• Darktrace / NETWORK detects and precisely responds to both known and novel threats. Approximately 70 percent of detections involve highly anomalous activity, including insider threats, compliance-related issues, or other malicious external threats.‍

Darktrace, a global leader in AI for cybersecurity, announced it has delivered significant new advancements in network detection and response (NDR) with multiple new innovations for Darktrace / NETWORK™. These updates help organizations address the challenges of the modern enterprise network, including managing distributed infrastructure and a hybrid workforce, detecting an increasing volume of novel, unknown, and AI-driven threats, and streamlining the time-intensive burden of investigation and response for security analysts.

Jack Stockdale, Chief Technology Officer, Darktrace, commented:

‍“For over a decade, Darktrace has pioneered the use of AI in network detection and response, achieving one-fifth of the global NDR market share and supporting nearly 10,000 organizations. Darktrace is proven to meet the needs of the increasingly complex modern enterprise IT network and currently supports customers in industries including critical infrastructure like healthcare and energy, financial services, telecommunications, retail, manufacturing, and many more. We regularly deliver new innovations to meet the core challenges in the NDR market, and advance beyond traditional requirements to help our customers secure their environments from a wide range of evolving threats.” [1]

Expanded Threat Detection Methods

Darktrace / NETWORK uses a unique Self-Learning AI engine that learns what is normal behavior for an organization’s entire network, continuously analyzing, mapping and modeling every connection to create a full picture of your devices, identities, connections, and potential attack paths. With its ability to uncover previously unknown threats as well as detect known threats via signatures and threat intelligence, Darktrace is an essential layer of the security stack that augments existing preventative measures. Darktrace has helped secure customers against attacks including Log4J, SolarWinds, novel phishing scams during COVID-19, and more.  

An evaluation conducted in November 2024 of actionable detections across the global Darktrace / NETWORK customer base [2] found that most threats detected were novel or highly anomalous. These threats were not blocked by other security tools that rely heavily on pre-existing indicators of compromise, rules, and signatures, such as next-generation firewalls, secure service edge and zero trust network access, or intrusion prevention systems, due to how these components are managed.

• 30% of detections in this period were from known threats, half of which matched indicators of compromise from external threat intelligence and the other half were rules or signature-based (using machine learning to automatically manage their detection engineering properties).
• 70% were detections of highly anomalous activity, including insider threats, compliance risks, and novel or unknown external threat activity.

To further enhance these capabilities, Darktrace introduced new detection features over the last year including:

• Threat intelligence ingestion: Darktrace can ingest and manage secondary STIX and TAXII threat intelligence to proactively detect and autonomously respond to known threats based on indicators of compromise, facilitating additional threat hunting and creation of custom detections. Now, Darktrace Cyber AI Analyst™ can automatically investigate, correlate, and raise a critical incident for each intelligence-based detection if deemed important for the human investigation team.
• Decryption and encrypted traffic analysis: Darktrace supports decrypting TLS traffic and analyzing both encrypted and decrypted forms together, including Deep Packet Inspection for protocols inside encrypted connections such as HTTP/2.
• Support for NetFlow v9: Darktrace ingests NetFlow v9 records of traffic activity which enhances visibility over areas of networks that might otherwise go unmonitored.
• Tunneling detection improvements: Specialized scrutiny of commonly used tunneling services that can easily be repurposed for remote access and control of devices and have seen increasing use globally throughout 2024.
• Detection of generative AI misuse: Dedicated risk and compliance detection models help prevent data loss by allowing customers to monitor, and when necessary, respond to activity and connections to generative AI and large language model (LLM) tools such as AutoGPT, ChatGPT, Stable Diffusion, Claude, and more.

Enhancements to Support the Scale of Large, Modern Network Architectures

Darktrace / NETWORK is designed to scale with the needs of modern organizations, providing robust performance and visibility across large and complex networks.

Darktrace’s ability to handle this scale and complexity has been proven with customers throughout 2024. For example, one customer oversees their entire Darktrace / NETWORK deployment from a single central unified view that covers 50 large locations globally (many with their own security teams working locally) plus more than 15,000 Darktrace / ENDPOINT™ agents providing network visibility for traveling devices and smaller offices and locations.

Recent updates to further support large, global deployments include:

• Centralized, enterprise-wide network detection, investigation and response: Customers can extend visibility and control across the modern perimeter-less network, with support for Microsoft Azure and Amazon Web Services (AWS) environments with Darktrace / CLOUD™; remote or hybrid workers with integrations for leading Zero Trust Network Access providers or with Darktrace / ENDPOINT; cyber-physical systems and operational technology with Darktrace / OT™; and, a wide variety of enterprise SaaS applications and identities including Microsoft 365 and Salesforce  with Darktrace / IDENTITY™ .
• Proactive network performance monitoring: Detailed status alerts for significant changes in bulk network activity, with proactive recommendations to identify and resolve potential security threats and network performance issues.
• Additional customization for distributed deployments: Darktrace offers a unified view to streamline the management of large deployments, which can now be used to centrally define a wider range of unique local settings. This increases flexibility and simplifies ongoing management for large, distributed, global deployments where different configurations are required across different locations with multiple physical, virtual, and cloud deployment types.

Innovations to Streamline Security Workflows

Darktrace / NETWORK can be used by security teams as the central place to manage and respond to threats, and it is uniquely designed to help streamline and improve SOC efficiency. Innovations including Darktrace’s industry-first Cyber AI Analyst™ provide a patented approach to automate the investigation of alerts and understand incidents at scale. Cyber AI Analyst performed 1.5 million investigations per week on average during 2023, and generally completes an investigation within just five minutes of an initial alert being raised [3].

Darktrace has continued to prioritize user experience, efficiency, and scale, with enhancements including:

• Automated detection engineering: External threat intelligence feeds and custom signatures are automatically investigated and an incident raised if there is a material impact. This helps minimize the amount of time and effort required by a security analyst to manage rules or continually assess incorrect or outdated intelligence and indicators of compromise.
• Explainable and automated AI-led triage and investigations for alerts: Cyber AI Analyst automatically investigates all relevant alerts to completion, including third party alerts, reducing alert fatigue by replacing the existing manual triage process with AI. It now provides detailed explanations of an investigation, its reasoning behind search queries, and significance of findings, even for those alerts that are not escalated to incidents. This frees up teams to focus on response actions, threat hunting, and proactive hardening.  
• Increased customization of investigations: Customers can now specify how Cyber AI Analyst investigates alerts, providing increased flexibility for custom alerts.
• Upgraded incident interface: A new interface centralizes all components of an investigation and gathers all capabilities needed to follow up on incidents, including incident structure, key investigation details, Autonomous Response action summaries, third party alerts, and more.
• MITRE ATT&CK mapping: Darktrace tracks any relevant model alert to the MITRE ATT&CK framework and will display this is in any related Cyber AI Analyst investigations and reports.  
• Autonomous Response enhancements: Cyber AI Analyst can initiate and further leverage Autonomous Response actions when it discovers a high importance or large-scale incident, even if the initial alerts were not threatening enough to justify immediate automated actions. The duration of Autonomous Response actions can also be adjusted at a global level, giving security teams the flexibility to enforce a minimum containment time aligned with their known or target time to follow up.

Darktrace was recently named a leader in the 2024 IDC MarketScape for Worldwide Network Detection and Response, and the KuppingerCole Leadership Compass: Network Detection and Response (2024).

For more information about Darktrace / NETWORK and how it is pushing beyond the definitions of traditional NDR technologies, please visit https://darktrace.com/products/ NETWORK

About Darktrace

Darktrace is a global leader in AI for cybersecurity that keeps organizations ahead of the changing threat landscape every day. Founded in 2013, Darktrace provides the essential cybersecurity platform protecting organizations from unknown threats using its proprietary AI that learns from the unique patterns of life for each customer in real-time. The Darktrace ActiveAI Security Platform™ delivers a proactive approach to cyber resilience with pre-emptive visibility into security posture, real-time threat detection, and autonomous response – securing the business across cloud, email, identities, operational technology, endpoints, and network. Breakthrough innovations from our R&D teams in Cambridge, UK, and The Hague, Netherlands have resulted in over 200 patent applications filed. Darktrace’s platform and services are supported by over 2,400 employees around the world who protect nearly 10,000 customers across all major industries globally. To learn more, visit http://www.darktrace.com.

NOTES

[1]  IDC MarketScape: Worldwide Network Detection and Response 2024 Vendor Assessment (doc #US51752324, November 2024). The report notes, “Darktrace achieves roughly one-fifth of all global NDR revenue.”

[2] Based on a study conducted by Darktrace between November 1-30, 2024, of all actionable detections from Darktrace / NETWORK customers providing relevant telemetry.

[3] Based on an internal analysis of Darktrace Cyber AI Analyst fleet data collected from 1 January to 31 December 2023.

‍

‍

‍

‍