How Autonomous Cyber AI Scaled to Protect Arrow McLaren SP
Darktrace's Cyber AI has seamlessly scaled, extended, and adapted to protect Arrow McLaren's Formula 1 and IndyCar teams from machine-speed cyberattacks.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Fier
SVP, Red Team Operations
Written by
Nick Snyder
Performance Director, Arrow McLaren SP
Share
25
May 2021
It’s been decades since a racing team has had the ambition to compete at the highest level simultaneously in Formula 1 and in the NTT INDYCAR Series. And why would they? With hectic schedules, tight timelines, and the finest margins between victory and defeat, one series alone may seem a daunting enough feat. But to compete across both requires cross-continent collaboration, creativity, and innovation at every turn.
Rather than being daunted by the challenge, McLaren has embraced the unique advantages of racing in both series simultaneously. Arrow McLaren SP, in a strategic partnership with McLaren Racing, communicates on a daily basis with the McLaren Technology Centre in the UK, gathering and sharing data including car telemetry, on-board video and audio files, timing and scoring information, car set-ups, and reporting.
The security of this critical and highly sensitive data is paramount to the performance of AMSP, and after the success of Darktrace’s AI in protecting the cloud, email, and network environments of McLaren F1, AMSP recently announced they would be seamlessly extending the coverage to the US.
How adaptive, scalable AI drives success
Darktrace’s autonomous Cyber AI has protected the McLaren F1 team since early 2020, shielding their workforce and critical systems during a time of fundamental digital change, with conditions arising from COVID-19 forcing many employees to work from home. During this time the organization had a heightened reliance on cloud collaboration platforms, including video conferencing and file sharing.
Cyber AI technology adapted to these unforeseen changes, protecting the McLaren F1 team from novel and advanced attacks targeting their dynamic workforce. While traditional tools bound by set rules and playbooks had to be reconfigured, a self-learning approach allowed continuous protection of McLaren’s email systems, cloud services, and network traffic, with little maintenance required from busy human teams.
Now, the technology is being put to the test again. McLaren has extended Darktrace’s AI technology to protect the large volumes of sensitive data that travels back and forth between Arrow McLaren SP and the MTC.
Responding to machine-speed ransomware with Autonomous Response
As a wave of ransomware attacks brings fresh concerns to the cyber security industry, AMSP is turning to a technology fundamental to stopping these machine-speed attacks. With Autonomous Response, Darktrace not only detects emerging threats, but responds in real time, stopping attackers in their tracks without human teams having to lift a finger.
The response is surgical and proportionate: only the malicious activity is contained, whilst normal operations are allowed to continue. This will be a crucial capability for the AMSP team, as any unnecessary downtime severely undermines their ability to get access to the right data at the right time – ultimately having an impact on performance on race day.
With Darktrace’s autonomous Cyber AI protecting both its F1 and INDYCAR teams, McLaren’s human IT resources are augmented with real-time protection and Autonomous Response working across different time zones and providing that 24/7 overwatch they need.
Indianapolis 500: The toughest test yet
The month of May is a busy and critical period of the season for AMSP, with three races culminating in the 105th Running of the Indianapolis 500, which will be held in front of a reduced crowd of 135,000 spectators. The IT team has been busy preparing a temporary trackside data centre for this event, and the sheer volume of data circulating between that and the MTC is ramping up.
All of this data must be gathered, organized, and transferred securely back and forth between the two hubs. The speed of that transfer is absolutely vital, as speed of analysis and real-time decision-making is critical to race performance. AMSP’s engineering team and McLaren’s engineering team operate as if they’re sitting next to each other, despite being thousands of miles away.
Moreover, some data files can be extremely large, and reliable connectivity is key in ensuring that all files, no matter the size, can be transferred and downloaded as quickly as possible. Lack or loss of any data gathered trackside would prevent AMSP’s abilities to accurately recap on-track sessions.
This clearly represents an incredibly busy time for the security personnel on the ground both at Indianapolis and in the UK. Leaning on AI to facilitate the secure and reliable movement of highly sensitive data empowers AMSP’s IT team to stay proactive, rather than being reactive and playing catch up in the case of a security incident.
Facing the future with Cyber AI
AMSP is in a unique position in the INDYCAR paddock – no other team transmits so much data, so often or over so far of a distance. Darktrace’s Cyber AI technology is helping to protect AMSP’s at-track engineering crews, remote engineering teams, data transfer processes and cloud infrastructure, from an increasingly hostile cyber-threat landscape.
Relying on Darktrace to safeguard and protect its sensitive data and digital assets will become critical in securing AMSP’s overall approach to race weekend activation. As the collaboration between McLaren Racing and Arrow McLaren SP continues to drive success on the track, the targeted actions of Darktrace’s Autonomous Response capability ensures both sides of the technical partnership stay protected across different time zones, around the clock, no matter what threat is waiting round the corner.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Shadow AI Detection: The First Step Toward Securing AI
Why shadow AI is emerging
Imagine you’re an employee under pressure, deadlines stacking up, repetitive tasks piling higher by the day. You find a free AI tool online that promises to automate the work in seconds; no approvals are needed. It feels like a simple win, paste in some data, write a quick prompt, and move faster.
But in that moment, something changed.
Sensitive customer information is entered into a tool your organization doesn’t monitor, doesn’t govern, and can’t see and suddenly, that data is no longer where it should be, and no one knows where it’s gone.
This is the reality of Shadow AI: employees using unsanctioned AI tools to move faster, while unintentionally creating risk that exists entirely outside visibility and control.
This is not just a one off case, research across businesses indicate that nearly half of employees report using unsanctioned AI tools, often prioritizing speed and productivity over security. Additionally, 51% of employees report connecting AI tools to work systems or apps without IT approval, creating significant operational risk where the average cost of security incidents in organizations with a high level of shadow AI usage can reach $670k.
While shadow AI is often top of mind for security professionals, it is just one component of how AI use can increase risk. Understanding and managing shadow AI use should be considered as part of a broader, comprehensive risk management strategy that aims to secure AI systems, including human and agent identities, interactions, human-AI partnerships, and behaviors operating across the digital enterprise from visibility and governance through detection, response, and recovery.
Effective risk management calls for a layered and interdisciplinary strategy. It requires addressing issues across governance and visibility; identity, access and agent control, data security and privacy, secure MLOps / LLMOps, runtime security, behavior-based detection, autonomous response and recovery.
This blog explores a specific governance and visibility use case linked to shadow AI and reveals the challenges it presents as well as the defensive strategies that security teams can adopt.
Why shadow AI is hard to detect
When it comes to AI, what organizations can easily see does not always reflect the full scope of AI activity occurring within the tools, applications, and workflows used across an enterprise. As a result, organizations using traditional rule-based methods to flag unusual activity may struggle to distinguish unsanctioned AI usage from legitimate operational behavior, particularly as SaaS applications, APIs, and orchestration layers increasingly have AI embedded into normal business workflows. Identifying threats using previously observed intelligence or depending on hard to maintain allow and block lists does not provide a dynamic enough strategy to manage risk. Also, many organizations are focusing on identifying Shadow AI in their governed infrastructure, like gateways, endpoints, or SASE, which is foundational. But, organizations require visibility and Shadow AI detection across all networked infrastructure from on-prem, hybrid, data centers, and cloud infrastructure that may not have endpoint agent visibility. This uncovers the utilization of MCP, data flows, and autonomous agents across these domains.
For example, employees interact with AI assistants across approved SaaS platforms every day. However, browser extensions and other types of plug-ins can route prompts that include enterprise data to embedded AI services in ways that are not visible to the security team. AI enabled workflows may invoke multiple APIs, orchestration layers, and cloud services behind the scenes, making it difficult for traditional security tooling to determine where data is processed, stored, or retransmitted. Because much of this activity occurs within trusted browser sessions and encrypted SaaS traffic, conventional network monitoring, DLP, and application allowlisting controls often lack the context needed to accurately identify or govern these interactions
Identifying AI tools in the environment is one part of the equation. Understanding the behavior surrounding their use is where the real challenge lies. An AI application is not inherently risky, but the way users or other assets interact with it may be. Sensitive data exposure, abnormal access patterns, and misuse of AI-assisted workflows often appear legitimate in isolation and only become visible through behavioral analysis across the broader environment.
What Shadow AI visibility does and doesn’t show
Comprehensive Shadow AI visibility allows organizations to answer several important questions:
What types of AI are we using? What AI platforms, agents, MCP clients/servers, and services are active across the enterprise?
Who is using AI services? Which users, business units, or systems are interacting with those AI services?
Is our data safe? Is sensitive or regulated data being exposed through prompts, workflows, or integrations?
Are AI systems behaving as expected? Are AI systems behaving anomalously or operating outside approved governance processes?
Are our AI systems under attack? Is an attacker attempting to manipulate prompts, influence agent behavior, or abuse AI-enabled workflows?
Answering these questions is foundational to broader AI governance efforts. However, it is limited to helping teams understand initial interactions and fails to offer insight into dependencies and outcomes that are critical to securing AI across an enterprise.
Deeper visibility that includes the ability to understand dependencies and outcomes are not always available in AI security point products. Answering the questions below requires understanding runtime behavior and operational outcomes:
What actions did the AI interaction trigger?
What systems, applications, or data did it access? Did the AI operate beyond its intended permissions or scope?
Could a low-risk interaction lead to high-risk outcomes?
What is the risk and context understanding of an anomalous activity to assist in prioritization of analysis and autonomous response action?
The distinction between these two sets of questions offers two different layers of AI security. The first set of questions focuses on discovery and interaction visibility. The second set focuses on providing visibility that includes the context and outcomes that are critical for managing follow-on risks associated with obfuscated downstream activities.
Together, these layers help organizations move beyond simply identifying AI usage toward understanding how AI behaves operationally across the enterprise.
How organizations are addressing shadow AI
Most organizations still approach shadow AI as an application control problem, relying on policies, browser restrictions, and allow/block lists. However, AI adoption is evolving faster than most governance processes can realistically keep pace with. New assistants, plugins, and embedded AI features appear continuously, creating pressure to enable business productivity while simultaneously containing risk.
Existing governance processes were designed for a more traditional SaaS adoption cycle, where new applications could be reviewed, approved, and monitored over longer time horizons. AI adoption operates differently. New capabilities can appear overnight inside existing platforms employees already use, making it difficult for security and governance teams to maintain an accurate understanding of enterprise AI exposure. This means that many organizations are experiencing significant operational overhead, particularly in large environments where AI usage is decentralized across teams, departments, and third-party services.
Where should organizations start when securing their AI systems?
Shadow AI identification is an on-going critical component for AI Risk/Governance Boards as well as security organizations. As organizations seek AI certifications like ISO 42001 AI Management Systems, visibility into all AI adoption from enterprise use to custom innovation and development is crucial. Shadow AI identification provides organizations with the visibility needed to decide whether an AI tool should be brought into governed environments to reduce data loss (DLP) risks or whether policies should be established and enforced to restrict their use.
As organizations rapidly innovate and adopt AI, they are taking on more and more risk. Organizations need to have a strategy in place to mitigate the assumed risk, especially with third-party adoption. Visibility, monitoring, governance enforcement, behavioral-based detection of non-deterministic systems, and autonomous investigation and containment becomes critical to mitigating the risk of AI systems.
How Darktrace secures AI and shadow AI
Attackers are using AI to move faster, scale tactics, and make threats more adaptive and convincing. Internally, organizations are grappling with new forms of risk created by generative AI, autonomous agents, shadow AI, and increasingly complex digital environments.
Darktrace helps organizations protect both people and AI in a world where AI is now central to how business gets done. Darktrace / SECURE AI helps organizations discover and control shadow AI by surfacing unsanctioned or unexpected AI activity where it appears – including MCP detections, distinguishing misuse of legitimate tools and unapproved services, and applying policy to contain data exposure while guiding users toward sanctioned options.
Stay up to date on AI security
Sign up for the Secure AI Readiness Program here: This gives you exclusive access to the latest news on the latest AI threats, updates on emerging approaches shaping AI security, and insights into the latest innovations, including Darktrace’s ongoing work in this area.
Ready to talk with a Darktrace expert on securing AI? Register here to receive practical guidance on the AI risks that matter most to your business, paired with clarity on where to focus first across governance, visibility, risk reduction, and long-term readiness.
From Click to Command: Behavioral Detection of AppleScript-Led MacOS Intrusions
Introduction
Darktrace’s Threat Research team is publishing this analysis to help defenders understand an active pattern of macOS tradecraft observed in multiple customer environments. This post summarizes the behaviors observed, how they were assessed, and what defenders can do now.
Across multiple environments, Darktrace observed a consistent MacOS intrusion pattern beginning with ClickFix-style user-assisted “update” execution and transitioning into AppleScript-driven post-compromise activity and sustained outbound signaling.
While individual indicators were low-confidence, the repeated convergence of weak behavioral signals — including HTTP POST beaconing, rare or IP-only destinations, SSL anomalies, and abnormal client characteristics — provided a defensible indication of command-and-control establishment Darktrace detection and response in these cases was driven by behavior over artifacts. In the highest-confidence instances, automated containment disrupted outbound signaling before sustained tasking could occur.
Background
ClickFix-style activity typically relies on user-assisted execution and plausible “update” pretexting, followed by post-execution use of native tools to keep the footprint light. In MacOS environments, AppleScript and other built-in scripting mechanisms enable flexible post-compromise workflows while minimizing stable file-based indicators.
Following execution, affected devices exhibited a consistent behavioral pattern. AppleScript or equivalent native scripting activity was observed initiating follow-on workflows, after which outbound communications began to establish a structured rhythm.
These communications were characterized by repeated HTTP POST requests to low-prevalence or IP-only endpoints, often combined with unusual SSL properties and client identifiers that diverged from baseline device behavior. Individually, these signals were weak. When correlated across time and devices, they formed a pattern consistent with control establishment rather than benign software activity.
In higher-confidence cases, Autonomous Response actions were able to reduce or halt outbound signaling, interrupting the attacker’s ability to maintain control.
Detection Timeline
In representative cases, the sequence unfolded as follows:
Stage 1 – Initial Execution
Initial activity began with suspicious or masqueraded execution on a MacOS endpoint, consistent with ClickFix-style user deception.
Stage 2 – Post-Execution Scripting
This was followed closely by native scripting activity, most commonly AppleScript, indicating the transition into post-execution workflow.
Stage 3 – Outbound Communications
Outbound communications then emerged, initially sporadic but quickly forming a consistent cadence of HTTP POST requests to rare external endpoints.
Stage 4 – Anomaly Convergence
As activity persisted, additional anomalies became visible — unusual SSL characteristics, abnormal user agents, and connections to infrastructure with no prior network prevalence.
Stage 5 – Autonomous Response
In the most mature stages of the activity, automated containment actions disrupted outbound communications on affected devices, limiting the attacker’s ability to continue tasking while investigations progressed.
Darktrace coverage and detections
The following use-case highlights systems likely affected by malicious macOS intrusion activity linked by Microsoft to the Democratic People’s Republic of Korea (DPRK) [1], with indications of suspicious behavior observed between March 1 and May 3, 2026. The activity overlaps with patterns described in recent reporting on DPRK-nexus MacOS intrusions [1], though attribution confidence in this case remains moderate and based on behavioral alignment rather than solely infrastructure linkage.
Analyst confidence emerged through the correlation of multiple weak signals across time and devices. This included model coverage for rare external communications, sustained beaconing patterns, repeated HTTP POSTs, and anomalous client characteristics. Where enabled, Autonomous Response actions disrupted the most active outbound paths to reduce the attacker’s ability to maintain control while Darktrace’s investigation continued.
Notably, this highly anomalous behavior included:
Outbound connections to the rare external endpoint, zoom[.]uswebob[.]us associated with IP address, 148.72.73[.]98 [2][3] over port 443
Outbound connections to the rare external endpoint, check02id[.]com associated with IP address, 83.136.210[.]180 [4] over port 7365
Outbound connections to the rare external endpoints, 104.145.210[.]107 [5] over port 8443 and 83.136.208[.]48 [6] over port 443
Outbound connections to the rare external endpoint, 83.136.208[.]246 [7] over port 6783 with observed URI `/api/daemon` and a PowerShell user agent
Darktrace’s detection initially highlighted a desktop device (running MacOS) engaging in anomalous behavior as early as March 12, 2026. Starting on March 12, the source device triggered a ‘Possible Doppelganger Attack’ alert including connectivity to the hostname "zoom[.]uswebob[.]us · 148.72.73[.]98" over port 443 (TCP, HTTPS, H2). This model highlights a device connecting to a location that is rare but masquerades as legitimate software, such as Zoom in this case, a commonly used technique to blend into expected traffic [2] [3].
Figure 1: Initial connectivity observed to the rare external hostname, zoom[.]uswebob[.]us · 148.72.73[.]98, over port 443.
This was followed roughly seven later by a connection to 104.145.210[.]107 over port 8443, during which approximately 250 KiB of data of inbound data and 30 MiB of outbound data was observed, triggering the ‘Unusual Activity / Unusual External Data to New Endpoint’ in Darktrace.
Quickly after this connection, Darktrace’s Autonomous Response intervened, blocking the device’s access to the unusual external location and halting the data exfiltration attempt.
Figure 2: Darktrace’s detection of unusual data exfiltration, shortly followed by an Autonomous Response action to block it.
The device continued to consistently trigger model alerts relating to unusual external connectivity, including 'Posting HTTP to IP Without Hostname', 'Anomalous Connection / Rare External SSL Self-Signed' alerts, until well after 3 PM that day.
Figure 3: Additional external connectivity to new IP without a hostname, including connectivity to 83.136.208[.]246, alongside an anomalous ‘curl/8.7.1’ user agent and ‘/api/daemon’ URI.
Figure 4: Continued external SSL connectivity to IP 83.136.208[.]48, including connectivity to 83.136.208[.]246, alongside an anomalous ‘curl/8.7.1’ user agent and ‘/api/daemon’ URI.
Figure 5: Continued external HTTP connectivity to hostname, check02id[.]com · 83.136.210[.]180, alongside an anomalous ‘Go-http-client/1,1’ user agent.
From March 13 to March 28, the device continued exhibit unusual connectivity to various endpoints (e.g., 83.136.208[.]48, 83.136.208[.]246, check02id[.]com · 83.136.210[.]180), with the 'Multiple HTTP POSTs to Rare Hostname' model consistently triggering.
Windows OS Case
Pivoting over to an additional device, this time running Windows OS, anomalous behavior was also observed between March 30 and April 20. Notably, on March 30, the device was observed making a large number of suspicious external connection attempts to 83.136.208[.]246 over port 6783, all of which failed.
A further indicator was observed on April 1 with PowerShell connectivity to the same rare endpoint (83.136.208[.]246, port 6783), using the URI '/api/daemon' and the user agent 'Mozilla/5.0 (Windows NT; Windows NT 10.0; fr-FR) WindowsPowerShell/5.1.26100.7920'. Additional alerts included 'New User Agent to IP Without Hostname' and 'Anomalous Github Download', alongside activity involving the same endpoint.
Figure 6 : ‘Anomalous Powershell to Rare External Destination’ and ‘Github Download’ model alerts. This behavior involved connectivity with the endpoints ‘83.136.208[.]246’ and ‘github[.]com’.
The device continued triggering 'Posting HTTP to IP Without Hostname' & 'PowerShell to External Rare' alerts between April 4 and April 20 across multiple related endpoints (i.e., 83.136.208[.]48, 83.136.208[.]246, check02id[.]com · 83.136.210[.]180).
Darktrace’s Autonomous Response capability was able to block suspicious PowerShell attempts to unusual external locations, as shown below in an example from April 20.
Figure 7: Autonomous Response intervening to block an unusual PowerShell connection to an external destination.
Cyber AI Analyst investigations
In higher-confidence instances, Darktrace’s Cyber AI Analyst investigations helped connect otherwise separate model alerts into a single incident narrative, highlighting the attacker’s progression from post-execution scripting into sustained outbound signaling. This contextual stitching is particularly valuable in macOS scenarios where static artefacts are limited, and behavioral sequencing defines the intrusion.
Cyber AI Analyst investigations highlighted alerts on March 12, including unusual repeated connections and possible SSL command-and-control (C2) to multiple endpoints:
Figure 8: Cyber AI Analyst investigation linking events into a unified incident.
Autonomous Response
In addition to the containment actions detailed earlier, Autonomous Response implemented multiple additional measures to contain suspicious activity throughout the course of this attack. Whenever unusual external connectivity was detected, Darktrace blocked it, closing down potential C2 channels. Likewise, when data exfiltration attempts were identified, these connections were stopped to prevent the potential loss of sensitive data.
Figure 9: Autonomous Response actions implemented by Darktrace in response to suspicious connectivity in mid-March.
Furthermore, in cases where a device was deemed to have carried out a significant number of anomalous activities, Darktrace enforced a “pattern of life” on the device, preventing it from deviating from its expected behavior while allowing legitimate business operations to continue uninterrupted.
Figure 10: Autonomous Response actions implemented by Darktrace in response to suspicious connectivity in April, including the “Enforce Pattern of Life” action.
Conclusion
macOS intrusion tradecraft continues to shift toward native tooling and lightweight control channels designed to evade signature-led controls.
The repeated convergence of rare destinations, POST-based signaling, and anomalous client behavior — observed across time and across devices — provided sufficient evidence to act early and with confidence.
As macOS tradecraft continues to evolve, the defender advantage increasingly lies not in signatures, but in the ability to reason from behavior.
Credit to Justin Torres (Senior Cyber Analyst), Nathaniel Jones (VP, Security & AI Strategy, FCISO)
Edited by Ryan Traill (Content Manager)
Appendices
Darktrace Model Alert Coverage:
/ NETWORK-based model alerts:
· Anomalous Connection::Multiple HTTP POSTs to Rare Hostname
.jpg)
![Initial connectivity observed to the rare external hostname, zoom[.]uswebob[.]us · 148.72.73[.]98, over port 443.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/6a3c241a851b82605cdf62fb_Screenshot%202026-06-24%20at%2011.38.14%E2%80%AFAM.png)
