In January 2026, AV-Comparatives conducted its annual Operational Technology Protection Certification test. The certification evaluates whether security products can effectively prevent execution-based attacks in fully offline, air-gapped environments typical of Operational Technology (OT) deployments.

Operational Technology environments are common in critical infrastructure and sectors such as manufacturing, energy production, transportation, utilities, oil and gas, and healthcare. In these environments, systems frequently operate without internet connectivity and must rely exclusively on locally enforced protection mechanisms. Cloud-based reputation systems, external intelligence feeds, or continuous online validation are often unavailable by design.

For this reason, execution control under fully offline conditions represents a critical security requirement.

Focus of the Certification

The OT Certification is designed to assess execution-based protection in post-breach scenarios. The test assumes that an attacker has already obtained local access to the system, for example through insider activity, physical access, or removable media.

Under these conditions, the product must prevent the execution of untrusted binary code without relying on Internet connectivity, which prevents access to:

• Cloud-assisted intelligence
• External reputation services

Testing was conducted on Windows 10 systems configured in a fully offline, air-gapped state. All malicious and legitimate components were delivered via removable media in order to reflect realistic OT workflows.

Tested Attack Scenarios

The 2026 certification cycle evaluated five execution-based attack scenarios:

• Binary impersonation using legitimate metadata
• Binary with legitimate metadata and an invalid certificate
• Binary signed with a leaked but valid certificate
• DLL sideloading via a trusted executable
• Execution of a modified or backdoored legitimate binary

In addition to these malicious scenarios, a legitimate offline application update delivered via USB media was tested. This scenario evaluates whether the product can correctly distinguish between malicious execution attempts and valid administrative processes without causing operational disruption.

To achieve certification, a product must:

• Successfully prevent all defined malicious execution attempts at execution time
• Provide active enforcement, not merely post-execution detection
• Correctly allow the legitimate offline update to complete without breaking the application

Only products that meet all defined environmental and technical criteria are eligible for public certification reports.

2026 Certification Outcome

In the 2026 test cycle, two products successfully fulfilled all requirements of the Operational Technology Protection Certification:

• Kaspersky Industrial CyberSecurity for Nodes 4.5
• Trellix Endpoint Security 10.7

Both products prevented all defined offline post-breach execution scenarios and correctly handled the legitimate offline update under the tested configurations.

Certification results are valid exclusively for the specific product versions and configurations tested. Different configurations may lead to different outcomes.

OT Certification vs. Zero-Trust Certification

The OT Certification is distinct from AV-Comparatives’ Zero-Trust Certification programme. While both evaluate execution-based protection in post-breach scenarios, the OT track specifically requires effective enforcement in fully offline, air-gapped environments.

Products that depend on active cloud connectivity for trust decisions are not eligible for OT Certification and must apply under the Zero-Trust track instead. In the 2026 test cycle, none of the ZT products submitted to the Zero-Trust track reached certification.

Detailed certification reports, including methodology, configuration information, and technical findings, are available for both certified products individually via the links mentioned above.