Switching to Unmonitored Networks

The subject intentionally disconnects from monitored corporate networks (such as managed Ethernet, enterprise Wi-Fi, or secure VPN tunnels) and reconnects using alternative, unmonitored connectivity options. This may include switching to a guest Wi-Fi network, tethering through a personal mobile hotspot, or leveraging an unmanaged residential or public access point.

By exiting the boundaries of controlled infrastructure, the subject avoids endpoint-level inspection, network logging, and identity-based access enforcement. This maneuver is particularly effective in environments where endpoint telemetry is only collected while connected to corporate networks or VPN channels. In such cases, activity conducted over unmonitored networks leaves no observable trace in central logging systems, severely degrading investigative visibility.

This behavior is commonly paired with additional anti-forensics techniques (such as unauthorized VPN use, encrypted transfer protocols, or private browsing) to further frustrate detection. The deliberate choice to operate from unmonitored networks signals a clear intent to conceal operational activity and evade forensic scrutiny.