Systems for attack detection are mandatory in Germany with no distinction between IT and OT. We evaluated more than 20 industrial networks with the open source framework malcolm. This talk will show you good practices and what we learned during our site visits.