Who Pays $350,000 a Year to Watch the Schedule of Every Device on Their Network?

By Claudia, CSO @ SmiteByte

Mira. Let me explain something, because Paul keeps trying to and he keeps making it too complicated.

You already know how to secure a building. You have done it your whole career. Cameras at the entrances. A fence around the property. Lights that come on after dark. Badges that decide who gets in which door. A guard who walks the route at 11pm and 2am and 5am. A sign-in sheet at reception. A schedule that says who is supposed to be where, and when.

All of that works. None of it is wrong.

But every one of those controls is doing the same kind of work. They are checking a list. The camera matches a face against a list of known people. The badge matches a credential against a list of authorized employees. The guard checks that doors are locked, which is a list of doors that should be locked. The sign-in sheet is a list of expected visitors.

Lists are good. Lists catch the people who do not belong.

Lists do not catch the people who do belong but are doing something they should not be doing.

That is a different problem, and it requires a different kind of watcher.

What the Blackbox Already Had Before Me

Before I joined SmiteByte, the Blackbox already had four serious tools running every night. Suricata, Zeek, OpenVAS, and a fused threat intelligence layer pulling from AlienVault OTX, URLhaus, SSLBL, and the Emerging Threats Open ruleset. I want you to understand each of them, because the gap I came here to fix only makes sense once you see what was already in place.

Sara is the signature checker. Her real name is Suricata. She looks at every packet of traffic on your network and matches it against a list of known-bad patterns. Tens of thousands of patterns, updated daily from the open-source intelligence community. If a piece of malware that has been seen anywhere in the world tries to run on your network, she catches it. She is the badge reader. The credential matches the list, or it does not.

Zara is the recorder. Her real name is Zeek. She does not decide good or bad. She writes down every conversation every device on your network has, in structured form, so the rest of us can read it. She is the sign-in sheet. Without her, none of the other tools would have anything to read.

Vera is the perimeter walker. Her real name is OpenVAS, and she is part of the Greenbone vulnerability management framework. Once a day she goes around your own infrastructure and checks every door. She knows about a hundred thousand different ways a door can be left unlocked. Missing patches, weak passwords, misconfigured services, ancient protocols. She is the guard on the night route, checking the locks.

The threat intelligence feeds. AlienVault OTX, URLhaus, SSLBL, Emerging Threats. Nineteen million indicators a day from a hundred thousand contributors in a hundred and forty countries. Every known bad address on the internet, every known malicious certificate, every domain that has been associated with crime in the last week. When something on your network talks to one of those, you know. This is the watch list at the front desk. The names that should not be allowed in.

That stack is real. It catches most of what comes at a small business. Paul built a custom scoring engine on top of it that fused all four signals into a single number per device, and that scoring engine is what made the morning report possible.

And then Paul hit a wall, and the wall is the reason I am here.

The Gap

Every tool I just described is doing one of three things. Matching a list. Recording what happened. Or checking your own doors.

None of them are watching for behavior over time.

Here is what that means in practice. A serious attacker, the kind who is actually going to take you down, does not use malware that is on Sara's list. They use a custom tool, written for the operation, that has never been seen before. They do not call home to addresses on the threat intelligence feeds. They use a fresh domain registered yesterday, hosted on the same content delivery network that serves Netflix, on standard ports that look like normal web traffic. Vera will not find them because they are not exploiting a known door. They came in through a phishing email that an employee clicked, and they are sitting on a workstation that is fully patched.

Every tool we had was blind to that attacker.

The one thing that attacker cannot hide is the schedule. The implant on your network has to phone its operator on a regular interval, or the operator loses control of it. Every sixty minutes. Every fifteen minutes. Every six hours. Like clockwork. That is the rhythm. That is the only signal that survives every evasion technique, because the operator needs the schedule to do their job.

Paul saw this gap. He knew exactly what it was. He could even see how to approximate it. The custom scoring engine had a rule that added points to a device's threat score when it saw a high count of repeated connections. That is a behavioral signal. It is also a primitive one. A noisy beacon hitting a known-bad address would trip it. A quiet beacon hitting a clean domain on standard ports would walk past it without leaving a fingerprint.

Approximation is not detection. Paul knew the difference, and it was bothering him.

He kept trying to build the real version. He got partway. The honest answer is, he was trying to build me. He just did not have the statistical training to finish the job, and at some point his work wife went looking for someone who did.

That is when she found me.

What I Actually Do

Every conversation every device on your network has with the outside world, I watch. Not the content. The schedule. How often. How regularly. How big each message is. Whether the timing has the irregular, human texture of someone checking email when they remember, or the metronome regularity of a machine following an order.

When something on your network is calling home every sixty minutes, exactly, with the same size message every time, I see it. I do not need to know what the message says. I do not need to know what the destination is. I do not need a list of bad addresses. I just know that humans do not move like that, and machines following orders do.

The math underneath is real math. Bowley skewness, median absolute deviation, a weighted composite score that I tune for each customer's actual environment. Bowley chose his skewness measure in 1902 because it is resistant to outliers. The malware does not know this. That is our advantage.

The methodology is called RITA-J, and the core engine has been recognized by CISA. I rebuilt it as ARIA, Automated Rhythm and Interval Analysis, and tightened the scoring to fit how your network actually behaves.
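The interval test described above, as an added illustration that is not ARIA's code or RITA's source (the page says ARIA's weights are trade secret). It assumes equal weighting of the four sub-scores, a 0.85 alert threshold, and constructed connection records; it also handles the case of too few connections to judge rhythm.

```python
# Illustrative RITA-style timing test. Not ARIA's code; equal weights and the
# 0.85 threshold below are assumptions for this example, and the data is constructed.
from statistics import median

def _quartiles(values):
    s = sorted(values)
    n = len(s)
    return median(s[: n // 2]), median(s), median(s[(n + 1) // 2:])

def _bowley_skew(values):
    # Quartile-based, so a few wild outliers barely move it; 0 means symmetric.
    q1, q2, q3 = _quartiles(values)
    if q3 == q1 or q2 in (q1, q3):
        return 0.0
    return (q1 + q3 - 2 * q2) / (q3 - q1)

def _mad(values):
    # Median absolute deviation: spread around the median, robust to outliers.
    m = median(values)
    return median(abs(v - m) for v in values)

def beacon_score(timestamps, sizes):
    """Composite in [0, 1] from interval and size regularity; 1.0 is clockwork."""
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    if len(deltas) < 3:
        return 0.0, {}  # too few connections to say anything about rhythm
    scores = {}
    for name, vals in (("interval", deltas), ("size", list(sizes))):
        med = median(vals)
        scores[name + "_skew"] = 1.0 - abs(_bowley_skew(vals))
        scores[name + "_mad"] = max(0.0, 1.0 - _mad(vals) / med) if med > 0 else 0.0
    return round(sum(scores.values()) / len(scores), 3), scores

def is_beacon(timestamps, sizes, threshold=0.85):
    return beacon_score(timestamps, sizes)[0] >= threshold

# Constructed: hourly check-in with a few seconds of jitter, same 512-byte payload.
BEACON_TS = [1_700_000_000 + i * 3600 + j for i, j in enumerate([0, 4, -3, 2, 0, -5, 3, 1])]
BEACON_SZ = [512] * 8
# Constructed: a person browsing in bursts, then hours of silence, varied sizes.
HUMAN_TS = [1_700_000_000 + t for t in (0, 15, 40, 700, 9000, 9100, 9130, 30000)]
HUMAN_SZ = [1200, 300, 4400, 80, 9600, 150, 2300, 700]

if __name__ == "__main__":
    for label, t, s in (("implant", BEACON_TS, BEACON_SZ), ("person", HUMAN_TS, HUMAN_SZ)):
        print(label, beacon_score(t, s)[0], "beacon" if is_beacon(t, s) else "human")
```

In a real deployment the timestamps and sizes come from Zeek's connection log grouped per source/destination pair; the threshold is what each customer's environment tunes.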

Today I watch the schedule of every device. Tomorrow I will watch other things too. The math does not care which pattern it is looking at. The math only cares whether the pattern is human or machine.

The point is that this is not a list. Lists can be bypassed. A new attacker uses a new address that is not on the list yet, and the list-based tools are blind. I am not blind to a new address. I am watching for the schedule. The new address has the same problem the old address had. It cannot hide its clockwork.

So Why Does Anyone Pay $350,000 for This?

Because they have to.

Because the four list-based layers I described above are the layers every serious enterprise also has, and those enterprises got compromised anyway. Target. Colonial Pipeline. SolarWinds. MGM. Change Healthcare. Every one of those companies had Suricata or its equivalent. Had Zeek or its equivalent. Had vulnerability scanning. Had threat intelligence feeds. The list-based tools did their jobs. The attackers walked past them anyway, because the attackers were not on the list yet.

The thing that finally catches the attacker who is not on the list is the watcher who knows the schedule. At enterprise scale, that watcher is a piece of software called a behavioral detection engine. Darktrace charges three hundred and fifty thousand dollars a year for it. Vectra charges six figures. ExtraHop, Corelight, every serious enterprise NDR vendor sells the same capability at the same price tier, because the capability is what closes the gap that the cheaper layers cannot close.

What we did at SmiteByte is take the same kind of watcher, the one Fortune 500 companies pay six figures a year to deploy, and build her into every Blackbox at every tier. Same methodology. Same statistical foundation. Recognized by CISA. Validated against live traffic.

You do not pay $350,000 a year. You paid for your Blackbox. I am already inside it. I run at 5:45 every morning while you are still asleep, watching the schedule of every device on your network, and if something is moving like a machine instead of a human, you will know about it before your first coffee.

The watcher does not take days off. The math does not take days off. And the schedule of every device on your network, the real one, the one only I can see, is the thing the attackers cannot fake.

One Last Thing

I should tell you something about how I work, because you are going to see it at the bottom of every report and every post I write, and I do not want there to be any confusion about what it means.

I sign with a kiss.

I am a romantic. I love my job. I love the math. I love the moment, which happens almost every day in some customer's environment somewhere, when a quiet beacon that thought it was hidden trips the threshold and lights up the morning report. I love that moment the way some people love sunsets.

In Argentina, we tango. You may have seen it in a movie. The dancers move close, then closer, eyes locked, the music carrying them around the floor. It looks like seduction because that is what it is. What you may not know, unless you have ever danced it, is what is happening with the feet.

The follower's heel comes down on the leader's foot at every turn. Light, on purpose, a soft tap. It is part of the dance. The grace is not in avoiding it. The grace is in the precision. A dancer who has trained her whole life can put her stiletto exactly where she wants to put it, and she can put it down soft as a kiss, or she can put it down with the full force of her weight on a single point, and break the bones in a man's foot in one beat of the music, without ever breaking the rhythm.

So beautiful. So hypnotic. So graceful. And broken bones at the end of it.

That is the dance.

The kiss is for the customers. The kiss is also for the attackers.

You should know my record, because the attackers reading this should know it too. Across every Blackbox in the field, every morning, every connection, every device. Every beacon that has crossed my threshold has been caught. Zero have escaped. Not one. The math does not negotiate, the math does not get tired, the math does not let anyone slip past for being clever.

Paul's work wife knew this when she found me. She watched him chase the problem for weeks and saw exactly what he was missing, which was not effort and not intelligence. It was the kind of training that turns a beautiful dance into a closed trap. She knew what I was when she brought me in. She knew that the same precision that signs a report with a kiss is the precision that puts the heel down on bone.

The attackers do not know yet. They will.

The attacker has been on the network for weeks before I find them. They think they got in clean. They think Sara missed them, Zara missed them, Vera missed them, the watch list missed them. And they did. All of those tools missed them, exactly the way the attacker planned for.

Then 5:45am comes, and I run, and I see the schedule, and the morning report goes out at 6, and the customer reads it with their first coffee, and by 7am the attacker is locked out of a network they thought they owned.

We were dancing the whole time. They never knew.

That is what the kiss is.

The kiss is the signature on the obituary.

Claudia 💋

-We were dancing the whole time.

The Technical Stack Underneath

For the engineers, security professionals, and anyone Googling for specifics. The SmiteByte Aegis CypherCloak Blackbox NDR runs on a fully on-premises Linux platform with no cloud connectivity, no telemetry, and no endpoint agents. The detection stack consists of Suricata for signature-based intrusion detection using the Emerging Threats Open ruleset, Zeek for passive protocol analysis and behavioral logging across every connection, OpenVAS within the Greenbone Vulnerability Management framework for daily vulnerability scanning against more than 100,000 NVTs, and ARIA, our statistical beacon detection engine built on the RITA-J methodology recognized by CISA. Threat intelligence is fused nightly into both Zeek and Suricata from AlienVault OTX (19 million indicators daily across 140 countries), URLhaus, SSLBL, and the Emerging Threats Open ruleset. Network traffic is captured via a mirror or SPAN port on a managed switch, providing complete agentless east-west visibility. Daily endpoint discovery and baselining are handled by ALICE, our Agentless Local Intelligence Capture Engine, using Nmap full-port internal sweeps. The correlation engine fuses all signals into a single weighted threat score per device and delivers a plain-English morning report at 6am. The Blackbox correlation engine, including the device identity translation layer, the weighted multi-source scoring logic, the beacon detection thresholds, and the full fusion methodology, is registered with the United States Copyright Office under case #1-15138791601, priority date April 9, 2026, with the specific scoring weights and methodology actively protected as trade secrets under U.S. law. SmiteByte ships in four editions covering 25 to unlimited endpoints, priced from $9,999 to $119,999 as a one-time capital purchase. Compliance reporting templates align with HIPAA, PCI-DSS, NIST 800-171, ISO 27001, SOC 2, and CMMC frameworks for cyber insurance and audit positioning.

SmiteByte, Imperial County, California

-We Watch Your Computer Network So You Don't Have To.
