Network Security · Beacon Butty

Stop Malware — before it calls home.

Detect silent, periodic check-ins signalling a compromised device. The threats your antivirus never sees.

  • 24/7 Passive Monitoring
  • ≤1hr Alert Response
  • 14d Slow-Cadence Window
  • 11 Live Dashboards
The Problem

Your Antivirus Won't Catch This

Modern malware rarely announces itself. Instead, it installs silently, then reaches out to its operator via short, regular, encrypted messages — beacons. Once a live command channel is confirmed, attackers push further: lateral movement, data exfiltration, ransomware deployment.

Traditional defences inspect files and signatures. Beacons don't look like malware. They look like background traffic — which is exactly the point.

Ransomware Pre-staging
Operators verify access and map the network before encrypting — beacons are the first sign something is wrong.
Persistent Access Trojans
RATs check in every few minutes — or every few hours, deliberately, to evade hourly analysis. Signature scanners see a normal process; multi-cadence beacon analysis sees the pattern either way.
Stealthy Data Exfiltration
Small, consistent payloads sent at fixed intervals are invisible to volume-based anomaly detection.
Supply-chain Implants
Trusted software can be compromised. Even legitimate-looking traffic must be profiled for periodic behaviour.
The Solution

Behavioural Network Monitoring

Beacon Butty sits between your LAN and the internet, tracking and scoring every connection — without any packets being blocked or delayed. Zero impact on your network performance.

Rather than matching against known-bad signatures, it measures behaviour: connection regularity, consistent payload sizes, unusual destination profiles. Two cadence engines run in parallel — RITA's hourly window and a 14-day slow-cadence correlator — so check-ins from minutes to days both get caught. Every finding then passes the alert gate before it ever reaches Slack.

Multi-Cadence Beacon Scoring
RITA v5 scores every host on periodicity, jitter, payload-size consistency and duration — hourly. A separate 14-day cross-DB correlator catches the slow, long-sleep check-ins that hourly windows miss.
JA4 Threat Fingerprints
Per-device JA4 TLS Client Hello fingerprints recorded against the asset inventory and matched daily against FoxIO's ja4plus-mapping — known threat families surfaced the moment a device adopts their TLS profile.
Intrusion Detection
Suricata IDS scans live traffic against ~50,000 community and Emerging Threats signatures — exploit attempts, shellcode, protocol abuse — with STREAM and QUIC infrastructure noise filtered automatically.
L2 / ARP Anomaly Detection
Reads Zeek's arp.log for gateway impersonation (rogue MAC announcing the router IP), MAC change (an IP claimed by more than one MAC in a day) and malformed-ARP events. Critical events fire Slack alerts immediately.
Network Intelligence
TLS / DNS anomaly builders, exfiltration candidates, night-activity profiling, new-beacon discovery — every connection enriched with geo, ASN, Tor exit list and domain entropy.
Asset Inventory
Automatic LAN discovery via DHCP, ARP and Nmap. OS fingerprinting, MAC vendor, open ports, JA4 fingerprints and last-seen — with manual overrides for unidentified devices.
False-Positive Registry
MAC-keyed device suppression that survives DHCP changes — plus domain and protocol rules. Suppressions apply across every detector, keeping alert volumes meaningful.
Gated, Intelligent Alerts
A sole-LAN-talker / non-hyperscaler gate demotes findings reaching CDN ASNs or destinations several devices share — only implant-shaped traffic pages Slack. Per-type enable / disable, suppression windows and a daily 08:00 UTC digest.
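
To show what the L2 / ARP Anomaly Detection card above amounts to in practice, here is an added Python illustration; it is not Beacon Butty's own code. The arp.log field names (ts, operation, src_mac, src_ip, dst_mac, dst_ip), the gateway address and MAC, and the six sample events are all constructed for the example. It implements the three checks the card names: a rogue MAC answering for the router IP, an IP claimed by more than one MAC in a day, and malformed ARP, and separates the critical finding that should page from the ones that only belong on the network-intel page.

```python
"""L2 / ARP anomaly detection over arp.log-style events.
Added illustration, not Beacon Butty's code. Field names are an assumption."""
import csv
import io
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"           # constructed LAN gateway address
GATEWAY_MAC = "aa:bb:cc:00:00:01"    # known-good router MAC (as the asset inventory would hold)

# Constructed sample. Row 3 is a rogue host answering for the gateway IP;
# rows 4 and 5 show 192.168.1.50 claimed by two MACs; row 6 is a malformed packet.
_ROWS = [
    ("ts", "operation", "src_mac", "src_ip", "dst_mac", "dst_ip"),
    ("1700000000.1", "reply", "aa:bb:cc:00:00:01", "192.168.1.1", "11:22:33:44:55:66", "192.168.1.50"),
    ("1700000010.2", "request", "11:22:33:44:55:66", "192.168.1.50", "ff:ff:ff:ff:ff:ff", "192.168.1.1"),
    ("1700000020.3", "reply", "de:ad:be:ef:00:99", "192.168.1.1", "11:22:33:44:55:66", "192.168.1.50"),
    ("1700000030.4", "reply", "11:22:33:44:55:66", "192.168.1.50", "aa:bb:cc:00:00:01", "192.168.1.1"),
    ("1700000040.5", "reply", "77:88:99:aa:bb:cc", "192.168.1.50", "aa:bb:cc:00:00:01", "192.168.1.1"),
    ("1700000050.6", "bad_arp", "77:88:99:aa:bb:cc", "0.0.0.0", "00:00:00:00:00:00", "192.168.1.1"),
]
SAMPLE_ARP_LOG = "\n".join("\t".join(r) for r in _ROWS) + "\n"


def parse_arp_log(text):
    """Parse a TSV arp.log-style body into dicts, converting ts to a float."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    events = []
    for row in reader:
        row["ts"] = float(row["ts"])
        events.append(row)
    return events


def detect_arp_anomalies(events, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return findings for gateway impersonation, per-day MAC change and malformed ARP."""
    findings = []
    claims = defaultdict(lambda: defaultdict(set))   # day -> ip -> {macs that claimed it}
    for ev in events:
        if ev["operation"] == "bad_arp":
            findings.append({"type": "malformed_arp", "severity": "medium",
                             "subject": ev["src_mac"], "ts": ev["ts"]})
            continue
        if ev["operation"] != "reply":
            continue                                  # only replies bind an IP to a MAC
        ip, mac = ev["src_ip"], ev["src_mac"].lower()
        if ip == gateway_ip and mac != gateway_mac.lower():
            findings.append({"type": "gateway_impersonation", "severity": "critical",
                             "subject": mac, "ts": ev["ts"]})
        claims[int(ev["ts"] // 86400)][ip].add(mac)
    for day, by_ip in claims.items():
        for ip, macs in by_ip.items():
            if ip != gateway_ip and len(macs) > 1:    # the gateway case is already reported above
                findings.append({"type": "mac_change", "severity": "high",
                                 "subject": ip, "macs": sorted(macs), "day": day})
    return findings


def critical_findings(findings):
    """The subset that pages immediately; everything else goes to the network-intel page."""
    return [f for f in findings if f["severity"] == "critical"]


if __name__ == "__main__":
    for f in detect_arp_anomalies(parse_arp_log(SAMPLE_ARP_LOG)):
        print(f)
```

The per-day bucket is what makes the MAC-change check tolerant of ordinary DHCP churn: a device that legitimately changes address is not a finding, but two MACs claiming the same address inside the same day is.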

Inside Beacon Butty

Real-time visibility across every layer — from operations and bandwidth dashboards to per-detector deep-dives.

A Six-Layer Detection Pipeline

Best-in-class open source components, orchestrated into a single appliance.

1. Passive Packet Capture (Zeek 8)

Zeek monitors all LAN traffic on the internal interface — passively, with zero impact on throughput. Every TCP / UDP connection is logged with full metadata: timestamps, bytes transferred, connection state, duration, TLS / JA4 handshake details and ARP events.

2. Multi-Cadence Beacon Engine (RITA v5 + correlator)

Hourly, RITA scores every source / destination pair on periodicity, jitter, consistent byte size and duration. A separate cross-DB correlator walks 14 days at a time to surface slow-cadence pairs RITA's sleep-cycle window misses. Strobes and threat-intel hits are flagged independently.

3. Signature-Based IDS Overlay (Suricata IDS)

Suricata runs concurrently with ~50,000 community and Emerging Threats signatures against live traffic. STREAM and QUIC infrastructure noise is filtered automatically. Alerts are correlated back to the asset inventory via MAC and IP.

4. High-Performance Storage (ClickHouse · log2ram)

A columnar time-series database on NVMe SSD stores beacon scores, connection records, IDS alerts, JA4 fingerprints and host metrics. Sub-millisecond queries across weeks of data; live logs land on a RAM-backed tier to extend SSD lifespan.

5. Web Dashboard (Flask · Chart.js)

A Flask web application served over HTTPS provides real-time visibility across every detection layer. Eleven purpose-built pages cover beacons, slow-cadence hunting, IDS, assets, false positives, network intel, health, backup and hardware telemetry.

6. Gated Alerting & Daily Digest (Alert Gate · Slack)

Every finding passes the alert gate — sole-LAN-talker AND non-hyperscaler — before it pages Slack via AWS Lambda. Demoted candidates stay on the dashboards for hunting. A daily 08:00 UTC digest rolls up slow-cadence hunt candidates, top scorers, anomalies and capacity headlines.
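
The Multi-Cadence Beacon Scoring card and pipeline step 2 both describe scoring a source / destination pair on interval regularity and payload-size consistency, and running that scoring over two windows. The Python below is an added illustration of that idea, not RITA's algorithm and not Beacon Butty's code: it uses a plain MAD-over-median dispersion measure rather than RITA's own formula, and the three constructed traffic patterns (a 60-second beacon, a 6-hour beacon, ordinary browsing) stand in for conn.log rows. It shows why a 1-hour window cannot even score the 6-hour check-in, while a 14-day window scores it as perfectly regular.

```python
"""Simplified multi-cadence beacon scoring over Zeek conn.log-style records.
Added illustration: not RITA's algorithm. Regular intervals and consistent
payload sizes score towards 1.0; irregular traffic scores towards 0.0."""
from collections import defaultdict
from statistics import median

HOUR = 3600
DAY = 24 * HOUR


def make_sample():
    """Constructed rows (ts_seconds, src_ip, dst_ip, orig_bytes) standing in for conn.log."""
    rows = []
    t = 0.0                        # fast beacon: ~60 s cadence with small jitter
    for i in range(60):
        rows.append((t, "10.0.0.5", "203.0.113.10", 300 + i % 3))
        t += 60 + (i % 5) - 2      # intervals of 58..62 s
    for i in range(56):            # slow beacon: 6 h cadence over 14 days, fixed 512 bytes
        rows.append((i * 6 * HOUR + (i % 7) * 30, "10.0.0.7", "198.51.100.20", 512))
    t = 0.0                        # ordinary browsing: irregular gaps and sizes
    gaps = [7, 400, 30, 850, 120, 600]
    sizes = [250, 18000, 900, 4000, 12000, 600]
    for i in range(60):
        rows.append((t, "10.0.0.9", "192.0.2.30", sizes[i % 6]))
        t += gaps[i % 6]
    return rows


def dispersion_score(values):
    """1.0 = perfectly regular; 0.0 = median absolute deviation at least as large as the median."""
    med = median(values)
    if med <= 0:
        return 0.0
    mad = median([abs(v - med) for v in values])
    return max(0.0, 1.0 - mad / med)


def score_pairs(rows, window_seconds, min_connections=4):
    """Score each (src, dst) pair using only the connections inside [0, window_seconds)."""
    pairs = defaultdict(list)
    for ts, src, dst, nbytes in rows:
        if ts < window_seconds:
            pairs[(src, dst)].append((ts, nbytes))
    scores = {}
    for key, conns in pairs.items():
        if len(conns) < min_connections:
            continue               # too few check-ins inside this window to judge cadence
        conns.sort()
        intervals = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        sizes = [n for _, n in conns]
        scores[key] = round((dispersion_score(intervals) + dispersion_score(sizes)) / 2, 3)
    return scores


if __name__ == "__main__":
    rows = make_sample()
    for name, window in (("hourly window", HOUR), ("14-day window", 14 * DAY)):
        print(name)
        for (src, dst), s in sorted(score_pairs(rows, window).items()):
            print(f"  {src} -> {dst}: {s}")
```

The hourly pass sees a single connection for the 6-hour pair and skips it, which is exactly the gap the slow-cadence correlator exists to close; the same scoring function, given 14 days of rows, returns 1.0 for it.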

What Beacon Butty Catches

Twelve categories of threat, detected continuously — 24 hours a day, 7 days a week.

Periodic C2 Beacons
Statistical jitter and periodicity scoring catches malware check-ins regardless of obfuscation or encryption.
Long-Sleep Beacons
Cross-day, low-rate periodic egress — the slow check-ins that hourly windows miss. Flagged when the cadence stays tight across many days.
Persistent Strobes
Long-lived connections to single destinations — the operational tell of an active C2 channel — flagged independently of beacon score.
Tor Exit Node Contacts
Connections to known Tor infrastructure are flagged immediately — a reliable indicator of compromise.
Threat-Intel Hits
Destinations are checked against curated threat-intelligence feeds — known bad IPs and domains.
JA4 Threat Fingerprints
TLS Client Hello fingerprints matched daily against FoxIO's ja4plus mapping — surfaces devices adopting a known threat family's TLS profile.
Exploit Attempts
Suricata rules cover active exploit signatures: CVE payloads, shellcode patterns and protocol abuse.
Gateway Impersonation
A rogue MAC announcing the gateway IP is the L2 signature of router takeover — caught from Zeek's arp.log and paged immediately.
MAC Spoofing & ARP Anomalies
IPs claimed by multiple MACs in a day, malformed-ARP packets and other L2 abuse patterns surface on the network-intel page.
High-Entropy DNS Lookups
Random-looking subdomains — a common DGA and DNS-tunnelling tell — scored on second-level-domain entropy.
Excessive DNS Volume
Hosts generating unusually high DNS query volumes — a common indicator of C2 location attempts.
New & Rogue Devices
A new MAC on the LAN triggers an immediate notification the moment it appears (randomised, locally-administered (LAA) MACs are gated).
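
The High-Entropy DNS Lookups and Excessive DNS Volume items above describe two DNS-side checks. The Python below is an added illustration of both, not Beacon Butty's code: it scores the registrable (second-level) label of each query by Shannon entropy and counts queries per host. The tiny multi-label suffix list, the thresholds and the sample dns.log-style rows are assumptions constructed for the example; a real build would use the public suffix list.

```python
"""DNS entropy and volume profiling over dns.log-style rows.
Added illustration, not Beacon Butty's code. Flags second-level labels whose
Shannon entropy looks machine-generated and hosts with outsized query volume."""
import math
from collections import Counter

# Assumed, deliberately tiny multi-label public-suffix list for the example.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def shannon_entropy(label):
    """Bits of entropy per character of the label (0.0 for an empty label)."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(query):
    """Return the registrable label: 'example' for 'www.example.co.uk'."""
    labels = query.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def make_sample():
    """Constructed (src_ip, query) rows standing in for Zeek's dns.log."""
    rows = [("10.0.0.5", "www.google.com"), ("10.0.0.5", "somebusinessname.co.uk"),
            ("10.0.0.5", "example.com"), ("10.0.0.7", "bbc.co.uk"), ("10.0.0.7", "example.net")]
    # One host cycling through random-looking registrable labels, DGA-style
    rows += [("10.0.0.9", "q7x2kd9z1m4pa5b8.net")] * 20
    rows += [("10.0.0.9", "zk3w9r1b7yq2n0vd.com")] * 20
    return rows


def analyse_dns(rows, entropy_threshold=3.5, min_length=10, volume_threshold=30):
    """Return distinct high-entropy (src, label, bits) hits and hosts above the volume threshold."""
    high_entropy = set()
    per_host = Counter()
    for src, query in rows:
        per_host[src] += 1
        sld = second_level_label(query)
        bits = round(shannon_entropy(sld), 3)
        # Short labels are skipped: a few characters cannot carry much entropy either way
        if len(sld) >= min_length and bits >= entropy_threshold:
            high_entropy.add((src, sld, bits))
    high_volume = sorted(host for host, n in per_host.items() if n > volume_threshold)
    return {"high_entropy": sorted(high_entropy), "high_volume": high_volume,
            "per_host": dict(per_host)}


if __name__ == "__main__":
    report = analyse_dns(make_sample())
    for src, label, bits in report["high_entropy"]:
        print(f"high-entropy label from {src}: {label} ({bits} bits)")
    print("high-volume hosts:", report["high_volume"])
```

The length gate matters as much as the threshold: a long but pronounceable business name scores well under 3.5 bits, while a sixteen-character label with no repeated characters scores exactly 4.0.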
Beyond Detection

A Self-Sufficient Appliance

Detection is only half the job. Beacon Butty also gives you the tools to investigate what it finds — and watches itself as carefully as it watches your network.

Continuous Health Monitoring
Every dependent service — Zeek, Suricata, ClickHouse, dnsmasq, log2ram, certbot — checked on a timer. Failures auto-page Slack with diagnostic context.
Hardware Telemetry
CPU temperature, fan speeds, memory, disk and uptime tracked by the bb-watchdog feed. A front-panel OLED shows live status; tiered cooling with two independent fans keeps the appliance silent under load.
Domain Activity Lookup
Type a domain to scan the last 6 hours of LAN→WAN access from Zeek's ssl/dns logs, bucketed by minute. Read-only investigation — answer "did anything on my network just touch X?" in seconds.
On-Demand PCAP Capture
Watch up to three suspect domains and Beacon Butty captures matching packets to NVMe — a rolling 2-hour ring per domain plus durable snapshots. Forensic-grade evidence without redeploying tooling.
Backup & Recovery
Three-tier backup — config snapshot, ClickHouse export, full-system clone to USB SSD. Documented restore procedure ships with every appliance.
Encrypted Remote Access
Optional Tailscale enrolment provides Mustard Research consultants with secure remote diagnostics — no inbound port exposure on your network.

Gated, Prioritised Alerting

Each alert type can be enabled, disabled or suppression-windowed independently — so you decide what wakes you up.

The Alert Gate

Every detection passes one final filter before it pages Slack: it must be from a single LAN device talking to a non-hyperscaler destination. Findings reaching CDN or major-cloud ASNs, or destinations that several devices on your LAN already share, are demoted to the dashboards as hunting candidates rather than waking you up. The accountability table on the Health page shows, per detector, how many findings fired and how many were gated — so the filter is auditable, not a black box.
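
As an added illustration of the gate just described (not Beacon Butty's own code), the Python below applies the sole-LAN-talker AND non-hyperscaler rule to a handful of detector findings and builds the per-detector fired / gated counts the accountability table shows. The ASN set is a short illustrative subset, and the connection rows, findings and documentation-range ASNs are constructed for the example.

```python
"""The alert gate: sole-LAN-talker AND non-hyperscaler, plus an accountability table.
Added illustration, not Beacon Butty's code."""
from collections import Counter, defaultdict

# Illustrative subset only: Cloudflare, Amazon, Google, Microsoft. A real gate
# would use a maintained CDN / hyperscaler ASN set.
HYPERSCALER_ASNS = {13335, 16509, 15169, 8075}

# Constructed recent LAN->WAN connections (src_ip, dst_ip), used to measure sharing
SAMPLE_CONNS = [
    ("10.0.0.5", "203.0.113.10"),
    ("10.0.0.6", "192.0.2.1"), ("10.0.0.7", "192.0.2.1"), ("10.0.0.8", "192.0.2.1"),
    ("10.0.0.7", "198.51.100.7"),
    ("10.0.0.9", "198.51.100.20"),
]

# Constructed detector output; dst_asn uses RFC 5398 documentation ASNs except the CDN case
SAMPLE_FINDINGS = [
    {"detector": "beacon", "src": "10.0.0.5", "dst": "203.0.113.10", "dst_asn": 64496, "score": 1.0},
    {"detector": "beacon", "src": "10.0.0.6", "dst": "192.0.2.1", "dst_asn": 64497, "score": 0.97},
    {"detector": "strobe", "src": "10.0.0.7", "dst": "198.51.100.7", "dst_asn": 13335, "score": None},
    {"detector": "suricata_p1", "src": "10.0.0.9", "dst": "198.51.100.20", "dst_asn": 64498, "score": None},
]


def build_destination_sharing(conns):
    """Number of distinct LAN devices that talked to each destination."""
    talkers = defaultdict(set)
    for src, dst in conns:
        talkers[dst].add(src)
    return {dst: len(s) for dst, s in talkers.items()}


def gate_finding(finding, sharing, hyperscaler_asns=HYPERSCALER_ASNS):
    """Return (decision, reason). Only a sole talker to a non-hyperscaler destination pages."""
    if finding["dst_asn"] in hyperscaler_asns:
        return "demote", "hyperscaler_asn"
    if sharing.get(finding["dst"], 0) > 1:
        return "demote", "shared_destination"
    return "page", "implant_shaped"


def run_gate(findings, sharing):
    """Split findings into paged and demoted, counting decisions per detector."""
    paged, demoted = [], []
    accountability = defaultdict(Counter)
    for f in findings:
        decision, reason = gate_finding(f, sharing)
        accountability[f["detector"]][decision] += 1
        (paged if decision == "page" else demoted).append({**f, "reason": reason})
    return paged, demoted, accountability


def accountability_rows(accountability):
    """Per-detector rows for a Health-page style table: (detector, fired, paged, gated)."""
    return [(d, c["page"] + c["demote"], c["page"], c["demote"])
            for d, c in sorted(accountability.items())]


if __name__ == "__main__":
    paged, demoted, acct = run_gate(SAMPLE_FINDINGS, build_destination_sharing(SAMPLE_CONNS))
    for f in paged:
        print("PAGE  ", f["detector"], f["src"], "->", f["dst"])
    for f in demoted:
        print("DEMOTE", f["detector"], f["src"], "->", f["dst"], f["reason"])
    print(accountability_rows(acct))
```

Demoted findings keep their reason, so a hunter reading the dashboard can see whether a candidate was held back because the destination sits in a CDN or because other devices on the LAN already talk to it.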

Real-time alerts
  • High-score beacon (perfect 1.0)
  • Persistent strobe traffic
  • Threat-intel destination match
  • Tor exit node contact
  • Gateway impersonation / critical L2 anomaly
  • JA4 threat-family fingerprint match
  • LAN device triggers a P1 Suricata rule
  • Repeated Suricata P1 hits (≥5/day)
  • Service down (Zeek / ClickHouse / dnsmasq / Suricata)
  • WAN unreachable
  • Disk > 90% full
  • New device on LAN
Daily digest — 08:00 UTC
  • Slow-cadence beacon hunt candidates
  • Top beacon scorers across the LAN
  • Suricata P2 / P3 alert summary
  • New devices seen in the last 24 hours
  • High-DNS-volume hosts
  • TLS / DNS / JA4 / L2 anomaly digest
  • Suppressed-by-FP traffic recap
  • Health and capacity headline
Who It's For

Built for Small Business and Home Networks

Beacon Butty is designed for networks that matter but don't have a full security operations team behind them — small businesses, professional home offices, and anyone who handles sensitive data and wants to know if something is quietly phoning home.

It is a combined hardware and software solution. The appliance must be physically placed on your network and configured to match your specific environment — this is not software you download and install yourself.

Enterprise-grade threat detection technology, sized and priced for organisations without enterprise budgets.

How it works

  1. We scope your network
     A short discovery call to understand your setup — number of devices, internet connection, and physical access for installation.
  2. On-site installation
     A Mustard Research consultant visits to install and configure the appliance. Beacon Butty requires physical placement between your router and LAN — not something that can be done remotely.
  3. Monitoring begins
     From the moment it's live, Beacon Butty is watching. Alerts land in your Slack workspace. A daily digest arrives each morning.
  4. Ongoing support
     We handle ruleset updates, health monitoring, and are on hand if an alert needs expert interpretation. Optional encrypted remote access via Tailscale.

Ready to see what's on your network?

Get in touch to discuss your setup. We'll let you know if Beacon Butty is a good fit and talk through the installation process.