Beaconing

Beaconing is a technique by which malware regularly sends small amounts of data to its command and control (C2) server, indicating that it is still active and waiting for further instructions.

What is beaconing?

Beaconing is a technique used by malware in which an infected device regularly sends small signals—called “beacons”—to a command and control (C2) server. These signals let the attacker know the system is active and ready to receive further instructions. This method allows attackers to maintain covert control over compromised systems—often for months—without detection.

How beaconing appears in practice

Examples of real-world scenarios:

  • Malware connects to a specific IP or domain every 10 minutes to “check in” silently.
  • An infected company laptop regularly sends small data packets to an unknown network.
  • Network logs reveal periodic, harmless-looking requests to suspicious domains (e.g., xyz-update.com).
  • The attacker uses beaconing to identify active systems before triggering data theft or ransomware.

Beaconing is stealthy and non-destructive at first. Its purpose is to prepare the ground for a controlled, staged attack. Without proper network monitoring, it often goes unnoticed.

Beaconing vs. similar terms – What’s the difference?

  • Beaconing vs. malware
    Beaconing is a technique. Malware is the malicious software that may use it—not all malware does.
  • Beaconing vs. data exfiltration
    Beaconing is the initial signal to the attacker. Exfiltration is the active transfer of stolen data out of the company.
  • Beaconing vs. command and control (C2)
    C2 is the attacker’s infrastructure. Beaconing is how infected devices communicate with it.

Understanding these differences is key to early detection and effective defense. While other threats are more visible, beaconing is often the first subtle sign that something is wrong.

How to detect and mitigate beaconing in your company

Recommended steps:

  1. Monitor network traffic, especially DNS and HTTP(S) activity.
  2. Look for recurring small-volume requests to external IPs or domains.
  3. Use anomaly detection tools and network behavior analysis (e.g., NDR, SIEM).
  4. Keep security tools updated (antivirus, EDR, firewalls).
  5. Block access to unknown or suspicious domains via security policies.
  6. Conduct forensic analysis on devices showing suspicious behavior.
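As an added example, not part of the original article, the following Python script applies steps 1 and 2 above to constructed proxy-log lines: it groups connections per source/destination pair and flags pairs whose inter-arrival times are nearly constant and whose payloads are small. The log format, the thresholds and the sample values are assumptions made for this demonstration.

```python
# Added example (not from the original article): flag beacon-like traffic in
# proxy/firewall logs by looking for periodic, low-volume connections to one
# destination. The log format and the sample lines below are constructed.
from collections import defaultdict
from statistics import mean, pstdev
# Constructed sample lines: "<epoch_seconds> <src_ip> <dst_host> <bytes_out>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 xyz-update.com 312
1700000600 10.0.0.5 xyz-update.com 310
1700001200 10.0.0.5 xyz-update.com 315
1700001800 10.0.0.5 xyz-update.com 311
1700000120 10.0.0.5 www.example.org 4820
1700000470 10.0.0.5 www.example.org 122000
1700001900 10.0.0.5 www.example.org 9600
1700003300 10.0.0.5 www.example.org 2500
"""

def parse_log(text):
    """Group (timestamp, bytes) events per (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        flows[(src, dst)].append((int(ts), int(size)))
    return flows

def beacon_score(events, min_events=4):
    """Return (jitter, avg_bytes) for one flow, or None if too few events.
    jitter = stdev/mean of inter-arrival gaps; near 0 means clockwork timing."""
    if len(events) < min_events:
        return None
    times = sorted(t for t, _ in events)
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg_gap = mean(gaps)
    jitter = pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf")
    return jitter, mean(size for _, size in events)

def find_beacons(text, max_jitter=0.2, max_bytes=1024):
    """Flag flows that are both regular in time and small in volume."""
    hits = []
    for (src, dst), events in parse_log(text).items():
        score = beacon_score(events)
        if score and score[0] <= max_jitter and score[1] <= max_bytes:
            hits.append((src, dst, round(score[0], 3), round(score[1])))
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Real beacons often add random jitter and vary their payload sizes, so the thresholds here are a starting point to tune against a baseline of your own traffic.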

Beaconing is often the first sign that an attacker is inside your network. The challenge is that it typically goes undetected without proactive monitoring. This isn’t a failure of antivirus software—beaconing is subtle, sometimes encrypted, and designed to blend in. That’s why specialized tools and vigilant monitoring are essential. Early detection can make the difference between stopping an attack or suffering a full-blown breach.