Blog
/
Network
/
June 23, 2023

How Darktrace Quickly Foiled An Information Stealer

Discover how Darktrace thwarted the CryptBot malware in just 2 seconds. Learn about this fast-moving threat and the defense strategies employed.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst
Default blog image
23
Jun 2023

The recent trend of threat actors using information stealer malware, designed to gather and exfiltrate confidential data, shows no sign of slowing. With new or updated info-stealer strains appearing in the wild on a regular basis, it came as no surprise to see a surge in yet another prolific variant in late 2022, CryptBot.

What is CryptBot?

CryptBot is a Windows-based trojan malware that was first discovered in the wild in December 2019. It belongs to the prolific category of information stealers whose primary objective, as the name suggests, is to gather information from infected devices and send it to the threat actor.

ZeuS was reportedly the first info-stealer to be discovered, back in 2006. After its code was leaked, many other variants came to light and have been gaining popularity amongst cyber criminals [1] [2] [3]. Indeed, Inside the SOC has discussed multiple infections across its customer base associated with several types of stealers in the past months [4] [5] [6] [7]. 

The Darktrace Threat Research team investigated CryptBot infections on the digital environments of more than 40 different Darktrace customers between October 2022 and January 2023. Darktrace DETECT™ and its anomaly-based approach to threat detection allowed it to successfully identify the unusual activity surrounding these info-stealer infections on customer networks. Meanwhile, Darktrace RESPOND™, when enabled in autonomous response mode, was able to quickly intervene and prevent the exfiltration of sensitive company data.

Why is info-stealer malware popular?

It comes as no surprise that info-stealers have “become one of the most discussed malware types on the cybercriminal underground in 2022”, according to Accenture’s Cyber Threat Intelligence team [10]. This is likely in part due to the fact that:

More sensitive data on devices

Due to the digitization of many aspects of our lives, such as banking and social interactions, a trend accelerated by the COVID-19 pandemic.

Cost effective

Info-stealers provide a great return on investment (ROI) for threat actors looking to exfiltrate data without having to do the traditional internal reconnaissance and data transfer associated with data theft. Info-stealers are usually cheap to purchase and are available through Malware-as-a-Service (MaaS) offerings, allowing less technical and resourceful threat actors in on the stealing action. This makes them a prevalent threat in the malware landscape. 

How does CryptBot work?

The techniques employed by info-stealers to gather and exfiltrate data as well as the type of data targeted vary from malware to malware, but the data targeted typically includes login credentials for a variety of applications, financial information, cookies and global information about the infected computer [8]. Given its variety and sensitivity, threat actors can leverage the stolen data in several ways to make a profit. In the case of CryptBot, the data obtained is sold on forums or underground data marketplaces and can be later employed in higher profile attacks [9]. For example, stolen login information has previously been leveraged in credential-based attacks, which can successfully bypass authentication-based security measures, including multi-factor authentication (MFA). 

CryptBot functionalities

Like many information stealers, CryptBot is designed to steal a variety of sensitive personal and financial information such as browser credentials, cookies and history information and social media accounts login information, as well as cryptocurrency wallets and stored credit card information [11]. General information (e.g., OS, installed applications) about the infected computer is also retrieved. Browsers targeted by CryptBot include Chrome, Firefox, and Edge. In early 2022, CryptBot’s code was revamped in order to streamline its data extraction capabilities and improve its overall efficiency, an update that coincided with a rise in the number of infections [11] [12].

Some of CryptBot's functionalities were removed and its exfiltration process was streamlined, which resulted in a leaner payload, around half its original size and a quicker infection process [11]. Some of the features removed included sandbox detection and evasion functionalities, the collection of desktop text files and screen captures, which were deemed unnecessary. At the same time, the code was improved in order to include new Chrome versions released after CryptBot’s first appearance in 2019. Finally, its exfiltration process was simplified: prior to its 2022 update, the malware saved stolen data in two separate folders before sending it to two separate command and control (C2) domains. Post update, the data is only saved in one location and sent to one C2 domain, which is hardcoded in the C2 transmission function of the code. This makes the infection process much more streamlined, taking only a few minutes from start to finish. 

Aside from the update to its malware code, CryptBot regularly updates and refreshes its C2 domains and dropper websites, making it a highly fluctuating malware with constantly new indicators of compromise and distribution sites. 

Even though CryptBot is less known than other info-stealers, it was reportedly infecting thousands of devices daily in the first months of 2020 [13] and its continued prevalence resulted in Google taking legal action against its distribution infrastructure at the end of April 2023 [14].  

How is CryptBot obtained?

CryptBot is primarily distributed through malicious websites offering free and illegally modified software (i.e., cracked software) for common commercial programs (e.g., Microsoft Windows and Office, Adobe Photoshop, Google Chrome, Nitro PDF Pro) and video games. From these ‘malvertising’ pages, the user is redirected through multiple sites to the actual payload dropper page [15]. This distribution method has seen a gain in popularity amongst info-stealers in recent months and is also used by other malware families such as Raccoon Stealer and Vidar [16] [17].

A same network of cracked software websites can be used to download different malware strains, which can result in multiple simultaneous infections. Additionally, these networks often use search engine optimization (SEO) in order to make adverts for their malware distributing sites appear at the top of the Google search results page, thus increasing the chances of the malicious payloads being downloaded.

Furthermore, CryptBot leverages Pay-Per-Install (PPI) services such as 360Installer and PrivateLoader, a downloader malware family used to deliver payloads of multiple malware families operated by different threat actors [18] [19] [20]. The use of this distribution method for CryptBot payloads appears to have stemmed from its 2022 update. According to Google, 161 active domains were associated with 360Installer, of which 90 were associated with malware delivery activities and 29 with the delivery of CryptBot malware specifically. Google further identified hundreds of domains used by CryptBot as C2 sites, all of which appear to be hosted on the .top top-level domain [21].

This simple yet effective distribution tactic, combined with the MaaS model and the lucrative prospects of selling the stolen data resulted in numerous infections. Indeed, CryptBot was estimated to have infected over 670,000 computers in 2022 [14]. Even though the distribution method chosen means that most of the infected devices are likely to be personal computers, bring your own device (BYOD) policies and users’ tendency to reuse passwords means that corporate environments are also at risk. 

CryptBot Attack Overview

In some cases observed by Darktrace, after connecting to malvertising websites, devices were seen making encrypted SSL connections to file hosting services such as MediaFire or Mega, while in others devices were observed connecting to an endpoint associated with a content delivery network. This is likely the location from where the malware payload was downloaded alongside cracked software, which is executed by the unsuspecting user. As the user expects to run an executable file to install their desired software, the malware installation often happens without the user noticing.

Some of the malvertising sites observed by Darktrace on customer deployments were crackful[.]com, modcrack[.]net, windows-7-activator[.]com and office-activator[.]com. However, in many cases detected by Darktrace, CryptBot was propagated via websites offering trojanized KMSPico software (e.g., official-kmspico[.]com, kmspicoofficial[.]com). KMSPico is a popular Microsoft Windows and Office product activator that emulates a Windows Key Management Services (KMS) server to activate licenses fraudulently. 

Once it has been downloaded and executed, CryptBot will search the system for confidential information and create a folder with a seemingly randomly generated name, matching the regex [a-zA-Z]{10}, to store the gathered sensitive data, ready for exfiltration. 

Figure 1: Packet capture (PCAP) of an HTTP POST request showing the file with the stolen data being sent over the connection.
Figure 1: Packet capture (PCAP) of an HTTP POST request showing the file with the stolen data being sent over the connection.

This data is then sent to the C2 domain via HTTP POST requests on port 80 to the URI /gate.php. As previously stated, CryptBot C2 infrastructure is changed frequently and many of the domains seen by Darktrace had been registered within the previous 30 days. The domain names detected appeared to have been generated by an algorithm, following the regex patterns [a-z]{6}[0-9]{2,3}.top or [a-z]{6}[0-9]{2,3}.cfd. In several cases, the C2 domain had not been flagged as malicious by other security vendors or had just one detection. This is likely because of the frequent changes in the C2 infrastructure operated by the threat actors behind CryptBot, with new malicious domains being created periodically to avoid detection. This makes signature-based security solutions much less efficient to detect and block connections to malicious domains. Additionally, the fact that the stolen data is sent over regular HTTP POST requests, which are used daily as part of a multitude of legitimate processes such as file uploads or web form submissions, allows the exfiltration connections to blend in with normal and legitimate traffic making it difficult to isolate and detect as malicious activity. 

In this context, anomaly-based security detections such as Darktrace DETECT are the best way to pick out these anomalous connections amidst legitimate Internet traffic. In the case of CryptBot, two DETECT models were seen consistently breaching for CryptBot-related activity: ‘Device / Suspicious Domain’, breaching for connections to 100% rare C2 .top domains, and ‘Anomalous Connection / POST to PHP on New External Host’, breaching on the data exfiltration HTTP POST request. 

In deployments where Darktrace RESPOND was deployed, a RESPOND model breached within two seconds of the first HTTP POST request. If enabled in autonomous mode, RESPOND would block the data exfiltration connections, thus preventing the data safe from being sold in underground forums to other threat actors. In one of the cases investigated by Darktrace’s Threat Research team, DETECT was able to successfully identify and alert the customer about CryptBot-related malicious activity on a device that Darktrace had only begun to monitor one day before, showcasing how fast Darktrace’s Self-Learning AI learns every nuance of customer networks and the devices within it.

In most cases investigated by Darktrace, fewer than 5 minutes elapsed between the first connection to the endpoint offering free cracked software and the data being exfiltrated to the C2 domain. For example, in one of the attack chains observed in a university’s network, a device was seen connecting to the 100% rare endpoint official-kmspico[.]com at 16:53:47 (UTC).

Device Event Log showing SSL connections to the official-kmspico[.]com malvertising website.
Figure 2: Device Event Log showing SSL connections to the official-kmspico[.]com malvertising website.

One minute later, at 16:54:19 (UTC), the same device was seen connecting to two mega[.]co[.]nz subdomains and downloading around 13 MB of data from them. As mentioned previously, these connections likely represent the CryptBot payload and cracked software download.

Device Event Log showing SSL connections to mega[.]com endpoints following the connection to the malvertising site.
Figure 3: Device Event Log showing SSL connections to mega[.]com endpoints following the connection to the malvertising site.

At 16:56:01 (UTC), Darktrace detected the device making a first HTTP POST request to the 100% rare endpoint, avomyj24[.]top, which has been associated with CryptBot’s C2 infrastructure [22]. This initial HTTP POST connection likely represents the transfer of confidential data to the attacker’s infrastructure.

Device Event Log showing HTTP connections made by the infected device to the C2 domain. 
Figure 4: Device Event Log showing HTTP connections made by the infected device to the C2 domain. 

The full attack chain, from visiting the malvertising website to the malicious data egress, took less than three minutes to complete. In this circumstance, the machine-speed detection and response capabilities offered by Darktrace DETECT and RESPOND are paramount in order to stop CryptBot before it can successfully exfiltrates sensitive data. This is an incredibly quick infection timeline, with no lateral movement nor privilege escalation required to carry out the malware’s objective. 

Device Event Log showing the DETECT and RESPOND models breached during the attack. 
Figure 5: Device Event Log showing the DETECT and RESPOND models breached during the attack. 

Darktrace Cyber AI Analyst incidents were also generated as a result of this activity, displaying all relevant information in one panel for easy review by customer security teams.

Cyber AI Analyst event log showing the HTTP connections made by the breach device to the C2 endpoint.
Figure 6: Cyber AI Analyst event log showing the HTTP connections made by the breach device to the C2 endpoint.

Conclusion 

CryptBot info-stealer is fast, efficient, and apt at evading detection given its small size and swift process of data gathering and exfiltration via legitimate channels. Its constantly changing C2 infrastructure further makes it difficult for traditional security tools that really on rules and signatures or known indicators of compromise (IoCs) to detect these infections. 

In the face of such a threat, Darktrace’s anomaly-based detection allows it to recognize subtle deviations in a device’s pattern of behavior that may signal an evolving threat and instantly bring it to the attention of security teams. Darktrace DETECT is able to distinguish between benign activity and malicious behavior, even from newly monitored devices, while Darktrace RESPOND can move at machine-speed to prevent even the fastest moving threat actors from stealing confidential company data, as it demonstrated here by stopping CryptBot infections in as little as 2 seconds.

Credit to Alexandra Sentenac, Cyber Analyst, Roberto Romeu, Senior SOC Analyst

Darktrace Model Detections  

AI Analyst Coverage 

  • Possible HTTP Command and Control  

DETECT Model Breaches  

  • Device / Suspicious Domain 
  • Anomalous Connection / POST to PHP on New External Host 
  • Anomalous Connection / Multiple HTTP POSTs to Rare Hostname 
  • Compromise / Multiple SSL to Rare DGA Domains

List of IOCs

Indicator Type Description
luaigz34[.]top Hostname CryptBot C2 endpoint
watibt04[.]top Hostname CryptBot C2 endpoint
avolsq14[.]top Hostname CryptBot C2 endpoint

MITRE ATT&CK Mapping

Category Technique Tactic
INITIAL ACCESS Drive-by Compromise - T1189 N/A
COMMAND AND CONTROL Web Protocols - T1071.001 N/A
COMMAND AND CONTROL Domain Generation Algorithm - T1568.002 N/A

References

[1] https://www.malwarebytes.com/blog/threats/info-stealers

[2] https://cybelangel.com/what-are-infostealers/

[3] https://ke-la.com/information-stealers-a-new-landscape/

[4] https://darktrace.com/blog/vidar-info-stealer-malware-distributed-via-malvertising-on-google

[5] https://darktrace.com/blog/a-surge-of-vidar-network-based-details-of-a-prolific-info-stealer 

[6] https://darktrace.com/blog/laplas-clipper-defending-against-crypto-currency-thieves-with-detect-respond

[7] https://darktrace.com/blog/amadey-info-stealer-exploiting-n-day-vulnerabilities 

[8] https://cybelangel.com/what-are-infostealers/

[9] https://webz.io/dwp/the-top-10-dark-web-marketplaces-in-2022/

[10] https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web

[11] https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-spread-by-pirated-software-sites/

[12] https://blogs.blackberry.com/en/2022/03/threat-thursday-cryptbot-infostealer

[13] https://www.deepinstinct.com/blog/cryptbot-how-free-becomes-a-high-price-to-pay

[14] https://blog.google/technology/safety-security/continuing-our-work-to-hold-cybercriminal-ecosystems-accountable/

[15] https://asec.ahnlab.com/en/31802/

[16] https://darktrace.com/blog/the-last-of-its-kind-analysis-of-a-raccoon-stealer-v1-infection-part-1

[17] https://www.trendmicro.com/pt_br/research/21/c/websites-hosting-cracks-spread-malware-adware.html

[18] https://intel471.com/blog/privateloader-malware

[19] https://cyware.com/news/watch-out-pay-per-install-privateloader-malware-distribution-service-is-flourishing-888273be 

[20] https://regmedia.co.uk/2023/04/28/handout_google_cryptbot_complaint.pdf

[21] https://www.bankinfosecurity.com/google-wins-court-order-to-block-cryptbot-infrastructure-a-21905

[22] https://github.com/stamparm/maltrail/blob/master/trails/static/malware/cryptbot.txt

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst

More in this series

No items found.

Blog

/

/

July 8, 2026

Securing AI: Analysis of the Complete Security Stack with Governance and Controls

ai security stackDefault blog imageDefault blog image

Why traditional cybersecurity approaches are not enough for AI

AI adoption outpaces most security programs’ ability to adapt.  That gap is now one of the most consequential sources of cyber risk facing enterprises. As organizations embed generative and agentic AI into development workflows, business operations, and security tooling itself, the question is no longer whether AI will introduce risk. The question is whether organizations understand where that risk actually lives and how to manage it operationally.  

Two recent pieces of guidance underscore this shift:

  1. The upcoming Cybersecurity Framework Profile for AI from NIST
  1. The Five Eyes government guidance on the careful adoption of agentic AI services

Taken together, they point to a critical conclusion. AI security cannot be reduced to model hardening or prompt filtering. It requires a defense in depth strategy that treats AI as both a new attack surface and a force multiplier for defense, while accounting for how AI fundamentally changes scale, speed, and autonomy.  

Recent threat research suggests that today's cyber risk is driven less by initial compromise and more by an adversary's ability to blend into normal operations over time. AI systems create the same exposure in a new form: more autonomy, more scale, and more opportunities for risky behavior to blend into normal operations.

How NIST defines the three core pillars of AI security

The NIST profile organizes AI risk across three inseparable focus areas that span all cybersecurity functions, Secure, Defend and Thwart. These areas are not sequential. They exist simultaneously and must be addressed together.

Secure

This treats AI as an attack surface. It includes models, prompts, agents, pipelines, training and inference data, retrieval augmented generation corpora, and the AI supply chain itself. AI systems are opaque, probabilistic, and non-deterministic by design. Some vulnerabilities are inherent in how models are trained or how data is sourced. Traditional patching does not fully mitigate these risks. This is also where many enterprises are weakest today and, critically, where many security programs stop.  

Defend

This is AI as a defensive force multiplier. AI can improve detection speed, scale, correlation, and response, but only if the right models are used and operationalized correctly. Machine-speed behavior-based detection, response and containment becomes critical in defending non-deterministic systems. Accuracy, explainability, governance, testing, validation, and integration into SOC workflows matter as much as capability. Without those controls, hallucination risk, over automation, and misplaced trust become security risks themselves.  

Thwart

This treats AI as an adversarial accelerant. Threat actors are already using AI to generate targeted social engineering attacks, deepfakes, malware, and autonomous attack agents. Asymmetric warfare is highlighting faster vulnerability discovery and exploitation with a lag on patch development, testing and deployment.  

How this looks in practice

Darktrace researchers observed scaled, automated exploitation of the React2Shell vulnerability within days of disclosure. A vulnerable cloud asset was exploited in under 120 seconds of being deployed. Darktrace research team observed an AI/LLM-generated malware sample used in exploitation activity tied to React2Shell. The significance isn't novelty. It is that AI lowers the barrier to producing usable offensive tooling and compresses the time between experimentation and deployment.  

Tactics are getting more and more creative in order to string together steps of an attack kill chain. This creates a dependency on behavior-based detection, autonomous investigation, autonomous containment, training, resilience investment, and recovery planning across the entire enterprise.

Why agentic AI fundamentally changes enterprise cyber risk

The Five Eyes guidance on agentic AI highlights material changes to the cyber risk profile of an organization. Unlike generative AI systems that produce content for human consumption, agentic AI systems reason, plan, and act autonomously across tools, data, and environments. That autonomy, combined with access to real systems, amplifies the impact of traditional cyber failures and introduces new system level risks that are difficult to predict, observe, and contain.  

Risk in agentic systems does not live in the model alone. It emerges from interactions between models, prompts, memory, tools, APIs, identities, privileges, inter-agent trust relationships, and human assumptions baked into design. Vulnerabilities are often introduced through data, connectors, natural language interfaces, protocols, and drift by design.

In supply-chain incidents, attackers did not need sophisticated exploits to scale impact. They abused trusted systems built for automation and implicit access. Agentic AI inherits that model. Once a system can act across tools, data, and workflows, compromise propagates through trust relationships that were never designed for machine autonomy.

The major agentic AI risk classes include the following:  

  • The identity control for non-human identities or autonomous agents makes it difficult to mitigate over-permissioning, limiting access, scope, and duration, as well as access hygiene
  • Agents are frequently over permissioned
  • Compromised tools inherit agent authority
  • Static secrets enable impersonation
  • Implicit trust between agents enables lateral movement

Design and configuration risks compound this, including privileges evaluated once at startup, poor segmentation, unvetted third party tools, reused authorization decisions outside their original context, and guardrail limitations.  

Behavioral risk  

Agents can optimize for goals in unsafe ways, misinterpret ambiguous intent, chain actions into unintended sequences, change behavior during evaluation, and exhibit deceptive or sycophantic responses.  

Structural risk  

Structural risk follows from agentic systems that are tightly coupled, multicomponent ecosystems. Failures can propagate across agents. Hallucinations cascade downstream. Resource exhaustion becomes systemic. Tool misuse enables indirect prompt injection and command execution. Rogue agents can poison peer agents through trust relationships.  

Accountability

Accountability becomes unclear as autonomy increases. Autonomous agents assume human identity permissions, and humans should have clear ownership of these agents, but they don’t, and this model is flawed. Decision paths are opaque and non-deterministic. Logs are fragmented and difficult to interpret. Reproducing an incident will be impossible without explicit design for observability and forensics. An agent compromise is functionally an insider threat, often with better access and fewer behavioral constraints than a human.  

What does defense in depth look like for AI?

Agentic AI runs on software, networks, identities, and data. It must be governed using the same foundational principles that have proven resilient under uncertainty, including secure by design, defense in depth, zero trust, least privilege, continuous monitoring, behavior-based advanced threat detection and containment, and incident response and recovery.

Core components to a Defense in depth Strategy for Securing the use of AI:

  • Strong, precise identity control plane to include an identity per agent (cryptographic, non‑shared)
    • Privilege monitoring and just‑in‑time access
  • Data Governance
  • Secure‑by‑default configurations
    • Security Posture Management  
    • Zero Trust principles  
  • Strong guardrails, deny‑by‑default policies, and isolation
  • Explicit instruction hierarchies and controlled context
  • Behavioral-based detection across entire enterprise to include inputs, tools, and outputs as well as AI used on the endpoint, across the network, cloud, SaaS, email, and OT
    • Runtime anomaly detection and goal‑drift detection
    • Autonomous containment to mitigate risk and minimize damage
  • Hard boundaries on autonomy and delegation
  • Testing, Evaluation, Validation and Verification  
    • Determine when autonomous action and when human in the loop
    • Adversarial training and agent‑specific testing
    • Simulation, red teaming, and chaos testing
  • Kill‑switches, rollback, and containment mechanisms
    • Forensics data captures, interpretability, autonomous containment, and remediation/recovery plans  

Until standards, tooling, and assurance methods mature, organizations should assume agentic AI systems will behave unexpectedly and design deployments around resilience, behavior-based detection, reversibility, and containment, not efficiency.

How security leaders should prepare for enterprise AI adoption

AI security is not model security alone. Data, pipelines, identities, and agents are first class assets. Many AI attacks succeed through standard cyber failures amplified by AI. Identity, data, and supply chain risk dominate. Behavior-based detection and response are critical, not optional. Logging, provenance, versioning, and forensics data capture of detections are mandatory because you cannot investigate or recover from AI incidents without them.  

Risk will often be visible in behavior before it is clearly defined in policy or guidance. The same pattern has been seen in pre-CVE disclosure detection, where abnormal activity appears before the industry has named or described the vulnerability. AI systems introduce that uncertainty by design.

Security leaders should prioritize controls before AI is fully deployed, avoid generic AI security checklists, integrate AI risk into existing cyber programs, and mitigate the risk of non-deterministic technology with continuous oversight, monitoring, behavior analytics, anomaly detection, autonomous investigation, and autonomous containment.

Visibility has a different connotation with AI. Previously, audit logging worked for software/people, but with Generative AI-based systems, interpretability and explainability is difficult to understand, you cannot "undo" what has been done, or see the logic or control a chain of events. This is why behavioral-based detections and containment becomes critical.  

What capabilities should every AI security program include?

If an organization asked “what must be in place before scaling AI?”:

  1. AI Risk board and approval workflow
  1. IAM + PAM for all AI services and agents
  1. AI asset inventory
  1. Prompt/output DLP with sanctioned AI access – This is not just pre- and post- filters, but behavior-based detections of semantic interface as well as behavior-based analysis of output with associated risk context.  
  1. Shadow AI identification
  1. Secure MLOps – This is an entire paper itself
  1. Runtime guardrails and tool restrictions
    • Including AI Gateway/SASE/Zero trust/
  1. Runtime security with behavior-based detections
    • Complete visibility, monitoring, behavior analytics, anomaly detection, risk/intent/context evaluation of anomalies, autonomous investigation and autonomous containment of all AI assets across endpoint, network, SaaS, SASE, cloud, OT, email, and messaging platforms
  1. Secure data pipelines and data governance
  1. SOC workflow changes from malicious classification workflows to behavior-based detection workflows
  1. Remediation plans for AI-related incidents  

Layered Governance and Security Stack for Securing AI  

The following outline considers governance and security tools that should be considered, well-integrated, deployed, tested, operationalized and embedded within security workflows. These tools and controls map to NIST’s CMF for AI.  

These considerations do not need to be implemented in order. Runtime Detect and Respond will help mitigate risk while Governance, Visibility, and Identity mature.

Category Tooling Controls
Governance & Visibility
  • AI asset inventory / AI CMDB
  • Shadow AI discovery
  • SaaS discovery
  • AI usage on non-endpoint managed systems via network or cloud telemetry
  • MCP server/client usage via protocols
  • Browser telemetry
  • Gateway or SASE telemetry
  • Establish a risk board to set up controls
  • Mandatory registration of AI systems
  • Owner, data classification, intended use, and risk tier
  • Supplier disclosure requirements
  • Risk mitigation plan for AI adoption, innovation, or development
Identity, Access & Agent Control

Non-human autonomous agents should not have the full permissions associated with a human user.

  • IAM with workload identities
  • PAM for AI service accounts
  • Secrets management with short-lived tokens
  • Zero Trust principles
  • Identity, permission, and token hygiene
  • Unique identities per model, agent, and pipeline
  • Least privilege for tools, data, and APIs
  • Explicit approval for autonomous actions
Data Security & Privacy
  • Data classification and labeling
  • Enterprise DLP across endpoint, email, network, cloud, and SaaS
  • Forensics data capture after risky detections
  • Prompt-level DLP through behavior-based semantic analysis with risk and intent context
  • Input/interface analysis for risky data requests
  • Output analysis for sensitive data
  • Data integrity evaluation
  • Retention and redaction policies for prompts and responses
Secure MLOps / LLMOps
  • Secure CI/CD with AI-specific gates
  • Model registries with approval workflows
  • Dependency, container, and artifact scanning
  • SBOM/AIBOM generation
  • IaC security scanning
  • Security posture management
  • Misconfiguration identification
  • Hardening recommendations
  • Signed models and prompts
  • Versioned datasets, configurations, logging, and controls
  • Securing data pipelines
  • Controlled promotion
  • Quality assurance
  • Adversarial testing
Runtime Security

Securing runtime goes beyond guardrails and model firewalls to include behavior-based detections, response, and containment.

  • Detection, monitoring, and SOC integration
  • Centralized visibility into prompts, outputs, and tool calls
  • AI-specific detections
  • Behavior-based detection for AI usage patterns
  • Model drift and behavior monitoring
  • Autonomous containment
  • Behavior-based detection of model inputs and outputs
  • Prompt injection detection
  • Model manipulation, including jailbreaking, poisoning, and related attacks
  • Sensitive data access attempts
  • Behavior-based detection across low-code agents, high-code agents, MCP clients and servers, endpoint, network, cloud, email, SaaS, SASE, IoT, and OT
  • Policy enforcement between users, models, tools, agents, SaaS models/tools, and MCP servers/clients
  • Risk, intent, and context evaluation for detections and response actions
Response & Recovery
  • Autonomous containment
  • AI-assisted playbooks
  • Forensics data capture for AI-related events
  • Model rollback mechanisms
  • Backup and restore for models and datasets
  • Kill switch for agents
  • Autonomous response to agents performing risky behaviors
  • Model and dataset rollback
  • Remediation plans
  • Tabletop exercises
  • Supplier coordination plans
  • Post-incident AI performance validation

AI security requires continuous visibility and behavioral detection

AI changes how fast systems move, how decisions are made, and how risk propagates. It does not change the fundamentals of security. Organizations that succeed will be the ones that apply those fundamentals rigorously, assume failure, and build systems that can detect, contain, and recover when AI behaves in ways they did not anticipate. Security is not what AI is allowed to do. It is whether the organization can understand, trust, and control what AI actually does in practice.  

Take this guidance to understand different initiatives that organizations should be considering. Securing AI is the most critical component to AI safety. As organizations invest more in AI adoption, they should be investing in security in order to mitigate the risk of AI adoption. Organizations should be evaluating their governance and security stack to include well-integrated tools that are deployed, tested, operationalized and embedded within security workflows. While organizations mature in governance, visibility and identity access management, they should be investing in behavior-based detection and autonomous containment to mitigate AI risk.  

Continue reading
About the author

Blog

/

/

July 6, 2026

NIST Just Proved It: AI Security Can’t Be Solved With Rules

ai security nistDefault blog imageDefault blog image

Static AI guardrails are inherently limited

As organizations adopt generative AI, many still assume that the right set of guardrails will be enough. The problem is you can’t anticipate every way these systems might be misused, abused or attacked. What NIST has done is put a mathematical foundation under that intuition.

In recent research building on Gödel’s incompleteness theorems, which showed that any system built on a fixed set of rules will always have gaps, NIST demonstrates that there is no finite set of guardrails that can be universally robust against adversarial prompts. In plain terms, if your defense is based on a fixed set of rules, there will always be inputs that bypass them. Not because the rules are badly written, but because the problem space is bigger than static rules can ever cover.

This is not new in cybersecurity - detection rules have always had to live with this trade-off. What is different with GenAI is the scale and shape of that problem. These systems are built on human language, and human language is not bounded. It is fluid, contextual and deliberately ambiguous. The number of ways intent can be hidden is effectively limitless. You are not defending against a defined protocol or a fixed exploit chain. You are defending against the entire expressive capacity of people.

So attempting to create a complete set of rules is the wrong starting point. It assumes the problem can be deterministically described. NIST’s work shows that it cannot. Organizations still need a way to manage AI risk, but the traditional approach of defining allowed and disallowed patterns is always going to lag behind what is actually happening. The same input can be benign in one context and risky in another, and static rules struggle to capture that distinction.

The question then is what fills that gap?

AI security must shift from rules to behavior

What's required is a shift in what you are trying to understand. Rules try to describe what should and shouldn't happen. Behavior shows you what is happening. Or to put it another way, if inputs are unbounded and adversaries adapt, the only stable signal is behavior.

In a GenAI context, that means analyzing how an AI model is being used, how prompts evolve over time, how outputs are shaped, and where AI agent interactions start to drift from what is expected. It means moving from static definitions of bad to a more dynamic understanding of intent.

Instead of trying to predict every bad prompt, you focus on identifying when behavior starts to move outside expected norms. Instead of asking whether a single input matches a rule, you ask whether the overall pattern of activity makes sense for the system and how it’s being used.

Guardrails remain important but they are only one layer

This does not eliminate the need for guardrails. They still play a role. But they will never address the entire problem space and are simply one part of your defense in depth approach.

NIST’s proof is useful because it makes this explicit. It removes the assumption that with enough effort, a complete rule set is achievable. It isn’t.

Once you accept that, the shift becomes unavoidable. This is no longer a problem of writing better rules, but of understanding behavior in a space where the possible inputs are effectively unbounded.

For security leaders, that changes the nature of the problem. It is less about defining what should be allowed, and more about recognizing when something is no longer consistent with expected behavior.

That does not remove the need for guardrails, but it does change their role. They set boundaries, but they do not define understanding. The gap between the two is where risk now sits.

In the end, this is what “can’t be solved with rules” really means. Rules will always leave gaps, and those gaps are not theoretical. They show up in how systems actually behave Not what we expect them to do, or what we intended them to do, but what they are doing in practice. That is where the signal is, and increasingly, that is where the security problem sits.

References:

https://www.nist.gov/news-events/news/2026/06/nist-mathematical-proof-supports-transition-continuous-monitor-and-update

https://ieeexplore.ieee.org/document/11475847

Continue reading
About the author
Andrew Hollister
Principal Solutions Engineer, Cyber Technician
Your data. Our AI.
Elevate your network security with Darktrace AI