The communication attack surface is expanding

Modern attackers no longer focus solely on inboxes, they target people and the productivity systems where work actually happens. Meanwhile, the boundary between internal and external usage of tools is becoming blurrier everyday – turning the entire workplace into the attack surface. In 2025, identity compromise emerged as the single most consistent threat across the global threat landscape, as observed by Darktrace research across our entire customer base. Over 70% of incidents in the US involved SaaS/M365 account compromise and phishing or email-based social engineering, making credential abuse the single most effective initial access vector.

Despite this upward trend, investment in existing security awareness training (SAT) isn’t moving the needle on reducing risk. 84% of organizations still measure success through completion rates¹, even though completion of standard training correlates with less than 2% real improvement in risky behavior.² By prioritizing completion, organizations reward time spent rather than meaningful engagement, yet time in training doesn’t translate to retention or real-world decision-making. This compliance-first approach has left the workforce unprepared for the threats they actually face.

At the same time, attacks have evolved. Highly personalized, AI-generated campaigns now move fluidly across email, Slack, Teams, Zoom, and beyond, blending channels and even targeting systems directly through techniques like prompt injection. This new reality demands a different approach: one that treats people and the tools they use as a single ecosystem, where behavior and detection continuously inform and strengthen each other.

Only an adaptive communication security system can keep pace with the speed, creativity, and cross channel nature of today’s threats. 

Ushering in the adaptive era of workplace security

With this release, Darktrace brings together our new behavior-driven training solution with email detection, cross-channel visibility, and platform-level insights. Powered by Self-Learning AI, it delivers protection across both people and the communication tools they rely on every day, including email, Slack, Teams, and Zoom.

Each component learns from the others – training adapts to real user behavior, detection evolves across channels, and response is continuously refined – creating a powerful feedback loop that strengthens resilience and improves accuracy against today’s AI-driven threats.

Introducing: Unified training and email security for a self-improving email defense

Our brand new product, Darktrace / Adaptive Human Defense, closes the gap between human behavior and email security to continuously strengthen both people and defenses. Each user receives personalized training that adapts to their own inbox activity and skill level, with learning delivered directly within the flow of their day-to-day email interactions.

By learning from each user’s interactions with security training, it adapts security responses, creating a closed-loop system where training reinforces detection and detection informs training. Let’s look at some of the benefits.

• Reduce successful phishing at the source with contextual Just in Time coaching: Contextual coaching appears directly in real email threads the moment risky behavior is detected, so habits change where mistakes actually happen. Configurable triggers and group policies target the right users, reducing repeated errors and administrative overhead.
• Adaptive phishing simulations that progress automatically with each user: Embedded simulations vary in their degree of realism, from generic phishing to generative AI-enabled spear phishing. Users progress through the difficulty levels based on their performance to give an accurate picture of their phishing preparedness.  
• Native email security integration turns human behavior into quantified risk: The native email security integration allows engagement, links clicked, and question success signals to flow back into / EMAIL recipes and models, so detection and response adapt automatically as users learn.  
• Actionable risk and trend analytics beyond completion rates: Analytics that surface repeat offenders, high-value targets, and measurable exposure, moving beyond completion metrics to give leaders actionable insights tied to real behavior.

Learn more about / Adaptive Human Defense in the product solution brief.

Industry-first cross-channel full-message analysis for email, Slack, Teams, and Zoom

Darktrace now brings full-message analysis to Email, Slack, Teams, Zoom, and even generative AI prompts. The same leading behavioral analysis from EMAIL extends to every message, tracing intent, tone, relationships, and conversation flow across all communication activity for a complete understanding of every user interaction.

By correlating messaging and collaboration activity with email and account environments, cross-channel analysis reveals multi-domain attack paths and follows both users and threats as a single, continuous narrative – delivering better context to improve detection across the entire organization.

• Eliminate cross-channel blind spots: Detect phishing, malware, account takeovers, and conversational manipulation across email and collaboration platforms, so attackers can’t exploit Slack, Teams, or Zoom as a new entry point. Unified behavioral analysis gives security teams a coherent, single view, for no more fragmented, channel-specific gaps.
• Spot generative AI prompt injection attacks before they manipulate assistants: Dedicated models surface threats targeting corporate AI assistants – like ShadowLeak and Hashjack – before they can silently manipulate workflows, reducing risk before static filters catch up.

Learn more about Darktrace’s messaging security offering in the product solution brief.

Industry-first DMARC with bi-directional ASM and email security integration

Darktrace transforms domain protection by linking DMARC, attack surface intelligence, and email security into a single, continuously evolving workflow. Instead of treating domain authentication and exposure as separate tasks, this unified approach shows not just where domains are vulnerable, but how attackers are actively exploiting them.

• Fix authentication weaknesses faster: SPF, DKIM, DMARC configurations, and external exposure data are analyzed together, giving teams clear guidance to correct weaknesses before they can be abused. Deep bidirectional integration with attack surface intelligence reduces impersonation risk at the source.
• Accelerate email investigations: DMARC context is embedded directly into email workflows, enriching triage with authentication posture, internal/external sender lists, and seamless pivots between email and domain intelligence for faster, more accurate investigations.

Committed to innovation

These updates are part of a broader Darktrace release, which also includes:

• Innovations in cloud security with continuous Kubernetes posture management, as well as native integrations with Proactive Exposure Management (PEM) and Attack Surface Management (ASM).
• Innovations to Darktrace / Forensic Acquisition & Investigation, including faster cloud incident investigations, automated and on-demand forensic data capture across hybrid environments, and open forensic coverage for third-party endpoint and XDR ecosystems.
• Introduction of a new Alerts Dashboard in the ActiveAI Security Portal, enabling unified alert triage, AI-driven incident correlation, and coordinated investigations across multiple deployments to reduce response times and operational complexity.‍
• Innovations in OT security, including Operational Overview Architecture diagrams, Operational Overview reporting, expanded ICS & IoMT device classification, and expanded OT & IIoT Protocol Coverage.
• Further updates to / NETWORK, / ENDPOINT, Cyber AI Analyst, and cross-platform products.

‍

Join our Live Launch Event on April 14, 2026.

Join us for an exclusive announcement event where Darktrace, the leader in AI-native cybersecurity, will be announcing our latest innovations, including  a demo of our new product / Adaptive Human Defense, an exclusive conversation with a Darktrace customer, and a deep dive into the Darktrace ActiveAI Security Portal.  

Register here.

‍

‍References

[1] 84% of organizations still measure security awareness training success through completion rates, a vanity metric with no correlation to behavior change. (Source:  NIST Awareness Effectiveness Study, Forrester 2025)

[2] 'Limited benefit from embedded phishing training. Using randomized controlled trials and statistical modeling, embedded training provides a statistically-significant reduction in average failure rate, but of only 2%.' Ho, G., Mirian, A., Luo, E., Tong, K., Lee, E., Liu, L., Longhurst, C. A., Dameff, C., Savage, S., & Voelker, G. M. (2025). Understanding the Efficacy of Phishing Training in Practice. Proceedings of the 2025 IEEE Symposium on Security and Privacy.

The challenge of operational understanding in complex OT environments

Most industrial organizations today already have some level of asset visibility. The bigger challenge is maintaining a trusted, shared understanding of the environment as it evolves. OT teams still frequently rely on static diagrams, spreadsheets, and manually maintained documentation because these are often the only artifacts trusted by auditors, leadership, and engineering teams. However, these references quickly become outdated as environments change.

At the same time, compliance expectations continue to increase, particularly around IEC-62443 aligned programs. Producing defensible security evidence often requires teams to manually assemble reports across multiple tools while still debating asset inventories and classifications. This creates operational overhead and reduces confidence during audits, risk reviews, and incident response situations.

Advancing operational OT security with Darktrace / OT

Darktrace / OT's latest updates focus on helping industrial organizations close this operational gap by strengthening how OT security platforms support real workflows. This release enhances Operational Overview with architecture visibility, improves how industrial assets are represented, and introduces structured reporting capabilities aligned to governance needs.

Together, these improvements help organizations maintain a more reliable operational picture of their environments while reducing manual effort associated with documentation, reporting, and asset validation.

Native OT architecture visibility inside Operational Overview

Understanding how industrial environments are structured is critical during investigations and risk reviews, yet architecture diagrams are typically maintained outside security platforms and quickly fall out of sync with operational changes. This disconnect makes it harder for OT, IT, and security teams to maintain a shared understanding of their environments when incidents occur.

Darktrace / OT introduces native OT architecture diagrams directly within Operational Overview, allowing teams to maintain a live representation of how OT assets and systems relate to each other inside the same platform used for monitoring and investigations.

These updates help organizations:

• Maintain a shared architectural understanding across OT, IT, and security teams
• Improve investigation context by understanding how systems relate operationally
• Reduce reliance on static diagrams that quickly become outdated

Improving OT governance with operational asset and compliance reporting

Accurate reporting remains a major operational challenge for industrial organizations, particularly when security posture must be demonstrated to auditors, regulators, and leadership. Many OT teams still rely on manual screenshots, spreadsheets, or fragmented exports to show asset inventories and compliance alignment.

Darktrace / OT introduces structured OT asset reporting and IEC-62443-3-3 compliance reporting directly from Operational Overview. These capabilities allow organizations to generate consistent, repeatable outputs based on continuously observed OT environments rather than manually assembled documentation.

These updates help customers:

• Reduce manual compliance effort through automated IEC-62443 reporting aligned to live OT data
• Support governance workflows with structured OT asset and architecture reporting
• Improve audit readiness with consistent reporting aligned to operational security posture

Expanding industrial context through improved asset representation and protocol coverage

Industrial environments rely on diverse technologies spanning manufacturing systems, power and utilities infrastructure, healthcare devices, and Industrial IoT deployments. Maintaining strong visibility across these environments requires both accurate device representation and deeper protocol understanding.

Darktrace / OT strengthens industrial context through expanded ICS and IoMT device classification alongside broader industrial protocol coverage. These improvements help organizations better understand specialized devices and communications across sectors such as manufacturing, energy, healthcare, and Industrial IoT.

These enhancements enable organizations to:

• Improve visibility into specialized ICS, IoMT, and industrial infrastructure devices
• Strengthen monitoring across sector-specific industrial communications in manufacturing, utilities, and IIoT environments
• Increase confidence in detection across complex and evolving industrial technology estates

Supporting practical OT security outcomes for industrial organizations

Darktrace / OT continues our focus on delivering capabilities that help industrial organizations operationalize security rather than simply deploy tools. By improving architecture understanding, strengthening asset representation, and supporting governance reporting, this release helps organizations manage OT security with greater confidence.

As industrial environments continue to evolve, organizations need more than visibility. They need the ability to maintain trusted operational understanding and demonstrate security readiness without increasing operational friction. This release reflects Darktrace’s continued commitment to supporting the priorities that matter most in OT: safety, uptime, and resilience.