Blog
/
Network
/
April 8, 2024

Balada Injector: Darktrace’s Investigation into the Malware Exploiting WordPress Vulnerabilities

This blog explores Darktrace’s detection of Balada Injector, a malware known to exploit vulnerabilities in WordPress to gain unauthorized access to networks. Darktrace was able to define numerous use-cases within customer environments which followed previously identified patterns of activity spikes across multiple weeks.
Written by
Justin Torres
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Torres
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
08
Apr 2024

Introduction

With millions of users relying on digital platforms in their day-to-day lives, and organizations across the world depending on them for their business operations, they have inevitably also become a prime target for threat actors. The widespread exploitation of popular services, websites and platforms in cyber-attacks highlights the pervasive nature of malicious actors in today’s threat landscape.

A prime illustration can be seen within the content management system WordPress. Its widespread use and extensive plug-in ecosystem make it an attractive target for attackers aiming to breach networks and access sensitive data, thus leading to routine exploitation attempts. In the End of Year Threat Report for 2023, for example, Darktrace reported that a vulnerability in one WordPress plug-in, namely an authentication bypass vulnerability in miniOrange's Social Login and Register. Darktrace observed it as one of the most exploited vulnerabilities observed across its customer base in the latter half of 2023.

Between September and October 2023, Darktrace observed a string of campaign-like activity associated with Balada Injector, a malware strain known to exploit vulnerabilities in popular plug-ins and themes on the WordPress platform in order to inject a backdoor to provide further access to affected devices and networks. Thanks to its anomaly-based detection, Darktrace DETECT™ was able to promptly identify suspicious connections associated with the Balada Injector, ensuring that security teams had full visibility over potential post-compromise activity and allowing them to act against offending devices.

What is Balada Injector?

The earliest signs of the Balada Injector campaign date back to 2017; however, it was not designated the name Balada Injector until December 2022 [1]. The malware utilizes plug-ins and themes in WordPress to inject a backdoor that redirects end users to malicious and fake sites. It then exfiltrates sensitive information, such as database credentials, archive files, access logs and other valuable information which may not be properly secured [1]. Balada Injector compromise activity is also reported to arise in spikes of activity that emerge every couple of weeks [4].

In its most recent attack activity patterns, specifically in September 2023, Balada Injector exploited a cross-site scripting (XSS) vulnerability in CVE-2023-3169 associated with the tagDiv composer plug-in. Some of the injection methods observed included HTML injections, database injections, and arbitrary file injections. In late September 2023, a similar pattern of behavior was observed, with the ability to plant a backdoor that could execute PHP code and install a malicious WordPress plug-in, namely ‘wp-zexit’.

According to external security researchers [2], the most recent infection activity spikes for Balada Injector include the following:

Pattern 1: ‘stay.decentralappps[.]com’ injections

Pattern 2: Autogenerated malicious WordPress users

Pattern 3: Backdoors in the Newspaper theme’s 404.php file

Pattern 4: Malicious ‘wp-zexit’ plug-in installation

Pattern 5: Three new Balada Injector domains (statisticscripts[.]com, dataofpages[.]com, and listwithstats[.]com)

Pattern 6: Promsmotion[.]com domain

Darktrace’s Coverage of Balada Injector

Darktrace detected devices across multiple customer environments making external connections to the malicious Balada Injector domains, including those associated with aforementioned six infection activity patterns. Across the incidents investigated by Darktrace, much of the activity appeared to be associated with TLS/SSL connectivity, related to Balada Injector endpoints, which correlated with the reported infection patterns of this malware. The observed hostnames were all recently registered and, in most cases, had IP geolocations in either the Netherlands or Ukraine.

In the observed cases of Balada Injector across the Darktrace fleet, Darktrace RESPOND™ was not active on the affected customer environments. If RESPOND had been active and enabled in autonomous response mode at the time of these attacks, it would have been able to quickly block connections to malicious Balada Injector endpoints as soon as they were identified by DETECT, thereby containing the threat.

Looking within the aforementioned activity patterns, Darktrace identified a Balada Injector activity within a customer’s environment on October 16, 2023, when a device was observed making a total of 9 connection attempts to ‘sleep[.]stratosbody[.]com’, a domain that had previously been associated with the malware [2]. Darktrace recognized that the endpoint had never been seen on the network, with no other devices having connected to it previously, thus treated it as suspicious.

Figure 1: The connection details above demonstrate 100% rare external connections were made from the internal device to the ‘sleep[.]stratosbody[.]com’ endpoint.

Similarly, on September 21, 2023, Darktrace observed a device on another customer network connecting to an external IP that had never previously been observed on the environment, 111.90.141[.]193. The associated server name was a known malicious endpoint, ‘stay.decentralappps[.]com’, known to be utilized by Balada Injector to host malicious scripts used to compromise WordPress sites. Although the ‘stay.decentralappps[.]com’ domain was only registered in September 2023, it was reportedly used in the redirect chain of the aforementioned stratosbody[.com] domain [2]. Such scripts can be used to upload backdoors, including malicious plug-ins, and create blog administrators who can perform administrative tasks without having to authenticate [2].

Figure 2: Advance Search results displaying the metadata logs surrounding the unusual connections to ‘stay.decentralappps[.]com’. A total of nine HTTP CONNECT requests were observed, with status messages “Proxy Authorization Required” and “Connection established”.

Darktrace observed additional connections within the same customer’s environment on October 10 and October 18, specifically SSL connections from two distinct source devices to the ‘stay.decentralappps[.]com’ endpoint. Within these connections, Darktrace observed the normalized JA3 fingerprints, “473f0e7c0b6a0f7b049072f4e683068b” and “aa56c057ad164ec4fdcb7a5a283be9fc”, the latter of which corresponds to GitHub results mentioning a Python client (curl_cffi) that is able to impersonate the TLS signatures of browsers or JA3 fingerprints [8].

Figure 3: Advanced Search query results showcasing Darktrace’s detection of SSL connections to ‘stay.decentralappps[.]com over port 443.

On September 29, 2023, a device on a separate customer’s network was observed connecting to the hostname ‘cdn[.]dataofpages[.]com’, one of the three new Balada Injector domains identified as part of the fifth pattern of activity outlined above, using a new SSL certificate via port 443. Multiple open-source intelligence (OSINT) vendors flagged this domain as malicious and associated with Balada Injector malware [9].

Figure 4: The Model Breach Event Log detailing the Balada Injector-related connections observed causing the ‘Anomalous External Activity from Critical Network Device’ DETECT model to breach.

On October 2, 2023, Darktrace observed the device of another customer connecting to the rare hostname, ‘js.statisticscripts[.]com’ with the IP address 185.39.206[.]161, both of which had only been registered in late September and are known to be associated with the Balada Injector.

Figure 5: Model Breach Event Log detailing connections to the hostname ‘js.statisticscripts[.]com’ over port 137.

On September 13, 2023, Darktrace identified a device on another customer’s network connecting to the Balada Injector endpoint ‘stay.decentralappps[.]com’ endpoint, with the destination IP 1.1.1[.]1, using the SSL protocol. This time, however, Darktrace also observed the device making subsequent connections to ‘get.promsmotion[.]com’ a subdomain of the ‘promsmotion[.]com’ domain. This domain is known to be used by Balada Injector actors to host malicious scripts that can be injected into the WordPress Newspaper theme as potential backdoors to be leveraged by attackers.

In a separate case observed on September 14, Darktrace identified a device on another environment connecting to the domain ‘collect[.]getmygateway[.]com’ with the IP 88.151.192[.]254. No other device on the customer’s network had visited this endpoint previously, and the device in question was observed repeatedly connecting to it via port 443 over the course of four days. While this specific hostname had not been linked with a specific activity pattern of Balada Injector, it was reported as previously associated with the malware in September 2023 [2].

Figure 6: Model Breach Event Log displaying a customer device making repeated connections to the endpoint ‘collect[.]getmygateway[.]com’, breaching the DETECT model ‘Repeating Connections Over 4 Days’.

In addition to DETECT’s identification of this suspicious activity, Darktrace’s Cyber AI Analyst™ also launched its own autonomous investigation into the connections. AI Analyst was able to recognize that these separate connections that took place over several days were, in fact, connected and likely represented command-and-control (C2) beaconing activity that had been taking place on the customer networks.

By analyzing the large number of external connections taking place on a customer’s network at any one time, AI Analyst is able to view seemingly isolated events as components of a wider incident, ensuring that customers maintain full visibility over their environments and any emerging malicious activity.

Figure 7: Cyber AI Analyst investigation detailing the SSL connectivity observed, including endpoint details and overall summary of the beaconing activity.

Conclusion

While Balada Injector’s tendency to interchange C2 infrastructure and utilize newly registered domains may have been able to bypass signature-based security measures, Darktrace’s anomaly-based approach enabled it to swiftly identify affected devices across multiple customer environments, without needing to update or retrain its models to keep pace with the evolving iterations of WordPress vulnerabilities.

Unlike traditional measures, Darktrace DETECT’s Self-Learning AI focusses on behavioral analysis, crucial for identifying emerging threats like those exploiting commonly used platforms such as WordPress. Rather than relying on historical threat intelligence or static indicators of compromise (IoC) lists, Darktrace identifies the subtle deviations in device behavior, such as unusual connections to newly registered domains, that are indicative of network compromise.

Darktrace’s suite of products, including DETECT+RESPOND, is uniquely positioned to proactively identify and contain network compromises from the onset, offering vital protection against disruptive cyber-attacks.

Credit to: Justin Torres, Cyber Analyst, Nahisha Nobregas, Senior Cyber Analyst

Appendices

Darktrace DETECT Model Coverage

  • Anomalous Server Activity / Anomalous External Activity from Critical Network Device
  • Anomalous Connection / Anomalous SSL without SNI to New External
  • Anomalous Connection / Rare External SSL Self-Signed
  • Compliance / Possible DNS Over HTTPS/TLS
  • Compliance / External Windows Communications
  • Compromise / Repeating Connections Over 4 Days
  • Compromise / Beaconing Activity To External Rare
  • Compromise / SSL Beaconing to Rare Destination
  • Compromise / HTTP Beaconing to Rare Destination
  • Compromise / Suspicious TLS Beaconing To Rare External
  • Compromise / Large DNS Volume for Suspicious Domain
  • Anomalous Server Activity / Outgoing from Server
  • Anomalous Server Activity / Rare External from Server
  • Device / Suspicious Domain

List of IoCs

IoC - Type - Description + Confidence

collect[.]getmygateway[.]com - Hostname - Balada C2 Endpoint

cdn[.]dataofpages[.]com - Hostname - Balada C2 Endpoint

stay[.]decentralappps[.]com - Hostname - Balada C2 Endpoint

get[.]promsmotion[.]com - Hostname - Balada C2 Endpoint

js[.]statisticscripts[.]com - Hostname - Balada C2 Endpoint

sleep[.]stratosbody[.]com - Hostname - Balada C2 Endpoint

trend[.]stablelightway[.]com - Hostname - Balada C2 Endpoint

cdn[.]specialtaskevents[.]com - Hostname - Balada C2 Endpoint

88.151.192[.]254 - IP Address - Balada C2 Endpoint

185.39.206[.]160 - IP Address - Balada C2 Endpoint

111.90.141[.]193 - IP Address - Balada C2 Endpoint

185.39.206[.]161 - IP Address - Balada C2 Endpoint

2.59.222[.]121 - IP Address - Balada C2 Endpoint

80.66.79[.]253 - IP Address - Balada C2 Endpoint

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) - User Agent - Observed User Agent in Balada C2 Connections

Gecko/20100101 Firefox/68.0 - User Agent - Observed User Agent in Balada C2 Connections

Mozilla/5.0 (Windows NT 10.0; Win64; x64) - User Agent - Observed User Agent in Balada C2 Connections

AppleWebKit/537.36 (KHTML, like Gecko) - User Agent - Observed User Agent in Balada C2 Connections

Chrome/117.0.0.0 - User Agent - Observed User Agent in Balada C2 Connections

Safari/537.36 - User Agent - Observed User Agent in Balada C2 Connections

Edge/117.0.2045.36 - User Agent - Observed User Agent in Balada C2 Connections

MITRE ATT&CK Mapping

Technique - Tactic - ID - Sub Technique

Exploit Public-Facing Application

INITIAL ACCESS

T1190

Web Protocols

COMMAND AND CONTROL

T1071.001

T1071

Protocol Tunneling

COMMAND AND CONTROL

T1572


Default Accounts

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS

T1078.001

T1078

Domain Accounts

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS

T1078.002

T1078

External Remote Services

PERSISTENCE, INITIAL ACCESS

T1133

NA

Local Accounts

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS

T1078.003

T1078

Application Layer Protocol

COMMAND AND CONTROL

T1071

NA

Browser Extensions

PERSISTENCE

T1176

NA

Encrypted Channel

COMMAND AND CONTROL

T1573

Fallback Channels

COMMAND AND CONTROL

T1008

Multi-Stage Channels

COMMAND AND CONTROL

T1104

Non-Standard Port

COMMAND AND CONTROL

T1571

Supply Chain Compromise

INITIAL ACCESS ICS

T0862

Commonly Used Port

COMMAND AND CONTROL ICS

T0885

References

[1] https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html

[2] https://blog.sucuri.net/2023/10/balada-injector-targets-unpatched-tagdiv-plugin-newspaper-theme-wordpress-admins.html

[3] https://securityboulevard.com/2021/05/wordpress-websites-redirecting-to-outlook-phishing-pages-travelinskydream-ga-track-lowerskyactive/

[4] https://thehackernews.com/2023/10/over-17000-wordpress-sites-compromised.html

[5] https://www.bleepingcomputer.com/news/security/over-17-000-wordpress-sites-hacked-in-balada-injector-attacks-last-month/

[6]https://nvd.nist.gov/vuln/detail/CVE-2023-3169

[7] https://www.geoedge.com/balda-injectors-2-0-evading-detection-gaining-persistence/

[8] https[:]//github[.]com/yifeikong/curl_cffi/blob/master/README.md

[9] https://www.virustotal.com/gui/domain/cdn.dataofpages.com

Written by
Justin Torres
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Torres
Cyber Analyst

Phantom Footprints: Tracking GhostSocks Malware

Network
March 26, 2026
Isabel Evans
Cyber Analyst
Watch the NIS2 Webinar
Trending blogs
1
Darktrace Recognized as the Only Visionary in the 2026 Gartner® Magic Quadrant™ for CPS Protection Platforms
Mar 20, 2026
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Network
April 2, 2026

How Chinese-Nexus Cyber Operations Have Evolved – And What It Means For Cyber Risk and Resilience 

Darktrace's latest threat research reveals how Chinese-nexus cyber operations have evolved from isolated intrusions into long-term strategic positioning, with attackers prioritizing persistent access to critical infrastructure and digital ecosystems to gain lasting operational and economic advantage.
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Read more
Network
March 26, 2026

Phantom Footprints: Tracking GhostSocks Malware

GhostSocks is an emerging threat turning compromised devices into residential proxy nodes to help attackers evade detection. Darktrace identifies its growing use alongside Lumma Stealer, highlighting the malware’s stealth, payload delivery, and persistence. AI-driven detection and Autonomous Response reveal the full attack lifecycle and underscore the need for proactive defense.
Isabel Evans
Cyber Analyst
Read more
Network
March 17, 2026

When Reality Diverges from the Playbook: Darktrace Identifies Encryption in a World Leaks Ransomware Attack

World Leaks, a rebrand of Hunters International, are known for their extortion-only attack model, abandoning the tactic of file encryption. However, contrary to these claims, Darktrace detected a World Leaks compromise where a ransomware payload was deployed, and customer data was encrypted.
Tiana Kelly
Senior Cyber Analyst & Team Lead
Read more

Blog

/

Network

/

April 2, 2026

How Chinese-Nexus Cyber Operations Have Evolved – And What It Means For Cyber Risk and Resilience 

Chinese-Nexus Cyber OperationsDefault blog imageDefault blog image

Cybersecurity has traditionally organized risk around incidents, breaches, campaigns, and threat groups. Those elements still matter—but if we fixate on individual incidents, we risk missing the shaping of the entire ecosystem. Nation‑state–aligned operators are increasingly using cyber operations to establish long-term strategic leverage, not just to execute isolated attacks or short‑term objectives.  

Our latest research, Crimson Echo, shifts the lens accordingly. Instead of dissecting campaigns, malware families, or actor labels as discrete events, the threat research team analyzed Chinese‑nexus activity as a continuum of behaviors over time. That broader view reveals how these operators position themselves within environments: quietly, patiently, and persistently—often preparing the ground long before any recognizable “incident” occurs.  

How Chinese-nexus cyber threats have changed over time

Chinese-nexus cyber activity has evolved in four phases over the past two decades. This ranges from early, high-volume operations in the 1990s and early 2000s to more structured, strategically-aligned activity in the 2010s, and now toward highly adaptive, identity-centric intrusions.  

Today’s phase is defined by scale, operational restraint, and persistence. Attackers are establishing access, evaluating its strategic value, and maintaining it over time. This reflects a broader shift: cyber operations are increasingly integrated into long-term economic and geopolitical strategies. Access to digital environments, specifically those tied to critical national infrastructure, supply chains, and advanced technology, has become a form of strategic leverage for the long-term.  

How Darktrace analysts took a behavioral approach to a complex problem

One of the challenges in analyzing nation-state cyber activity is attribution. Traditional approaches often rely on tracking specific threat groups, malware families, or infrastructure. But these change constantly, and in the case of Chinese-nexus operations, they often overlap.

Crimson Echo is the result of a retrospective analysis of three years of anomalous activity observed across the Darktrace fleet between July 2022 and September 2025. Using behavioral detection, threat hunting, open-source intelligence, and a structured attribution framework (the Darktrace Cybersecurity Attribution Framework), the team identified dozens of medium- to high-confidence cases and analyzed them for recurring operational patterns.  

This long-horizon, behavior-centric approach allows Darktrace to identify consistent patterns in how intrusions unfold, reinforcing that behavioral patterns that matter.  

What the data shows

Several clear trends emerged from the analysis:

  • Targeting is concentrated in strategically important sectors. Across the dataset, 88% of intrusions occurred in organizations classified as critical infrastructure, including transportation, critical manufacturing, telecommunications, government, healthcare, and Information Technology (IT) services.  
  • Strategically important Western economies are a primary focus. The US alone accounted for 22.5% of observed cases, and when combined with major European economies including Germany, Italy, Spain and the UK, over half of all intrusions (55%) were concentrated in these regions.  
  • Nearly 63% of intrusions of intrusions began with the exploitation of internet-facing systems, reinforcing the continued risk posed by externally exposed infrastructure.  

Two models of cyber operations

Across the dataset, Chinese-nexus activity followed two operational models.  

The first is best described as “smash and grab.” These are short-horizon intrusions optimized for speed. Attackers move quickly – often exfiltrating data within 48 hours – and prioritize scale over stealth. The median duration of these compromises is around 10 days. It’s clear they are willing to risk detection for short-term gain.  

The second is “low and slow.” These operations were less prevalent in the dataset, but potentially more consequential. Here, attackers prioritize persistence, establishing durable access through identity systems and legitimate administrative tools, so they can maintain access undetected for months or even years. In one notable case, the actor had fully compromised the environment and established persistence, only to resurface in the environment more than 600 days after. The operational pause underscores both the depth of the intrusion and the actor’s long‑term strategic intent. This suggests that cyber access is a strategic asset to preserve and leverage over time, and we observed these attacks most often inin sectors of the high strategic importance.  

It’s important to note that the same operational ecosystem can employ both models concurrently, selecting the appropriate model based on target value, urgency, intended access. The observation of a “smash and grab” model should not be solely interpreted as a failure of tradecraft, but instead an operational choice likely aligned with objectives. Where “low and slow” operations are optimized for patience, smash and grab is optimized for speed; both seemingly are deliberate operational choices, not necessarily indicators of capability.  

Rethinking cyber risk

For many organizations, cyber risk is still framed as a series of discrete events. Something happens, it is detected and contained, and the organization moves on. But persistent access, particularly in deeply interconnected environments that span cloud, identity-based SaaS and agentic systems, and complex supply chain networks, creates a major ongoing exposure risk. Even in the absence of disruption or data theft, that access can provide insight into operations, dependencies, and strategic decision-making. Cyber risk increasingly resembles long-term competitive intelligence.  

This has impact beyond the Security Operations Center. Organizations need to shift how they think about governance, visibility, and resilience, and treat cyber exposure as a structural business risk instead of an incident response challenge.  

What comes next

The goal of this research is to provide a clearer understanding of how these operations work, so defenders can recognize them earlier and respond more effectively. That includes shifting from tracking indicators to understanding behaviors, treating identity providers as critical infrastructure risks, expanding supplier oversight, investing in rapid containment capabilities, and more.  

Learn more about the findings of Darktrace’s latest research, Crimson Echo: Understanding Chinese-nexus Cyber Operations Through Behavioral Analysis, by downloading the full report and summaries for business leaders, CISOs, and SOC analysts here.  

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

Proactive Security

/

April 1, 2026

AI-powered security for a rapidly growing grocery enterprise

Default blog imageDefault blog image

Protecting a complex, fast-growing retail organization

For this multi-banner grocery holding organization, cybersecurity is considered an essential business enabler, protecting operations, growth, and customer trust. The organization’s lean IT team manages a highly distributed environment spanning corporate offices, 100+ stores, distribution centers and  thousands of endpoints, users, and third-party connections.

Mergers and acquisitions fueled rapid growth, but they also introduced escalating complexity that constrained visibility into users, endpoints, and security risks inherited across acquired environments.

Closing critical visibility gaps with limited resources

Enterprise-wide visibility is a top priority for the organization, says the  Vice President of Information Technology. “We needed insights beyond the perimeter into how users and devices were behaving across the organization.”

A security breach that occurred before the current IT leadership joined the company reinforced the urgency and elevated cybersecurity to an executive-level priority with a focus on protecting customer trust. The goal was to build a multi-layered security model that could deliver autonomous, enterprise-wide protection without adding headcount.

Managing cyber risk in M&A

Mergers and acquisitions are central to the grocery holding company’s growth strategy. But each transaction introduces new cyber risk, including inherited network architectures, inconsistent tooling, excessive privileges, and remnants of prior security incidents that were never fully remediated.

“Our M&A targets range from small chains with a single IT person and limited cyber tools to large chains with more developed IT teams, toolsets and instrumentation,” explains the VP of IT. “We needed a fast, repeatable, and reliable way to assess cyber risk before transactions closed.”

AI-driven security built for scale, speed, and resilience

Rather than layering additional point tools onto an already complex environment, the retailer adopted the Darktrace ActiveAI Security Platform™ in 2020 as part of a broader modernization effort to improve resilience, close visibility gaps, and establish a security foundation that could scale with growth.

“Darktrace’s AI-driven approach provided the ideal solution to these challenges,” shares the VP of IT. “It has empowered our organization to maintain a robust security strategy, ensuring the protection of our network and the smooth operation of our business.”

Enterprise-wide visibility into traffic  

By monitoring both north-south and east-west traffic and applying Self-Learning AI, Darktrace develops a dynamic understanding of how users and devices normally behave across locations, roles, and systems.

“Modeling normal behavior across the environment enables us to quickly spot behavior that doesn’t fit. Even subtle changes that could signal a threat but appear legitimate at first glance,” explains the VP of IT.

Real-time threat containment, 24/7

Adopting autonomous response has created operational breathing room for the security team, says the company’s Cybersecurity  Engineer.

“Early on, we enabled full Darktrace autonomous mode and we continue to do so today,” shares the IT Security Architect. “Allowing the technology to act first gives us the time we need to investigate incidents during business hours without putting the business at risk.”

Unified, actionable view of security ecosystem

The grocery retailer integrated Darktrace with its existing security ecosystem of firewalls, vulnerability management tools, and endpoint detection and response, and the VP of IT described the adoption process as “exceptionally smooth.”

The team can correlate enterprise-wide security data for a unified and actionable picture of all activity and risk. Using this “single pane of glass” approach, the retailer trains Level 1 and Level 2 operations staff to assist with investigations and user follow-ups, effectively extending the reach of the security function without expanding headcount.

From reactive defense to security at scale

With Darktrace delivering continuous visibility, autonomous containment, and integrated security workflows, the organization has strengthened its cybersecurity posture while improving operational efficiency. The result is a security model that not only reduces risk, but also supports growth, resilience, and informed decision-making at the business level.

Faster detection, faster resolution

With autonomous detection and response, the retailer can immediately contain risk while analysts investigate and validate activity. With this approach, the company can maintain continuous protection even outside business hours and reduce the chance of lateral spread across systems or locations.

Enterprise-grade protection with a lean team

From cloud environments to clients to SaaS collaboration tools, Darktrace provides holistic autonomous AI defense, processing petabytes of the organization’s network traffic and investigating millions of individual events that could be indicative of a wider incident.

Today, Darktrace autonomously conducts the majority of all investigations on behalf of the IT team, escalating only a tiny fraction for analyst review. The impact has been profound, freeing analysts from endless alerts and hours of triage so they can focus on more valuable, proactive, and gratifying work.

“From an operational perspective, Darktrace gives us time back,” says the Cybersecurity Engineer. More importantly, says the VP of IT, “it gives us peace of mind that we’re protected even if we’re not actively monitoring every alert.”

A strategic input for M&A decision-making

One of the most strategic outcomes has been the role of cybersecurity on M&A. 90 days prior to closing a transaction, the security team uses Darktrace alongside other tools to perform a cyber risk assessment of the potential acquisition. “Our approach with Darktrace has consistently identified gaps and exposed risks,” says the VP of IT, including:

  • Remnants of previous incidents that were never fully remediated
  • Network configurations with direct internet exposure
  • Excessive administrative privileges in Active Directory or on critical hosts

While security findings may not alter deal timelines, the VP of IT says they can have enormous business implications. “With early visibility into these risks, we can reduce exposure to inherited cyber threats, strengthen our position during negotiations, and establish clear remediation requirements.”

A security strategy built to evolve with the business

As the holding group expands its cloud footprint, it will extend Darktrace protections into Azure, applying the same AI-driven visibility and autonomous response to cloud workloads. The VP of IT says Darktrace's evolving capabilities will be instrumental in addressing the organization’s future cybersecurity needs and ability to adapt to the dynamic nature of cloud security.

“With Darktrace’s AI-driven approach, we have moved beyond reactive defense, establishing a resilient security foundation for confident expansion and modernization.”

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI