How We Test Darktrace Without Breaking It

Sherlock Forensics tests Darktrace and NDR platforms using ShadowTap without disrupting production systems. The methodology uses controlled phase escalation: passive reconnaissance first, then active scanning, then exploitation techniques, with joint review after each phase. Darktrace stays fully operational throughout. This is not adversarial. This is validation. Comprehensive validation engagements start at $12,000 CAD.

The First Question Every CISO Asks

"If you test our Darktrace, will it break something?"

It is a fair question. Your NDR platform monitors production traffic. Your security team relies on it for real-time alerting. If a validation test floods the network with malicious traffic, triggers thousands of alerts or crashes a sensor, the cure is worse than the disease.

This is why we built the ShadowTap methodology specifically around non-disruptive validation. Darktrace stays fully operational. Production systems are not modified. The network continues to function normally. What changes is that a controlled adversary is now operating inside the network, giving you the opportunity to measure what Darktrace actually detects.

This is not adversarial. This is validation.

Phase 0: Scoping and Rules of Engagement

Before any device is shipped or any packet is sent, we sit down with your security team and define the engagement boundaries. This includes:

  • Scope definition: Which network segments are in scope? Which are excluded? Are there critical systems that require additional caution?
  • Rules of engagement: No denial-of-service techniques. No modification of production data. No destructive payloads. No social engineering of employees (unless specifically requested as part of a broader engagement).
  • Communication protocol: Who receives real-time updates during testing? What is the escalation path if something unexpected occurs? Who has authority to pause or stop the engagement?
  • Success criteria: What does your team want to learn? Detection rates? Alert latency? Coverage gaps? This shapes how we structure the testing phases.

Every ShadowTap engagement has a signed rules-of-engagement document before testing begins. This protects both parties and ensures alignment on what the engagement will and will not include.

Phase 1: Passive Reconnaissance

The ShadowTap device arrives at your office preconfigured and sealed. Your IT team plugs it into a designated network port. It establishes a secure encrypted tunnel back to our testing environment. No software needs to be installed on any of your systems.

Phase 1 is entirely passive. We observe network traffic visible from the ShadowTap device's position on the network. We map the network topology, identify active hosts, catalog services and build an understanding of traffic patterns.

This phase accomplishes two things. First, it gives us the intelligence we need to plan active testing phases. Second, it provides a control measurement. If Darktrace alerts on the ShadowTap device's passive presence (it should, if configured to alert on new devices), we know the baseline detection of new network participants is working.

If Darktrace does not alert on a new device appearing on the network, that is already a finding.

Phase 2: Active Scanning

With passive reconnaissance complete, we begin controlled active scanning. This includes:

  • Port scanning at controlled rates (not flooding, measured enumeration)
  • Service identification and version detection
  • SMB enumeration of shares and permissions
  • LDAP queries against Active Directory
  • DNS zone transfer attempts
  • SNMP community string testing

Each technique is executed individually with pauses between them. This allows your security team to correlate our activity timeline with Darktrace alerts. After Phase 2, we conduct a checkpoint review: here is what we did, here is what Darktrace saw, here is what it missed.

This phase-and-review approach is critical. It transforms the engagement from a gotcha exercise into a collaborative learning experience. Your team sees exactly how each technique appears (or does not appear) in Darktrace's alert stream.

Phase 3: Controlled Exploitation

Phase 3 tests Darktrace's ability to detect actual attack techniques. This includes:

  • Encrypted tunnel establishment: We set up encrypted command-and-control channels using legitimate TLS certificates to test encrypted traffic blind spots
  • DNS tunneling: Data exfiltration through DNS queries at varying throughput levels to find detection thresholds
  • MAC address manipulation: Spoofing MAC addresses with legitimate vendor prefixes to test device identity tracking
  • Lateral movement: Controlled movement between hosts using standard administrative protocols (RDP, SSH, WMI, PowerShell remoting)
  • Privilege escalation: Testing Active Directory attack paths (Kerberoasting, AS-REP roasting, constrained delegation abuse)
  • Identity rotation: Switching between multiple credential sets to test whether Darktrace correlates activity across identity changes
  • Hostname cloning: Matching the hostname of existing devices to test device disambiguation

Every technique has a specific detection hypothesis. "We expect Darktrace to alert on X within Y minutes." This gives your team a measurable framework for evaluating detection capability.

Phase 4: Low-and-Slow Testing

Phase 4 is where most detection tools struggle. We reduce our activity to levels that mimic normal network behavior. Small amounts of data exfiltrated over long periods. Lateral movement at the pace of a legitimate administrator. Beacon intervals that match legitimate software update patterns.

This phase tests the boundary between detectable and undetectable behavior in your specific environment. The results tell you exactly how much adversary activity can occur before your tools notice.

Phase 5: Joint Review and Reporting

After active testing is complete, we conduct a joint review session with your security team. This is not a presentation where we show you what you missed. It is a working session where we walk through every technique, every alert (or lack of alert) and every gap.

The final report includes:

  • Complete technique execution timeline with Darktrace alert correlation
  • Detection rate by technique category
  • Alert latency measurements (time from technique execution to alert generation)
  • Coverage gap analysis with prioritized recommendations
  • Configuration changes that would improve detection for identified gaps
  • Compensating controls for gaps that cannot be addressed through configuration alone
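The per-technique detection hypothesis from Phase 3 ("we expect Darktrace to alert on X within Y minutes") and the report metrics listed above (timeline correlation, detection rate by category, alert latency, coverage gaps) are simple to compute once both sides keep timestamps. The following Python is an added illustration and not Sherlock Forensics' or Darktrace's own tooling; it assumes the tester's execution log and the NDR console's alert export can each be reduced to a name plus a timestamp, and all technique names, alert labels and times in it are constructed sample data.

```python
"""Correlate a validation-engagement technique timeline with NDR alerts and
summarise detection rate, hypothesis pass rate, latency and gaps per category.
Hypothetical example: every run, alert and timestamp below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Callable, Dict, List, Optional


@dataclass
class TechniqueRun:
    name: str
    category: str
    started: datetime
    expected_within: timedelta   # detection hypothesis: "alert on X within Y minutes"


@dataclass
class Alert:
    label: str                   # alert/model name as exported from the NDR console
    raised: datetime


@dataclass
class Correlation:
    run: TechniqueRun
    alert: Optional[Alert]
    latency: Optional[timedelta]

    @property
    def detected(self) -> bool:
        return self.alert is not None

    @property
    def hypothesis_met(self) -> bool:
        # Detected at all, and within the window the hypothesis stated.
        return self.detected and self.latency <= self.run.expected_within


def correlate(runs: List[TechniqueRun], alerts: List[Alert],
              window: timedelta) -> List[Correlation]:
    """Pair each run with the first alert raised in [started, started + window].
    Techniques are executed one at a time with pauses, so each alert is
    attributed to at most one run (earliest run whose window contains it)."""
    pending = sorted(alerts, key=lambda a: a.raised)
    results: List[Correlation] = []
    for run in sorted(runs, key=lambda r: r.started):
        match = next((a for a in pending
                      if run.started <= a.raised <= run.started + window), None)
        if match is None:
            results.append(Correlation(run, None, None))
        else:
            pending.remove(match)
            results.append(Correlation(run, match, match.raised - run.started))
    return results


def _rate(results: List[Correlation],
          pred: Callable[[Correlation], bool]) -> Dict[str, float]:
    totals: Dict[str, int] = {}
    hits: Dict[str, int] = {}
    for c in results:
        cat = c.run.category
        totals[cat] = totals.get(cat, 0) + 1
        hits[cat] = hits.get(cat, 0) + (1 if pred(c) else 0)
    return {cat: hits[cat] / totals[cat] for cat in totals}


def detection_rate_by_category(results: List[Correlation]) -> Dict[str, float]:
    return _rate(results, lambda c: c.detected)


def hypothesis_rate_by_category(results: List[Correlation]) -> Dict[str, float]:
    return _rate(results, lambda c: c.hypothesis_met)


def median_latency_minutes(results: List[Correlation]) -> Optional[float]:
    lat = [c.latency.total_seconds() / 60 for c in results if c.detected]
    return median(lat) if lat else None


def gaps(results: List[Correlation]) -> List[str]:
    """Techniques that produced no alert inside the correlation window."""
    return [c.run.name for c in results if not c.detected]


# Constructed sample timeline: four techniques run 20 minutes apart.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_RUNS = [
    TechniqueRun("port_scan", "scanning", T0, timedelta(minutes=5)),
    TechniqueRun("smb_enum", "scanning", T0 + timedelta(minutes=20), timedelta(minutes=10)),
    TechniqueRun("dns_tunnel", "exfiltration", T0 + timedelta(minutes=40), timedelta(minutes=15)),
    TechniqueRun("kerberoast", "privilege_escalation", T0 + timedelta(minutes=60), timedelta(minutes=10)),
]
# Constructed alert export: no alert at all for the DNS tunnel, and the SMB
# alert arrives, but later than the hypothesis allowed.
SAMPLE_ALERTS = [
    Alert("network_scan_alert", T0 + timedelta(minutes=3)),
    Alert("smb_enumeration_alert", T0 + timedelta(minutes=34)),
    Alert("kerberos_ticket_request_alert", T0 + timedelta(minutes=64)),
]

if __name__ == "__main__":
    results = correlate(SAMPLE_RUNS, SAMPLE_ALERTS, timedelta(minutes=20))
    for c in results:
        lat = f"{c.latency.total_seconds() / 60:.0f} min" if c.detected else "no alert"
        print(f"{c.run.name:<12}{c.run.category:<22}{lat:<10}hypothesis_met={c.hypothesis_met}")
    print("detection rate:", detection_rate_by_category(results))
    print("hypothesis rate:", hypothesis_rate_by_category(results))
    print("median latency (min):", median_latency_minutes(results))
    print("gaps:", gaps(results))
```

The correlation window is the pause between techniques, which is why the phased, one-at-a-time execution matters: with overlapping techniques an alert cannot be attributed to a single cause, and latency numbers become meaningless. Note also that "detected" and "hypothesis met" are tracked separately; an alert that fires 14 minutes after a technique the team expected to see within 10 is still a finding about latency, not a miss.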

The report is designed to be actionable. Not a list of findings to file away, but a roadmap for measurable improvement. Many clients schedule follow-up validation after implementing recommendations to verify the improvements.

Why This Approach Works

The collaborative, phased approach works because it aligns incentives. We are not trying to embarrass your security team. We are not trying to prove Darktrace is bad. We are working with your team to understand exactly where your detection coverage stands and how to improve it.

Your security team learns from the process. They see how real attack techniques appear in their tools. They understand why certain techniques evade detection. They gain practical knowledge that improves their ability to detect and respond to real incidents.

That is the difference between adversarial testing and validation. Adversarial testing proves a point. Validation improves capability.
