Stop asking “Which EDR is best?” Start asking “Which EDR can survive our maintenance windows, offline updates, and safety requirements without creating new downtime risk?”
Air-gapped doesn’t mean risk-free. It means different failure modes:
– Limited connectivity
– Strict change control
– Safety-critical uptime
In OT, “agent-based vs agentless” is the wrong first filter. Start with requirements that match plant reality, then evaluate architectures.
A requirements-first checklist for air-gapped ICS EDR:
1) Deployment model: can it be installed, approved, and rolled back within change control?
2) Offline updates: signed packages, deterministic upgrades, no cloud dependency, clear SBOM and versioning.
3) Resource impact: CPU/RAM/disk caps, no surprise scans, predictable scheduling around maintenance windows.
4) Telemetry in an offline world: local buffering, store-and-forward, export via removable media, and clear data formats.
5) Forensics readiness: timeline and process tree visibility, integrity of logs, evidence handling that fits your procedures.
6) Recovery and containment: safe isolation actions, kill/deny options that won’t trip safety systems or stop critical processes.
7) Coverage of OT endpoints: legacy Windows, embedded boxes, HMIs, engineering workstations, plus vendor support lifecycles.
8) Auditability: repeatable reporting, configuration drift detection, and approvals traceability.
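One way to turn item 2 into a repeatable gate before an update touches a plant host, as an added example that is not from the original post: a check of an offline update bundle for authenticity, deterministic contents, monotonic versioning, an SBOM, and the absence of network dependencies. The HMAC pre-shared key, manifest layout and file names are constructed assumptions standing in for a vendor's real signature scheme.

```python
import hashlib
import hmac
import json
import re

# Constructed pre-shared key standing in for the vendor's signing key; a real
# bundle would carry a vendor signature verified against a pinned public key.
VERIFY_KEY = b"constructed-demo-verify-key"

def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))

def sign_manifest(files: dict, version: str, extra: dict = None) -> tuple:
    """Build a manifest for a bundle (constructed test data) and its HMAC tag."""
    manifest = {"version": version,
                "files": {n: hashlib.sha256(b).hexdigest() for n, b in files.items()}}
    manifest.update(extra or {})
    raw = json.dumps(manifest, sort_keys=True).encode()
    return raw, hmac.new(VERIFY_KEY, raw, hashlib.sha256).hexdigest()

def check_update_bundle(manifest_bytes: bytes, tag: str, files: dict,
                        installed_version: str) -> list:
    """Return findings; an empty list means the bundle passes the offline-update checks."""
    expected = hmac.new(VERIFY_KEY, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return ["manifest authentication failed"]   # nothing else can be trusted
    m = json.loads(manifest_bytes)
    findings = []
    # Deterministic upgrade: every listed file present with the listed hash, and no extras.
    for name, digest in m["files"].items():
        if name not in files:
            findings.append(f"missing file: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            findings.append(f"hash mismatch: {name}")
    findings += [f"unlisted file: {n}" for n in files if n not in m["files"]]
    # Versioning: must move forward; a silent downgrade is a change-control violation.
    if parse_version(m["version"]) <= parse_version(installed_version):
        findings.append(f"version {m['version']} is not newer than {installed_version}")
    # The SBOM must ship inside the package, not be fetched later.
    if "sbom.json" not in m["files"]:
        findings.append("no SBOM in bundle")
    # Air-gap: the manifest may not point at network endpoints (cloud dependency).
    if re.search(r"https?://", manifest_bytes.decode()):
        findings.append("manifest references a network URL")
    return findings

if __name__ == "__main__":
    good = {"agent.msi": b"constructed installer bytes", "sbom.json": b'{"components": []}'}
    raw, tag = sign_manifest(good, "4.2.0")
    print(check_update_bundle(raw, tag, good, "4.1.7"))   # []
```

Any non-empty findings list is a change-control rejection; the tag check runs first so that tampered manifests never reach the content checks.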
If the tool assumes always-on connectivity, frequent updates, or “we’ll tune it later,” it’s not OT-ready.
Select the EDR that fits the plant, not the plant that fits the EDR.