Blog

Thought Leadership

McLaren

The Tech Driving Arrow McLaren SP to the Top

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
16
Nov 2021
16
Nov 2021
As Arrow McLaren SP looks back on a positive season, the team reflects on key challenges, success, and how AI and automation is leveraged in their work!

As Arrow McLaren SP looks back on a positive season and prepares to build momentum into next year, Taylor Kiel (Team President) and Craig Hampson (Director of Trackside Engineering) reflect on key challenges and successes. With Pato O’Ward’s No. 5 car in the running to win the championship until the final race of the season, they reveal the formula for success – and how the team leverages AI and automation in every aspect of their work – from driver simulation to cyber security.

Data as the lifeblood for performance

In INDYCAR qualifiying, the difference between P1 and P10 can be as little as half a second, and when margins are that tight, the finer details in preparation make the difference. For us, that preparation is driven by data. Every race weekend and every practice session, over 100 lightweight sensors and several computers on the cars produce masses of data that is stored and analyzed for performance optimization.

This ecosystem includes an engine controller, a gear shift controller computer, and a computer unit that controls the clutch, and these systems all talk to each other across what is called a Controller Area Network (CAN). So the key question for us becomes: how do we get useful insights from that data, securely, and in a short period of time?

If you can think of something that’s happening on the car, the likelihood is our team is doing everything we can to try and measure it. Air speed, acceleration, tyre temperature, and so much more – we currently record over 1,500 data channels on the car itself, and we then process another 838 ‘math channels’ from combinations of this data – giving us, for example, the ride height of and downforce on the car.

This is more data than we can ever process with human beings alone, and a lot of our work now is figuring out how to automate these processes, using AI to look for patterns that humans simply cannot identify.

Pitting: More than just a tyre change

Each of our cars have two cellular-based telemetry systems built into them, but we are still limited on the amount of throughput we can observe real time, which is why we need to offload this data each time we pit during practice. This involves plugging in what we call an ‘umbilical cord’ that has a communication line and also powers the car.

Figure 1: A typical INDYCAR would last only minutes on its own battery without the engine running

Any typical race produces between 2.5GB and 3.3GB of data, in addition to in-car video, and a GPS system recording the car’s position on the track, which not only goes back to us but also to the relevant television broadcasters. So, we need to have a lot of storage available both in the cloud and on hard drives using a server. That data needs to be available not just to us at trackside but virtually to engineers not present at the race. And most importantly, that data needs to be secure, and protected from outside interference.

The cyber side: Turning to AI

All that precious data coming from the car, residing in the cloud or elsewhere in our organization, is susceptible to tampering from insiders and outsiders who may – deliberately or indirectly – compromise our ability to access or use that data reliably. As the cyber-threat landscape evolves – with ransomware bringing organizations of all shapes and sizes to a halt – we need to make sure we’re prepared for whatever attack is around the corner.

Firewalls, email gateways, and other perimeter protections are one part of the puzzle. But while these tools are focussed on keeping an attacker out – we needed another layer of defense that ensures that if these defenses are bypassed, we have an autonomous system that knows our organization inside out and can fight back on our behalf to disrupt emerging threats.

That’s where Darktrace has provided a revolutionary solution – using Self-Learning AI that understands every person and device from the ground up and identifies subtle deviations that point to a cyber-threat. And if ransomware strikes, 24/7 Autonomous Response is there in the form of Darktrace Antigena, taking precise action to contain ransomware and other threats at machine speed.

Double wins at doubleheaders

Using automation and AI throughout our technology stack enables us to extract meaningful insights from large pools of data and take quick, decisive action in the form of changes to the car or on-the-fly changes in race strategy.

The ability to react and react quickly is really put to the test on doubleheader race weekends, where any room for improvement you identify from Saturday’s race can be rectified in the form of overnight changes and implemented on Sunday. We believe it’s no coincidence that both of Pato’s No. 5 car’s wins came on the back end of doubleheader events, at Texas and Detroit Belle Isle. With people working in harmony with technology, our engineering team were able to make significant improvements to the car, react on the fly, and ultimately ensure we ended up ahead of the competition.

Digital fakes: Breaking new ground at Nashville

This year’s INDYCAR season featured a brand new track in Nashville, an exciting but daunting prospect for both the drivers and the team as a whole. Having access to a driver simulator, thanks to our partners at Chevrolet, we were able to run a virtual version of our car to try different setups, different techniques, and in this case have the driver learn his way round a whole new circuit.

Figure 2: The Chevrolet simulator projects a digital twin of the Nashville circuit

The track is recreated down to the nearest millimetre using a laser scanner, and then there is a lot of digital rendering involved, making it as realistic as possible with stands, fencing, and sponsor banners. Using this ‘digital fake’ representation was super helpful to the drivers in determining the correct approaches to corners, and for our engineers, enabling them to use the outputs to characterize the track.

The setup of the car in the simulator is effectively the same as the setup of the car in the real world: you set the spring rate and the ride height, it has the aerodynamic map, it knows the inertias and the masses of the car. It’s an incredibly complicated and powerful physics engine, but it gives us the ability to test things out in a controlled environment, and contributed toward one of Felix Rosenqvist’s strongest races of the season in the No. 7 car.

Simulations like these are the way of the future – not just for new circuits but in general. Rather than going through tyres and engines, we can replicate practice sessions in digital form, and the software gets closer to reality every day.

Looking ahead

What is next for Arrow McLaren SP? As we are now a part of the McLaren Racing family, new efficiencies and synergies are realized every month. We’ll certainly continue to leverage that valuable partnership, as well as our technology partnership with Darktrace, continuing to roll out their technology across our digital estate, including our email and cloud services.

In the INDYCAR Series, if you stay still, you go backwards, and the competition hots up every year. We know that now more than ever, the answer lies in using cutting-edge technologies across every aspect of the business to make our lives easier and ultimately propel us to the very top.

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Taylor Kiel
Team President, Arrow McLaren SP

Taylor Kiel is a native of Indianapolis, Indiana. His career highlights include starting with Sam Schmidt Motorsports in 2007 in Indy Lights before rising the ranks of now Arrow McLaren SP to president of the team. Kiel has been part of the team’s nine NTT INDYCAR SERIES wins and two Indianapolis 500 pole positions. He was also the race strategist during Pato O’Ward’s first career victory at Texas Motor Speedway in 2021 and led the team to a third-place finish in the point standings.

Craig Hampson
Director of Trackside Engineering, Arrow McLaren SP

Craig Hampson is a mechanical engineering graduate from the University of Maryland. In Hampson’s career, he was the Indianapolis 500-winning R&D engineer for the team that fielded cars for Ryan Hunter-Reay (2014) and Alexander Rossi (2016) and was at the helm of all four of Sebastien Bourdais’ Champ Car World Series titles and 33 of his 37 career NTT INDYCAR SERIES wins. Now, Hampson is the R&D Engineer at Arrow McLaren SP, and in 2020, he took on an expanded role as the race engineer for Fernando Alonso during the 105th Indianapolis 500. During the 2021 season, he served as the race strategist for Felix Rosenqvist and Juan Pablo Montoya on a limited basis.

Book a 1-1 meeting with one of our experts
share this article
COre coverage

More in this series

No items found.

Blog

Inside the SOC

Disarming the WarmCookie Backdoor: Darktrace’s Oven-Ready Solution

Default blog imageDefault blog image
26
Jul 2024

What is WarmCookie malware?

WarmCookie, also known as BadSpace [2], is a two-stage backdoor tool that provides functionality for threat actors to retrieve victim information and launch additional payloads. The malware is primarily distributed via phishing campaigns according to multiple open-source intelligence (OSINT) providers.

Backdoor malware: A backdoor tool is a piece of software used by attackers to gain and maintain unauthorized access to a system. It bypasses standard authentication and security mechanisms, allowing the attacker to control the system remotely.

Two-stage backdoor malware: This means the backdoor operates in two distinct phases:

1. Initial Stage: The first stage involves the initial infection and establishment of a foothold within the victim's system. This stage is often designed to be small and stealthy to avoid detection.

2. Secondary Stage: Once the initial stage has successfully compromised the system, it retrieves or activates the second stage payload. This stage provides more advanced functionalities for the attacker, such as extensive data exfiltration, deeper system control, or the deployment of additional malicious payloads.

How does WarmCookie malware work?

Reported attack patterns include emails attempting to impersonate recruitment firms such as PageGroup, Michael Page, and Hays. These emails likely represented social engineering tactics, with attackers attempting to manipulate jobseekers into engaging with the emails and following malicious links embedded within [3].

This backdoor tool also adopts stealth and evasion tactics to avoid the detection of traditional security tools. Reported evasion tactics included custom string decryption algorithms, as well as dynamic API loading to prevent researchers from analyzing and identifying the core functionalities of WarmCookie [1].

Before this backdoor makes an outbound network request, it is known to capture details from the target machine, which can be used for fingerprinting and identification [1], this includes:

- Computer name

- Username

- DNS domain of the machine

- Volume serial number

WarmCookie samples investigated by external researchers were observed communicating communicated over HTTP to a hardcoded IP address using a combination of RC4 and Base64 to protect its network traffic [1]. Ultimately, threat actors could use this backdoor to deploy further malicious payloads on targeted networks, such as ransomware.

Darktrace Coverage of WarmCookie

Between April and June 2024, Darktrace’s Threat Research team investigated suspicious activity across multiple customer networks indicating that threat actors were utilizing the WarmCookie backdoor tool. Observed cases across customer environments all included the download of unusual executable (.exe) files and suspicious outbound connectivity.

Affected devices were all observed making external HTTP requests to the German-based external IP, 185.49.69[.]41, and the URI, /data/2849d40ade47af8edfd4e08352dd2cc8.

The first investigated instance occurred between April 23 and April 24, when Darktrace detected a a series of unusual file download and outbound connectivity on a customer network, indicating successful WarmCookie exploitation. As mentioned by Elastic labs, "The PowerShell script abuses the Background Intelligent Transfer Service (BITS) to download WarmCookie and run the DLL with the Start export" [1].

Less than a minute later, the same device was observed making HTTP requests to the rare external IP address: 185.49.69[.]41, which had never previously been observed on the network, for the URI /data/b834116823f01aeceed215e592dfcba7. The device then proceeded to download masqueraded executable file from this endpoint. Darktrace recognized that these connections to an unknown endpoint, coupled with the download of a masqueraded file, likely represented malicious activity.

Following this download, the device began beaconing back to the same IP, 185.49.69[.]41, with a large number of external connections observed over port 80.  This beaconing related behavior could further indicate malicious software communicating with command-and-control (C2) servers.

Darktrace’s model alert coverage included the following details:

[Model Alert: Device / Unusual BITS Activity]

- Associated device type: desktop

- Time of alert: 2024-04-23T14:10:23 UTC

- ASN: AS28753 Leaseweb Deutschland GmbH

- User agent: Microsoft BITS/7.8

[Model Alert: Anomalous File / EXE from Rare External Location]

[Model Alert: Anomalous File / Masqueraded File Transfer]

- Associated device type: desktop

- Time of alert: 2024-04-23T14:11:18 UTC

- Destination IP: 185.49.69[.]41

- Destination port: 80

- Protocol: TCP

- Application protocol: HTTP

- ASN: AS28753 Leaseweb Deutschland GmbH

- User agent: Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)

- Event details: File: http[:]//185.49.69[.]41/data/b834116823f01aeceed215e592dfcba7, total seen size: 144384B, direction: Incoming

- SHA1 file hash: 4ddf0d9c750bfeaebdacc14152319e21305443ff

- MD5 file hash: b09beb0b584deee198ecd66976e96237

[Model Alert: Compromise / Beaconing Activity To External Rare]

- Associated device type: desktop

- Time of alert: 2024-04-23T14:15:24 UTC

- Destination IP: 185.49.69[.]41

- Destination port: 80

- Protocol: TCP

- Application protocol: HTTP

- ASN: AS28753 Leaseweb Deutschland GmbH  

- User agent: Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)

Between May 7 and June 4, Darktrace identified a wide range of suspicious external connectivity on another customer’s environment. Darktrace’s Threat Research team further investigated this activity and assessed it was likely indicative of WarmCookie exploitation on customer devices.

Similar to the initial use case, BITS activity was observed on affected devices, which is utilized to download WarmCookie [1]. This initial behavior was observed with the device after triggering the model: Device / Unusual BITS Activity on May 7.

Just moments later, the same device was observed making HTTP requests to the aforementioned German IP address, 185.49.69[.]41 using the same URI /data/2849d40ade47af8edfd4e08352dd2cc8, before downloading a suspicious executable file.

Just like the first use case, this device followed up this suspicious download with a series of beaconing connections to 185.49.69[.]41, again with a large number of connections via port 80.

Similar outgoing connections to 185.49.69[.]41 and model alerts were observed on additional devices during the same timeframe, indicating that numerous customer devices had been compromised.

Darktrace’s model alert coverage included the following details:

[Model Alert: Device / Unusual BITS Activity]

- Associated device type: desktop

- Time of alert: 2024-05-07T09:03:23 UTC

- ASN: AS28753 Leaseweb Deutschland GmbH

- User agent: Microsoft BITS/7.8

[Model Alert: Anomalous File / EXE from Rare External Location]

[Model Alert: Anomalous File / Masqueraded File Transfer]

- Associated device type: desktop

- Time of alert: 2024-05-07T09:03:35 UTC  

- Destination IP: 185.49.69[.]41

- Protocol: TCP

- ASN: AS28753 Leaseweb Deutschland GmbH

- Event details: File: http[:]//185.49.69[.]41/data/2849d40ade47af8edfd4e08352dd2cc8, total seen size: 72704B, direction: Incoming

- SHA1 file hash: 5b0a35c574ee40c4bccb9b0b942f9a9084216816

- MD5 file hash: aa9a73083184e1309431b3c7a3e44427  

[Model Alert: Anomalous Connection / New User Agent to IP Without Hostname]

- Associated device type: desktop

- Time of alert: 2024-05-07T09:04:14 UTC  

- Destination IP: 185.49.69[.]41  

- Application protocol: HTTP  

- URI: /data/2849d40ade47af8edfd4e08352dd2cc8

- User agent: Microsoft BITS/7.8  

[Model Alert: Compromise / HTTP Beaconing to New Endpoint]

- Associated device type: desktop

- Time of alert: 2024-05-07T09:08:47 UTC

- Destination IP: 185.49.69[.]41

- Protocol: TCP

- Application protocol: HTTP  

- ASN: AS28753 Leaseweb Deutschland GmbH  

- URI: /  

- User agent: Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705) \

Cyber AI Analyst Coverage Details around the external destination, ‘185.49.69[.]41’.
Figure 1: Cyber AI Analyst Coverage Details around the external destination, ‘185.49.69[.]41’.
External Sites Summary verifying the geographical location of the external IP, 185.49.69[.]41’.
Figure 2: External Sites Summary verifying the geographical location of the external IP, 185.49.69[.]41’.

Fortunately, this particular customer was subscribed to Darktrace’s Proactive Threat Notification (PTN) service and the Darktrace Security Operation Center (SOC) promptly investigated the activity and alerted the customer. This allowed their security team to address the activity and begin their own remediation process.

In this instance, Darktrace’s Autonomous Response capability was configured in Human Confirmation mode, meaning any mitigative actions required manual application by the customer’s security team.

Despite this, Darktrace recommended two actions to contain the activity: blocking connections to the suspicious IP address 185.49.69[.]41 and any IP addresses ending with '69[.]41', as well as the ‘Enforce Pattern of Life’ action. By enforcing a pattern of life, Darktrace can restrict a device (or devices) to its learned behavior, allowing it to continue regular business activities uninterrupted while blocking any deviations from expected activity.

Actions suggested by Darktrace to contain the emerging activity, including blocking connections to the suspicious endpoint and restricting the device to its ‘pattern of life’.
Figure 3: Actions suggested by Darktrace to contain the emerging activity, including blocking connections to the suspicious endpoint and restricting the device to its ‘pattern of life’.

Conclusion

Backdoor tools like WarmCookie enable threat actors to gather and leverage information from target systems to deploy additional malicious payloads, escalating their cyber attacks. Given that WarmCookie’s primary distribution method seems to be through phishing campaigns masquerading as trusted recruitments firms, it has the potential to affect a large number of organziations.

In the face of such threats, Darktrace’s behavioral analysis provides organizations with full visibility over anomalous activity on their digital estates, regardless of whether the threat bypasses by human security teams or email security tools. While threat actors seemingly managed to evade customers’ native email security and gain access to their networks in these cases, Darktrace identified the suspicious behavior associated with WarmCookie and swiftly notified customer security teams.

Had Darktrace’s Autonomous Response capability been fully enabled in these cases, it could have blocked any suspicious connections and subsequent activity in real-time, without the need of human intervention, effectively containing the attacks in the first instance.

Credit to Justin Torres, Cyber Security Analyst and Dylan Hinz, Senior Cyber Security Analyst

Appendices

Darktrace Model Detections

- Anomalous File / EXE from Rare External Location

- Anomalous File / Masqueraded File Transfer  

- Compromise / Beacon to Young Endpoint  

- Compromise / Beaconing Activity To External Rare  

- Compromise / HTTP Beaconing to New Endpoint  

- Compromise / HTTP Beaconing to Rare Destination

- Compromise / High Volume of Connections with Beacon Score

- Compromise / Large Number of Suspicious Successful Connections

- Compromise / Quick and Regular Windows HTTP Beaconing

- Compromise / SSL or HTTP Beacon

- Compromise / Slow Beaconing Activity To External Rare

- Compromise / Sustained SSL or HTTP Increase

- Compromise / Sustained TCP Beaconing Activity To Rare Endpoint

- Anomalous Connection / Multiple Failed Connections to Rare Endpoint

- Anomalous Connection / New User Agent to IP Without Hostname

- Compromise / Sustained SSL or HTTP Increase

AI Analyst Incident Coverage:

- Unusual Repeated Connections

- Possible SSL Command and Control to Multiple Endpoints

- Possible HTTP Command and Control

- Suspicious File Download

Darktrace RESPOND Model Detections:

- Antigena / Network / External Threat / Antigena Suspicious File Block

- Antigena / Network / External Threat / Antigena Suspicious File Pattern of Life Block

List of IoCs

IoC - Type - Description + Confidence

185.49.69[.]41 – IP Address – WarmCookie C2 Endpoint

/data/2849d40ade47af8edfd4e08352dd2cc8 – URI – Likely WarmCookie URI

/data/b834116823f01aeceed215e592dfcba7 – URI – Likely WarmCookie URI

4ddf0d9c750bfeaebdacc14152319e21305443ff  - SHA1 Hash  – Possible Malicious File

5b0a35c574ee40c4bccb9b0b942f9a9084216816  - SHA1 Hash – Possiblem Malicious File

MITRE ATT&CK Mapping

(Technique Name) – (Tactic) – (ID) – (Sub-Technique of)

Drive-by Compromise - INITIAL ACCESS - T1189

Ingress Tool Transfer - COMMAND AND CONTROL - T1105

Malware - RESOURCE DEVELOPMENT - T1588.001 - T1588

Lateral Tool Transfer - LATERAL MOVEMENT - T1570

Web Protocols - COMMAND AND CONTROL - T1071.001 - T1071

Web Services - RESOURCE DEVELOPMENT - T1583.006 - T1583

Browser Extensions - PERSISTENCE - T1176

Application Layer Protocol - COMMAND AND CONTROL - T1071

Fallback Channels - COMMAND AND CONTROL - T1008

Multi-Stage Channels - COMMAND AND CONTROL - T1104

Non-Standard Port - COMMAND AND CONTROL - T1571

One-Way Communication - COMMAND AND CONTROL - T1102.003 - T1102

Encrypted Channel - COMMAND AND CONTROL - T1573

External Proxy - COMMAND AND CONTROL - T1090.002 - T1090

Non-Application Layer Protocol - COMMAND AND CONTROL - T1095

References

[1] https://www.elastic.co/security-labs/dipping-into-danger

[2] https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor

[3] https://thehackernews.com/2024/06/new-phishing-campaign-deploys.html

Continue reading
About the author
Justin Torres
Cyber Analyst

Blog

Thought Leadership

The State of AI in Cybersecurity: Understanding AI Technologies

Default blog imageDefault blog image
24
Jul 2024

About the State of AI Cybersecurity Report

Darktrace surveyed 1,800 CISOs, security leaders, administrators, and practitioners from industries around the globe. Our research was conducted to understand how the adoption of new AI-powered offensive and defensive cybersecurity technologies are being managed by organizations.

This blog continues the conversation from “The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners”. This blog will focus on security professionals’ understanding of AI technologies in cybersecurity tools.

To access download the full report, click here.

How familiar are security professionals with supervised machine learning

Just 31% of security professionals report that they are “very familiar” with supervised machine learning.

Many participants admitted unfamiliarity with various AI types. Less than one-third felt "very familiar" with the technologies surveyed: only 31% with supervised machine learning and 28% with natural language processing (NLP).

Most participants were "somewhat" familiar, ranging from 46% for supervised machine learning to 36% for generative adversarial networks (GANs). Executives and those in larger organizations reported the highest familiarity.

Combining "very" and "somewhat" familiar responses, 77% had familiarity with supervised machine learning, 74% generative AI, and 73% NLP. With generative AI getting so much media attention, and NLP being the broader area of AI that encompasses generative AI, these results may indicate that stakeholders are understanding the topic on the basis of buzz, not hands-on work with the technologies.  

If defenders hope to get ahead of attackers, they will need to go beyond supervised learning algorithms trained on known attack patterns and generative AI. Instead, they’ll need to adopt a comprehensive toolkit comprised of multiple, varied AI approaches—including unsupervised algorithms that continuously learn from an organization’s specific data rather than relying on big data generalizations.  

Different types of AI

Different types of AI have different strengths and use cases in cyber security. It’s important to choose the right technique for what you’re trying to achieve.  

Supervised machine learning: Applied more often than any other type of AI in cyber security. Trained on human attack patterns and historical threat intelligence.  

Large language models (LLMs): Applies deep learning models trained on extremely large data sets to understand, summarize, and generate new content. Used in generative AI tools.  

Natural language processing (NLP): Applies computational techniques to process and understand human language.  

Unsupervised machine learning: Continuously learns from raw, unstructured data to identify deviations that represent true anomalies.  

What impact will generative AI have on the cybersecurity field?

More than half of security professionals (57%) believe that generative AI will have a bigger impact on their field over the next few years than other types of AI.

Chart showing the types of AI expected to impact security the most
Figure 1: Chart from Darktrace's State of AI in Cybersecurity Report

Security stakeholders are highly aware of generative AI and LLMs, viewing them as pivotal to the field's future. Generative AI excels at abstracting information, automating tasks, and facilitating human-computer interaction. However, LLMs can "hallucinate" due to training data errors and are vulnerable to prompt injection attacks. Despite improvements in securing LLMs, the best cyber defenses use a mix of AI types for enhanced accuracy and capability.

AI education is crucial as industry expectations for generative AI grow. Leaders and practitioners need to understand where and how to use AI while managing risks. As they learn more, there will be a shift from generative AI to broader AI applications.

Do security professionals fully understand the different types of AI in security products?

Only 26% of security professionals report a full understanding of the different types of AI in use within security products.

Confusion is prevalent in today’s marketplace. Our survey found that only 26% of respondents fully understand the AI types in their security stack, while 31% are unsure or confused by vendor claims. Nearly 65% believe generative AI is mainly used in cybersecurity, though it’s only useful for identifying phishing emails. This highlights a gap between user expectations and vendor delivery, with too much focus on generative AI.

Key findings include:

  • Executives and managers report higher understanding than practitioners.
  • Larger organizations have better understanding due to greater specialization.

As AI evolves, vendors are rapidly introducing new solutions faster than practitioners can learn to use them. There's a strong need for greater vendor transparency and more education for users to maximize the technology's value.

To help ease confusion around AI technologies in cybersecurity, Darktrace has released the CISO’s Guide to Cyber AI. A comprehensive white paper that categorizes the different applications of AI in cybersecurity. Download the White Paper here.  

Do security professionals believe generative AI alone is enough to stop zero-day threats?

No! 86% of survey participants believe generative AI alone is NOT enough to stop zero-day threats

This consensus spans all geographies, organization sizes, and roles, though executives are slightly less likely to agree. Asia-Pacific participants agree more, while U.S. participants agree less.

Despite expecting generative AI to have the most impact, respondents recognize its limited security use cases and its need to work alongside other AI types. This highlights the necessity for vendor transparency and varied AI approaches for effective security across threat prevention, detection, and response.

Stakeholders must understand how AI solutions work to ensure they offer advanced, rather than outdated, threat detection methods. The survey shows awareness that old methods are insufficient.

To access the full report, click here.

Continue reading
About the author
The Darktrace Community
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.