Darktrace acquires Cybersprint, a best-in-class Attack Surface Management company. Learn more about the integration and its benefits.
Today Darktrace announced the acquisition of best-in-class Attack Surface Management (ASM) company Cybersprint. This is hugely exciting for both our companies, our customers and the wider security industry.
After months of meeting with the Cybersprint teams, diving into their technology and shared opportunities, we are truly excited for the way ahead. Cybersprint is a fantastic fit for Darktrace because of their technology, their people and their data. I want to go into those three reasons in a little more detail.
The Technology
We have tested Cybersprint’s technology intensely ourselves and have seen first-hand great benefits in the short, medium and long-term for our customers.
There are three technical requirements to ensure it met Darktrace’s architectural needs:
Unique to each customer; delivering a bespoke perspective of the attack surface of a given organisation by starting just with a brand or domain. No access to sensitive customer data is required. No installation or integration is required to get started.
The analysis of data had to be real-time and continuous. This is critically important for Darktrace’s Continuous Cyber AI Loop. We always operate on real-time data that is continuously updated as things change; so does Cybersprint.
Built-in automation and integration. Cybersprint automates everything possible in Attack Surface Management and integrates with every external data source.
We have already identified several high-impact integration opportunities where Cybersprint and its external data can be additive to Darktrace’s self-learning, internal data; applying this to each area of the Loop.
The People
Thinking about people, Cybersprint has a well-functioning technical team that we welcome with open arms here at Darktrace, to help accelerate our Prevent vision and create something better together.
When we first started meeting with the Cybersprint teams, we immediately noticed that this is a meeting of minds. We both share a vision for cyber security – using smart tech to move the needle in favour of defenders. We both believe that cyber security is not a human-scale problem – this won’t be solved by throwing more humans in the mix.
Their world-class teams of researchers, ethical hackers and developers are a great addition to our own R&D capabilities in Cambridge, who have a heavy focus on AI. We share many common values across both organizations – such as friends & family first. It is great to have another European research hub that is only a short train-ride or flight away from our Cambridge R&D HQ. It’s important to note that the vast majority of Cybersprint employees are deep technologists.
The Data
Lastly, touching on data, Cybersprint has unparalleled access to attack surface data – basically an up-to-date, continuous copy of the internet. Having access to this data and being able to intelligently analyse it is a huge benefit in itself.
At Darktrace, we already have complete visibility over the internal data of our customers – their email environment, SaaS data, operational technology, IoT, network, zero-trust and other coverage areas – but being able to combine those data sets and deriving insights from them will further drive breakthrough innovations.
Delivering on a shared vision
To understand why we are so excited about Cybersprint and see it as a great fit, one has to be aware of our technology vision of a closed loop system:
Darktrace is already well-known for its offering in the Detect (Enterprise Immune System), Investigate (Cyber AI Analyst) and Respond (Antigena) areas. As we work towards further augmenting security teams in other areas, we are starting to productize technology that makes it more costly and harder for attackers to succeed – we refer to this area broadly as ‘Prevent’.
Prevent is all about being proactive, hardening your environment and reducing risk. The core technology for Prevent is Attack Path Modeling – feeding Attack Path Modeling with various telemetry and working out the most critical attack paths and chokepoints to remediate.
Darktrace already has complete coverage of an organization’s digital estate from an internal perspective, thanks to our various coverage areas. Our Attack Path Modeling is currently producing powerful results based on an organization’s internal data only – but by adding Cybersprint’s attack surface data and external asset information, we will have complete visibility, internal and external, and bespoke to each individual organization.
While the ASM data in itself is valuable to harden the external attack surface, feeding it into our Attack Path Modeling engine will unlock further capabilities. It allows us to model bespoke, multi-domain, end-to-end attack paths in real time.
Stay tuned
This is the beginning of an exciting journey for both Cybersprint and Darktrace. We look forward to updating you again on the evolution of our upcoming Prevent offering.
In the meantime, feel free to send any questions relating to Cybersprint to cybersprint@darktrace.com
Like this and want more?
Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Newsletter
Enjoying the blog?
Sign up to receive the latest news and insights from the Darktrace newsletter – delivered directly to your inbox
Thanks for signing up!
Look out for your first newsletter, coming soon.
Oops! Something went wrong while submitting the form.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Max Heinemeyer
Global Field CISO
Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.
Darktrace's Early Detection of the Latest Ivanti Exploits
As reported in Darktrace’s 2024 Annual Threat Report, the exploitation of Common Vulnerabilities and Exposures (CVEs) in edge infrastructure has consistently been a significant concern across the threat landscape, with internet-facing assets remaining highly attractive to various threat actors.
What are the latest vulnerabilities in Ivanti products?
In early January 2025, two new vulnerabilities were disclosed in Ivanti CS and PS, as well as their Zero Trust Access (ZTA) gateway products.
CVE-2025-0282: A stack-based buffer overflow vulnerability. Successful exploitation could lead to unauthenticated remote code execution, allowing attackers to execute arbitrary code on the affected system [1]
CVE-2025-0283: When combined with CVE-2025-0282, this vulnerability could allow a local authenticated attacker to escalate privileges, gaining higher-level access on the affected system [1]
Ivanti also released a statement noting they are currently not aware of any exploitation of CVE-2025-0283 at the time of disclosure [1].
Darktrace coverage of Ivanti
The Darktrace Threat Research team investigated the new Ivanti vulnerabilities across their customer base and discovered suspicious activity on two customer networks. Indicators of Compromise (IoCs) potentially indicative of successful exploitation of CVE-2025-0282 were identified as early as December 2024, 11 days before they had been publicly disclosed by Ivanti.
Case 1: December 2024
Authentication with a Privileged Credential
Darktrace initially detected suspicious activity connected with the exploitation of CVE-2025-0282 on December 29, 2024, when a customer device was observed logging into the network via SMB using the credential “svc_negbackups”, before authenticating with the credential “svc_negba” via RDP.
This likely represented a threat actor attempting to identify vulnerabilities within the system or application and escalate their privileges from a basic user account to a more privileged one. Darktrace / NETWORK recognized that the credential “svc_negbackups” was new for this device and therefore deemed it suspicious.
Figure 1: Darktrace / NETWORK’s detection of the unusual use of a new credential.
Likely Malicious File Download
Shortly after authentication with the privileged credential, Darktrace observed the device performing an SMB write to the C$ share, where a likely malicious executable file, ‘DeElevate64.exe’ was detected. While this is a legitimate Windows file, it can be abused by malicious actors for Dynamic-Link Library (DLL) sideloading, where malicious files are transferred onto other devices before executing malware. There have been external reports indicating that threat actors have utilized this technique when exploiting the Ivanti vulnerabilities [2].
Figure 2: Darktrace’s detection the SMB write of the likely malicious file ‘DeElevate64.exe’ on December 29, 2024.
Shortly after, a high volume of SMB login failures using the credential “svc_counteract-ext” was observed, suggesting potential brute forcing activity. The suspicious nature of this activity triggered an Enhanced Monitoring model alert that was escalated to Darktrace’s Security Operations Center (SOC) for further investigation and prompt notification, as the customer was subscribed to the Security Operations Support service. Enhanced Monitoring are high-fidelity models detect activities that are more likely to be indicative of compromise
Suspicious Scanning and Internal Reconnaissance
Darktrace then went on to observe the device carrying out network scanning activity as well as anomalous ITaskScheduler activity. Threat actors can exploit the task scheduler to facilitate the initial or recurring execution of malicious code by a trusted system process, often with elevated permissions. The same device was also seen carrying out uncommon WMI activity.
Figure 3: Darktrace’s detection of a suspicious network scan from the compromised device.
Figure 4: Further information on the suspicious scanning activity retrieved by Cyber AI Analyst, including total number of connections and ports scanned.
Figure 5: Darktrace’s detection of a significant spike in WMI activity represented by DCE_RPC protocol request increases at the time, with little to no activity observed one week either side.
Case 2: January 2025
Suspicious File Downloads
On January 13, 2025, Darktrace began to observe activity related to the exploitation of CVE-2025-0282 on the network of another customer, with one in particular device attempting to download likely malicious files.
Firstly, Darktrace observed the device making a GET request for the file “DeElevator64.dll” hosted on the IP 104.238.130[.]185. The device proceeded to download another file, this time “‘DeElevate64.exe”. from the same IP. This was followed by the download of “DeElevator64.dll”, similar to the case observed in December 2024. External reporting indicates that this DLL has been used by actors exploiting CVE-2025-0282 to sideload backdoor into infected systems [2]
Figure 6: Darktrace’s detection of the download of the suspicious file “DeElevator64.dll” on January 13, 2025.
Suspicious Internal Activity
Just like the previous case, on January 15, the same device was observed making numerous internal connections consistent with network scanning activity, as well as DCE-RPC requests.
Just a few minutes later, Darktrace again detected the use of a new administrative credential, observing the following details:
The hostname observed by Darktrace, “DESKTOP-1JIMIV3,” has also been identified by other external vendors and was associated with a remote computer name seen accessing compromised accounts [2].
Darktrace also observed the device performing an SMB write of an additional file, “to.bat,” which may have represented another malicious file loaded from the DLL files that the device had downloaded earlier. It is possible this represented the threat actor attempting to deploy a remote scheduled task.
Figure 7: Darktrace’s detection of SMB Write of the suspicious file “to.bat”.
Further investigation revealed that the device was likely a Veeam server, with its MAC address indicating it was a VMware device. It also appeared that the Veeam server was capturing activities referenced from the hostname DESKTOP-1JIMIV3. This may be analogous to the remote computer name reported by external researchers as accessing accounts [2]. However, this activity might also suggest that while the same threat actor and tools could be involved, they may be targeting a different vulnerability in this instance.
Autonomous Response
In this case, the customer had Darktrace’s Autonomous Response capability enabled on their network. As a result, Darktrace was able to contain the compromise and shut down any ongoing suspicious connectivity by blocking internal connections and enforcing a “pattern of life” on the affected device. This action allows a device to make its usual connections while blocking any that deviate from expected behavior. These mitigative actions by Darktrace ensured that the compromise was promptly halted, preventing any further damage to the customer’s environment.
If the previous blog in January 2024 was a stark reminder of the threat posed by malicious actors exploiting Internet-facing assets, the recent activities surrounding CVE-2025-0282 and CVE-2025-0283 emphasize this even further.
Based on the telemetry available to Darktrace, a wide range of malicious activities were identified, including the malicious use of administrative credentials, the download of suspicious files, and network scanning in the cases investigated .
These activities included the download of suspicious files such as “DeElevate64.exe” and “DeElevator64.dll” potentially used by attackers to sideload backdoors into infected systems. The suspicious hostname DESKTOP-1JIMIV3 was also observed and appears to be associated with a remote computer name seen accessing compromised accounts. These activities are far from exhaustive, and many more will undoubtedly be uncovered as threat actors evolve.
Fortunately, Darktrace was able to swiftly detect and respond to suspicious network activity linked to the latest Ivanti vulnerabilities, sometimes even before these vulnerabilities were publicly disclosed.
Credit to: Nahisha Nobregas, Senior Cyber Analyst, Emma Foulger, Principle Cyber Analyst, Ryan Trail, Analyst Content Lead and the Darktrace Threat Research Team
From Containment to Remediation: Darktrace / CLOUD & Cado Reducing MTTR
Cloud environments operate at speed, with workloads spinning up and down in seconds. This agility is great for business and is one of the main reasons for cloud adoption. But this same agility and speed presents new challenges for security teams. When a threat emerges, every second counts—yet many organizations struggle with slow Mean Time to Respond (MTTR) due to operational bottlenecks, outdated tooling, and the complexity of modern cloud infrastructure.
To minimize disruption and potential damage, containment is a critical step in incident response. By effectively responding to contain a threat, organizations can help prevent lateral movement limiting an attack’s impact.
However, containment is not the end goal. Full remediation requires a deep understanding of exactly what happened, how far the threat spread, and what assets were involved and what changes may be needed to prevent it from happening again.
This is why Darktrace’s recent acquisition of Cado is so exciting. Darktrace / CLOUD provides real-time threat detection and automated cloud native response for containment. With Cado, Darktrace / CLOUD ensures security teams have the forensic insights that are required to fully remediate and strengthen their defenses.
Why do organizations struggle with MTTR in the cloud?
Many security teams experience delays in fully responding to cloud threats due to several key challenges:
1. Limited access to cloud resources
Security teams often don’t have direct access to cloud environments because often infrastructure is managed by a separate operations team—or even an outsourced provider. When a threat is detected, analysts must submit access requests or escalate to another team, slowing down investigations.
This delay can be particularly costly in cloud environments where attacks unfold rapidly. Without immediate access to affected resources, the time to contain, investigate, and remediate an incident can increase significantly.
2. The cloud’s ephemeral nature
Cloud workloads are often dynamic and short-lived. Serverless functions, containers, and auto-scaling resources can exist for minutes or even seconds. If a security event occurs in one of these ephemeral resources and it disappears before forensic data is captured, understanding the full scope of the attack becomes nearly impossible.
Traditional forensic methods, which rely on static endpoints, fail in these environments—leaving security teams blind to what happened.
3. Containment is critical, but businesses require more
Automated cloud native response for containment is essential for stopping an attack in progress. However, regulatory frameworks underline the need for a full understanding to prove the extent of an incident and determine the root cause, this goes beyond just containing a threat.
Digital Operational Resilience Act (DORA):[1] Enacted by the European Union, DORA requires financial entities to establish robust incident reporting mechanisms. Organizations must detect, manage, and notify authorities of significant ICT-related incidents, ensuring a comprehensive understanding of each event's impact. This includes detailed analysis and documentation to enhance operational resilience and compliance.
Network and Information Security Directive 2 (NIS2):[2]This EU directive imposes advanced reporting obligations on essential and important entities, requiring them to report significant cybersecurity incidents to relevant authorities. Organizations must conduct thorough post-incident analysis to understand the incident's scope and prevent future occurrences.
Forensic analysis plays a critical role in full remediation, particularly when organizations need to:
Conduct post-incident investigations for compliance and reporting.
Identify affected data and impacted users.
Understand attacker behavior to prevent repeat incidents.
Without a clear forensic understanding, security teams are at risk of incomplete remediation, potentially leaving gaps that adversaries can exploit in a future attack.
How Darktrace / CLOUD & Cado reduce MTTR and enable full remediation
By combining Darktrace / CLOUD’s AI-driven platform with Cado’s automated forensics capture, organizations can achieve rapid containment and deep investigative capabilities, accelerating MTTR metrics while ensuring full remediation in complex cloud environments.
Darktrace / CLOUD provides deep visibility into hybrid cloud environments, by understanding the relationships between assets, identity behaviours, combined with misconfiguration data and runtime anomaly activity. Enabling customers to:
Detect and contain anomalous activity before threats escalate.
Understand how cloud identities, permissions, and configurations contribute to organizational risk.
Provide visibility into deployed cloud assets and services logically grouped into architectures.
Even in containerized services like AWS Fargate, where traditional endpoint security tools often struggle due to the lack of persistent accessible infrastructure, Darktrace / CLOUD monitors for anomalous behavior. If a threat is detected, security teams can launch a Cado forensic investigation from the Darktrace platform, ensuring rapid evidence collection and deeper analysis.
Ensuring:
Complete timeline reconstruction to understand the full impact.
Identification of persistence mechanisms that attackers may have left behind.
Forensic data preservation to meet compliance mandates like DORA, NIS2, and ISO 27001.
The outcome: Faster, smarter incident response
Darktrace / CLOUD with Cado enables organizations to detect, contain and forensically analyse activity across hybrid cloud environments
Reduce MTTR by automating containment and enabling forensic analysis.
Seamlessly pivot to a forensic investigation when needed—right from the Darktrace platform.
Ensure full remediation with deep forensic insights—even in ephemeral environments.
Stopping an attack is only the first step—understanding its impact is what prevents it from happening again. Together, Darktrace / CLOUD and Cado empower security teams to investigate, respond, and remediate cloud threats with speed and confidence.
