Blog
/
Network
/
July 4, 2024

A Busy Agenda: Darktrace's Detection of Qilin Ransomware as a Service Operator

This blog breaks down how Darktrace detected and analyzed Qilin, a Ransomware-as-a-Service group behind recent high-impact attacks. You’ll see how Qilin affiliates customize attacks with flexible encryption, process termination, and double-extortion techniques, as well as why its cross-platform builds in Rust and Golang make it especially evasive. Darktrace highlights three real-world cases where its AI identified likely Qilin activity across customer environments, offering insights into how behavioral detection can spot novel ransomware before disruption occurs. Readers will gain a clear view of Qilin’s toolkit, tactics, and how self-learning defense adapts to these evolving threats.
Written by
Alexandra Sentenac
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst
Default blog image
04
Jul 2024

What is Qilin Ransomware and what's its impact?

Qilin ransomware has recently dominated discussions across the cyber security landscape following its deployment in an attack on Synnovis, a UK-based medical laboratory company. The ransomware attack ultimately affected patient services at multiple National Health Service (NHS) hospitals that rely on Synnovis diagnostic and pathology services. Qilin’s origins, however, date back further to October 2022 when the group was observed seemingly posting leaked data from its first known victim on its Dedicated Leak Site (DLS) under the name Agenda[1].

The Darktrace Threat Research team investigated network artifacts related to Qilin and identified three probable cases of the ransomware across the Darktrace customer base between June 2022 and May 2024.

How Qilin Ransowmare operates as RaaS

Qilin operates as a Ransomware-as-a-Service (RaaS) that employs double extortion tactics, whereby harvested data is exfiltrated and threatened of publication on the group's DLS, which is hosted on Tor. Qilin ransomware has samples written in both the Golang and Rust programming languages, making it compilable with various operating systems, and is highly customizable.

Techniques Qilin Ransomware uses to avoid detection

When building Qilin ransomware variants to be used on their target(s), affiliates can configure settings such as:

  • Encryption modes (skip-step, percent, or speed)
  • File extensions, directories, or processes to exclude
  • Unique company IDs used as extensions on encrypted files
  • Services or processes to terminate during execution [1] [2]

Trend Micro analysts, who were the first to discover Qilin samples in August 2022, when the name "Agenda" was still used in ransom notes, found that each analyzed sample was customized for the intended victims and that "unique company IDs were used as extensions of encrypted files" [3]. This information is configurable from within the Qilin's affiliate panel's 'Targets' section, shown below.

Qilin's affiliate panel and branding

The panel's background image features the eponym Chinese legendary chimerical creature Qilin (pronounced “Ke Lin”). Despite this Chinese mythology reference, Russian language was observed being used by a Qilin operator in an underground forum post aimed at hiring affiliates and advertising their RaaS operation[2].

Qilin ransomware’s affiliate panel.
Figure 1: Qilin ransomware’s affiliate panel.

Qilin’s affiliate payment model

Qilin's RaaS program purportedly has an attractive affiliates' payment structure,

  • Affiliates earn 80% of ransom payments under USD 3 million
  • Affiliates earn 85% of ransom payments above USD 3 million [2]

Publication of stolen data and ransom payment negotiations are purportedly handled by Qilin operators. Qilin affiliates have been known to target companies located around the world and within a variety of industries, including critical sectors such as healthcare and energy.

Qilin target industries and victims

As Qilin is a RaaS operation, the choice of targets does not necessarily reflect Qilin operators' intentions, but rather that of its affiliates.  

Similarly, the tactics, techniques, procedures (TTPs) and indicators of compromise (IoC) identified by Darktrace are associated with the given affiliate deploying Qilin ransomware for their own purpose, rather than TTPs and IoCs of the Qilin group. Likewise, initial vectors of infection may vary from affiliate to affiliate.

Previous studies show that initial access to networks were gained via spear phishing emails or by leveraging exposed applications and interfaces.

Differences have been observed in terms of data exfiltration and potential C2 external endpoints, suggesting the below investigations are not all related to the same group or actor(s).

[related-resource]

Darktrace’s threat research investigation

Qlin ransomware attack breakdown

June 2022: Qilin ransomware attack exploiting VPN and SCCM servers

Key findings

  • Initial access: VPN and compromised admin account
  • Lateral movement: SCCM and VMware ESXi hosts
  • Malware observed: SystemBC, Tofsee
  • Ransom notes: Linked to Qilin naming conventions
  • Darktrace visibility: Analysts worked with customer via Ask the Expert (ATE) to expand coverage, revealing unusual scanning, rare external connections, and malware indicators tied to Qilin

Full story

Darktrace first detected an instance of Qilin ransomware back in June 2022, when an attacker was observed successfully accessing a customer’s Virtual Private Network (VPN) and compromising an administrative account, before using RDP to gain access to the customer’s Microsoft System Center Configuration Manager (SCCM) server.

From there, an attack against the customer's VMware ESXi hosts was launched. Fortunately, a reboot of their virtual machines (VM) caught the attention of the security team who further uncovered that custom profiles had been created and remote scripts executed to change root passwords on their VM hosts. Three accounts were found to have been compromised and three systems encrypted by ransomware.  

Unfortunately, Darktrace was not configured to monitor the affected subnets at the time of the attack. Despite this, the customer was able to work directly with Darktrace analysts via the Ask the Expert (ATE) service to add the subnets in question to Darktrace’s visibility, allowing it to monitor for any further unusual behavior.

Once visibility over the compromised SCCM server was established, Darktrace observed:

  • A series of unusual network scanning activities  
  • The use of Kali (a Linux distribution designed for digital forensics and penetration testing).
  • Connections to multiple rare external hosts. Many of which were using the “[.]ru” Top Level Domain (TLD).

One of the external destinations the server was attempting to connect was found to be related to SystemBC, a malware that turns infected hosts into SOCKS5 proxy bots and provides command-and-control (C2) functionality.

Additionally, the server was observed making external connections over ports 993 and 143 (typically associated with the use of the Interactive Message Access Protocol (IMAP) to multiple rare external endpoints. This was likely due to the presence of Tofsee malware on the device.

After the compromise had been contained, Darktrace identified several ransom notes following the naming convention “README-RECOVER-<extension/company_id>.txt”” on the network. This naming convention, as well as the similar “<company_id>-RECOVER-README.txt” have been referenced by open-source intelligence (OSINT) providers as associated with Qilin ransom notes[5] [6] [7].

April 2023: Manufacturing sector breach with large-scale exfiltration

Key findings

  • Initial access & movement: Extensive scanning and lateral movement via SMB, RDP, and WMI
  • Credential abuse: Use of default credentials (admin, administrator)
  • Malware/Indicators: Evidence of Cobalt Strike; suspicious WebDAV user agent and JA3 fingerprint
  • Data exfiltration: ~30 GB stolen via SSL to MEGA cloud storage
  • Darktrace analysis: Detected anomalous SMB and DCE-RPC traffic from domain controller, high-volume RDP activity, and rare external connectivity to IPs tied to command-and-control (C2). Confirmed ransom notes followed Qilin naming conventions.

Full story

The next case of Qilin ransomware observed by Darktrace took place in April 2023 on the network of a customer in the manufacturing sector in APAC. Unfortunately for the customer in this instance, Darktrace's Autonomous Response was not active on their environment and no autonomous actions were taken to contain the compromise.

Over the course of two days, Darktrace identified a wide range of malicious activity ranging from extensive initial scanning and lateral movement attempts to the writing of ransom notes that followed the aforementioned naming convention (i.e., “README-RECOVER-<extension/company_id>.txt”).

Darktrace observed two affected devices attempting to move laterally through the SMB, DCE-RPC and RDP network protocols. Default credentials (e.g., UserName, admin, administrator) were also observed in the large volumes of SMB sessions initiated by these devices. One of the target devices of these SMB connections was a domain controller, which was subsequently seen making suspicious WMI requests to multiple devices over DCE-RPC and enumerating SMB shares by binding to the ‘server service’ (srvsvc) named pipe to a high number of internal devices within a short time frame. The domain controller was further detected establishing an anomalously high number of connections to several internal devices, notably using the RDP administrative protocol via a default admin cookie.  

Repeated connections over the HTTP and SSL protocol to multiple newly observed IPs located in the 184.168.123.0/24 range were observed, indicating C2 connectivity.  WebDAV user agent and a JA3 fingerprint potentially associated with Cobalt Strike were notably observed in these connections. A few hours later, Darktrace detected additional suspicious external connections, this time to IPs associated with the MEGA cloud storage solution. Storage solutions such as MEGA are often abused by attackers to host stolen data post exfiltration. In this case, the endpoints were all rare for the network, suggesting this solution was not commonly used by legitimate users. Around 30 GB of data was exfiltrated over the SSL protocol.

Darktrace did not observe any encryption-related activity on this customer’s network, suggesting that encryption may have taken place locally or within network segments not monitored by Darktrace.

May 2024: US enterprise compromise

Key findings

  • Initial access & movement: Abuse of administrative and default credentials; lateral movement via DCE-RPC and RDP
  • Malware/Indicators: Suspicious executables (‘a157496.exe’, ‘83b87b2.exe’); abuse of RPC service LSM_API_service
  • Data exfiltration: Large amount of data exfiltrated via FTP and other channels to rare external endpoint (194.165.16[.]13)
  • C2 communications: HTTP/SSL traffic linked to Cobalt Strike, including PowerShell request for sihost64.dll
  • Darktrace analysis: Flagged unusual SMB writes, malicious file transfers, and large-scale exfiltration as highly anomalous. Confirmed widespread encryption activity targeting numerous devices and shares.

Full story

The most recent instance of Qilin observed by Darktrace took place in May 2024 and involved a customer in the US.

In this case, Darktrace initially detected affected devices using unusual administrative and default credentials. Then Darktrace observed additional Internal systems conducting abnormal activity such as:

  • Making extensive suspicious DCE-RPC requests to a range of internal locations
  • Performing network scanning
  • Making unusual internal RDP connections
  • And transferring suspicious executable files like 'a157496.exe' and '83b87b2.exe'.  

SMB writes of the file "LSM_API_service" were also observed, activity which was considered 100% unusual by Darktrace; this is an RPC service that can be abused to enumerate logged-in users and steal their tokens. Various repeated connections likely representative of C2 communications were detected via both HTTP and SSL to rare external endpoints linked in OSINT to Cobalt Strike use. During these connections, HTTP GET requests for the following URIs were observed:

/asdffHTTPS

/asdfgdf

/asdfgHTTP

/download/sihost64.dll

Notably, this included a GET request a DLL file named "sihost64.dll" from a domain controller using PowerShell.  

Over 102 GB of data may have been transferred to another previously unseen endpoint, 194.165.16[.]13, via the unencrypted File Transfer Protocol (FTP). Additionally, many non-FTP connections to the endpoint could be observed, over which more than 783 GB of data was exfiltrated. Regarding file encryption activity, a wide range of destination devices and shares were targeted.

Figure 2: Advanced Search graph displaying the total volume of data transferred over FTP to a malicious IP.

During investigations, Darktrace’s Threat Research team identified an additional customer, also based in the United States, where similar data exfiltration activity was observed in April 2024. Although no indications of ransomware encryption were detected on the network, multiple similarities were observed with the case discussed just prior. Notably, the same exfiltration IP and protocol (194.165.16[.]13 and FTP, respectively) were identified in both cases. Additional HTTP connectivity was further observed to another IP using a self-signed certificate (i.e., CN=ne[.]com,OU=key operations,O=1000,L=,ST=,C=KM) located within the same ASN (i.e., AS48721 Flyservers S.A.). Some of the URIs seen in the GET requests made to this endpoint were the same as identified in that same previous case.

Information regarding another device also making repeated connections to the same IP was described in the second event of the same Cyber AI Analyst incident. Following this C2 connectivity, network scanning was observed from a compromised domain controller, followed by additional reconnaissance and lateral movement over the DCE-RPC and SMB protocols. Darktrace again observed SMB writes of the file "LSM_API_service", as in the previous case, activity which was also considered 100% unusual for the network. These similarities suggest the same actor or affiliate may have been responsible for activity observed, even though no encryption was observed in the latter case.

Figure 3: First event of the Cyber AI Analyst investigation following the compromise activity.

According to researchers at Microsoft, some of the IoCs observed on both affected accounts are associated with Pistachio Tempest, a threat actor reportedly associated with ransomware distribution. The Microsoft threat actor naming convention uses the term "tempest" to reference criminal organizations with motivations of financial gain that are not associated with high confidence to a known non-nation state or commercial entity. While Pistachio Tempest’s TTPs have changed over time, their key elements still involve ransomware, exfiltration, and extortion. Once they've gained access to an environment, Pistachio Tempest typically utilizes additional tools to complement their use of Cobalt Strike; this includes the use of the SystemBC RAT and the SliverC2 framework, respectively. It has also been reported that Pistacho Tempest has experimented with various RaaS offerings, which recently included Qilin ransomware[4].

Conclusion

Qilin is a RaaS group that has gained notoriety recently due to high-profile attacks perpetrated by its affiliates. Despite this, the group likely includes affiliates and actors who were previously associated with other ransomware groups. These individuals bring their own modus operandi and utilize both known and novel TTPs and IoCs that differ from one attack to another.

Darktrace’s anomaly-based technology is inherently threat-agnostic, treating all RaaS variants equally regardless of the attackers’ tools and infrastructure. Deviations from a device’s ‘learned’ pattern of behavior during an attack enable Darktrace to detect and contain potentially disruptive ransomware attacks.

[related-resource]

Credit to: Alexandra Sentenac, Emma Foulger, Justin Torres, Min Kim, Signe Zaharka for their contributions.

References

[1] https://www.sentinelone.com/anthology/agenda-qilin/  

[2] https://www.group-ib.com/blog/qilin-ransomware/

[3] https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html

[4] https://www.microsoft.com/en-us/security/security-insider/pistachio-tempest

[5] https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html

[6] https://www.bleepingcomputer.com/forums/t/790240/agenda-qilin-ransomware-id-random-10-char;-recover-readmetxt-support/

[7] https://github.com/threatlabz/ransomware_notes/tree/main/qilin

Darktrace Model Detections

Internal Reconnaissance

Device / Suspicious SMB Scanning Activity

Device / Network Scan

Device / RDP Scan

Device / ICMP Address Scan

Device / Suspicious Network Scan Activity

Anomalous Connection / SMB Enumeration

Device / New or Uncommon WMI Activity

Device / Attack and Recon Tools

Lateral Movement

Device / SMB Session Brute Force (Admin)

Device / Large Number of Model Breaches from Critical Network Device

Device / Multiple Lateral Movement Model Breaches

Anomalous Connection / Unusual Admin RDP Session

Device / SMB Lateral Movement

Compliance / SMB Drive Write

Anomalous Connection / New or Uncommon Service Control

Anomalous Connection / Anomalous DRSGetNCChanges Operation

Anomalous Server Activity / Domain Controller Initiated to Client

User / New Admin Credentials on Client

C2 Communication

Anomalous Server Activity / Outgoing from Server

Anomalous Connection / Multiple Connections to New External TCP Port

Anomalous Connection / Anomalous SSL without SNI to New External

Anomalous Connection / Rare External SSL Self-Signed

Device / Increased External Connectivity

Unusual Activity / Unusual External Activity

Compromise / New or Repeated to Unusual SSL Port

Anomalous Connection / Multiple Failed Connections to Rare Endpoint

Device / Suspicious Domain

Device / Increased External Connectivity

Compromise / Sustained SSL or HTTP Increase

Compromise / Botnet C2 Behaviour

Anomalous Connection / POST to PHP on New External Host

Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

Anomalous File / EXE from Rare External Location

Exfiltration

Unusual Activity / Enhanced Unusual External Data Transfer

Anomalous Connection / Data Sent to Rare Domain

Unusual Activity / Unusual External Data Transfer

Anomalous Connection / Uncommon 1 GiB Outbound

Unusual Activity / Unusual External Data to New Endpoint

Compliance / FTP / Unusual Outbound FTP

File Encryption

Compromise / Ransomware / Suspicious SMB Activity

Anomalous Connection / Sustained MIME Type Conversion

Anomalous File / Internal / Additional Extension Appended to SMB File

Compromise / Ransomware / Possible Ransom Note Write

Compromise / Ransomware / Possible Ransom Note Read

Anomalous Connection / Suspicious Read Write Ratio

IoC List

IoC – Type – Description + Confidence

93.115.25[.]139 IP C2 Server, likely associated with SystemBC

194.165.16[.]13 IP Probable Exfiltration Server

91.238.181[.]230 IP C2 Server, likely associated with Cobalt Strike

ikea0[.]com Hostname C2 Server, likely associated with Cobalt Strike

lebondogicoin[.]com Hostname C2 Server, likely associated with Cobalt Strike

184.168.123[.]220 IP Possible C2 Infrastructure

184.168.123[.]219 IP Possible C2 Infrastructure

184.168.123[.]236 IP Possible C2 Infrastructure

184.168.123[.]241 IP Possible C2 Infrastructure

184.168.123[.]247 IP Possible C2 Infrastructure

184.168.123[.]251 IP Possible C2 Infrastructure

184.168.123[.]252 IP Possible C2 Infrastructure

184.168.123[.]229 IP Possible C2 Infrastructure

184.168.123[.]246 IP Possible C2 Infrastructure

184.168.123[.]230 IP Possible C2 Infrastructure

gfs440n010.userstorage.me ga.co[.]nz Hostname Possible Exfiltration Server. Not inherently malicious; associated with MEGA file storage.

gfs440n010.userstorage.me ga.co[.]nz Hostname Possible Exfiltration Server. Not inherently malicious; associated with MEGA file storage.

Get the latest insights on emerging cyber threats

This report explores the latest trends shaping the cybersecurity landscape and what defenders need to know in 2025

Written by
Alexandra Sentenac
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst

Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor

Network
May 14, 2026
Tara Gould
Malware Research Lead
Watch the NIS2 Webinar
Trending blogs
1
Darktrace Recognized as the Only Visionary in the 2026 Gartner® Magic Quadrant™ for CPS Protection Platforms
Mar 20, 2026
2
What the Darktrace Annual Threat Report 2026 Means for Security Leaders
Feb 26, 2026
3
State of AI Cybersecurity 2026: 92% of security professionals concerned about the impact of AI agents
Mar 26, 2026
4
Inside ZionSiphon: Darktrace’s Analysis of OT Malware Targeting Israeli Water Systems
Apr 16, 2026
5
Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom
Mar 24, 2026

More in this series

No items found.
Continue reading
Network
May 21, 2026

Darktrace named a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) For the Second Consecutive Year

Darktrace has been named a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) for the second consecutive year. We believe this reflects continued execution in NDR, ongoing AI innovation, and strong outcomes delivered for customers globally.
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Read more
Network
May 19, 2026

When Open Source Is Weaponized: Analysis of a Trojanized 7 Zip Installer

Attackers abused a trojanized 7‑Zip installer distributed via a typo‑squatted domain to establish proxyware infections worldwide. This blog analyzes how social engineering, trusted open‑source software, and stealthy command‑and‑control activity enabled widespread compromise, highlighting the importance of software validation, user awareness, and proactive network‑level detection.
Justin Torres
Cyber Analyst
Read more
Network
May 14, 2026

Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor

Darktrace researchers identified a Twill Typhoon–linked China‑nexus campaign targeting APJ customers. The activity observed includes CDN impersonation, legitimate binaries, and DLL sideloading to deploy a modular .NET RAT.
Tara Gould
Malware Research Lead
Read more

Blog

/

Compliance

/

May 26, 2026

The CIP-015 Countdown: What Utilities Should Be Doing Before October 2028

cip-015, utilities, cybersecurityDefault blog imageDefault blog image

CIP-015 what you need to know

The electric sector already knows CIP-015 is coming. The better question is whether utilities are using the time before October 1, 2028 to build an Internal Network Security Monitoring program that is defensible, auditable, and operationally useful.

I have spent most of my OT cybersecurity career around the power sector, from early NERC CIP program work as an asset owner, to consulting with utilities ranging from small municipalities and rural cooperatives to some of the largest power companies in the country, to now working with technology that helps organizations improve visibility and detection across IT and OT. One lesson has been consistent across all of those roles: compliance is not just about having a control in place. It is about being able to prove the control works.

That is where CIP-015 becomes important.

The standard is not simply asking utilities to deploy a tool inside the Electronic Security Perimeter and call the job done. CIP-015 is about improving the probability of detecting anomalous or unauthorized network activity so that organizations can improve response and recovery from an attack. That purpose is directly stated in the standard itself. (NERC)

The real work between now and October 2028 is not just buying technology. It is building an INSM capability that can collect the right data, detect meaningful activity, support evaluation, retain the right evidence, and protect that evidence from unauthorized deletion or modification.

Why CIP-015 exists

CIP-015 exists because perimeter security alone does not solve the internal visibility problem.

For years, many CIP controls have focused heavily on access management, segmentation, patching, logging, training, and other security practices that help reduce the likelihood of unauthorized access. Those controls still matter. But they do not fully answer what happens after an attacker, insider, compromised vendor account, misused credential, or malicious activity is already operating inside a trusted environment.

NERC’s technical rationale explains that Internal Network Security Monitoring focuses on the collection and analysis of network communications inside a “trust zone,” such as an ESP. In other words, CIP-015 is not only about defending the edge. It is about understanding what is happening inside the environment once traffic is already within the trusted zone. (NERC)

That is the internal visibility gap utilities need to close.

Why traditional security monitoring does not fully satisfy CIP-015

One mistake utilities should avoid is assuming that existing security event monitoring automatically solves CIP-015.

Many organizations already have logging programs tied to CIP-007, SIEM use cases, host-level security events, authentication logs, malware alerts, and incident response workflows. Those capabilities remain valuable, but they are not the same as Internal Network Security Monitoring.

Security event monitoring often tells you what happened on or to a system. INSM is intended to help show what is happening between systems, across network communications, devices, connections, and internal traffic patterns. That distinction is especially important in OT environments where adversaries may use legitimate pathways, valid credentials, native protocols, remote access, engineering workstations, or trusted systems to move inside the environment.

CIP-015 pushes utilities toward a different level of visibility: not just “did a system log something,” but “can we see and evaluate anomalous or unauthorized activity occurring inside the ESP?”

What CIP-015 requires

At a high level, CIP-015-1 requires three core capabilities.

Requirement R1: Monitoring internal network activity  

First, under Requirement R1, Responsible Entities must implement, using a risk-based rationale, network data feeds to monitor network activity, including connections, devices, and network communications. They must also implement one or more methods to detect anomalous network activity using those feeds, and one or more methods to evaluate detected anomalous activity to determine further actions.

Requirement R2: Retaining INSM data for investigations

Second, under Requirement R2, entities must retain INSM data associated with anomalous network activity at least until the related evaluation and action are complete. The standard also notes that entities are not required to retain INSM data that is not relevant to detected anomalous activity.

Requirement R3: Protecting monitoring data from tampering

Third, under Requirement R3, entities must protect INSM data collected for R1 and retained for R2 from unauthorized deletion or modification.

Those requirements may sound straightforward, but implementation is where the challenge begins.

What should utilities be asking themselves for CIP-015?

  • Where are we collecting network data inside the ESP, and why are those feeds defensible?
  • What methods are we using to detect anomalous network activity?
  • How do we distinguish meaningful anomalous behavior from normal operational change?
  • Who evaluates detections, and how are decisions documented?
  • What data is retained, and how is it protected from unauthorized deletion or modification?
  • Can we produce evidence that proves this process has worked over time?

Those answers matter because auditors will not be looking for marketing claims. They will be looking for evidence.

Why anomaly detection is central to CIP-015 compliance

One of the most important parts of CIP-015 is also one of the easiest to oversimplify: the word anomalous.

NERC’s technical rationale provides useful context. It explains that, as used in CIP-015, “anomalous” refers to unexpected, undesired, unusual, or undetermined network traffic. It also makes clear that the term does not refer to any single proprietary technology commonly marketed as “anomaly detection.”

Understanding static baselines vs true anomaly detection

A static baseline is not the same thing as meaningful anomaly detection. If a platform observes traffic for a limited period of time, assumes that observed behavior is “normal,” and then flags future deviations without deeper context, the result can be noisy, brittle, and operationally frustrating.

In real OT environments, “normal” is not fixed. Maintenance windows, vendor access, failovers, engineering changes, testing activity, backup jobs, and operational shifts can all change behavior. Detection has to keep learning and understand context. Otherwise, the organization may end up with alerts that are technically anomalous but not practically useful.

CIP-015 is not just about producing anomalies. It is about producing meaningful detections that can be evaluated, documented, and acted upon.

What should utilities consider when looking for anomaly detection tools

Some technologies were built around behavioral analysis and anomaly detection long before CIP-015 existed. What practitioners should look for is if the technology behind the phrase can identify meaningful deviations, provide context, reduce noise, and support the evaluation and evidence expectations of the standard.

Utilities should be cautious of vendor positioning that treats “anomaly” as a simple compliance keyword. This is especially important when evaluating tools historically built around signature-based, threat-based, or rule-based detection methods that are now being positioned as anomaly detection because CIP-015 uses the term.

A platform does not solve CIP-015 simply because it can baseline traffic or generate alerts when something changes.

The question is not: Can this tool create alerts?

The question is: Can this tool identify meaningful anomalous activity with enough context, prioritization, and evidence to support evaluation and response?

Why evidence and audit readiness matter for CIP-015

In NERC CIP, the control is only part of the story. Evidence is the part that proves the control existed, worked, and was followed.

That is why CIP-015 readiness should not be treated as a simple deployment project. It should be treated as a compliance operations and evidence program.

What auditors will expect utilities to prove

For R1, examples of evidence include documentation of network data feeds and the risk-based rationale for selecting them, anomalous network detection events, INSM configuration settings, communication baselines or other detection methods, methods used to evaluate anomalous activity, and actions taken in response to detected anomalies.

For R2, evidence may include documentation of the retention process, system configurations, or system-generated reports showing retention timelines sufficient to support evaluation. For R3, evidence may include documentation showing how INSM data is protected from unauthorized deletion or modification.

Common evidence gaps that can create compliance risk

If an entity implements a platform that generates noisy detections, lacks context, does not retain the right data, cannot demonstrate how data is protected, or cannot produce useful audit evidence, the issue may not become obvious until much later. By then, an organization may discover during an audit that it cannot prove what it thought it had implemented.

That is a bad place to be.

CIP evidence gaps can create exposure that goes back over time, not just to the day the audit finding is discovered. This is why utilities need to validate the process early. Do not wait until an audit cycle to find out whether your INSM approach can stand up to scrutiny.

How utilities should prepare for CIP-015 before 2028

October 2028 may sound far away, but in utility planning terms, it is not.

Utilities should already be moving through a structured readiness process.

Assessing internal network visibility across trusted environments

Start with scope. Identify the applicable High and Medium Impact BES Cyber Systems, the relevant ESPs, and the environments where INSM requirements will apply. Then map current visibility. Where do you already have useful network monitoring? Where are you relying mostly on logs, perimeter controls, or assumptions? Where do you have limited east-west visibility inside trusted environments?

Building a defensible network data feed strategy

Next, define the network data feed strategy. CIP-015 requires a risk-based rationale, so the organization should be able to explain why specific feeds were selected and how they support detection of anomalous activity across relevant connections, devices, and communications.

Validating anomaly detection workflows

Then validate the detection method. This is where utilities need to go deeper than vendor claims. Ask how the platform identifies anomalous activity. Ask how it reduces noise. Ask what context is provided for evaluation. Ask how it handles changes in normal operations. Ask what evidence is retained and how that evidence can be produced.

Testing evidence retention and protection processes

After that, build the evaluation workflow. Who reviews detections? How are anomalies classified as benign, abnormal but not suspicious, suspicious, or potentially malicious? When does an event move into CIP-008 incident response? What documentation is created during that process?

Finally, test evidence production. Utilities should be able to show detection records, configuration settings, evaluation notes, response actions, retention records, and data protection controls before an auditor asks for them.

Where Darktrace Fits into CIP-015

This is where technology matters, but only as part of the broader program.

Darktrace was built on self-learning anomaly detection long before CIP-015 created a new compliance driver around anomalous network activity. Its value is rooted in continuous behavioral understanding, multiple analytical techniques, and the ability to identify meaningful deviations across complex IT and OT environments. That matters because CIP-015 requires more than basic alerting. It requires detection that supports evaluation, evidence, and action.

This IT and OT visibility is especially important in power utility environments. High and Medium Impact environments are not made up only of industrial protocols and field devices. Control centers, operational workstations, engineering workstations, servers, remote access systems, domain services, printers, and other enterprise-class assets often sit inside or adjacent to critical operational environments. A useful INSM capability should understand a wide range of communications across both IT and OT, not only traditional industrial protocols like Modbus, DNP3, or IEC 61850.

That distinction matters because “protocol support” can mean very different things. Identifying that a protocol is present is not the same as performing deeper packet analysis that can provide behavioral context, richer protocol understanding, and meaningful detection across the communications actually used inside the environment. For CIP-015, utilities should be asking whether a platform can help evaluate activity across both enterprise and industrial communications, because real power utility environments are rarely “OT-only.”

This is also why utilities should look carefully at how vendors use the word “anomaly.” Some platforms were designed around behavioral understanding and anomaly detection long before CIP-015 created a new compliance driver. Others may now be adopting the language because the standard uses the term. The difference matters. Utilities should ask whether the platform’s detection approach is foundational to the technology, or simply a new label applied to existing signature-based, threat-based, or rule-based methods.

In OT environments, detection quality matters. Utilities do not need more noise. They need visibility into internal communications, confidence in what is normal, context when something changes, and prioritization that helps security and operations teams focus on what matters.

A strong INSM program should help utilities move from raw monitoring to operational confidence. It should support east-west visibility, better anomaly evaluation, defensible evidence retention, protection of monitoring data, and alignment between compliance and security outcomes.

That is the right way to think about CIP-015.

Not as “deploy a tool and move on.”But as “build a capability that can be trusted, operated, and proven.”

CIP-015 is about proving your INSM capability works

The CIP-015 countdown is real, but the countdown itself is not the whole story.

The real story is what utilities do with the time that remains.

Organizations that treat CIP-015 as a checkbox may be able to say they deployed something. But organizations that treat it as an opportunity to close the internal visibility gap will gain something much more valuable: better detection, better response, better evidence, and stronger operational resilience.

The question utilities should be asking now is not whether they can produce more alerts before October 2028.

The question is whether they can prove their INSM capability actually works.

Continue reading
About the author
Jeffrey Macre
Principal Industrial Security Solutions Architect

Blog

/

Email

/

May 26, 2026

Journey of a Threat: How Multi-Layered AI Works in Darktrace / EMAIL

Man at a computerDefault blog imageDefault blog image

Darktrace / EMAIL is an implementation of the Darktrace methodology – a multi-layered AI system built into a single product. As with other Darktrace products, Darktrace / EMAIL learns the expected behaviours of an organization and its employees to identify novel threats and anomalous activity.

The diagram below represents the architecture of Darktrace / EMAIL’s multi-layered AI: a structured visualization of how intelligence is built, step by step, from raw data to actionable insight. Each layer plays a distinct role, feeding into the next: collecting data, understanding behaviour, analysing intent, making decisions, and presenting clear outcomes.

It all starts with an email

In this blog, we’ll follow a malicious email as it passes through the Darktrace / EMAIL system, showing exactly what happens as it travels through each layer of the pyramid, from basic data extraction to AI-powered metric creation, and finally deciding on any autonomous actions.

Let’s take this example email. As an end-user, you can see that this is an obvious extortion attempt where an adversary is threatening legal action if money isn’t paid within 24 hours, but how does Darktrace figure that out?

Part 1: Data Gathering

Processing of an email begins on point-of-transit for all inbound, outbound, or lateral emails. The first step is to extract information directly. This includes taking information from the headers (such as sending and receiving addresses, sender IP address, routing, and authentication protocols), as well as extraction of raw HTML and CSS data from the email itself.

This directly extracted information only allows for immediate surface level analysis, such as identifying signature-based attacks (known malicious addresses / domains), but is insufficient for identifying novel threats, complex attacks, or potential email or vendor compromise. This is where Darktrace’s AI analysis shines.

In this example, the SPF, DKIM, and DMARC authentication all passed successfully, showing that even malicious emails can still bypass these signature-based checks. Even with this success, Darktrace will continue to analyse the email.

Diving deeper into the technical information, we can see further information extracted from the headers, including aggregations from the header information, historical calculations such as the frequency and volume of emails to and from a particular domain, and much more.

Part 2: Social Graphing

Social Graphing involves the analysis of sending and receiving behaviours of different mailboxes to create peer-groups. Mailboxes who often send and receive to and from the same mailboxes, or exhibit other correlated behaviours, will be clustered together using a collection of unsupervised AI clustering systems. These groups may represent uses in the same teams who perform similar activity, groups of external facing mailboxes which often receive unsolicited emails, or groups of VIP users (such as C-suite or executives).

Social graphing is an essential component of Darktrace’s pattern of life analysis. This clustering allows Darktrace to understand the responsibilities of individuals – for example, behaviours which are anomalous for one group of users may be completely expected of another group.

In our example, the email was sent to 3 different users within the organization. As part of the social graphing, an “Association Anomaly” is calculated which indicates the likelihood that these users would receive emails from this user or domain, based on historical patterns.

Part 3: Metric Calculation

Metrics are calculated for every email, representing more complex characteristics of an email which can’t be directly extracted. Darktrace / EMAIL features over 1000 unique metrics, calculated both algorithmically and using an ensemble of AI systems.

Algorithmically calculated (non-AI) metrics include further historical calculations, and counts of features such as code blocks, and hidden text, to name a few.

AI-driven metrics include Inducement Classification which uses Natural Language Processing to identify potential phishing, solicitation, or extortion attempts; Named Entity Recognition to identify PII and other sensitive data within an email to support Data Loss Prevention; and many more.

We can follow our example email through this process and view the outcome of these metric calculations. Looking at the language metrics for this email, we can see that our email has reported a high extortion inducement, along with identification of banking information and language indicating urgency.

Part 4: Evaluation and Combination Engine (models)

Once all metrics have been calculated for an email, it gets sent to an evaluation and combination engine where the metrics are compared against blocks of logic to determine if an email contains a threat. One key model which alerted for this example message was a model to tag and block extortion attempts.

Since our example email has a high inducement score for extortion, along the presence of a bitcoin wallet address in the message, this model alerts. When a model in the engine is activated, actions are taken – in this case adding a tag to the email to flag it as extortion in the console and hold the email to prevent it from reaching the end-user mailbox.

Part 5: Meta-Modelling and Actions

Once the models have been run, the actions are taken against the email. If the email hasn’t been blocked or held, this is the point where it will reach the end-user's mailbox.

In the Darktrace / EMAIL UI, all actions models which alerted for an email and actions taken as a result can be seen. At the top of this page, you can see the alert indicating an extortion attempt along with the action to hold the message.

Alongside this, a meta-classifier is used to calculate an overall anomaly score for each email, based on how much the email differs from the pattern of life for the user. The score of the email is boosted by any actions that have taken place.

Part 6: Campaign Clustering

All emails are passed through the Darktrace / EMAIL campaign clustering system. This system creates clusters based on related features within the emails to identify groups of emails with the same sender or intent.

In our case, the email was identified as part of a campaign, alongside other emails which were also identified as extortion attempts against a small group of recipients.

Email campaigns may have additional actions applied to them if the campaign is deemed malicious, and in this case, you can see that the autonomous response was to hold all emails in the campaign. This means that if an email manages to avoid being blocked in the evaluation and combination engine but gets identified as part of the campaign, the hold action will be applied to it retroactively.

Part 7: Cyber AI Analyst

Darktrace’s Cyber AI Analyst presents key information and anomaly indicators for each email, such as further information about authentication, specific metrics, or other identified anomalies and mismatches.

Cyber AI Analyst can also utilize data from Darktrace / EMAIL to enhance its investigation of incidents from other Darktrace products, correlating relevant information to build a fuller picture. More information about the Cyber AI Analyst is available in the Darktrace AI Arsenal.

Part 8: Data Presentation (UI)

Once all processing has taken place against the email, it is presented in the Darktrace / EMAIL UI. Here, members of the SOC team can investigate incidents and anomalies, interact with malicious emails to see why they were blocked, and much more.

Our email stands out here with its 100 anomaly score. Every email which passes through a Darktrace / EMAIL will undergo the same thorough and rigorous analysis to identify potential risks, apply autonomous actions where required, and will ultimately be assigned a score to be displayed here. By providing a single overall score in the UI, rather than presenting emails in full, Darktrace / EMAIL allows SOC teams to more easily identify which emails are most important to investigate, increasing efficiency and reducing alert fatigue.

Take the next step

Many email security tools on the market that claim to be AI-driven are in fact bolting AI onto attack-centric approaches, which rely on automating the identification of known threats. These approaches struggle, and will continue to struggle, with adapting to novel, AI-generated threats.

By analyzing every email within its deeply integrated, multi-layered AI system, Darktrace / EMAIL is able to identify the subtle threats that others miss. This depth not only improves detection accuracy, but enables confident, autonomous action, giving security teams clearer insight into AI outcomes and greater control while supporting users.

For a full deep dive into each stage of the AI system, check out the white paper: A Guide to the Multi-Layered AI in Darktrace / EMAIL

Learn more about securing AI in your enterprise.

[related-resource]

Continue reading
About the author
Jamie Bali
Technical Author (AI) Developer
Your data. Our AI.
Elevate your network security with Darktrace AI