Blog
/
AI
/
September 6, 2023

Preparing Security Defenses For the AI Cyber Attack Era

The threat of AI being used in cyberattacks is growing. Learn how Darktrace is harnessing the power of AI to protect security systems against these attacks.
Written by
Jack Stockdale OBE FREng
Chief Technology Officer
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Jack Stockdale OBE FREng
Chief Technology Officer
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
06
Sep 2023

The last 12 months have been a watershed moment in the public perception and adoption of AI. With the rise of generative AI systems like ChatGPT and Google Bard, AI is becoming more embedded in our everyday lives and there is a lot of hype around what these tools can – or will - do.  

In cyber security, AI is a double-edged sword. Its use by cyber-attackers is still in its infancy, but Darktrace expects that the mass availability of generative AI tools like ChatGPT will significantly enhance attackers’ capabilities by providing better tools to generate and automate human-like attacks. There are three areas where Darktrace sees potential for AI to significantly enhance the capabilities of attackers: increasing the sophistication of low-level threat actors, increasing the speed of attacks through automation and eroding trust among users.

We’ve already started to see some potential indicators of these shifts.

In April, Darktrace revealed a 135% increase in ‘novel social engineering attacks’ – email attacks that show a strong linguistic deviation from other phishing emails – from January to February 2023 [1]. The timing corresponds with the widespread adoption of ChatGPT and suggests the use of generative AI tools is providing an avenue for threat actors to craft more sophisticated and targeted attacks, at speed and scale.

Between May and July this year, our Cyber AI Research Centre observed that multistage payload attacks, in which a malicious email encourages the recipient to follow a series of steps before delivering a payload or attempting to harvest sensitive information, have increased by an average of 59% across Darktrace customers. Nearly 50,000 more of these attacks were detected by Darktrace in July than May, indicating potential use of automation, and the speed of these types of attacks will likely rise as greater automation and AI are adopted and applied by attackers.

In the same period, Darktrace has seen changes in attacks that abuse trust. While VIP impersonation – phishing emails that mimic senior executives – decreased 11%, email account takeover attempts increased by 52% and impersonation of the internal IT team increased by 19% [2]. The changes suggest that as employees have become better attuned to the impersonation of senior executives, attackers are pivoting to impersonating IT teams to launch their attacks. While it’s common for attackers to pivot and adjust their techniques as efficacy declines, generative AI –  particularly deepfakes - has the potential to disrupt this pattern in favor of attackers. Factors like increasing linguistic sophistication and highly realistic voice deep fakes could more easily be deployed to deceive employees.

These early indicators give us a glimpse of a new era of disruption and challenges for cyber security. An era where novel is the new normal.

Darktrace was built for this moment.

Darktrace began ten years ago as an AI Research Centre. We saw that AI could address an existential threat – defending people, businesses and nations from a world of constantly evolving threats. This threat is only poised to grow as AI is increasingly used by attackers. That’s why we became one of the first to apply AI to cyber security and built a completely AI native technology platform aimed at freeing the world of cyber disruption.

We built everything at Darktrace with the same philosophy of using the right AI and the right data for the job.

Most AI today is trained periodically in offline training environments on huge amounts of combined historic training data. You give all that data to the AI, and then after a few days or weeks, you get a static AI model which you push live to serve its role until the next version is ready. This is ideal for tasks like generating imagery or, in cyber security, checking against known attack patterns, but the AI is static – it doesn’t learn or adapt until the next version is pushed live.

Darktrace takes a different and unique approach to nearly everyone else in cyber security. Our distinction lies in the algorithms we use, the data we use AND, most importantly, in how the two interact.  

Instead of taking your data to the AI, we take our AI to your data. Inside every single customer lies a Darktrace AI that is completely unique to them – their OWN data AI pipeline – plugged into their enterprise and self-learning in real time from everything that happens in their digital world –including email, cloud environments, manufacturing and operational systems, and physical locations.

The pace of new threats and the sophistication of the technology, including the use of AI, now outpaces any notion that a week old view of historic cyber threats can fully protect a business – either from the new threats that we’re seeing today from the sudden availability of generative AI tools, or the threats of tomorrow. For example, automated deepfakes where you can’t trust what you’re hearing or seeing, your employees being tricked into being inadvertent insiders, or self-evolving code designed to evade the best of those legacy defenses.

And because the increased use of AI in attacks will mean novel attacks will become the new normal, only Darktrace stands between those attacks succeeding or failing. We’ve seen this before with our technology detecting, and protecting customers against, Log4J, supply chain attacks like SolarWinds, the novel phishing scams we saw during the Covid-19 lockdowns, zero days like the Citrix Netscaler attack, novel ransomware worms such as WannaCry, or sophisticated nation-state attacks like APT35. We didn’t protect businesses because we were looking specifically for these threats, but we found them because every threat, whether known or novel, accidental or malicious, human or AI driven, impacts the customer, its people and its data.

The right AI for the right job

Today we’re on our 6th generation of Darktrace AI and, as we’ve innovated and developed, we’ve built a platform of applied AI techniques and algorithms that utilise Darktrace’s live, tailored knowledge of a business, to defend it alongside human security teams. Our focus has always been on using the right AI and the right data for the job, which is why our software uses:

  • A wide range of our own self-learning methods to understand new information and decide if something never seen before looks suspicious.
  • Real time Bayesian Probabilistic Methods allow models to be efficiently updated and controlled in real time.
  • Generative and applied AI run simulated phishing campaigns, tabletop exercises and realistic drills.
  • Deep-neural networks replicate the thought process of humans.
  • Graph theory understands the incredibly complex relationships between people, systems, organizations and supply chains.
  • Offensive AI techniques such as Generative Adversarial Networks (GANs) help to test and improve our ability to counter AI driven attacks.  
  • Natural language processing and large language models interpret and produce human consumable output.

This complex platform of AI tools and techniques, all sat within a business, focused on the customers’ data, brings a range of advantages in data privacy, explainability and data transfer costs. But its main achievement is the one we set out for ten years ago. It can provide protection that is always on - always learning, able to detect and stop the unusual, the suspicious and the novel – and, ultimately, to protect our customers from it. That’s what we’ve always done and that’s what we will continue to do, regardless of how the landscape shifts.


[1] Based on the average change in email attacks between January and February 2023 detected across Darktrace/Email deployments with control of outliers.

[2] Based on the change in the average number of emails assigned this classification per 10,000 emails on each Darktrace/Email deployment in May versus July 2023 (significantly more than 1,000 deployments in total).

Written by
Jack Stockdale OBE FREng
Chief Technology Officer
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Jack Stockdale OBE FREng
Chief Technology Officer

Tracking CVE-2025-31324: Darktrace’s detection of SAP Netweaver exploitation before and after disclosure 

Network
June 16, 2025
Signe Zaharka
Senior Cyber Security Analyst
Watch the NIS2 Webinar
Trending blogs
1
Darktrace Recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Network Detection and Response
Jun 2, 2025
2
The Importance of NDR in Resilient XDR
Apr 24, 2025
3
Evaluating Email Security: How to Select the Best Solution for Your Organization
May 21, 2025
4
PumaBot: Novel Botnet Targeting IoT Surveillance Devices
May 28, 2025
5
RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal
Jan 14, 2025

More in this series

No items found.
Continue reading
AI
April 16, 2025

Introducing Version 2 of Darktrace’s Embedding Model for Investigation of Security Threats (DEMIST-2)

Learn how Darktrace’s DEMIST-2 embedding model delivers high-accuracy threat classification and detection across any environment, outperforming larger models with efficiency and precision.
Margaret Cunningham, PhD
Director, Security & AI Strategy, Field CISO
Read more
AI
April 16, 2025

AI Uncovered: Introducing Darktrace Incident Graph Evaluation for Security Threats (DIGEST)

Discover how Darktrace’s new DIGEST model enhances Cyber AI Analyst by using GNNs and RNNs to score and prioritize threats with expert-level precision before damage is done.
Margaret Cunningham, PhD
Director, Security & AI Strategy, Field CISO
Read more
AI
April 16, 2025

Force Multiply Your Security Team with Agentic AI: How the Industry’s Only True Cyber AI Analyst™ Saves Time and Stop Threats

See how Darktrace Cyber AI Analyst™, an agentic AI virtual analyst, cuts through alert noise, accelerates threat response, and strengthens your security team — all without adding headcount.
Ed Metcalf
Senior Director of Product Marketing, AI & Innovation Products
Read more

Blog

/

Email

/

June 18, 2025

Darktrace Collaborates with Microsoft: Unifying Email Security with a Shared Vision

Default blog imageDefault blog image

In today’s threat landscape, email remains the most targeted vector for cyberattacks. Organizations require not only multi-layered defenses but also advanced, integrated systems that work collaboratively to proactively mitigate threats before they cause damage

That’s why we’re proud to announce a new integration between Darktrace / EMAIL and Microsoft Defender for Office 365, delivering a Unified Quarantine experience that empowers security teams with seamless visibility, control, and response across both platforms.

This announcement builds on a strong and growing collaboration. In 2024, Darktrace was honored as Microsoft UK Partner of the Year and recognized as a Security Trailblazer at the annual Microsoft Security 20/20 Awards, a testament to our shared commitment to innovation and customer-centric security.

A Shared Mission: Stopping Threats at Machine Speed

This integration is more than a technical milestone,as it’s a reflection of a shared mission: to protect organizations from both known and unknown threats, with efficiency, accuracy, and transparency.

  • Microsoft Defender for Office 365 delivers a comprehensive security framework that safeguards Microsoft 365 email and collaboration workloads leveraging advanced AI, global threat intelligence and information on known attack infrastructure.
  • Darktrace / EMAIL complements this with Self-Learning AI that understands the unique communication patterns within each organization, detecting subtle anomalies that evade traditional detection methods.

Together, we’re delivering multi-layered, adaptive protection that’s greater than the sum of its parts.

“Our integration with Microsoft gives security teams the tools they need to act faster and more precisely to detect and respond to threats,” said Jill Popelka, CEO of Darktrace. “Together, we’re strengthening defenses where it matters most to our customers: at the inbox.”

Unified Quarantine: One View, Total Clarity

The new Unified Quarantine experience gives customers a single pane of glass to view and manage email threatsregardless of which product took action. This means:

  • Faster investigations with consolidated visibility
  • Clear attribution of actions and outcomes across both platforms
  • Streamlined workflows for security teams managing complex environments

“This integration is a testament to the power of combining Microsoft’s global threat intelligence with Darktrace’s unique ability to understand the ‘self’ of an organization,” said Jack Stockdale, CTO of Darktrace. “Together, we’re delivering a new standard in proactive, adaptive email security.”

A New Era of Collaborative Cyber Defense

This collaboration represents a broader shift in cybersecurity: from siloed tools to integrated ecosystems. As attackers become more sophisticated, defenders must move faster, smarter, and in unison.

Through this integration, Darktrace and Microsoft establish a new standard for collaboration between native and third-party security solutions, enhancing not only threat detection but also comprehensive understanding and proactive measures against threats.

We’re excited to bring this innovation to our customers and continue building a future where AI and human expertise collaborate to secure the enterprise.

[related-resource]

Continue reading
About the author
Carlos Gray
Senior Product Marketing Manager, Email

Blog

/

Network

/

June 18, 2025

Customer Case Study: Leading Petrochemical Manufacturer

Default blog imageDefault blog image

Headquartered in Saudi Arabia, this industry leading petrochemical manufacturer serves customers in more than 80 countries across diverse markets throughout Europe, Africa, Latin America, the Middle East, China, and Southeast Asia.

Cyber resiliency critical to growth strategy

This leading petrochemical manufacturer’s vision is to be one of the major global players in the production and marketing of designated petrochemicals and downstream products. The company aims to significantly increase its capacity to up to a million metric tons within the next few years.

With cyber-attacks on critical infrastructure increasing 30% globally last year, cyber resiliency is essential to supporting the company’s strategic business goals of:

  • Maximizing production through efficient asset utilization
  • Maximizing sales by conducting 90% of its business outside Saudi Arabia
  • Optimizing resources and processes by integrating with UN Global Compact principles for sustainability and efficiency
  • Growing its business portfolio by engaging in joint ventures to diversify production and add value to the economy

However, the industry leader faced several challenges in its drive to fortify its cybersecurity defenses.

Visibility gaps delay response time

The company’s existing security setup provided limited visibility to the in-house security team, hindering its ability to detect anomalous network and user activity in real time. This resulted in delayed responses to potential incidents, making proactive issue resolution difficult and any remediation in the event of a successful attack costly and time-consuming.

Manual detection drains resources

Without automated detection and response capabilities, the organization’s security team had to manually monitor for suspicious activity – a time-consuming and inefficient approach that strained resources and left the organization vulnerable. This made it difficult for the team to stay current with training or acquire new skills and certifications, which are core to the ethos of both the company’s owners and the team itself.

Cyber-attacks on critical infrastructure increasing

The petrochemical manufacturer is part of a broader ecosystem of companies, making the protection of its supply chain – both upstream and downstream – critical. With several manufacturing entities and multiple locations, the customer’s internal structure is complex and challenging to secure. As cyber-attacks on critical infrastructure escalate, it needed a more comprehensive approach to safeguard its business and the wider ecosystem.

Keeping and growing skills and focus in-house

To strengthen its cybersecurity strategy, the company considered two options:

  1. Make a significant initial and ongoing investment in a Security Operations Center (SOC), which would involve skills development outside the company and substantial management overhead.
  2. Use a combination of new, automated tools and an outsourced Managed Detection and Response (MDR) service to reduce the burden on internal security specialists and allow the company to invest in upskilling its staff so they can focus on more strategic tasks.

Faced with this choice between entirely outsourcing security and augmenting the security team with new capabilities, the customer chose the second option, selecting Darktrace to automate the company’s monitoring, detection, and response. Today, the petrochemical manufacturer is using:

Extending the SOC with 24/7 expert support

To alleviate the burden on its lean security team, the company augmented its in-house capabilities with Darktrace’s Managed Detection & Response service. This support acts as an extension of its SOC, providing 24/7 monitoring, investigation, and escalation of high-priority threats. With Darktrace’s global SOC managing alert triage and autonomously containing threats, the organization’s internal team can focus on strategic initiatives. The result is a stronger security posture and increased capacity to proactively address evolving cyber risks – without expanding headcount or sacrificing visibility.

A unique approach to AI

In its search for a new security platform, the company’s Director of Information Technology said Darktrace’s autonomous response capability, coupled with Self-Learning AI-driven threat reduction, were two big reasons for selecting Darktrace over competing products and services.

AI was a huge factor – no one else was doing what Darktrace was doing with [AI].”

Demonstrated visibility

Before Darktrace, the customer had no visibility into the network activity to and from remote worker devices. Some employees need the ability to connect to its networks at any time and from any location, including the Director of Information Technology. The trial deployment of Darktrace / ENDPOINT was a success and gave the team peace of mind that, no matter the location or device, high-value remote workers were protected by Darktrace.

Modular architecture  

Darktrace's modular architecture allowed the company to deploy security controls across its complex, multi-entity environment. The company’s different locations run on segregated networks but are still interconnected and need to be protected. Darktrace / NETWORK provides a unified view and coordinated security response across the organization’s entire network infrastructure, including endpoint devices.

Results

The petrochemical manufacturer is using Darktrace across all of its locations and has achieved total visibility across network and user activity. “Darktrace is increasing in value every day,” said the Director of Information Technology.

I don’t have a big team, and Darktrace makes our lives very, very easy, not least the automation of some of the tasks that require constant manual review.”

Time savings frees analysts to focus on proactive security

Darktrace / NETWORK provides continuous, AI-driven monitoring and analysis of the company’s network activity, user behavior, and threat patterns, establishing a baseline of what normal activity looks like, and then alerting analysts to any deviations from normal traffic, activity, and behaviors. Darktrace’s autonomous response capabilities speed up response to detected threats, meaning intervention from the security team is required for fewer incidents and alerts.

In October 2024 alone, Darktrace Cyber AI Analyst saved the team 810 investigation hours, and autonomously responded to 180 anomalous behaviors that were uncovered during the investigations. With Darktrace managing the majority of threat detection and response efforts, the security team has been able to change its day-to-day activity from manual review of traffic and alerts and belated response to activity, to proactively fortifying its detection and response posture and upskilling to meet evolving requirements.  

Layered email protection reduces phishing threats

The company’s email infrastructure posed a challenge due to petrochemical industry regulations requiring on-premises email servers, with some security delivered via Microsoft Azure. By integrating Darktrace / EMAIL into the Azure stack, the organization has reduced the volume of phishing emails its users receive by 5%.

“Now we have one more layer of security related to email – every email goes through two filters. If something is not being caught or traced by Azure, it is being detected by Darktrace,” said the Director of Information Technology. “As a result, we’re now seeing only about 15% to 20% of the phishing emails we used to receive before implementing Darktrace.”

Preparing for a secure future

The time saved using Darktrace has helped the security team take proactive steps, including preparing for new cyber resilience regulations for Saudi Arabia’s Critical National Infrastructure, as mandated by the National Cybersecurity Authority (NCA).

“The team now has ample time to prepare policies and procedures that meet the new NCA regulations and, in some cases, enhance the requirements of the new law,” said the Director of Information Technology. “All of this is possible because they don’t need to keep watch; Darktrace takes on so much of that task for them.”

Continue reading
About the author
The Darktrace Community
Your data. Our AI.
Elevate your network security with Darktrace AI