Labshock: The OT Security Revolution That’s Turning BSides Paris into a Live Cyber Battlefield + Video


Introduction:

The gap between theoretical OT security knowledge and practical, hands-on capability has long been the industry’s Achilles’ heel. Traditional training relies on slides, documentation, and sanitized case studies—none of which prepare defenders for the chaotic reality of an industrial control system under active attack. Labshock, an open-source OT/ICS cybersecurity laboratory built by Zakhar Bernhardt, is changing that paradigm by delivering real industrial components, real protocols, and real telemetry in a safe, containerized environment. After debuting at BSides São Paulo 2025 and BSides Aarhus 2025 through early adopters Wagner Rodrigues and Michael Weng, Labshock now takes center stage as the first headline partner of BSides Paris on 22 October 2026.

Learning Objectives:

  • Understand the architecture and deployment of a Docker-based OT/ICS cyber range using Labshock
  • Master industrial protocol analysis, with a focus on Modbus TCP exploitation and defense
  • Develop hands-on skills in attacking, defending, and scoring within realistic industrial environments
  • Learn to integrate SIEM visibility, log normalization, and detection logic for OT systems
  • Build repeatable, isolated lab environments for security testing and team training

1. Deploying Your OT Cyber Range in Under 10 Minutes

Labshock is not a simulator—it is a controlled OT security laboratory. The entire platform is containerized using Docker, ensuring a lightweight, reproducible environment that can be spun up or torn down in minutes. This accessibility is what makes Labshock revolutionary: anyone with a machine and Docker can build a complete OT/ICS cyber range with SCADA, PLC, Engineering Workstation (EWS), and DMZ components.

Step-by-Step Installation on Ubuntu/Debian:

Before proceeding, ensure you are working in an isolated, non-production environment. Labshock is provided strictly for educational and training use.

Step 1: Install Docker

#!/bin/bash
set -e
# Remove old Docker versions
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do
  sudo apt-get remove -y $pkg || true
done
# Prepare system
sudo apt-get update
sudo apt-get install -y ca-certificates curl gnupg lsb-release
# Add Docker's GPG key
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/$(. /etc/os-release && echo "$ID")/gpg | sudo tee /etc/apt/keyrings/docker.asc > /dev/null
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add Docker repository
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/$(. /etc/os-release && echo "$ID") $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
# Verify installation and start the daemon
docker --version
sudo systemctl enable --now docker
# Allow the current user to run docker without sudo (takes effect after re-login)
sudo usermod -aG docker $USER

Step 2: Deploy Labshock

git clone https://github.com/zakharb/labshock.git
cd labshock
# The Compose v2 plugin installed above is invoked as "docker compose", not "docker-compose"
docker compose up -d

The platform requires minimum specifications of CPU 2, RAM 2G, and HDD 10G, with recommended specs of CPU 4, RAM 8G, and HDD 20G. Labshock runs in trial mode with a 5-minute initialization delay and 40-minute session limit—restartable as needed—making it ideal for hands-on workshops and individual practice.

  2. Understanding the OT Security Philosophy: System Behavior First

Before writing exploits or configuring SIEM rules, Labshock forces users to understand what they are securing. As Zakhar Bernhardt emphasizes: “You cannot test what you do not understand. You cannot secure only documentation”. The platform is built around event-driven OT security understanding: hands-on first, theory when needed; focus on system behavior, not tools; learn from real events, not synthetic alerts; distinguish faults from attacks through evidence.

The Automation Anatomy:

OT security starts not from exploits or pentest tools, but from system behavior. A sensor becomes a signal; a signal becomes PLC memory; logic changes state; output moves equipment; HMI shows result; network carries data. This chain must be understood before security can be applied. Labshock’s “World of Labshock” expands this concept into a connected OT security landscape with structured progression, zones, and guided learning paths across industries, architectures, and maturity levels.

Key Capabilities:

  • Real industrial protocols and authentic OT traffic
  • Hands-on interaction with ICS components
  • Event and log generation from OT environments
  • Safe execution of offensive techniques and tactics
  • SIEM-focused visibility, analysis, and correlation
  • Progressive learning from fundamentals to advanced detection

3. Attacking the Industrial Network: Modbus Exploitation in Practice

Modbus TCP lacks authentication and encryption, making it one of the most vulnerable protocols in industrial environments. Labshock provides a safe environment to test these flaws without risking production systems.

Reading Modbus Registers (Python Script):

from pymodbus.client import ModbusTcpClient

# Target PLC IP (within Labshock environment)
target_ip = "192.168.1.100"
client = ModbusTcpClient(target_ip, port=502)

if client.connect():
    # Read holding registers starting at address 0, count 10
    result = client.read_holding_registers(0, count=10)
    if not result.isError():
        print(f"Register values: {result.registers}")
    else:
        print("Error reading registers")
    client.close()
else:
    print("Connection failed")

Writing to Modbus Coils (Attack Simulation):

from pymodbus.client import ModbusTcpClient

client = ModbusTcpClient("192.168.1.100", port=502)
if client.connect():
    # Write True (ON) to coil at address 0
    if not client.write_coil(0, True).isError():
        print("Coil 0 set to ON")
    # Write False (OFF) to coil at address 1
    if not client.write_coil(1, False).isError():
        print("Coil 1 set to OFF")
    client.close()
else:
    print("Connection failed")

These scripts demonstrate how an attacker can manipulate industrial processes by modifying PLC memory—potentially stopping pumps, altering pressure readings, or triggering safety alarms. The key insight is that industrial protocols were designed for reliability and speed, not security, and Labshock allows defenders to understand these weaknesses firsthand.
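The requests those two scripts put on the wire can be decoded from a capture without pymodbus. The following is an added example, not code from the article or the Labshock project: it parses the Modbus/TCP MBAP header and the PDU for the read and write functions used above so a defender can see exactly what a packet asks the PLC to do. The sample frames, transaction ids and unit id are constructed to match the calls in the scripts.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Public function codes handled here: read holding regs, write coil, write reg, write regs
READ_HOLDING, WRITE_COIL, WRITE_REGISTER, WRITE_REGISTERS = 0x03, 0x05, 0x06, 0x10
WRITE_FUNCTIONS = {WRITE_COIL, WRITE_REGISTER, WRITE_REGISTERS}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int             # first coil/register address, 0-based as on the wire
    count: int               # number of items read or written
    values: Tuple[int, ...]  # written values (empty for reads); coils decoded as 0/1
    @property
    def is_write(self) -> bool:
        return self.function in WRITE_FUNCTIONS

def parse_modbus_tcp(frame: bytes) -> Optional[ModbusRequest]:
    """Decode a Modbus/TCP request: 7-byte MBAP header, then the PDU.
    Returns None for malformed frames or functions not handled here."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:   # length field covers unit id + PDU
        return None
    fc, pdu = frame[7], frame[8:]
    if fc == READ_HOLDING and len(pdu) == 4:
        addr, count = struct.unpack(">HH", pdu)
        return ModbusRequest(tid, unit, fc, addr, count, ())
    if fc in (WRITE_COIL, WRITE_REGISTER) and len(pdu) == 4:
        addr, value = struct.unpack(">HH", pdu)
        if fc == WRITE_COIL:
            if value not in (0xFF00, 0x0000):    # the only legal coil encodings for FC 5
                return None
            value = int(value == 0xFF00)
        return ModbusRequest(tid, unit, fc, addr, 1, (value,))
    if fc == WRITE_REGISTERS and len(pdu) >= 5:
        addr, count, nbytes = struct.unpack(">HHB", pdu[:5])
        if nbytes != 2 * count or len(pdu) != 5 + nbytes:
            return None
        return ModbusRequest(tid, unit, fc, addr, count, struct.unpack(">%dH" % count, pdu[5:]))
    return None

# Constructed sample frames matching the pymodbus calls above (transaction ids 1..4, unit id 1)
FRAME_READ_HR0_10 = bytes.fromhex("00010000000601030000000a")   # read_holding_registers(0, 10)
FRAME_COIL0_ON = bytes.fromhex("00020000000601050000ff00")      # write_coil(0, True)
FRAME_COIL1_OFF = bytes.fromhex("000300000006010500010000")     # write_coil(1, False)
FRAME_BAD_COIL = bytes.fromhex("000400000006010500001234")      # illegal coil value, rejected
```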

4. Defensive Strategies: SIEM Integration and Detection Engineering

Labshock includes a Collector Service responsible for gathering logs, events, and network traffic from different OT components, including PLCs, SCADA systems, IDS, and other services. This enables log aggregation, normalization, and contextualization—essential capabilities for building effective OT security monitoring.

Setting Up OT Visibility:

The platform supports integration with SIEM tools, allowing users to:

  1. Capture traffic from industrial protocols (Modbus, DNP3, IEC 61850, etc.)
  2. Test SIEM rules and refine IDS detection in a safe lab
  3. Write correlation logic for security-relevant signals
  4. Understand the operational and safety impact of detected events

Detection Logic Grounded in Operational Reality:

Labshock’s philosophy emphasizes building detection logic grounded in operational reality. This means understanding what normal looks like before identifying anomalies. For example, a sudden write to a holding register that controls a pump’s speed might be normal during a production changeover or malicious during off-hours. Context matters—and Labshock provides the telemetry to build that context.
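An added example of that context-aware logic, not code from the article or from Labshock's Collector Service: it classifies normalized Modbus write events against a register map, an authorized engineering-workstation address and a planned change window, so the same write to the pump setpoint is reviewed during the changeover but alerted at 02:40. The register map, host addresses, window and events are all constructed assumptions.

```python
from datetime import datetime
from typing import Dict, List

# Constructed operational context: what "normal" looks like for this hypothetical process.
# Addresses are 0-based holding-register offsets, as in the pymodbus scripts above.
CRITICAL_REGISTERS: Dict[int, str] = {0: "pump_speed_setpoint", 1: "pressure_high_trip"}
AUTHORIZED_WRITERS = {"192.168.1.10": "EWS"}                  # engineering workstation (assumed)
CHANGE_WINDOWS = [("2026-10-22T06:00", "2026-10-22T08:00")]   # planned production changeover
WRITE_FUNCTIONS = {5, 6, 16}                                  # write coil / register / registers

def in_change_window(ts: datetime) -> bool:
    return any(datetime.fromisoformat(s) <= ts <= datetime.fromisoformat(e)
               for s, e in CHANGE_WINDOWS)

def classify_write(event: dict) -> dict:
    """Return the event with a verdict (allow / review / alert) and a reason.
    Reads are allowed; writes are judged by source host, target register and time."""
    ts = datetime.fromisoformat(event["ts"])
    if event["function"] not in WRITE_FUNCTIONS:
        return {**event, "verdict": "allow", "reason": "read request"}
    point = CRITICAL_REGISTERS.get(event["address"])
    src_role = AUTHORIZED_WRITERS.get(event["src"])
    if src_role is None:
        return {**event, "verdict": "alert",
                "reason": f"write from unauthorized host {event['src']}"}
    if point and not in_change_window(ts):
        return {**event, "verdict": "alert",
                "reason": f"{src_role} wrote {point} outside a change window"}
    if point:
        return {**event, "verdict": "review", "reason": f"{point} changed during planned window"}
    return {**event, "verdict": "allow", "reason": "non-critical register"}

def run_detection(events: List[dict]) -> List[dict]:
    return [classify_write(e) for e in events]

# Constructed normalized events, shaped like a collector's Modbus request log
SAMPLE_EVENTS = [
    {"ts": "2026-10-22T07:15:00", "src": "192.168.1.10", "dst": "192.168.1.100",
     "unit": 1, "function": 6, "address": 0, "value": 1200},   # setpoint change in the window
    {"ts": "2026-10-22T02:40:00", "src": "192.168.1.10", "dst": "192.168.1.100",
     "unit": 1, "function": 6, "address": 0, "value": 0},      # same host, 02:40, pump to zero
    {"ts": "2026-10-22T07:20:00", "src": "192.168.1.55", "dst": "192.168.1.100",
     "unit": 1, "function": 16, "address": 1, "value": 9999},  # unknown host raises trip limit
    {"ts": "2026-10-22T07:21:00", "src": "192.168.1.10", "dst": "192.168.1.100",
     "unit": 1, "function": 3, "address": 0, "value": None},   # plain read, no verdict needed
]
```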

  5. The BSides Paris Experience: No Slides, Just Action

At BSides Paris on 22 October 2026, Labshock is not bringing slides; it is bringing something never seen before in OT security labs. Attendees will not watch a talk; they will play with real industrial systems. They will attack, defend, and score in a live, gamified environment that feels closer to a CTF but is more modern and more fun.

This approach represents a fundamental shift in OT security education. Traditional training relies on documentation and theoretical models. Labshock delivers a “ready-to-use environment to learn, simulate and test defensive strategies”. The platform has already been used in talks, discussions, and hands-on tests at BSides São Paulo 2025 and BSides Aarhus 2025. Now, as the first headline partner of BSides Paris, Labshock is scaling that impact to a global audience.

What Undercode Says:

  • Key Takeaway 1: OT security must be testable, not documented. The industry has spent decades writing standards and checklists while attacks on critical infrastructure continue to rise. Labshock provides the missing piece: a practical, hands-on environment where security professionals can actually test their skills.

  • Key Takeaway 2: Understanding system behavior precedes security. You cannot secure what you do not understand. Labshock forces users to learn the automation anatomy—sensors, PLC memory, cyclic scan, HMI tags, outputs, and physical processes—before touching security tools. This foundational knowledge is what separates effective OT defenders from those who merely run vulnerability scanners.

Analysis: The Labshock model directly addresses the most critical gap in OT security today: the shortage of practitioners who have actually touched industrial systems. Most cybersecurity professionals come from IT backgrounds and have never seen a PLC, let alone programmed one. Labshock democratizes access to industrial environments, enabling anyone with a laptop to learn OT security hands-on. The platform’s open-source nature and Docker-based deployment lower barriers to entry while its progressive learning paths ensure structured skill development. By bringing this experience to BSides Paris as a headline partner, Labshock is signaling that the future of OT security training is interactive, gamified, and accessible—not locked behind expensive vendor labs or proprietary simulators.

Prediction:

+1 The democratization of OT security training through platforms like Labshock will significantly accelerate the development of industrial cybersecurity talent, reducing the global skills gap within 3-5 years.

+1 Gamified, CTF-style OT security experiences will become the industry standard for training, replacing traditional slide-based courses as organizations recognize the superior retention and practical applicability of hands-on learning.

-1 The ease of access to realistic OT attack simulations may lower the barrier for malicious actors to learn industrial exploitation techniques, necessitating stronger defensive training and proactive threat hunting.

+1 BSides Paris 2026 will mark a turning point where the OT security community embraces open-source, community-driven training platforms over proprietary, expensive alternatives, fostering innovation and collaboration across the industry.

Reported By: Zakharb Labshock – Hackers Feeds