Network Security · Beacon Butty

Stop Malware —
before it calls home.

Detect silent, periodic check-ins signalling a compromised device. The threats your antivirus never sees.

24/7 Passive Monitoring
≤1hr Alert Response
0.95+ Beacon Confidence
5-in-1 Security Engines
The Problem

Your Antivirus Won't Catch This

Modern malware rarely announces itself. Instead, it installs silently, then reaches out to its operator via short, regular, encrypted messages — beacons. Once a live command channel is confirmed, attackers push further: lateral movement, data exfiltration, ransomware deployment.

Traditional defences inspect files and signatures. Beacons don't look like malware. They look like background traffic — which is exactly the point.

Ransomware Pre-staging
Operators verify access and map the network before encrypting — beacons are the first sign something is wrong.
Persistent Access Trojans
RATs check in every few minutes. Signature scanners see a normal process. Beacon analysis sees the pattern.
Stealthy Data Exfiltration
Small, consistent payloads sent at fixed intervals are invisible to volume-based anomaly detection.
Supply-chain Implants
Trusted software can be compromised. Even legitimate-looking traffic must be profiled for periodic behaviour.
The Solution

Behavioural Network Monitoring

Beacon Butty sits between your LAN and the internet, tracking and scoring every connection — without any packets being blocked or delayed. Zero impact on your network performance.

Rather than matching against known-bad signatures, it measures behaviour: connection regularity, consistent payload sizes, unusual destination profiles. These statistical patterns survive encryption and obfuscation.

Beacon Scoring
RITA v5 scores every host on periodicity, jitter, packet size consistency, and connection duration.
Intrusion Detection
Suricata IDS monitors signatures in parallel, covering exploit attempts and known malware traffic.
Threat Intelligence
Destination geo-location, ASN reputation, Tor exit node detection, and domain entropy analysis.
Asset Inventory
Automatic LAN discovery via ARP, DHCP, and Nmap — OS detection and open-port visibility across all devices.
False Positive Control
A managed registry suppresses known-benign traffic, keeping alert volumes meaningful — not noisy.
Instant Alerts
Slack notifications with configurable severity thresholds and suppression windows per alert type. Response within the hour.

Inside Beacon Butty

Real-time visibility across every layer of detection — from beacon scores to asset inventory to IDS alerts.

Main Dashboard
At-a-glance view of beacon scores, active alerts and network health across all monitored hosts.
Beacon Detection
RITA v5 scores every host-to-destination pair on periodicity, jitter, payload size and duration.
LAN Asset Inventory
Automatic device discovery via ARP, DHCP and Nmap — with OS fingerprinting and open-port visibility.
Network Intelligence
Destination geo-location, ASN reputation scoring, Tor exit node detection and domain entropy analysis.
Intrusion Detection
Suricata IDS alerts correlated to the asset inventory — CVE exploits, shellcode patterns and protocol abuse.

A Five-Layer Detection Pipeline

Best-in-class open source components, orchestrated into a single appliance.

1
Passive Packet Capture Zeek 8

Zeek monitors all LAN traffic on the internal interface — passively, with zero impact on throughput. Every TCP/UDP connection is logged with full metadata: timestamps, bytes transferred, connection state, and duration.

2
Beacon Scoring Engine RITA v5.1.1

Hourly, RITA imports Zeek connection data and runs statistical analysis per source/destination pair, scoring each on four axes: connection periodicity, inter-arrival jitter, consistent byte size, and connection duration.
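To make the scoring idea concrete, here is a toy scorer over Zeek conn.log-style records. It is an added illustration, not RITA's code or Beacon Butty's: it keeps Zeek's conn.log field names (ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes) but the weightings, the 6-connection minimum, the "full credit at 20 connections" count term and the sample traffic are assumptions made for this example. It scores three of the four axes the text lists (periodicity via inter-arrival regularity, jitter via the spread of those intervals, byte-size consistency) and maps the result onto the alert bands used further down the page.

```python
"""Toy beacon scorer over Zeek conn.log-style records (added example, not
RITA's algorithm). Field names follow Zeek's conn.log; weights, thresholds
and the sample traffic are assumptions made for this illustration."""
import statistics
from collections import defaultdict

# Constructed sample (not real capture data). Host 10.0.0.5 checks in every
# 60 s with about one second of jitter and a near-constant request size;
# host 10.0.0.9 browses irregularly.
# Columns: ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes.
SAMPLE_CONN_LOG = "\n".join(
    [f"{1700000000 + 60 * i + (i % 2)}\t10.0.0.5\t203.0.113.7\t443\t{512 + (i % 3)}"
     for i in range(20)]
    + [f"{1700000000 + t}\t10.0.0.9\t198.51.100.4\t443\t{b}"
       for t, b in [(3, 1400), (9, 220), (400, 8800), (415, 150),
                    (1790, 5000), (1800, 640), (2310, 3000), (2323, 77)]]
)


def parse_conn_log(text):
    """Yield (ts, src, dst, port, orig_bytes) from tab-separated lines,
    skipping blank lines and Zeek's '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split("\t")
        yield float(ts), src, dst, int(port), int(nbytes)


def consistency(values):
    """1.0 when every value is identical, falling towards 0 as the spread
    grows: 1 minus the coefficient of variation (stdev / mean), clamped.
    Applied to inter-arrival times this rewards periodicity and penalises
    jitter; applied to byte counts it rewards constant-size check-ins."""
    if len(values) < 2:
        return 0.0
    mean = statistics.fmean(values)
    if mean <= 0:
        return 0.0
    return max(0.0, 1.0 - statistics.pstdev(values) / mean)


def score_pairs(records, min_connections=6, full_credit_connections=20):
    """Score every (src, dst, port) pair on interval regularity, request-size
    consistency and connection count. Weights 0.5 / 0.3 / 0.2 are assumed."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in records:
        by_pair[(src, dst, port)].append((ts, nbytes))
    results = {}
    for pair, conns in by_pair.items():
        if len(conns) < min_connections:
            continue  # too few samples to call anything periodic
        conns.sort()
        intervals = [b - a for (a, _), (b, _) in zip(conns, conns[1:])]
        sizes = [n for _, n in conns]
        interval_score = consistency(intervals)
        size_score = consistency(sizes)
        count_score = min(1.0, len(conns) / full_credit_connections)
        results[pair] = {
            "score": round(0.5 * interval_score + 0.3 * size_score
                           + 0.2 * count_score, 3),
            "interval_score": round(interval_score, 3),
            "size_score": round(size_score, 3),
            "connections": len(conns),
            "median_interval_s": statistics.median(intervals),
        }
    return results


def grade(score):
    """Map a score onto the alert bands used on this page."""
    if score >= 0.95:
        return "High"
    if score >= 0.80:
        return "Medium"
    return None


if __name__ == "__main__":
    ranked = sorted(score_pairs(parse_conn_log(SAMPLE_CONN_LOG)).items(),
                    key=lambda kv: -kv[1]["score"])
    for pair, result in ranked:
        print(pair, grade(result["score"]), result)
```

On the constructed sample the 60-second host scores above 0.95 (High) and the browsing host below 0.1. The coefficient of variation is a deliberately simple stand-in for the histogram and skew statistics a production scorer uses; it shows why an implant that randomises its sleep widely, or pads each request to a different size, scores lower, and why a scorer must measure jitter rather than assume a fixed interval.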

3
High-Performance Storage ClickHouse

Beacon scores, connection records, and alert history are stored in a columnar time-series database on NVMe SSD. Columnar storage keeps queries over weeks of data fast enough for the dashboard to answer interactively, even on constrained hardware.

4
Intrusion Detection Overlay Suricata IDS

Suricata runs concurrently, applying thousands of signatures from community and commercial rulesets to live traffic. Alerts are correlated back to the asset inventory via MAC address and IP, so you always know which device triggered which rule.

5
Reporting, Alerting & Dashboard Flask · AWS Lambda · Slack API

A Flask web application provides real-time visibility across all detection layers. A daily 07:00 report summarises the top beaconing hosts. Alerts are sent to your chosen channel (Slack, email, SMS etc.) within minutes of a high-confidence detection, with configurable thresholds and suppression windows.

What Beacon Butty Catches

Six categories of threat, detected continuously — 24 hours a day, 7 days a week.

Periodic C2 Beacons
Statistical periodicity and jitter scoring catches malware check-ins whose timing and sizes stay regular, whether or not the channel is encrypted or the payload obfuscated. Deliberate random jitter lowers the score, which is why jitter is measured rather than assumed away.
Tor Exit Node Contacts
Connections to known Tor exit node IPs are flagged immediately. On a network with no sanctioned Tor use this is a strong indicator of compromise; where Tor Browser is used legitimately, the false-positive registry suppresses those known hosts.
Threat Intel Hits
Destinations are checked against curated threat intelligence feeds — known bad IPs and domains.
Exploit Attempts
Suricata rules cover active exploit signatures: CVE payloads, shellcode patterns, and protocol abuse.
Excessive DNS Queries
Hosts generating unusually high DNS query volumes, typically malware cycling through algorithmically generated domain names to locate a live C2 server.
New & Rogue Devices
A device seen on the LAN for the first time triggers a notification as soon as it appears.
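The two DNS signals listed above, query volume per host and domain entropy, can be computed from Zeek dns.log-style records in a few lines. The block below is an added example, not Beacon Butty's code: the entropy threshold, the volume threshold, the hand-rolled public-suffix list and the sample queries are all assumptions made for the illustration.

```python
"""Added example: per-host DNS query volume and domain-label entropy over
dns.log-style (id.orig_h, query) records. Not the product's code; the
thresholds, suffix list and sample queries are assumptions."""
import math
from collections import Counter, defaultdict

# Constructed records (not real data). 10.0.0.5 cycles through random-looking
# names, as a domain-generation algorithm does; 10.0.0.9 resolves ordinary hosts.
SAMPLE_DNS = (
    [("10.0.0.5", f"{name}.com") for name in
     ["xk3q9zt7bnw2m", "p0v8fjq2lrw9", "zq7mxn4tb1kc", "w9r2hv6ypl3d",
      "k4tn8bq1xzm7", "f2plr9cvq6wx", "n7xj3mkd8rzt", "b1wq5zyt9pnl"]]
    + [("10.0.0.9", q) for q in
       ["www.example.com", "mail.example.com", "api.github.com", "www.bbc.co.uk"]]
)


def shannon_entropy(s):
    """Bits per character; bounded above by log2(len(s)), so short labels
    can never look very random."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label to the left of the public suffix. Assumption: a tiny hand-rolled
    suffix list; a real deployment would use the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    two_level = {"co.uk", "ac.uk", "com.au"}
    if len(labels) >= 3 and ".".join(labels[-2:]) in two_level:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def analyse(records, entropy_threshold=3.2, volume_threshold=5):
    """Per source host: query count, how many queries carry a high-entropy
    registrable label, and two assumed flags built from those counts."""
    per_host = defaultdict(list)
    for src, qname in records:
        per_host[src].append(qname)
    report = {}
    for src, queries in per_host.items():
        high = [q for q in queries
                if shannon_entropy(registrable_label(q)) >= entropy_threshold]
        report[src] = {
            "queries": len(queries),
            "high_entropy": len(high),
            "high_volume": len(queries) >= volume_threshold,
            # DGA-like: several high-entropy names and at least half the host's queries
            "dga_like": len(high) >= 3 and len(high) >= len(queries) / 2,
        }
    return report


if __name__ == "__main__":
    for host, summary in analyse(SAMPLE_DNS).items():
        print(host, summary)
```

Two caveats a practitioner would add before trusting this in production: raw Shannon entropy is capped by label length, so a fixed threshold favours long labels and will miss short generated names (n-gram or dictionary models handle that better), and CDN and cloud hostnames contain legitimately random-looking labels, which is exactly the traffic the false-positive registry exists to suppress.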

Prioritised, Intelligent Alerting

Not every event is equally urgent. Beacon Butty grades alerts so you know what to act on immediately.

High Priority
  • Beacon score ≥ 0.95
  • Persistent strobe traffic
  • Threat intel match
  • Tor exit node contact
  • Suricata P1 rule
  • Service down (Zeek / ClickHouse / Suricata)
  • WAN unreachable
  • Disk > 90% full
Medium Priority
  • New device on LAN
  • Health check failure
  • Beacon score 0.80–0.94
  • High DNS volume host
  • Suricata P2/P3 alerts
  • Firewall policy change
  • Daily summary digest
Who It's For

Built for Small Business and Home Networks

Beacon Butty is designed for networks that matter but don't have a full security operations team behind them — small businesses, professional home offices, and anyone who handles sensitive data and wants to know if something is quietly phoning home.

It is a combined hardware and software solution. The appliance must be physically placed on your network and configured to match your specific environment — this is not software you download and install yourself.

Enterprise-grade threat detection technology, sized and priced for organisations without enterprise budgets.

How it works

  1. We scope your network
     A short discovery call to understand your setup — number of devices, internet connection, and physical access for installation.
  2. On-site installation
     A Mustard Research consultant visits to install and configure the appliance. Beacon Butty requires physical placement between your router and LAN — not something that can be done remotely.
  3. Monitoring begins
     From the moment it's live, Beacon Butty is watching. Alerts land in your Slack workspace. A daily digest arrives each morning.
  4. Ongoing support
     We handle ruleset updates and are on hand if an alert needs expert interpretation.

Ready to see what's on your network?

Get in touch to discuss your setup. We'll let you know if Beacon Butty is a good fit and talk through the installation process.