Blog
/
Compliance
/
September 13, 2022

Compliance Threat: RedLine Information Stealer

Darktrace reveals the compliance risks posed by the RedLine information stealer. Read about their analysis and how to defend against this cyber threat.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Steven Sosa
Analyst Team Lead
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
13
Sep 2022

With the continued rise of malware as a service (MaaS), it is now easier than ever to find and deploy information stealers [1]. Given this, it is crucial that companies begin to prioritize good cyber hygiene, and address compliance issues within their environments. Thanks to MaaS, attackers with little to no experience can amplify what might seem like a low-risk attack, into a significant compromise. This blog will investigate a compromise that could have been mitigated with better cyber hygiene and enhanced awareness around compliance issues.

Figure 1: Timeline of the attack

In May 2022 Darktrace DETECT/Network identified a device linked with multiple compliance alerts for ‘torrent’ activity within a Latin American telecommunications company. This culminated in the device downloading a suspicious executable file from an archived webpage. At first, analysis of the downloaded file indicated that it could be a legitimate, albeit outdated software relevant to the client’s industry vertical (SNMPc management tool for GeoDesy GD-300). However, as this was the first event before further suspicious activities, it was also possible that the software downloaded was packaged with malware and marked an initial compromise. Since early April, the device had regularly breached compliance alerts for both BitTorrent and uTorrent (a BitTorrent client). These connections occurred over a common torrenting port, 6881, and may have represented the infection vector.  

Figure 2: View of archived webpage which the suspicious executable was downloaded from

Shortly after the executable was downloaded, Darktrace DETECT alerted a new outbound SSH connection with the following notice in Advanced Search: ‘SSH::Heuristic_Login_Success’. This was highlighted because the breach device did not commonly make connections over this protocol and the destination was a never-before-seen Bulgarian IP address (79.142.70[.]239). The connection lasted 4 minutes, and the device downloaded 31.36 MB of data. 

Following this, the breach device was seen making unusual HTTP connections to rare Russian and Danish endpoints using suspicious user agents. The Russian endpoint was noted for hosting a text file (‘incricinfo[.]com') that listed a single domain which was recently registered. The connections to the Danish endpoint were made to an IP with a URI that OSINT connected to the use of the BeamWinHTTP loader [2]. This loader can be used to download and execute other malware strains, in particular information stealers [3]. 

Figure 3: Screenshot of Russian endpoint with link to incricinfo[.]com 
Figure 4: Cyber AI Analyst highlighting the unusual HTTP connectivity that occurred prior to the multiple suspicious file downloads

At the same time as the connections with the unusual user agents, the device was also seen downloading an executable file from the endpoint, ‘Yuuichirou-hanma[.]s3[.]pl-waw[.]scw[.]cloud’. Analysis of the file indicated that it may be used to deploy further malware and potentially unwanted programs (PUPs). BeamWinHTTP also causes installation of these PUPs which helps to load more nefarious programs and spread compromise. 

This behavior was then seen as the device downloaded 5 different executable files from the endpoint, ‘hakhaulogistics[.]com’. This domain is linked to a Vietnamese logistics company that Darktrace had marked as new within the environment; it is possible that this domain was compromised and being used to host malicious infrastructure. At the point of compromise, several of the downloads were labeled as malicious by popular OSINT [4]. Additionally, at least one of the files was explicitly linked to the RedLine Information Stealer.  

Shortly after, the device made connections to a known Tor relay node. Tor is commonly used as an avenue for C2 communication as it offers a way for attackers to anonymize and obfuscate their activity. It was at this point that the first Proactive Threat Notification (PTN) for this activity occurred. This ensured immediate follow-up investigation from Darktrace SOC and a timeline of events and impacted devices were issued to the customer’s security team directly. 

Figure 5: Cyber AI Analyst highlighting the unusual executable downloads as well as the subsequent Tor connections. The file poweroff[.]exe has been highlighted by several OSINT sources as being potentially malicious

By this point, Darktrace had identified a large volume of unusual outbound HTTP POSTs to a variety of endpoints that seemed to have no obvious function or service. Following these POST requests, the compromised device was seen initiating a long SSL connection to the domain, ‘www[.]qfhwji6fnpiad3gs[.]com’, which is likely to have be generated by an algorithm (DGA). Lastly, a little while after the SSL connections, the device was seen downloading another executable file from the Russian domain ‘test-hf[.]su’. Research on the file again suggested that it was associated with RedLine Stealer [5].  

Figure 6: AIA highlighting additional unusual HTTP connections that were linked with the numeric exe download

Dangers of Non-Compliance 

Whilst the RedLine compromise was a matter of customer concern, the gap in their security was not visibility but rather best practice. It is important to note that prior to these events, the device was commonly seen sending and receiving connections associated with torrenting. In the past it has been observed that RedLine Stealer masquerades as ‘cracked’ software (software that has had its copy protection removed) [6]. In this instance, the initial download of the false ‘SNMPc’ executable may have been proof of this behavior. 

This is a reminder that torrenting is also extremely popular as a peer-to-peer vector for transferring malicious files. Combined with the possibility of network throttling or unapproved VPN use, torrents are usually considered non-compliant within corporate settings. Whether the events here were kickstarted due to a user unwittingly downloading malicious software, or exposure to a malicious actor via BitTorrent use, both cases represent a user circumventing existing compliance controls or a lack of compliance control in general. It is important for organizations to make sure that their users are acting in ways that limit the company’s exposure to nefarious actors. Companies should routinely encourage proper cyber hygiene and implement access controls that block certain activities such as torrenting if threats like these are to be stopped in the future.  

Regardless of what users are doing, Darktrace is positioned to detect and take action on compliance breaches and activity resulting from lack of compliance. The variety of C2 domains used in this blog incident were too quick for most security tools to alert on or for human teams to triage. However, this was no problem for Cyber AI analyst, which was able to draw together aspects of the attack across the kill chain and save a significant amount of time for both the customer security team and Darktrace SOC analysts. If active, Darktrace RESPOND could have blocked activities like the initial BitTorrent connections and incoming download, but with the right preventative measures, it wouldn’t have to. Darktrace PREVENT works continuously to harden defenses and preempt attackers, closing any vulnerabilities before they can be exploited. This includes performing attack surface management, attack path modelling, and security awareness training. In this case, Darktrace PREVENT could have highlighted torrenting activity as part of a potentially harmful attack path and recommended the best actions to mitigate it.

‘No Prior Experience required’ 

In the past, only highly skilled attackers could create and use the tools needed to attack organizations. With Ransomware-as-a-Service (RaaS) proving highly profitable, however, it is no surprise that malware is also becoming a lucrative business. As SaaS can help legitimate companies with no development experience to use and maintain apps, MaaS can help attackers with little to no hacking experience compromise organizations and achieve their goals. RedLine Stealer is readily available, and not prohibitively expensive, meaning attacks can be carried out more frequently, and on a wider range of victims. The incident explored in this blog is proof of this, and a strong indication that security comes not only from strong visibility but also compliance and best practice too. With a powerful defensive tool like PREVENT, security teams can save time while feeling confident that they are keeping ahead of these aspects of security.

Thanks to Adam Stevens for his contributions to this blog.

Appendices

Darktrace Model Breaches

·      Anomalous Connection / Multiple HTTP POSTs to Rare Hostname 

·      Anomalous Connection / New User Agent to IP Without Hostname

·      Anomalous File / EXE from Rare External Location

·      Anomalous File / Multiple EXE from Rare External 

·      Anomalous File / Numeric Exe Download

·      Anomalous Server Activity / New User Agent from Internet Facing System

·      Compliance / SSH to Rare External Destination

·      Compromise / Anomalous File then Tor 

·      Compromise / Possible Tor Usage 

·      Device / Initial Breach Chain Compromise

·      Device / Long Agent Connection to New Endpoint

References

[1] https://blog.sonicwall.com/en-us/2021/12/the-rise-and-growth-of-malware-as-a-service/

[2] https://asec.ahnlab.com/en/33679/  

[3] https://asec.ahnlab.com/en/20930/

[4] https://www.virustotal.com/gui/file/acfc06b4bcda03ecf4f9dc9b27c510b58ae3a6a9baf1ee821fc624467944467b & https://www.virustotal.com/gui/file/dad6311f96df65f40d9599c84907bae98306f902b1489b03768294b7678a5e79 

[5] https://www.virustotal.com/gui/file/ff7574f9f1d15594e409bee206f5db6c76db7c90dda2ae4f241b77cd0c7b6bf6

[6] https://asec.ahnlab.com/en/30445/

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Steven Sosa
Analyst Team Lead

More in this series

No items found.

Blog

/

Network

/

June 5, 2025

Unpacking ClickFix: Darktrace’s detection of a prolific social engineering tactic

Woman on laptop in office buildingDefault blog imageDefault blog image

What is ClickFix and how does it work?

Amid heightened security awareness, threat actors continue to seek stealthy methods to infiltrate target networks, often finding the human end user to be the most vulnerable and easily exploited entry point.

ClickFix baiting is an exploitation of the end user, making use of social engineering techniques masquerading as error messages or routine verification processes, that can result in malicious code execution.

Since March 2024, the simplicity of this technique has drawn attention from a range of threat actors, from individual cybercriminals to Advanced Persistent Threat (APT) groups such as APT28 and MuddyWater, linked to Russia and Iran respectively, introducing security threats on a broader scale [1]. ClickFix campaigns have been observed affecting organizations in across multiple industries, including healthcare, hospitality, automotive and government [2][3].

Actors carrying out these targeted attacks typically utilize similar techniques, tools and procedures (TTPs) to gain initial access. These include spear phishing attacks, drive-by compromises, or exploiting trust in familiar online platforms, such as GitHub, to deliver malicious payloads [2][3]. Often, a hidden link within an email or malvertisements on compromised legitimate websites redirect the end user to a malicious URL [4]. These take the form of ‘Fix It’ or fake CAPTCHA prompts [4].

From there, users are misled into believing they are completing a human verification step, registering a device, or fixing a non-existent issue such as a webpage display error. As a result, they are guided through a three-step process that ultimately enables the execution of malicious PowerShell commands:

  1. Open a Windows Run dialog box [press Windows Key + R]
  2. Automatically or manually copy and paste a malicious PowerShell command into the terminal [press CTRL+V]
  3. And run the prompt [press ‘Enter’] [2]

Once the malicious PowerShell command is executed, threat actors then establish command and control (C2) communication within the targeted environment before moving laterally through the network with the intent of obtaining and stealing sensitive data [4]. Malicious payloads associated with various malware families, such as XWorm, Lumma, and AsyncRAT, are often deployed [2][3].

Attack timeline of ClickFix cyber attack

Based on investigations conducted by Darktrace’s Threat Research team in early 2025, this blog highlights Darktrace’s capability to detect ClickFix baiting activity following initial access.

Darktrace’s coverage of a ClickFix attack chain

Darktrace identified multiple ClickFix attacks across customer environments in both Europe, the Middle East, and Africa (EMEA) and the United States. The following incident details a specific attack on a customer network that occurred on April 9, 2025.

Although the initial access phase of this specific attack occurred outside Darktrace’s visibility, other affected networks showed compromise beginning with phishing emails or fake CAPTCHA prompts that led users to execute malicious PowerShell commands.

Darktrace’s visibility into the compromise began when the threat actor initiated external communication with their C2 infrastructure, with Darktrace / NETWORK detecting the use of a new PowerShell user agent, indicating an attempt at remote code execution.

Darktrace / NETWORK's detection of a device making an HTTP connection with new PowerShell user agent, indicating PowerShell abuse for C2 communications.
Figure 1: Darktrace / NETWORK's detection of a device making an HTTP connection with new PowerShell user agent, indicating PowerShell abuse for C2 communications.

Download of Malicious Files for Lateral Movement

A few minutes later, the compromised device was observed downloading a numerically named file. Numeric files like this are often intentionally nondescript and associated with malware. In this case, the file name adhered to a specific pattern, matching the regular expression: /174(\d){7}/. Further investigation into the file revealed that it contained additional malicious code designed to further exploit remote services and gather device information.

Darktrace / NETWORK's detection of a numeric file, one minute after the new PowerShell User Agent alert.
Figure 2: Darktrace / NETWORK's detection of a numeric file, one minute after the new PowerShell User Agent alert.

The file contained a script that sent system information to a specified IP address using an HTTP POST request, which also processed the response. This process was verified through packet capture (PCAP) analysis conducted by the Darktrace Threat Research team.

By analyzing the body content of the HTTP GET request, it was observed that the command converts the current time to Unix epoch time format (i.e., 9 April 2025 13:26:40 GMT), resulting in an additional numeric file observed in the URI: /1744205200.

PCAP highlighting the HTTP GET request that sends information to the specific IP, 193.36.38[.]237, which then generates another numeric file titled per the current time.
Figure 3: PCAP highlighting the HTTP GET request that sends information to the specific IP, 193.36.38[.]237, which then generates another numeric file titled per the current time.

Across Darktrace’s investigations into other customers' affected by ClickFix campaigns, both internal information discovery events and further execution of malicious code were observed.

Data Exfiltration

By following the HTTP stream in the same PCAP, the Darktrace Threat Research Team assessed the activity as indicative of data exfiltration involving system and device information to the same command-and-control (C2) endpoint, , 193.36.38[.]237. This endpoint was flagged as malicious by multiple open-source intelligence (OSINT) vendors [5].

PCAP highlighting HTTP POST connection with the numeric file per the URI /1744205200 that indicates data exfiltration to 193.36.38[.]237.
Figure 4: PCAP highlighting HTTP POST connection with the numeric file per the URI /1744205200 that indicates data exfiltration to 193.36.38[.]237.

Further analysis of Darktrace’s Advanced Search logs showed that the attacker’s malicious code scanned for internal system information, which was then sent to a C2 server via an HTTP POST request, indicating data exfiltration

Advanced Search further highlights Darktrace's observation of the HTTP POST request, with the second numeric file representing data exfiltration.
Figure 5: Advanced Search further highlights Darktrace's observation of the HTTP POST request, with the second numeric file representing data exfiltration.

Actions on objectives

Around ten minutes after the initial C2 communications, the compromised device was observed connecting to an additional rare endpoint, 188.34.195[.]44. Further analysis of this endpoint confirmed its association with ClickFix campaigns, with several OSINT vendors linking it to previously reported attacks [6].

In the final HTTP POST request made by the device, Darktrace detected a file at the URI /init1234 in the connection logs to the malicious endpoint 188.34.195[.]44, likely depicting the successful completion of the attack’s objective, automated data egress to a ClickFix C2 server.

Darktrace / NETWORK grouped together the observed indicators of compromise (IoCs) on the compromised device and triggered an Enhanced Monitoring model alert, a high-priority detection model designed to identify activity indicative of the early stages of an attack. These models are monitored and triaged 24/7 by Darktrace’s Security Operations Center (SOC) as part of the Managed Threat Detection service, ensuring customers are promptly notified of malicious activity as soon as it emerges.

Darktrace correlated the separate malicious connections that pertained to a single campaign.
Figure 6: Darktrace correlated the separate malicious connections that pertained to a single campaign.

Darktrace Autonomous Response

In the incident outlined above, Darktrace was not configured in Autonomous Response mode. As a result, while actions to block specific connections were suggested, they had to be manually implemented by the customer’s security team. Due to the speed of the attack, this need for manual intervention allowed the threat to escalate without interruption.

However, in a different example, Autonomous Response was fully enabled, allowing Darktrace to immediately block connections to the malicious endpoint (138.199.156[.]22) just one second after the initial connection in which a numerically named file was downloaded [7].

Darktrace Autonomous Response blocked connections to a suspicious endpoint following the observation of the numeric file download.
Figure 7: Darktrace Autonomous Response blocked connections to a suspicious endpoint following the observation of the numeric file download.

This customer was also subscribed to our Managed Detection and Response service, Darktrace’s SOC extended a ‘Quarantine Device’ action that had already been autonomously applied in order to buy their security team additional time for remediation.

Autonomous Response blocked connections to malicious endpoints, including 138.199.156[.]22, 185.250.151[.]155, and rkuagqnmnypetvf[.]top, and also quarantined the affected device. These actions were later manually reinforced by the Darktrace SOC.
Figure 8: Autonomous Response blocked connections to malicious endpoints, including 138.199.156[.]22, 185.250.151[.]155, and rkuagqnmnypetvf[.]top, and also quarantined the affected device. These actions were later manually reinforced by the Darktrace SOC.

Conclusion

ClickFix baiting is a widely used tactic in which threat actors exploit human error to bypass security defenses. By tricking end point users into performing seemingly harmless, everyday actions, attackers gain initial access to systems where they can access and exfiltrate sensitive data.

Darktrace’s anomaly-based approach to threat detection identifies early indicators of targeted attacks without relying on prior knowledge or IoCs. By continuously learning each device’s unique pattern of life, Darktrace detects subtle deviations that may signal a compromise. In this case, Darktrace's Autonomous Response, when operating in a fully autonomous mode, was able to swiftly contain the threat before it could progress further along the attack lifecycle.

Credit to Keanna Grelicha (Cyber Analyst) and Jennifer Beckett (Cyber Analyst)

Appendices

NETWORK Models

  • Device / New PowerShell User Agent
  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous Connection / Posting HTTP to IP Without Hostname
  • Anomalous Connection / Powershell to Rare External
  • Device / Suspicious Domain
  • Device / New User Agent and New IP
  • Anomalous File / New User Agent Followed By Numeric File Download (Enhanced Monitoring Model)
  • Device / Initial Attack Chain Activity (Enhanced Monitoring Model)

Autonomous Response Models

  • Antigena / Network::Significant Anomaly::Antigena Significant Anomaly from Client Block
  • Antigena / Network::Significant Anomaly::Antigena Enhanced Monitoring from Client Block
  • Antigena / Network::External Threat::Antigena File then New Outbound Block
  • Antigena / Network::External Threat::Antigena Suspicious File Block
  • Antigena / Network::Significant Anomaly::Antigena Alerts Over Time Block
  • Antigena / Network::External Threat::Antigena Suspicious File Block

IoC - Type - Description + Confidence

·       141.193.213[.]11 – IP address – Possible C2 Infrastructure

·       141.193.213[.]10 – IP address – Possible C2 Infrastructure

·       64.94.84[.]217 – IP address – Possible C2 Infrastructure

·       138.199.156[.]22 – IP address – C2 server

·       94.181.229[.]250 – IP address – Possible C2 Infrastructure

·       216.245.184[.]181 – IP address – Possible C2 Infrastructure

·       212.237.217[.]182 – IP address – Possible C2 Infrastructure

·       168.119.96[.]41 – IP address – Possible C2 Infrastructure

·       193.36.38[.]237 – IP address – C2 server

·       188.34.195[.]44 – IP address – C2 server

·       205.196.186[.]70 – IP address – Possible C2 Infrastructure

·       rkuagqnmnypetvf[.]top – Hostname – C2 server

·       shorturl[.]at/UB6E6 – Hostname – Possible C2 Infrastructure

·       tlgrm-redirect[.]icu – Hostname – Possible C2 Infrastructure

·       diagnostics.medgenome[.]com – Hostname – Compromised Website

·       /1741714208 – URI – Possible malicious file

·       /1741718928 – URI – Possible malicious file

·       /1743871488 – URI – Possible malicious file

·       /1741200416 – URI – Possible malicious file

·       /1741356624 – URI – Possible malicious file

·       /ttt – URI – Possible malicious file

·       /1741965536 – URI – Possible malicious file

·       /1.txt – URI – Possible malicious file

·       /1744205184 – URI – Possible malicious file

·       /1744139920 – URI – Possible malicious file

·       /1744134352 – URI – Possible malicious file

·       /1744125600 – URI – Possible malicious file

·       /1[.]php?s=527 – URI – Possible malicious file

·       34ff2f72c191434ce5f20ebc1a7e823794ac69bba9df70721829d66e7196b044 – SHA-256 Hash – Possible malicious file

·       10a5eab3eef36e75bd3139fe3a3c760f54be33e3 – SHA-1 Hash – Possible malicious file

MITRE ATT&CK Mapping

Tactic – Technique – Sub-Technique  

Spearphishing Link - INITIAL ACCESS - T1566.002 - T1566

Drive-by Compromise - INITIAL ACCESS - T1189

PowerShell - EXECUTION - T1059.001 - T1059

Exploitation of Remote Services - LATERAL MOVEMENT - T1210

Web Protocols - COMMAND AND CONTROL - T1071.001 - T1071

Automated Exfiltration - EXFILTRATION - T1020 - T1020.001

References

[1] https://www.logpoint.com/en/blog/emerging-threats/clickfix-another-deceptive-social-engineering-technique/

[2] https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape

[3] https://cyberresilience.com/threatonomics/understanding-the-clickfix-attack/

[4] https://www.group-ib.com/blog/clickfix-the-social-engineering-technique-hackers-use-to-manipulate-victims/

[5] https://www.virustotal.com/gui/ip-address/193.36.38.237/detection

[6] https://www.virustotal.com/gui/ip-address/188.34.195.44/community

[7] https://www.virustotal.com/gui/ip-address/138.199.156.22/detection

Continue reading
About the author
Keanna Grelicha
Cyber Analyst

Blog

/

Proactive Security

/

June 4, 2025

Beyond Discovery: Adding Intelligent Vulnerability Validation to Darktrace / Attack Surface Management

Man on computer doing workDefault blog imageDefault blog image

Introducing Exploit Prediction Assessment

Security teams are drowning in vulnerability alerts, but only a fraction of those issues pose a real threat. The new Exploit Prediction Assessment feature in Darktrace / Attack Surface Management helps teams cut through the noise by validating which vulnerabilities on their external attack surface can be actively exploited.

Instead of relying solely on CVSS scores or waiting for patch cycles, Exploit Prediction Assessment uses safe, targeted simulations to test whether exposed systems can be compromised, delivering fast, evidence-based results in under 72 hours.

This capability augments traditional pen testing and complements existing ASM workflows by transforming passive discovery into actionable insight. With EPA, security teams move from reacting to long lists of potential vulnerabilities to making confident, risk-based decisions on what actually matters.

Key highlights of Exploit Prediction Assessment

Simulated attacks to validate real risk

Exploit Prediction Assessment conducts safe, simulated attacks on assets with potential security vulnerabilities that have been identified by Darktrace / Attack Surface Management. This real-time testing validates your systems' susceptibility to compromise by confirming which vulnerabilities are present and exploitable on your attack surface.

Prioritize what matters most

Confirmed security risks can be prioritized for mitigation, ensuring that the most critical threats are promptly addressed. This takes the existing letter ranking system and brings it a step further by drilling down to yet another level. Even in the most overwhelming situations, teams will be able to act on a pragmatic, clear-cut plan.

Fast results, tailored to your environment

Customers set the scope of the Exploit Prediction Assessment within Darktrace / Attack Surface Management and receive the results of the surgical vulnerability testing within 72 hours. Users will see 1 of 2 shields:

1. A green shield with a check mark: Meaning no vulnerabilities were found on scanned CVEs for the asset.

2. A red shield with a red x: Meaning at least one vulnerability was found on scanned CVEs for the asset.

Why it's a game changer

Traditionally, attack surface management tools have focused on identifying exposed assets and vulnerabilities but lacked the context to determine which issues posed the greatest risk. Without context on what’s exploitable, security teams are left triaging long lists of potential risks, operating in isolation from broader business objectives. This misalignment ultimately leads to both weakened risk posture and cross team communication and execution.

This is where Continuous Threat Exposure Management (CTEM) becomes essential. Introduced by Gartner, CTEM is a framework that helps organizations continuously assess, validate, and improve their exposure to real-world threats. The goal isn’t just visibility, it’s to understand how an attacker could move through your environment today, and what to fix first to stop them.

Exploit Prediction Assessment brings this philosophy to life within Darktrace / Attack Surface Management. By safely simulating exploit attempts against identified vulnerabilities, it validates which exposures are truly at risk—transforming ASM from a discovery tool into a risk-based decision engine.

This capability directly supports the validation and prioritization phases of CTEM, helping teams focus on exploitable vulnerabilities rather than theoretical ones.  This shift from visibility to action reduces the risk of critical vulnerabilities in the technology stack being overlooked, turning overwhelming vulnerability data into focused, clear actionable insights.

As attack surfaces continue to grow and change, organizations need more than static scans they need continuous, contextual insight. Exploit Prediction Assessment ensures your ASM efforts evolve with the threat landscape, making CTEM a practical reality, not just a strategy.

Exploit Prediction Assessment in action

With Darktrace / Attack Surface Management organizations can get Exploit Prediction Assessment, and the cyber risk team no longer guesses which vulnerabilities matter most. Instead, they identify several externally exposed areas of their attack surface, then use the feature to surgically test for exploitability across these exposed endpoints. Within 72 hours, they receive a report:  

Positive outcome: Based on information in the html or the headers it seems that a vulnerable software version is running on an externally exposed infrastructure. By running a targeted attack on this infrastructure, we can confirm that it cannot be abused.

Negative outcome: Based on information in the html or the headers it seems that a vulnerable software version is running on an externally exposed infrastructure. By running a targeted attack on this infrastructure, we can confirm that it can be exploited, so we can predict it being exploited.

This second outcome changes everything. The team immediately prioritizes the exploitable asset for patching and takes the necessary adjustments to mitigate exposure until the fix is deployed.

Instead of spreading their resources thin across dozens of alerts, they focus on what poses a real threat, saving time, reducing risk, and demonstrating actionable results to stakeholders.

Conclusion

Exploit Predication Assessment bolsters Darktrace’s commitment to proactive cybersecurity. It supports intelligent prioritization of vulnerabilities, keeping organizations ahead of emerging threats. With this new addition to / Attack Surface Management, teams have another tool to empower a more efficient approach to addressing security gaps in real-time.

Stay tuned for more updates and insights on how Darktrace continues to develop a culture of proactive security across the entire ActiveAI Security Platform.

[related-resource]

Continue reading
About the author
Kelland Goodin
Product Marketing Specialist
Your data. Our AI.
Elevate your network security with Darktrace AI