Blog
/
AI
/
July 26, 2022

Self-Learning AI for Zero-Day and N-Day Attack Defense

Explore the differences between zero-day and n-day attacks on different customer servers to learn how Darktrace detects and prevents cyber threats effectively.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Lewis Morgan
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
26
Jul 2022

Key Terms:

Zero-day | A recently discovered security vulnerability in computer software that has no currently available fix or patch. Its name come from the reality that vendors have “zero days” to act and respond.

N-day | A vulnerability that emerges in computer software in which a vendor is aware and may have already issued (or are currently working on) a patch or fix. Active exploits often already exist and await abuse by nefarious actors.

Traditional security solutions often apply signature-based-detection when identifying cyber threats, helping to defend against legacy attacks but consequently missing novel ones. Therefore, security teams often lend a lot of focus to ensuring that the risk of zero-day vulnerabilities is reduced [1]. As explored in this blog, however, organizations can face just as much of a risk from n-day attacks, since they invite the most attention from malicious actors [2]. This is due in part to the reduced complexity, cost and time invested in researching and finding new exploits compared with that found when attackers exploit zero-days. 

This blog will examine both a zero-day and n-day attack that two different Darktrace customers faced in the fall of 2021. This will include the activity Darktrace detected, along with the steps taken by Darktrace/Network to intervene. It will then compare the incidents, discuss the possible dangers of third-party integrations, and assess the deprecation of legacy security tools.

Revisiting zero-day attacks 

Zero-days are among the greatest concerns security teams face in the era of modern technology and networking. Defending critical systems from zero-day compromises is a task most legacy security solutions are often unable to handle. Due to the complexity of uncovering new security flaws and developing elaborate code that can exploit them, these attacks are often carried out by funded or experienced groups such as nation-state actors and APTs. One of history’s most prolific zero-days, ‘Stuxnet’, sent security teams worldwide into a global panic in 2010. This involved a widespread attack on Iranian nuclear infrastructure and was widely accepted to be a result of nation-state actors [3]. The Stuxnet worm took advantage of four zero-day exploits, compromising over 200,000 devices and physically damaging around 10% of the 9,000 critical centrifuges at the Natanz nuclear site. 

More recently, 2021 saw the emergence of several critical zero-day vulnerabilities within SonicWall’s product suite [4]. SonicWall is a security hardware manufacturer that provides hardware firewall devices, unified threat management, VPN gateways and network security solutions. Some of these vulnerabilities lie within their Secure Mobile Access (SMA) 100 series (for example, CVE-2019-7481, CVE-2021-20016 and CVE-2021-20038 to name a few). These directly affected VPN devices and often allowed attackers easy remote access to company devices. CVE-2021-20016 in particular incorporates an SQL-Injection vulnerability within SonicWall’s SSL VPN SMA 100 product line [5]. If exploited, this defect would allow an unauthenticated remote attacker to perform their own malicious SQL query in order to access usernames, passwords and other session related information. 

The N-day underdog

The shadow cast by zero-day attacks often shrouds that of n-day attacks. N-days, however, often pose an equal - if not greater - risk to the majority of organizations, particularly those in industrial sectors. Since these vulnerabilities have fixes available, all of the hard work around research is already done; malicious actors only need to view proof of concepts (POCs) or, if proficient in coding, reverse-engineer software to reveal code-changes (binary diffing) in order to exploit these security flaws in the wild. These vulnerabilities are typically attributed to opportunistic hackers and script-kiddies, where little research or heavy lifting is required.  

August 2021 gave rise to a critical vulnerability in Atlassian Confluence servers, namely CVE-2021-26084 [6]. Confluence is a widely used collaboration wiki tool and knowledge-sharing platform. As introduced and discussed a few months ago in a previous Darktrace blog (Explore Internet-Facing System Vulnerabilities), this vulnerability allows attackers to remotely execute code on internet-facing servers after exploiting injection vulnerabilities in Object-Graph Navigation Language (OGNL). Whilst Confluence had patches and fixes available to users, attackers still jumped on this opportunity and began scanning the internet for signs of critical devices serving this outdated software [7]. Once identified, they would  exploit the vulnerability, often installing crypto mining software onto the device. More recently, Darktrace explored a new vulnerability (CVE-2022-26134), disclosed midway through 2022, that affected Confluence servers and data centers using similar techniques to that found in CVE-2021-26084 [8]. 

SonicWall in the wild – 1. Zero-day attack

At the beginning of August 2021, Darktrace prevented an attack from taking place within a European automotive customer’s environment (Figure 1). The attack targeted a vulnerable internet-facing SonicWall VPN server, and while the attacker’s motive remains unclear, similar historic events suggest that they intended to perform ransomware encryption or data exfiltration. 

Figure 1: Timeline of the SonicWall attack 

Darktrace was unable to confirm the definite tactics, techniques and procedures (TTPs) used by the attacker to compromise the customer’s environment, as the device was compromised before Darktrace installation and coverage. However, from looking at recently disclosed SonicWall VPN vulnerabilities and patterns of behaviour, it is likely CVE-2021-20016 played a part. At some point after this initial infection, it is also believed the device was able to move laterally to a domain controller (DC) using administrative credentials; it was this server that then initiated the anomalous activity that Darktrace detected and alerted on. 

On August 5th 2021 , Darktrace observed this compromised domain controller engaging in unusual ICMP scanning - a protocol used to discover active devices within an environment and create a map of an organization’s network topology. Shortly after, the infected server began scanning devices for open RDP ports and enumerating SMB shares using unorthodox methods. SMB delete and HTTP requests (over port 445 and 80 respectively) were made for files named delete.me in the root directory of numerous network shares using the user agent Microsoft WebDAV. However, no such files appeared to exist within the environment. This may have been the result of an attacker probing devices in the network in an effort to see their responses and gather information on properties and vulnerabilities they could later exploit. 

Soon the infected DC began establishing RDP tunnels back to the VPN server and making requests to an internal DNS server for multiple endpoints relating to exploit kits, likely in an effort to strengthen the attacker’s foothold within the environment. Some of the endpoints requested relate to:

-       EternalBlue vulnerability 

-       Petit Potam NTLM hash attack tool

-       Unusual GitHub repositories

-       Unusual Python repositories  

The DC made outgoing NTLM requests to other internal devices, implying the successful installation of Petit Potam exploitation tools. The server then began performing NTLM reconnaissance, making over 1,000 successful logins under ‘Administrator’ to several other internal devices. Around the same time, the device was also seen making anonymous SMBv1 logins to numerous internal devices, (possibly symptomatic of the attacker probing machines for EternalBlue vulnerabilities). 

Interestingly, the device also made numerous failed authentication attempts using a spoofed credential for one of the organization’s security managers. This was likely in an attempt to hide themselves using ‘Living off the Land’ (LotL) techniques. However, whilst the attacker clearly did their research on the company, they failed to acknowledge the typical naming convention used for credentials within the environment. This ultimately backfired and made the compromise more obvious and unusual. 

In the morning of the following day, the initially compromised VPN server began conducting further reconnaissance, engaging in similar activity to that observed by the domain controller. Until now, the customer had set Darktrace RESPOND to run in human confirmation mode, meaning interventions were not made autonomously but required confirmation by a member of the internal security team. However, thanks to Proactive Threat Notifications (PTNs) delivered by Darktrace’s dedicated SOC team, the customer was made immediately aware of this unusual behaviour, allowing them to apply manual Darktrace RESPOND blocks to all outgoing connections (Figure 2). This gave the security team enough time to respond and remediate before serious damage could be done.

Figure 2: Darktrace RESPOND model breach showing the manually applied “Quarantine Device” action taken against the compromised VPN server. This screenshot displays the UI from Darktrace version 5.1

Confluence in the wild – 2. N-day attack

Towards the end of 2021, Darktrace saw a European broadcasting customer leave an Atlassian Confluence internet-facing server unpatched and vulnerable to crypto-mining malware using CVE-2021-26084. Thanks to Darktrace, this attack was entirely immobilized within only a few hours of the initial infection, protecting the organization from damage (Figure 3). 

Figure 3: Timeline of the Confluence attack

On midday on September 1st 2021, an unpatched Confluence server was seen receiving SSL connections over port 443 from a suspicious new endpoint, 178.238.226[.]127.  The connections were encrypted, meaning Darktrace was unable to view the contents and ascertain what requests were being made. However, with the disclosure of CVE-2021-26084 just 7 days prior to this activity, it is likely that the TTPs used involved injecting OGNL expressions to Confluence server memory; allowing the attacker to remotely execute code on the vulnerable server.

Immediately after successful exploitation of the Confluence server, the infected device was observed making outgoing HTTP GET requests to several external endpoints using a new user agent (curl/7.61.1). Curl was used to silently download and configure multiple suspicious files relating to XMRig cryptocurrency miner, including ld.sh, XMRig and config.json. Subsequent outgoing connections were then made to europe.randomx-hub.miningpoolhub[.]com · 172.105.210[.]117 using the JSON-RPC protocol, seen alongside the mining credential maillocal.confluence (Figure 4). Only 3 seconds after initial compromise, the infected device began attempting to mine cryptocurrency using the Minergate protocol but was instantly and autonomously blocked by Darktrace RESPOND. This prevented the server from abusing system resources and generating profits for the attacker.

Figure 4: A graph showing the frequency of external connections using the JSON-RPC protocol made by the breach device over a 48-hour window. The orange-red dots represent models that breached as a result of this activity, demonstrating the “waterfall” effect commonly seen when a device suffers a compromise. This screenshot displays the UI from Darktrace version 5.1

In the afternoon, the malware persisted with its infection. The compromised server began making successive HTTP GET requests to a new rare endpoint 195.19.192[.]28 using the same curl user agent (Figures 5 & 6). These requests were for executable and dynamic library files associated with Kinsing malware (but fortunately were also blocked by Darktrace RESPOND). Kinsing is a malware strain found in numerous attack campaigns which is often associated with crypto-jacking, and has appeared in previous Darktrace blogs [9].

Figure 5: Cyber AI Analyst summarising the unusual download of Kinsing software using the new curl user agent. This screenshot displays the UI from Darktrace version 5.1

The attacker then began making HTTP POST requests to an IP 185.154.53[.]140, using the same curl user agent; likely a method for the attacker to maintain persistence within the network and establish a foothold using its C2 infrastructure. The Confluence server was then again seen attempting to mine cryptocurrency using the Minergate protocol. It made outgoing JSON-RPC connections to a different new endpoint, 45.129.2[.]107, using the following mining credential: ‘42J8CF9sQoP9pMbvtcLgTxdA2KN4ZMUVWJk6HJDWzixDLmU2Ar47PUNS5XHv4Kmfdh8aA9fbZmKHwfmFo8Wup8YtS5Kdqh2’. This was once again blocked by Darktrace RESPOND (Figure 7). 

Figure 6: VirusTotal showing the unusualness of one of these external IPs [10]
Figure 7: Log data showing the action taken by Darktrace RESPOND in response to the device breaching the “Crypto Currency Mining Activity” model. This screenshot displays the UI from Darktrace version 5.1

The final activity seen from this device involved the download of additional shell scripts over HTTP associated with Kinsing, namely spre.sh and unk.sh, from 194.38.20[.]199 and 195.3.146[.]118 respectively (Figure 8). A new user agent (Wget/1.19.5 (linux-gnu)) was used when connecting to the latter endpoint, which also began concurrently initiating repeated connections indicative of C2 beaconing. These scripts help to spread the Kinsing malware laterally within the environment and may have been the attacker's last ditch efforts at furthering their compromise before Darktrace RESPOND blocked all connections from the infected Confluence server [11]. With Darktrace RESPOND's successful actions, the customer’s security team were then able to perform their own response and remediation. 

Figure 8: Cyber AI Analyst revealing the last ditch efforts made by the threat actor to download further malicious software. This screenshot displays the UI from Darktrace version 5.1

Darktrace Coverage: N- vs Zero-days

In the SonicWall case the attacker was unable to achieve their actions on objectives (thanks to Darktrace's intervention). However, this incident displayed tactics of a more stealthy and sophisticated attacker - they had an exploited machine but waited for the right moment to execute their malicious code and initiate a full compromise. Due to the lack of visibility over attacker motive, it is difficult to deduce what type of actor led to this intrusion. However, with the disclosure of a zero-day vulnerability (CVE-2021-20016) not long before this attack, along with a seemingly dormant initially compromised device, it is highly possible that it was carried out by a sophisticated cyber criminal or gang. 

On the other hand, the Confluence case engaged in a slightly more noisy approach; it dropped crypto mining malware on vulnerable devices in the hope that the target’s security team did not maintain visibility over their network or would merely turn a blind eye. The files downloaded and credentials observed alongside the mining activity heavily imply the use of Kinsing malware [11]. Since this vulnerability (CVE-2021-26084) emerged as an n-day attack with likely easily accessible POCs, as well as there being a lack of LotL techniques and the motive being long term monetary gain, it is possible this attack was conducted by a less sophisticated or amateur actor (script-kiddie); one that opportunistically exploits known vulnerabilities in internet-facing devices in order to make a quick profit [12].

Whilst Darktrace RESPOND was enabled in human confirmation mode only during the start of the SonicWall attack, Darktrace’s Cyber AI Analyst still offered invaluable insight into the unusual activity associated with the infected machines during both the Confluence and SonicWall compromises. SOC analysts were able to see these uncharacteristic behaviours and escalate the incident through Darktrace’s PTN and ATE services. Analysts then worked through these tickets with the customers, providing support and guidance and, in the SonicWall case, quickly helping to configure Darktrace RESPOND. In both scenarios, Darktrace RESPOND was able to block abnormal connections and enforce a device’s pattern of life, affording the security team enough time to isolate the infected machines and prevent further threats such as ransomware detonation or data exfiltration. 

Concluding thoughts and dangers of third-party integrations 

Organizations with internet-facing devices will inevitably suffer opportunistic zero-day and n-day attacks. While little can be done to remove the risk of zero-days entirely, ensuring that organizations keep their systems up to date will at the very least help prevent opportunistic and script-kiddies from exploiting n-day vulnerabilities.  

However, it is often not always possible for organizations to keep their systems up to date, especially for those who require continuous availability. This may also pose issues for organizations that rely on, and put their trust in, third party integrations such as those explored in this blog (Confluence and SonicWall), as enforcing secure software is almost entirely out of their hands. Moreover, with the rising prevalence of remote working, it is essential now more than ever that organizations ensure their VPN devices are shielded from external threats, guidance on which has been released by the NSA/CISA [13].

These two case studies have shown that whilst organizations can configure their networks and firewalls to help identify known indicators of compromise (IoC), this ‘rearview mirror’ approach will not account for, or protect against, any new and undisclosed IoCs. With the aid of Self-Learning AI and anomaly detection, Darktrace can detect the slightest deviation from a device’s normal pattern of life and respond autonomously without the need for rules and signatures. This allows for the disruption and prevention of known and novel attacks before irreparable damage is caused- reassuring security teams that their digital estates are secure. 

Thanks to Paul Jennings for his contributions to this blog.

Appendices: SonicWall (Zero-day)

Darktrace model detections

·      AIA / Suspicious Chain of Administrative Credentials

·      Anomalous Connection / Active Remote Desktop Tunnel

·      Anomalous Connection / SMB Enumeration

·      Anomalous Connection / Unusual Internal Remote Desktop

·      Compliance / High Priority Compliance Model Breach

·      Compliance / Outgoing NTLM Request from DC

·      Device / Anomalous RDP Followed By Multiple Model Breaches

·      Device / Anomalous SMB Followed By Multiple Model Breaches

·      Device / ICMP Address Scan

·      Device / Large Number of Model Breaches

·      Device / Large Number of Model Breaches from Critical Network Device

·      Device / Multiple Lateral Movement Model Breaches (PTN/Enhanced Monitoring model)

·      Device / Network Scan

·      Device / Possible SMB/NTLM Reconnaissance

·      Device / RDP Scan

·      Device / Reverse DNS Sweep

·      Device / SMB Session Bruteforce

·      Device / Suspicious Network Scan Activity (PTN/Enhanced Monitoring model)

·      Unusual Activity / Possible RPC Recon Activity

Darktrace RESPOND (Antigena) actions (as displayed in example)

·      Antigena / Network / Manual / Quarantine Device

MITRE ATT&CK Techniques Observed
IoCs

Appendices: Confluence (N-day)

Darktrace model detections

·      Anomalous Connection / New User Agent to IP Without Hostname

·      Anomalous Connection / Posting HTTP to IP Without Hostname

·      Anomalous File / EXE from Rare External Location

·      Anomalous File / Script from Rare Location

·      Compliance / Crypto Currency Mining Activity

·      Compromise / High Priority Crypto Currency Mining (PTN/Enhanced Monitoring model)

·      Device / Initial Breach Chain Compromise (PTN/Enhanced Monitoring model)

·      Device / Internet Facing Device with High Priority Alert

·      Device / New User Agent

Darktrace RESPOND (Antigena) actions (displayed in example)

·      Antigena / Network / Compliance / Antigena Crypto Currency Mining Block

·      Antigena / Network / External Threat / Antigena File then New Outbound Block

·      Antigena / Network / External Threat / Antigena Suspicious Activity Block

·      Antigena / Network / External Threat / Antigena Suspicious File Block

·      Antigena / Network / Significant Anomaly / Antigena Block Enhanced Monitoring

MITRE ATT&CK Techniques Observed
IOCs

References:

[1] https://securitybrief.asia/story/why-preventing-zero-day-attacks-is-crucial-for-businesses

[2] https://electricenergyonline.com/energy/magazine/1150/article/Security-Sessions-More-Dangerous-Than-Zero-Days-The-N-Day-Threat.htm

[3] https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

[4] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SonicWall+2021 

[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20016

[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26084

[7] https://www.zdnet.com/article/us-cybercom-says-mass-exploitation-of-atlassian-confluence-vulnerability-ongoing-and-expected-to-accelerate/

[8] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134

[9] https://attack.mitre.org/software/S0599/

[10] https://www.virustotal.com/gui/ip-address/195.19.192.28/detection 

[11] https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/

[12] https://github.com/alt3kx/CVE-2021-26084_PoC

[13] https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2791320/nsa-cisa-release-guidance-on-selecting-and-hardening-remote-access-vpns/

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Lewis Morgan
Cyber Analyst

More in this series

No items found.

Blog

/

/

April 16, 2025

Introducing Version 2 of Darktrace’s Embedding Model for Investigation of Security Threats (DEMIST-2)

woman looking at laptop at deskDefault blog imageDefault blog image

DEMIST-2 is Darktrace’s latest embedding model, built to interpret and classify security data with precision. It performs highly specialized tasks and can be deployed in any environment. Unlike generative language models, DEMIST-2 focuses on providing reliable, high-accuracy detections for critical security use cases.

DEMIST-2 Core Capabilities:  

  • Enhances Cyber AI Analyst’s ability to triage and reason about security incidents by providing expert representation and classification of security data, and as a part of our broader multi-layered AI system
  • Classifies and interprets security data, in contrast to language models that generate unpredictable open-ended text responses  
  • Incorporates new innovations in language model development and architecture, optimized specifically for cybersecurity applications
  • Deployable across cloud, on-prem, and edge environments, DEMIST-2 delivers low-latency, high-accuracy results wherever it runs. It enables inference anywhere.

Cybersecurity is constantly evolving, but the need to build precise and reliable detections remains constant in the face of new and emerging threats. Darktrace’s Embedding Model for Investigation of Security Threats (DEMIST-2) addresses these critical needs and is designed to create stable, high-fidelity representations of security data while also serving as a powerful classifier. For security teams, this means faster, more accurate threat detection with reduced manual investigation. DEMIST-2's efficiency also reduces the need to invest in massive computational resources, enabling effective protection at scale without added complexity.  

As an embedding language model, DEMIST-2 classifies and creates meaning out of complex security data. This equips our Self-Learning AI with the insights to compare, correlate, and reason with consistency and precision. Classifications and embeddings power core capabilities across our products where accuracy is not optional, as a part of our multi-layered approach to AI architecture.

Perhaps most importantly, DEMIST-2 features a compact architecture that delivers analyst-level insights while meeting diverse deployment needs across cloud, on-prem, and edge environments. Trained on a mixture of general and domain-specific data and designed to support task specialization, DEMIST-2 provides privacy-preserving inference anywhere, while outperforming larger general-purpose models in key cybersecurity tasks.

This proprietary language model reflects Darktrace's ongoing commitment to continually innovate our AI solutions to meet the unique challenges of the security industry. We approach AI differently, integrating diverse insights to solve complex cybersecurity problems. DEMIST-2 shows that a refined, optimized, domain-specific language model can deliver outsized results in an efficient package. We are redefining possibilities for cybersecurity, but our methods transfer readily to other domains. We are eager to share our findings to accelerate innovation in the field.  

The evolution of DEMIST-2

Key concepts:  

  • Tokens: The smallest units processed by language models. Text is split into fragments based on frequency patterns allowing models to handle unfamiliar words efficiently
  • Low-Rank Adaptors (LoRA): Small, trainable components added to a model that allow it to specialize in new tasks without retraining the full system. These components learn task-specific behavior while the original foundation model remains unchanged. This approach enables multiple specializations to coexist, and work simultaneously, without drastically increasing processing and memory requirements.

Darktrace began using large language models in our products in 2022. DEMIST-2 reflects significant advancements in our continuous experimentation and adoption of innovations in the field to address the unique needs of the security industry.  

It is important to note that Darktrace uses a range of language models throughout its products, but each one is chosen for the task at hand. Many others in the artificial intelligence (AI) industry are focused on broad application of large language models (LLMs) for open-ended text generation tasks. Our research shows that using LLMs for classification and embedding offers better, more reliable, results for core security use cases. We’ve found that using LLMs for open-ended outputs can introduce uncertainty through inaccurate and unreliable responses, which is detrimental for environments where precision matters. Generative AI should not be applied to use cases, such as investigation and threat detection, where the results can deeply matter. Thoughtful application of generative AI capabilities, such as drafting decoy phishing emails or crafting non-consequential summaries are helpful but still require careful oversight.

Data is perhaps the most important factor for building language models. The data used to train DEMIST-2 balanced the need for general language understanding with security expertise. We used both publicly available and proprietary datasets.  Our proprietary dataset included privacy-preserving data such as URIs observed in customer alerts, anonymized at source to remove PII and gathered via the Call Home and aianalyst.darktrace.com services. For additional details, read our Technical Paper.  

DEMIST-2 is our way of addressing the unique challenges posed by security data. It recognizes that security data follows its own patterns that are distinct from natural language. For example, hostnames, HTTP headers, and certificate fields often appear in predictable ways, but not necessarily in a way that mirrors natural language. General-purpose LLMs tend to break down when used in these types of highly specialized domains. They struggle to interpret structure and context, fragmenting important patterns during tokenization in ways that can have a negative impact on performance.  

DEMIST-2 was built to understand the language and structure of security data using a custom tokenizer built around a security-specific vocabulary of over 16,000 words. This tokenizer allows the model to process inputs more accurately like encoded payloads, file paths, subdomain chains, and command-line arguments. These types of data are often misinterpreted by general-purpose models.  

When the tokenizer encounters unfamiliar or irregular input, it breaks the data into smaller pieces so it can still be processed. The ability to fall back to individual bytes is critical in cybersecurity contexts where novel or obfuscated content is common. This approach combines precision with flexibility, supporting specialized understanding with resilience in the face of unpredictable data.  

Along with our custom tokenizer, we made changes to support task specialization without increasing model size. To do this, DEMIST-2 uses LoRA . LoRA is a technique that integrates lightweight components with the base model to allow it to perform specific tasks while keeping memory requirements low. By using LoRA, our proprietary representation of security knowledge can be shared and reused as a starting point for more highly specialized models, for example, it takes a different type of specialization to understand hostnames versus to understand sensitive filenames. DEMIST-2 dynamically adapts to these needs and performs them with purpose.  

The result is that DEMIST-2 is like having a room of specialists working on difficult problems together, while sharing a basic core set of knowledge that does not need to be repeated or reintroduced to every situation. Sharing a consistent base model also improves its maintainability and allows efficient deployment across diverse environments without compromising speed or accuracy.  

Tokenization and task specialization represent only a portion of the updates we have made to our embedding model. In conjunction with the changes described above, DEMIST-2 integrates several updated modeling techniques that reduce latency and improve detections. To learn more about these details, our training data and methods, and a full write-up of our results, please read our scientific whitepaper.

DEMIST-2 in action

In this section, we highlight DEMIST-2's embeddings and performance. First, we show a visualization of how DEMIST-2 classifies and interprets hostnames, and second, we present its performance in a hostname classification task in comparison to other language models.  

Embeddings can often feel abstract, so let’s make them real. Figure 1 below is a 2D visualization of how DEMIST-2 classifies and understands hostnames. In reality, these hostnames exist across many more dimensions, capturing details like their relationships with other hostnames, usage patterns, and contextual data. The colors and positions in the diagram represent a simplified view of how DEMIST-2 organizes and interprets these hostnames, providing insights into their meaning and connections. Just like an experienced human analyst can quickly identify and group hostnames based on patterns and context, DEMIST-2 does the same at scale.  

DEMIST-2 visualization of hostname relationships from a large web dataset.
Figure 1: DEMIST-2 visualization of hostname relationships from a large web dataset.

Next, let’s zoom in on two distinct clusters that DEMIST-2 recognizes. One cluster represents small businesses (Figure 2) and the other, Russian and Polish sites with similar numerical formats (Figure 3). These clusters demonstrate how DEMIST-2 can identify specific groupings based on real-world attributes such as regional patterns in website structures, common formats used by small businesses, and other properties such as its understanding of how websites relate to each other on the internet.

Cluster of small businesses
Figure 2: Cluster of small businesses
Figure 3: Cluster of Russian and Polish sites with a similar numerical format

The previous figures provided a view of how DEMIST-2 works. Figure 4 highlights DEMIST-2’s performance in a security-related classification task. The chart shows how DEMIST-2, with just 95 million parameters, achieves nearly 94% accuracy—making it the highest-performing model in the chart, despite being the smallest. In comparison, the larger model with 2.78 billion parameters achieves only about 89% accuracy, showing that size doesn’t always mean better performance. Small models don’t mean poor performance. For many security-related tasks, DEMIST-2 outperforms much larger models.

Hostname classification task performance comparison against comparable open source foundation models
Figure 4: Hostname classification task performance comparison against comparable open source foundation models

With these examples of DEMIST-2 in action, we’ve shown how it excels in embedding and classifying security data while delivering high performance on specialized security tasks.  

The DEMIST-2 advantage

DEMIST-2 was built for precision and reliability. Our primary goal was to create a high-performance model capable of tackling complex cybersecurity tasks. Optimizing for efficiency and scalability came second, but it is a natural outcome of our commitment to building a strong, effective solution that is available to security teams working across diverse environments. It is an enormous benefit that DEMIST-2 is orders of magnitude smaller than many general-purpose models. However, and much more importantly, it significantly outperforms models in its capabilities and accuracy on security tasks.  

Finding a product that fits into an environment’s unique constraints used to mean that some teams had to settle for less powerful or less performant products. With DEMIST-2, data can remain local to the environment, is entirely separate from the data of other customers, and can even operate in environments without network connectivity. The size of our model allows for flexible deployment options while at the same time providing measurable performance advantages for security-related tasks.  

As security threats continue to evolve, we believe that purpose-built AI systems like DEMIST-2 will be essential tools for defenders, combining the power of modern language modeling with the specificity and reliability that builds trust and partnership between security practitioners and AI systems.

Conclusion

DEMIST-2 has additional architectural and deployment updates that improve performance and stability. These innovations contribute to our ability to minimize model size and memory constraints and reflect our dedication to meeting the data handling and privacy needs of security environments. In addition, these choices reflect our dedication to responsible AI practices.

DEMIST-2 is available in Darktrace 6.3, along with a new DIGEST model that uses GNNs and RNNs to score and prioritize threats with expert-level precision.

[related-resource]

Continue reading
About the author
Margaret Cunningham, PhD
Director, Security & AI Strategy, Field CISO

Blog

/

/

April 16, 2025

AI Uncovered: Introducing Darktrace Incident Graph Evaluation for Security Threats (DIGEST)

man looking at computer screenDefault blog imageDefault blog image

DIGEST advances how Cyber AI Analyst scores and prioritizes incidents. Trained on over a million anonymized incident graphs, our model brings deeper context to severity scoring by analyzing how threats are structured and how they evolve. DIGEST assesses threats as an expert, before damage is done. For more details beyond this overview, please read our Technical Research Paper.

Darktrace combines machine learning (ML) and artificial intelligence (AI) approaches using a multi-layered, multi-method approach. The result is an AI system that continuously ingests data from across an organization’s environment, learns from it, and adapts in real time. DIGEST adds a new layer to this system, specifically to our Cyber AI Analyst, the first and most experienced AI Analyst in cybersecurity, dedicated to refining how incidents are scored and prioritized. DIGEST improves what your team uses to focus on what matters the most first.

To build DIGEST, we combined Graph Neural Networks (GNNs) to interpret incident structure with Recurrent Neural Networks (RNNs) to analyze how incidents evolve over time. This pairing allows DIGEST to reliably determine the potential severity of an incident even at an early stage to give the Cyber AI Analyst a critical edge in identifying high-risk threats early and recognizing when activity is unlikely to escalate.

DIGEST works locally in real-time regardless of whether your Darktrace deployment is on prem or in the cloud, without requiring data to be sent externally for decisions to be made. It was built to support teams in all environments, including those with strict data controls and limited connectivity.

Our approach to AI is unique, drawing inspiration from multiple disciplines to tackle the toughest cybersecurity challenges. DIGEST demonstrates how a novel application of GNNs and RNNs improves the prioritization and triage of security incidents. By blending interdisciplinary expertise with innovative AI techniques, we are able to push the boundaries of what’s possible and deliver it where it is needed most. We are eager to share our findings to accelerate progress throughout the broader field of AI development.

DIGEST: Pattern, progression, and prioritization

Most security incidents start quietly. A device contacting an unusual domain. Credentials are used at unexpected hours. File access patterns shift. The fundamental challenge is not always detecting these anomalies but knowing what to address first. DIGEST gives us this capability.

To understand DIGEST, it helps to start with Cyber AI Analyst, a critical component of our Self-Learning AI system and a front-line triage partner in security investigations. It combines supervised and unsupervised machine learning (ML) techniques, natural language processing (NLP), and graph-based reasoning to investigate and summarize security incidents.

DIGEST was built as an additional layer of analysis within Cyber AI Analyst. It enhances its capabilities by refining how incidents are scored and prioritized, helping teams focus on what matters most more quickly. For a general view of the ML and AI methods that power Darktrace products, read our AI Arsenal whitepaper. This paper provides insights regarding the various approaches we use to detect, investigate, and prioritize threats.

Cyber AI Analyst is constantly investigating alerts and produces millions of critical incidents every year. The dynamic graphs produced by Cyber AI Analyst investigations represent an abstract understanding of security incidents that is fully anonymized and privacy preserving. This allowed us to use the Call Home and aianalyst.darktrace.com services to produce a dataset comprising the broad structure of millions of incidents that Cyber AI analyst detected on customer deployments, without containing any sensitive data. (Read our technical research paper for more details about our dataset).

The dynamic graphs from Cyber AI Analyst capture the structure of security incidents where nodes represent entities like users, devices or resources, and edges represent the multitude of relationships between them. As new activity is observed, the graph expands, capturing the progression of incidents over time. Our dataset contained everything from benign administrative behavior to full-scale ransomware attacks.

Unique data, unmatched insights

Key terms

Graph Neural Networks (GNNs): A type of neural network designed to analyze and interpret data structured as graphs, capturing relationships between nodes.

Recurrent Neural Networks (RNNs): A type of neural network designed to model sequences where the order of events matters, like how activity unfolds in a security incident.

The Cyber AI Analyst dataset used to train DIGEST reflects over a decade of work in AI paired with unmatched expertise in cybersecurity. Prior to training DIGEST on our incident graph data set, we performed rigorous data preprocessing to ensure to remove issues such as duplicate or ill-formed incidents. Additionally, to validate DIGEST’s outputs, expert security analysts assessed and verified the model’s scoring.

Transforming data into insights requires using the right strategies and techniques. Given the graphical nature of Cyber AI Analyst incident data, we used GNNs and RNNs to train DIGEST to understand incidents and how they are likely to change over time. Change does not always mean escalation. DIGEST’s enhanced scoring also keeps potentially legitimate or low-severity activity from being prioritized over threats that are more likely to get worse. At the beginning, all incidents might look the same to a person. To DIGEST, it looks like the beginning of a pattern.

As a result, DIGEST enhances our understanding of security incidents by evaluating the structure of the incident, probable next steps in an incident’s trajectory, and how likely it is to grow into a larger event.

To illustrate these capabilities in action, we are sharing two examples of DIGEST’s scoring adjustments from use cases within our customers’ environments.

First, Figure 1 shows the graphical representation of a ransomware attack, and Figure 2 shows how DIGEST scored incident progression of that ransomware attack. At hour two, DIGEST’s score escalated to 95% well before observation of data encryption. This means that prior to seeing malicious encryption behaviors, DIGEST understood the structure of the incident and flagged these early activities as high-likelihood precursors to a severe event. Early detection, especially when flagged prior to malicious encryption behaviors, gives security teams a valuable head start and can minimize the overall impact of the threat, Darktrace Autonomous Response can also be enabled by Cyber AI Analyst to initiate an immediate action to stop the progression, allowing the human security team time to investigate and implement next steps.

Graph representation of a ransomware attack
Figure 1: Graph representation of a ransomware attack
Timeline of DIGEST incident score escalation. Note that timestep does not equate to hours, the spike in score to 95% occurred approximately 2 hours into the attack, prior to data encryption.
Figure 2:  Timeline of DIGEST incident score escalation. Note that timestep does not equate to hours, the spike in score to 95% occurred approximately 2 hours into the attack, prior to data encryption.

In contrast, our second example shown in Figure 3 and Figure 4 illustrates how DIGEST’s analysis of an incident can help teams avoid wasting time on lower risk scenarios. In this instance, Figure 3 illustrates a graph of unusual administrative activity, where we observed connection to a large group of devices. However, the incident score remained low because DIGEST determined that high risk malicious activity was unlikely. This determination was based on what DIGEST observed in the incident's structure, what it assessed as the probable next steps in the incident lifecycle and how likely it was to grow into a larger adverse event.

Graph representation of unusual admin activity connecting to a large group of devices.
Figure 3: Graph representation of unusual admin activity connecting to a large group of devices.
Timeline of DIGEST incident scoring, where the score remained low as the unusual event was determined to be low risk.
Figure 4: Timeline of DIGEST incident scoring, where the score remained low as the unusual event was determined to be low risk.

These examples show the value of enhanced scoring. DIGEST helps teams act sooner on the threats that count and spend less time chasing the ones that do not.

The next phase of advanced detection is here

Darktrace understands what incidents look like. We have seen, investigated, and learned from them at scale, including over 90 million investigations in 2024. With DIGEST, we can share our deep understanding of incidents and their behaviors with you and triage these incidents using Cyber AI Analyst.

Our ability to innovate in this space is grounded in the maturity of our team and the experiences we have built upon in over a decade of building AI solutions for cybersecurity. This experience, along with our depth of understanding of our data, techniques, and strategic layering of AI/ML components has shaped every one of our steps forward.

With DIGEST, we are entering a new phase, with another line of defense that helps teams prioritize and reason over incidents and threats far earlier in an incident’s lifecycle. DIGEST understands your incidents when they start, making it easier for your team to act quickly and confidently.

DIGEST is available in Darktrace 6.3, along with a new embedding model – DEMIST-2 – designed to provide reliable, high-accuracy detections for critical security use cases.

[related-resource]

Continue reading
About the author
Margaret Cunningham, PhD
Director, Security & AI Strategy, Field CISO
Your data. Our AI.
Elevate your network security with Darktrace AI