Blog
/
Network
/
December 9, 2024

Darktrace is Positioned as a Leader in the IDC MarketScape: Worldwide Network Detection and Response 2024 Vendor Assessment

Darktrace is recognized as a Leader in the IDC MarketScape. Read this blog to find out more about Darktrace's leadership in the market and our pioneering leadership in AI over the past decade, alongside a variety of other unique differentiators and innovations in the NDR industry.
Written by
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
09
Dec 2024

Darktrace is pleased to announce that we have been positioned as a Leader in the IDC MarketScape: Worldwide Network Detection and Response 2024 Vendor Assessment. We believe this further highlights Darktrace’s position as a pioneer in the NDR market and follows similar recognition from KuppingerCole, who recently named Darktrace as an Overall Leader, Product Leader, Market Leader and Innovation Leader in the KuppingerCole Leadership Compass: Network Detection and Response (2024).

Network Detection and Response (NDR) solutions are uniquely positioned to provide visibility over the core hub of a business and employee activity, analyzing North-South and East-West traffic to identify threats across the modern network. NDR provides a rich and true source of anomalies and goes beyond process level data that is relied on by Endpoint Detection and Response (EDR) agents that do not provide network level visibility and can be misconfigured at any time.1

Metadata from network traffic can be used to detect a variety of different threats based on events such as anomalous port usage, unusual upload/download activity, impossible travel and many other activities. This has been accelerated by the increased usage of user behavioral analytics (UBA) in network security, which establishes statistical baselines about network entities and highlights deviations from expected activity.1

Darktrace is recognized as a Leader in the IDC MarketScape due to our leadership in the market and our pioneering leadership in AI over the past decade, alongside a variety of other unique differentiators and innovations in the NDR industry.

Darktrace / NETWORK™ delivers full visibility, real time threat detection and Autonomous Response capabilities across an organization’s on-premises, cloud, hybrid and virtual environments, including remote worker endpoints.

Unique Approach to AI

Most NDR vendors and network security tools such as IDS/IPS rely on detecting known attacks with historical data and supervised machine learning, leaving organizations blind and vulnerable to novel threats such as zero-days, variants of known attacks, supply chain attacks and insider threats.

These vendors also tend to apply AI models that are trained globally, and are not unique to each organization’s environment, which creates a high number of false positives and alerts that ultimately lack business context.

The IDC MarketScape recognizes that Darktrace takes a differentiated approach in the market with regards to delivering network detection and response capabilities, noting; “Darktrace is unique in that it does not rely on rules and signatures but rather learns what constitutes as normal for an organization and generates alerts when there is a deviation.”1

Darktrace / NETWORK achieves this through the use of Self-Learning AI and unsupervised machine learning to understand what is normal network behavior, continuously analyzing, mapping and modeling every connection to create a full picture of devices, identities, connections and potential attack paths. Darktrace Self-Learning AI autonomously optimizes itself to cut through the noise and quickly surface genuine, prioritized network security incidents – significantly reducing false positives and removing the hassle of needing to continually tuning alerts manually.

Darktrace’s unique approach to AI also extends to the investigation and triage of network alerts with Cyber AI Analyst. Unlike a chat or prompt based LLM, Cyber AI Analyst investigates all relevant alerts in an environment, including third party alerts, autonomously forming hypotheses and reaching conclusions just like a human analyst would, accelerating SOC Level 2 analyses of incidents by 10x. Cyber AI Analyst also typically providing SOC teams with up to 50,000 additional hours annually of Level 2 analysis producing high level alerts and written reporting, transforming security operations.2

Darktrace also uses its deep understanding of what is normal for a network to identify suspicious behavior, leveraging Autonomous Response capabilities to shut down both known and novel threats in real time, taking targeted actions without disrupting business operations. Darktrace / NETWORK is the only NDR solution that can autonomously enforce a pattern of life based on what is normal for a standalone device or group of peers, rapidly containing and disarming threats based on the overall context of the environment and a granular understanding of what is normal for a device or user – instead of relying on historical attack data.

Continued NDR Market Leadership

Darktrace has been recognized as a Leader in the NDR market, and the IDC MarketScape listed a variety of strengths:

  • Darktrace achieves roughly one-fifth of all global NDR revenue. This is important because other IT and cybersecurity solutions providers necessarily want to have integration with Darktrace.
  • The AI algorithms that Darktrace uses for NDR have had 10 years of deployments, tuning, and learning to draw from.
  • Darktrace is available as a SaaS, as an enterprise license, and as physical, hybrid, or virtual appliances. Darktrace also offers an endpoint agent and visibility into VPN and ZTNA.
  • Darktrace integrates with 30+ different interfaces including SIEM, SOAR, XDR platforms, IT ticketing solutions, and their own dashboards. The Darktrace Threat Visualizer highlights events and incidents from the entire deployment including cloud, apps, email, endpoint, zero trust, network, and OT.
  • Darktrace / NETWORK charts the progress that the SOC is making over time with key metrics such as MTTD/MTTR, alerts generated and processed, and other criteria.
  • Darktrace reported coverage of 14 MITRE ATT&CK categories, 158 techniques, and 184 subtechniques

Proactive Network Resilience

The IDC MarketScape notes, “Ultimately, NDR shines as a standalone detection and response technology but is especially powerful when combined with other platforms. NDR in combination with other control points such as endpoint, data, identity, and application provides the proper context when winnowing alerts and trying to uncover a single source of truth.” . Darktrace comprehensively addresses this as part of the ActiveAI Security Platform, by combining network alerts with data from / EMAIL, / IDENTITY, / ENDPOINT, / CLOUD and / OT, providing deeper contextual analysis for each network alert and automatically enriching investigations.

Darktrace also goes beyond NDR solutions with capabilities that are closely linked to our NDR offering, helping clients to achieve and maintain a state of proactive network resilience:

  • Darktrace / Proactive Exposure Management – look beyond just CVE risks to discover, prioritize and validate risks by business impact and how to address them early, reducing the number of real threats that security teams need to handle.
  • Darktrace / Incident Readiness & Recovery – lets teams respond in the best way to each incident and proactively test their familiarity and effectiveness of IR workflows with sophisticated incident simulations based on their own analysts and assets.

Together, these solutions allow Darktrace / NETWORK to go beyond the traditional approach to NDR and shift teams to a more hardened and proactive stance.

Protecting Clients with Continued Innovation

Darktrace invests heavily in Research and Development to continue providing customers with market-leading NDR capabilities and innovations, which was reflected in our position in the Leader category of the MarketScape report for both capabilities and strategy. We are led by the needs and challenges of our customers, which serve as the driving force behind our continued innovation and leadership in the NDR market. The IDC MarketScape report underlines this approach with the following feedback presented by Darktrace customers:

“A customer intimated that 99% of their detections were OOTB with little need to tune or define parameters.”
“A customer reported that it had early warnings for adversarial tactics such as suspicious SMB scanning, suspicious remote execution, remote desktop protocol (RDP) scanning, data exfiltration, C2C, LDAP query, and suspicious Kerberos activity.”
“The client could use Regex to determine if suspicious behavior was found elsewhere on the network.”

Thousands of customers around the world across all industries and sectors rely on Darktrace / NETWORK to protect against known and novel threats. From the latest vulnerabilities in network hardware to sophisticated new strains of ransomware and everything in-between, Darktrace helps clients detect and respond to all types of threats affecting their networks and avoid business disruption, even from the latest attacks.

Find out more about the unique capabilities of Darktrace / NETWORK and our application of AI in network security in the IDC MarketScape excerpt.

References

  1. IDC MarketScape: Worldwide Network Detection and Response 2024 Vendor Assessment (Doc #US51752324, November 2024)
  2. Darktrace Cyber AI Analyst Customer Fleet Data

Written by
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Mikey Anderson
Product Marketing Manager, Network Detection & Response

Maduro Arrest Used as a Lure to Deliver Backdoor

Network
January 9, 2026
Tara Gould
Malware Research Lead
Watch the NIS2 Webinar
Trending blogs
1
Securing Generative AI: Managing Risk in Amazon Bedrock with Darktrace / CLOUD
Nov 19, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Network
January 9, 2026

Maduro Arrest Used as a Lure to Deliver Backdoor

Darktrace researchers observed threat actors exploiting reports of Venezuelan President Maduro’s arrest to deliver backdoor malware. Attackers often use ongoing world events make their malicious content appear more credible, increasingly the likelihood of a successful attack.
Tara Gould
Malware Research Lead
Read more
Network
January 8, 2026

Under Medusa’s Gaze: How Darktrace Uncovers RMM Abuse in Ransomware Campaigns

Medusa ransomware increasingly exploits remote monitoring and management (RMM) tools for persistence, lateral movement, and data exfiltration. This blog explores Medusa’s tactics, real-world detections, and how anomaly-based solutions with Autonomous Response can stop attacks.
Signe Zaharka
Principal Cyber Analyst
Read more
Network
December 10, 2025

React2Shell: How Opportunist Attackers Exploited CVE-2025-55182 Within Hours

Darktrace observed opportunistic exploitation of the React2Shell vulnerability within minutes of honeypot deployment. Attackers leveraged shell scripts, HTTP beaconing, and cryptomining activity, highlighting rapid adaptation to unpatched flaws.
Nathaniel Bill
Malware Research Engineer
Read more

Blog

/

/

January 13, 2026

Runtime Is Where Cloud Security Really Counts: The Importance of Detection, Forensics and Real-Time Architecture Awareness

runtime, cloud security, cnaapDefault blog imageDefault blog image

Introduction: Shifting focus from prevention to runtime

Cloud security has spent the last decade focused on prevention; tightening configurations, scanning for vulnerabilities, and enforcing best practices through Cloud Native Application Protection Platforms (CNAPP). These capabilities remain essential, but they are not where cloud attacks happen.

Attacks happen at runtime: the dynamic, ephemeral, constantly changing execution layer where applications run, permissions are granted, identities act, and workloads communicate. This is also the layer where defenders traditionally have the least visibility and the least time to respond.

Today’s threat landscape demands a fundamental shift. Reducing cloud risk now requires moving beyond static posture and CNAPP only approaches and embracing realtime behavioral detection across workloads and identities, paired with the ability to automatically preserve forensic evidence. Defenders need a continuous, real-time understanding of what “normal” looks like in their cloud environments, and AI capable of processing massive data streams to surface deviations that signal emerging attacker behavior.

Runtime: The layer where attacks happen

Runtime is the cloud in motion — containers starting and stopping, serverless functions being called, IAM roles being assumed, workloads auto scaling, and data flowing across hundreds of services. It’s also where attackers:

  • Weaponize stolen credentials
  • Escalate privileges
  • Pivot programmatically
  • Deploy malicious compute
  • Manipulate or exfiltrate data

The challenge is complex: runtime evidence is ephemeral. Containers vanish; critical process data disappears in seconds. By the time a human analyst begins investigating, the detail required to understand and respond to the alert, often is already gone. This volatility makes runtime the hardest layer to monitor, and the most important one to secure.

What Darktrace / CLOUD Brings to Runtime Defence

Darktrace / CLOUD is purpose-built for the cloud execution layer. It unifies the capabilities required to detect, contain, and understand attacks as they unfold, not hours or days later. Four elements define its value:

1. Behavioral, real-time detection

The platform learns normal activity across cloud services, identities, workloads, and data flows, then surfaces anomalies that signify real attacker behavior, even when no signature exists.

2. Automated forensic level artifact collection

The moment Darktrace detects a threat, it can automatically capture volatile forensic evidence; disk state, memory, logs, and process context, including from ephemeral resources. This preserves the truth of what happened before workloads terminate and evidence disappears.

3. AI-led investigation

Cyber AI Analyst assembles cloud behaviors into a coherent incident story, correlating identity activity, network flows, and Cloud workload behavior. Analysts no longer need to pivot across dashboards or reconstruct timelines manually.

4. Live architectural awareness

Darktrace continuously maps your cloud environment as it operates; including services, identities, connectivity, and data pathways. This real-time visibility makes anomalies clearer and investigations dramatically faster.

Together, these capabilities form a runtime-first security model.

Why CNAPP alone isn’t enough

CNAPP platforms excel at pre deployment checks all the way down to developer workstations, identifying misconfigurations, concerning permission combinations, vulnerable images, and risky infrastructure choices. But CNAPP’s breadth is also its limitation. CNAPP is about posture. Runtime defense is about behavior.

CNAPP tells you what could go wrong; runtime detection highlights what is going wrong right now.

It cannot preserve ephemeral evidence, correlate active behaviors across domains, or contain unfolding attacks with the precision and speed required during a real incident. Prevention remains essential, but prevention alone cannot stop an attacker who is already operating inside your cloud environment.

Real-world AWS Scenario: Why Runtime Monitoring Wins

A recent incident detected by Darktrace / CLOUD highlights how cloud compromises unfold, and why runtime visibility is non-negotiable. Each step below reflects detections that occur only when monitoring behavior in real time.

1. External Credential Use

Detection: Unusual external source for credential use: An attacker logs into a cloud account from a never-before-seen location, the earliest sign of account takeover.

2. AWS CLI Pivot

Detection: Unusual CLI activity: The attacker switches to programmatic access, issuing commands from a suspicious host to gain automation and stealth.

3. Credential Manipulation

Detection: Rare password reset: They reset or assign new passwords to establish persistence and bypass existing security controls.

4. Cloud Reconnaissance

Detection: Burst of resource discovery: The attacker enumerates buckets, roles, and services to map high value assets and plan next steps.

5. Privilege Escalation

Detection: Anomalous IAM update: Unauthorized policy updates or role changes grant the attacker elevated access or a backdoor.

6. Malicious Compute Deployment

Detection: Unusual EC2/Lambda/ECS creation: The attacker deploys compute resources for mining, lateral movement, or staging further tools.

7. Data Access or Tampering

Detection: Unusual S3 modifications: They alter S3 permissions or objects, often a prelude to data exfiltration or corruption.

Only some of these actions would appear in a posture scan, crucially after the fact.
Every one of these runtime detections is visible only through real-time behavioral monitoring while the attack is in progress.

The future of cloud security Is runtime-first

Cloud defense can no longer revolve solely around prevention. Modern attacks unfold in runtime, across a fast-changing mesh of workloads, services, and — critically — identities. To reduce risk, organizations must be able to detect, understand, and contain malicious activity as it happens, before ephemeral evidence disappears and before attacker's pivot across identity layers.

Darktrace / CLOUD delivers this shift by turning runtime, the most volatile and consequential layer in the cloud, into a fully defensible control point through unified visibility across behavior, workloads, and identities. It does this by providing:

  • Real-time behavior detection across workloads and identity activity
  • Autonomous response actions for rapid containment
  • Automated forensic level artifact preservation the moment events occur
  • AI-driven investigation that separates weak signals from true attacker patterns
  • Live cloud environment insight to understand context and impact instantly

Cloud security must evolve from securing what might go wrong to continuously understanding what is happening; in runtime, across identities, and at the speed attackers operate. Unifying runtime and identity visibility is how defenders regain the advantage.

[related-resource]

Continue reading
About the author
Adam Stevens
Senior Director of Product, Cloud | Darktrace

Blog

/

Network

/

January 12, 2026

Maduro Arrest Used as a Lure to Deliver Backdoor

maduro arrest used as lure to deliver backdoorDefault blog imageDefault blog image

Introduction

Threat actors frequently exploit ongoing world events to trick users into opening and executing malicious files. Darktrace security researchers recently identified a threat group using reports around the arrest of Venezuelan President Nicolàs Maduro on January 3, 2025, as a lure to deliver backdoor malware.

Technical Analysis

While the exact initial access method is unknown, it is likely that a spear-phishing email was sent to victims, containing a zip archive titled “US now deciding what’s next for Venezuela.zip”. This file included an executable named “Maduro to be taken to New York.exe” and a dynamic-link library (DLL), “kugou.dll”.  

The binary “Maduro to be taken to New York.exe” is a legitimate binary (albeit with an expired signature) related to KuGou, a Chinese streaming platform. Its function is to load the DLL “kugou.dll” via DLL search order. In this instance, the expected DLL has been replaced with a malicious one with the same name to load it.  

DLL called with LoadLibraryW.
Figure 1: DLL called with LoadLibraryW.

Once the DLL is executed, a directory is created C:\ProgramData\Technology360NB with the DLL copied into the directory along with the executable, renamed as “DataTechnology.exe”. A registry key is created for persistence in “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Lite360” to run DataTechnology.exe --DATA on log on.

Registry key added for persistence.
Figure 2. Registry key added for persistence.
Folder “Technology360NB” created.
Figure 3: Folder “Technology360NB” created.

During execution, a dialog box appears with the caption “Please restart your computer and try again, or contact the original author.”

Message box prompting user to restart.
Figure 4. Message box prompting user to restart.

Prompting the user to restart triggers the malware to run from the registry key with the command --DATA, and if the user doesn't, a forced restart is triggered. Once the system is reset, the malware begins periodic TLS connections to the command-and-control (C2) server 172.81.60[.]97 on port 443. While the encrypted traffic prevents direct inspection of commands or data, the regular beaconing and response traffic strongly imply that the malware has the ability to poll a remote server for instructions, configuration, or tasking.

Conclusion

Threat groups have long used geopolitical issues and other high-profile events to make malicious content appear more credible or urgent. Since the onset of the war in Ukraine, organizations have been repeatedly targeted with spear-phishing emails using subject lines related to the ongoing conflict, including references to prisoners of war [1]. Similarly, the Chinese threat group Mustang Panda frequently uses this tactic to deploy backdoors, using lures related to the Ukrainian war, conventions on Tibet [2], the South China Sea [3], and Taiwan [4].  

The activity described in this blog shares similarities with previous Mustang Panda campaigns, including the use of a current-events archive, a directory created in ProgramData with a legitimate executable used to load a malicious DLL and run registry keys used for persistence. While there is an overlap of tactics, techniques and procedures (TTPs), there is insufficient information available to confidently attribute this activity to a specific threat group. Users should remain vigilant, especially when opening email attachments.

Credit to Tara Gould (Malware Research Lead)
Edited by Ryan Traill (Analyst Content Lead)

Indicators of Compromise (IoCs)

172.81.60[.]97
8f81ce8ca6cdbc7d7eb10f4da5f470c6 - US now deciding what's next for Venezuela.zip
722bcd4b14aac3395f8a073050b9a578 - Maduro to be taken to New York.exe
aea6f6edbbbb0ab0f22568dcb503d731  - kugou.dll

References

[1] https://cert.gov.ua/article/6280422  

[2] https://www.ibm.com/think/x-force/hive0154-mustang-panda-shifts-focus-tibetan-community-deploy-pubload-backdoor

[3] https://www.ibm.com/think/x-force/hive0154-targeting-us-philippines-pakistan-taiwan

[4] https://www.ibm.com/think/x-force/hive0154-targeting-us-philippines-pakistan-taiwan

Continue reading
About the author
Tara Gould
Malware Research Lead
Your data. Our AI.
Elevate your network security with Darktrace AI