Services Work ThreatFade About Blog Pricing Careers Client Login Start a project →
Private Beta · Security Research Product by Tinlance

ThreatFade

An evasion interception platform that detects C2 quieting, Living-off-the-Land attacks, and GNSS jamming — using behavioural z-score analysis, not just signatures.

Join the waitlist Read the research
490K+ Packets validated
14.76 Z-score confidence
3 Attack types detected
Private Beta Status

// Detection methodology

Behavioural detection.
Not just signatures.

ThreatFade analyses network behaviour over time using statistical z-score models, making it effective against evasion techniques that trivially bypass signature-based detection.

🔴

C2 Quieting Detection

Identifies command-and-control traffic that deliberately reduces beacon frequency to avoid threshold-based detectors. Validated against real Merlin QUIC C2 PCAPs.

🟡

LOTL Attack Detection

Living-off-the-Land attacks exploit legitimate system tools. ThreatFade flags anomalous usage patterns that deviate from established baselines.

🟢

GNSS Jamming Detection

Detects temporal and positional anomalies consistent with GPS/GNSS jamming events — critical for logistics, aviation, and critical infrastructure defenders.

// Validation results

Real traffic. Real results.

ThreatFade was validated against a real-world PCAP capture of Merlin QUIC C2 traffic containing 490,847 packets. The behavioural z-score analysis returned a confidence score of 14.76 — well above the threshold for high-confidence detection.

490,847
Packets analysed
14.76
Z-score confidence
Merlin
C2 framework tested
QUIC
Transport protocol
threatfade — validation run
$ threatfade validate --pcap merlin_quic_c2.pcap --verbose
Initialising ThreatFade v0.4.1-beta...
Loading PCAP: merlin_quic_c2.pcap
Packets loaded: 490,847
Running protocol dissection...
Applying QUIC header analysis...
Computing behavioural z-score model...
 
■ POSITIVE DETECTION
────────────────────────────────
Verdict: MALICIOUS — C2 Evasion
Z-Score: 14.76 (threshold: 3.0)
Technique: C2 Quieting + LOTL
Confidence: HIGH (99.2%)
 
$

ThreatFade vs traditional tools

Capability ThreatFade Signature-based IDS Manual analysis
C2 Quieting detection ❌ Misses low-freq ⚠️ Very slow
QUIC protocol analysis ❌ Encrypted blind spot ⚠️ Expert needed
LOTL attack detection ❌ Uses legit tools ⚠️ Hard to distinguish
GNSS jamming detection ❌ Not supported ❌ No tooling
Behavioural z-score model ❌ Rule-based only ❌ Manual
Zero-day evasion handling ✅ Behaviour-based ❌ Signature required ⚠️ Slow
Real traffic validation ✅ 490K+ packets ✅ Varies ⚠️ Depends

// MITRE ATT&CK® Framework

Techniques we detect

ThreatFade maps detections directly to MITRE ATT&CK techniques — the language security teams, SOCs, and investors understand.

ATT&CK ID Technique ThreatFade Detection Method Validated
T1027 Obfuscated Files or Information Entropy analysis on network payloads — Merlin QUIC z-score 14.76 detected ✅ Real PCAP
T1071 Application Layer Protocol QUIC protocol traffic fingerprinting + C2 quieting pattern detection ✅ Real PCAP
T1059 Command and Scripting Interpreter LOTL (Living-off-the-Land) behavioural baseline deviation scoring ✅ Validated
T1036 Masquerading Protocol anomaly scoring — legitimate vs. adversarial traffic patterns ✅ Validated
T1583 Acquire Infrastructure GNSS signal jamming + RF interference pattern detection ✅ Validated
T1048 Exfiltration Over Alternative Protocol Covert channel detection in encrypted QUIC streams 🔬 Beta

MITRE ATT&CK® is a registered trademark of The MITRE Corporation. Technique IDs reference attack.mitre.org.

// Pricing

Simple, transparent pricing

Start free. Scale as you detect.

Free / Open Source
$0
Forever free. Community supported.
  • CLI tool via GitHub
  • PCAP file analysis
  • Z-score detection engine
  • Community support
  • MIT licensed
View on GitHub →
Most Popular
Pro
$149/mo
For security engineers and consultants.
  • Everything in Free
  • REST API access
  • SIEM export — CEF / Splunk HEC / JSON
  • Live endpoint agent
  • Priority support
  • 10M packets / month
Join waitlist →
Enterprise
Custom
For SOCs, MSSPs, and large-scale deployments.
  • Everything in Pro
  • Unlimited packets
  • On-premise deployment
  • Custom SIEM integrations
  • SLA guarantees
  • Dedicated support
Contact us →

Pro and Enterprise pricing subject to change during beta. Join waitlist to lock in early-access rates.

Pro subscriptions processed via LemonSqueezy. Crypto payments (USDT/USDC) accepted via NOWPayments. Enterprise invoicing via Stripe or bank transfer.

Follow the research

ThreatFade is in active development. Follow the GitHub repo for updates, and check the blog for research notes on evasion detection techniques.

GitHub — LloydCoder Research blog →

// Early access

Join the ThreatFade waitlist

We are onboarding security teams and researchers one at a time during private beta. Join the waitlist to get early access and be the first to hear our research.

No spam. We email when spots open and when we publish new research.

Built by

TINLANCE.

Building AI & cybersecurity products for technical founders.

Start a project with us →
Try live demo → 📄 Read the full technical research paper →