How the relay works.

Three components, one encrypted tunnel. The relay sits in the middle but sees nothing.

Using the Relay is optional. The device can store all findings and data locally, or you can use our relay for remote capturing and control.

Your Device

Phantom or Scout at target

  • Encrypts all data locally
  • Connects over 4G or WiFi
  • Holds encryption keys

(Link between device and relay: ENCRYPTED)

Blacksight Relay

relay.blacksight.io

  • Cannot decrypt data
  • No persistent storage
  • Forwards opaque blobs

(Link between relay and you: ENCRYPTED)

You

Blacksight Connect or Dashboard

  • Decrypts data locally
  • Sends commands to device
  • Holds encryption keys

Zero-Knowledge Architecture

Your device. Your data.
We can't see it.

Every Blacksight Red device can optionally communicate through our relay infrastructure using end-to-end encryption. The relay forwards encrypted blobs between your device and your locally installed client, which sits outside the drop site -- it never sees the plaintext. Even if the Blacksight Relay is compromised, your engagement data stays private.

The relay is entirely optional. You can also choose to store all findings on the device itself -- no 4G or WiFi connection needed. Come back after a few days, connect directly to the device, and download all captured data. Whether you use the relay or retrieve the data physically, neither we nor anybody else can ever see the plaintext data.

Two ways to connect.

Use the web dashboard for monitoring and commands, or Blacksight Connect for full tunnel access.

Web Dashboard

Available now

Browser-based access via red.blacksight.io. Monitor device status, view captured loot, manage engagements, and send commands -- all from the web dashboard. No installation required.

  • Fleet overview -- all devices at a glance
  • Real-time device status (online/offline)
  • Loot viewer (creds, hashes, handshakes)
  • Engagement management
  • Mode toggles and kill switch
  • Team management and access control

Blacksight Connect

Available now

Desktop application for direct encrypted tunnels to your devices. SSH into a Phantom remotely, forward local ports, transfer files, and stream PCAPs -- all routed through the relay with full E2E encryption.

  • Direct SSH tunnel to device
  • Local port forwarding
  • Secure file transfer (SCP/SFTP)
  • Live PCAP streaming
  • Interactive shell access
  • Works on macOS, Linux, and Windows

What flows where.

A detailed breakdown of every data path and what each component can see.

Device to Relay

The device opens a persistent WebSocket (WSS) connection to relay.blacksight.io over its 4G cellular connection. All payloads are encrypted on the device before transmission. The relay authenticates the device by its unique device code but cannot read any payload content.

  • Transport: WSS (TLS 1.3)
  • Payload: AES-256-GCM
  • Network: 4G / WiFi

What the relay sees

The relay knows which device code is connected and which client is requesting access to it. It matches them and forwards binary blobs in both directions. It has zero knowledge of the payload content -- no credentials, no hashes, no commands, no PCAPs. Connection state is tracked in-memory only and lost on restart. There is no database, no disk writes, and no logging of payload content.

  • Sees: device code, connection time
  • Cannot see: payload content
  • Storage: none (in-memory only)

Relay to You

Your client (dashboard or Blacksight Connect) opens its own WebSocket to the relay, authenticated via JWT issued by the dashboard. The relay matches your session to the correct device and forwards encrypted blobs to you. Decryption happens entirely on your machine -- your keys never leave your device.

  • Auth: JWT from dashboard
  • Decryption: client-side only
  • Keys: never leave your machine

Commands (kill switch, mode toggles, self-destruct)

Commands follow the same path in reverse. You send an encrypted command from the dashboard or Connect app, the relay forwards the encrypted blob to the device, and the device decrypts and executes it. The relay cannot read or modify commands in transit. Kill switch, mode changes, config pushes, and self-destruct all use this channel.

  • Kill switch: instant via relay
  • Self-destruct: encrypted command
  • Tamper-proof: relay can't modify
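The payload layer described in this section, sketched in Node.js as an added example (not Blacksight's code): an AES-256-GCM envelope sealed at one end and opened at the other, showing why a blob altered or replayed by an intermediary is rejected. The function names, the `DEV-EXAMPLE` device code, the envelope layout and the implicit message counter bound as associated data are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// Assumed envelope (not from the page): nonce(12) || tag(16) || ciphertext.
// AAD binds the device code and an implicit message counter that both ends
// track, so a blob cannot be re-addressed or replayed without failing the tag.
function aad(deviceCode, counter) {
  return Buffer.from(`${deviceCode}:${counter}`, 'utf8');
}

// Sender side: encrypt before anything reaches the WebSocket.
function sealBlob(key, deviceCode, counter, plaintext) {
  const nonce = nodeCrypto.randomBytes(12); // fresh per message, never reused with a key
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad(deviceCode, counter));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Receiver side: returns the plaintext, or null when authentication fails.
function openBlob(key, deviceCode, expectedCounter, blob) {
  if (blob.length < 28) return null; // too short to hold nonce and tag
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad(deviceCode, expectedCounter));
  d.setAuthTag(blob.subarray(12, 28));
  try {
    return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
  } catch {
    return null; // modified, re-addressed or replayed: reject, do not execute
  }
}

// Constructed sample data. The key exists on the device and the client only.
const key = nodeCrypto.randomBytes(32);
const command = Buffer.from('{"cmd":"mode","value":"passive"}');
const blob = sealBlob(key, 'DEV-EXAMPLE', 7, command);

// An intermediary that flips one bit in transit produces a blob the receiver rejects.
const tampered = Buffer.from(blob);
tampered[tampered.length - 1] ^= 0x01;

console.log(openBlob(key, 'DEV-EXAMPLE', 7, blob).toString()); // original command
console.log(openBlob(key, 'DEV-EXAMPLE', 7, tampered));        // null
console.log(openBlob(key, 'DEV-EXAMPLE', 8, blob));            // null (stale counter)
```

Authenticated encryption covers reading and modification; an intermediary can still drop or delay a blob, so the receiving side should treat a missing acknowledgement as a failed command.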

Security guarantees.

End-to-End Encryption

All data encrypted on the device before it leaves. Decrypted only on your machine. The relay, the network, and Blacksight never see plaintext.

Zero Persistent Storage

The relay has no database and writes nothing to disk. Connection state is in-memory only and lost on restart. No logs, no history.

Tamper-Proof Commands

Commands (kill switch, mode changes, self-destruct) are encrypted and authenticated. The relay cannot read, modify, or inject commands.

Keys Never Leave Your Devices

Encryption keys are generated on the device and stored on your client. They never pass through the relay or Blacksight infrastructure.

Self-Destruct

Remote self-destruct via encrypted command through the relay. Cryptographically erases all loot, keys, and logs on the device.

Independent 4G Channel

Device communicates over its own 4G cellular connection. It never touches the target network's internet. Completely separate OPSEC channel.

Frequently Asked Questions

Can Blacksight read my engagement data?

No. All payloads are encrypted on the device with AES-256-GCM before transmission. The relay forwards opaque encrypted blobs. We cannot decrypt, read, modify, or log any payload content. Even if the relay infrastructure is compromised, your data stays private.

What encryption does the relay use?

Transport layer: WebSocket Secure (WSS) over TLS 1.3. Payload layer: AES-256-GCM end-to-end encryption. Keys are generated on the device and stored on your client. They never pass through the relay.

Is the relay required?

No. The relay is optional. Devices can store all findings locally on encrypted storage. You can physically retrieve the device and download data over a direct connection. The relay is for remote access and real-time exfiltration.

Can I run the relay on my own infrastructure?

Yes. Enterprise customers can deploy the relay and dashboard on-premises for air-gapped or regulated environments. Contact us for details.

What happens if the relay goes down?

Devices continue operating and storing data locally. When the relay comes back online, the device reconnects automatically and syncs. No data is lost.

Does the relay store any data?

No. The relay has no database and writes nothing to disk. Connection state is tracked in-memory only and lost on restart. There are no logs of payload content.

Zero-knowledge by design.

Every device ships with relay access included. No extra cost, no subscriptions.