Blog
/
Network
/
September 13, 2023

How Darktrace Stopped Akira Ransomware

Learn how Darktrace is uniquely placed to identify and contain the novel Akira ransomware strain, first observed in March 2023.
Written by
Manoel Kadja
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Manoel Kadja
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
13
Sep 2023

Introduction to Akira Ransomware

In the face of a seemingly never-ending production line of novel ransomware strains, security teams across the threat landscape are continuing to see a myriad of new variants and groups targeting their networks. Naturally, new strains and threat groups present unique challenges to organizations. The use of previously unseen tactics, techniques, and procedures (TTPs) means that threat actors can often completely bypass traditional rule and signature-based security solutions, thus rendering an organization’s digital environment vulnerable to attack.

What is Akira Ransomware?

One such example of a novel ransomware family is Akira, which was first observed in the wild in March 2023. Much like many other strains, Akira is known to target corporate networks worldwide, encrypting sensitive files and demanding huge sums of money to retrieve the data and stop it from being posted online [1].

Key characteristics of Akira Ransomware

  • Targeted Attacks: Focuses on specific industries and organizations, often targeting those with valuable data.
  • Double Extortion Tactics: Employs double extortion by encrypting data and threatening to release it publicly if the ransom is not paid.
  • Advanced Encryption: Utilizes sophisticated encryption algorithms to ensure that data recovery is impossible without the decryption key.
  • Custom Ransom Notes: Delivers personalized ransom notes tailored to the victim, often containing detailed instructions and specific payment demands.
  • Stealth Techniques: Uses advanced evasion techniques to avoid detection by security tools and to remain undetected for extended periods.
  • Fast Encryption Process: Known for its rapid encryption process, minimizing the time window for detection and response by the victim.
  • Frequent Updates: Regularly updates its malware to bypass the latest security defenses and to improve its effectiveness.
  • Professional Communication: Maintains professional and often polite communication with victims to facilitate ransom payments and decryption.

Darktrace AI capabilities detect Akira Ransomware

In late May 2023, Darktrace observed multiple instances of Akira ransomware affecting networks across its customer base. Thanks to its anomaly-based approach to threat detection, Darktrace successfully identified the novel ransomware attacks and provided full visibility over the cyber kill chain, from the initial compromise to the eventual file encryptions and ransom notes. In cases where Darktrace was enabled in autonomous response mode, these attacks were mitigated the early stages of the attack, thus minimizing any disruption or damage to customer networks.

Initial access and privileged escalation

Methods used by Akira ransomware for privileged escalation

The Akira ransomware group typically uses spear-phishing campaigns containing malicious downloads or links as their primary initial access vector; however, they have also been known to use Remote Desktop Protocol (RDP) brute-force attacks to access target networks [2].

While Darktrace did observe the early access activities that are detailed below, it is very likely that the actual initial intrusion happened prior to this, through targeted phishing attacks that fell outside of Darktrace’s purview. The first indicators of compromise (IoCs) that Darktrace observed on customer networks affected by Darktrace were typically unusual RDP sessions, and the use of compromised administrative credentials.

Darktrace detection of initial access and priviledged escalation

On one Darktrace customer’s network (customer A), Darktrace identified a highly privileged credential being used for the first time on an internal server on May 21, 2023. Around a week later, this server was observed establishing RDP connections with multiple internal destination devices via port 3389. Further investigation carried out by the customer revealed that this credential had indeed been compromised. On May 30, Darktrace detected another device scanning internal devices and repeatedly failing to authenticate via Kerberos.

As the customer had integrated Darktrace with Microsoft Defender, their security team received additional cyber threat intelligence from Microsoft which, coupled with the anomaly alerts provided by Darktrace, helped to further contextualize these anomalous events. One specific detail gleaned from this integration was that the anomalous scanning activity and failed authentication attempts were carried out using the compromised administrative credentials mentioned earlier.

By integrating Microsoft Defender with Darktrace, customers can efficiently close security gaps across their digital infrastructure. While Darktrace understands customer environments and provides valuable network-level insights, by integrating with Microsoft Defender, customers can further enrich these insights with endpoint-specific information and activity.

In another customer’s network (customer B), Darktrace detected a device, later observed writing a ransom note, receiving an unusual RDP connection from another internal device. The RDP cookie used during this activity was an administrative RDP cookie that appeared to have been compromised. This device was also observed making multiple connections to the domain, api.playanext[.]com, and using the user agent , AnyDesk/7.1.11, indicating the use of the AnyDesk remote desktop service.

Although this external domain does not appear directly related to Akira ransomware, open-source intelligence (OSINT) found associations with multiple malicious files, and it appeared to be associated with the AnyDesk user agent, AnyDesk/6.0.1 [3]. The connections to this endpoint likely represented the malicious use of AnyDesk to remotely control the customer’s device, rather than Akira command-and-control (C2) infrastructure or payloads. Alternatively, it could be indicative of a spoofing attempt in which the threat actor is attempting to masquerade as legitimate remote desktop service to remain undetected by security tools.

Around the same time, Darktrace observed many devices on customer B’s network making anomalous internal RDP connections and authenticating via Kerberos, NTLM, or SMB using the same administrative credential. These devices were later confirmed to be affected by Akira Ransomware.

Figure 1 shows how Darktrace detected one of those internal devices failing to login via SMB multiple times with a certain credential (indication of a possible SMB/NTLM brute force), before successfully accessing other internal devices via SMB, NTLM and RDP using the likely compromised administrative credential mentioned earlier.

Figure 1: Model Breach Event Log indicating unusual SMB, NTLM and RDP activity with different credentials detected which led to the Darktrace model breaches, "Unusual Admin RDP Session” and “Successful Admin Brute-Force Activity”.

Darktrace models observed for initial access and privilege escalation:

  • Device / Anomalous RDP Followed By Multiple Model Breaches
  • Anomalous Connection / Unusual Admin RDP Session
  • New Admin Credentials on Server
  • Possible SMB/NTLM Brute Force Indicator
  • Unusual Activity / Successful Admin Brute-Force Activity

Internal Reconnaissance and Lateral Movement

The next step Darktrace observed during Akira Ransomware attacks across the customer was internal reconnaissance and lateral movement.

How Akira Ransomware conducts internal reconnaissance

In another customer’s environment (customer C), after authenticating via NTLM using a compromised credential, a domain controller was observed accessing a large amount of SMB shares it had never previously accessed. Darktrace understood that this SMB activity represented a deviation in the device’s expected behavior and recognized that it could be indicative of SMB enumeration. Darktrace observed the device making at least 196 connections to 34 unique internal IPs via port 445. SMB actions read, write, and delete were observed during those connections. This domain controller was also one of many devices on the customer’s network that was received incoming connections from an external endpoint over port 3389 using the RDP protocol, indicating that the devices were likely being remotely controlled from outside the network. While there were no direct OSINT links with this endpoint and Akira ransomware, the domain controller in question was later confirmed to be compromised and played a key role in this phase of the attack.

Moreover, this represents the second IoC that Darktrace observed that had no obvious connection to Akira, likely indicating that Akira actors are establishing entirely new infrastructure to carry out their attacks, or even utilizing newly compromised legitimate infrastructure. As Darktrace adopts an anomaly-based approach to threat detection, it can recognize suspicious activity indicative of an emerging ransomware attack based on its unusualness, rather than having to rely on previously observed IoCs and lists of ‘known-bads’.

Darktrace further observed a flurry of activity related to lateral movement around this time, primarily via SMB writes of suspicious files to other internal destinations. One particular device on customer C’s network was detected transferring multiple executable (.exe) and script files to other internal devices via SMB.

Darktrace recognized that these transfers represented a deviation from the device’s normal SMB activity and may have indicated threat actors were attempting to compromise additional devices via the transfer of malicious software.

Figure 2: Advanced Search results showing 20 files associated with suspicious SMB write activity, amongst them executable files and dynamic link libraries (DLLs).

Darktrace DETECT models observed for internal reconnaissance and lateral movement:

  • Device / RDP Scan
  • Anomalous Connection / SMB Enumeration
  • Anomalous Connection / Possible Share Enumeration Activity
  • Scanning of Multiple Devices (Cyber AI Analyst Incident)
  • Device / Possible SMB/NTLM Reconnaissance
  • Compliance / Incoming Remote Desktop
  • Compliance / Outgoing NTLM Request from DC
  • Unusual Activity / Internal Data Transfer
  • Security Integration / Lateral Movement and Integration Detection
  • Device / Anomalous SMB Followed By Multiple Model Breaches

Ransomware deployment

In the final phase of Akira ransomware attacks detected on Darktrace customer networks, Darktrace identified the file extension “.akira” being added after encryption to a variety of files on the affected network shares, as well as a ransom note titled “akira_readme.txt” being dropped on affected devices.

On customer A’s network, after nearly 9,000 login failures and 2,000 internal connection attempts indicative of scanning activity, one device was detected transferring suspicious files over SMB to other internal devices. The device was then observed connecting to another internal device via SMB and continuing suspicious file activity, such as appending files on network shares with the “.akira” extension, and performing suspicious writes to SMB shares on other internal devices.

Darktrace’s autonomous threat investigator, Cyber AI Analyst™, was able to analyze the multiple events related to this encryption activity and collate them into one AI Analyst incident, presenting a detailed and comprehensive summary of the entire incident within 10 minutes of Darktrace’s initial detection. Rather than simply viewing individual breaches as standalone activity, AI Analyst can identify the individual steps of an ongoing attack to provide complete visibility over emerging compromises and their kill chains. Not only does this bolster the network’s defenses, but the autonomous investigations carried out by AI Analyst also help to save the security team’s time and resources in triaging and monitoring ongoing incidents.

Figure 3: Darktrace Cyber AI Analyst incident correlated multiple model breaches together to show Akira ransomware encryption activity.

In addition to analyzing and compiling Darktrace model breaches, AI Analyst also leveraged the host-level insights provided by Microsoft Defender to enrich its investigation into the encryption event. By using the Security Integration model breaches, AI Analyst can retrieve timestamp and device details from a Defender alert and further investigate any unusual activity surrounding the alert to present a full picture of the suspicious activity.

In customer B’s environment, following the unusual RDP sessions and rare external connections using the AnyDesk user agent, an affected device was later observed writing around 2,000 files named "akira_readme.txt" to multiple internal SMB shares. This represented the malicious actor dropping ransom notes, containing the demands and extortion attempts of the actors.

Figure 4: Model Breach Event Log indicating the ransom note detected on May 12, 2023, which led to the Darktrace DETECT model breach, Anomalous Server Activity / Write to Network Accessible WebRoot.
Figure 5: Packet Capture (PCAP) demonstrating the Akira ransom note captured from the connection details seen in Figure 4.

As a result of this ongoing activity, an Enhanced Monitoring model breach, a high-fidelity detection model type that detects activities that are more likely to be indicative of compromise, was escalated to Darktrace’s Security Operations Center (SOC) who, in turn were able to further investigate and triage this ransomware activity. Customers who have subscribed to Darktrace’s Proactive Threat Notification (PTN) service would receive an alert from the SOC team, advising urgent follow up action.

Darktrace detection models observed during ransomware deployment:

  • Security Integration / Integration Ransomware Incident
  • Security Integration / High Severity Integration Detection
  • Security Integration / Integration Ransomware Detected
  • Device / Suspicious File Writes to Multiple Hidden SMB Shares
  • Compliance / SMB Drive Write
  • Compromise / Ransomware / Suspicious SMB Activity (Proactive Threat Notification Alerted by the Darktrace SOC)
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Anomalous File / Internal / Unusual SMB Script Write
  • Compromise / Ransomware / Ransom or Offensive Words Written to SMB
  • Anomalous Server Activity /Write to Network Accessible WebRoot
  • Anomalous Server Activity /Write to Network Accessible WebRoot

Darktrace autonomous response neutralizes Akira Ransomware

When Darktrace is configured in autonomous response mode, it is able to follow up successful threat identifications with instant autonomous actions that stop malicious actors in their tracks and prevent them from achieving their end goals.

In the examples of Darktrace customers affected by Akira Ransomware outlined above, only customer A had autonomous response mode enabled during their ransomware attack. The autonomous response capability of Darktrace helped the customer to minimize disruption to the business through multiple targeted actions on devices affected by ransomware.

One action carried out by Darktrace's Autonomous Respose was to block all on-going traffic from affected devices. In doing so, Darktrace effectively shuts down communications between devices affected by Akira and the malicious infrastructure used by threat actors, preventing the spread of data on the client network or threat actor payloads.

Another crucial response action applied on this customer’s network was combat Akira was to “Enforce a Pattern of Life” on affected devices. This action is designed to prevent devices from performing any activity that would constitute a deviation from their expected behavior, while allowing them to continue their ‘usual’ business operations without causing any disruption.

While the initial intrusion of the attack on customer A’s network likely fell outside of the scope of Darktrace’s visibility, Darktrace was able to minimize the disruption caused by Akira, containing the ransomware and allowing the customer to further investigate and remediate.

Darktrace Autonomous Response model breaches:

  • Antigena / Network / External Threat / Antigena Ransomware Block
  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block
  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Antigena / Network / External Threat / Antigena File then New Outbound Block
  • Antigena / Network / Insider Threat / Antigena Unusual Privileged User Activities Block
  • Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block
  • Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block
  • Antigena / Network /Insider Threat /Antigena SMB Enumeration Block

Conclusion

The impact of cyber attacks

Novel ransomware strains like Akira Ransomware present a significant challenge to security teams across the globe due to the constant evolution of attack methods and tactics, making it huge a challenge for security teams to stay up to date with the most current threat intelligence.  

Therefore, it is paramount for organizations to adopt a technology designed around an intelligent decision maker able to identify unusual activity that could be indicative of a ransomware attack without depending solely on rules, signatures, or statistic lists of malicious IoCs.

Importance of AI-powered cybersecurity solutions

Darktrace identified Akira ransomware at every stage of the attack’s kill chain on multiple customer networks, even when threat actors were utilizing seemingly legitimate services (or spoofed versions of them) to carry out malicious activity. While this may have gone unnoticed by traditional security tools, Darktrace’s anomaly-based detection enabled it to recognize malicious activity for what it was. When enabled in autonomous response mode, Darktrace is able to follow up initial detections with machine-speed preventative actions to stop the spread of ransomware and minimize the damage caused to customer networks.  

There is no silver bullet to defend against novel cyber-attacks, however Darktrace’s anomaly-based approach to threat detection and autonomous response capabilities are uniquely placed to detect and respond to cyber disruption without latency.

Credit to: Manoel Kadja, Cyber Analyst, Nahisha Nobregas, SOC Analyst.

Appendices

IOC - Type - Description/Confidence

202.175.136[.]197 - External destination IP -Incoming RDP Connection

api.playanext[.]com - External hostname - Possible RDP Host

.akira - File Extension - Akira Ransomware Extension

akira_readme.txt - Text File - Akira Ransom Note

AnyDesk/7.1.11 - User Agent -AnyDesk User Agent

MITRE ATT&CK Mapping

Tactic & Technique

DISCOVERY

T1083 - File and Directory Discovery

T1046 - Network Service Scanning

T1135 - Network Share Discovery

RECONNAISSANCE

T1595.002 - Vulnerability Scanning

CREDENTIAL ACCESS, COLLECTION

T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay

DEFENSE EVASION, LATERAL MOVEMENT

T1550.002 - Pass the Hash

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS

T1078 - Valid Accounts

DEFENSE EVASION

T1006 - Direct Volume Access

LATERAL MOVEMENT

T1563.002 - RDP Hijacking

T1021.001 - Remote Desktop Protocol

T1080 - Taint Shared Content

T1021.002 - SMB/Windows Admin Shares

INITIAL ACCESS

T1190 - Exploit Public-Facing Application

T1199 - Trusted Relationship

PERSISTENCE, INITIAL ACCESS

T1133 - External Remote Services

PERSISTENCE

T1505.003 - Web Shell

IMPACT

T1486 - Data Encrypted for Impact

References

[1] https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-operation-targeting-the-enterprise/

[2] https://www.civilsdaily.com/news/cert-in-warns-against-akira-ransomware/#:~:text=Spread%20Methods%3A%20Akira%20ransomware%20is,Desktop%20connections%20to%20infiltrate%20systems

[3] https://hybrid-analysis.com/sample/0ee9baef94c80647eed30fa463447f000ec1f50a49eecfb71df277a2ca1fe4db?environmentId=100

Written by
Manoel Kadja
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Manoel Kadja
Cyber Analyst

From Amazon to Louis Vuitton: How Darktrace Detects Black Friday Phishing Attacks

Email
November 27, 2025
Ryan Traill
Analyst Content Lead
Watch the NIS2 Webinar
Trending blogs
1
Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability
Jul 2, 2025
2
Darktrace Recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Network Detection and Response
Jun 2, 2025
3
Evaluating Email Security: How to Select the Best Solution for Your Organization
May 21, 2025
4
2025 Cyber Threat Landscape: Darktrace’s Mid-Year Review
Aug 5, 2025
5
Introducing the AI Maturity Model for Cybersecurity
Jul 16, 2025

More in this series

No items found.
Continue reading
Network
November 26, 2025

CastleLoader & CastleRAT: Behind TAG150’s Modular Malware Delivery System

TAG-150, a MaaS operator active since March 2025, uses CastleLoader and CastleRAT in multi-stage attacks. CastleLoader acts as a loader that retrieves and executes additional malware through deceptive domains and malicious GitHub repositories, while CastleRAT functions as a remote access trojan providing attackers with system control, command execution, and data theft capabilities. Darktrace detected and blocked early attack activity, leveraging Autonomous Response to prevent further compromise and protect enterprise networks.
Ahmed Gardezi
Cyber Analyst
Read more
Network
November 20, 2025

Xillen Stealer Updates to Version 5 to Evade AI Detection

Xillen Stealer v4/v5 introduces advanced features to evade AI detection, steal credentials, cryptocurrency, and sensitive data across browsers, password managers, and cloud environments. With polymorphic engines, container persistence, and behavioral mimicking, this Python-based malware highlights evolving threats and future AI integration in cybercrime campaigns.
Tara Gould
Threat Researcher
Read more
Network
November 12, 2025

Unmasking Vo1d: Inside Darktrace’s Botnet Detection

Earlier this year, Darktrace investigated the Vo1d malware campaign, tracing its activity from DGA-based DNS beaconing to major cloud infrastructure and ultimately to its C2 server communications. This blog explores how Darktrace detected Vo1d and presents a detailed timeline of Cyber AI Analyst’s investigation.
Christina Kreza
Cyber Analyst
Read more

Blog

/

Email

/

December 3, 2025

Darktrace Named as a Leader in 2025 Gartner® Magic Quadrant™ for Email Security Platforms

Default blog imageDefault blog image

Darktrace is proud to be named as a Leader in the Gartner® Magic Quadrant™ for Email Security Platforms (ESP). We believe this recognition reflects what our customers already know: our product is exceptional – and so is the way we deliver it.

In July 2025, Darktrace was named a Customers’ Choice in the Gartner® Peer Insights™ Voice of the Customer for Email Security, a distinction given to vendors who have scores that meet or exceed the market average for both axes (User Interest and Adoption, and Overall Experience). To us, both achievements are testament to the customer-first approach that has fueled our rapid growth. We feel this new distinction from Gartner validates the innovation, efficacy, and customer-centric delivery that set Darktrace apart.

A Gartner Magic Quadrant is a culmination of research in a specific market, giving you a wide-angle view of the relative positions of the market’s competitors. CIOs and CISOs can use this research to make informed decisions about which email security platform can best accomplish their goals. We encourage our customers to read the full report to get the complete picture.

This acknowledgement follows the recent recognition of Darktrace / NETWORK, also designated a Leader in the Gartner Magic Quadrant for Network Detection & Response and named the only Customers’ Choice in its category.

Why do we believe Darktrace is leading in the email security market?

Our relentless innovation which drives proven results  

At Darktrace we continue to push the frontier of email security, with industry-first AI-native detection and response capabilities that go beyond traditional SEG approaches. How do we do it?

  • With a proven approach that gets results. Darktrace’s unique business-centric anomaly detection catches advanced phishing, supply chain compromises, and BEC attacks – detecting them on average 13 days earlier than attack-centric solutions. That’s why 75% of our customers have removed their SEG and now rely on their native email security provider combined with Darktrace.
  • By offering comprehensive protection beyond the inbox. Darktrace / EMAIL goes further than traditional inbound filtering, delivering account and messaging protection, DLP, and DMARC capabilities, ensuring best-in-class security across inbound, outbound, and domain protection scenarios.  
  • Continuous innovation. We are ranked second highest in the Gartner Critical Capabilities research for core email security function, likely thanks to our product strategy and rapid pace of innovation. We’ve release major capabilities twice a year for nearly five years, including advanced AI models and expanded coverage for collaboration platforms.

We deliver exceptional customer experiences worldwide

Darktrace’s leadership isn’t just about excelling in technology, it’s about delivering an outstanding experience that customers value. Let’s dig into what makes our customers tick.

  • Proven loyalty from our base. Recognition from Gartner Peer Insights as a Customers’ Choice, combined with a 4.8-star rating (based on 340 reviews as of November 2025), demonstrates for us the trust of thousands of organizations worldwide, not just the analysts.  
  • Customer-first support. Darktrace goes beyond ticket-only models with dedicated account teams and award-winning service, backed by significant headcount growth in technical support and analytics roles over the past year.
  • Local expertise. With offices spanning continents, Darktrace is able to provide regional language support and tailored engagement from teams on the ground, ensuring personalized service and a human-first experience.

Darktrace enhances security stacks with a partner-first architecture

There are plenty of tools out there than encourage a siloed approach. Darktrace / EMAIL plays well with others, enhancing your native security provider and allowing you to slim down your stack. It’s designed to set you up for future growth, with:

  • A best-in-breed platform approach. Natively built on Self-Learning AI, Darktrace / EMAIL delivers deep integration with our / NETWORK, / IDENTITY, and / CLOUD products as part of a unified platforms – that enables and enhances comprehensive enterprise-wise security.
  • Optimized workflows. Darktrace integrates tightly with an extended ecosystem of security tools – including a strategic partnership with Microsoft enabling unified threat response and quarantine capabilities – bringing constant innovation to all of your SOC workflows.  
  • A channel-first strategy. Darktrace is making significant investments in partner-driven architectures, enabling integrated ecosystems that deliver maximum value and future-ready security for our customers.

Analyst recognized. Customer approved.  

Darktrace / EMAIL is not just another inbound email security tool; it’s an advanced email security platform trusted by thousands of users to protect them against advanced phishing, messaging, and account-level attacks.  

As a Leader, we believe we owe our positioning to our customers and partners for supporting our growth. In the upcoming years we will continue to innovate to serve the organizations who depend on Darktrace for threat protection.  

To learn more about Darktrace’s position as a Leader, view a complimentary copy of the Magic Quadrant report, register for the Darktrace Innovation Webinar on 9 December, 2025, or simply request a demo.

Gartner, Gartner® Magic Quadrant™ for Email Security Platforms, Max Taggett, Nikul Patel, 3 December 2025

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Darktrace.

[related-resource]

Continue reading
About the author
Carlos Gray
Senior Product Marketing Manager, Email

Blog

/

AI

/

December 2, 2025

Protecting the Experience: How a global hospitality brand stays resilient with Darktrace

Default blog imageDefault blog image

For the Global Chief Technology Officer (CTO) of a leading experiential leisure provider, security is mission critical to protecting a business built on reputation, digital innovation, and guest experience. The company operates large-scale immersive venues across the UK and US, blending activity-driven hospitality with premium dining and vibrant spaces designed for hundreds of guests. With a lean, centrally managed IT team responsible for securing locations worldwide, the challenge is balancing robust cybersecurity with operational efficiency and customer experience.

Brand buzz attracts attention – and attacks

Mid-sized, fast-growing hospitality organizations face a unique risk profile. When systems go down in a venue, the impact is immediate: hundreds of disrupted guest experiences, lost revenue during peak hours, and potential long-term reputation damage. Each time the organization opened a new venue, the surge of marketing buzz attracted attention in local markets and waves of sophisticated cyberattacks, including:

Phishing campaigns leveraging brand momentum to lure employees into clicking on malicious links.

AI-enhanced impersonation using advanced techniques to create AI-generated video calls and deep-researched, contextualized emails  

Fake domains targeting leadership with AI-generated messages that contained insider context gleaned from public information.

“Our endpoint security and antivirus tools were powerless against these sophisticated AI-powered campaigns. We didn’t want to manage incidents anymore. We wanted to prevent them from ever happening.”  - Global CTO

Proactive, preventative security with Darktrace AI

The company’s cybersecurity vision was clear: “Proactive, preventative – that was our mandate,” said the CTO. With a lean and busy IT group, the business evaluated several security solutions using deep-dive workshops. Darktrace proved the best fit for supporting the organization’s proactive mindset, offering:

  • Autonomy without added headcount: Darktrace provided powerful AI-driven detection and autonomous response functions with minimal manual oversight required.
  • Modular adoption: The company could start with core email and network protection and expand into cloud and endpoint coverage, aligning spend with growth.
  • Partnership and responsiveness: “We wanted people we trust, respect, and know will show up when we need them. Darktrace did just that,” said the CTO.
  • Affordability at scale: Darktrace offered reasonable upfront costs plus predictable, sustainable economics as the company and IT infrastructure expanded.  

“The combination of AI capabilities, a scalable model, and a strong engagement team tipped the balance in Darktrace’s favor, and we have not been disappointed,” said the CTO.

Phased deployment builds trust

To minimize disruption to critical hospitality systems like global Point of Sales (POS) terminals and Audio-Visual (AV) infrastructure, deployment was phased:

  1. Observation and human-led response: Initially, Darktrace was deployed in detection-only mode. Alerts were manually reviewed.
  2. Incremental autonomous response: Darktrace Autonomous Response was enabled on select models, taking action on low-risk scenarios. Higher-risk subnets and devices remained under human control.
  3. Full autonomous coverage: With tuning and reinforcement, autonomous response was expanded across domains, trusted to take decisive action in real time. Analysts retained the ability to review and contextualize incidents.

“Darktrace managed the rollout through detailed, professional, and responsive project management – ensuring a smooth, successful adoption and creating a standardized cybersecurity playbook for future venue launches,” said the CTO.  

AI delivers the outcomes that matter  

Measurable efficiency replaces endless alerts

Darktrace autonomous response significantly decreased false alerts and noise. “If it’s quiet, we’re confident there isn’t a problem,” said the CTO. Within six months, Darktrace conducted 3,599 total investigations, detected and contained 320 incidents indicative of an attack, resolved 91% of those events autonomously, and escalated only 9% to human analysts. The efficiency gains were enormous, saving analysts 740 hours on investigations within a single month.  

Precision AI turns inbox chaos into calm

Darktrace Self-Learning AI modeled sender/recipient norms, content/linguistic baselines, and communication patterns unique to the organization’s launch cadence, resulting in:

  • Automated holds and neutralizations of anomalous executive-style messages
  • Rapid detection of novel templates and tone shifts that deviated from the organization’s lived email graph, even when indicators were not yet on any feed
  • Downstream reduction in help-desk escalations tied to suspicious email

Full visibility fuels real-time response

Darktrace gives IT direct visibility without extra licensing, and it surfaces ground truth across every venue, including:

  • Device geolocation and placement drift: Darktrace exposed devices and users operating outside approved zones, prompting new segmentation and access-control policies.
  • Guest Wi-Fi realities: Darktrace AI uncovered high-risk activity on guest networks, like crypto-mining and dark-web traffic, driving stricter VLAN separation and access hygiene.
  • Lateral-movement containment: Autonomous response fenced suspicious activity in real time, buying time for human investigation while keeping POS and AV systems unaffected.

Smarter endpoints for a smarter network

Endpoints once relied on static agents effective only against known signatures. Darktrace’s behavioral models now detect subtle anomalies at the endpoint process level that EDRs often miss, such as misuse of legitimate applications (commonly used in living-off-the-land attacks), unapproved application usage and policy violations. This increases the accuracy and fidelity of network-based investigations by adding endpoint process context alongside existing EDR alerts.

Autonomous response for continuous compliance

Across PCI, GDPR, and cross-border privacy obligations, Darktrace’s native evidencing is helping the team demonstrate control rather than merely assert it:

  • Asset and flow awareness: Knowing “what is where” and “who talks to what” underpins PCI scoping and data-flow diagrams.
  • Layered safeguards: Showing autonomous prevention, network segmentation, and rapid containment supports risk registers and control attestations.
  • Audit-ready artifacts: Investigations and autonomous actions produce artifacts that “tick the box” without additional tooling.  

Defining the next era of resilience with AI

With rapid global expansion underway, the company is using its cybersecurity playbook to streamline and secure future venue launches. In the near term, IT is focused on strengthening prevention, using Darktrace insights to guide new policy updates and infrastructure changes like imposing stricter guest-network posture and refining venue device baselines.

For tech leaders charting their path to proactive cyber defense, the CTO stresses success won’t come from sidestepping AI, but from turning it into a core capability.

“AI isn’t optional – it’s operational. The real risk to your business is trying to out-scale automated adversaries with human speed alone. When applied to the right use case, AI becomes a catalyst for efficiency, resilience, and business growth.” - Global CTO
Continue reading
About the author
The Darktrace Community
Your data. Our AI.
Elevate your network security with Darktrace AI