Malcolm

Malcolm takes the three hardest-to-integrate open-source network security tools — Suricata (IDS), Zeek (protocol analysis), and Arkime (full packet capture) — and ships them as a single Docker Compose stack with OpenSearch, prebuilt dashboards, and a unified web interface. Instead of spending weeks wiring these together, you run one install script.

Built by CISA and Idaho National Laboratory for critical infrastructure defenders. Ships with ICS protocol parsers for Modbus, DNP3, S7, OPC-UA, BACnet, EtherNet/IP, and IEC 60870-5-104 out of the box.

Key features

• Full packet capture + search via Arkime — sessionize and search raw PCAPs by any field
• Signature-based detection via Suricata — matches traffic against community and commercial rule sets
• Deep protocol logging via Zeek + ICSNPP plugins — structured logs for 7+ industrial protocols
• Prebuilt OpenSearch dashboards for each ICS protocol, plus network overview, alerts, and file extraction
• Unified web interface with authentication (NGINX proxy)
• Accepts live traffic (SPAN/TAP), uploaded PCAPs, or existing Zeek/Suricata logs
• ~15 Docker containers, all preconfigured to work together

What Malcolm does

Feed it PCAPs, connect it to a SPAN port, or point it at existing log directories. It indexes everything into OpenSearch and gives you searchable, visualized network intelligence.

The ICS protocol coverage is the distinguishing feature. Via Zeek's ICSNPP plugin ecosystem, Malcolm parses Modbus function codes, DNP3 application-layer objects, Siemens S7 read/write requests, OPC-UA service calls, BACnet property requests, and EtherNet/IP CIP messaging. Each protocol gets its own dashboard, so you can filter by protocol, source, function code, or time range without writing queries.

The stack runs as ~15 Docker containers: Zeek and Suricata for capture and analysis, Logstash and Filebeat for log normalization, OpenSearch for indexing, OpenSearch Dashboards and Arkime for visualization, and NGINX for unified authentication.

Why choose Malcolm

• Government-backed — maintained by CISA, developed at Idaho National Laboratory. Not going away.
• ICS protocol depth — more industrial protocol parsers than any other open-source network analysis platform
• Forensic capability — full PCAP retention with Arkime means you can go back and examine any session packet-by-packet
• Permissive license — no copyleft restrictions

Getting started

Malcolm needs more hardware than a typical Docker stack. Minimum: 8 CPU cores, 24 GB RAM, SSD. Recommended for production: 16+ cores, 32+ GB RAM. Full packet capture at 1 Gbps generates roughly 10 TB/day of storage, so plan accordingly.

git clone https://github.com/cisagov/Malcolm
cd Malcolm
./scripts/install.py
docker compose up -d

The install script walks through configuration (network interfaces, retention policies, authentication). First-time setup takes about an hour including download of container images. The web interface is available at https://localhost once all containers are healthy.

The learning curve is real — you're operating Suricata, Zeek, Arkime, and OpenSearch simultaneously. Malcolm preconfigures the integration plumbing, but understanding what each component does and how to tune it still takes time. Budget a week to get comfortable with the interface and start writing useful queries.

Technical specs

• ~15 containers: Zeek, Suricata, Arkime, OpenSearch, OpenSearch Dashboards, Logstash, Filebeat, NGINX, plus helper services
• Orchestration: Docker Compose (primary), also supports Podman and Kubernetes
• Minimum hardware: 8 CPU cores, 24 GB RAM, SSD storage
• Recommended: 16+ cores, 32+ GB RAM, RAID SSD arrays
• Network input: SPAN port, network TAP, PCAP upload, or log directory ingestion
• REST API for programmatic access to indexed data
• Written in Python (orchestration), uses Zeek scripting language for protocol parsers

Limitations

• Heavy resource requirements. 24 GB RAM minimum, and that's tight. Production deployments with full PCAP and busy networks want 32+ GB. This isn't a "run it on a Raspberry Pi" tool.
• The 15-container stack is complex to troubleshoot. When something breaks, you need to understand which container is misbehaving and why. Docker Compose logs help, but the debugging surface area is large.
• Runs Suricata in IDS mode only (passive monitoring). If you need inline IPS (blocking traffic), deploy a standalone Suricata instance separately.
• 29 contributors is a small team for a project this complex. Response times on GitHub issues can be slow, and the documentation, while solid, lags behind feature development.
• Storage is the primary constraint for sustained deployments. Full PCAP at even moderate throughput fills disks fast. You'll need a retention policy from day one.