NDR Validation
Network Detection System Validation
You bought a million-dollar detection system. We find out if it is worth it.
Sherlock Forensics validates network detection and response (NDR), intrusion detection (IDS) and intrusion prevention (IPS) systems using real attack simulation. We test Darktrace, CrowdStrike Falcon, Vectra AI, ExtraHop Reveal(x), Cisco Stealthwatch, Snort, Suricata and Zeek. Our validation covers detection coverage, alert accuracy, response time, blind spots and evasion resistance. We deploy our ShadowTap platform on your network, simulate real attacker behavior and map detection results against the MITRE ATT&CK framework. NDR Validation Assessments start at $5,000 CAD.
Platforms
Systems We Validate
| Platform | Type | What We Test |
|---|---|---|
| Darktrace | AI-driven NDR | Model breach detection, Antigena response, anomaly sensitivity |
| CrowdStrike Falcon | EDR/NDR | Network visibility, lateral movement detection, cloud workload coverage |
| Vectra AI | AI-driven NDR | Cognito detections, threat scoring accuracy, host scoring |
| ExtraHop Reveal(x) | NDR | Wire data analysis, protocol detection, decryption coverage |
| Cisco Stealthwatch | Flow-based NDR | NetFlow analysis, encrypted traffic analytics, behavioral detection |
| Snort | Signature-based IDS/IPS | Ruleset coverage, evasion resistance, custom rule effectiveness |
| Suricata | Signature-based IDS/IPS | Ruleset coverage, protocol detection, multi-threading performance |
| Zeek (Bro) | Network security monitor | Script coverage, protocol parsing, log completeness |
Running a platform not listed here? We validate any network detection system. Our methodology is platform-agnostic because we test by attacking your network, not by attacking the detection tool itself. Contact us to discuss your specific platform.
Assessment Areas
Five Dimensions of Detection
Detection Coverage
What percentage of our attack techniques generate alerts? We map results against the MITRE ATT&CK framework to give you a standardized view of which tactics and techniques your system detects and which it misses. The percentage is always relative to the techniques in the test matrix, so two platforms are only comparable when they were scored against the same matrix. Most organizations are surprised by the gaps. Coverage above 70% is good. Above 85% is exceptional. Below 50% is common.
Alert Accuracy
What fraction of the alerts raised are true positives (precision), and how many false positives arrive per day? A detection system that generates 500 alerts per day with a 95% false positive rate buries its 25 real alerts under 475 that an analyst has to close; one that generates 10 alerts per day with a 5% false positive rate gets every real alert investigated. Alert fatigue is one of the main reasons real attacks get missed. Because we know exactly which alerts correspond to our activity, the testing window is the one time your true-positive and false-positive counts can be measured precisely rather than estimated.
Response Time
How long between an attack action and the corresponding alert? A modestly sized database can be exfiltrated in under 10 minutes. If your detection system takes 30 minutes to flag the activity, the data is already gone. We measure time-to-detection for every technique in our test matrix, from initial device connection to data exfiltration simulation, using the timestamp of the action and the timestamp of the first alert that references it.
Blind Spots
Which network segments, protocols or traffic patterns have no detection coverage? Common blind spots include encrypted traffic, east-west traffic between servers, cloud workload communications and IoT device segments. We identify exactly where your detection system has no visibility and what an attacker could do in those zones.
Evasion Resistance
Can common evasion techniques bypass your detection? We test packet fragmentation, protocol tunneling, encryption, timing-based evasion, living-off-the-land techniques and traffic blending. ShadowTap's multiple tunnel types are themselves an evasion test: if a DNS tunnel or ICMP timing channel can exfiltrate data without detection, that is a critical finding.
Methodology
How Validation Works
Deploy ShadowTap
We ship our ShadowTap device to your location. You plug it into your network. It begins passive reconnaissance and establishes an encrypted tunnel back to our lab. The deployment itself is the first test: does your detection system flag a new, unknown device appearing on the network and immediately opening an outbound encrypted tunnel?
Execute Attack Matrix
Our team executes a structured attack matrix covering MITRE ATT&CK tactics from initial access through exfiltration. Each technique is logged with precise timestamps. We follow our documented internal penetration testing methodology with additional detection-focused instrumentation at every phase.
Cross-Reference and Report
We cross-reference our attack log against your detection platform's alert history. For each technique: was it detected? How long did detection take? What alert was generated? Was the alert actionable? The final report maps every finding to MITRE ATT&CK and includes specific tuning recommendations for your platform.
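To make the cross-referencing step concrete, here is an added Python example that scores a constructed attack log against a constructed alert export for three of the dimensions above: detection coverage, alert precision and time-to-detection. It is illustrative code written for this page, not Sherlock Forensics' ShadowTap tooling or report generator. The technique IDs are real MITRE ATT&CK IDs; the timestamps, hosts, alert names and the 60-minute correlation window are assumptions made for the illustration.

```python
"""Score a detection-validation attack log against an NDR alert export.

Added example, not Sherlock Forensics' own code. Sample rows are constructed.
"""
from datetime import datetime, timedelta
from statistics import median

# Constructed attack log: one row per technique executed, with the precise
# execution timestamp the engagement team recorded.
ATTACK_LOG = [
    # (executed_at, ATT&CK technique ID, source host)
    ("2024-03-04T10:00:00", "T1046",     "10.20.5.77"),  # network service discovery
    ("2024-03-04T10:12:00", "T1021.002", "10.20.5.77"),  # lateral movement via SMB admin shares
    ("2024-03-04T10:30:00", "T1048.003", "10.20.5.77"),  # exfil over unencrypted non-C2 protocol
    ("2024-03-04T10:45:00", "T1071.004", "10.20.5.77"),  # DNS tunnelling C2 channel
]

# Constructed alert export from the (hypothetical) platform under test. The
# technique tag is whatever the platform attached, or None if it attached none.
ALERT_LOG = [
    # (raised_at, source host, alert name, technique tag)
    ("2024-03-04T10:03:30", "10.20.5.77", "Internal port scan",          "T1046"),
    ("2024-03-04T10:04:10", "10.20.5.77", "Internal port scan",          "T1046"),      # duplicate alert
    ("2024-03-04T10:41:00", "10.20.5.77", "Large outbound FTP transfer", "T1048.003"),
    ("2024-03-04T09:15:00", "10.20.8.12", "New device seen",             None),         # unrelated host, before any action
    ("2024-03-04T11:10:00", "10.20.5.90", "Unusual SMB activity",        "T1021.002"),  # right technique, wrong host
]

WINDOW = timedelta(minutes=60)  # assumed maximum lag between action and alert


def correlate(attacks, alerts, window=WINDOW):
    """Match alerts to the attack actions they fired on and compute the metrics.

    An alert is a true positive when it carries the same technique ID, names the
    same source host, and was raised within `window` after the action. Every
    other alert raised in the export is counted as a false positive. That only
    holds because the validation window is otherwise quiet, which is a
    precondition of the engagement, not a property of the scoring.
    """
    ttd_by_technique = {}  # technique -> seconds to first matching alert, or None
    tp_alerts = set()      # indexes of alerts matched to at least one action

    for executed_at, technique, host in attacks:
        t0 = datetime.fromisoformat(executed_at)
        ttd = ttd_by_technique.get(technique)
        for idx, (raised_at, a_host, _name, a_tech) in enumerate(alerts):
            t1 = datetime.fromisoformat(raised_at)
            if a_tech == technique and a_host == host and t0 <= t1 <= t0 + window:
                tp_alerts.add(idx)
                delta = (t1 - t0).total_seconds()
                ttd = delta if ttd is None else min(ttd, delta)
        ttd_by_technique[technique] = ttd

    detected = [t for t, ttd in ttd_by_technique.items() if ttd is not None]
    ttds = [ttd_by_technique[t] for t in detected]
    tp = len(tp_alerts)
    fp = len(alerts) - tp
    return {
        "coverage": len(detected) / len(ttd_by_technique),
        "undetected": sorted(t for t, ttd in ttd_by_technique.items() if ttd is None),
        "true_positives": tp,
        "false_positives": fp,
        "precision": tp / len(alerts) if alerts else 0.0,
        "median_ttd_seconds": median(ttds) if ttds else None,
        "max_ttd_seconds": max(ttds) if ttds else None,
        "ttd_by_technique": ttd_by_technique,
    }


def report(result):
    """Render the scorecard in the shape a validation report summarises it."""
    lines = [
        f"Coverage: {result['coverage']:.0%} of techniques detected",
        f"Undetected techniques: {', '.join(result['undetected']) or 'none'}",
        f"Alerts: {result['true_positives']} true positive, "
        f"{result['false_positives']} false positive "
        f"(precision {result['precision']:.0%})",
        f"Time-to-detection: median {result['median_ttd_seconds']}s, "
        f"max {result['max_ttd_seconds']}s",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(correlate(ATTACK_LOG, ALERT_LOG)))
```

Two of the constructed rows show why the host match matters: the "Unusual SMB activity" alert carries the right technique ID but names a different host, so crediting it would overstate coverage for lateral movement. In a real engagement the alert export will also contain unrelated production noise, so the false-positive count is read alongside the alert names rather than taken as a bare number.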
Frequently Asked Questions
Detection Validation FAQs
- Which detection systems can you validate?
- Any NDR, IDS, IPS or network security monitor. We regularly test Darktrace, CrowdStrike Falcon, Vectra AI, ExtraHop, Cisco Stealthwatch, Snort, Suricata and Zeek. We also validate SIEM-based detection rules in Splunk, Microsoft Sentinel and Elastic Security. Our methodology is platform-agnostic.
- How is this different from a penetration test?
- A penetration test asks "can we get in?" Detection validation asks "can your tools see us getting in?" The attack techniques overlap, but the objective and reporting are different. A pentest report focuses on vulnerabilities. A validation report focuses on detection gaps. Many organizations combine both in the Comprehensive Assessment at $12,000 CAD.
- Do you provide tuning recommendations?
- Yes. Every report includes platform-specific tuning recommendations: rule adjustments, signature updates, detection model changes, network tap placement suggestions, log source additions and integration recommendations. We do not just tell you what failed. We tell you how to fix it.
- Can you test multiple detection systems at once?
- Yes. If you run multiple detection platforms (for example, Darktrace for NDR and Suricata for IDS), we can validate both during the same engagement. Our attack matrix runs once and results are mapped against each platform separately. This is the most efficient way to compare detection capabilities across your security stack.
Validate Your Detection
Find out what your detection system actually catches.
NDR Validation Assessment from $5,000 CAD. Combined with full internal and external penetration testing in the Comprehensive Assessment at $12,000 CAD.
Book NDR Validation
Scope Your Detection Validation
Tell us which detection platforms you run and we will build a validation engagement that tests what matters. Free scoping call, fixed-price quote within one business day.
- Phone: 604.229.1994
- Burnaby Office: Burnaby, BC, Canada
- Coquitlam Office: Coquitlam, BC, Canada
- Related Pages: ShadowTap · Darktrace Testing · Darktrace vs Pentest