Why We Built Kutoa: Helping Asset Owners Build Capacity, Not Dependency

Jeff Rotberg
March 31, 2026

For years, our team has worked alongside industrial organizations navigating the challenges of OT security, and in that time, we've watched a familiar pattern emerge. Teams invest in the right things: tools, assessments, roadmaps, expertise, and from the outside that investment looks like an organization moving in the right direction. But when you're close enough to see beneath the surface, a different picture takes shape.

The programs aren't stalling because people don't care or because technology isn't capable. They're stalling because the organization isn't evolving alongside the investment. Progress is happening around teams, not within them.

Over time, this creates a subtle problem: Dependency.

Many traditional approaches in OT security are built around delivering expertise, technology, and outputs: bring in a team, perform an assessment, deploy a solution, provide a report. And while those things are valuable, they often leave the organization in the same position it started: relying on external support to interpret, prioritize, and execute. It’s common to see strong tooling but limited ability to act on what it reveals. Many have built detailed strategies that stall because ownership isn’t clear or processes don’t fit how operations work. In these situations, the gap isn’t technical; it’s people and process.

That’s the gap Kutoa was created to address.

At its core, OT security is not just a technology problem. It lives in the day-to-day reality of operations, where safety, uptime, and production pressures shape every decision. The people running these environments are constantly balancing competing priorities, and security only works when it acknowledges that reality. It’s why resilience shows up in moments of pressure, not in planning or documentation. OT security should be a capability that organizations execute on, not something they have.  

We believe that security can’t be delivered from the outside. It must be built into how an organization operates. That means focusing not just on controls or compliance, but on the combination of people, processes, and technology working together to be sustainable over time.

Instead of asking how we can “solve” security for a customer, we focus on how we can help them build capabilities. That subtle difference changes the nature of the work, shifting the conversation from delivering outputs to building capability. It means spending time where operations happen, as Filip Lauwereys often reminds us: “Shoulder-to-shoulder”, working alongside teams to translate security into something practical that works in their environment.

Building capacity is about closing that gap.

It shows up in small but meaningful ways: teams understanding why a control matters, not just that it exists; processes that reflect how maintenance and production actually operate; decisions that are made with context, not just data. Over time, those things compound into something more powerful, a program that continues to move forward without needing constant external push.

Capacity is central to how we think about security.

Because ultimately, the organizations that succeed won’t be the ones with the most tools or the most detailed reports. They’ll be the ones where people understand their role, processes support real-world execution and continued evolution, and security is part of how work gets done every day.

This is why Kutoa exists.
