How Fast Does Your NDR Detect a New Device?

When ShadowTap plugs into your network, the clock starts. Behavioral NDR platforms like Darktrace need time to learn what is normal for a new device. During that baseline window, the attacker operates freely. ShadowTap measures time to first alert, alert accuracy and response action triggered. A real attacker with physical access has the same window. Included in the Comprehensive Security Assessment at $12,000 CAD.

The Clock Starts at the Port

The moment a new device plugs into your network, a race begins. On one side, your detection stack is trying to identify, classify and assess the device. On the other side, the attacker is trying to establish persistence, harvest credentials and set up command-and-control before detection occurs.

The attacker has one advantage that is difficult to overcome: the detection tools need time, and the attacker knows this.

The Baseline Problem

Behavioral NDR platforms like Darktrace, Vectra and ExtraHop work by learning patterns. They observe each device over time and build a profile of normal behavior. What servers does this device connect to? What protocols does it use? When is it active? How much data does it typically transfer? What is its normal communication pattern?

When a completely new device appears on the network, the NDR has no baseline for it. The device has no history, no established patterns and no definition of "normal" to compare against. Most platforms will raise a low-priority "new device seen" event almost immediately and can compare the newcomer with peer devices on the same subnet, but neither tells an analyst whether what the device is doing is wrong. For behavioral anomalies specific to that device, the AI is essentially blind until it has accumulated enough observation data to build a profile.

This is the baseline window. And it is the attacker's window.

What Happens During the Window

During the baseline learning period, the new device gets a grace period. Not an intentional one, but a functional one. The AI cannot flag behavior as anomalous when it has no reference for what normal looks like.

A new device making outbound HTTPS connections? That could be normal. It could be a new workstation loading Windows updates. A new device performing DNS queries to unfamiliar domains? That could be normal too. New software installations often query licensing servers and update endpoints that the AI has never seen associated with this device before.

An attacker operating during this window can perform reconnaissance, establish tunnels and begin lateral movement while the AI is still trying to figure out whether the device's behavior is unusual. By the time the baseline solidifies, the attacker may have already achieved their objectives.

A real attacker with physical access has the same window. A contractor who plugs in a rogue device. An employee who brings compromised hardware. A visitor who finds an active network port in a conference room. They all benefit from the same baseline learning delay.

What ShadowTap Measures

When we deploy ShadowTap, we measure three specific metrics about your detection response.

Time to first alert. How many minutes or hours elapse between the device connecting to the network and the first security alert being generated? This is the most basic detection metric. If your NDR takes 30 minutes to generate the first alert about an unknown device, an attacker has 30 minutes of unmonitored activity.

Alert accuracy. When the alert fires, what does it say? Does it correctly identify the device as unauthorized? Does it flag the specific risk (unknown MAC address, rogue device, unauthorized network access)? Or does it generate a generic anomaly alert that could easily be dismissed as a false positive? Alert quality matters as much as alert speed. A fast but vague alert is often ignored by SOC analysts drowning in noise.

Response action triggered. Does your detection stack do anything beyond alerting? Does the switch port get disabled? Does the device get quarantined to a restricted VLAN? Does NAC block the connection? Does Darktrace Antigena (now RESPOND) take autonomous action? An alert without response is an observation, not a defense. We document whether your tools respond or simply report.

The Detection Timeline Report

The ShadowTap engagement produces a detailed detection timeline. Every action we take is logged with a precise timestamp, and every alert your detection stack generates is recorded with the timestamp your SIEM or NDR console assigned to it. The two timelines are mapped together to show exactly what was detected, when it was detected and what was missed. The mapping only means something if both sides share a time reference, so clock skew between our logging and your SIEM has to be accounted for: a minute of skew adds or hides a minute of detection time.

The timeline typically reveals patterns. Initial device connection may generate a DHCP log entry but no security alert. First outbound connection may trigger a new device notification but no response action. Tunnel establishment may or may not generate a model breach depending on the tunnel type. Active testing phases generate different alert volumes depending on the techniques used.

The gap between our activity timeline and your detection timeline is your exposure window. Everything we accomplished before the first effective detection represents what a real attacker could accomplish with the same access.
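The mapping described above, as an added example in Python. This is not ShadowTap tooling or the report generator; it merges a constructed tester activity log with a constructed alert log, computes time to first alert (any severity), time to first high-severity alert and time to an automated response, records what the first alert actually said, and lists the phases completed before each of those points. The line formats, the severity names and the "block" marker for a response action are assumptions made for the example.

```python
"""
Added example: merge a tester activity timeline with the alerts a detection
stack produced and compute time-to-first-alert, time-to-first-high-severity
alert, time-to-response and the exposure window. Both logs are constructed;
the line formats are an assumption, not any product's export format.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Alert severities in ascending order. "block" marks an automated response
# action (port disabled, quarantine VLAN) and is ranked above any alert.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4, "block": 5}


@dataclass(frozen=True)
class Event:
    ts: datetime
    phase: str
    detail: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str
    severity: str
    message: str


# Constructed tester timeline: "<ISO timestamp> <phase> <free text>"
ACTIVITY_LOG = """\
2024-03-12T09:00:00 connect        device plugged into port Gi1/0/5
2024-03-12T09:00:04 dhcp           lease obtained for 10.20.5.87
2024-03-12T09:03:10 passive_recon  broadcast/ARP/mDNS capture started
2024-03-12T09:14:30 tunnel         outbound HTTPS tunnel to operator established
2024-03-12T09:41:00 cred_harvest   credential capture started
2024-03-12T10:55:00 lateral        SMB session opened to FS01
"""

# Constructed alert timeline: "<ISO timestamp> <source> <severity> <free text>"
ALERT_LOG = """\
2024-03-12T09:00:05 dhcp  info   DHCPACK 10.20.5.87 aa:bb:cc:dd:ee:ff (log entry only)
2024-03-12T09:31:12 ndr   low    Device / New Device Seen
2024-03-12T11:04:40 ndr   high   Anomalous Connection / Unusual SMB Session
2024-03-12T11:06:00 nac   block  Port Gi1/0/5 moved to quarantine VLAN
"""


def parse_activity(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, phase, detail = line.split(maxsplit=2)
            events.append(Event(datetime.fromisoformat(ts), phase, detail))
    return sorted(events, key=lambda e: e.ts)


def parse_alerts(text: str) -> list[Alert]:
    alerts = []
    for line in text.splitlines():
        if line.strip():
            ts, source, severity, message = line.split(maxsplit=3)
            if severity not in SEVERITY_RANK:
                raise ValueError(f"unknown severity {severity!r}: {line}")
            alerts.append(Alert(datetime.fromisoformat(ts), source, severity, message))
    return sorted(alerts, key=lambda a: a.ts)


def first_alert(alerts: list[Alert], min_severity: str = "low") -> Optional[Alert]:
    """First alert at or above min_severity, or None if the stack never fired."""
    threshold = SEVERITY_RANK[min_severity]
    return next((a for a in alerts if SEVERITY_RANK[a.severity] >= threshold), None)


def seconds_to_first(activity: list[Event], alerts: list[Alert], min_severity: str) -> Optional[int]:
    """Seconds from device connection (first tester event) to the first qualifying alert."""
    a = first_alert(alerts, min_severity)
    return None if a is None else int((a.ts - activity[0].ts).total_seconds())


def exposure_window(activity: list[Event], alerts: list[Alert], min_severity: str) -> list[str]:
    """Tester phases completed before the first alert at min_severity fired."""
    a = first_alert(alerts, min_severity)
    cutoff = a.ts if a else datetime.max  # never detected: everything is exposed
    return [e.phase for e in activity if e.ts < cutoff]


def merged_timeline(activity: list[Event], alerts: list[Alert]) -> list[tuple]:
    """Both timelines interleaved by timestamp, for the report appendix."""
    rows = [(e.ts, "TESTER", e.phase, e.detail) for e in activity]
    rows += [(a.ts, a.source.upper(), a.severity, a.message) for a in alerts]
    return sorted(rows)


def build_report(activity_text: str = ACTIVITY_LOG, alert_text: str = ALERT_LOG) -> dict:
    activity, alerts = parse_activity(activity_text), parse_alerts(alert_text)
    first = first_alert(alerts, "low")
    return {
        "seconds_to_first_alert": seconds_to_first(activity, alerts, "low"),
        "first_alert_text": first.message if first else None,  # alert accuracy
        "seconds_to_first_high": seconds_to_first(activity, alerts, "high"),
        "seconds_to_response": seconds_to_first(activity, alerts, "block"),
        "phases_before_first_alert": exposure_window(activity, alerts, "low"),
        "phases_before_response": exposure_window(activity, alerts, "block"),
    }


if __name__ == "__main__":
    for ts, who, kind, text in merged_timeline(parse_activity(ACTIVITY_LOG), parse_alerts(ALERT_LOG)):
        print(f"{ts.isoformat()}  {who:6}  {kind:14}  {text}")
    for key, value in build_report().items():
        print(f"{key}: {value}")
```

With the constructed data the first alert of any kind lands 31 minutes in and is the generic "new device" event, the first high-severity alert takes just over two hours, and every tester phase including lateral movement is already complete by then; the "info" DHCP log entry is deliberately ranked below "low" so a log line that nobody is paged on does not count as detection.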

Why Speed Matters More Than You Think

Detection speed is not just about catching the device. It is about the entire kill chain that follows.

In the first five minutes after connection, ShadowTap has already begun passive reconnaissance. It is capturing broadcast traffic, ARP entries, DHCP exchanges and hostname announcements. Capturing this requires no outbound traffic, and a device that only listens gives a network sensor nothing to alert on.

Within the first fifteen minutes, the tunnel cascade begins: a sequence of egress attempts over different protocols and ports, each tried in turn until one gets out. If your egress controls are permissive, a covert tunnel is established and our testing team has remote access to your internal network.

Within the first hour, credential harvesting is well underway. On a switched network a purely passive listener sees only broadcast and multicast traffic, so what it collects for free is LLMNR, NBT-NS and mDNS name queries (which reveal hostnames and the names being looked up) plus any cleartext protocol that happens to reach it. Collecting NTLM challenge-responses from SMB or Kerberos exchanges generally means answering those name queries (LLMNR/NBT-NS poisoning) so that hosts authenticate to the rogue device, and that is the first point at which the device stops being silent and a well-tuned NDR has something concrete to catch.

If your NDR takes two hours to generate the first actionable alert, everything described above has already happened. Detection at that point is forensic, not preventive. You are documenting the compromise rather than preventing it.

What Good Detection Looks Like

The best results we see combine multiple detection layers that do not all depend on behavioral baselines.

NAC with 802.1X authentication prevents unauthorized devices from ever reaching the network. The device fails authentication at the switch port level and never gets an IP address. Detection time: zero. The attack is prevented, not detected after the fact. The caveat is the exception list: devices that cannot run a supplicant (printers, phones, badge readers, building controls) are usually admitted by MAC Authentication Bypass, and a rogue device that clones one of those MAC addresses on the same port inherits its access, so the MAB exceptions are where an 802.1X deployment should be tested.

DHCP alerting on unknown MAC addresses generates an immediate notification when a new device requests an IP assignment. This does not require behavioral analysis. It is a simple comparison against a known device inventory. Detection time: seconds. Two limits apply: a device configured with a static IP never sends a DHCP request and is invisible to this check, and the check trusts whatever MAC the device presents, so it is worth also flagging a known MAC that shows up with an unexpected hostname or takes a second lease while it already holds one.
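The inventory comparison, as an added Python example that is not part of the page or of any vendor's product. It reads DHCP server log lines, imitating dnsmasq's "DHCPACK(iface) ip mac hostname" syslog format, normalizes the MAC, and raises a finding for a MAC that is not in the inventory; it goes one step beyond the plain check by also flagging a known MAC whose hostname does not match the inventory or that takes a second concurrent lease, both of which are what a cloned MAC tends to look like. The inventory, the log lines and the hostnames are constructed for the example.

```python
"""
Added example: check DHCP server log lines against a device inventory and
raise findings for (a) a MAC address not in the inventory, (b) a known MAC
whose reported hostname does not match the inventory, and (c) a known MAC
that picks up a second lease while it already holds one. Inventory and log
lines are constructed; the lines imitate dnsmasq's syslog format.
"""
import re
from dataclasses import dataclass, field

# Constructed inventory: MAC (any common notation) -> expected hostname.
INVENTORY = {
    "00-11-22-33-44-55": "WS-FIN-017",
    "00:11:22:33:44:66": "PRN-2F-LOBBY",
    "9C:8E:99:AA:BB:CC": "IPPHONE-204",
}

# Constructed log lines. The third and fourth ACKs show the printer's MAC
# leasing two addresses under two different hostnames.
DHCP_LOG = """\
Mar 12 09:00:04 dhcp1 dnsmasq-dhcp[912]: DHCPACK(eth0) 10.20.5.87 a4:5e:60:12:34:56 kali
Mar 12 09:00:31 dhcp1 dnsmasq-dhcp[912]: DHCPACK(eth0) 10.20.5.14 00:11:22:33:44:55 WS-FIN-017
Mar 12 09:02:10 dhcp1 dnsmasq-dhcp[912]: DHCPACK(eth0) 10.20.5.22 00:11:22:33:44:66 PRN-2F-LOBBY
Mar 12 09:05:44 dhcp1 dnsmasq-dhcp[912]: DHCPACK(eth0) 10.20.5.90 00:11:22:33:44:66 ubuntu
Mar 12 09:06:00 dhcp1 dnsmasq-dhcp[912]: DHCPDISCOVER(eth0) de:ad:be:ef:00:01
"""

# Only ACKs are checked: that is the moment the device actually holds an address.
ACK_RE = re.compile(
    r"DHCPACK\((?P<iface>\w+)\) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})(?: (?P<host>\S+))?"
)


@dataclass
class Finding:
    ts: str
    ip: str
    mac: str
    hostname: str
    reasons: list = field(default_factory=list)


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so inventory and log entries compare equal."""
    return mac.lower().replace("-", ":")


def check_dhcp_log(text: str, inventory: dict) -> list[Finding]:
    expected = {normalize_mac(m): h for m, h in inventory.items()}
    active_leases: dict[str, set] = {}  # mac -> IPs seen holding a lease
    findings = []
    for line in text.splitlines():
        m = ACK_RE.search(line)
        if not m:  # DISCOVER/OFFER/REQUEST lines carry no lease yet
            continue
        mac = normalize_mac(m["mac"])
        host = m["host"] or ""
        finding = Finding(ts=line[:15], ip=m["ip"], mac=mac, hostname=host)
        if mac not in expected:
            finding.reasons.append("unknown_mac")
        else:
            if host.lower() != expected[mac].lower():
                finding.reasons.append("hostname_mismatch")
            if active_leases.get(mac, set()) - {m["ip"]}:
                finding.reasons.append("duplicate_lease")
        active_leases.setdefault(mac, set()).add(m["ip"])
        if finding.reasons:
            findings.append(finding)
    return findings


def format_alert(f: Finding) -> str:
    """One-line alert that names the device and the specific risk, not a generic anomaly."""
    return (f"{f.ts} rogue-device-check mac={f.mac} ip={f.ip} "
            f"host={f.hostname or '-'} reasons={','.join(f.reasons)}")


if __name__ == "__main__":
    for finding in check_dhcp_log(DHCP_LOG, INVENTORY):
        print(format_alert(finding))
```

Run against the constructed lines, the unknown MAC registering as "kali" is flagged on its first lease, and the printer's MAC is flagged the moment it reappears with a different hostname and a second address; the DISCOVER line produces nothing because no lease has been granted yet. A device that sets a static IP never appears in this log at all, which is why the check belongs beside port security or 802.1X rather than in place of them.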

Switch port security with sticky MAC addressing limits each port to a specific MAC address. When an unknown MAC appears, the port is shut down (err-disabled under the default shutdown violation mode) and stays down until an administrator clears it. Detection time: immediate. Response: automatic. Like the DHCP check, it only verifies a source MAC address, so cloning the MAC the port has learned defeats it; its value is that the clone has to be presented on that same port, in place of the legitimate device.

These controls work because they do not need a baseline. They check something about the device at the access layer (a credential with 802.1X, a MAC address with the other two) before the device has an opportunity to do anything. The behavioral AI layer (Darktrace, Vectra, etc.) then provides a second detection opportunity for devices that bypass the first layer, for example by cloning an authorized MAC.

The Question You Should Be Asking

Most organizations have never measured their new device detection speed. They deploy Darktrace or another NDR platform, see alerts appearing in the dashboard and assume detection is working. But they have never plugged in an unknown device and measured the clock.

How fast does your NDR detect a new device? Not in the vendor's lab with optimized conditions. In your production environment with your configuration, your network topology, your alert volume and your SOC team's current workload.

The answer matters because a real attacker with physical access has the same window. And they know exactly how to use it.

Order Comprehensive Assessment