practice. It’s the only way to protect devices that cannot protect themselves.”
The problem that won’t solve itself
The number of unmanaged, unagentable devices in enterprise environments is growing, not shrinking. Industrial transformation, smart building infrastructure, connected medical technology, edge computing — every one of these trends adds devices the legacy security stack cannot see or protect.
The answer is not to find a way to put an agent on everything. The physics of OT and IoMT make that impossible for the foreseeable future. The answer is to make the network the place where every device is seen, understood, and governed — with enforcement that is automated, precise, and tightly integrated with the infrastructure already in place.
That’s what ORDR was built to do. And I believe it’s one of the most important unsolved problems in enterprise security today.
Pandian Gnanaprakasam
Co-founder & CEO, ORDR
