
Elisity + Claroty xDome: Identity-Based Microsegmentation for OT and IoMT

Claroty xDome identifies and classifies every OT, IoMT, and XIoT device on your network, down to firmware version and Purdue level. Elisity enforces identity-based microsegmentation through your existing switches. The bidirectional integration closes the loop: xDome’s device intelligence drives your segmentation policies, and Elisity’s enforcement status flows back to xDome so your team can verify coverage from either console.

[Figure: Elisity and Claroty xDome integration architecture diagram for OT and IoMT microsegmentation. Labels: Device Intelligence, Network Enforcement Point.]
  • Integration Demo

    Stronger Identity, Smarter Policies: Claroty xDome Integrated with Elisity

    See how Claroty xDome device attributes (device type, manufacturer, firmware version, Purdue level, and custom tags) flow into Elisity IdentityGraph and become the match criteria for your microsegmentation policies, enforced through your existing switches.


Support Documentation

Read the comprehensive integration details and resources.
Claroty xDome Classification Details

Step-by-step guide to connecting Claroty xDome with Elisity IdentityGraph for OT/IoMT microsegmentation.

Claroty xDome

View Claroty xDome device classification attributes, data fields, and enrichment details.

Challenge


OT and IoMT Asset Visibility with Claroty xDome

Your network scanner sees an IP address at 10.4.12.87. It doesn’t tell you that’s a Siemens S7-1500 PLC running firmware v2.8, sitting at Purdue Level 1, communicating with an HMI it has no business talking to. That gap between “connected” and “classified” is where your OT risk lives. Without knowing what a device is, what firmware it runs, and where it sits in your Purdue model, your security team is writing segmentation policies based on guesswork.

Elisity Solution


Claroty xDome Asset Intelligence Enriches Elisity IdentityGraph

Claroty xDome (formerly Medigate for healthcare environments) uses deep protocol inspection to classify every OT, IoMT, and XIoT device on your network. It doesn’t just find devices. It profiles them: device type, model, manufacturer, serial number, operating system, firmware version, Purdue level, and custom Claroty tags. That’s 8 attributes per device flowing into Elisity IdentityGraph through a native API connection. Elisity uses those attributes as match criteria to assign devices into Policy Groups automatically. And because the integration is bidirectional, Elisity returns your Policy Group classifications, enforcement status, and device labels back to xDome, so your operations team can verify segmentation coverage without switching consoles.

Challenge


Protecting Legacy OT Devices That Cannot Run Endpoint Agents

A GE CT scanner in your radiology department runs an embedded OS that hasn’t been patched in four years. A Rockwell Allen-Bradley PLC on your production floor can’t accept an endpoint agent without voiding the warranty. Both devices will be on your network for another decade. You can’t patch them. You can’t install agents on them. And you can’t take them offline because they’re running patient care and production lines right now.

Elisity Solution


Agentless Microsegmentation Enforcement via Existing Infrastructure

Elisity enforces least-privilege access policies at your existing switch ports, with nothing installed on the device itself. That CT scanner gets a policy based on its xDome classification (device type, Purdue level, manufacturer) that restricts it to communicating only with PACS servers and authorized diagnostic workstations. The PLC gets a policy that limits traffic to its designated HMI and historian. If a device’s Claroty classification changes (new firmware, new behavior pattern), Elisity updates the policy automatically. The device doesn’t know it’s been segmented, which is exactly what you need when downtime isn’t an option.

Challenge


Complex Microsegmentation Deployment and Extended Time to Value

You’ve seen the pattern. A segmentation project kicks off with a 12-month timeline. Six months in, the team is still manually inventorying devices because nobody can agree on the VLAN architecture. Twelve months in, the project stalls because the policy matrix has 4,000 rules and the team that built it can’t maintain it. Meanwhile, your IEC 62443 compliance deadline hasn’t moved. The problem isn’t willpower. It’s that traditional segmentation forces you to redesign your network before you can protect it.

Elisity Solution


Deploy Claroty-Powered Microsegmentation in Weeks, Not Years

Connect Claroty xDome to Elisity through the API integration in the Elisity Cloud Control Center. Once connected, xDome’s device classifications flow into IdentityGraph, and Elisity maps them into Policy Groups using attributes like Purdue level, device type, and custom Claroty tags. Those Policy Groups align directly with IEC 62443 zones and conduits, so your compliance mapping is built into your segmentation architecture from day one. No VLAN redesign. No new hardware. Your existing switches become the enforcement point. Organizations that have done this move from integration to enforced policies in weeks, not the 12-to-18-month timelines traditional projects require.

Challenge


Compliance and Regulatory Alignment Across OT and IoMT Environments

Your compliance audit asks you to prove that 3,400 OT devices are segmented into IEC 62443 zones and conduits. Your spreadsheet says they are. Your network says otherwise. Auditors want evidence that a Purdue Level 1 PLC can’t reach a Level 3 historian outside its designated zone. They want proof that infusion pumps in the cardiac unit are isolated from general hospital IT traffic per HIPAA requirements. Your team has been mapping devices to zones manually, reconciling Claroty inventory exports against firewall rules in a spreadsheet that’s already two weeks stale. Every new device that connects to the network invalidates your last mapping exercise. The gap between your compliance documentation and your actual enforcement posture widens every day, and it only takes one auditor pulling one device at random to expose it.

Elisity Solution


Automated Zone-to-Policy Mapping with Claroty and Elisity

Claroty xDome classifies every device by Purdue Level (0 through 3), device type, and operational context. Elisity maps those classifications directly to microsegmentation Policy Groups that align with IEC 62443 zones and conduits automatically. A Purdue Level 1 PLC gets assigned to a Policy Group that enforces zone boundaries through your existing switches, no manual rule-writing required. For healthcare environments, xDome (formerly Medigate) provides MDS2 security data and clinical workflow context, so identity-based policies restrict device communications without disrupting patient care. Infusion pumps reach their medication dispensing systems. CT scanners talk to PACS. Nothing else. Because the integration is bidirectional, your compliance team can verify segmentation coverage for every device directly in xDome without switching consoles. When an auditor asks for proof that 3,400 devices are segmented according to IEC 62443 zone definitions, you show them a live view, not a spreadsheet from last quarter. The mapping stays current because every new device Claroty classifies flows into IdentityGraph and receives its zone-appropriate policy within minutes of connecting to the network.

Challenge


Vulnerability Response and Risk-Based Enforcement for OT Devices

A critical CVE drops on Tuesday morning. It affects Rockwell Automation firmware versions running on 847 of your PLCs across 12 plant floors. Your security team needs to contain exposure before the next shift change, without pulling a single device offline. In IT, you’d push a patch and move on. In OT, patching means scheduling downtime windows, validating firmware compatibility, and coordinating with operations teams who won’t accept unplanned outages. So those 847 PLCs sit exposed while your team manually identifies affected devices, cross-references asset inventories, and debates which firewall rules to tighten without breaking production traffic. The real risk isn’t just the CVE itself. It’s the lateral movement opportunity it creates. One compromised PLC becomes a pivot point to reach historians, HMIs, and engineering workstations across your industrial network. Every hour you spend identifying affected devices is an hour an attacker could be moving laterally.

Elisity Solution


Risk-Aware Policy Tightening Powered by Claroty Vulnerability Intelligence

Claroty xDome’s vulnerability assessment identifies every device running the affected firmware and feeds risk scores into Elisity IdentityGraph. Elisity uses those risk attributes to trigger policy tightening for affected devices automatically. Those 847 PLCs get restricted to essential operational traffic only: communication with their designated HMIs and historians, nothing else. You contain the blast radius through OT microsegmentation without pulling a single device offline and without rewriting firewall rules under pressure. Production keeps running. The vulnerable PLCs still perform their process control functions, but their network access is locked down to the minimum required for operations. Meanwhile, Claroty continues monitoring those devices for exploitation attempts and anomalous behavior. If a device shows signs of compromise, Elisity can tighten the policy further or isolate the device entirely, all enforced at the switch port with no agent required. Once the patching window arrives and firmware is updated, Claroty’s updated risk score flows back to IdentityGraph and the policy relaxes to normal operational parameters. The entire response cycle, from CVE disclosure to containment to remediation, runs through the same bidirectional integration without your team touching a single manual rule.


Webinar On Demand

Watch the integration walkthrough: Claroty xDome device classification powering Elisity microsegmentation policies in a live OT environment.


Explore Our Integrations

Elisity integrates with leading IT, OT, and IoT asset intelligence platforms. Combine deep device discovery and classification with identity-based microsegmentation enforced through your existing network infrastructure.

  • Device Intelligence / Risk Status
  • EDR / Risk Status
  • CMDB
  • Network Enforcement Point
  • User Identity / Device Metadata
  • SIEM

Claroty xDome + Elisity Integration FAQ

Get answers to common questions about how Elisity integrates with Claroty xDome to deliver identity-based microsegmentation for OT and IoMT environments.

How does the Claroty xDome and Elisity integration work?

Claroty xDome discovers, classifies, and profiles every OT and IoMT device in your environment, building a comprehensive asset inventory. This device intelligence is automatically shared with Elisity's IdentityGraph through a bidirectional API integration. Elisity then uses this enriched context to create and enforce identity-based microsegmentation policies through your existing network switches, delivering Zero Trust protection without requiring new hardware or endpoint agents.

Can the Claroty-Elisity integration protect OT and IoMT devices without installing agents?

Yes. Both Claroty xDome and Elisity operate entirely without agents on endpoints. Claroty uses passive network monitoring and deep packet inspection to discover and classify devices, while Elisity enforces microsegmentation policies through your existing network infrastructure. This agentless approach is critical for OT and IoMT environments where devices cannot support software agents due to regulatory constraints, legacy operating systems, or operational sensitivity.

What types of OT and IoMT devices does the integration cover?

The Claroty-Elisity integration covers the full spectrum of cyber-physical systems: industrial controllers (PLCs, RTUs, DCS), medical devices (infusion pumps, imaging systems, patient monitors), building management systems (HVAC, access control), and IoT endpoints across healthcare, manufacturing, energy, and critical infrastructure environments. Claroty xDome's Extended Internet of Things (XIoT) visibility ensures no connected device goes unidentified.

How quickly can you deploy Claroty xDome with Elisity microsegmentation?

The API integration between Claroty xDome and Elisity connects in minutes, with immediate data enrichment flowing into IdentityGraph. Organizations typically achieve full microsegmentation deployment in weeks rather than years because Elisity uses Claroty's device classifications to automatically create policy groups. There is no need for network redesign, VLAN reconfiguration, or complex firewall rule management.

Does the integration support IEC 62443 and other OT compliance requirements?

Yes. The Claroty-Elisity integration directly supports IEC 62443 zone and conduit segmentation requirements by enabling granular, identity-based access policies mapped to OT asset classifications. Claroty provides the device context needed to define security zones, while Elisity enforces least-privilege network segmentation policies that align with IEC 62443, NIST CSF, and other regulatory frameworks for industrial control system security.
