Why Red Teams Need Dedicated Drop Hardware (and What We Built)
MAY 2, 2026 - Written by Yves Soete
Blacksight LLC — see the hardware at red.blacksight.io
Physical red team engagements still rely on Raspberry Pis, repurposed laptops, and manual workflows held together with SSH tunnels and prayer. We built two purpose-built devices — Blacksight Phantom and Blacksight Scout — to replace that entire stack with hardware that phones home over 4G, encrypts everything end-to-end, and self-destructs on command.
If you have done any physical red team work, you know the drill. You show up at the target site with a backpack full of gear — a Raspberry Pi with a cellular hat, a WiFi adapter, maybe a small NUC, a power bank, cables, and a USB drive with your tools. You spend 15 minutes setting up, plugging things in, hoping the SSH reverse tunnel holds, and then you walk away wondering if the SD card will corrupt before you get back to the hotel.
The problem with improvised drop boxes
Raspberry Pis were never designed for offensive operations. They are education boards repurposed into drop boxes by operators who had no better option. The typical setup has real problems:
Reliability.
SD cards corrupt. Power interruptions kill running processes. WiFi dongles overheat. A Pi that worked perfectly in the lab fails silently at the target site, and you do not know until the next day when your reverse shell stops responding.
Connectivity.
Most operators use SSH reverse tunnels to a VPS, which means your engagement data — credentials, hashes, PCAPs — transits a cloud server you rented on your personal credit card. If that VPS is compromised or subpoenaed, the engagement data is exposed.
OPSEC.
There is no kill switch. There is no self-destruct. If the device is discovered, whoever finds it has access to everything on the SD card — your tools, your scripts, your captured data, and possibly your SSH keys.
Setup time.
Every engagement starts with re-imaging, re-configuring, testing tunnels, and hoping the cellular modem connects. This is unbillable time that adds up across dozens of engagements per year.
What purpose-built means
We built two devices that solve every problem listed above. Both are manufactured by Azulle (same vendor as our IDS hardware line) with Intel processors, passive cooling, internal or USB 4G cellular, and industrial-grade storage.
Blacksight Phantom ($1,299) is the full offensive platform. Five attack modes — Tap (NAC bypass with transparent 802.1X pass-through), Venom (Responder, LLMNR/NBT-NS poisoning, NTLM relay, rogue DHCP), Siren (evil twin WiFi, captive portal, WPA handshake capture), Fang (Bluetooth/BLE relay, spoofing, GATT fuzzing), and Scope (passive recon, full PCAP, asset discovery). All five modes can run simultaneously. Toggle them from the web panel or the cloud dashboard.
Blacksight Scout ($499) is the recon stick. WiFi and Bluetooth enumeration, client tracking, probe request capture. Plug it into power, add a USB 4G dongle, and walk away. Every network, client, and probe request in range streams to the dashboard.
Both devices phone home over 4G cellular — never through the target network. Both encrypt all data locally before transmission. Both support remote kill switch and self-destruct.
Zero-knowledge relay architecture
The biggest architectural decision we made was the relay. Instead of SSH tunnels to a VPS, every device connects to relay.blacksight.io over an encrypted WebSocket. The relay matches devices to operators by device code and forwards encrypted blobs in both directions. The relay cannot decrypt anything. It has no database, no disk writes, no logging of payload content. Connection state is tracked in memory and lost on restart.
This means that even if Blacksight is compromised — even if someone gains root on the relay server — they get a stream of encrypted binary blobs they cannot read. Your engagement data is private by architecture, not by policy.
Operators can also choose to keep data entirely on the device and retrieve it physically. The relay is optional.
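What "the relay cannot decrypt anything" looks like in code, as an added example that is not Blacksight's implementation: blobs are sealed on one endpoint, routed by device code through a relay that holds no key, and opened on the other. The AES-256-GCM choice, the pre-shared key, the Relay class and the device code are assumptions made for the illustration; the page does not describe its key exchange or wire format.

```javascript
// Added example: end-to-end sealed blobs routed by a relay that holds no key.
const nodeCrypto = require('node:crypto');

// Assumption: device and operator share a 32-byte key provisioned out of band.
function seal(key, deviceCode, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(Buffer.from(deviceCode));           // bind the blob to its route
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]); // nonce | tag | ciphertext
}

function open(key, deviceCode, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(deviceCode));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if tampered
}

// Hypothetical relay: pairs endpoints by device code, keeps state in memory only,
// and has no key, so all it can do with a blob is forward, drop or corrupt it.
class Relay {
  constructor() { this.operators = new Map(); }
  attachOperator(deviceCode, onBlob) { this.operators.set(deviceCode, onBlob); }
  fromDevice(deviceCode, blob) {
    const deliver = this.operators.get(deviceCode);
    if (!deliver) return false;                // no paired operator: drop
    deliver(blob);
    return true;
  }
}

function demo() {
  const key = nodeCrypto.randomBytes(32);
  const code = 'DEV-0000-EXAMPLE';             // constructed device code
  const record = Buffer.from('constructed engagement record');
  const relay = new Relay();
  const seen = [];                             // everything the relay's host handled
  let received = null, tamperRejected = false;
  relay.attachOperator(code, (blob) => { seen.push(blob); received = open(key, code, blob); });
  const routed = relay.fromDevice(code, seal(key, code, record));
  const unpaired = relay.fromDevice('DEV-UNKNOWN', seal(key, code, record));
  const bad = Buffer.from(seen[0]); bad[bad.length - 1] ^= 1; // one bit flipped in transit
  try { open(key, code, bad); } catch (e) { tamperRejected = true; }
  return { routed, unpaired, received: received.toString(),
           leaked: seen[0].includes(record), tamperRejected };
}
```

In this sketch the relay's host still observes the device code, blob sizes and timing; only the payload is opaque to it.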
Kill switch and self-destruct
Every device supports two emergency commands sent via the relay:
Kill switch immediately stops all active attacks. One command from the dashboard or Connect app, instant effect. The device goes silent on the target network within seconds.
Self-destruct cryptographically erases all loot, encryption keys, and logs. The device resets to a clean factory image. It can be triggered remotely via the relay or locally via a physical button combination on the device. After self-destruct, even physical forensics on the device yields nothing.
No subscriptions
Both devices include free access to the dashboard, relay, and all features. No monthly subscription, no per-device fees, no feature gating. You buy the hardware and you own everything. Enterprise customers who need on-premises relay and dashboard deployment can contact us for custom pricing.
Details, specs, and ordering at red.blacksight.io.