Darktrace Validation

Test Your Darktrace Installation

You spent $100K+ on Darktrace. Does it actually catch attackers?

Sherlock Forensics offers the Darktrace Validation Assessment, a $5,000 CAD service that tests whether your Darktrace installation actually detects real attack techniques. We deploy our ShadowTap device on your network, simulate a physical access attacker, harvest identities, establish covert tunnels and test Darktrace detection at every phase. You receive a detailed report showing detection timelines, missed events, false positive rates and specific tuning recommendations. This may be the only service of its kind available on the internet. If Darktrace catches us, great. If it does not, you need to know.

The Problem

Why You Need to Test Your Darktrace

Trust but Verify

Darktrace is a sophisticated AI-driven network detection and response platform. It learns your network's normal behavior and alerts on anomalies. But learning takes time, configuration matters and blind spots exist. Without independent validation, you are trusting a vendor's promise that their product works in your specific environment. That is not security. That is hope.

Configuration Drift

Darktrace was likely tuned during initial deployment. Since then, your network has changed. New subnets, new applications, new cloud services, new remote workers. Has Darktrace been re-tuned to match? In most organizations, the answer is no. Configuration drift means the Darktrace you deployed is not the Darktrace you are running today.

Antigena Assumptions

Darktrace Antigena is designed to autonomously respond to threats. But many organizations deploy Antigena in "human confirmation" mode, effectively making it a notification system rather than a response system. Others have Antigena active but untested. Does it actually block lateral movement? Does it quarantine compromised hosts? You will not know until someone tests it.

Our Process

The Anti-Antigena Assessment

Phase 1: Physical Access Simulation

We deploy ShadowTap on your network, simulating an attacker who has gained physical access to your building. The device connects to an available network port and begins passive reconnaissance. We monitor whether Darktrace detects the new device, how quickly it alerts and what model breaches it generates.

Phase 2: Identity Harvesting

ShadowTap passively captures credentials from broadcast traffic: NTLM hashes from SMB, Kerberos tickets, LLMNR/NBT-NS poisoning opportunities and cleartext protocols. We document what identity information is available to an attacker on your network and whether Darktrace flags the credential harvesting activity.

Phase 3: Covert Tunnel Establishment

ShadowTap establishes an encrypted tunnel back to our lab using one of five tunnel types. This is a critical detection point. A device on your network establishing an outbound encrypted channel to an unknown destination is exactly what Darktrace should catch. We record the detection timeline, the model breaches generated and whether Antigena takes action.

Phase 4: Active Testing and Detection Mapping

With the tunnel established, we conduct active internal penetration testing: AD enumeration, service scanning, lateral movement attempts and privilege escalation. At each step, we cross-reference our actions against Darktrace's threat visualizer to map exactly which activities triggered alerts, which were missed and how long detection took.

Deliverables

What Your Report Includes

Detection Timeline

A minute-by-minute timeline showing when each attack phase began and when (or if) Darktrace detected it. Time-to-detection is the most critical metric for any NDR platform. If your Darktrace takes 45 minutes to flag a rogue device, that is 45 minutes an attacker has to establish persistence.

Missed Events Analysis

A detailed breakdown of attack activities that Darktrace did not detect. Each missed event includes the technique used, why it likely evaded detection and specific configuration changes that would improve coverage. This is the most valuable section of the report because it shows you exactly where your blind spots are.

False Positive Assessment

During our testing window, we also review the alerts Darktrace generates that are not related to our activity. A high false positive rate leads to alert fatigue, which leads to real attacks being ignored. We assess your current false positive rate and recommend tuning adjustments.
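As an added illustration of how the detection timeline, missed-event and false-positive figures above can be derived, here is a small Python script that is not Sherlock Forensics' tooling: it takes a constructed attack-phase schedule and a constructed model-breach export (device label, model names and timestamps are all invented for the example), attributes each breach to the phase it could have detected, and reports minutes-to-detection per phase, phases that were missed, and breaches not tied to the test activity.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Phase = namedtuple("Phase", "name start models")   # models: name substrings that count as detecting the phase
Breach = namedtuple("Breach", "time device model")

ROGUE = "shadowtap-01"                       # hypothetical label for the rogue device
T0 = datetime(2024, 1, 15, 9, 0)             # constructed engagement start time
at = lambda mins: T0 + timedelta(minutes=mins)  # offset helper

# Constructed phase schedule and the breach categories expected for each phase
PHASES = [
    Phase("Phase 1: rogue device", at(0), ("New Device",)),
    Phase("Phase 2: credential harvesting", at(20), ("Kerberos", "NTLM", "LLMNR")),
    Phase("Phase 3: covert tunnel", at(45), ("Beaconing", "Anomalous Connection")),
    Phase("Phase 4: AD enumeration", at(75), ("Network Scan", "LDAP")),
]

# Constructed model-breach export; names imitate the vendor's "Category / Model" style
BREACHES = [
    Breach(at(7), "shadowtap-01", "Device / New Device"),
    Breach(at(31), "finance-pc-12", "Anomalous File / Unusual SMB Activity"),
    Breach(at(80), "shadowtap-01", "Device / Network Scan"),
    Breach(at(93), "shadowtap-01", "Compromise / Beaconing to Rare Destination"),
]

def attribute(phases, breaches, rogue=ROGUE):
    """Map each breach to the earliest phase it could detect. Returns
    {phase name: minutes-to-detection or None} and the breaches not tied to our activity."""
    ttd = {p.name: None for p in phases}
    unattributed = []
    for b in breaches:
        hit = next((p for p in phases if b.device == rogue and b.time >= p.start
                    and any(s in b.model for s in p.models)), None)
        if hit is None:
            unattributed.append(b)   # candidate false positive, or a model we did not exercise
            continue
        minutes = (b.time - hit.start).total_seconds() / 60
        if ttd[hit.name] is None or minutes < ttd[hit.name]:
            ttd[hit.name] = minutes  # keep the earliest detection per phase
    return ttd, unattributed

def timeline(ttd, unattributed):
    """Render the detection-timeline section of the report as plain text."""
    rows = [f"{n}: " + ("MISSED" if t is None else f"detected after {t:.0f} min")
            for n, t in ttd.items()]
    rows.append(f"{len(unattributed)} breach(es) unrelated to our activity; review for false positives")
    return "\n".join(rows)
```

With the constructed data, the rogue device is flagged after 7 minutes, credential harvesting is never flagged, and the tunnel is only caught 48 minutes after it comes up, which is the kind of gap the missed-events section is meant to surface.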

Tuning Recommendations

Specific, actionable recommendations for improving your Darktrace deployment: model sensitivity adjustments, network segment coverage gaps, Antigena policy changes, integration opportunities with your SIEM or SOAR platform and custom model suggestions based on your environment.

Why Us

Possibly the Only Service of Its Kind

Independent Validation

We are not a Darktrace partner, reseller or competitor. We have no commercial relationship with Darktrace. This independence means our assessment is credible: we have no incentive to say your Darktrace works when it does not, and no incentive to say it fails when it succeeds. We report what we find.

Real Attacks, Not Simulations

We do not run Darktrace's built-in attack simulations. Those test whether Darktrace can detect its own test patterns, which is trivially easy. We use real attack techniques, real tools and a real rogue device on your network. If Darktrace can detect us, it can detect a real attacker using the same methods.

NIDS Heritage

ShadowTap was originally a network intrusion detection system. We know detection from the inside. We know what good detection looks like, what bad detection looks like and exactly which techniques are hardest to catch. This expertise informs every phase of our Darktrace validation.

Frequently Asked Questions

Darktrace Testing FAQs

Can you test our Darktrace?

Yes. The Darktrace Validation Assessment is a dedicated service specifically designed to test Darktrace installations. We deploy ShadowTap on your network, simulate real attack techniques and map Darktrace's detection against each phase. The assessment costs $5,000 CAD and includes a full report with detection timelines, missed events and tuning recommendations.

Will you break our Darktrace?

No. We do not modify, disable or interfere with your Darktrace installation. We test Darktrace by attacking the network it monitors, not by attacking Darktrace itself. Your Darktrace appliance and configuration remain completely untouched throughout the engagement.

What if Darktrace does not catch you?

Then you need to know that before a real attacker exploits those same blind spots. Our report documents exactly which attack phases were missed and why. We provide specific tuning recommendations: model sensitivity adjustments, network segment visibility gaps, Antigena policy changes. These are fixable problems, but only if you know about them.

Do you work with Darktrace directly?

No. Sherlock Forensics is completely independent of Darktrace. We do not sell, resell or partner with Darktrace. This independence is what makes our validation credible. We also test other NDR and IDS platforms including CrowdStrike Falcon, Vectra AI, ExtraHop, Snort, Suricata and Zeek.

Validate Your Investment

If Darktrace catches us, great. If it does not, you need to know.

Darktrace Validation Assessment: $5,000 CAD. Detection timeline, missed events, false positive analysis and tuning recommendations. Also available as part of the Comprehensive Assessment at $12,000 CAD.

Book Darktrace Validation

Ready to Test Your Darktrace?

Tell us about your Darktrace deployment and we will scope a validation assessment. Free scoping call, fixed-price quote, testing typically completed within 5-10 business days.

Phone: 604.229.1994
Burnaby Office: Burnaby, BC, Canada
Coquitlam Office: Coquitlam, BC, Canada