The Assumption That Breaks Your Detection
Every network detection system operates on the same fundamental assumption: attackers generate traffic. Your IDS inspects packets. Your firewall filters connections. Your NDR builds behavioral baselines from observed communications. Your SIEM correlates log entries generated by network activity.
All of these tools share a single dependency. They need the attacker to send something through the network.
What happens when the attacker does not?
Ghost Mode: The Architecture
ShadowTap is a physical device that plugs into your corporate network. In its standard operating mode, it phones home through your infrastructure, establishing encrypted tunnels to our testing lab. Your detection stack has every opportunity to catch it. New MAC address, new DHCP lease, outbound connections to unknown destinations. This is Mode 1, and it is designed to be detectable.
Ghost Mode is different.
When Ghost Mode activates, a USB LTE modem takes over all command-and-control responsibilities. The cellular connection handles everything: tunnel establishment, management traffic, data exfiltration, remote access. All of it routes through the LTE modem, through the cellular network, through a Cloudflare ARGO tunnel and into our lab.
The eth0 interface, the wired Ethernet connection plugged into your network, goes completely dark. No outbound packets. No DNS queries. No DHCP requests beyond the initial lease. No keepalive traffic. Nothing.
But it is still listening.
Receiving Everything, Transmitting Nothing
Scapy runs on the eth0 interface in pure passive capture mode. It sees every broadcast packet on the VLAN. ARP requests. DHCP exchanges. LLMNR queries. NetBIOS announcements. SMB negotiations. Kerberos ticket exchanges. Every piece of information that traverses the broadcast domain reaches ShadowTap's network interface.
The device collects all of it. Hostnames, IP addresses, MAC addresses, service announcements, credential material from cleartext protocols, NTLM challenge-response pairs from SMB traffic. Everything your network broadcasts is captured, parsed and stored.
None of this capture activity generates return traffic. Scapy operates at the raw socket level, reading frames as they arrive on the wire without acknowledging, responding to or interacting with the sending device in any way. The network devices broadcasting this information have no indication that an additional listener exists.
Your Firewall Watches the Door
Your firewall watches the door. This device came in through the window and never touched the door.
Network-based detection tools monitor traffic flowing through the network. They inspect packets between source and destination. They look for anomalous connections, unusual protocols, unexpected destinations. These tools are effective against attackers who communicate through the network.
Ghost Mode bypasses this entire detection layer. The command-and-control channel never touches corporate infrastructure. The cellular connection operates on a completely separate network, separate IP space, separate routing, separate everything. Your firewall never sees the traffic because the traffic never reaches the firewall.
Your IDS never inspects the packets because the packets travel through cellular towers, not through your switches. Your NDR never builds a behavioral profile of the C2 channel because the C2 channel exists outside your network's visibility.
What Evidence Remains
Ghost Mode is not perfectly invisible. There are forensic artifacts, but they require looking in places most security teams do not monitor in real time.
The switch port has an active link. An electrical signal is present on the interface. If your network operations team monitors port status changes, they might notice a new port going active. Most do not monitor this at the individual port level, especially on access layer switches in office environments.
The MAC address appears in the switch's ARP table and MAC address table. If you run regular ARP table audits comparing known devices to active entries, the unknown MAC would stand out. Most organizations do not perform this audit, and those that do typically run it monthly or quarterly, not in real time.
The initial DHCP lease request creates a log entry on the DHCP server. One new lease among hundreds or thousands. Unless your SIEM specifically correlates new DHCP leases against a known device inventory, this event disappears into normal operational noise.
These are the clues. A port link state change, a MAC address entry and a DHCP log. Against an organization with mature asset management and real-time network inventory monitoring, these could be detected. Against the vast majority of corporate networks, they are invisible.
Why This Matters for Your Detection Strategy
Ghost Mode tests a specific question: does your detection strategy assume all threats communicate through your network?
If the answer is yes, you have a blind spot. USB LTE modems cost less than $50. They are small enough to hide inside a desktop computer case, behind a monitor or inside a ceiling tile. A real attacker with physical access to your building (a contractor, a disgruntled employee, a social engineer) can deploy this exact architecture for almost nothing.
The attacker plugs a device into your network. Attaches a cellular modem. Walks away. The device sits quietly on your network, passively harvesting intelligence, while all command-and-control happens over cellular. Your Darktrace, your firewall, your IDS, your entire network security stack sees nothing because there is nothing on the network to see.
What Detection Actually Works
Detecting Ghost Mode requires controls that do not depend on network traffic analysis.
Network Access Control (NAC) with 802.1X authentication can prevent unauthorized devices from obtaining network access in the first place. If the switch port requires certificate-based authentication before granting VLAN access, an unknown device cannot get a foothold regardless of whether it transmits traffic.
Real-time asset inventory monitoring that compares active MAC addresses and DHCP leases against a known device database can flag unknown devices within minutes of connection. This requires maintaining an accurate device inventory, which most organizations struggle with.
Physical port security (disabling unused switch ports and enabling port security with sticky MAC addressing) prevents unknown devices from activating dormant network connections. This is one of the oldest network security controls available, and one of the most frequently neglected.
These controls work because they do not rely on observing attacker traffic. They validate device identity at the access layer, before the device has an opportunity to go silent.
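As an added illustration of the artifact audit described above (not part of the original article or the ShadowTap tooling), the Python below checks the three artifacts the article lists, a switch link-up event, a MAC address-table entry and a DHCP lease, against a device inventory. The log formats (ISC dhcpd syslog and Cisco IOS %LINK-3-UPDOWN messages), the inventory and every address and hostname are constructed assumptions.

```python
import re

# Constructed inventory of sanctioned devices (MAC -> name); a real audit would
# pull this from the CMDB or NAC database.
KNOWN_DEVICES = {"3c:5a:b4:12:34:56": "LAPTOP-JDOE", "00:50:56:ab:cd:ef": "PRINTER-3F"}

# Constructed sample syslog: a Cisco IOS link-up event and two ISC dhcpd DHCPACKs.
SAMPLE_SYSLOG = """\
Mar 12 09:13:58 sw-access-07 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
Mar 12 09:14:02 dhcp1 dhcpd[1123]: DHCPACK on 10.20.30.77 to 3c:5a:b4:12:34:56 (LAPTOP-JDOE) via eth0
Mar 12 09:14:31 dhcp1 dhcpd[1123]: DHCPACK on 10.20.30.91 to b8:27:eb:9f:01:2a via eth0
""".splitlines()

# Constructed 'show mac address-table' rows: (vlan, MAC in Cisco dotted form, port).
SAMPLE_MAC_TABLE = [("10", "0050.56ab.cdef", "Gi1/0/3"), ("10", "b827.eb9f.012a", "Gi1/0/12")]

DHCPACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((\S+)\))?", re.I)
LINK_UP_RE = re.compile(r"^\S+ \d+ \S+ (\S+) %LINK-3-UPDOWN: Interface (\S+), changed state to up")


def normalize_mac(mac):
    """Accept 'aabb.ccdd.eeff' or 'AA:BB:CC:DD:EE:FF' and return lowercase colon form."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def unknown_dhcp_leases(lines, known=KNOWN_DEVICES):
    """(ip, mac, hostname) for every DHCPACK whose MAC is absent from the inventory."""
    hits = []
    for m in filter(None, map(DHCPACK_RE.search, lines)):
        mac = normalize_mac(m.group(2))
        if mac not in known:
            hits.append((m.group(1), mac, m.group(3) or "<no hostname>"))
    return hits


def unknown_mac_entries(table, known=KNOWN_DEVICES):
    """(port, mac) for every learned MAC that is absent from the inventory."""
    return [(port, normalize_mac(mac)) for _vlan, mac, port in table if normalize_mac(mac) not in known]


def ports_up(lines):
    """(switch, interface) for every link-up event, the earliest artifact a new device leaves."""
    return [m.groups() for m in filter(None, map(LINK_UP_RE.match, lines))]


def correlate(lines, table, known=KNOWN_DEVICES):
    """Strongest signal: a port that just came up AND learned a MAC nobody has inventoried."""
    up_ports = {iface.replace("GigabitEthernet", "Gi") for _sw, iface in ports_up(lines)}
    return [(port, mac) for port, mac in unknown_mac_entries(table, known) if port in up_ports]
```

One further correlation worth adding: a device that goes dark after its initial lease never renews it, so a lease that expires while the MAC remains in the switch's address table is itself a signal.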
The Test
When we deploy ShadowTap in Ghost Mode, we are testing whether your organization has these controls in place and whether they work. We document how long the device operates undetected, what intelligence it collects passively and what controls eventually catch it, if any do.
The results tell you whether your detection strategy covers the full threat surface or only the portion that generates network traffic. For most organizations, Ghost Mode reveals that their entire detection architecture has a fundamental dependency they never considered.
Your IDS watches network traffic. This device does not generate any.