
RF Threat Detection: What’s New

A technical webinar recap covering Bastille’s wireless airspace security platform, ADAM analytics module, and emerging RF threat vectors facing Enterprise and Government environments.

What’s Covered

More Is Happening Than You Know

Enterprise facilities contain far more wireless activity than network diagrams reflect. Shadow IT, ICS, personal devices, and corporate-issued wearables, phones, and laptops continuously introduce wireless interfaces into controlled spaces. Without visibility into the wireless domain, significant activity goes undetected.

Three Pillars of Risk

1. Ubiquity

Wireless signals operate on RF frequencies that propagate through physical barriers and are imperceptible to humans. There are tens of billions of wireless-capable devices in the ecosystem. RF energy is a natural phenomenon that modern technology has harnessed to transmit data at the speed of light, largely ignoring physical security constraints.

2. Invisibility

Humans cannot perceive RF signals. Specialized instrumentation is required to detect and interpret activity in these bands. A real-time spectrum analyzer plots frequency, time, and power, which provides a starting point for RF visibility but is insufficient on its own for threat identification.

3. Vulnerability

Wireless-specific CVEs have grown at roughly 20x the rate of overall CVEs over the past 15 years, reflecting significant offensive research focus on wireless attack surfaces. Protocol complexity continues to increase, expanding the vulnerability surface. Defensive response has not kept pace.

Example: Cellular Hotspot Data Exfiltration

In one monitored data center, a smartphone was configured as a hotspot, and a dongle connected to a server rack established a data path through the hotspot’s cellular link, entirely bypassing all existing network security infrastructure, including firewalls, DLPs, and SIEMs. This attack requires no sophisticated tooling, only a smartphone and basic knowledge. Existing WIDS systems focus on Wi-Fi network intrusion and do not surface this threat class.

“Wireless attacks are becoming increasingly sophisticated, yet most network security products do not adequately address the associated risks.” (Gartner)

Speakers

Brett Walkenhorst

CTO at Bastille

Dr. Walkenhorst is the CTO of Bastille with over 20 years of experience in RF systems and signal processing, previously leading R&D at Lucent Bell Labs, GTRI, NSI-MI Technologies, Silvus Technologies, and Raytheon. He has authored over 70 publications, is a senior member of IEEE, and has served as Chair of the Atlanta Chapter of the IEEE Communications Society.

Rahul Nagraj

Director of Engineering at Bastille

Rahul leads engineering for Bastille’s ADAM (Airspace Defense Analytics Module), the company’s core analytics layer for RF threat detection across Enterprise and Government environments. He architected and implemented Bastille’s real-time production streaming pipeline, from raw RF data ingestion through localization result publishing, along with the backend APIs, deployment and upgrade distribution systems, and CI/testing infrastructure.

The Bastille Platform

Bastille is a Wireless Airspace Security (WAS) solution — Gartner’s term for this category. The platform deploys passive software-defined radio (SDR) sensors in a 2D grid across a floor plan, sweeping the electromagnetic spectrum and detecting packets from standard protocols.

Supported Protocols

  • Cellular (LTE)
  • Wi-Fi
  • Bluetooth Classic
  • Bluetooth Low Energy (BLE)
  • ZigBee and other IoT protocols

Sensors demodulate and decode packet headers, extracting metadata transmitted in the clear. Data from multiple sensors is combined to localize transmissions spatially, placing device icons on a floor plan in real time. The DVR UI allows operators to view real-time device positions, filter by context, pause, rewind, and replay activity over any time window.

Sensor Specifications

  • Fully passive — no wireless transmissions of any kind
  • FCC certified passive
  • PoE+ powered — single cable for power and data backhaul
  • Plenum-rated for ceiling installation
  • No endpoint agent software required
  • Graceful degradation if a sensor goes offline

ADAM: Airspace Defense Analytics Module

System Architecture

Data flows through the pipeline with volume decreasing and information enrichment increasing at each stage.

  1. Sensors — passive RF capture across the floor plan
  2. Concentrator — aggregates sensor data; applies patented localization algorithms to determine real-time transmission locations
  3. Fusion Center — receives data from all concentrators; applies ML to determine whether transmissions originate inside or outside the monitored space; handles enrichments including user tags and filters; serves the DVR UI
  4. ADAM Module — advanced analytics using neural networks, AI/ML classifiers, and autoencoders; generates device classifications, behavior detection, and threat alerts

ADAM Use Cases

Meta Ray-Ban Smart Glasses Detection

Meta Ray-Ban glasses are commodity devices (~$300) with a camera, always-on microphone, Wi-Fi, and BLE. They can capture audio and video surreptitiously. Aftermarket modifications (~$100) disable the recording indicator LED. The U.S. Air Force has banned these devices from facilities due to security concerns.

ADAM detects Meta glasses passively by analyzing BLE and Wi-Fi transmissions using ML inference. Both Gen 1 and Gen 2 variants are detectable. Detection output includes device MAC address, floor plan location, protocol detected, confidence score, and a generated alert card.

Device Classification

Beyond MAC address identification, ADAM classifies the type of device present using ML inference. Classification enables risk calibration — an audio listening device in a secure conference room represents a materially higher risk than a printer in a common area.

Supported device classes include mobile phones, computers, wearables, audio/listening devices, video devices, printers, network infrastructure, and input peripherals. ADAM surfaces device class, manufacturer, and additional metadata alongside location and RF details.

Behavior Detection

ADAM classifies what a device is actively doing, not just that it is present. Detected behaviors include passive/idle transmission, active conference calls, file transfer and upload, and audio streaming.

An activity timeline provides a historical record of device behavior. Example: a mobile device in a conference room was detected in an active conference call while simultaneously performing a 5-minute file upload — a potential data exfiltration event surfaced for operator adjudication.

Hotspot Detection

Corporate firewalls, SIEMs, and DLPs are blind to traffic traversing cellular hotspots. A single smartphone with hotspot enabled creates a shadow network that bypasses all corporate network security infrastructure.

ADAM detects hotspot presence and location, connected clients and their locations, and the upstream network identity of the hotspot device — providing investigators with the full network chain for adjudication. Alerts are elevated when clients are actively connected, helping distinguish inadvertent activation from deliberate shadow network use.

Q&A Summary

Device Authorization

Bastille surfaces all transmitting devices. Operators apply tags, filters, and threat policy rules to mark known or authorized devices by MAC address or identifier, allowing focus on unknown or unauthorized devices.

Continuous Monitoring Requirements

Continuous screen monitoring is not required. Bastille integrates with SOC systems and SIEMs via webhook using a JSON format. Additional context — time of day, transmission frequency, last seen, last behavior — supports efficient investigation through alerts rather than active monitoring.
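
As an added illustration (not Bastille code, and not from the webinar), the Python below shows how a SOC-side webhook receiver could apply the authorization tags and the hotspot alert elevation described above. The JSON field names (type, mac, clients, last_behavior), the severity labels, and the sample MAC addresses are assumptions; the page does not give the webhook schema.

```python
import json

# Constructed allowlist standing in for operator tags on authorized devices.
AUTHORIZED_MACS = {"02:00:00:aa:bb:01"}

def normalize_mac(mac):
    """Lower-case and use ':' separators so tag lookups are consistent."""
    return mac.strip().lower().replace("-", ":")

def triage(raw_body, authorized=AUTHORIZED_MACS):
    """Map one webhook body (hypothetical schema) to (severity, reasons)."""
    try:
        alert = json.loads(raw_body)
        mac = normalize_mac(alert["mac"])
    except (ValueError, KeyError, TypeError, AttributeError):
        # Never drop unparseable alerts silently; route them for review.
        return "review", ["malformed alert body"]

    reasons = []
    known = mac in authorized
    if not known:
        reasons.append("device not tagged as authorized")

    if alert.get("type") == "hotspot":
        clients = alert.get("clients") or []
        if clients:
            # Connected clients suggest deliberate shadow-network use.
            reasons.append(f"hotspot with {len(clients)} connected client(s)")
            return "high", reasons
        reasons.append("hotspot active, no clients connected")
        return "medium", reasons

    if alert.get("last_behavior") == "file_upload" and not known:
        reasons.append("file upload from untagged device")
        return "high", reasons

    return ("info" if known else "medium"), reasons

# Constructed sample alerts (not real Bastille output).
SAMPLES = [
    '{"type": "hotspot", "mac": "02-00-00-CC-DD-10", "clients": ["02:00:00:cc:dd:11"]}',
    '{"type": "hotspot", "mac": "02:00:00:aa:bb:01", "clients": []}',
    '{"type": "device", "mac": "02:00:00:AA:BB:01", "last_behavior": "idle"}',
    '{"type": "device", "mac": "02:00:00:ee:ff:20", "last_behavior": "file_upload"}',
    'not json',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(triage(body))
```

A hotspot is never reduced to "info" here, even on a tagged device, because the shadow network exists regardless of who owns the phone; that is a policy choice of this example.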

Payload Data

Bastille does not capture or store packet payloads, regardless of encryption status; only metadata is collected. MAC addresses may be captured, but correlation to individuals requires a separate system outside of Bastille.

ICD 705.1 RF Shielding Alternative

Continuous passive monitoring can serve as a cost-effective mitigation alternative or supplement to full RF shielding. By actively detecting and enabling interdiction of introduced threats, Bastille provides an active detection layer that passive shielding alone does not. This approach is gaining traction with government customers facing prohibitive shielding retrofit costs.

Indoor vs. Outdoor Deployment

Outdoor sensor variants are available for perimeter and parking facility coverage. Most deployments are indoors, but outdoor monitoring is fully supported.

No Agent Software Required

No endpoint agents, VM software, or cooperation from monitored devices is required. Bastille operates entirely outside the monitored network, passively listening to all transmissions.

RF Emissions

Bastille sensors are purely passive and emit no RF signals of any kind. All data is transmitted only over the wired PoE+ backhaul cable. Sensors are FCC certified passive and have been tested by certification labs to confirm zero wireless transmission.
