Emmanuele Zambon

Emmanuele Zambon

Assistant Professor

Eindhoven University of Technology


I am an Assistant Professor at the Security Group of the Eindhoven University of Technology, in the Netherlands. I investigate the security of Industrial Control Systems (ICS) to improve their defense capabilities. My research focuses in the areas of network intrusion detection and incident response. I collaborate with the Eindhoven Security Hub Security Operations Center initiative.

I was one of the three founders of the spin-off SecurityMattters, with the goal of bringing to the market SilentDefense, a platform for network monitoring, asset inventory and network intrusion detection for Industrial Control Systems. At SecurityMatters I served as the CTO, and I was responsible of the company’s R&D.

Download my resumé.

  • Industrial Control System Security
  • Intrusion Detection
  • PhD in Computer Science, 2011

    University of Twente

  • MSc in Computer Science, 2005

    Ca’ Foscari University of Venice

  • BSc in Computer Science, 2002

    Ca’ Foscari University of Venice


Eindhoven University or Technology
Jan 2021 – Present Eindhoven
Forescout Technologies BV
Sr. Director of OT Technology
Nov 2018 – Dec 2020 Eindhoven

Responsibilities include:

  • Senior advisor for product architecture and engineering.
  • Supervision of a team of elite engineers (6 engineers).
  • Network security and operation analysis for top customers.
  • Analysis of Industrial Control System network protocols and vulnerabilities.
  • Product development of OT technology support and of new detection mechanisms.
SecurityMatters BV
Jan 2011 – Nov 2018 Eindhoven

Responsibilities include:

  • Research and engineering of new and cutting edge network monitoring and intrusion detection solutions for Operational Technology networks.
  • Product vision, architecture and design.
  • Analysis of Industrial Control System network protocols and vulnerabilities.
  • Management of the product engineering team (20+ engineers).
  • Network security and operation analysis for customer production environments.
  • Coordinator of activities and tasks within national and international research projects.
University of Twente
Postdoc Researcher (part-time)
Jan 2011 – Sep 2016 Enschede (NL)

Responsibilities include:

  • Principal contributor of several national and EU successful research projects.
  • New EU project proposals
  • Supervision of PhD student
  • OT security research
ValueTeam SpA
IT Consultant
Apr 2005 – Aug 2006 Mestre (IT)
Technical and Architectural consulting, design of distributed architectures for accessing the telephone traffic data of Telecom Italia SpA.
KPMG Italy SpA
IT Security Consultant
Sep 2003 – Sep 2004 Treviso (IT)
Penetration Testing and IT Risk Assessment.

Recent Publications

(2024). A Methodology to Measure the "Cost" of CPS Attacks: Not all CPS Networks are Created Equal. In EuroS&PW2024.

PDF Cite Project

(2024). Attacking Operational Technology Without Specialized Knowledge: The Unspecialized OT Threat Actor Profile. In EuroS&PW2024.

PDF Cite Project

(2024). A Tale of Two Industroyers: It was the Season of Darkness. In S&P 2024.

PDF Cite Project

(2024). From Power to Water: Dissecting SCADA Networks Across Different Critical Infrastructures. In PAM 2024.

PDF Cite Project

(2023). ICSvertase: A Framework for Purpose-based Design and Classification of ICS Honeypots. In ARES ‘23.



Intrusion Detection Laboratory (2IMS40)

The goal of this course is to provide students with a platform to get in-depth, hands-on experience on all three of the building blocks of cyber security monitoring: network-based, host-based and log-based intrusion detection.

To do so, the course adopts a reverse classroom setup: the course starts by providing students with material covering practical and theoretical elements of security monitoring and additional material and pointers covering all three pillars, and their relationship. The students then form groups, and are able to choose one of the building blocks to explore in depth by developing a fully-fledged laboratory activity for the other students of the course to attend. The lab activities require the analysis of realistic threat scenarios and systems, with the goal of developing effective detection techniques accounting for the specificities of the proposed scenario.

The lab activities are run and coordinated, in class, by the very students that developed them. The development and delivery of these lab sessions in class is also the final examination of the course for the group of students handling it.


For details contact me.


Download my PGP key. Fingerprint: AF58 B421 3E79 08FC 0ACE BE6D 3F45 80EA 5293 0E70.

  • e <dot> zambon <at> tue <dot> nl
  • +31 040 247 2853
  • P.O. Box 513, Eindhoven, Noord-Brabant 5600 MB
  • Enter the MetaForum (MF) building and take the elevator to the 6th Floor to Office 6.072
  • Tuesday 10:00 to 17:00
    Thursday 10:00 to 17:00