it can be in two situations:
1. real hack to a network
2. blackbox pentest.

How can we discover if there is any sort of IDS on the network?