A real PLC, on your side of the wire.
Docker-delivered, deterministic PLC simulation that runs entirely inside your VPC. Ladder-logic and Structured Text execution, real industrial protocols on bind-mounted ports, and a BLAKE3-sealed cycle trace — without telemetry leaving the enclave.
- Image size: ~280 MB
- Min cycle: 1 ms
- Outbound: 0 calls
- Protocols: 6
Why teams insist on a Virtual PLC.
Real plants don’t share their PLCs. Vendor demos are scripted videos. SaaS simulators leak by definition. A signed Docker image you run in your enclave is the only path that satisfies OT security review.
Air-gapped by design
The PLC image runs inside your own VPC or on a bare Linux host. No outbound telemetry, no phone-home, no licence-server dependency. The evidence chain signs locally with a per-deployment key.
Docker-delivered
One signed image. Operators pull it, set environment flags, and start generating PLC behaviour on day one — no separate installer, no driver hell, no kernel modules.
Enterprise tier only
VPLC is included only with Enterprise and Sovereign plans. The rest of the platform may continue to run in our cloud — the VPLC sits firmly on your side of the wire.
What it does on day one.
Ladder-logic and Structured Text programs run deterministically from a sealed seed.
Configurable cycle time (1 ms – 250 ms), input/output table sizes, scan cadence.
Operator actions scripted, replayed from a captured session, or driven by the SDK.
Modbus/TCP, OPC-UA, BACnet, MQTT, DNP3, and IEC 61850 endpoints exposed on bind-mounted ports.
Full cycle trace persisted as a BLAKE3-sealed evidence ledger, verifiable offline.
Red-team scenario library: timing attacks, register spoofing, logic-bomb injection.
Physics-honest response model per analog tag; event-driven state machines with safety interlocks for every discrete state.
Per-cycle structured logs ready for ingest into Splunk, Elastic, or your SIEM of choice.
Five layers, each one auditable.
No magic. No kernel modules. No out-of-process daemons your security team has to chase down at 2 a.m.
Single signed Docker image (~280 MB, distroless base). Reproducible build, SBOM published, signed with cosign.
Deterministic scheduler running ladder/ST programs. Per-tag calibrated response model. Strict scan-cycle accounting.
Six industrial protocols on bind-mounted ports: Modbus/TCP (502), OPC-UA anon+cert (4840), BACnet (47808), MQTT 3.1.1/5 (1883), DNP3 (20000), IEC 61850 MMS (102). You choose which to expose per deployment.
Cycle trace + I/O snapshot + alarm log → BLAKE3 chain → signed .tar.zst bundle on a host volume.
REST + SDK to load programs, set tag values, schedule disturbances, inject red-team events.
# 1. Enterprise tarball — delivered via signed offline channel.
# Load the signed image into the customer's registry / daemon.
docker load < radmah-vplc-1.4.2.tar

# Keyless Sigstore verification against the GitHub Actions OIDC identity
# used by our CD pipeline. No separate public key to distribute.
cosign verify \
  --certificate-identity-regexp '^https://github\.com/ITLOXENT/radmah-ai/\.github/workflows/cd\.yml@' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  $VPLC_IMAGE

# 2. Run with bind-mounted ports + evidence volume
docker run -d --name vplc \
  -p 502:502 -p 4840:4840 -p 47808:47808/udp \
  -p 1883:1883 -p 20000:20000 -p 102:102 \
  -v /opt/vplc/evidence:/evidence \
  -e VPLC_TENANT=acme-prod \
  -e VPLC_LICENSE_FILE=/license/key.bin \
  -v /opt/vplc/license:/license:ro \
  $VPLC_IMAGE

# 3. Drive a scenario
rady vplc simulate \
  --target localhost:502 \
  --program ./programs/clarifier.st \
  --disturbance storm-surge --duration 30m

$ slt evidence verify ./scada-2841.bundle.tar.zst
→ unpacking 14 artefacts ………………… ok
→ checking BLAKE3 chain ………………… ok
→ verifying ed25519 signature ……… ok
manifest: sha 9c10ab…
contract_K: sha a4f2d8…
pcapng: sha 5e2c1a… 42.7 MB
signals.parquet: sha 1b8d44… 3.4 MB
truth.ndjson: sha 5e2c1a… 6 events
blake3.chain: sha a4f2d8… root a4f2…d801
✓ chain verified — 9 / 9 artefacts intact
✓ signed by acme-soc-prod (cosign · key-id 0x4f1c)

$ slt evidence summary --truth
6 attack events · 3 MITRE classes · 70% benign
earliest 14:30:06 latest 14:35:42 span 5m36s
✓ ready for IDS scoring
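The "checking BLAKE3 chain" step above relies on a hash chain over the cycle trace. The sketch below is an added example, not the product's code or ledger format: the record layout, the all-zero genesis link and the canonical-JSON encoding are assumptions, and BLAKE2b-256 from the standard library stands in when the third-party `blake3` package is not installed.

```python
import hashlib
import json

try:  # real BLAKE3 needs the third-party "blake3" package
    from blake3 import blake3
    def digest(data: bytes) -> bytes:
        return blake3(data).digest()
except ImportError:  # stand-in so the sketch runs on a bare host: BLAKE2b-256
    def digest(data: bytes) -> bytes:
        return hashlib.blake2b(data, digest_size=32).digest()

GENESIS = bytes(32)  # assumed all-zero anchor for the first link

CYCLES = [  # constructed sample cycle records
    {"cycle": 1, "t_ms": 0, "tags": {"level_pct": 41.2, "pump": 0}},
    {"cycle": 2, "t_ms": 10, "tags": {"level_pct": 41.9, "pump": 1}},
    {"cycle": 3, "t_ms": 20, "tags": {"level_pct": 41.5, "pump": 1}},
]

def canonical(record: dict) -> bytes:
    # Sorted keys and fixed separators: one record, one byte string.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(records):
    """Return hex link hashes; link[i] = H(link[i-1] || record[i]); last is the root."""
    links, prev = [], GENESIS
    for rec in records:
        prev = digest(prev + canonical(rec))
        links.append(prev.hex())
    return links

def verify(records, links, trusted_root):
    """Return (ok, index of first record that breaks the chain, or None)."""
    if len(records) != len(links):
        return False, min(len(records), len(links))
    prev = GENESIS
    for i, (rec, link) in enumerate(zip(records, links)):
        prev = digest(prev + canonical(rec))
        if prev.hex() != link:
            return False, i
    # Whoever edits records can also recompute links, and truncation keeps the
    # chain self-consistent; only a root pinned elsewhere (signed) catches both.
    if not links or links[-1] != trusted_root:
        return False, None
    return True, None
```

The chain alone only proves internal consistency; the signature over the root is what ties the ledger to the deployment that produced it.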
Who runs it, and why.
IDS / SIEM detection-engine validation
Replay the same attack sequence dozens of times to prove a detection rule fires at the expected confidence. Ground-truth labels travel inside the bundle.
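One way to score a detection rule set against the ground-truth labels, as an added example that is not part of the product: the NDJSON field names (`ts`, `class`, `rule`), the rule names, the timestamps and the 30-second match window are all constructed assumptions, with class names borrowed from the scenario library listed earlier.

```python
import json
from datetime import datetime

# Constructed samples; the field names "ts", "class" and "rule" are assumptions.
TRUTH_NDJSON = """\
{"ts": "2024-01-01T14:30:06", "class": "register-spoofing"}
{"ts": "2024-01-01T14:31:40", "class": "timing-attack"}
{"ts": "2024-01-01T14:35:42", "class": "logic-bomb-injection"}
"""
ALERTS_NDJSON = """\
{"ts": "2024-01-01T14:30:09", "rule": "modbus-unexpected-write"}
{"ts": "2024-01-01T14:30:11", "rule": "modbus-unexpected-write"}
{"ts": "2024-01-01T14:33:00", "rule": "scan-jitter"}
{"ts": "2024-01-01T14:35:50", "rule": "program-download"}
"""

def load(ndjson):
    """Parse NDJSON, attach a datetime to each row, return rows in time order."""
    rows = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    for row in rows:
        row["t"] = datetime.fromisoformat(row["ts"])
    return sorted(rows, key=lambda row: row["t"])

def score(truth, alerts, window_s=30.0):
    """An event is detected if any alert fires within window_s after it starts."""
    def delay(alert, event):
        return (alert["t"] - event["t"]).total_seconds()
    def in_window(alert, event):
        return 0 <= delay(alert, event) <= window_s
    latencies, missed = [], []
    for event in truth:
        hits = [a for a in alerts if in_window(a, event)]
        if hits:
            latencies.append((event["class"], delay(hits[0], event)))
        else:
            missed.append(event["class"])
    # Repeat alerts inside a labelled window are duplicates, not false positives;
    # only alerts that match no labelled event count against the rule set.
    false_pos = [a["rule"] for a in alerts
                 if not any(in_window(a, e) for e in truth)]
    return {"recall": len(latencies) / len(truth) if truth else 0.0,
            "latencies": latencies, "missed": missed, "false_positives": false_pos}
```

With the sample data the `scan-jitter` alert fires 80 seconds after the timing event, so it scores as a miss plus a false positive at 30 seconds and as a detection at 120; fix the window before comparing replays.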
Operator training without touching prod
Give a trainee a live PLC — synthetic but behaviourally identical to your real plant — and let them drive a full scenario without risk to the running process.
Red-team exercises under NDA
Run intrusion exercises inside the enclave. Nothing about the environment, the attack, or the evidence crosses the boundary unless you push it.
Vendor PoC sandbox
Stand up a clean PLC image per vendor evaluation. Reset to the sealed baseline between PoCs. The evidence bundle gives you an audit-grade record of what each vendor saw.
30-day evaluation licence on a signed image.
Tell us your plant type, your protocol surface, and the scenarios you need to prove. We cut a 30-day evaluation licence pinned to your registry hash.