
I think in this case they _are_ keeping their methods a secret; they don't say how their detection methods work. The BeyondTrust blog post doesn't mention their methods either. In this case that is probably right because knowing what they do to detect intruders would make it easier to stay invisible.



I think we might be talking about two different layers. I was misinterpreting your statement as “why won’t they share their safeguards”, but it sounds like you meant you would have preferred something more analytical in terms of the underlying compromise and detection methods.

So I was thinking “but they did share their safeguards: they’re using the features of their product that can let you do X, Y, or Z.” Which is an entirely orthogonal point.

I expect that their proprietary techniques underlying all of these capabilities are mostly derived from their insane eyeballs on Internet traffic and their ability to fingerprint and correlate devices and network traffic at scale. I agree it would be nice to hear more about that.



