ShadowTap Detection Validation

Three Modes. Three Levels of Stealth.

Each mode tests a different layer of your detection. Each mode that succeeds teaches you where your gaps are.

ShadowTap operates in three progressive modes to test network detection capabilities. Mode 1 (Corporate Network) plugs into the client network and phones home through the client's own infrastructure using a cascade of tunnels: Cloudflare ARGO, Iodine DNS, ICMP ptunnel and SSH reverse. Mode 2 (Ghost Mode) routes all command-and-control through a USB LTE modem while Scapy passively monitors the corporate network, so the wired interface sends nothing of its own. Mode 3 (Anti-Antigena) adds identity cloning, matching local hostname patterns and MAC prefixes while rotating identity every 15-30 minutes. Each mode that goes undetected reveals a gap in your detection stack. Included in the Comprehensive Security Assessment at $12,000 CAD.

Operating Modes

Three Modes, Progressive Stealth

Mode 1: Corporate Network

ShadowTap plugs directly into the client network via eth0 and phones home through the client's infrastructure. The tunnel cascade tries each method in sequence: Cloudflare ARGO first (a single long-lived TLS session to a CDN edge, which looks like ordinary HTTPS), then Iodine DNS tunneling (bursts of long, encoded subdomain labels sent to one zone, mostly as NULL or TXT queries), then ICMP ptunnel (a steady stream of echo request and reply pairs carrying large data payloads), then an SSH reverse tunnel (one outbound TCP session that never closes). Each has a signature a well-tuned stack should catch. This mode tests three things simultaneously: how fast your network detects a new device, how long it takes to establish a baseline and whether your monitoring catches covert tunnel establishment. This is the loudest mode. If your detection stack cannot catch this, it cannot catch anything.

Mode 2: Ghost Mode (LTE Cellular)

A USB LTE modem handles all command-and-control and management traffic. The eth0 interface goes completely dark. Zero management traffic touches the corporate network. Scapy runs passive monitoring on the wired interface, collecting intelligence without generating a single packet of its own. Your IDS watches network traffic. This device does not generate any. It receives everything and transmits nothing through your infrastructure. Staying that quiet takes deliberate configuration: any DHCP client, IPv6 autoconfiguration (router solicitation and duplicate address detection) and name-service daemons such as avahi must be disabled on eth0, or the kernel announces the device the moment the link comes up. Done properly, the only evidence of its existence is the link state on the switch port, plus any MAC table or ARP entries left over from Phase 1 until they age out; a device that never transmits is never learned by the switch and never appears in an ARP table. This mode tests whether your detection can identify a device that is physically present but operationally silent.

Mode 3: Anti-Antigena (Full Stealth)

Anti-Antigena adds identity cloning to Ghost Mode's passive posture. ShadowTap wipes its hostname and harvests observed hostnames from the network. If your naming convention uses WSXXXX, it becomes WSXXXX. If you use DESKTOP-XXXX, it adopts that pattern. It clones the first three octets (the vendor OUI) of the most common MAC vendor on your network and randomizes the last three. To the AI, it looks like just another Intel workstation named WS4827. A cloned hostname is only visible once the device announces it, typically in a DHCP request or a name-service broadcast, so unlike Mode 2 this mode does speak on the wired side, in the same register as the workstations it imitates. Identity rotation occurs every 15-30 minutes with random delays between actions to break beacon detection patterns. This mode tests whether your behavioral AI can distinguish one device from the 200 others that look identical to it.

Engagement Flow

Progressive Detection Timeline

Phase 1: Corporate Network

ShadowTap connects in Mode 1. The clock starts. We monitor your detection stack for alerts: new device detection, tunnel establishment, anomalous traffic patterns. Every alert is timestamped. Every missed event is documented. When detection occurs (or after a defined window passes), we record the results and move to Mode 2.

Phase 2: Ghost Mode LTE

ShadowTap switches to cellular command-and-control. The corporate network interface goes passive. We monitor whether your detection stack notices the behavioral change, whether it flags the silent device and whether any alerts from Phase 1 persist or resolve. Did your NDR detect the mode switch? Did it notice the device stopped talking but kept listening?

Phase 3: Anti-Antigena

Identity cloning activates. ShadowTap blends into your network's device population. We test whether your behavioral AI can distinguish the cloned identity from legitimate devices. MAC prefix matching, hostname mimicry and rotation timing are all documented. Does your AI flag one device among 200 identical ones?

Phase 4: Detection Report

You receive a complete detection timeline for each mode. Time to first alert, alert accuracy, response actions triggered and gaps identified. The report shows exactly which modes your detection stack caught, which it missed and what that means for your security posture against a real attacker with physical access.

Why This Matters

What Each Mode Tells You

Mode 1 Failures

If your detection stack cannot catch a device that plugs into your network and establishes outbound tunnels through your infrastructure, your baseline detection is fundamentally broken. This is the most detectable scenario: a MAC address never seen before, a new DHCP lease with an unfamiliar hostname, an outbound TLS session to a CDN edge that stays open for hours, DNS queries shaped like nothing a workstation produces, ICMP echo traffic carrying kilobytes of payload, or an outbound SSH session that never closes. If this gets through, every subsequent mode will too.
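The indicators above map onto simple heuristics a defender can run over existing logs. The block below is an added example written for this page, not ShadowTap's own code or any vendor's detection content. It runs three checks over constructed Zeek-style records (dicts with assumed field names): long, high-entropy subdomains to one zone with tunnel-friendly record types (the iodine shape), oversized ICMP echo requests from one source (the ptunnel shape), and outbound TCP sessions held open for an hour or more (the cloudflared and ssh -R shape). The thresholds are assumptions for illustration and need tuning against your own baseline.

```python
"""Detection heuristics for the tunnel families in the Mode 1 cascade, run
over constructed Zeek-style log records. Added example, not ShadowTap's own
code; field names and thresholds are assumptions to tune to your baseline."""
import math
import random
from collections import defaultdict

DNS_MIN_QUERIES = 20          # queries to one zone before judging it
DNS_MIN_AVG_LABEL_LEN = 40    # iodine packs data into long subdomain labels
DNS_MIN_ENTROPY = 3.5         # bits/char; encoded payload, not words
DNS_TUNNEL_QTYPES = {"NULL", "TXT", "CNAME", "MX", "SRV"}
ICMP_NORMAL_PAYLOAD = 64      # bytes; a default ping carries 56
ICMP_MIN_LARGE_ECHOES = 10
LONG_SESSION_SECONDS = 3600   # cloudflared and ssh -R hold one session open
INTERNAL_PREFIX = "10."       # assumed internal address space


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def zone_of(qname):
    """Registered zone approximated as the last two labels (fine for a demo)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_dns_tunnel(dns_log):
    """(src, zone) pairs with many long, high-entropy subdomains and the record
    types iodine favours. Returns one finding per suspicious pair."""
    buckets = defaultdict(list)
    for rec in dns_log:
        buckets[(rec["src"], zone_of(rec["query"]))].append(rec)
    hits = []
    for (src, zone), recs in buckets.items():
        if len(recs) < DNS_MIN_QUERIES:
            continue
        subs = [r["query"][: -len(zone) - 1] for r in recs]   # strip ".zone"
        avg_len = sum(map(len, subs)) / len(subs)
        entropy = sum(map(shannon_entropy, subs)) / len(subs)
        tunnel_share = sum(r["qtype"] in DNS_TUNNEL_QTYPES for r in recs) / len(recs)
        if avg_len >= DNS_MIN_AVG_LABEL_LEN and entropy >= DNS_MIN_ENTROPY and tunnel_share >= 0.5:
            hits.append({"src": src, "zone": zone, "queries": len(recs),
                         "avg_len": round(avg_len, 1), "entropy": round(entropy, 2)})
    return hits


def detect_icmp_tunnel(icmp_log):
    """Sources sending a stream of echo requests with oversized payloads;
    ptunnel carries its TCP stream inside echo request/reply data."""
    large = defaultdict(int)
    for rec in icmp_log:
        if rec["type"] == 8 and rec["payload_len"] > ICMP_NORMAL_PAYLOAD:
            large[(rec["src"], rec["dst"])] += 1
    return [{"src": s, "dst": d, "large_echo_requests": n}
            for (s, d), n in large.items() if n >= ICMP_MIN_LARGE_ECHOES]


def detect_long_outbound_sessions(conn_log):
    """Outbound TCP sessions held open for an hour or more. A CDN tunnel on 443
    looks like HTTPS, but a browser does not keep one connection up all afternoon."""
    return [{"src": c["src"], "dst": c["dst"], "dport": c["dport"], "duration": c["duration"]}
            for c in conn_log
            if c["proto"] == "tcp" and c["src"].startswith(INTERNAL_PREFIX)
            and not c["dst"].startswith(INTERNAL_PREFIX)
            and c["duration"] >= LONG_SESSION_SECONDS]


def sample_logs():
    """Constructed records: one tunnelling host (10.20.30.77) beside benign noise."""
    rng = random.Random(7)
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"   # base32 alphabet, as iodine uses
    dns = [{"src": "10.20.30.77", "qtype": "NULL",
            "query": "".join(rng.choice(alphabet) for _ in range(60)) + ".t.example.org"}
           for _ in range(30)]
    dns += [{"src": "10.20.30.12", "qtype": "A", "query": name + ".corp.local"}
            for name in ("mail", "dc01", "files", "print") for _ in range(8)]
    icmp = [{"src": "10.20.30.77", "dst": "203.0.113.5", "type": 8, "payload_len": 1024}
            for _ in range(15)]
    icmp += [{"src": "10.20.30.12", "dst": "10.20.30.1", "type": 8, "payload_len": 56}
             for _ in range(5)]
    conn = [
        {"src": "10.20.30.77", "dst": "198.51.100.9", "dport": 443, "proto": "tcp", "duration": 5400},
        {"src": "10.20.30.77", "dst": "203.0.113.22", "dport": 22, "proto": "tcp", "duration": 7200},
        {"src": "10.20.30.12", "dst": "198.51.100.9", "dport": 443, "proto": "tcp", "duration": 12},
    ]
    return dns, icmp, conn


def run_all():
    dns, icmp, conn = sample_logs()
    return {"dns": detect_dns_tunnel(dns),
            "icmp": detect_icmp_tunnel(icmp),
            "sessions": detect_long_outbound_sessions(conn)}


if __name__ == "__main__":
    for family, findings in run_all().items():
        print(family, findings)
```

The benign workstation (10.20.30.12) makes more queries to corp.local than the threshold, but its labels are short and dictionary-like, so only the tunnelling host is reported; that is the point of scoring length and entropy together rather than volume alone.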

Mode 2 Failures

If Ghost Mode goes undetected, your monitoring relies entirely on observing traffic. A device that receives but never transmits is invisible to traffic-based detection. This is exactly how a sophisticated attacker with cellular hardware would operate. Your network detection needs to identify devices by their presence, not just their behavior: a switch port that reports link up while the MAC table has learned nothing on it, a port that came up without an 802.1X authentication or NAC admission, or a port whose last learned MAC vanished without the link ever going down. Those are layer-2 facts your switches already hold; the gap is usually that nobody collects or reconciles them.

Mode 3 Failures

If Anti-Antigena evades your Darktrace or other behavioral AI, it means identity-based detection is vulnerable to cloning. An attacker who matches your naming conventions and MAC vendor patterns becomes statistically indistinguishable from your legitimate devices at the traffic layer. This is the hardest detection problem and the most realistic advanced threat scenario. It is not unwinnable, though: the identity rotation that breaks beacon analysis is itself a signal at layer 2, because a real hardware swap flaps the link while a software MAC change does not, and a hostname that fits your convention but belongs to no asset in your inventory is a mismatch no amount of mimicry can close.
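The Mode 2 and Mode 3 failure cases above both come down to reconciling what the switch and the DHCP server see against what the asset inventory says should be there. The block below is an added example for this page, not ShadowTap's own code or any NAC product's logic. It runs three checks over constructed data with assumed field names: a port that stays link-up across several polls while the switch has learned no MAC on it (the silent Ghost Mode device), a port whose learned MAC changes while the link never went down (software identity rotation, as opposed to someone plugging in a different laptop), and a DHCP hostname that fits the assumed WSNNNN convention but comes from a MAC the inventory has never issued (the cloned identity). The inventory, the polling interval and the naming pattern are assumptions.

```python
"""Presence- and identity-based checks for the Mode 2 and Mode 3 scenarios,
run over constructed switch polls and DHCP lease events. Added example, not
ShadowTap's own code; field names, thresholds and inventory are assumptions."""
import re
from collections import defaultdict

SILENT_POLLS = 3                                  # consecutive link-up polls with no MAC learned
HOSTNAME_CONVENTION = re.compile(r"^WS\d{4}$")    # assumed site naming pattern

# Constructed inventory: MAC -> asset name, as an asset database would hold it.
INVENTORY = {
    "00:1a:2b:00:00:11": "WS1001",
    "00:1a:2b:00:00:12": "WS1002",
    "00:1a:2b:00:00:13": "WS1003",
}

# Constructed DHCP lease events (t in minutes). The intruder's MACs share the
# site's dominant OUI 00:1a:2b, so vendor lookup alone would not flag them.
DHCP_EVENTS = [
    {"t": 1,  "mac": "00:1a:2b:00:00:11", "hostname": "WS1001"},
    {"t": 2,  "mac": "00:1a:2b:9f:01:aa", "hostname": "WS4827"},   # cloned convention
    {"t": 16, "mac": "00:1a:2b:9f:02:bb", "hostname": "WS3391"},   # after rotation
    {"t": 16, "mac": "00:1a:2b:00:00:13", "hostname": "WS1003"},
]


def build_polls():
    """Constructed switch polls every 5 minutes: per port, link state and the
    MAC the switch has learned there (None when the MAC table has no entry)."""
    polls = []
    for t in (0, 5, 10, 15):
        polls.append({"t": t, "port": "Gi1/0/1", "link": "up", "mac": "00:1a:2b:00:00:11"})
        polls.append({"t": t, "port": "Gi1/0/7", "link": "up", "mac": None})   # ghost device
        polls.append({"t": t, "port": "Gi1/0/9", "link": "up",
                      "mac": "00:1a:2b:9f:01:aa" if t < 15 else "00:1a:2b:9f:02:bb"})
    # Gi1/0/2: a laptop is unplugged at t=10 and a different one plugged in at t=15.
    polls += [{"t": 0,  "port": "Gi1/0/2", "link": "up",   "mac": "00:1a:2b:00:00:12"},
              {"t": 5,  "port": "Gi1/0/2", "link": "up",   "mac": "00:1a:2b:00:00:12"},
              {"t": 10, "port": "Gi1/0/2", "link": "down", "mac": None},
              {"t": 15, "port": "Gi1/0/2", "link": "up",   "mac": "00:1a:2b:00:00:13"}]
    return sorted(polls, key=lambda p: (p["port"], p["t"]))


def silent_ports(polls, min_polls=SILENT_POLLS):
    """Ports whose link is up but on which the switch has never learned a MAC:
    the signature of a device that listens and never transmits."""
    streak = defaultdict(int)
    hits = set()
    for p in polls:                      # expects (port, t) order
        if p["link"] == "up" and p["mac"] is None:
            streak[p["port"]] += 1
            if streak[p["port"]] >= min_polls:
                hits.add(p["port"])
        else:
            streak[p["port"]] = 0
    return sorted(hits)


def mac_churn_without_link_flap(polls):
    """Ports where the learned MAC changes while the link never went down. A
    real hardware swap flaps the link; a software MAC rotation does not."""
    last = {}
    hits = defaultdict(list)
    for p in polls:                      # expects (port, t) order
        port = p["port"]
        if p["link"] != "up":
            last.pop(port, None)         # link dropped: the next MAC may be a new device
            continue
        if p["mac"] is None:
            continue
        prev = last.get(port)
        if prev is not None and prev != p["mac"]:
            hits[port].append((prev, p["mac"], p["t"]))
        last[port] = p["mac"]
    return dict(hits)


def convention_hostnames_not_in_inventory(dhcp_events, inventory=INVENTORY):
    """Hostnames that fit the naming convention but arrive from a MAC the asset
    inventory never issued: the cloned identity looks right but is not ours."""
    return [(e["hostname"], e["mac"]) for e in dhcp_events
            if HOSTNAME_CONVENTION.match(e["hostname"]) and e["mac"] not in inventory]


if __name__ == "__main__":
    polls = build_polls()
    print("silent ports:", silent_ports(polls))
    print("mac churn:", mac_churn_without_link_flap(polls))
    print("cloned hostnames:", convention_hostnames_not_in_inventory(DHCP_EVENTS))
```

The link-down on Gi1/0/2 is the edge case that matters: a port that changes MAC after a flap is a normal desk swap and must not alert, while Gi1/0/9 changing MAC on a link that never dropped is exactly the rotation Mode 3 performs.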

Frequently Asked Questions

Operating Mode FAQs

What are the three ShadowTap operating modes?
Mode 1 (Corporate Network) plugs directly into the client network and phones home through their infrastructure using a cascade of tunnels. Mode 2 (Ghost Mode) uses a USB LTE modem for all command-and-control while the wired interface goes completely passive. Mode 3 (Anti-Antigena) adds identity cloning with hostname mimicry and MAC prefix matching. Each mode progressively tests deeper layers of your detection capabilities.
What does Ghost Mode do differently from Corporate Network mode?
In Ghost Mode, all command-and-control traffic routes through a USB LTE cellular modem. The eth0 interface goes completely passive, using Scapy to monitor network traffic without generating any detectable packets. Your IDS watches network traffic, but this device does not generate any. It receives everything and transmits nothing through the corporate network.
How does Anti-Antigena mode evade behavioral AI detection?
Anti-Antigena wipes the device hostname and harvests observed hostnames from the target network. If the network uses a WSXXXX naming pattern, ShadowTap becomes WSXXXX. It clones the first three octets of the most common MAC vendor on the network and randomizes the last three. Identity rotation occurs every 15-30 minutes with random delays to break beacon detection patterns. To the AI, it looks like just another workstation.
How much does a ShadowTap engagement cost?
ShadowTap deployment across all three operating modes is included in the Comprehensive Security Assessment at $12,000 CAD. This includes external testing, internal testing via ShadowTap, progressive detection validation across all three modes and a full report with detection timelines for each mode.

Test Your Detection

Three modes. Three chances to catch us. One report that tells you everything.

ShadowTap is included in the Comprehensive Security Assessment at $12,000 CAD. Progressive detection validation across Corporate Network, Ghost Mode and Anti-Antigena with full detection timeline reporting.

Order Comprehensive Assessment

Questions About ShadowTap Modes?

Want to know which operating modes are most relevant to your environment? Need details on how Ghost Mode or Anti-Antigena would work on your network? Call us for a free scoping consultation.

Call 604.229.1994
Phone
604.229.1994
Burnaby Office
Burnaby, BC, Canada
Coquitlam Office
Coquitlam, BC, Canada