Primary Vendors
The three leading data diode vendors for industrial, government, and enterprise use cases.
OPSWAT
MetaDefender Optical Diode
USA-based, widest OT protocol support with unique C1D2 hazardous environment certification.
Max Throughput
10 Gbps
Form Factor
DIN Rail / 1U Rack / Enterprise
Certifications
CC EAL4+
C1D2
IEC 62443
NATO NIAPC Listed
Hardware Enforced
✓ Optical fiber
Starting Price
~$14,431 (DIN Rail)
Origin
🇺🇸 USA
Use Cases
OT/ICS, Oil & Gas, Utilities
Key Differentiator
Only C1D2-certified diode
Hazardous/explosive environments
Hazardous/explosive environments
Waterfall Security
Unidirectional Security Gateway
Israeli-founded, industry leader in OT/ICS protocol support with the broadest SCADA ecosystem.
Max Throughput
10 Gbps (WF-600)
Form Factor
1U Rack / DIN Rail
Certifications
IEC 62443
UL 62368-1
NERC CIP
Hardware Enforced
✓ Fiber TX-only
Starting Price
Quote required
Origin
🇮🇱 Israel
Use Cases
Energy, Oil & Gas, Nuclear, SCADA
Key Differentiator
Widest OT protocol library
Native historian replication
Native historian replication
Owl Cyber Defense
Talon / OPDS Series
US defense heritage with the highest throughput in the market — up to 100 Gbps for classified networks.
Max Throughput
100 Gbps (Talon Torrent)
Form Factor
1U Rack / DIN Rail
Certifications
CC EAL4+
DoD Approved
NERC CIP
Hardware Enforced
✓ Optical / FPGA
Starting Price
Quote required
Origin
🇺🇸 USA
Use Cases
DoD, Intelligence, Gov, OT
Key Differentiator
Highest throughput on market
100 Gbps FPGA-based diode
100 Gbps FPGA-based diode
Suggested Additional Vendors
Based on your focus areas, these three vendors round out the competitive landscape with unique strengths in high-assurance certification and European government markets.
Sentyron 🇳🇱
EAL7+
Dutch spin-off of Fox-IT (NCC Group). Produces the Fox DataDiode — one of only three products globally with CC EAL7+ certification. The hardware contains zero software, firmware, or FPGAs — a purely passive photodiode.
→ Why consider: Highest assurance for classified/NATO deployments. NATO COSMIC TOP SECRET approved.
Advenica 🇸🇪
EAL4+
Swedish vendor with triple EU-nation military approval (Sweden, Austria, Finland) up to TOP SECRET classification. The DD1G Gen 2 (2024) adds DIN-rail and PoE in a single unit. Only vendor with Scandinavian national defense approvals.
→ Why consider: Essential for European defense/government buyers requiring national or NATO-allied approval.
Genua 🇩🇪
BSI SECRET
Now an Airbus subsidiary, Genua's vs-diode reaches ~8 Gbps — the fastest SECRET-classified approved diode in Germany. BSI-approved for DEU SECRET, EU SECRET, and NATO SECRET. The cyber-diode variant targets ICS/OT with built-in OPC UA and Modbus.
→ Why consider: Best choice for German government, Bundeswehr, or high-throughput NATO SECRET environments.
Technical Specifications
Hardware specifications, form factors, and throughput tiers for all six vendors.
OPSWAT
MetaDefender Optical Diode
DIN Rail10–50 Mbps
1U Rack100 Mbps – 1 Gbps
Enterprise10 Gbps
HardwareOptical fiber
Field Upgradeable✓ Software license
HA / RedundancyAvailable
Temp RangeStandard industrial
Special RatingClass 1 Div 2 (hazardous)
Waterfall Security
WF-500 / WF-600
WF-5001 Gbps
WF-6001 Gbps / 10 Gbps
HardwareFiber TX-only link
Form Factor1U rack + DIN Rail
HA / Redundancy✓ Dual config (WF-600)
Field Upgradeable✗ Hardware swap
Temp RangeStandard rack
Special RatingNuclear / critical infra
Owl Cyber Defense
Talon / OPDS
OPDS-100155 Mbps
OPDS-100026–1,000 Mbps
Talon One1 Gbps
Talon Torrent100 Gbps
HardwareOptical / FPGA
Form Factor1U rack / DIN rail
Field Upgradeable✓ Modular tiers
Special RatingDoD / classified networks
Sentyron
Fox DataDiode FDDV3
Standard1 Gbps
High Speed10 Gbps
HardwarePure passive photodiode
Form Factor1U rack / Ruggedised
Temp Range-20°C to +60°C (rugged)
TEMPEST✓ SDIP-27/A Level A
Firmware in diode✗ None (purest design)
MIL-STD-810✓ Ruggedised model
Advenica
DD1G Gen 2 / DD1000i
DD1000A1 Gbps (raw optical)
DD1000i1 Gbps (with proxy)
DD1G Gen 21 Gbps (EAL4+)
HardwareOptical fiber TX-only
Form FactorRack / DIN rail / standalone
PoE Support✓ DD1G Gen 2
Field UpgradeablePartial
SpecialPoE + DIN in one unit
Genua
vs-diode / cyber-diode
vs-diode8+ Gbps
cyber-diodeNot published
HardwareOptical + microkernel OS
Form FactorCompact rack / DIN rail
Codebase size~100s of lines (minimal)
Parent companyAirbus (since 2021)
OT variant✓ cyber-diode (DIN rail)
Fastest SECRET diode?✓ ~8 Gbps
Security Certifications
Certifications determine which classification levels and regulatory regimes each product can be deployed in. Higher EAL levels require more rigorous independent evaluation.
Common Criteria (CC) EAL Scale
EAL7+ — Formally Verified
Highest CC level. Formal mathematical proof. Only 3 data diode products worldwide.
EAL5+ — Semiformally Verified
Semiformal design and testing. Required by some NATO classified frameworks.
EAL4+ — Methodically Designed
Most common enterprise/government level. Required for many government procurement frameworks.
EAL2 — Structurally Tested
Basic structured evaluation. Adequate for commercial/enterprise use without classified data.
OPSWAT
MetaDefender Optical Diode
CC EAL4+ (Diode)
CC EAL4+ (MD CORE)
C1D2
IEC 62443
NERC CIP
NIST 800-82
ISO 27001
CFATS
NIS2
NATO NIAPC Listed
CC EAL4+ (Optical Diode) — Hardware independently evaluated, awarded September 2024. Covers hardware and software stack.
CC EAL4+ (MetaDefender CORE) — The file scanning engine also independently achieved EAL4+, awarded March 2026.
NATO NIAPC Listed — MetaDefender Optical Diode v1.7.1 and Transfer Guard v2.0.0 are listed on the NATO Information Assurance Product Catalogue (announced July 2025). Note: the specific NATO classification tier approved is not publicly disclosed — no public claim of NATO SECRET or COSMIC TOP SECRET approval.
Class 1 Division 2 (C1D2) — Only known data diode certified for hazardous/explosive environments (refineries, chemical plants).
IEC 62443 — Industrial cybersecurity standard alignment for OT/ICS deployments.
NERC CIP, NIST SP 800-82/53, CFATS, ANSSI — Comprehensive US regulatory framework alignment.
NIAPC listing does not confirm approval for NATO SECRET or higher classification. The exact classification tier is restricted to authenticated NATO users only. Competitors like Sentyron hold explicit NATO COSMIC TOP SECRET approval.
Waterfall Security
Unidirectional Security Gateway
IEC 62443
UL 62368-1
EN 62368-1
NERC CIP
NIST CSF
No Common Criteria EAL certification publicly stated. Relies on industrial safety and ICS security standards instead.
IEC 62443 — Primary industrial cybersecurity framework. Aligns with zone/conduit model for OT security.
UL/EN 62368-1 — Safety certification for audio/video, IT, and communications equipment.
NERC CIP compliant design — Suitable for power grid and energy sector regulatory requirements.
No CC EAL rating means it may not qualify for government/classified procurement requiring formal evaluation. Best suited for commercial OT environments.
Owl Cyber Defense
Talon / OPDS Series
CC EAL4+
CC EAL2+
DoD Approved
NERC CIP
IEC 62443
CC EAL4+ — OPDS-1000 series. EAL2+ for OPDS-100 DualDiode cards. Multiple independently evaluated configurations.
DoD / US Government approved — Deep heritage in NSA cross-domain solution lineage. Used in classified intelligence environments.
Talon Torrent meets Protocol Filtering Diode (PFD) standards for US defense and intelligence community use at 100 Gbps.
NERC CIP and IEC 62443 compliant for industrial/energy sector use on the commercial Talon line.
EAL4+ (not EAL7+) may not meet highest European/NATO classification requirements. NATO-specific products use OPDS with additional configuration requirements.
Sentyron
Fox DataDiode FDDV3
CC EAL7+
NATO COSMIC TOP SECRET
Dutch AIVD
TEMPEST SDIP-27/A
BSI TL 03305
NIS2
CC EAL7+ — One of only three data diode products in the world at the highest possible Common Criteria level. Formally mathematically verified.
NATO COSMIC TOP SECRET — Approved for the highest NATO classification level. Listed on the NATO Information Assurance Portal (NIAPC).
TEMPEST SDIP-27/A Level A — Electromagnetic shielding against side-channel eavesdropping. Required for SCIF and hardened facilities.
Dutch AIVD (intelligence service) approval and German BSI TL 03305 zone listing (zones 1–3).
The diode hardware contains NO software, firmware, or FPGAs — a purely passive photodiode. This eliminates software vulnerability surface entirely.
Advenica
SecuriCDS / DD1G Gen 2
CC EAL4+
Swedish Armed Forces N3
Austrian MOD
Finnish NCSA
SECRET / TOP SECRET (SE, AT, FI)
CC EAL4+ — DD1G Gen 2 independently certified. Covers hardware design, optical isolation, and software.
Triple EU-Nation Military Approval — Only vendor approved by Sweden (N3), Austria (MOD), and Finland (NCSA) for national SECRET and TOP SECRET levels.
Approvals cover classification levels SECRET and TOP SECRET in three NATO-allied nations — unique in the EU defense market.
Actively participating in ETSI data diode standardization work — shaping future European certification frameworks.
No NATO COSMIC TOP SECRET approval (unlike Sentyron). Best suited for EU/Scandinavian national defense rather than multilateral NATO CTS networks.
Genua
vs-diode / cyber-diode
BSI DEU SECRET
EU SECRET
NATO SECRET
TÜV SÜD
TÜV Rheinland
BSI (Bundesamt für Sicherheit) Approved — For DEU SECRET, EU SECRET, and NATO SECRET classifications. Required for German government and Bundeswehr.
EU SECRET and NATO SECRET approved — enables use in EU Council classified networks and NATO alliance information systems up to SECRET level.
TÜV SÜD and TÜV Rheinland certified — independent German safety evaluation bodies add additional validation layer.
Now an Airbus subsidiary (2021) — backed by aerospace-grade supply chain assurance and industrial quality management.
No CC EAL certification publicly listed. BSI approval uses a different German national framework (VSA/ITSEC-derived). Not approved for NATO COSMIC TOP SECRET.
Protocol Support
Supported data transfer protocols determine integration complexity and applicability to your environment.
OPSWAT
IT Protocols
TCPUDPHTTPSFTP/SFTPSMBSMTP
OT Protocols
ModbusOPC DA/UADNP3IEC-104ICCPMQTT
Historian
Aveva PIOSIsoft
Video
Screen ViewStreaming
Management
SyslogSNMPNTP
Waterfall Security
IT Protocols
TCPUDPFTPSFTP
OT Protocols
ModbusOPC DA/HDA/A&E/UADNP3IEC 60870-104ICCP
Historian
OSIsoft PIHistorian replication
Custom
Any OT/SCADA product
Management
SyslogSNMP
Owl Cyber Defense
IT Protocols
UDPTCPSFTP/FTPSMTPNTPSNMP
OT Protocols
OPC UAPI TransferDB replication
Gov/Intel
Packet streamingCross-domain
FPGA-based
Any (Torrent)
Email
SMTPS/MIME
Sentyron
File Transfer
FTPSFTPSCPSMBNFSrSync
Messaging
SMTPAMQPRESTUDP
OT
ModbusOPCOSIsoft PI
Database
OracleMySQLMSSQL
Monitoring
SplunkSyslogSNMP
Advenica
DD1000A
Raw optical (any)
DD1000i
HTTP(S)OPC UAMQTTSyslogSNMPFile transfer
DD1G
L2 Ethernet (any)
Monitoring
SyslogSNMPNTP
OT
OPC UAMQTT
Genua
vs-diode (gov)
HTTP(S)SFTPSMTP(S)TCPUDPSyslog
cyber-diode (OT)
OPC UAModbus TCPFTP/FTPSSMTP
VPN
IPSec (cyber-diode)
Log
SyslogLumberjackLogstash
Management
SNMPNTP
Full Comparison Matrix
Side-by-side comparison across all key dimensions. Blue = primary vendors. Cyan = suggested vendors.
| Feature | OPSWAT | Waterfall | Owl Cyber Defense | Sentyron | Advenica | Genua |
|---|---|---|---|---|---|---|
| Origin | 🇺🇸 USA | 🇮🇱 Israel | 🇺🇸 USA | 🇳🇱 Netherlands | 🇸🇪 Sweden | 🇩🇪 Germany |
| Max Throughput | 10 Gbps | 10 Gbps | 100 Gbps | 10 Gbps | 1 Gbps | 8+ Gbps |
| Entry Model Speed | 10 Mbps (DIN Rail) | 1 Gbps (WF-500) | 26 Mbps (OPDS-1000) | 1 Gbps | 1 Gbps | Not published |
| CC EAL Level | EAL4+ | None | EAL4+ | EAL7+ | EAL4+ | BSI equiv. |
| NATO Classified Approved | ◑ NIAPC Listed* | ✗ | ◑ DoD only | ✓ COSMIC TOP SECRET | ◑ National (SE/AT/FI) | ◑ NATO SECRET |
| Hardware-Enforced | ✓ Optical | ✓ Fiber TX-only | ✓ Optical/FPGA | ✓ Pure photodiode | ✓ Optical | ✓ Optical+microkernel |
| No firmware in diode | ✗ | ✗ | ✗ | ✓ Purely passive | ✗ | ✗ |
| TEMPEST Certified | ✗ | ✗ | ✗ | ✓ SDIP-27/A Level A | ✗ | ✗ |
| Hazardous Env. (C1D2) | ✓ Only vendor | ✗ | ✗ | ✗ | ✗ | ✗ |
| DIN Rail Form Factor | ✓ | ✓ | ✓ XD Verge | ✗ | ✓ DD1G Gen 2 | ✓ cyber-diode |
| Field Speed Upgrade | ✓ SW license | ✗ | ✓ Modular | ✗ | ◑ Partial | ✗ |
| HA / Redundancy | ✓ | ✓ WF-600 | ✓ | ✓ | ◑ | ◑ |
| OT/ICS Protocol Depth | ✓ Excellent | ✓ Excellent | ◑ Good | ◑ Good | ◑ Moderate | ✓ Good (cyber-diode) |
| Historian Replication | ✓ Aveva PI | ✓ Native | ✓ Owl PI Transfer | ✓ OSIsoft PI | ✗ | ✗ |
| Ruggedised / MIL-STD | ✗ | ✗ | ◑ | ✓ MIL-STD-810G/F | ✗ | ✗ |
| Public Pricing | ✓ ~$14,431 | ✗ Quote only | ✗ Quote only | ✗ Quote only | ✗ Quote only | ✗ Quote only |
| Primary Market | OT/ICS, Oil&Gas | Energy, SCADA | DoD, Gov, OT | NATO, Intelligence | EU Defense | DEU Gov, OT |
✓ = Supported / Certified | ✗ = Not available / Not certified | ◑ = Partial or model-dependent
Market Context
Understanding the data diode market landscape and key selection criteria.
Market Size
The global data diode market was valued at approximately $1.1–1.3 billion in 2025, driven by growing OT/IT convergence, critical infrastructure protection mandates (NIS2, NERC CIP), and escalating nation-state cyber threats to industrial systems.
Certification Hierarchy
Only three data diode products worldwide hold CC EAL7+ (Sentyron, Arbit, Nexor). EAL4+ is the practical threshold for most government procurement. Waterfall Security dominates commercial OT without CC certification by leveraging ICS-specific protocol depth.
Key Trends
Defense consolidation (Genua → Airbus, Infodas → Airbus) signals strategic investment. Software-defined diodes (Infodas SDoT at 9.1 Gbps with EAL5+) challenge the orthodoxy that hardware-only is necessary. 100G diodes (Owl Torrent) address classified AI/ML data pipeline requirements.
OT/ICS vs. Gov Segments
OPSWAT and Waterfall lead the commercial OT/ICS segment with wide protocol support. Sentyron, Nexor, and Arbit lead the classified government segment. Owl Cyber Defense and Genua serve both markets with distinct product lines.
Selection Criteria
Key questions: (1) What certification level does your regulatory/classification regime require? (2) What OT protocols do you need natively? (3) Do you need DIN-rail or 1U rack? (4) Is throughput above 1 Gbps needed? (5) Is a hazardous environment rating required?
Pricing Reality
Almost all vendors require quotes. OPSWAT is the only vendor with a published entry price (~$14,431 for 10 Mbps DIN Rail). Enterprise data diode deployments with software licenses, implementation, and support typically run $50K–$500K+ depending on throughput tier and protocol stack.
OPSWAT MetaDefender CORE — File Scanning & CDR
When paired with the MetaDefender Optical Diode, MD CORE provides deep content inspection, multi-engine malware scanning, and Content Disarm & Reconstruction before data crosses the one-way boundary.
How It Works With the Diode
Files arrive on the source side → MD CORE scans & sanitizes with 30+ AV engines + Deep CDR → clean file passes through the one-way optical link → safe content arrives on the destination network. Threats are stopped before they can cross, not just detected after.
30+
AV Engines
200+
CDR File Types
4500+
File Types Verified
99%+
Detection Rate
Multiscanning — 30+ AV Engines
MD CORE runs files simultaneously through 30+ anti-malware engines (including SentinelOne and Xcitium, added April 2026) using signatures, heuristics, and machine learning in parallel. Detection rate exceeds 99% of known malware. In Transfer Guard's bundled diode configuration, up to 20 engines are active depending on the license tier.
Deep CDR — Content Disarm & Reconstruction
Supports 200+ file types including PDF, Microsoft Office (Word, Excel, PowerPoint), HTML, and images. CDR does not rely on threat detection — it assumes every file is potentially malicious, strips all active content, and rebuilds the document from safe structural elements. Removes 100% of potential embedded threats (macros, scripts, exploits) while preserving full usability. Effective against zero-day threats with no known signature.
File Type Verification
Verifies actual file type against content (not just the extension) across 4,500+ file types. Detects and blocks spoofed file attacks where attackers disguise malware as innocent documents (e.g., an .exe renamed to .pdf). Also unpacks and scans 30+ compressed archive formats recursively.
Adaptive Sandbox (Add-on)
MetaDefender Aether sandbox uses CPU-level emulation rather than fingerprintable VMs — forcing evasive malware to execute its real logic. Detects memory-only payloads, process injection, and advanced evasion techniques. Available as an add-on to MD CORE and integrates with the diode workflow for high-assurance environments.
Proactive DLP
Detects, redacts, removes, or watermarks sensitive data (PII, financial records, credentials) in files before they transfer across the diode boundary. Prevents accidental or deliberate exfiltration of sensitive information even in authorized file transfers.
AI-Native Pre-Execution Detection
Launched in 2025, this AI-driven engine analyzes files before execution for early-stage threat detection — complementing signature-based scanning with behavioral prediction models. Targets novel and polymorphic threats that evade traditional AV signatures at first exposure.
File-Based Vulnerability Assessment
Scans transferred files for known CVEs embedded in software packages, installers, and update files. Can generate Software Bills of Materials (SBOMs). Particularly relevant for OT environments where firmware and software updates cross the diode from IT to OT networks.
MD CORE Certifications
CC EAL4+ — Awarded March 2026 for MetaDefender CORE independently of the diode hardware certification.
Combined with the Optical Diode's own EAL4+ (September 2024), the full solution has dual EAL4+ coverage across hardware and content inspection software — unique in the data diode market.
Combined with the Optical Diode's own EAL4+ (September 2024), the full solution has dual EAL4+ coverage across hardware and content inspection software — unique in the data diode market.
⚠️ NATO NIAPC Note: MetaDefender Optical Diode v1.7.1 and Transfer Guard v2.0.0 are listed on the NATO NIAPC (announced July 2025). However, the specific NATO classification tier is not publicly disclosed — there is no confirmed NATO SECRET or COSMIC TOP SECRET approval. Buyers requiring classified government approval should verify the exact tier directly through NATO/national authority channels.