We are launching a sister practice. Cascadia OT Security is a Pacific Northwest penetration testing firm built specifically for operational technology (OT) and industrial control system (ICS) environments — the BMS that keeps a hyperscale data center cool, the PLCs that run a food processing line, the SCADA system supervising a water utility. It is a separate brand and a separate operations team because OT pentesting is not IT pentesting with industrial assets in scope. It is a different methodology, different tooling, different safety constraints, and a different buyer.
This post explains why we spun it out, what Cascadia does that MSP Pentesting does not, and when an MSP partner or client should bring Cascadia in.
Why a separate brand
MSP Pentesting is a channel-only IT pentesting practice. We do external network, internal network, web application, cloud, social engineering, and Wi-Fi pentesting for SOC 2, PCI DSS, HIPAA, and other compliance frameworks. The methodology is built around IT assets that are designed to fail safely under network stress — servers that gracefully reject malformed packets, applications that throw a 500 instead of corrupting state, cloud control planes that auto-heal.
OT and ICS environments do not work that way. A Building Management System will not gracefully reject a malformed Modbus packet — it can lock up. A vendor remote-access jump host into a plant network that crashes during testing can lock out the integrator who needs to respond to a real alarm. A loud port scan against a production PLC can stop a production line. The IT pentest playbook is dangerous in OT. Trying to bolt OT capability onto an IT pentest team is how you create that danger.
So we built Cascadia as a separate practice with separate operators, separate methodology, and separate safety protocols designed for industrial environments. Same parent company, same channel-friendly partnership model, completely different testing discipline.
What Cascadia does that we do not
Cascadia covers two specialties:
OT penetration testing — the enterprise OT layer. Building Management Systems, DCIM, the IT-to-OT boundary, vendor remote access, and the network and identity infrastructure that surrounds a control system. The buyer is typically a data center director, a plant manager, or a CISO who has inherited OT scope. The methodology is mapped to NIST SP 800-82 Rev. 3 and MITRE ATT&CK for ICS.
ICS penetration testing — the controls layer itself. PLCs, RTUs, SCADA servers, HMI workstations, process historians, and Safety Instrumented Systems (SIS). Protocol-aware tooling for Modbus, DNP3, Profinet, EtherNet/IP, and OPC-UA. The buyer is typically a controls engineer, a process safety lead, or a CISO with audit pressure. The methodology is mapped explicitly to IEC 62443-3-3 and IEC 62443-4-2.
Both specialties operate under the same non-negotiable: zero impact on production. Active exploitation only against vendor-spare lab units, never against production controllers. Passive observation against live segments. Change windows for any test that touches boundary devices. Operations holds a kill switch that halts all testing within 60 seconds.
When to bring Cascadia in
Three situations come up often enough to be worth flagging:
Your client’s scope expands into OT. A client running a SOC 2 program adds a manufacturing facility, a data center, or a critical infrastructure tenant. The auditor wants the OT environment in scope but the client’s usual MSP and pentest vendor do not have OT capability. This is the most common Cascadia engagement: an MSP refers the OT scope to Cascadia, keeps the IT pentest in-house, and presents a unified compliance package to the client.
Your client is a Pacific Northwest data center, manufacturer, or utility. Cascadia is regionally focused on Oregon, Washington, and Idaho — the hyperscale corridor (Hillsboro, Prineville, Boardman, Umatilla, The Dalles, Quincy WA), Pacific Northwest manufacturers (food & beverage, semiconductor, paper & pulp, metals, aerospace), and PNW water and hydropower utilities. On-site engagements anywhere in the region are standard.
Your client’s cyber insurance underwriter or auditor is asking for an ICS-specific pentest. A growing number of underwriters now require an ICS-specific penetration test — not a generic IT pentest with industrial assets in scope — before they will renew or write a policy on a facility with significant OT exposure. Cascadia’s reports are written specifically to satisfy that requirement, with explicit IEC 62443 control mapping.
How the referral works
For MSP partners: introduce the client by email or a quick three-way call. Cascadia handles scoping directly with the client’s operations team. We protect the MSP relationship — Cascadia is positioned as your specialist sister practice, not a competing vendor.
For direct clients: contact Cascadia at hello@cascadiaots.com or use the briefing form at cascadiaots.com. The first conversation is a 30-minute scoping discussion with the practice team. No sales engineer in the loop — you talk to the people who will actually run the engagement.
What does not change for MSP Pentesting
MSP Pentesting continues as the channel-only IT pentest practice. Same wholesale pricing, same white-label reporting, same partner program. Cascadia is not absorbing or reshuffling any of that. If your client’s scope is IT — external network, internal network, web app, cloud, Wi-Fi, social engineering — you are still working with us directly through the partner program.
If you have a client whose scope is creeping into OT and you want a quick sanity check on whether Cascadia is the right call, send us a note. We will read the scope and tell you honestly whether it is something Cascadia should handle or whether it can stay in the IT pentest envelope.
Welcome to the family, Cascadia. Now go make the Pacific Northwest’s critical infrastructure measurably harder to attack.
.avif){kind=logo}
.png){kind=logo}
.png)
.png)
