SEC536: Adversarial AI - Penetration Testing AI Systems


Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsNetwork security monitoring platforms are widely deployed in enterprise security operations centers (SOCs), yet modern command-and-control (C2) frameworks still routinely evade detection by blending into normal encrypted web traffic. In practice, many teams deploy Zeek, Suricata, and Security Onion with default configurations and lack clear empirical evidence quantifying how well those defaults perform against contemporary C2.
This research measures the effectiveness of Zeek, Suricata, and Security Onion against representative modern C2 frameworks in a controlled laboratory environment. C2 traffic is generated over standard HTTP(S) profiles and evaluated under both default and tuned monitoring configurations. Detection rate, false positive rate, and detection latency are recorded and analyzed. The outcome is evidence-based guidance for defenders who need to prioritize practical monitoring improvements and structured tuning strategies for network-level C2 detection.

















