Blog
/
Network
/
October 3, 2023

Unveiling ViperSoftX: A Darktrace Investigation

Read about the ViperSoftX threat and how Darktrace's innovative detection methods exposed this cyber intrusion and its potential impacts.
Written by
Zoe Tilsiter
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Zoe Tilsiter
Cyber Analyst
Default blog image
03
Oct 2023

Fighting Info-Stealing Malware

The escalating threat posed by information-stealing malware designed to harvest and steal the sensitive data of individuals and organizations alike has become a paramount concern for security teams across the threat landscape. In direct response to security teams improving their threat detection and prevention capabilities, threat actors are forced to continually adapt and advance their techniques, striving for greater sophistication to ensure they can achieve the malicious goals.

What is ViperSoftX?

ViperSoftX is an information stealer and Remote Access Trojan (RAT) malware known to steal privileged information such as cryptocurrency wallet addresses and password information stored in browsers and password managers. It is commonly distributed via the download of cracked software from multiple sources such as suspicious domains, torrent downloads, and key generators (keygens) from third-party sites.

ViperSoftX was first observed in the wild in 2020 [1] but more recently, new strains were identified in 2022 and 2023 utilizing more sophisticated detection evasion techniques, making it more difficult for security teams to identify and analyze. This includes using more advanced encryption methods alongside monthly changes to command-and-control servers (C2) [2], using dynamic-link library (DLL) sideloading for execution techiques, and subsequently loading a malicious browser extension upon infection which works as an independent info-stealer named VenomSoftX [3].

Between February and June 2023, Darktrace detected activity related to the VipersoftX and VenomSoftX information stealers on the networks of more than 100 customers across its fleet. Darktrace DETECT™ was able to successfully identify the anomalous network activity surrounding these emerging information stealer infections and bring them to the attention of the customers, while Darktrace RESPOND™, when enabled in autonomous response mode, was able to quickly intervene and shut down malicious downloads and data exfiltration attempts.

ViperSoftX Attack & Darktrace Coverage

In cases of ViperSoftX information stealer activity observed by Darktrace, the initial infection was caused through the download of malicious files from multimedia sites, endpoints of cracked software like Adobe Illustrator, and torrent sites. Endpoint users typically unknowingly download the malware from these endpoints with a sideloaded DLL, posing as legitimate software executables.

Darktrace detected multiple downloads from such multimedia sites and endpoints related to cracked software and BitTorrent, which were likely representative of the initial source of ViperSoftX infection. Darktrace DETECT models such as ‘Anomalous File / Anomalous Octet Stream (No User Agent)’ breached in response to this activity and were brought to the immediate attention of customer security teams. In instances where Darktrace RESPOND was configured in autonomous response mode, Darktrace was able to enforce a pattern of life on offending devices, preventing them from downloading malicious files.  This ensures that devices are limited to conducting only their pre-established expected activit, minimizing disruption to the business whilst targetedly mitigating suspicious file downloads.

The downloads are then extracted, decrypted and begin to run on the device. The now compromised device will then proceed to make external connections to C2 servers to retrieve secondary PowerShell executable. Darktrace identified that infected devices using PowerShell user agents whilst making HTTP GET requests to domain generation algorithm (DGA) ViperSoftX domains represented new, and therefore unusual, activity in a large number of cases.

For example, Darktrace detected one customer device making an HTTP GET request to the endpoint ‘chatgigi2[.]com’, using the PowerShell user agent ‘Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2364’. This new activity triggered a number of DETECT models, including ‘Anomalous Connection / PowerShell to Rare External’ and ‘Device / New PowerShell User Agent’. Repeated connections to these endpoints also triggered C2 beaconing models including:  

  • Compromise / Agent Beacon (Short Period)
  • Compromise / Agent Beacon (Medium Period)
  • Compromise / Agent Beacon (Long Period)
  • Compromise / Quick and Regular Windows HTTP Beaconing
  • Compromise / SSL or HTTP Beacon

Although a large number of different DGA domains were detected, commonalities in URI formats were seen across affected customers which matched formats previously identified as ViperSoftX C2 communication by open-source intelligence (OSINT), and in other Darktrace investigations.  

URI paths for example, were always of the format /api/, /api/v1/, /v2/, or /v3/, appearing to detail version number, as can be seen in Figure 1.

Figure 1: A Packet Capture (PCAP) taken from Darktrace showing a connection made to a ViperSoftX C2 endpoint containing versioning information, consistent with ViperSoftX pattern of communication.  

Before the secondary PowerShell executables are loaded, ViperSoftX takes a digital fingerprint of the infected machine to gather its configuration details, and exfiltrates them to the C2 server. These include the computer name, username, Operating System (OS), and ensures there are no anti-virus or montoring tools on the device. If no security tool are detected, ViperSoftX then downloads, decrypts and executes the PowerShell file.

Following the GET requests Darktrace observed numerous devices performing HTTP POST requests and beaconing connections to ViperSoftX endpoints with varying globally unique identifiers (GUIDs) within the URIs. These connections represented the exfiltration of device configuration details, such as “anti-virus detected”, “app used”, and “device name”. As seen on another customer’s deployment, this caused the model ‘Anomalous Connection / Multiple HTTP POSTs to Rare Hostname’ to breach, which was also detected by Cyber AI Analyst as seen in Figure 2.

Figure 2: Cyber AI Analyst’s detection of HTTP POSTs being made to apibiling[.]com, a ViperSoftX C2 endpoint.

The malicious PowerShell download then crawls the infected device’s systems and directories looking for any cryptocurrency wallet information and password managers, and exfiltrates harvest data to the C2 infrastructure. The C2 server then provides further browser extensions to Chromium browsers to be downloaded and act as a separate stand-alone information stealer, also known as VenomSoftX.

Similar to the initial download of ViperSoftX, these malicious extensions are disguised as legitimate browser extensions to evade the detection of security teams. VenomSoft X, in turn, searches through and attempts to gather sensitive data from password managers and crypto wallets stored in user browsers. Using this information, VenomSoftX is able to redirect crypocurrency transactions by intercepting and manipulating API requests between the sender and the intended recipient, directing the cryptocurrency to the attacker instead [3].

Following investigation into VipersoftX activity across the customer base, Darktrace notified all affected customers and opened Ask the Expert (ATE) tickets through which customer’s could directly contact the analyst team for support and guidance in the face on the information stealer infection.

How did the attack bypass the rest of the security stack?

As previously mentioned, both the initial download of ViperSoftX and the subsequent download of the VenomX browser extension are disguised as legitimate software or browser downloads. This is a common technique employed by threat actors to infect target devices with malicious software, while going unnoticed by security teams traditional security measures. Furthermore, by masquerading as a legitimate piece of software endpoint users are more likely to trust and therefore download the malware, increasing the likelihood of threat actor’s successfully carrying out their objectives. Additionally, post-infection analysis of shellcode, the executable code used as the payload, is made significantly more difficult by VenomSoftX’s use of bytemapping. Bytemapping prevents the encryption of shellcodes without its corresponding byte map, meaning that the payloads cannot easily be decrypted and analysed by security researchers. [3]

ViperSoftX also takes numerous attempts to prevent their C2 infrastructure from being identified by blocking access to it on browsers, and using multiple DGA domains, thus renderring defunct traditional security measures that rely on threat intelligence and static lists of indicators of compromise (IoCs).

Fortunately for Darktrace customers, Darktrace’s anomaly-based approach to threat detection means that it was able to detect and alert customers to this suspicious activity that may have gone unnoticed by other security tools.

Insights/Conclusion

Faced with the challenge of increasingly competent and capable security teams, malicious actors are having to adopt more sophisticated techniques to successfully compromise target systems and achieve their nefarious goals.

ViperSoftX information stealer makes use of numerous tactics, techniques and procedures (TTPs) designed to fly under the radar and carry out their objectives without being detected. ViperSoftX does not rely on just one information stealing malware, but two with the subsequent injection of the VenomSoftX browser extension, adding an additional layer of sophistication to the informational stealing operation and increasing the potential yield of sensitive data. Furthermore, the use of evasion techniques like disguising malicious file downloads as legitimate software and frequently changing DGA domains means that ViperSoftX is well equipped to infiltrate target systems and exfiltrate confidential information without being detected.

However, the anomaly-based detection capabilities of Darktrace DETECT allows it to identify subtle changes in a device’s behavior, that could be indicative of an emerging compromise, and bring it to the customer’s security team. Darktrace RESPOND is then autonomously able to take action against suspicious activity and shut it down without latency, minimizing disruption to the business and preventing potentially significant financial losses.

Credit to: Zoe Tilsiter, Senior Cyber Analyst, Nathan Lorenzo, Cyber Analyst.

Appendices

References

[1] https://www.fortinet.com/blog/threat-research/vipersoftx-new-javascript-threat

[2] https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html

[3] https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/

Darktrace DETECT Model Detections

·       Anomalous File / Anomalous Octet Stream (No User Agent)

·       Anomalous Connection / PowerShell to Rare External

·       Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

·       Anomalous Connection / Lots of New Connections

·       Anomalous Connection / Multiple Failed Connections to Rare Endpoint

·       Anomalous Server Activity / Outgoing from Server

·       Compromise / Large DNS Volume for Suspicious Domain

·       Compromise / Quick and Regular Windows HTTP Beaconing

·       Compromise / Beacon for 4 Days

·       Compromise / Suspicious Beaconing Behaviour

·       Compromise / Large Number of Suspicious Failed Connections

·       Compromise / Large Number of Suspicious Successful Connections

·       Compromise / POST and Beacon to Rare External

·       Compromise / DGA Beacon

·       Compromise / Agent Beacon (Long Period)

·       Compromise / Agent Beacon (Medium Period)

·       Compromise / Agent Beacon (Short Period)

·       Compromise / Fast Beaconing to DGA

·       Compromise / SSL or HTTP Beacon

·       Compromise / Slow Beaconing Activity To External Rare

·       Compromise / Beaconing Activity To External Rare

·       Compromise / Excessive Posts to Root

·       Compromise / Connections with Suspicious DNS

·       Compromise / HTTP Beaconing to Rare Destination

·       Compromise / High Volume of Connections with Beacon Score

·       Compromise / Sustained SSL or HTTP Increase

·       Device / New PowerShell User Agent

·       Device / New User Agent and New IP

Darktrace RESPOND Model Detections

·       Antigena / Network / External Threat / Antigena Suspicious File Block

·       Antigena / Network / External Threat / Antigena File then New Outbound Block

·       Antigena / Network / External Threat / Antigena Watched Domain Block

·       Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

·       Antigena / Network / External Threat / Antigena Suspicious Activity Block

·       Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block

·       Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block

·       Antigena / Network / External Threat / Antigena Suspicious File Pattern of Life Block

·       Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach

List of IoCs

Indicator - Type - Description

ahoravideo-blog[.]com - Hostname - ViperSoftX C2 endpoint

ahoravideo-blog[.]xyz - Hostname - ViperSoftX C2 endpoint

ahoravideo-cdn[.]com - Hostname - ViperSoftX C2 endpoint

ahoravideo-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

ahoravideo-chat[.]com - Hostname - ViperSoftX C2 endpoint

ahoravideo-chat[.]xyz - Hostname - ViperSoftX C2 endpoint

ahoravideo-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint

ahoravideo-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

ahoravideo-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint

apibilng[.]com - Hostname - ViperSoftX C2 endpoint

arrowlchat[.]com - Hostname - ViperSoftX C2 endpoint

bideo-blog[.]com - Hostname - ViperSoftX C2 endpoint

bideo-blog[.]xyz - Hostname - ViperSoftX C2 endpoint

bideo-cdn[.]com - Hostname - ViperSoftX C2 endpoint

bideo-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

bideo-chat[.]com - Hostname - ViperSoftX C2 endpoint

bideo-chat[.]xyz - Hostname - ViperSoftX C2 endpoint

bideo-endpoint[.]com - Hostname - ViperSoftX C2 endpoint

bideo-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint

bideo-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

chatgigi2[.]com - Hostname - ViperSoftX C2 endpoint

counter[.]wmail-service[.]com - Hostname - ViperSoftX C2 endpoint

fairu-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

fairu-chat[.]xyz - Hostname - ViperSoftX C2 endpoint

fairu-endpoint[.]com - Hostname - ViperSoftX C2 endpoint

fairu-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

fairu-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint

privatproxy-blog[.]com - Hostname - ViperSoftX C2 endpoint

privatproxy-blog[.]xyz - Hostname - ViperSoftX C2 endpoint

privatproxy-cdn[.]com - Hostname - ViperSoftX C2 endpoint

privatproxy-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

privatproxy-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint

privatproxy-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

privatproxy-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint

static-cdn-349[.]net - Hostname - ViperSoftX C2 endpoint

wmail-blog[.]com - Hostname - ViperSoftX C2 endpoint

wmail-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

wmail-chat[.]com - Hostname - ViperSoftX C2 endpoint

wmail-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

wmail-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint

Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2364 - User Agent -PowerShell User Agent

MITRE ATT&CK Mapping

Tactic - Technique - Notes

Command and Control - T1568.002 Dynamic Resolution: Domain Generation Algorithms

Command and Control - T1321 Data Encoding

Credential Access - T1555.005 Credentials from Password Stores: Password Managers

Defense Evasion - T1027 Obfuscated Files or Information

Execution - T1059.001 Command and Scripting Interpreter: PowerShell

Execution - T1204 User Execution T1204.002 Malicious File

Persistence - T1176 Browser Extensions - VenomSoftX specific

Persistence, Privilege Escalation, Defense Evasion - T1574.002 Hijack Execution Flow: DLL Side-Loading

Written by
Zoe Tilsiter
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Zoe Tilsiter
Cyber Analyst

When Open Source Is Weaponized: Analysis of a Trojanized 7 Zip Installer

Network
May 19, 2026
Justin Torres
Cyber Analyst
Watch the NIS2 Webinar
Trending blogs
1
Prompt Security in Enterprise AI: Strengths, Weaknesses, and Common Approaches
May 20, 2026
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Network
May 21, 2026

Darktrace named a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) For the Second Consecutive Year

Darktrace has been named a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) for the second consecutive year. We believe this reflects continued execution in NDR, ongoing AI innovation, and strong outcomes delivered for customers globally.
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Read more
Network
May 19, 2026

When Open Source Is Weaponized: Analysis of a Trojanized 7 Zip Installer

Attackers abused a trojanized 7‑Zip installer distributed via a typo‑squatted domain to establish proxyware infections worldwide. This blog analyzes how social engineering, trusted open‑source software, and stealthy command‑and‑control activity enabled widespread compromise, highlighting the importance of software validation, user awareness, and proactive network‑level detection.
Justin Torres
Cyber Analyst
Read more
Network
May 14, 2026

Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor

Darktrace researchers identified a Twill Typhoon–linked China‑nexus campaign targeting APJ customers. The activity observed includes CDN impersonation, legitimate binaries, and DLL sideloading to deploy a modular .NET RAT.
Tara Gould
Malware Research Lead
Read more

Blog

/

OT

/

June 9, 2026

Healthcare’s OT Cybersecurity Gap: Why Hospitals Must Make the Same Security Investments as Regulated Critical Infrastructures

healthcare OTDefault blog imageDefault blog image

Rethinking the healthcare attack surface

When most people think about Operational Technology (OT) cybersecurity, they think about oil & gas pipelines, utilities, manufacturing plants, or power grids. However, hospitals & healthcare systems have quickly become a point of focus in the OT cybersecurity community as they do employ a variety of OT in the form of IoMT (Internet of Medical Things) networked devices such as: infusion pumps, imaging systems, patient monitoring equipment, laboratory systems, and traditional industrial control systems (ICS) in the form of smart building management systems (BMS) and even on site power generation control systems. 

These healthcare environments are no longer just traditional IT ecosystems, they are cyber-physical environments where disruption can directly impact patient care, operational continuity, and ultimately patient safety.

The OT cybersecurity expertise gap in healthcare organizations

Our research in the OT cybersecurity space revealed a concerning trend. Many hospitals and healthcare networks lack dedicated OT cybersecurity teams, OT security full time employees (FTE) and even OT expertise in the form of OT security certifications when compared to other critical infrastructure sectors.

On the other hand, within industries such as energy and manufacturing, we encounter more mature OT security programs that employ full time employees  dedicated to OT cybersecurity with OT security certifications and expertise to secure industrial and operational environments and lead investment in OT security processes and technology.

When reviewing the top 20 U.S. Hospitals by market cap, given what is publicly available on LinkedIn, only one FTE with an OT cybersecurity certification was found. The certifications that were searched for include: GIAC GICSP, GIAC GRID, GIAC GCIP and all ISA/IEC 62443 certifications. When replicating this same search across the top 20 utility providers in the US, 73 FTEs with OT related certifications were identified. As a control group, we looked within financial services, an industry NOT expected to have OT systems worth investing in FTEs to protect. However, the top 20 US financial institutions had 18 FTEs with OT related certifications. 

What these findings reveal

Overall, the findings regarding healthcare investment in OT security FTEs are surprising given how operationally dependent modern healthcare has become on OT. So why aren't hospitals investing in OT security personnel at the rate of peer critical infrastructures? It could just be lack of awareness; however, there are other, more plausible reasons.  

Based on historical trends in cyber incidents within the healthcare space, one could speculate that there is significantly greater likelihood of being victim to an attack that  focuses on extortion or data theft rather than an attack on specific OT systems. The amount of ransomware events incurred in healthcare, that historically do not target OT systems, may divert attention and security investment to the parts of the attack surface most likely to be targeted by ransomware. Additionally, data theft is a relevant threat objective for hospitals given PHI, PCI and PII, and data theft does not traditionally align with attacks targeting OT.  

However, with focused investment to address data theft and with adversaries new capability to string together chains of vulnerabilities of different severity scores using advancements in AI, we could be entering a threat landscape where adversaries pivot their tactics to target exposed and under protected devices and systems like OT. For example, although not a patient records database, predominant IOMT protocols HL7 and DICOM are unencrypted plaintext protocols and unless encrypted it is very simple for adversaries, who are sniffing traffic, to identify protected health information (PHI) in these communication protocols.

Why OT cybersecurity expertise can be effective for healthcare organizations

The convergence of IT, OT, and IoMT is already here, and threat actors are increasingly aware of the operational vulnerabilities that come with it. Additionally, as AI solutions such as agentic or generative applications are adopted and deployed, the attack surface will continue to change as permissions, and new connections will exist to support AI efficiency. From a cybersecurity standpoint, the reality is that many healthcare organizations are still working to establish consistent visibility and governance across their enterprise-connected devices and systems as their attack surface is changing in real time.  As the healthcare sector remains a significant target for cyber-attacks, hospitals would be well advised to begin addressing their operational environments OT as a critical component of their attack surface and invest in securing them first with people, then process and technology. 

What can healthcare organizations do to secure their OT

Including OT in current cybersecurity processes such as red teaming and testing incident response plans that take OT into account alongside building dedicated OT security capabilities including improving OT network visibility, leveraging OT network anomaly detection, micro-segmentation, and secure remote access will become essential steps in strengthening healthcare resilience. 

However, before any of the above processes or investments in technology can be made, these healthcare organizations, like the other critical infrastructure sectors, need to invest in the people with the experience in OT security to lead, implement, manage and audit the investment in OT cybersecurity technology and processes.  In cases where headcount cannot be added, investment in OT security certifications, such as the ones listed in this article, and participation on OT security events focused on practitioner training for existing cybersecurity employees can move the needle in terms of bringing OT expertise to the existing team.  

In an industry where uptime and safety are as mission critical as they are for a power utility, OT cybersecurity FTEs can no longer be viewed as optional for healthcare organizations and must become part of the foundation of modern healthcare cybersecurity strategy. 

[related-resource]

Continue reading
About the author
Daniel Simonds
Director of Operational Technology

Blog

/

/

June 9, 2026

Always On, Always Defending: Inside the AI-Driven SOC

Default blog imageDefault blog image

Today’s SOC: A system under pressure

The SOC has been described as the:

  • Control center for security systems management  
  • Operations center for log analysis and alert response
  • Command center for network monitoring and investigation

But the CISO at a manufacturer of industrial power solutions says today’s SOC is far more dynamic:

“The SOC is an active player in a never-ending chess match where the pieces are always moving, the rules are constantly changing, and we’re continuously adjusting our tactical and strategic approaches to keep up.”

This has created a balancing act for cybersecurity professionals:

  • Support expanding digital estates to fuel innovation…or risk limiting business growth
  • Stop advanced cyberattacks at scale…or risk severe financial and reputational impacts

But balancing these responsibilities is increasingly difficult. Attackers are operating at machine speed and scale using sophisticated, adaptive techniques that overwhelm teams and bypass legacy defenses. At the same time, more than half of cybersecurity teams are understaffed, and 65% have unfilled cybersecurity positions (ISACA).

“The SOC is hitting its breaking point,” admits the VP of IT at a U.S.-based risk management services provider.”

“That’s the hard reality,” affirms a Chief Digital and Technology Officer at a North American financial services organization. “SOC teams are drowning in alerts, wasting time researching the most benign incidents while missing critical threats.”

Traditional tools lack the context and autonomous reasoning needed to determine which ones are truly dangerous, requiring analysts to manually review and respond. But with thousands of alerts hitting SOCs daily, the task exceeds human capacity, with recent industry research revealing that 40% to 42% of security alerts now go uninvestigated.

“Our old governance models of throwing bodies at it, that’s not going to work,” says the Group CIO of a multinational holding company. “Attackers move at machine speed, and our defenses have to operate at the same pace. Using AI for cybersecurity is the only way to do that.”

Why AI is essential

AI is about speed, scale, and context.

SOC teams are still expected to find the proverbial “needle in a haystack”, but the haystack keeps growing. As digital infrastructures expand and threat actors use AI to rapidly scale attacks and exploit vulnerabilities, success isn’t about keeping up but changing the approach.

This is where AI comes in, enabling security teams to operate at machine speed and scale by:

  • Analyzing vast amounts of data and correlating signals across domains within seconds
  • Detecting possible threats in real time and taking immediate action to mitigate risk
  • Prioritizing threats by severity and uncovering contextual details for rapid triage

The power of AI isn’t theoretical; it is transforming how today’s businesses operate.

The Chief Digital and Technology Officer at a financial services firm says within a single month of using Darktrace, the solution tracked billions of network events, autonomously investigated tens of millions of those incidents, and added the equivalent of 1,000 analyst hours of investigation. It also found threats that bypassed traditional tools, autonomously responding to contain or disrupt the threat on over 30,000 emails, including 18,000 the firm’s native email filter missed.

When Darktrace says it “takes action on a threat,” it generally means its platform can move beyond just detecting suspicious activity and automatically respond to contain or disrupt the threat—such as isolating a device, slowing or blocking suspicious network traffic, disabling risky user activity, or triggering security workflows—depending on how the system is configured.

AI isn’t about displacing humans.

AI is a powerful tool for handling large-scale data analysis, pattern detection, and repetitive tasks, but it cannot replace human critical thinking. By removing mindless work that does not require judgment, AI frees analysts to focus on what humans do best: applying reasoning, context, and sound decision-making to complex threats.

“AI is a workforce maximizer,” says the Chief Digital and Technology Officer. “It augments our team by monitoring and detecting threats at a scale beyond human capacity while providing the critical context we need to make faster, more confident decisions.

Rather than replacing people, AI is changing how security professionals work. Analysts can reclaim time previously spent on tedious, manual triage to focus on higher priorities and proactive initiatives like advanced threat hunting, strategic risk management, and security enablement and training.

“Aside from risk mitigation, our biggest ROI is in efficiency,” says the Head of Security at global business services provider. “What used to take 90% of our investigation time is now handled automatically, so we can focus on the final 10%, which requires critical thinking."

For SOC teams under pressure, the impact can be transformative, with security leaders reporting significant real-world outcomes using Darktrace Self-Learning AITM, including:

  • Phishing emails reduced by 99%
  • 1 million+ emails autonomously analyzed each month, with no email-based incidents reported
  • Potential threats autonomously neutralized in under four seconds, on average  
  • 99% of investigations conducted autonomously, surfacing only the high-priority 1% of threats for analyst review

How AI optimizes the SOC

To protect the modern enterprise, you absolutely need the right tools,” says CTO at leading European fashion brand. “Without them you’re a victim. With them, you’re a defender. AI and the machine speed detect/response it enables makes it the most critical tool.”

Replacing chaos with clarity and control  

It’s important to note that different AI solutions address different needs. Companies should clearly understand their specific use case and select the solution that best aligns with their goals, requirements, and operational needs.  

When it comes to choosing cybersecurity in a machine-speed threat landscape, time is the most valuable resource. Organizations require AI that can move from insight to action by:

  • Learning an organization’s unique behavioral patterners
  • Correlating signals across domains to detect anomalous activity
  • Prioritizing events and autonomously responding at scale to the vast majority
  • Quarantining high-impact threats until the SOC can investigate
  • Arming analysts with deep, contextual information to accelerate investigations

“Darktrace AI gives us threat detections based on facts, not guesses,” says the Group CIO. “It moves the SOC beyond alert overload to confident, informed decision-making. When Darktrace flags something, we pay attention. False positives are very rare, so we act with speed and confidence without second-guessing.”

Replacing anxiety with confidence and peace of mind

Every missed alert can have real-world consequences.

The strain of maintaining constant vigilance at scale without holistic visibility and automation is taking its toll on security professionals: 66% report increased stress, and nearly half say it’s the reason they’re leaving the field (ISACA).

The CIO at a professional sports organization says that’s not surprising: “If you don’t know what’s going on, anything could be happening. Operating with that level of uncertainty and control is incredibly stressful.”

AI gives SOCs the power to be proactive by unifying telemetry across network, email, identity, and cloud environments to provide a complete picture and a stronger foundation for action. The benefits for analysts, both personally and professionally, are significant:

  • Achieve greater work-life balance: “Knowing that Darktrace has our backs 24/7 and will take immediate action to stop threats  means we can now work normal hours and take vacations without worrying,” says the Chief Digital and Technology Officer.
  • Feel in control with deeper insights: “It not only stops and quarantines threats but also provides the deep context we need to quickly investigate and respond,” explains the Head of Security.  
  • Gain confidence the business is protected 24/7: “We can sleep at night. With Darktrace I’m confident that even with a small team we can protect the business 24/7,” adds the former retail CIO.

The modern SOC: A system of balance

Elevated to a core pillar of business strategy, the modern SOC is now considered:

  • The nerve center of cyber risk and proactive defense
  • The AI-powered command center for operational resilience
  • The strategic hub for contextual decision-making at scale

The SOC has evolved from a reactive center responsible for managing systems into a proactive, frontline defender and strategic business enabler—integral to innovation and growth.

AI is the key to balancing these responsibilities.

“We can only grow as fast as we can secure the business,” says the Head of Security. “AI gives us the speed, scale, and confidence to do both.”

*Metrics are based on the customer’s interview, data and sourced from its monthly Cyber AI Insights reporting.

Continue reading
About the author
The Darktrace Community
Your data. Our AI.
Elevate your network security with Darktrace AI