Blog
/
Network
/
March 19, 2024

Pikabot Malware: Insights, Impact, & Attack Analysis

Learn about Pikabot malware and its rapid evolution in the wild, impacting organizations and how to defend against this growing threat.
Written by
Brianna Luong (Leddy)
Sr. Technical Alliances Manager
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Brianna Luong (Leddy)
Sr. Technical Alliances Manager
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
19
Mar 2024

How does Loader Malware work?

Throughout 2023, the Darktrace Threat Research team identified and investigated multiple strains of loader malware affecting customers across its fleet. These malicious programs typically serve as a gateway for threat actors to gain initial access to an organization’s network, paving the way for subsequent attacks, including additional malware infections or disruptive ransomware attacks.

How to defend against loader malware

The prevalence of such initial access threats highlights the need for organizations to defend against multi-phase compromises, where modular malware swiftly progresses from one stage of an attack to the next. One notable example observed in 2023 was Pikabot, a versatile loader malware used for initial access and often accompanied by secondary compromises like Cobalt Strike and Black Basta ransomware.

While Darktrace initially investigated multiple instances of campaign-like activity associated with Pikabot during the summer of 2023, a new campaign emerged in October which was observed targeting a Darktrace customer in Europe. Thanks to the timely detection by Darktrace DETECT™ and the support of Darktrace’s Security Operations Center (SOC), the Pikabot compromise was quickly shut down before it could escalate into a more disruptive attack.

What is Pikabot?

Pikabot is one of the latest modular loader malware strains that has been active since the first half of 2023, with several evolutions in its methodology observed in the months since. Initial researchers noted similarities to the Qakbot aka Qbot or Pinkslipbot and Mantanbuchus malware families, and while Pikabot appears to be a new malware in early development, it shares multiple commonalities with Qakbot [1].

First, both Pikabot and Qakbot have similar distribution methods, can be used for multi-stage attacks, and are often accompanied by downloads of Cobalt Strike and other malware strains. The threat actor known as TA577, which has also been referred to as Water Curupira, has been seen to use both types of malware in spam campaigns which can lead to Black Basta ransomware attacks [2] [3].Notably, a rise in Pikabot campaigns were observed in September and October 2023, shortly after the takedown of Qakbot in Operation Duck Hunt, suggesting that Pikabot may be serving as a replacement for initial access to target network [4].

How does Pikabot malware work?

Many Pikabot infections start with a malicious email, particularly using email thread hijacking; however, other cases have been distributed via malspam and malvertising [5]. Once downloaded, Pikabot runs anti-analysis techniques and checks the system’s language, self-terminating if the language matches that of a Commonwealth of Independent States (CIS) country, such as Russian or Ukrainian. It will then gather key information to send to a command-and-control (C2) server, at which point additional payload downloads may be observed [2]. Early response to a Pikabot infection is important for organizations to prevent escalation to a significant compromise such as ransomware.

Darktrace’s Coverage of Pikabot malware

Between April and July 2023, the Darktrace Threat Research team investigated Pikabot infections affected more than 15 customer environments; these attacks primarily targeted US and European organizations spanning multiple industries, and most followed the below lifecycle:

  1. Initial access via malspam or email, often outside of Darktrace’s scope
  2. Suspicious executable download from a URI in the format /\/[a-z0-9A-Z]{3,}\/[a-z0-9A-Z]{5,}/ and using a Windows PowerShell user agent
  3. C2 connections to IP addresses on uncommon ports including 1194 and 2078
  4. Some cases involved further C2 activity to Cobalt Strike endpoints

In October 2023, a second campaign emerged that largely followed the same attack pattern, with a notable difference that cURL was used for the initial payload download as opposed to PowerShell. All the Pikabot cases that Darktrace has observed since October 2023 have used cURL, which could indicate a shift in approach from targeting Windows devices to multi-operating system environments.

Figure 1: Timeline of the Pikabot infection over a 2-hour period.

On October 17, 2023, Darktrace observed a Pikabot infection on the network of a European customer after an internal user seemingly clicked a malicious link in a phishing email, thereby compromising their device. As the customer did not have Darktrace/Email™ deployed on their network, Darktrace did not have visibility over the email. Despite this, DETECT was still able to provide full visibility over the network-based activity that ensued.

Darktrace observed the device using a cURL user agent when initiating the download of an unusual executable (.exe) file from an IP address that had never previously been observed on the network. Darktrace further recognized that the executable file was attempting to masquerade as a different file type, likely to evade the detection of security teams and their security tools. Within one minute, the device began to communicate with additional unusual IP addresses on uncommon ports (185.106.94[.]174:5000 and 80.85.140[.]152:5938), both of which have been noted by open-source intelligence (OSINT) vendors as Pikabot C2 servers [6] [7].

Figure 2: Darktrace model breach Event Log showing the initial file download, immediately followed by a connection attempt to a Pikabot C2 server.

Around 40 minutes after the initial download, Darktrace detected the device performing suspicious DNS tunneling using a pattern that resembled the Cobalt Strike Beacon. This was accompanied by beaconing activity to a rare domain, ‘wordstt182[.]com’, which was registered only 4 days prior to this activity [8]. Darktrace observed additional DNS connections to the endpoint, ‘building4business[.]net’, which had been linked to Black Basta ransomware [2].

Figure 3: The affected device making successful TXT DNS requests to known Black Basta endpoints.

As this customer had integrated Darktrace with the Microsoft Defender, Defender was able to contextualize the DETECT model breaches with endpoint insights, such as known threats and malware, providing customers with unparalleled visibility of the host-level detections surrounding network-level anomalies.

In this case, the behavior of the affected device triggered multiple Microsoft Defender alerts, including one alert which linked the activity to the threat actor Storm-0464, another name for TA577 and Water Curupira. These insights were presented to the customer in the form of a Security Integration alert, allowing them to build a full picture of the ongoing incident.

Figure 4: Security Integration alert from Microsoft Defender in Darktrace, linking the observed activity to the threat group Storm-0464.

As the customer had subscribed to Darktrace’s Proactive Threat Notification (PTN) service, the customer received timely alerts from Darktrace’s SOC notifying them of the suspicious activity associated with Pikabot. This allowed the customer’s security team to quickly identify the affected device and remove it from their environment for remediation.

Although the customer did have Darktrace RESPOND™ enabled on their network, it was configured in human confirmation mode, requiring manual application for any RESPOND actions. RESPOND had suggested numerous actions to interrupt and contain the attack, including blocking connections to the observed Pikabot C2 addresses, which were manually actioned by the customer’s security team after the fact. Had RESPOND been enabled in autonomous response mode during the attack, it would have autonomously blocked these C2 connections and prevented the download of any suspicious files, effectively halting the escalation of the attack.

Nonetheless, Darktrace DETECT’s prompt identification and alerting of this incident played a crucial role in enabling the customer to mitigate the threat of Pikabot, preventing it from progressing into a disruptive ransomware attack.

Figure 5: Darktrace RESPOND actions recommended from the initial file download and throughout the C2 traffic, ranging from blocking specific connections to IP addresses and ports to enforcing a normal pattern of life for the source device.

Conclusion

Pikabot is just one recent example of a modular strain of loader known for its adaptability and speed, seamlessly changing tactics from one campaign to the next and utilizing new infrastructure to initiate multi-stage attacks. Leveraging commonly used tools and services like Windows PowerShell and cURL, alongside anti-analysis techniques, this malware can evade the detection and often bypass traditional security tools.

In this incident, Darktrace detected a Pikabot infection in its early stages, identifying an anomalous file download using a cURL user agent, a new tactic for this particular strain of malware. This timely detection, coupled with the support of Darktrace’s SOC, empowered the customer to quickly identify the compromised device and act against it, thwarting threat actors attempting to connect to malicious Cobalt Strike and Black Basta servers. By preventing the escalation of the attack, including potential ransomware deployment, the customer’s environment remained safeguarded.

Had Darktrace RESPOND been enabled in autonomous response mode at the time of this attack, it would have been able to further support the customer by applying targeted mitigative actions to contain the threat of Pikabot at its onset, bolstering their defenses even more effectively.

Credit to Brianna Leddy, Director of Analysis, Signe Zaharka, Senior Cyber Security Analyst

Appendix

Darktrace DETECT Models

Anomalous Connection / Anomalous SSL without SNI to New External

Anomalous Connection / Application Protocol on Uncommon Port

Anomalous Connection / Multiple Connections to New External TCP Port

Anomalous Connection / New User Agent to IP Without Hostname

Anomalous Connection / Powershell to Rare External

Anomalous Connection / Rare External SSL Self-Signed

Anomalous Connection / Repeated Rare External SSL Self-Signed

Anomalous File / EXE from Rare External Location

Anomalous File / Masqueraded File Transfer

Anomalous File / Multiple EXE from Rare External Locations

Compromise / Agent Beacon to New Endpoint

Compromise / Beacon to Young Endpoint

Compromise / Beaconing Activity To External Rare

Compromise / DNS / DNS Tunnel with TXT Records

Compromise / New or Repeated to Unusual SSL Port

Compromise / SSL Beaconing to Rare Destination

Compromise / Suspicious Beaconing Behaviour

Compromise / Suspicious File and C2

Device / Initial Breach Chain Compromise

Device / Large Number of Model Breaches

Device / New PowerShell User Agent

Device / New User Agent

Device / New User Agent and New IP

Device / Suspicious Domain

Security Integration / C2 Activity and Integration Detection

Security Integration / Egress and Integration Detection

Security Integration / High Severity Integration Detection

Security Integration / High Severity Integration Incident

Security Integration / Low Severity Integration Detection

Security Integration / Low Severity Integration Incident

Antigena / Network / External Threat / Antigena File then New Outbound Block

Antigena / Network / External Threat / Antigena Suspicious Activity Block

Antigena / Network / External Threat / Antigena Suspicious File Block

Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block

Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Client Block

Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

Antigena / Network / Significant Anomaly / Antigena Significant Security Integration and Network Activity Block

List of Indicators of Compromise (IoC)

IOC - TYPE - DESCRIPTION + CONFIDENCE

128.140.102[.]132 - IP Address - Pikabot Download

185.106.94[.]174:5000 - IP Address: Port - Pikabot C2 Endpoint

80.85.140[.]152:5938 - IP Address: Port - Pikabot C2 Endpoint

building4business[.]net - Hostname - Cobalt Strike DNS Beacon

wordstt182[.]com - Hostname - Cobalt Strike Server

167.88.166[.]109 - IP Address - Cobalt Strike Server

192.9.135[.]73 - IP - Pikabot C2 Endpoint

192.121.17[.]68 - IP - Pikabot C2 Endpoint

185.87.148[.]132 - IP - Pikabot C2 Endpoint

129.153.22[.]231 - IP - Pikabot C2 Endpoint

129.153.135[.]83 - IP - Pikabot C2 Endpoint

154.80.229[.]76 - IP - Pikabot C2 Endpoint

192.121.17[.]14 - IP - Pikabot C2 Endpoint

162.252.172[.]253 - IP - Pikabot C2 Endpoint

103.124.105[.]147 - IP - Likely Pikabot Download

178.18.246[.]136 - IP - Pikabot C2 Endpoint

86.38.225[.]106 - IP - Pikabot C2 Endpoint

198.44.187[.]12 - IP - Pikabot C2 Endpoint

154.12.233[.]66 - IP - Pikabot C2 Endpoint

MITRE ATT&CK Mapping

TACTIC - TECHNIQUE

Defense Evasion - Masquerading: Masquerade File Type (T1036.008)

Command and Control - Application Layer Protocol: Web Protocols (T1071.001)

Command and Control - Non-Standard Port (T1571)

Command and Control - Application Layer Protocol: DNS (T1071.004)

Command and Control - Protocol Tunneling (T1572)

References

[1] https://news.sophos.com/en-us/2023/06/12/deep-dive-into-the-pikabot-cyber-threat/?&web_view=true  

[2] https://www.trendmicro.com/en_be/research/24/a/a-look-into-pikabot-spam-wave-campaign.html

[3] https://thehackernews.com/2024/01/alert-water-curupira-hackers-actively.html

[4] https://www.darkreading.com/cyberattacks-data-breaches/pikabot-malware-qakbot-replacement-black-basta-attacks

[5] https://www.redpacketsecurity.com/pikabot-distributed-via-malicious-ads-6/

[6] https://www.virustotal.com/gui/ip-address/185.106.94.174/detection

[7] https://www.virustotal.com/gui/ip-address/80.85.140.152/detection

[8] https://www.domainiq.com/domain?wordstt182.com

Written by
Brianna Luong (Leddy)
Sr. Technical Alliances Manager
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Brianna Luong (Leddy)
Sr. Technical Alliances Manager

How a Compromised eScan Update Enabled Multi‑Stage Malware and Blockchain C2

Network
April 21, 2026
Joanna Ng
Associate Principal Analyst
Watch the NIS2 Webinar
Trending blogs
1
Darktrace Recognized as the Only Visionary in the 2026 Gartner® Magic Quadrant™ for CPS Protection Platforms
Mar 20, 2026
2
What the Darktrace Annual Threat Report 2026 Means for Security Leaders
Feb 26, 2026
3
State of AI Cybersecurity 2026: 92% of security professionals concerned about the impact of AI agents
Mar 26, 2026
4
Beyond MFA: Detecting Adversary-in-the-Middle Attacks and Phishing with Darktrace
Dec 15, 2025
5
Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom
Mar 24, 2026

More in this series

No items found.
Continue reading
Network
April 21, 2026

How a Compromised eScan Update Enabled Multi‑Stage Malware and Blockchain C2

A malicious eScan software update triggered a supply chain compromise that deployed multi‑stage malware and used blockchain‑based domains for resilient C2 communications. Darktrace identified rare, anomalous network activity across customer environments, helping organizations uncover the attack chain and strengthen defenses against increasingly sophisticated supply chain threats.
Joanna Ng
Associate Principal Analyst
Read more
Network
April 2, 2026

How Chinese-Nexus Cyber Operations Have Evolved – And What It Means For Cyber Risk and Resilience 

Darktrace's latest threat research reveals how Chinese-nexus cyber operations have evolved from isolated intrusions into long-term strategic positioning, with attackers prioritizing persistent access to critical infrastructure and digital ecosystems to gain lasting operational and economic advantage.
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Read more
Network
March 26, 2026

Phantom Footprints: Tracking GhostSocks Malware

GhostSocks is an emerging threat turning compromised devices into residential proxy nodes to help attackers evade detection. Darktrace identifies its growing use alongside Lumma Stealer, highlighting the malware’s stealth, payload delivery, and persistence. AI-driven detection and Autonomous Response reveal the full attack lifecycle and underscore the need for proactive defense.
Isabel Evans
Cyber Analyst
Read more

Blog

/

AI

/

April 28, 2026

State of AI Cybersecurity 2026: 87% of security professionals are seeing more AI-driven threats, but few feel ready to stop them

Default blog imageDefault blog image

The findings in this blog are taken from Darktrace’s annual State of AI Cybersecurity Report 2026.

In part 1 of this blog series, we explored how AI is remaking the attack surface, with new tools, models, agents — and vulnerabilities — popping up just about everywhere. Now embedded in workflows across the enterprise, and often with far-reaching access to sensitive data, AI systems are quickly becoming a favorite target of cyber threat actors.

Among bad actors, though, AI is more often used as a tool than a target. Nearly 62% of organizations  experienced a social engineering attack involving a deepfake, or an incident in which bad actors used AI-generated video or audio to try to trick a biometric authentication system, compared to 32% that reported an AI prompt injection attack.

In the hands of attackers, AI can do many things. It’s being used across the entire kill chain: to supercharge reconnaissance, personalize phishing, accelerate lateral movement, and automate data exfiltration. Evidence from Anthropic demonstrates that threat actors have harnessed AI to orchestrate an entire cyber espionage campaign from end to end, allegedly running it with minimal human involvement.

CISOs inhabit a world where these increasingly sophisticated attacks are ubiquitous. Naturally, combatting AI-powered threats is top of mind among security professionals, but many worry about whether their capabilities are up to the challenge.

AI-powered threats at scale: no longer hypothetical

AI-driven threats share signature characteristics. They operate at speed and scale. Automated tools can probe multiple attack paths, search for multiple vulnerabilities and send out a barrage of phishing emails, all within seconds. The ability to attack everywhere at once, at a pace that no human operator could sustain, is the hallmark of an AI-powered threat. AI-powered threats are also dynamic. They can adapt their behavior to spread across a network more efficiently or rewrite their own code to evade detection.

Security teams are seeing the signs that they’re fighting AI-powered threats at every stage of the kill chain, and the sophistication of these threats is testing their resolve and their resources.

  • 73% say that AI-powered cyber threats are having a significant impact on their organization
  • 92% agree that these threats are forcing them to upgrade their defenses
  • 87% agree that AI is significantly increasing the sophistication and success rate of malware
  • 87% say AI is significantly increasing the workload of their security operations team

These teams now confront a challenge unlike anything they’ve seen before in their careers, and the risks are compounding across workflows, tools, data, and identities. It’s no surprise that 66% of security professionals say their role is more stressful today than it was five years ago, or that 47% report feeling overwhelmed at work.

Up all night: Security professionals’ worry list is long

Traditional security methods were never built to handle the complexity and subtlety of AI-driven behavior. Working in the trenches, defenders have deep firsthand experience of how difficult it can be to detect and stop AI-assisted threats.

Increasingly effective social engineering attacks are among their top concerns. 50% of security leaders mentioned hyper-personalized phishing campaigns as one of their biggest worries, while 40% voiced apprehension about deepfake voice fraud. These concerns are legitimate: AI-generated phishing emails are increasingly tailored to individual organizations, business activities, or individuals. Gone are the telltale signs – like grammar or spelling mistakes – that once distinguished malicious communications. Notably, 33% of the malicious emails Darktrace observed in 2025 contained over 1,000 characters, indicating probable LLM usage.

Security leaders also worry about how bad actors can leverage AI to make attacks even faster and more dynamic. 45% listed automated vulnerability scanning and exploit chaining among their biggest concerns, while 40% mentioned adaptive malware.

Confidence is lacking

Protecting against AI demands capabilities that many organizations have not yet built. It requires interpreting new indicators, uncovering the subtle intent within interactions, and recognizing when AI behavior – human or machine – could be suspicious. Leaders know that their current tools aren’t prepared for this. Nearly half don’t feel confident in their ability to defend against AI-powered attacks.

We’ve asked participants in our survey about their confidence for the last three years now. In 2024, 60% said their organizations were not adequately prepared to defend against AI-driven threats. Last year, that percentage shrunk to 45%, a possible indicator that security programs were making progress. Since then, however, the progress has apparently stalled. 46% of security leaders now feel inadequately prepared to protect their organizations amidst the current threat landscape.

Some of these differences are accentuated across different cultures. Respondents in Japan are far less confident (77% say they are not adequately prepared) than respondents in Brazil (where only 21% don’t feel prepared).

Where security programs are falling short

It’s no longer the case that cybersecurity is overlooked or underfunded by executive leadership. Across industries, management recognizes that AI-powered threats are a growing problem, and insufficient budget is near the bottom of most CISO’s list of reasons that they struggle to defend against AI-powered threats.  

It’s the things that money can’t buy – experience, knowledge, and confidence – that are holding programs back. Near the top of the list of inhibitors that survey participants mention is “insufficient knowledge or use of AI-driven countermeasures.” As bad actors embrace AI technologies en masse, this challenge is coming into clearer focus: attack-centric security tools, which rely on static rules, signatures, and historical attack patterns, were never designed to handle the complexity and subtlety of AI-driven attacks. These challenges feel new to security teams, but they are the core problems Darktrace was built to solve.  

Our Self-Learning AI develops a deep understanding of what “normal” looks like for your organization –including unique traffic patterns, end user habits, application and device profiles – so that it can detect and stop novel, dynamic threats at the first encounter. By focusing on learning the business, rather than the attack, our AI can keep pace with AI-powered threats as they evolve.

Explore the full State of AI Cybersecurity 2026 report for deeper insights into how security leaders are responding to AI-driven risks.

Learn more about securing AI in your enterprise.

[related-resource]

Continue reading
About the author
The Darktrace Community

Blog

/

Email

/

April 24, 2026

Email-Borne Cyber Risk: A Core Challenge for the CISO in the Age of Volume and Sophistication

Default blog imageDefault blog image

The challenge for CISOs

Despite continuous advances in security technologies, humans continue to be exploited by attackers. Credential abuse and social actions like phishing are major factors, accounting for around 60% of all breaches. These attacks rely less on technical vulnerabilities and more on exploiting human behavior and organizational processes. 

From my perspective as a former CISO, protecting humans concentrates three of today’s most pressing challenges: the sheer volume of email-based threats, their increasing sophistication, and the limitations of traditional employee awareness programs in moving the needle on risk. 

My personal experience of security awareness training as a CISO

With over 20 years’ experience as an ICT and Cybersecurity leader across various international organizations, I’ve seen security awareness training (SAT) in many guises. And while the cyber landscape is evolving in every direction, the effectiveness of SAT is reaching a plateau.  

Most programs I’ve seen follow a familiar pattern. Training is delivered through a combination of eLearning modules and internal sessions designed to reinforce IT policies. Employees are typically required to complete a slide deck or video, followed by a multiple-choice quiz. Occasional phishing simulations are distributed throughout the year.

The content is often static and unpersonalized, based on known threats that may already be outdated. Every employee regardless of role or risk exposure receives the same training and the same simulated phishing templates, from front-desk staff to the CEO.

The problem with traditional SAT programs

The issue with the approach to SAT outlined above is that the distribution of power is imbalanced. Humans will always be fallible, particularly when faced with increasingly sophisticated attacks. Providing generic, low-context training risks creating false confidence rather than genuine resilience. Let’s look at some of the problems in detail.

Timing and delivery

Employees today operate under constant cognitive load, making lots of rapid decisions every day to reduce their email volumes. Yet if employees are completing training annually, or on an ad hoc basis, it becomes a standalone occurrence rather than a continuous habit.  

As a result, retention is low. Employees often forget the lessons within weeks, a phenomenon known as the ‘Ebbinghaus Forgetting Curve.’

The graph illustrates that when you first learn something, the information disappears at an exponential rate without retention. In fact, according to the curve, you forget 50% of all new information within a day, and 90% of all new information within a week.  

Simultaneously, most training is conducted within a separate interface. Because it takes place away from the actual moment of decision-making, the "teachable moment" is lost. There is a cognitive disconnect between the action (clicking a link in Outlook) and the education (watching a video in a browser). 

People

In the context of professional risk management, the risks faced by different users are different. Static learning such as everyone receiving the same ‘Password Reset’ email doesn’t help users prepare for the specific threats they are likely to face. It also contributes to user fatigue, driven by repetitive training. And if users receive tests at the same time, news spreads among colleagues, hurting the efficacy of the test.  

Staff turnover introduces further risk. In many organizations, new employees gain access to systems before receiving meaningful training, reducing onboarding to little more than policy acknowledgment.

Measuring success

In my experience, solutions are standalone, without any correlation to other tools in the security stack. In some cases, the programs are delivered by HR rather than the security team, creating a complete silo.  

As a result, SAT is often perceived as a compliance exercise rather than a capability building function. The result is that poor-quality training does little to reduce the likelihood of compromise, regardless of completion rates or quiz performance.

What a modern SAT solution should look like

For today’s CISO, email represents the convergence point of high-volume, high-impact, and human-centric threats. Despite significant security investments, it remains one of the most difficult channels to secure effectively. Given these constraints, CISOs must evolve their approach to SAT.

Success lies in a balanced strategy one that combines advanced technology, attack surface reduction, and pragmatic user enablement, without over-relying on human vigilance as the final line of defense.

This means moving beyond traditional SAT toward continuous, contextual awareness, realistic simulations, and tight integration with security outcomes.

Three requirements for a modern SAT solution

  • Invisible protection: The optimum security solution is one that assists users without impeding their experience. The objective is to enhance human capabilities, rather than simply delivering a lecture. 
  • Real-time feedback: Rather than a monthly quiz, the ideal system would provide a prompt or warning when a user is about to engage with something suspicious. 
  • Positive culture: Shifting the focus away from a "gotcha" culture, which is a contributing factor to a resentment, and instead empowers employees to serve as "sensors" for the company. 

Discover how personalized security coaching can strengthen your human layer and make your email defenses more resilient. Explore Darktrace / Adaptive Human Defense.

Continue reading
About the author
Karim Benslimane
VP, Field CISO
Your data. Our AI.
Elevate your network security with Darktrace AI