ThreatFade: How We Detected QUIC-Based C2 Evasion at Scale
When we set out to build ThreatFade, we wanted to tackle one of the hardest problems in network security: detecting command-and-control traffic that's specifically designed to look like nothing.
QUIC-based C2 frameworks like Merlin are particularly tricky: they ride on the same protocol your browser already uses for Google searches, so port and protocol alone tell you nothing. Here's how we approached the problem and what our validation showed.
The Challenge
Modern C2 frameworks have evolved significantly. Where attackers once used obvious beaconing patterns, today's tools use encrypted QUIC channels, randomised timing, and legitimate-looking traffic volumes.
Our Approach
ThreatFade uses behavioural z-score analysis rather than signature matching: traffic features are measured against a baseline, and the z-score is how far an observation sits from the baseline mean, in standard deviations. Against our test PCAP of 490,000 packets of real Merlin QUIC C2 traffic, the detector produced a z-score of 14.76, roughly fifteen standard deviations from baseline and far above any conventional anomaly threshold (three standard deviations is the usual rule of thumb).
A margin that wide lets the alert threshold be set conservatively, which is what keeps false positives down and lets analysts act on alerts quickly. One caveat: the figure measures separation from the baseline on a known-malicious capture; how many benign QUIC flows cross the same threshold depends on how representative the baseline traffic is, which is what validation against more PCAPs has to show.
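To make the z-score idea concrete, here is an added example (not ThreatFade's code, and not the features ThreatFade uses) that scores constructed QUIC-like flows against a benign baseline. It assumes packets have already been grouped into flows by UDP 4-tuple, and it picks two simple behavioural features: the coefficient of variation of inter-arrival gaps and of payload sizes. Browsing traffic is bursty, so both spreads are large; a jittered beacon with fixed-size check-ins keeps both small, and lands many standard deviations below the benign mean. The flows, the 3-sigma threshold and the jitter model are all assumptions for illustration.

```python
"""Behavioural z-score scoring of flows against a benign baseline.

Added example, not ThreatFade's code. Flows are constructed inline
(not captured traffic) so the script runs offline.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

Z_THRESHOLD = 3.0  # assumed: flag anything more than 3 sigma from the benign mean


@dataclass
class Flow:
    label: str
    timestamps: list[float]  # packet arrival times in seconds, ascending
    sizes: list[int]         # UDP payload length per packet


def mean(xs: list[float]) -> float:
    return sum(xs) / len(xs)


def stdev(xs: list[float]) -> float:
    """Sample standard deviation (n-1 denominator)."""
    m = mean(xs)
    return math.sqrt(sum((x - m) ** 2 for x in xs) / (len(xs) - 1))


def features(flow: Flow) -> dict[str, float]:
    gaps = [b - a for a, b in zip(flow.timestamps, flow.timestamps[1:])]
    return {
        # Spread of inter-arrival gaps relative to their mean. Bursty browsing
        # (many tiny gaps, a few long idles) scores high; a beacon with
        # +/-20% jitter stays near its period and scores low.
        "gap_cv": stdev(gaps) / mean(gaps),
        # Same idea for payload sizes: fixed-size check-ins have zero spread.
        "size_cv": stdev(flow.sizes) / mean(flow.sizes),
    }


def fit_baseline(flows: list[Flow]) -> dict[str, tuple[float, float]]:
    """Per-feature (mean, stdev) over the benign flows."""
    columns: dict[str, list[float]] = {}
    for f in flows:
        for name, value in features(f).items():
            columns.setdefault(name, []).append(value)
    return {name: (mean(col), stdev(col)) for name, col in columns.items()}


def zscores(flow: Flow, base: dict[str, tuple[float, float]]) -> dict[str, float]:
    feats = features(flow)
    out = {}
    for name, (mu, sigma) in base.items():
        if sigma == 0.0:  # degenerate baseline column: any deviation is infinite
            out[name] = 0.0 if feats[name] == mu else math.inf
        else:
            out[name] = (feats[name] - mu) / sigma
    return out


def is_anomalous(flow: Flow, base: dict[str, tuple[float, float]],
                 threshold: float = Z_THRESHOLD) -> bool:
    return max(abs(z) for z in zscores(flow, base).values()) > threshold


# ---- constructed sample flows (assumed shapes, not captured traffic) ----

def bursty_flow(label, bursts, burst_len, intra_gap, idle, size_cycle):
    """Browsing-like flow: bursts of closely spaced packets separated by idles."""
    ts: list[float] = []
    start = 0.0
    for _ in range(bursts):
        ts.extend(start + i * intra_gap for i in range(burst_len))
        start = ts[-1] + idle
    sizes = [size_cycle[i % len(size_cycle)] for i in range(len(ts))]
    return Flow(label, ts, sizes)


def beacon_flow(label, period, jitter, count, size):
    """Check-in every `period` seconds with deterministic +/-jitter, fixed size."""
    ts, t = [], 0.0
    for i in range(count):
        ts.append(t)
        t += period * (1 + jitter * math.sin(i))
    return Flow(label, ts, [size] * count)


BENIGN = [
    bursty_flow("browse-1", 5, 8, 0.004, 1.5, [1250, 1250, 1250, 420, 90, 1250, 760, 130]),
    bursty_flow("browse-2", 6, 12, 0.006, 3.0, [1250, 980, 1250, 1250, 64, 1250, 310]),
    bursty_flow("browse-3", 4, 6, 0.003, 0.8, [1200, 1200, 540, 80, 1200, 1200, 260, 1200, 90]),
    bursty_flow("browse-4", 7, 10, 0.005, 2.2, [1250, 1250, 1250, 1250, 700, 120, 1250, 48]),
    bursty_flow("browse-5", 5, 15, 0.008, 1.0, [1100, 600, 1250, 1250, 1250, 240, 90, 1250, 1250, 410]),
]
BEACON = beacon_flow("beacon", period=60.0, jitter=0.2, count=40, size=96)

if __name__ == "__main__":
    base = fit_baseline(BENIGN)
    for f in BENIGN + [BEACON]:
        zs = zscores(f, base)
        cells = "  ".join(f"{k}={v:+.2f}" for k, v in zs.items())
        print(f"{f.label:>9}  {cells}  anomalous={is_anomalous(f, base)}")
```

The benign flows never trip the threshold when scored against a baseline they belong to: with sample standard deviation, no member of a set of n points can sit more than (n-1)/sqrt(n) standard deviations from the mean, which is about 1.8 for five flows. The beacon's gap spread lands several sigma below the benign mean, and its fixed payload size even further. In practice the baseline would be fitted on held-out benign traffic and the threshold tuned against it, which is the part a single known-malicious PCAP cannot tell you.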
What's Next
We're currently expanding our PCAP validation dataset and adding support for more C2 frameworks. If you're working in threat detection and want early access to ThreatFade, join our waitlist.