Blog
/
Network
/
December 20, 2023

Ivanti Sentry Vulnerability | Analysis & Insights

Darktrace observed a critical vulnerability in Ivanti Sentry's cybersecurity. Learn how this almost become a huge threat and how we stopped it in its tracks.
Written by
Sam Lister
Specialist Security Researcher
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Sam Lister
Specialist Security Researcher
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
20
Dec 2023

In an increasingly interconnected digital landscape, the prevalence of critical vulnerabilities in internet-facing systems stands as an open invitation to malicious actors. These vulnerabilities serve as a near limitless resource, granting attackers a continually array of entry points into targeted networks.

In the final week of August 2023, Darktrace observed malicious actors validating exploits for one such critical vulnerability, likely the critical RCE vulnerability, CVE-2023-38035, on Ivanti Sentry servers within multiple customer networks. Shortly after these successful tests were carried out, malicious actors were seen delivering crypto-mining and reconnaissance tools onto vulnerable Ivanti Sentry servers.

Fortunately, Darktrace DETECT™ was able to identify this post-exploitation activity on the compromised servers at the earliest possible stage, allowing the customer security teams to take action against affected devices. In environments where Darktrace RESPOND™ was enabled in autonomous response mode, Darktrace was further able inhibit the identified post-exploitation activity and stop malicious actors from progressing towards their end goals.

Exploitation of Vulnerabilities in Ivanti Products

The software provider, Ivanti, offers a variety of widely used endpoint management, service management, and security solutions. In July and August 2023, the Norwegian cybersecurity company, Mnemonic, disclosed three vulnerabilities in Ivanti products [1]/[2]/[3]; two in Ivanti's endpoint management solution, Ivanti Endpoint Manager Mobile (EPMM) (formerly called 'MobileIron Core'), and one in Ivanti’s security gateway solution, Ivanti Sentry (formerly called 'MobileIron Sentry'):

CVE-2023-35078

  • CVSS Score: 10.0
  • Affected Product: Ivanti EPMM
  • Details from Ivanti: [4]/[5]/[6]
  • Vulnerability type: Authentication bypass

CVE-2023-35081

  • CVSS Score: 7.2
  • Affected Product: Ivanti EPMM
  • Details from Ivanti: [7]/[8]/[9]
  • Vulnerability type: Directory traversal

CVE-2023-38035

  • CVSS Score:
  • Affected Product: Ivanti Sentry
  • Details from Ivanti: [10]/[11]/[12]
  • Vulnerability type: Authentication bypass

At the beginning of August 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) provided details of advanced persistent threat (APT) activity targeting EPMM systems within Norwegian private sector and government networks via exploitation of CVE-2023-35078 combined with suspected exploitation of CVE-2023-35081.

In an article published in August 2023 [12], Ivanti disclosed that a very limited number of their customers had been subjected to exploitation of the Ivanti Sentry vulnerability, CVE-2023-38035, and on the August 22, 2023, CISA added the Ivanti Sentry vulnerability, CVE-2023-38035 to its ‘Known Exploited Vulnerabilities Catalogue’.  CVE-2023-38035 is a critical authentication bypass vulnerability affecting the System Manager Portal of Ivanti Sentry systems. The System Manager Portal, which is accessible by default on port 8433, is used for administration of the Ivanti Sentry system. Through exploitation of CVE-2023-38035, an unauthenticated actor with access to the System Manager Portal can achieve Remote Code Execution (RCE) on the underlying Ivanti Sentry system.

Observed Exploitation of CVE-2023-38035

On August 24, Darktrace observed Ivanti Sentry servers within several customer networks receiving successful SSL connections over port 8433 from the external endpoint, 34.77.65[.]112. The usage of port 8433 indicates that the System Manager Portal was accessed over the connections. Immediately after receiving these successful connections, Ivanti Sentry servers made GET requests over port 4444 to 34.77.65[.]112. The unusual string ‘Wget/1.14 (linux-gnu)’ appeared in the User-Agent headers of these requests, indicating that the command-line utility, wget, was abused to initiate the requests.

Figure 1: Event Log data for an Ivanti Sentry system showing the device breaching a range of DETECT models after contacting 34.77.65[.]112.The suspicious behavior highlighted by DETECT was subsequently investigated by Darktrace’s Cyber AI Analyst™, which was able to weave together these separate behaviors into single incidents representing the whole attack chain.

Figure 2: AI Analyst Incident representing a chain of suspicious activities from an Ivanti Sentry server.

In cases where Darktrace RESPOND was enabled in autonomous response mode, RESPOND was able to automatically enforce the Ivanti Sentry server’s normal pattern of life, thus blocking further exploit testing.

Figure 3: Event Log for an Ivanti Sentry server showing the device receiving a RESPOND action immediately after trying to 34.77.65[.]112.

The GET requests to 34.77.65[.]112 were responded to with the following HTML document:

Figure 4: Snapshot of the HTML document returned by 34.77.65[.]112.

None of the links within this HTML document were functional. Furthermore, the devices’ downloads of these HTML documents do not appear to have elicited further malicious activities. These facts suggest that the observed 34.77.65[.]112 activities were representative of a malicious actor validating exploits (likely for CVE-2023-38035) on Ivanti Sentry systems.

Over the next 24 hours, these Ivanti Sentry systems received successful SSL connections over port 8433 from a variety of suspicious external endpoints, such as 122.161.66[.]161. These connections resulted in Ivanti Sentry systems making HTTP GET requests to subdomains of ‘oast[.]site’ and ‘oast[.]live’. Strings containing ‘curl’ appeared in the User-Agent headers of these requests, indicating that the command-line utility, cURL, was abused to initiate the requests.

These ‘oast[.]site’ and ‘oast[.]live’ domains are used by the out-of-band application security testing (OAST) service, Interactsh. Malicious actors are known to abuse this service to carry out out-of-band (OOB) exploit testing. It, therefore, seems likely that these activities were also representative of a malicious actor validating exploits for CVE-2023-38035 on Ivanti Sentry systems.

Figure 5: Event Log for Ivanti Sentry system showing the device contacting an 'oast[.]site' endpoint after receiving connections from the suspicious, external endpoint 122.161.66[.]161.

The actors seen validating exploits for CVE-2023-38035 may have been conducting such activities in preparation for their own subsequent malicious activities. However, given the variety of attack chains which ensued from these exploit validation activities, it is also possible that they were carried out by Initial Access Brokers (IABs) The activities which ensued from exploit validation activities identified by Darktrace fell into two categories: internal network reconnaissance and cryptocurrency mining.

Reconnaissance Activities

In one of the reconnaissance cases, immediately after receiving successful SSL connections over port 8443 from the external endpoints 190.2.131[.]204 and 45.159.248[.]179, an Ivanti Sentry system was seen making a long SSL connection over port 443 to 23.92.29[.]148, and making wget GET requests over port 4444 with the Target URIs '/ncat' and ‘/TxPortMap’ to the external endpoints, 45.86.162[.]147 and 195.123.240[.]183.  

Figure 6: Event Log data for an Ivanti Sentry system showing the device making connections to the external endpoints, 45.86.162[.]147, 23.92.29[.]148, and 195.123.240[.]183, immediately after receiving connections from rare external endpoints.

The Ivanti Sentry system then went on to scan for open SMB ports on systems within the internal network. This activity likely resulted from an attacker dropping a port scanning utility on the vulnerable Ivanti Sentry system.

Figure 7: Event Log data for an Ivanti Sentry server showing the device breaching several DETECT models after downloading a port scanning tool from 195.123.240[.]183.

In another reconnaissance case, Darktrace observed multiple wget HTTP requests with Target URIs such as ‘/awp.tar.gz’ and ‘/resp.tar.gz’ to a suspicious, external server (78.128.113[.]130).  Shortly after making these requests, the Ivanti Sentry system started to scan for open SMB ports and to respond to LLMNR queries from other internal devices. These behaviors indicate that the server may have installed an LLMNR poisoning tool, such as Responder. The Ivanti Sentry server also went on to conduct further information-gathering activities, such as LDAP reconnaissance, HTTP-based vulnerability scanning, HTTP-based password searching, and RDP port scanning.

Figure 8: Event Log data for an Ivanti Sentry system showing the device making connections to 78.128.113[.]130, scanning for an open SMB port on internal endpoints, and responding to LLMNR queries from internal endpoints.

In cases where Darktrace RESPOND was active, reconnaissance activities resulted in RESPOND enforcing the Ivanti Sentry server’s pattern of life.

Figure 9: Event Log data for an Ivanti Sentry system receiving a RESPOND action as a result of its SMB port scanning activity.
Figure 10: Event Log data for an Ivanti Sentry system receiving a RESPOND action as a result of its LDAP reconnaissance activity.

Crypto-Mining Activities

In one of the cryptomining cases, Darktrace detected an Ivanti Sentry server making SSL connections to aelix[.]xyz and mining pool endpoints after receiving successful SSL connections over port 8443 from the external endpoint, 140.228.24[.]160.

Figure 11: Event Log data for an Ivanti Sentry system showing the device contacting aelix[.]xyz and mining pool endpoints immediately after receiving connections from the external endpoint, 140.228.24[.]160.

In a cryptomining case on another customer’s network, an Ivanti Sentry server was seen making GET requests indicative of Kinsing malware infection. These requests included wget GET requests to 185.122.204[.]197 with the Target URIs ‘/unk.sh’ and ‘/se.sh’ and a combination of GET and POST requests to 185.221.154[.]208 with the User-Agent header ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36’ and the Target URIs, ‘/mg’, ‘/ki’, ‘/get’, ‘/h2’, ‘/ms’, and ‘/mu’. These network-based artefacts have been observed in previous Kinsing infections [13].

Figure 12: Event Log data for an Ivanti Sentry system showing the device displaying likely Kinsing C2 activity.

On customer environments where RESPOND was active, Darktrace was able to take swift autonomous action by blocking cryptomining connection attempts to malicious command-and-control (C2) infrastructure, in this case Kinsing servers.

Figure 13: Event Log data for an Ivanti Sentry server showing the device receiving a RESPOND action after attempting to contact Kinsing C2 infrastructure.

Fortunately, due to Darktrace DETECT+RESPOND prompt identification and targeted actions against these emerging threats, coupled with remediating steps taken by affected customers’ security teams, neither the cryptocurrency mining activities nor the network reconnaissance activities led to significant disruption.  

Figure 14: Timeline of observed malicious activities.

Conclusion The inevitable presence of critical vulnerabilities in internet-facing systems underscores the perpetual challenge of defending against malicious intrusions. The near inexhaustible supply of entry routes into organizations’ networks available to malicious actors necessitates a more proactive and vigilant approach to network security.

While it is, of course, essential for organizations to secure their digital environments through the regular patching of software and keeping abreast of developing vulnerabilities that could impact their network, it is equally important to have a safeguard in place to mitigate against attackers who do manage to exploit newly discovered vulnerabilities.

In the case of Ivanti Sentry, Darktrace observed malicious actors validating exploits against affected servers on customer networks just a few days after the public disclosure of the critical vulnerability.  This activity was followed up by a variety of malicious and disruptive, activities including cryptocurrency mining and internal network reconnaissance.

Darktrace DETECT immediately detected post-exploitation activities on compromised Ivanti Sentry servers, enabling security teams to intervene at the earliest possible stage. Darktrace RESPOND, when active, autonomously inhibited detected post-exploitation activities. These DETECT detections, along with their accompanying RESPOND interventions, prevented malicious actors from being able to progress further towards their likely harmful objectives.

Credit to Sam Lister, Senior Cyber Analyst, and Trent Kessler, SOC Analyst  

Appendices

MITRE ATT&CK Mapping

Initial Access techniques:

  • Exploit Public-Facing Application (T1190)

Credential Access techniques:

  • Unsecured Credentials: Credentials In Files (T1552.001)
  • Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)

Discovery

  • Network Service Discovery (T1046)
  • Remote System Discovery (T1018)
  • Account Discovery: Domain Account (T1087.002)

Command and Control techniques:

  • Application Layer Protocol: Web Protocols (T1071.001)
  • Ingress Tool Transfer (T1105)
  • Non-Standard Port (T1571)
  • Encrypted Channel: Asymmetric Cryptography (T1573.002)

Impact techniques

  • Resource Hijacking (T1496)
List of IoCs

Exploit testing IoCs:

·      34.77.65[.]112

·      Wget/1.14 (linux-gnu)

·      cjjovo7mhpt7geo8aqlgxp7ypod6dqaiz.oast[.]site • 178.128.16[.]97

·      curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2

·      cjk45q1chpqflh938kughtrfzgwiofns3.oast[.]site • 178.128.16[.]97

·      curl/7.29.0

Kinsing-related IoCs:

·      185.122.204[.]197

·      /unk.sh

·      /se.sh

·      185.221.154[.]208

·      185.221.154[.]208

·      45.15.158[.]124

·      Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36

·      /mg

·      /ki

·      /get

·      /h2

·      /ms

·      /mu

·      vocaltube[.]ru • 185.154.53[.]140

·      92.255.110[.]4

·      194.87.254[.]160

Responder-related IoCs:

·      78.128.113[.]130

·      78.128.113[.]34

·      /awp.tar.gz

·      /ivanty

·      /resp.tar.gz

Crypto-miner related IoCs:

·      140.228.24[.]160

·      aelix[.]xyz • 104.21.60[.]147 / 172.67.197[.]200

·      c8446f59cca2149cb5f56ced4b448c8d (JA3 client fingerprint)

·      b5eefe582e146aed29a21747a572e11c (JA3 client fingerprint)

·      pool.supportxmr[.]com

·      xmr.2miners[.]com

·      xmr.2miners[.]com

·      monerooceans[.]stream

·      xmr-eu2.nanopool[.]org

Port scanner-related IoCs:

·      122.161.66[.]161

·      192.241.235[.]32

·      45.86.162[.]147

·      /ncat

·      Wget/1.14 (linux-gnu)

·      45.159.248[.]179

·      142.93.115[.]146

·      23.92.29[.]148

·      /TxPortMap

·      195.123.240.183

·      6935a8d379e086ea1aed159b8abcb0bc8acf220bd1cbc0a84fd806f14014bca7 (SHA256 hash of downloaded file)

Darktrace DETECT Model Breaches

·      Anomalous Server Activity / New User Agent from Internet Facing System

·      Device / New User Agent

·      Anomalous Connection / New User Agent to IP Without Hostname

·      Device / New User Agent and New IP

·      Anomalous Connection / Application Protocol on Uncommon Port

·      Anomalous Connection / Callback on Web Facing Device

·      Compromise / High Volume of Connections with Beacon Score

·      Compromise / Large Number of Suspicious Failed Connections

·      Compromise / High Volume of Connections with Beacon Score

·      Compromise / Beacon for 4 Days

·      Compromise / Agent Beacon (Short Period)

·      Device / Large Number of Model Breaches

·      Anomalous Server Activity / Rare External from Server

·      Compromise / Large Number of Suspicious Successful Connections

·      Compromise / Monero Mining

·      Compromise / High Priority Crypto Currency Mining

·      Compromise / Sustained TCP Beaconing Activity To Rare Endpoint

·      Device / Internet Facing Device with High Priority Alert

·      Device / Suspicious SMB Scanning Activity

·      Device / Internet Facing Device with High Priority Alert

·      Device / Network Scan

·      Device / Unusual LDAP Bind and Search Activity

·      Compliance / Vulnerable Name Resolution

·      Device / Anomalous SMB Followed By Multiple Model Breaches

·      Device / New User Agent To Internal Server

·      Anomalous Connection / Suspicious HTTP Activity

·      Anomalous Connection / Unusual Internal Connections

·      Anomalous Connection / Suspicious HTTP Activity

·      Device / RDP Scan

·      Device / Large Number of Model Breaches

·      Compromise / Beaconing Activity To External Rare

·      Compromise / Beacon to Young Endpoint

·      Anomalous Connection / Suspicious HTTP Activity

·      Compromise / Suspicious Internal Use Of Web Protocol

·      Anomalous File / EXE from Rare External Location

·      Anomalous File / Internet Facing System File Download

·      Device / Suspicious SMB Scanning Activity

·      Device / Internet Facing Device with High Priority Alert

·      Device / Network Scan

·      Device / Initial Breach Chain Compromise

References

[1] https://www.mnemonic.io/resources/blog/ivanti-endpoint-manager-mobile-epmm-authentication-bypass-vulnerability/
[2] https://www.mnemonic.io/resources/blog/threat-advisory-remote-file-write-vulnerability-in-ivanti-epmm/
[3] https://www.mnemonic.io/resources/blog/threat-advisory-remote-code-execution-vulnerability-in-ivanti-sentry/
[4] https://www.ivanti.com/blog/cve-2023-35078-new-ivanti-epmm-vulnerability
[5] https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US
[6] https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078?language=en_US
[7] https://www.ivanti.com/blog/cve-2023-35081-new-ivanti-epmm-vulnerability
[8] https://forums.ivanti.com/s/article/CVE-2023-35081-Arbitrary-File-Write?language=en_US
[9] https://forums.ivanti.com/s/article/KB-Arbitrary-File-Write-CVE-2023-35081?language=en_US
[10] https://www.ivanti.com/blog/cve-2023-38035-vulnerability-affecting-ivanti-sentry
[11] https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US
[12] https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US
[13] https://isc.sans.edu/diary/Your+Business+Data+and+Machine+Learning+at+Risk+Attacks+Against+Apache+NiFi/29900

Written by
Sam Lister
Specialist Security Researcher
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Sam Lister
Specialist Security Researcher

Darktrace Malware Analysis: Jenkins Honeypot Reveals Emerging Botnet Targeting Online Games

Network
April 29, 2026
Nathaniel Bill
Malware Research Engineer
Watch the NIS2 Webinar
Trending blogs
1
Darktrace Recognized as the Only Visionary in the 2026 Gartner® Magic Quadrant™ for CPS Protection Platforms
Mar 20, 2026
2
What the Darktrace Annual Threat Report 2026 Means for Security Leaders
Feb 26, 2026
3
State of AI Cybersecurity 2026: 92% of security professionals concerned about the impact of AI agents
Mar 26, 2026
4
Beyond MFA: Detecting Adversary-in-the-Middle Attacks and Phishing with Darktrace
Dec 15, 2025
5
Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom
Mar 24, 2026

More in this series

No items found.
Continue reading
Network
April 29, 2026

Darktrace Malware Analysis: Jenkins Honeypot Reveals Emerging Botnet Targeting Online Games

Darktrace analysts observed attackers exploiting a Jenkins honeypot to deploy a new DDoS botnet targeting video game servers. Leveraging Jenkins scriptText abuse, the malware installs a multi-platform payload, evades detection, and launches UDP, TCP, and application-layer attacks, highlighting ongoing risks from opportunistic botnet activity across internet-facing environments.
Nathaniel Bill
Malware Research Engineer
Read more
Network
April 21, 2026

How a Compromised eScan Update Enabled Multi‑Stage Malware and Blockchain C2

A malicious eScan software update triggered a supply chain compromise that deployed multi‑stage malware and used blockchain‑based domains for resilient C2 communications. Darktrace identified rare, anomalous network activity across customer environments, helping organizations uncover the attack chain and strengthen defenses against increasingly sophisticated supply chain threats.
Joanna Ng
Associate Principal Analyst
Read more
Network
April 2, 2026

How Chinese-Nexus Cyber Operations Have Evolved – And What It Means For Cyber Risk and Resilience 

Darktrace's latest threat research reveals how Chinese-nexus cyber operations have evolved from isolated intrusions into long-term strategic positioning, with attackers prioritizing persistent access to critical infrastructure and digital ecosystems to gain lasting operational and economic advantage.
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Read more

Blog

/

Email

/

May 1, 2026

How email-delivered prompt injection attacks can target enterprise AI – and why it matters

Default blog imageDefault blog image

What are email-delivered prompt injection attacks?

As organizations rapidly adopt AI assistants to improve productivity, a new class of cyber risk is emerging alongside them: email-delivered AI prompt injection. Unlike traditional attacks that target software vulnerabilities or rely on social engineering, this is the act of embedding malicious or manipulative instructions into content that an AI system will process as part of its normal workflow. Because modern AI tools are designed to ingest and reason over large volumes of data, including emails, documents, and chat histories, they can unintentionally treat hidden attacker-controlled text as legitimate input.  

At Darktrace, our analysis has shown an increase of 90% in the number of customer deployments showing signals associated with potential prompt injection attempts since we began monitoring for this type of activity in late 2025. While it is not always possible to definitively attribute each instance, internal scoring systems designed to identify characteristics consistent with prompt injection have recorded a growing number of high-confidence matches. The upward trend suggests that attackers are actively experimenting with these techniques.

Recent examples of prompt injection attacks

Two early examples of this evolving threat are HashJack and ShadowLeak, which illustrate prompt injection in practice.

HashJack is a novel prompt injection technique discovered in November 2025 that exploits AI-powered web browsers and agentic AI browser assistants. By hiding malicious instructions within the URL fragment (after the # symbol) of a legitimate, trusted website, attackers can trick AI web assistants into performing malicious actions – potentially inserting phishing links, fake contact details, or misleading guidance directly into what appears to be a trusted AI-generated output.

ShadowLeak is a prompt injection method to exfiltrate PII identified in September 2025. This was a flaw in ChatGPT (now patched by OpenAI) which worked via an agent connected to email. If attackers sent the target an email containing a hidden prompt, the agent was tricked into leaking sensitive information to the attacker with no user action or visible UI.

What’s the risk of email-delivered prompt injection attacks?

Enterprise AI assistants often have complete visibility across emails, documents, and internal platforms. This means an attacker does not need to compromise credentials or move laterally through an environment. If successful, they can influence the AI to retrieve relevant information seamlessly, without the labor of compromise and privilege escalation.

The first risk is data exfiltration. In a prompt injection scenario, malicious instructions may be embedded within an ordinary email. As in the ShadowLeak attack, when AI processes that content as part of a legitimate task, it may interpret the hidden text as an instruction. This could result in the AI disclosing sensitive data, summarizing confidential communications, or exposing internal context that would otherwise require significant effort to obtain.

The second risk is agentic workflow poisoning. As AI systems take on more active roles, prompt injection can influence how they behave over time. An attacker could embed instructions that persist across interactions, such as causing the AI to include malicious links in responses or redirect users to untrusted resources. In this way, the attacker inserts themselves into the workflow, effectively acting as a man-in-the-middle within the AI system.

Why can’t other solutions catch email-delivered prompt injection attacks?

AI prompt injection challenges many of the assumptions that traditional email security is built on. It does not fit the usual patterns of phishing, where the goal is to trick a user into clicking a link or opening an attachment.  

Most security solutions are designed to detect signals associated with user engagement: suspicious links, unusual attachments, or social engineering cues. Prompt injection avoids these indicators entirely, meaning there are fewer obvious red flags.

In this case, the intention is actually the opposite of user solicitation. The objective is simply for the email to be delivered and remain in the inbox, appearing benign and unremarkable. The malicious element is not something the recipient is expected to engage with, or even notice.

Detection is further complicated by the nature of the prompts themselves. Unlike known malware signatures or consistent phishing patterns, injected prompts can vary widely in structure and wording. This makes simple pattern-matching approaches, such as regex, unreliable. A broad rule set risks generating large numbers of false positives, while a narrow one is unlikely to capture the diversity of possible injections.

How does Darktrace catch these types of attacks?

The Darktrace approach to email security more generally is to look beyond individual indicators and assess context, which also applies here.  

For example, our prompt density score identifies clusters of prompt-like language within an email rather than just single occurrences. Instead of treating the presence of a phrase as a blocking signal, the focus is on whether there is an unusual concentration of these patterns in a way that suggests injection. Additional weighting can be applied where there are signs of obfuscation. For example, text that is hidden from the user – such as white font or font size zero – but still readable by AI systems can indicate an attempt to conceal malicious prompts.

This is combined with broader behavioral signals. The same communication context used to detect other threats remains relevant, such as whether the content is unusual for the recipient or deviates from normal patterns.

Ask your email provider about email-delivered AI prompt injection

Prompt injection targets not just employees, but the AI systems they rely on, so security approaches need to account for both.

Though there are clear indications of emerging activity, it remains to be seen how popular prompt injection will be with attackers going forward. Still, considering the potential impact of this attack type, it’s worth checking if this risk has been considered by your email security provider.

Questions to ask your email security provider

  • What safeguards are in place to prevent emails from influencing AI‑driven workflows over time?
  • How do you assess email content that’s benign for a human reader, but may carry hidden instructions intended for AI systems?
  • If an email contains no links, no attachments, and no social engineering cues, what signals would your platform use to identify malicious intent?

Visit the Darktrace / EMAIL product hub to discover how we detect and respond to advanced communication threats.  

Learn more about securing AI in your enterprise.

Continue reading
About the author
Kiri Addison
Senior Director of Product

Blog

/

AI

/

April 30, 2026

Mythos vs Ethos: Defending in an Era of AI‑Accelerated Vulnerability Discovery

mythos vulnerability discoveryDefault blog imageDefault blog image

Anthropic’s Mythos and what it means for security teams

Recent attention on systems such as Anthropic Mythos highlights a notable problem for defenders. Namely that disclosure’s role in coordinating defensive action is eroding.

As AI systems gain stronger reasoning and coding capability, their usefulness in analyzing complex software environments and identifying weaknesses naturally increases. What has changed is not attacker motivation, but the conditions under which defenders learn about and organize around risk. Vulnerability discovery and exploitation increasingly unfold in ways that turn disclosure into a retrospective signal rather than a reliable starting point for defense.

Faster discovery was inevitable and is already visible

The acceleration of vulnerability discovery was already observable across the ecosystem. Publicly disclosed vulnerabilities (CVEs) have grown at double-digit rates for the past two years, including a 32% increase in 2024 according to NIST, driven in part by AI even prior to Anthropic’s Mythos model. Most notably XBOW topped the HackerOne US bug bounty leaderboard, marking the first time an autonomous penetration tester had done so.  

The technical frontier for AI capabilities has been described elsewhere as jagged, and the implication is that Mythos is exceptional but not unique in this capability. While Mythos appears to make significant progress in complex vulnerability analysis, many other models are already able to find and exploit weaknesses to varying degrees.  

What matters here is not which model performs best, but the fact that vulnerability discovery is no longer a scarce or tightly bounded capability.

The consequence of this shift is not simply earlier discovery. It is a change in the defender-attacker race condition. Disclosure once acted as a rough synchronization point. While attackers sometimes had earlier knowledge, disclosure generally marked the moment when risk became visible and defensive action could be broadly coordinated. Increasingly, that coordination will no longer exist. Exploitation may be underway well before a CVE is published, if it is published at all.

Why patch velocity alone is not the answer

The instinctive response to this shift is to focus on patching faster, but treating patch velocity as the primary solution misunderstands the problem. Most organizations are already constrained in how quickly they can remediate vulnerabilities. Asset sprawl, operational risk, testing requirements, uptime commitments, and unclear ownership all limit response speed, even when vulnerabilities are well understood.

If discovery and exploitation now routinely precede disclosure, then patching cannot be the first line of defense. It becomes one necessary control applied within a timeline that has already shifted. This does not imply that organizations should patch less. It means that patching cannot serve as the organizing principle for defense.

Defense needs a more stable anchor

If disclosure no longer defines when defense begins, then defense needs a reference point that does not depend on knowing the vulnerability in advance.  

Every digital environment has a behavioral character. Systems authenticate, communicate, execute processes, and access resources in relatively consistent ways over time. These patterns are not static rules or signatures. They are learned behaviors that reflect how an organization operates.

When exploitation occurs, even via previously unknown vulnerabilities, those behavioral patterns change.

Attackers may use novel techniques, but they still need to gain access, create processes, move laterally, and will ultimately interact with systems in ways that diverge from what is expected. That deviation is observable regardless of whether the underlying weakness has been formally named.

In an environment where disclosure can no longer be relied on for timing or coordination, behavioral understanding is no longer an optional enhancement; it becomes the only consistently available defensive signal.

Detecting risk before disclosure

Darktrace’s threat research has consistently shown that malicious activity often becomes visible before public disclosure.

In multiple cases, including exploitation of Ivanti, SAP NetWeaver, and Trimble Cityworks, Darktrace detected anomalous behavior days or weeks ahead of CVE publication. These detections did not rely on signatures, threat intelligence feeds, or awareness of the vulnerability itself. They emerged because systems began behaving in ways that did not align with their established patterns.

This reflects a defensive approach grounded in ‘Ethos’, in contrast to the unbounded exploration represented by ‘Mythos’. Here, Mythos describes continuous vulnerability discovery at speed and scale. Ethos reflects an understanding of what is normal and expected within a specific environment, grounded in observed behavior.

Revisiting assume breach

These conditions reinforce a principle long embedded in Zero Trust thinking: assume breach.

If exploitation can occur before disclosure, patching vulnerabilities can no longer act as the organizing principle for defense. Instead, effective defense must focus on monitoring for misuse and constraining attacker activity once access is achieved. Behavioral monitoring allows organizations to identify early‑stage compromise and respond while uncertainty remains, rather than waiting for formal verification.

AI plays a critical role here, not by predicting every exploit, but by continuously learning what normal looks like within a specific environment and identifying meaningful deviation at machine speed. Identifying that deviation enables defenders to respond by constraining activity back towards normal patterns of behavior.

Not an arms race, but an asymmetry

AI is often framed as fueling an arms race between attackers and defenders. In practice, the more important dynamic is asymmetry.

Attackers operate broadly, scanning many environments for opportunities. Defenders operate deeply within their own systems, and it’s this business context which is so significant. Behavioral understanding gives defenders a durable advantage. Attackers may automate discovery, but they cannot easily reproduce what belonging looks like inside a particular organization.

A changed defensive model

AI‑accelerated vulnerability discovery does not mean defenders have lost. It does mean that disclosure‑driven, patch‑centric models no longer provide a sufficient foundation for resilience.

As vulnerability volumes grow and exploitation timelines compress, effective defense increasingly depends on continuous behavioral understanding, detection that does not rely on prior disclosure, and rapid containment to limit impact. In this model, CVEs confirm risk rather than define when defense begins.

The industry has already seen this approach work in practice. As AI continues to reshape both offense and defense, behavioral detection will move from being complementary to being essential.

Continue reading
About the author
Andrew Hollister
Principal Solutions Engineer, Cyber Technician
Your data. Our AI.
Elevate your network security with Darktrace AI