Remote access is how critical infrastructure gets managed today. Engineers connect from different locations to operate systems across energy, water, and manufacturing. That access keeps operations running, but it also creates a clear entry point for attackers.
Once someone gets in, time matters. Even a short delay between detecting suspicious activity and stopping it can leave systems exposed. In many OT environments, that delay still depends on manual response, which can take minutes or longer.
Xona Systems is trying to tighten that window with a new capability called Active Defense. The focus is simple: act on suspicious behavior while the session is still active.
The system connects OT detection platforms directly to enforcement at the session level. When something looks off, it evaluates the signal and applies a response right away. That response could be step-up authentication, limiting access, suspending the session, or ending it completely.
The goal is to reduce the gap between signal and action to almost nothing, so attackers don’t stay connected while teams figure out what to do.
This model depends on the quality of detection signals, and that’s where things are still developing. Raed Albuliwi, CPO at Xona Systems, told ChannelE2E, “Today we only integrate with Forescout. We have plans to extend this functionality to our other partners Nozomi and Dragos.”
That leaves a gap for organizations using other OT tools. Albuliwi said the longer-term plan is to move toward a more flexible approach. “Right now each OT asset detection vendor has a specific way to query and receive alerting information. Our goal is to create a vendor-agnostic way to consume this information and provide this capability as part of our open API.”
For now, the integrations are tied to a defined partner ecosystem. “Right now, this is specific to our partner ecosystem… our goal is to make consuming asset information and alerts vendor agnostic so any OT detection tool can work.”
Automation in OT comes with a different level of risk. A wrong move doesn't just block a user; it can affect physical processes.
Xona’s approach is to keep enforcement limited to the remote access layer. “Active defense was designed from the ground up for OT environments and operates only at the secure remote access session layer. By design OT operations are never disrupted, only the remote access connection coming through the Xona platform.”
At the same time, organizations control how aggressive those responses are. “It is up to the individual user administering the Xona platform to select the appropriate severity and corresponding response actions, which can range from disconnecting a user to simply sending an alert to a SIEM.”
That control matters in environments where uptime is critical and false positives carry real consequences.
For MSPs, this shifts how OT security can be delivered. Instead of reviewing logs after an incident, the platform ties together detection signals, user sessions, and response actions in real time.
“This is a perfect use case whereby the Xona platform reconciles threat alerts from the OT visibility platform with the active user session information to construct a detailed SOC/MSSP log of activity, which is actionable,” Albuliwi said. “Instead of trawling through multiple sets of logs after the fact, Active Defense combines them along with a response action in real-time to tell a complete story of threat activity, which can be further investigated by the MSSP/SOC operator.”
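The article describes two mechanics without showing them: an administrator-chosen mapping from alert severity to a session-level response (alert only, step-up authentication, restricted access, suspension, termination) and the reconciliation of a detection-platform alert with the active remote-access session it came through, producing one actionable log record. The following is an added illustration of that workflow written for this page; it is not Xona's code or API, and the session, alert, policy and field names are all constructed assumptions. It deliberately falls back to "alert only" when an alert cannot be tied to exactly one active session, since acting on the wrong session in an OT environment is the failure mode the text warns about.

```python
"""Constructed example of a session-level response engine (not Xona's code).

An alert from an OT detection platform is joined to the remote-access
session it arrived through; a policy maps the alert's severity to an
enforcement action on that session only, and a single correlated log
record is returned for the SOC/MSSP operator.
"""
from dataclasses import dataclass

# Response tiers, from least to most disruptive (names are assumed, not Xona's)
ACTIONS = ["alert_siem", "step_up_auth", "restrict_access",
           "suspend_session", "terminate_session"]

# Admin-chosen severity -> action policy (constructed defaults)
DEFAULT_POLICY = {
    "low": "alert_siem",
    "medium": "step_up_auth",
    "high": "suspend_session",
    "critical": "terminate_session",
}


@dataclass
class Session:
    """One remote-access session brokered by the access platform (assumed fields)."""
    session_id: str
    user: str
    source_ip: str
    target_asset: str
    state: str = "active"


@dataclass
class Alert:
    """One alert as received from an OT detection platform (assumed fields)."""
    alert_id: str
    source_ip: str
    target_asset: str
    severity: str  # "low" | "medium" | "high" | "critical"
    description: str


def match_session(alert, sessions):
    """Join an alert to the active session it came through.

    Both the source IP and the target asset must match. If zero or more than
    one active session matches, return None: the caller must not enforce on
    an ambiguous match.
    """
    candidates = [s for s in sessions
                  if s.state == "active"
                  and s.source_ip == alert.source_ip
                  and s.target_asset == alert.target_asset]
    return candidates[0] if len(candidates) == 1 else None


def apply_action(session, action):
    """Change only the remote-access session's state; the OT asset is untouched."""
    transitions = {
        "terminate_session": "terminated",
        "suspend_session": "suspended",
        "restrict_access": "restricted",
        "step_up_auth": "pending_mfa",
        "alert_siem": session.state,  # notify only, session continues
    }
    session.state = transitions[action]
    return session.state


def respond(alert, sessions, policy=None):
    """Evaluate one alert and return a single correlated, actionable log record."""
    policy = DEFAULT_POLICY if policy is None else policy
    action = policy.get(alert.severity, "alert_siem")  # unknown severity: notify only
    if action not in ACTIONS:
        raise ValueError(f"policy maps {alert.severity!r} to unknown action {action!r}")

    record = {
        "alert_id": alert.alert_id,
        "severity": alert.severity,
        "description": alert.description,
        "policy_action": action,
    }
    session = match_session(alert, sessions)
    if session is None:
        # No unique active session: never touch a session blindly, just alert
        record.update({"session_id": None, "user": None,
                       "action_taken": "alert_siem",
                       "reason": "no unique active session matched"})
        return record

    new_state = apply_action(session, action)
    record.update({"session_id": session.session_id, "user": session.user,
                   "action_taken": action, "session_state": new_state})
    return record


if __name__ == "__main__":
    # Constructed sample data
    active = [Session("s-100", "eng_a", "10.0.1.5", "plc-07"),
              Session("s-101", "eng_b", "10.0.1.6", "hmi-02")]
    alerts = [Alert("a-1", "10.0.1.5", "plc-07", "critical", "unauthorized register write"),
              Alert("a-2", "10.0.9.9", "plc-07", "high", "port scan from unmanaged host")]
    for a in alerts:
        print(respond(a, active))
```

The join key (source IP plus target asset) is the weakest part of any such scheme in practice: NAT on the jump path or two engineers sharing an address will make matches ambiguous, which is exactly why the example refuses to enforce in that case and why a deployment would want a stronger session identifier carried in the alert.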
That creates a clearer path for managed services built around response and containment, not just monitoring.
There’s growing pressure on critical infrastructure operators to act faster. Agencies like CISA have flagged remote access pathways as a common target for attackers. As remote connectivity expands, the expectation is changing. Detection alone isn’t enough if response lags behind.
What Xona is building reflects that shift. Security in OT is moving closer to the point of access, where decisions can be enforced immediately. For operators and MSSPs, that changes how response is measured and delivered, especially when access itself is the control point.