Breach Detection Service
For most companies, breach detection comes way too late. Even with millions of dollars invested in security, over-worked admins and ignored alerts do little to help.
But what if there were a simpler, more reliable intrusion detection signal than malware signatures? Wouldn’t you want to know if someone was opening ‘passwords2019.xls’ on \\SalesTeam_FS1, or brute-forcing an SSH server on your DataBase segment?
Most companies only discover that they have suffered a data breach when they are notified by a third party – often weeks or months after the initial infiltration.
The Solution: Early Breach Detection
The activereach HackWatchman™ solution is a simple but effective managed detection service designed to reveal the presence of malicious insiders on compromised networks.
Breach Detection Service Overview
An attacker, be that an individual hacker or malicious software, aims to gain a beachhead into a target network. Regardless of how they achieve that, once they have compromised one computing device, the most common next step is to identify other assets on the same local network and scan them for vulnerabilities that could be exploited or use stolen credentials to try to login as a legitimate user.
The HackWatchman™ Breach Detection Service involves locating a number of tempting-looking computer assets on the local network segments next to devices you want to protect:
- The Detector’s sole job is to mimic other assets, and raise the alarm if anyone tries to access them
- The device is securely registered with activereach’s management service (hosted in the EEA for GDPR purposes)
- The portal is configured to send real-time e-mail or SMS alerts whenever the detector is touched, with details of the suspect traffic, and where it came from
- The activereach HackWatchman™ Breach Detector Service is available as a 24x7x365 Managed Security Service

How It Works:
- activereach’s Breach Detectors are small form factor appliances, powered by USB or AC power adaptor (included), which have a 100Mbps Ethernet port and require an IP address with outbound access to DNS services through any existing security layer.
- As well as appliances, Breach Detectors are available as a virtual appliance (VMWare), and for AWS.
- Once installed onto a network segment, the Breach Detectors are configured to mimic one of dozens of computing devices.
- The devices are securely registered with a cloud service dedicated to the customer’s collection of Breach Detectors and communicate using DNS protocols, with an encrypted payload.
- Attackers who have breached your network, malicious insiders and other adversaries make themselves known by trying to access the Breach Detector.
- If any of the devices are scanned, browsed, fingerprinted, or otherwise ‘touched’ by network traffic, even within the protected network segment, the Breach Detector signals an alarm.
Would you know when it mattered? Anti-virus, IDS, and intelligence feeds generate so much data that the signal is lost. The activereach Breach Detection System lets you know when it matters.
Typical Deployment Configurations
Breach Detectors are deployed all over the world. The possible OS, service and port permutations number in the thousands. The Breach Detectors are supplied with a host of default “personalities” including several flavours of Windows, Linux, routers, switches and SCADA equipment (programmable logic controllers).
What matters, of course, is where you place the Breach Detectors. If you are a large financial organization and place a “Dell Switch” in the CEO’s office, it may get tripped over by a really clumsy attacker, but there are several spots on your networks where attackers are likely to show up. activereach can advise on optimal location of your Breach Detectors on one of your DMZs, database segments or your VOIP network, etc.

Typical deployments include the set-up of the breach detector to mimic:
- Web application servers or SQL servers in a DMZ network segment
- Endpoints of managers or executives on internal networks
- Cisco routers that seem to be connected to third parties such a banks or data centres
- Sensitive file servers in an AD domain, even SCADA systems
There is no need to purchase additional licenses e.g. to mimic a Windows device.
Decoy Personalities
Appliances can be configured to mimic other computing devices from the list:
Windows 2012/2008/2000 | Windows Sharepoint 2010 |
Windows 8/10/XP Desktop | Diskstation NAS |
VMWare ESXi server | HO iLO Server |
Joomla Server | CUPS Server |
JBOSS Server | Dell Switch |
Cisco Router | Standard Linux Server |
Linux Database Server | Linux Proxy Server |
Rockwell Automation PLC | Siemens Simatic PLC |
Custom configurations and behaviours are available at an additional charge based on complexity.
Customer Requirements
- Each appliance needs a USB port or UK AC power socket for power (5V, 2A).
- Each appliance needs a Cat5 or similar cable for Ethernet connection to switch LAN port.
- Each appliance needs an IP address from the subnet it will be installed on.
- Small form factor appliances are also available as a VMware appliance or cloud service. Call for details.
Ongoing Support
The HackWatchman™ Breach Detection service comes with our basic support service (UK working hours 9-5pm), with a number of support cases that can be requested by the customer (default is three per Breach Detector). Each case can either be a remote reconfiguration of a Breach Detector to adopt a new configuration, or assistance in understanding, diagnosing, and resolving an alarm where the customer needs additional assurance.
Enhanced support services that extend the operating hours, and provide proactive incident response, managed security integration and/or managed SOC services are separately available.
To read more about the business case for Breach Detection Services, please see our blog.