Internal Penetration Testing Tool

ShadowTap

We built the tool that watches your network. Then we built the tool that attacks it.

ShadowTap is Sherlock Forensics' proprietary internal penetration testing platform. It is a pre-configured hardware device shipped directly to your office. You plug it into any network port, it establishes an encrypted tunnel back to our testing lab, and our team conducts a full internal penetration test remotely. ShadowTap supports SSH reverse tunnels, Cloudflare Zero Trust, Iodine DNS tunnels, ICMP tunnels and JML ICMP timing channels. Originally built as a network intrusion detection system watching 12,000+ attack signatures, ShadowTap was re-engineered for offensive testing. It is included in the Comprehensive Security Assessment at $12,000 CAD.

Heritage

From Detection to Offense

Born as a NIDS

ShadowTap started its life as a network intrusion detection system. It sat on client networks passively monitoring traffic against 12,000+ attack signatures, flagging anomalies and generating alerts. We watched thousands of hours of network traffic, learned what normal looked like and learned exactly what attackers looked like when they moved through internal networks.

Re-engineered for Offense

After years of watching attackers, we asked a simple question: what if we used this same platform to simulate the attackers instead of just detecting them? ShadowTap was rebuilt from the ground up as an offensive tool. The same passive sniffing capabilities that made it an effective sensor now make it an effective attacker. It listens before it acts, just like a real adversary.

Real Physical Access Simulation

Most internal penetration tests start with a VPN connection. That skips the hardest part: getting onto the network in the first place. ShadowTap simulates the scenario where an attacker, a rogue employee or a visitor plugs a device into an open network port. This is the attack path your network detection systems need to catch, and the one most tests skip entirely.

Advanced

Capabilities Beyond the Tunnel

LTE Modem Failover

ShadowTap includes an optional USB LTE modem. When plugged in, the wired interface goes completely dark. All command-and-control traffic routes through the cellular connection via a Cloudflare ARGO tunnel. The device becomes invisible on the client network while Scapy runs passive monitoring on the Ethernet interface. This simulates an attacker with their own out-of-band connection, the hardest scenario for any detection system to catch.

Identity Harvesting and Rotation

ShadowTap passively collects legitimate hostnames and MAC addresses from the target network via ARP cache analysis, DHCP lease files and passive sniffing. It then clones the first three octets of the most common MAC prefix on the network and randomizes the last three. Hostnames are generated to match local naming conventions. If the network uses DESKTOP-XXXX format, ShadowTap adopts the same pattern. Identity rotation occurs every 15-30 minutes to evade behavioral profiling.

Anti-Antigena: Darktrace Evasion Testing

The Anti-Antigena button triggers a full identity reset: hostname wiped and regenerated, MAC address cycled to match local patterns, new DHCP lease requested. Random 10-30 second delays between actions break beacon detection patterns. This tests whether your Darktrace installation can detect an attacker who actively evades its behavioral models, the exact scenario a sophisticated threat actor would execute.
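The identity harvesting and rotation behaviour described in the two sections above has a mirror image on the defensive side: a device that cycles its MAC address and hostname every 15-30 minutes still sits on one physical switch port, and that port's lease history is what a NAC or SIEM correlation rule can watch. The following detector is an added example, not ShadowTap code or any vendor's rule, and it runs over a constructed DHCP-to-switch-port log. The log format, the two-hour window and the "more than two identities per port" threshold are assumptions to tune per environment. It also reports the dominant OUI seen on the network to make the point that vendor-prefix allow-listing does not help when the rogue device clones the most common prefix.

```python
"""Flag switch ports whose lease history shows identity churn.

Added illustration (not ShadowTap or vendor code). Input is a constructed,
simplified correlation log; window and threshold are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data).
# Format: "<ISO timestamp> <switch port> <mac> <hostname>"
# Every MAC shares the 3c:52:82 prefix, so OUI alone cannot separate the
# rotating device on Gi1/0/24 from the stable desktops on Gi1/0/12 and /13.
SAMPLE_EVENTS = """\
2024-03-04T08:00:00 Gi1/0/12 3c:52:82:11:aa:01 DESKTOP-4K2P9Q
2024-03-04T08:02:00 Gi1/0/13 3c:52:82:11:aa:02 DESKTOP-7H3M1Z
2024-03-04T09:10:00 Gi1/0/24 3c:52:82:9f:01:11 DESKTOP-Q8W2E4
2024-03-04T09:32:00 Gi1/0/24 3c:52:82:3a:77:c0 DESKTOP-Z1X9C3
2024-03-04T09:55:00 Gi1/0/24 3c:52:82:b4:10:5e DESKTOP-M5N2B8
2024-03-04T10:20:00 Gi1/0/24 3c:52:82:0c:e2:19 DESKTOP-L7K0J4
2024-03-04T13:00:00 Gi1/0/12 3c:52:82:11:aa:01 DESKTOP-4K2P9Q
"""

WINDOW = timedelta(hours=2)    # assumption: look-back window per port
MAX_IDENTITIES_PER_PORT = 2    # assumption: more distinct MACs than this in WINDOW is suspicious


def parse_events(text):
    """Return a list of (timestamp, port, mac, hostname) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, port, mac, host = line.split()
        events.append((datetime.fromisoformat(ts), port, mac.lower(), host))
    return events


def dominant_oui(events):
    """Most common 24-bit vendor prefix on the network (the one a cloner would copy)."""
    counts = Counter(mac[:8] for _ts, _port, mac, _host in events)
    return counts.most_common(1)[0][0]


def flag_port_churn(events):
    """Return sorted (port, max distinct MACs seen within WINDOW) for ports over threshold."""
    by_port = defaultdict(list)
    for ts, port, mac, _host in events:
        by_port[port].append((ts, mac))

    flagged = {}
    for port, seen in by_port.items():
        seen.sort()
        for i, (ts_i, _mac_i) in enumerate(seen):
            # Distinct MACs observed on this port in the WINDOW ending at ts_i.
            window_macs = {mac for ts, mac in seen[: i + 1] if ts_i - ts <= WINDOW}
            if len(window_macs) > MAX_IDENTITIES_PER_PORT:
                flagged[port] = max(flagged.get(port, 0), len(window_macs))
    return sorted(flagged.items())


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("dominant OUI:", dominant_oui(evts))
    for port, n in flag_port_churn(evts):
        print(f"port {port}: {n} distinct MACs within {WINDOW}")
```

The hostname pattern (DESKTOP-XXXX style) is deliberately not used as a signal here: once the rogue device adopts local naming conventions, only the physical anchor of the port and the rate of change remain reliable.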

How It Works

Four Steps to Internal Testing

1. Ship

We pre-configure ShadowTap for your engagement and ship it directly to your office via tracked courier. The device arrives ready to go with no software installation, no client-side configuration and no IT staff involvement required beyond plugging it in.

2. Plug In

Your team plugs ShadowTap into any available network port. It immediately begins passive reconnaissance: listening to broadcast traffic, ARP requests, DHCP exchanges and network announcements. It maps your internal network topology without sending a single packet.

3. Tunnel Home

ShadowTap establishes an encrypted tunnel back to our testing lab. It tries multiple tunnel types in sequence until one succeeds: SSH reverse tunnels for permissive networks, Cloudflare Zero Trust for web-only egress, Iodine DNS tunnels when only DNS is allowed, ICMP tunnels via ptunnel when ICMP is permitted and JML ICMP timing channels as a last resort. Every tunnel is encrypted end-to-end.

4. Full Internal Test

Once the tunnel is live, our team conducts a complete internal penetration test: Active Directory enumeration, service scanning, credential harvesting, lateral movement, privilege escalation and data exfiltration simulation. You receive the same depth of testing as an on-site engagement at a fraction of the cost and logistics.

Tunnel Technology

Five Tunnel Types, One Goal

Tunnel Type            | When It Works                                           | Detection Difficulty
SSH Reverse Tunnel     | Outbound SSH (port 22 or 443) is permitted              | Moderate - looks like normal SSH traffic
Cloudflare Zero Trust  | Only HTTPS egress is allowed                            | Hard - traffic blends with legitimate Cloudflare CDN traffic
Iodine DNS Tunnel      | Only DNS resolution is permitted                        | Moderate - generates unusual DNS query patterns
ICMP Tunnel (ptunnel)  | ICMP echo/reply is allowed through the firewall         | Hard - encapsulated in normal-looking ping traffic
JML ICMP Timing        | Last resort - works in extremely restricted environments | Very hard - data encoded in packet timing, minimal payload

The tunnel selection is itself a test. If ShadowTap can establish a covert channel out of your network, an attacker can too. Our report documents which tunnel succeeded, which were blocked and what that tells you about your egress controls. This information feeds directly into your network detection validation and helps you understand whether your Darktrace or other NDR would catch a real attacker phoning home.
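Two of the tunnel types in the table above (DNS and ICMP) leave signals that a defender can score directly from resolver and firewall logs, and the "Tunnel Home" step describes the device trying them in sequence, so an egress review should look at all of them at once. The script below is an added example written from the detection side; it is not ShadowTap, Iodine or ptunnel code. It parses a constructed, simplified log, flags a client that sends many high-entropy subdomain queries to one domain (the Iodine-style pattern) and flags ICMP echo flows whose payload sizes differ from common OS ping defaults (the ptunnel-style pattern). The log format, the entropy and count thresholds, the "typical ping payload" set and the naive two-label domain split are all assumptions.

```python
"""Egress checks for DNS- and ICMP-tunnel indicators.

Added illustration (not ShadowTap code). Input is a constructed, simplified
log; thresholds are assumptions to tune per environment.
"""
import math
from collections import defaultdict

# Constructed sample log (not real traffic). Format: "<proto> <src> <dst> <detail>"
#   dns  -> detail is the queried name
#   icmp -> detail is the echo payload length in bytes
SAMPLE_LOG = """\
dns 10.0.5.23 10.0.0.53 www.example.com
dns 10.0.5.23 10.0.0.53 mail.example.com
dns 10.0.5.77 10.0.0.53 3k9xq2v7h1t0sj8w2lp0aq4mz9vn.t.tunnel-example.net
dns 10.0.5.77 10.0.0.53 bqw8e2r7ty4u1i0o9p3as6df5gh2.t.tunnel-example.net
dns 10.0.5.77 10.0.0.53 zx1cv2bn3m4a5s6d7f8g9h0jk1lq.t.tunnel-example.net
dns 10.0.5.77 10.0.0.53 q1w2e3r4t5y6u7i8o9p0a1s2d3f4.t.tunnel-example.net
dns 10.0.5.77 10.0.0.53 l0k9j8h7g6f5d4s3a2p1o0i9u8y7.t.tunnel-example.net
dns 10.0.5.77 10.0.0.53 m1n2b3v4c5x6z7a8s9d0f1g2h3j4.t.tunnel-example.net
icmp 10.0.5.23 8.8.8.8 56
icmp 10.0.5.23 8.8.8.8 56
icmp 10.0.5.91 203.0.113.10 1024
icmp 10.0.5.91 203.0.113.10 1024
icmp 10.0.5.91 203.0.113.10 980
"""

# Assumed thresholds
MIN_UNIQUE_SUBDOMAINS = 5        # distinct subdomains per (client, domain) before scoring
MIN_MEAN_ENTROPY = 3.0           # mean Shannon entropy (bits/char) of the subdomain part
TYPICAL_PING_PAYLOADS = {0, 32, 56, 64}  # common OS ping defaults (assumption)


def parse_log(text):
    """Return (proto, src, dst, detail) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, detail = line.split(maxsplit=3)
        records.append((proto, src, dst, detail))
    return records


def shannon_entropy(s):
    """Bits per character; encoded tunnel payloads score high, ordinary labels low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Naive split into (registered domain, subdomain part).

    Uses the last two labels as the registered domain; a production version
    should use the Public Suffix List so that co.uk-style names split correctly.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def detect_dns_tunnel(records):
    """Return sorted (client, domain, mean_entropy) for suspicious query sets."""
    subs = defaultdict(set)
    for proto, src, _dst, detail in records:
        if proto != "dns":
            continue
        domain, sub = split_name(detail)
        if sub:
            subs[(src, domain)].add(sub)
    flagged = []
    for (src, domain), names in subs.items():
        if len(names) < MIN_UNIQUE_SUBDOMAINS:
            continue
        mean_entropy = sum(shannon_entropy(n) for n in names) / len(names)
        if mean_entropy >= MIN_MEAN_ENTROPY:
            flagged.append((src, domain, round(mean_entropy, 2)))
    return sorted(flagged)


def detect_icmp_tunnel(records):
    """Return sorted (src, dst) flows with echo payload sizes outside the usual defaults."""
    flagged = set()
    for proto, src, dst, detail in records:
        if proto == "icmp" and int(detail) not in TYPICAL_PING_PAYLOADS:
            flagged.add((src, dst))
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("DNS tunnel candidates:", detect_dns_tunnel(recs))
    print("ICMP tunnel candidates:", detect_icmp_tunnel(recs))
```

Payload-size checks say nothing about a timing channel such as the JML ICMP fallback in the table, which by design carries minimal payload; catching that class needs per-flow inter-arrival statistics and echo-request rate baselines rather than content inspection.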

Why ShadowTap

What Makes ShadowTap Different

No On-Site Consultant

Traditional internal penetration tests require flying a consultant to your office, badging them in and giving them a desk for a week. ShadowTap delivers the same results without the travel costs, scheduling delays or physical security complications. You plug in a device. We do the rest from our lab.

Tests Your Detection Stack

Because ShadowTap behaves like a real rogue device on your network, it tests your entire detection stack in a way VPN-based tests cannot. Does your Darktrace flag the new MAC address? Does your NAC block the port? Does your SIEM alert on the tunnel? Our report tells you exactly what was detected and what was missed.

Realistic Attack Path

Physical access attacks are real. USB drop attacks, rogue devices planted by visitors, compromised IoT hardware - these are documented attack vectors used by nation-state actors and organized crime. ShadowTap tests the exact scenario these attacks create. Passive monitoring alone cannot catch what it has never seen.

Full Methodology Documentation

Every phase of the ShadowTap engagement is documented in detail: which tunnel was used, what was discovered during passive recon, which credentials were harvested, how far lateral movement progressed and what data was accessible. Read our complete internal penetration testing methodology for the full phase-by-phase breakdown.

What You Get

Comprehensive Assessment with ShadowTap

External Network Testing

Full external penetration test covering your public-facing infrastructure: web applications, APIs, mail servers, DNS, VPN endpoints and cloud configurations.

Internal Network Testing

Complete internal penetration test via ShadowTap: Active Directory assessment, service enumeration, credential harvesting, lateral movement and privilege escalation.

Detection Validation

Assessment of what your security tools caught during testing. Which alerts fired? Which tools missed what? This alone justifies the engagement for organizations running NDR, IDS or SIEM platforms.

Executive Report

CVSS-scored findings with business impact context, remediation roadmap prioritized by risk, compliance mapping and an executive summary written for non-technical stakeholders.

Frequently Asked Questions

ShadowTap FAQs

What is ShadowTap?

ShadowTap is our proprietary internal penetration testing platform. It is a pre-configured hardware device shipped to your office. You plug it into your network, it establishes an encrypted tunnel back to our lab, and we conduct a full internal penetration test remotely. It is included in the Comprehensive Security Assessment at $12,000 CAD.

How does ShadowTap connect back to your lab?

It supports five tunnel types and selects the best one automatically: SSH reverse tunnels, Cloudflare Zero Trust, Iodine DNS tunnels, ICMP tunnels via ptunnel and JML ICMP timing channels. All communications are encrypted end-to-end. The tunnel selection itself is a test of your egress controls.

Is ShadowTap safe for production networks?

Yes. ShadowTap operates passively during initial reconnaissance, listening to broadcast traffic without injecting packets. Active testing begins only after the tunnel is established and scope is confirmed with your team. All testing follows PTES methodology with pre-agreed rules of engagement.

Why not just use a VPN for internal testing?

VPN-based testing skips the most critical attack phase: initial network access. A VPN connection goes through your firewall and gets a legitimate IP assignment. ShadowTap simulates what happens when someone plugs a rogue device into your network, which is the attack scenario your detection systems need to catch. Read our full methodology comparison for details.

What happens to the device after testing?

We provide a prepaid return shipping label. All collected data is included in your final report. The device is wiped and reconfigured for the next engagement. Your report is delivered within five business days of testing completion.

Get Started

Ship. Plug in. Get tested.

ShadowTap is included in the Comprehensive Security Assessment at $12,000 CAD. External testing, internal testing via ShadowTap, detection validation and a full executive report.

Order Comprehensive Assessment

Questions About ShadowTap?

Want to know if ShadowTap is right for your environment? Need a custom scope for a multi-site deployment? Call us for a free scoping consultation.

Phone: 604.229.1994
Burnaby Office: Burnaby, BC, Canada
Coquitlam Office: Coquitlam, BC, Canada