Blog
/
Proactive Security
/
January 2, 2023

Analyst's Guide to the ActiveAI Security Platform

Understand Darktrace's full functionality in preventing and detecting cyber threats, and how analysts can benefit from Darktrace's AI technology.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Gabriel Hernandez
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
02
Jan 2023

On countless occasions, Darktrace has observed cyber-attacks disrupting business operations by using a vulnerable internet-facing asset as a starting point for infection. Finding that one entry point could be all a threat actor needs to compromise an entire organization. With the objective to prevent such vulnerabilities from being exploited, Darktrace’s latest product family includes Attack Surface Management (ASM) to continuously monitor customer attack surfaces for risks, high-impact vulnerabilities and potential external threats. 

An attack surface is the sum of exposed and internet-facing assets and the associated risks a hacker can exploit to carry out a cyber-attack. Darktrace / Attack Surface Management uses AI to understand what external assets belong to an organization by searching beyond known servers, networks, and IPs across public data sources. 

This blog discusses how Darktrace / Attack Surface Management could combine with Darktrace / NETWORK to find potential vulnerabilities and subsequent exploitation within network traffic. In particular, this blog will investigate the assets of a large Australian company which operates in the environmental sciences industry.   

Introducing ASM

In order to understand the link between PREVENT and DETECT, the core features of ASM should first be showcased.

Figure 1: The PREVENT/ASM dashboard.

When facing the landing page, the UI highlights the number of registered assets identified (with zero prior deployment). The tool then organizes the information gathered online in an easily assessable manner. Analysts can see vulnerable assets according to groupings like ‘Misconfiguration’, ‘Social Media Threat’ and ‘Information Leak’ which shows the type of risk posed to said assets.

Figure 2: The Network tab identifies the external facing assets and their hierarchy in a graphical format.

The Network tab helps analysts to filter further to take more rapid action on the most vulnerable assets and interact with them to gather more information. The image below has been filtered by assets with the ‘highest scoring’ risk.

Figure 3: PREVENT/ASM showing a high scoring asset.

Interacting with the showcased asset selected above allows pivoting to the following page, this provides more granular information around risk metrics and the asset itself. This includes a more detailed description of what the vulnerabilities are, as well as general information about the endpoint including its location, URL, web status and technologies used.

  Figure 4: Asset pages for an external web page at risk.

Filtering does not end here. Within the Insights tab, analysts can use the search bar to craft personalized queries and narrow their focus to specific types of risk such as vulnerable software, open ports, or potential cybersquatting attempts from malicious actors impersonating company brands. Likewise, filters can be made for assets that may be running software at risk from a new CVE. 

Figure 5: Insights page with custom queries to search for assets at risk of Log4J exploitation.

For each of the entries that can be read on the left-hand side, a query that could resemble the one on the top right exists. This allows users to locate specific findings beyond those risks that are categorized as critical. These broader searches can range from viewing the inventory as a whole, to seeing exposed APIs, expiring certificates, or potential shadow IT. Queries will return a list with all the assets matching the given criteria, and users can then explore them further by viewing the asset page as seen in Figure 4.

Compromise Scenario

Now that a basic explanation of PREVENT/ASM has been given, this scenario will continue to look at the Australian customer but show how Darktrace can follow a potential compromise of an at-risk ASM asset into the network. 

Having certain ports open could make it particularly easy for an attacker to access an internet-facing asset, particularly those sensitive ones such as 3389 (RDP), 445 (SMB), 135 (RPC Epmapper). Alternatively, a vulnerable program with a well-known exploitation could also aid the task for threat actors.

In this specific case, PREVENT/ASM identified multiple external assets that belonged to the customer with port 3389 open. One of these assets can be labelled as ‘Server A'. Whilst RDP connections can be protected with a password for a given user, if those were weak to bruteforce, it could be an easy task for an attacker to establish an admin session remotely to the victim machine.

Figure 6: Insights tab query filtering for open RDP port 3389.

N or zero-day vulnerabilities associated with the protocol could also be exploited; for example, CVE-2019-0708 exploits an RCE vulnerability in Remote Desktop where an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. 

Certain protocols are known to be sensitive according to the control they provide on a destination machine. These are developed for administrative purposes but have the potential to ease an attacker’s job if accessible. Thanks to PREVENT/ASM, security teams can anticipate such activity by having visibility over those assets that could be vulnerable. If this RDP were successfully exploited, DETECT/Network would then highlight the unusual activity performed by the compromised device as the attacker moved through the kill chain.  

There are several models within Darktrace which monitor for risks against internet facing assets. For example, ‘Server A’ which had an open 3389 port on ASM registered the following model breach in the network:

Figure 7: Breach log showing Anomalous Server Activity / New Internet Facing System model for ‘Server A’.

A model like this could highlight a misconfiguration that has caused an internal device to become unexpectedly open to the internet. It could also suggest a compromised device that has now been opened to the internet to allow further exploitation. If the result of a sudden change, such an asset would also be detected by ASM and highlighted within the ‘New Assets’ part of the Insights page. Ultimately this connection was not malicious, however it shows the ability for security teams to track between PREVENT to DETECT and verify an initial compromise.  

A mock scenario can take this further. Using the continued example of an open port 3389 intrusion, new RDP cookies may be registered (perhaps even administrative). This could enable further lateral movement and eventual privilege escalation. Various DETECT models would highlight actions of this nature, two examples are below:

Figure 8: RDP Lateral Movement related model breaches on customer.

Alongside efforts to move laterally, Darktrace may find attempts at reconnaissance or C2 communication from compromised internet facing devices by looking at Darktrace DETECT model breaches including ‘Network Scan’, ‘SMB Scanning’ and ‘Active Directory Reconnaissance’. In this case the network also saw repeated failed internal connections followed by the ‘LDAP Brute-Force Activity model’ around the same time as the RDP activity. Had this been malicious, DETECT would then continue to provide visibility into the C2 and eventual malware deployment stages. 

With the combined visibility of both tools, Darktrace users have support for greater triage across the whole kill chain. For customers also using RESPOND, actions will be taken from the DETECT alerting to subsequently block malicious activity. In doing so, inputs will have fed across the whole Cyber AI Loop by having learnt from PREVENT, DETECT and RESPOND.

This feed from the Cyber AI Loop works both ways. In Figure 9, below, a DETECT model breach shows a customer alert from an internet facing device: 

Figure 9: Model breach on internet-facing server.

This breach took place because an established server suddenly started serving HTTP sessions on a port commonly used for HTTPS (secure) connections. This could be an indicator that a criminal may have gained control of the device and set it to listen on the given port and enable direct connection to the attacker’s machine or command and control server. This device can be viewed by an analyst in its Darktrace PREVENT version, where new metrics can be observed from a perspective outside of the network.

Figure 10: Assets page for server. PREVENT shows few risks for this asset. 

This page reports the associated risks that could be leveraged by malicious actors. In this case, the events are not correlated, but in the event of an attack, this backwards pivoting could help to pinpoint a weak link in the chain and show what allowed the attacker into the network. In doing so this supports the remediation and recovery process. More importantly though, it allows organizations to be proactive and take appropriate security measures required before it could ever be exploited.

Concluding Thoughts

The combination of Darktrace / Attack Surface Management with Darktrace / NETWORK provides wide and in-depth visibility over a company’s infrastructure. Through the Darktrace platform, this coverage is continually learning and updating based on inputs from both. ASM can show companies the potential weaknesses that a cybercriminal could take advantage of. In turn this allows them to prioritize patching, updating, and management of their internet facing assets. At the same time, Darktrace will show the anomalous behavior of any of these internet facing devices, enabling security teams or respond to stop an attack. Use of these tools by an analyst together is effective in gaining informed security data which can be fed back to IT management. Leveraging this allows normal company operations to be performed without the worry of cyber disruption.

Credit to: Emma Foulger, Senior Cyber Analyst at Darktrace

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Gabriel Hernandez

More in this series

No items found.

Blog

/

/

April 21, 2025

Why Asset Visibility and Signature-Based Threat Detection Fall Short in ICS Security

operational technology operators looking at equipment Default blog imageDefault blog image

In the realm of Industrial Control System (ICS) security, two concepts often dominate discussions:

  1. Asset visibility
  2. Signature-based threat detection

While these are undoubtedly important components of a cybersecurity strategy, many organizations focus on them as the primary means to enhance ICS security. However, this is more of a short-term approach and these organizations often realize too late that these efforts do not translate into actually securing their environment.

To truly secure your environment, organizations should focus their efforts on anomaly detection across core network segments. This shift enables enhanced threat detection, while also providing a more meaningful and dynamic view of asset communication.

By prioritizing anomaly detection, organizations can build a more resilient security posture, detecting and mitigating threats before they escalate into serious incidents.

The shortcomings of asset visibility and signature-based threat detection

Asset visibility is frequently touted as the foundation of ICS security. The idea is that you cannot protect what you cannot see.

However, organizations that invest heavily in asset discovery tools often end up with extensive inventories of connected devices but little actionable insight into their security posture or risk level, let alone any indication as to whether these assets have been compromised.

Simply knowing what assets exist does not equate to securing them.

Worse, asset discovery is often a time-consuming static process. By the time practitioners complete their inventory, not only is there likely to have been changes to their assets, but the threat landscape may have already evolved, introducing new vulnerabilities and attack vectors  that were not previously accounted for.

Signature-based detection is reactive, not proactive

Traditional signature-based threat detection relies on known attack patterns and predefined signatures to identify malicious activity. This approach is fundamentally reactive because it can only detect threats that have already been identified elsewhere.

In an ICS environment where cyber-attacks on OT systems have become more frequent, sophisticated, and destructive, signature-based detection provides a false sense of security while failing to detect sophisticated, previously unseen threats:

Additionally, adversaries often dwell within OT networks for extended periods, studying their specific conditions to identify the most effective way to cause disruption. This means that the likelihood of any attack within OT network looking the same as a previous attack is unlikely.

Implementation effort vs. actual security gains

Many organizations spend considerable time and resources implementing asset visibility solutions and signature-based detection systems only to be required to constantly tune and adjust the sensitivity of the solution.

Despite these efforts, these tools often fail to deliver the level of protection expected, leaving gaps in detection, an overwhelming amount of asset data, and a constant stream of false positives and false negatives from signature-based systems.

A more effective approach: Anomaly detection at core network segments

While it's important to understand the type of device involved during alert triage, organizations should shift their focus from static asset visibility and threat signatures to anomaly detection across critical network segments. This method provides a superior approach to ICS security for several reasons:

Proactive threat detection

Anomaly detection monitors network behavior in real time and identifies deviations . This means that even novel or previously unseen threats can be detected based on unusual network activity, rather than relying on predefined signatures.

Granular security insights

By analyzing traffic patterns across key network segments, organizations can gain deeper insights into how assets interact. This not only improves threat detection but also organically enhances asset visibility. Instead of simply cataloging devices, organizations gain meaningful visibility into how they behave within the network, understanding their unique pattern of life, and making it easier to detect malicious activity.

Efficiency and scalability

Implementing anomaly detection allows security teams to focus on real threats rather than sifting through massive inventories of assets or managing signature updates. It scales better with evolving threats and provides continuous monitoring without requiring constant manual intervention.

Enhanced threat detection for critical infrastructure

Unlike traditional security approaches that rely on static baselines or threat intelligence that doesn't reflect the unique behaviors of your OT environment, Darktrace / OT uses multiple AI techniques to continuously learn and adapt to your organization’s real-world activity across IT, OT, and IoT.

By building a dynamic understanding of each device’s pattern of life, it detects threats at every stage of the kill chain — from known malware to zero-days and insider attacks — without overwhelming your team with false positives or unnecessary alerts. This ensures scalable protection as your environment evolves, without a significant increase in operational overhead.

[related-resource]

Continue reading
About the author
Jeffrey Macre
Industrial Security Solutions Architect

Blog

/

/

April 16, 2025

Introducing Version 2 of Darktrace’s Embedding Model for Investigation of Security Threats (DEMIST-2)

woman looking at laptop at deskDefault blog imageDefault blog image

DEMIST-2 is Darktrace’s latest embedding model, built to interpret and classify security data with precision. It performs highly specialized tasks and can be deployed in any environment. Unlike generative language models, DEMIST-2 focuses on providing reliable, high-accuracy detections for critical security use cases.

DEMIST-2 Core Capabilities:  

  • Enhances Cyber AI Analyst’s ability to triage and reason about security incidents by providing expert representation and classification of security data, and as a part of our broader multi-layered AI system
  • Classifies and interprets security data, in contrast to language models that generate unpredictable open-ended text responses  
  • Incorporates new innovations in language model development and architecture, optimized specifically for cybersecurity applications
  • Deployable across cloud, on-prem, and edge environments, DEMIST-2 delivers low-latency, high-accuracy results wherever it runs. It enables inference anywhere.

Cybersecurity is constantly evolving, but the need to build precise and reliable detections remains constant in the face of new and emerging threats. Darktrace’s Embedding Model for Investigation of Security Threats (DEMIST-2) addresses these critical needs and is designed to create stable, high-fidelity representations of security data while also serving as a powerful classifier. For security teams, this means faster, more accurate threat detection with reduced manual investigation. DEMIST-2's efficiency also reduces the need to invest in massive computational resources, enabling effective protection at scale without added complexity.  

As an embedding language model, DEMIST-2 classifies and creates meaning out of complex security data. This equips our Self-Learning AI with the insights to compare, correlate, and reason with consistency and precision. Classifications and embeddings power core capabilities across our products where accuracy is not optional, as a part of our multi-layered approach to AI architecture.

Perhaps most importantly, DEMIST-2 features a compact architecture that delivers analyst-level insights while meeting diverse deployment needs across cloud, on-prem, and edge environments. Trained on a mixture of general and domain-specific data and designed to support task specialization, DEMIST-2 provides privacy-preserving inference anywhere, while outperforming larger general-purpose models in key cybersecurity tasks.

This proprietary language model reflects Darktrace's ongoing commitment to continually innovate our AI solutions to meet the unique challenges of the security industry. We approach AI differently, integrating diverse insights to solve complex cybersecurity problems. DEMIST-2 shows that a refined, optimized, domain-specific language model can deliver outsized results in an efficient package. We are redefining possibilities for cybersecurity, but our methods transfer readily to other domains. We are eager to share our findings to accelerate innovation in the field.  

The evolution of DEMIST-2

Key concepts:  

  • Tokens: The smallest units processed by language models. Text is split into fragments based on frequency patterns allowing models to handle unfamiliar words efficiently
  • Low-Rank Adaptors (LoRA): Small, trainable components added to a model that allow it to specialize in new tasks without retraining the full system. These components learn task-specific behavior while the original foundation model remains unchanged. This approach enables multiple specializations to coexist, and work simultaneously, without drastically increasing processing and memory requirements.

Darktrace began using large language models in our products in 2022. DEMIST-2 reflects significant advancements in our continuous experimentation and adoption of innovations in the field to address the unique needs of the security industry.  

It is important to note that Darktrace uses a range of language models throughout its products, but each one is chosen for the task at hand. Many others in the artificial intelligence (AI) industry are focused on broad application of large language models (LLMs) for open-ended text generation tasks. Our research shows that using LLMs for classification and embedding offers better, more reliable, results for core security use cases. We’ve found that using LLMs for open-ended outputs can introduce uncertainty through inaccurate and unreliable responses, which is detrimental for environments where precision matters. Generative AI should not be applied to use cases, such as investigation and threat detection, where the results can deeply matter. Thoughtful application of generative AI capabilities, such as drafting decoy phishing emails or crafting non-consequential summaries are helpful but still require careful oversight.

Data is perhaps the most important factor for building language models. The data used to train DEMIST-2 balanced the need for general language understanding with security expertise. We used both publicly available and proprietary datasets.  Our proprietary dataset included privacy-preserving data such as URIs observed in customer alerts, anonymized at source to remove PII and gathered via the Call Home and aianalyst.darktrace.com services. For additional details, read our Technical Paper.  

DEMIST-2 is our way of addressing the unique challenges posed by security data. It recognizes that security data follows its own patterns that are distinct from natural language. For example, hostnames, HTTP headers, and certificate fields often appear in predictable ways, but not necessarily in a way that mirrors natural language. General-purpose LLMs tend to break down when used in these types of highly specialized domains. They struggle to interpret structure and context, fragmenting important patterns during tokenization in ways that can have a negative impact on performance.  

DEMIST-2 was built to understand the language and structure of security data using a custom tokenizer built around a security-specific vocabulary of over 16,000 words. This tokenizer allows the model to process inputs more accurately like encoded payloads, file paths, subdomain chains, and command-line arguments. These types of data are often misinterpreted by general-purpose models.  

When the tokenizer encounters unfamiliar or irregular input, it breaks the data into smaller pieces so it can still be processed. The ability to fall back to individual bytes is critical in cybersecurity contexts where novel or obfuscated content is common. This approach combines precision with flexibility, supporting specialized understanding with resilience in the face of unpredictable data.  

Along with our custom tokenizer, we made changes to support task specialization without increasing model size. To do this, DEMIST-2 uses LoRA . LoRA is a technique that integrates lightweight components with the base model to allow it to perform specific tasks while keeping memory requirements low. By using LoRA, our proprietary representation of security knowledge can be shared and reused as a starting point for more highly specialized models, for example, it takes a different type of specialization to understand hostnames versus to understand sensitive filenames. DEMIST-2 dynamically adapts to these needs and performs them with purpose.  

The result is that DEMIST-2 is like having a room of specialists working on difficult problems together, while sharing a basic core set of knowledge that does not need to be repeated or reintroduced to every situation. Sharing a consistent base model also improves its maintainability and allows efficient deployment across diverse environments without compromising speed or accuracy.  

Tokenization and task specialization represent only a portion of the updates we have made to our embedding model. In conjunction with the changes described above, DEMIST-2 integrates several updated modeling techniques that reduce latency and improve detections. To learn more about these details, our training data and methods, and a full write-up of our results, please read our scientific whitepaper.

DEMIST-2 in action

In this section, we highlight DEMIST-2's embeddings and performance. First, we show a visualization of how DEMIST-2 classifies and interprets hostnames, and second, we present its performance in a hostname classification task in comparison to other language models.  

Embeddings can often feel abstract, so let’s make them real. Figure 1 below is a 2D visualization of how DEMIST-2 classifies and understands hostnames. In reality, these hostnames exist across many more dimensions, capturing details like their relationships with other hostnames, usage patterns, and contextual data. The colors and positions in the diagram represent a simplified view of how DEMIST-2 organizes and interprets these hostnames, providing insights into their meaning and connections. Just like an experienced human analyst can quickly identify and group hostnames based on patterns and context, DEMIST-2 does the same at scale.  

DEMIST-2 visualization of hostname relationships from a large web dataset.
Figure 1: DEMIST-2 visualization of hostname relationships from a large web dataset.

Next, let’s zoom in on two distinct clusters that DEMIST-2 recognizes. One cluster represents small businesses (Figure 2) and the other, Russian and Polish sites with similar numerical formats (Figure 3). These clusters demonstrate how DEMIST-2 can identify specific groupings based on real-world attributes such as regional patterns in website structures, common formats used by small businesses, and other properties such as its understanding of how websites relate to each other on the internet.

Cluster of small businesses
Figure 2: Cluster of small businesses
Figure 3: Cluster of Russian and Polish sites with a similar numerical format

The previous figures provided a view of how DEMIST-2 works. Figure 4 highlights DEMIST-2’s performance in a security-related classification task. The chart shows how DEMIST-2, with just 95 million parameters, achieves nearly 94% accuracy—making it the highest-performing model in the chart, despite being the smallest. In comparison, the larger model with 2.78 billion parameters achieves only about 89% accuracy, showing that size doesn’t always mean better performance. Small models don’t mean poor performance. For many security-related tasks, DEMIST-2 outperforms much larger models.

Hostname classification task performance comparison against comparable open source foundation models
Figure 4: Hostname classification task performance comparison against comparable open source foundation models

With these examples of DEMIST-2 in action, we’ve shown how it excels in embedding and classifying security data while delivering high performance on specialized security tasks.  

The DEMIST-2 advantage

DEMIST-2 was built for precision and reliability. Our primary goal was to create a high-performance model capable of tackling complex cybersecurity tasks. Optimizing for efficiency and scalability came second, but it is a natural outcome of our commitment to building a strong, effective solution that is available to security teams working across diverse environments. It is an enormous benefit that DEMIST-2 is orders of magnitude smaller than many general-purpose models. However, and much more importantly, it significantly outperforms models in its capabilities and accuracy on security tasks.  

Finding a product that fits into an environment’s unique constraints used to mean that some teams had to settle for less powerful or less performant products. With DEMIST-2, data can remain local to the environment, is entirely separate from the data of other customers, and can even operate in environments without network connectivity. The size of our model allows for flexible deployment options while at the same time providing measurable performance advantages for security-related tasks.  

As security threats continue to evolve, we believe that purpose-built AI systems like DEMIST-2 will be essential tools for defenders, combining the power of modern language modeling with the specificity and reliability that builds trust and partnership between security practitioners and AI systems.

Conclusion

DEMIST-2 has additional architectural and deployment updates that improve performance and stability. These innovations contribute to our ability to minimize model size and memory constraints and reflect our dedication to meeting the data handling and privacy needs of security environments. In addition, these choices reflect our dedication to responsible AI practices.

DEMIST-2 is available in Darktrace 6.3, along with a new DIGEST model that uses GNNs and RNNs to score and prioritize threats with expert-level precision.

[related-resource]

Continue reading
About the author
Margaret Cunningham, PhD
Director, Security & AI Strategy, Field CISO
Your data. Our AI.
Elevate your network security with Darktrace AI