Blog
/
Network
/
August 8, 2025

Ivanti Under Siege: Investigating the Ivanti Endpoint Manager Mobile Vulnerabilities (CVE-2025-4427 & CVE-2025-4428)

Darktrace investigates active exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428. Threat actors can leverage these CVEs for unauthenticated remote code execution, delivering malware like KrustyLoader. This blog explores evolving post-exploitation tactics and emphasizes the need for continuous visibility and machine-speed response across enterprise network environments.
Written by
Nahisha Nobregas
SOC Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Nahisha Nobregas
SOC Analyst
ivanti cve exploitation edge infrastructure Default blog image
08
Aug 2025

Ivanti & Edge infrastructure exploitation

Edge infrastructure exploitations continue to prevail in today’s cyber threat landscape; therefore, it was no surprise that recent Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities CVE-2025-4427 and CVE-2025-4428 were exploited targeting organizations in critical sectors such as healthcare, telecommunications, and finance across the globe, including across the Darktrace customer base in May 2025.

Exploiting these types of vulnerabilities remains a popular choice for threat actors seeking to enter an organization’s network to perform malicious activity such as cyber espionage, data exfiltration and ransomware detonation.

Vulnerabilities in Ivanti EPMM

Ivanti EPMM allows organizations to manage and configure enterprise mobile devices. On May 13, 2025, Ivanti published a security advisory [1] for their Ivanti Endpoint Manager Mobile (EPMM) devices addressing a medium and high severity vulnerability:

  • CVE-2025-4427, CVSS: 5.6: An authentication bypass vulnerability
  • CVE-2025-4428, CVSS: 7.2: Remote code execution vulnerability

Successfully exploiting both vulnerabilities at the same time could lead to unauthenticated remote code execution from an unauthenticated threat actor, which could allow them to control, manipulate, and compromise managed devices on a network [2].

Shortly after the disclosure of these vulnerabilities, external researchers uncovered evidence that they were being actively exploited in the wild and identified multiple indicators of compromise (IoCs) related to post-exploitation activities for these vulnerabilities [2] [3]. Research drew particular attention to the infrastructure utilized in ongoing exploitation activity, such as leveraging the two vulnerabilities to eventually deliver malware contained within ELF files from Amazon Web Services (AWS) S3 bucket endpoints and to deliver KrustyLoader malware for persistence. KrustyLoader is a Rust based malware that was discovered being downloaded in compromised Ivanti Connect Secure systems back in January 2024 when the zero-day critical vulnerabilities; CVE-2024-21887 and CVE-2023-46805 [10].

This suggests the involvement of the threat actor UNC5221, a suspected China-nexus espionage actor [3].

In addition to exploring the post-exploit tactics, techniques, and procedures (TTPs) observed for these vulnerabilities across Darktrace’s customer base, this blog will also examine the subtle changes and similarities in the exploitation of earlier Ivanti vulnerabilities—specifically Ivanti Connect Secure (CS) and Policy Secure (PS) vulnerabilities CVE-2023-46805 and CVE-2024-21887 in early 2024, as well as CVE-2025-0282 and CVE-2025-0283, which affected CS, PS, and Zero Trust Access (ZTA) in January 2025.

Darktrace Coverage

In May 2025, shortly after Ivanti disclosed vulnerabilities in their EPMM product, Darktrace’s Threat Research team identified attack patterns potentially linked to the exploitation of these vulnerabilities across multiple customer environments. The most noteworthy attack chain activity observed included exploit validation, payload delivery via AWS S3 bucket endpoints, subsequent delivery of script-based payloads, and connections to dpaste[.]com, possibly for dynamic payload retrieval. In a limited number of cases, connections were also made to an IP address associated with infrastructure linked to SAP NetWeaver vulnerability CVE-2025-31324, which has been investigated by Darktrace in an earlier case.

Exploit Validation

Darktrace observed devices within multiple customer environments making connections related to Out-of-Band Application Security Testing (OAST). These included a range of DNS requests and connections, most of which featured a user agent associated with the command-line tool cURL, directed toward associated endpoints. The hostnames of these endpoints consisted of a string of randomly generated characters followed by an OAST domain, such as 'oast[.]live', 'oast[.]pro', 'oast[.]fun', 'oast[.]site', 'oast[.]online', or 'oast[.]me'. OAST endpoints can be leveraged by malicious actors to trigger callbacks from targeted systems, such as for exploit validation. This activity, likely representing the initial phase of the attack chain observed across multiple environments, was also seen in the early stages of previous investigations into the exploitation of Ivanti vulnerabilities [4]. Darktrace also observed similar exploit validation activity during investigations conducted in January 2024 into the Ivanti CS vulnerabilities CVE-2023-46805 and CVE-2024-21887.

Payload Delivery via AWS

Devices across multiple customer environments were subsequently observed downloading malicious ELF files—often with randomly generated filenames such as 'NVGAoZDmEe'—from AWS S3 bucket endpoints like 's3[.]amazonaws[.]com'. These downloads occurred over HTTP connections, typically using wget or cURL user agents. Some of the ELF files were later identified to be KrustyLoader payloads using open-source intelligence (OSINT). External researchers have reported that the KrustyLoader malware is executed in cases of Ivanti EPMM exploitation to gain and maintain a foothold in target networks [2].

In one customer environment, after connections were made to the endpoint fconnect[.]s3[.]amazonaws[.]com, Darktrace observed the target system downloading the ELF file mnQDqysNrlg via the user agent Wget/1.14 (linux-gnu). Further investigation of the file’s SHA1 hash (1dec9191606f8fc86e4ae4fdf07f09822f8a94f2) linked it to the KrustyLoader malware [5]. In another customer environment, connections were instead made to tnegadge[.]s3[.]amazonaws[.]com using the same user agent, from which the ELF file “/dfuJ8t1uhG” was downloaded. This file was also linked to KrustyLoader through its SHA1 hash (c47abdb1651f9f6d96d34313872e68fb132f39f5) [6].

The pattern of activity observed so far closely mirrors previous exploits associated with the Ivanti vulnerabilities CVE-2023-46805 and CVE-2024-21887 [4]. As in those cases, Darktrace observed exploit validation using OAST domains and services, along with the use of AWS endpoints to deliver ELF file payloads. However, in this instance, the delivered payload was identified as KrustyLoader malware.

Later-stage script file payload delivery

In addition to the ELF file downloads, Darktrace also detected other file downloads across several customer environments, potentially representing the delivery of later-stage payloads.

The downloaded files included script files with the .sh extension, featuring randomly generated alphanumeric filenames. One such example is “4l4md4r.sh”, which was retrieved during a connection to the IP address 15.188.246[.]198 using a cURL-associated user agent. This IP address was also linked to infrastructure associated with the SAP NetWeaver remote code execution vulnerability CVE-2025-31324, which enables remote code execution on NetWeaver Visual Composer. External reporting has attributed this infrastructure to a China-nexus state actor [7][8][9].

In addition to the script file downloads, devices on some customer networks were also observed making connections to pastebin[.]com and dpaste[.]com, two sites commonly used to host or share malicious payloads or exploitation instructions [2]. Exploits, including those targeting Ivanti EPMM vulnerabilities, can dynamically fetch malicious commands from sites like dpaste[.]com, enabling threat actors to update payloads. Unlike the previously detailed activity, this behavior was not identified in any prior Darktrace investigations into Ivanti-related vulnerabilities, suggesting a potential shift in the tactics used in post-exploitation stages of Ivanti attacks.

Conclusion

Edge infrastructure vulnerabilities, such as those found in Ivanti EPMM and investigated across customer environments with Darktrace / NETWORK, have become a key tool in the arsenal of attackers in today’s threat landscape. As highlighted in this investigation, while many of the tactics employed by threat actors following successful exploitation of vulnerabilities remain the same, subtle shifts in their methods can also be seen.

These subtle and often overlooked changes enable threat actors to remain undetected within networks, highlighting the critical need for organizations to maintain continuous extended visibility, leverage anomaly based behavioral analysis, and deploy machine speed intervention across their environments.

Credit to Nahisha Nobregas (Senior Cyber Analyst) and Anna Gilbertson (Senior Cyber Analyst)

Appendices

Mid-High Confidence IoCs

(IoC – Type - Description)

-       trkbucket.s3.amazonaws[.]com – Hostname – C2 endpoint

-       trkbucket.s3.amazonaws[.]com/NVGAoZDmEe – URL – Payload

-       tnegadge.s3.amazonaws[.]com – Hostname – C2 endpoint

-       tnegadge.s3.amazonaws[.]com/dfuJ8t1uhG – URL – Payload

-       c47abdb1651f9f6d96d34313872e68fb132f39f5 - SHA1 File Hash – Payload

-       4abfaeadcd5ab5f2c3acfac6454d1176 - MD5 File Hash - Payload

-       fconnect.s3.amazonaws[.]com – Hostname – C2 endpoint

-       fconnect.s3.amazonaws[.]com/mnQDqysNrlg – URL - Payload

-       15.188.246[.]198 – IP address – C2 endpoint

-       15.188.246[.]198/4l4md4r.sh?grep – URL – Payload

-       185.193.125[.]65 – IP address – C2 endpoint

-       185.193.125[.]65/c4qDsztEW6/TIGHT_UNIVERSITY – URL – C2 endpoint

-       d8d6fe1a268374088fb6a5dc7e5cbb54 – MD5 File Hash – Payload

-       64.52.80[.]21 – IP address – C2 endpoint

-       0d8da2d1.digimg[.]store – Hostname – C2 endpoint

-       134.209.107[.]209 – IP address – C2 endpoint

Darktrace Model Detections

-       Compromise / High Priority Tunnelling to Bin Services (Enhanced Monitoring Model)

-       Compromise / Possible Tunnelling to Bin Services

-       Anomalous Server Activity / New User Agent from Internet Facing System

-       Compliance / Pastebin

-       Device / Internet Facing Device with High Priority Alert

-       Anomalous Connection / Callback on Web Facing Device

-       Anomalous File / Script from Rare External Location

-       Anomalous File / Incoming ELF File

-       Device / Suspicious Domain

-       Device / New User Agent

-       Anomalous Connection / Multiple Connections to New External TCP Port

-       Anomalous Connection / New User Agent to IP Without Hostname

-       Anomalous File / EXE from Rare External Location

-       Anomalous File / Internet Facing System File Download

-       Anomalous File / Multiple EXE from Rare External Locations

-       Compromise / Suspicious HTTP and Anomalous Activity

-       Device / Attack and Recon Tools

-       Device / Initial Attack Chain Activity

-       Device / Large Number of Model Alerts

-       Device / Large Number of Model Alerts from Critical Network Device

References

1.     https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US

2.     https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability

3.     https://www.wiz.io/blog/ivanti-epmm-rce-vulnerability-chain-cve-2025-4427-cve-2025-4428

4.     https://www.darktrace.com/blog/the-unknown-unknowns-post-exploitation-activities-of-ivanti-cs-ps-appliances

5.     https://www.virustotal.com/gui/file/ac91c2c777c9e8638ec1628a199e396907fbb7dcf9c430ca712ec64a6f1fcbc9/community

6.     https://www.virustotal.com/gui/file/f3e0147d359f217e2aa0a3060d166f12e68314da84a4ecb5cb205bd711c71998/community

7.     https://www.virustotal.com/gui/ip-address/15.188.246.198

8.     https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures

9.     https://www.darktrace.com/blog/tracking-cve-2025-31324-darktraces-detection-of-sap-netweaver-exploitation-before-and-after-disclosure

10.  https://www.synacktiv.com/en/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein.

Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content without notice.

Written by
Nahisha Nobregas
SOC Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Nahisha Nobregas
SOC Analyst

How Attackers Abuse the Chinese Nezha Monitoring Tool

Network
June 10, 2026
Nathaniel Bill
Malware Research Engineer
Watch the NIS2 Webinar
Trending blogs
1
Prompt Security in Enterprise AI: Strengths, Weaknesses, and Common Approaches
May 20, 2026
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Network
June 10, 2026

How Attackers Abuse the Chinese Nezha Monitoring Tool

This blog examines how attackers abuse the Chinese-developed Nezha monitoring tool, a legitimate open-source platform with remote access capabilities. Darktrace analysis of a honeypot intrusion highlights malicious deployment via containers, demonstrating how dual-use software enables stealthy operations, trust inversion, and detection challenges in dynamic cloud and enterprise environments modern.
Nathaniel Bill
Malware Research Engineer
Read more
Network
May 21, 2026

Darktrace named a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) For the Second Consecutive Year

Darktrace has been named a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) for the second consecutive year. We believe this reflects continued execution in NDR, ongoing AI innovation, and strong outcomes delivered for customers globally.
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Read more
Network
May 19, 2026

When Open Source Is Weaponized: Analysis of a Trojanized 7 Zip Installer

Attackers abused a trojanized 7‑Zip installer distributed via a typo‑squatted domain to establish proxyware infections worldwide. This blog analyzes how social engineering, trusted open‑source software, and stealthy command‑and‑control activity enabled widespread compromise, highlighting the importance of software validation, user awareness, and proactive network‑level detection.
Justin Torres
Cyber Analyst
Read more

Blog

/

/

June 12, 2026

Cybersecurity for the Sports Sector: The Threats Facing a Digitized Industry in 2026

Sports Stadium cybersecurityDefault blog imageDefault blog image

Securing sporting events in 2026

When you walk into a stadium on game day, you are entering a small smart city. Ticketing, turnstiles, payments, public Wi-Fi for tens of thousands of fans, CCTV, lighting, even the HVAC all run on connected systems. The experience for fans has become unmatched, but that dependency has created a much larger attack surface than people may realize.

Our latest threat research backs that up. In the past year, a survey that Darktrace commissioned found that 84% of respondents from professional sports organizations had at least one cyber incident, and 57% were hit more than once. For a sector that relies on the impact of the live moment, those numbers translate directly into operational risk.

Why sports is a target for cyber attacks

Sport is a highly visible target with fixed timelines, so attackers know exactly when disruption will have the most impact. It also holds valuable data, athlete medical records, contracts, sponsorship deals, which carry financial, reputational, and regulatory risk if exposed. At the same time, delivery depends on a wide set of third parties: ticketing providers, broadcasters, cloud services, stadium technology. Any of those connections can become an entry point. Put visibility, timing, data, and dependency together, and you get an environment where even a small foothold can turn into a visible, time-critical incident.

How attackers target email and identity

Email and identity remain the front door. From October 2025 through March 2026, Darktrace / EMAIL™ detected more than 116,000 phishing emails aimed at sports organizations across our customer base, and our sports customers received 19% more phishing emails than organizations in other sectors. The numbers tell the story:

BY THE NUMBERS

  • 21% of phishing emails were aimed at VIPs.
  • 37% used novel social engineering.
  • 84% of malicious emails passed DMARC authentication

A large proportion of these emails passed authentication checks, which means traditional security controls are no longer a reliable barrier. Attackers are not relying on spoofed domains – they're using legitimate infrastructure and trusted platforms. Behavior matters. Once an account is compromised, the behavior shifts quickly. Login patterns change, inbox rules are created to hide responses, and accounts start being used for internal discovery or further phishing. These aren’t high-noise events. They sit in normal workflows, which is why they’re often missed.

Ransomware tells a similar story. In one case inside a sports deployment, attackers had quietly been moving data to an outside server for a full two weeks before they triggered encryption. By the time the ransom note appeared, the outcome was already set. That sequence shows up consistently is access first, movement next, disruption last. If detection starts at encryption, it’s already too late.

Why AI is an emerging blind spot in sports

The increasing adoption of AI is expanding the potential attack surface. 72% of the security professionals we surveyed expect AI to increase their cyber risk over the next year, and yet 35% are already using or planning to use it in stadium operations, the most critical functions to protect. In addition to prompt injection and AI build risks, shadow AI is becoming a more immediate issue. Staff are already putting sensitive data—performance metrics, scouting reports, contracts, health data—into tools with little or no governance. The upside is clear, but so is the exposure—and it is happening before most organizations have any visibility or control. At the same time, attackers are using the same technology to scale phishing and social engineering. The net effect is simple: more exposure, at higher speed.

How can cybersecurity professionals prepare

Across high profile events, Darktrace’s experience shows that effective cyber defense includes preparation, real‑time visibility, and the ability to respond dynamically and decisively when timing, complexity, and public exposure converge.

There are a few strategic implications for cybersecurity teams:

  • Get behavioral visibility across IT and OT, not just corporate systems.
  • Treat identity as your control plane. Most attacks in this sector start with credentials, not malware. MFA with behavioral detection helps solve that challenge.
  • Control third party and AI access the same way you control your own environment.
  • Rehearse response for live conditions, where decisions happen in minutes. Detection and response need to account for non-ideal conditions when engineers are under pressure and time constrained. In sport, timing is what turns small issues into major incidents. The same activity that would be manageable midweek becomes critical during a live event.

Why 2026 raises the cybersecurity stakes for sports

With the 2026 World Cup about to stretch across three countries and dozens of host cities, the attack surface is wide and the schedule is unforgiving.

Geopolitical signaling is raising the threat profile further. Previous international sporting events have demonstrated that nation‑state actors use the cyber domain to signal intent, influence narratives, or retaliate symbolically. In the context of the 2026 World Cup, Russia’s continued exclusion from international sport, the ongoing conflict in Ukraine, US defensive support to Ukraine, and Iran’s likely participation in the tournament introduce additional motivations for state‑aligned and non‑traditional affiliated actors to operate below the threshold of armed conflict. This doesn’t require new techniques—just the right timing and visibility.

In practice, this comes down to preparation: knowing what normal looks like across IT and OT, controlling third-party access, and spotting when behavior shifts.

In sport, disruption does not build slowly—it happens in real time and in public. By that point, the groundwork has already been set, long before the whistle goes.

About this research

Findings are based on Darktrace threat-research telemetry across sports-sector customer deployments (Q4 2025–Q1 2026) and a survey of 875 IT cybersecurity professionals in the US, UK, Australia, and Germany, fielded by Opinion Matters between May 28 and June 3, 2026. Read the full report for complete methodology, incident analysis, and strategic recommendations.

[related-resource]

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

OT

/

June 12, 2026

Protecting Stadiums & Events with AI

Default blog imageDefault blog image

Stadium and large public venue operators are confronted with a unique set of cyber security challenges. Often described as a ‘honeypot’ for cyber-criminals, the sports and entertainment industry is an attractive target for threat actors for three main reasons:

  • Modern sports organizations process sensitive and highly valuable data at scale;
  • Sporting events are highly visible and time-critical, operating in front of live audiences with no room for error;
  • Sports organizations rely on sprawling vendor ecosystems and supply chains to deliver broadcast, commerce, fan engagement services, and more.

In a recent Darktrace-commissioned survey, 84% of professional sports organizations reported at least one cyber incident in the past year, and 57% were hit more than once [1]. The potential ramifications of cyber disruption during a large-scale sports event cannot be overstated. A momentary lapse in access to power could bring TV broadcasts to a halt; disruption to access controls could restrict fans from entering the grounds; CCTV outages could increase the risk of criminal behavior and physical injuries. If data is not reliable and stadium machines are outputting the wrong metrics, a venue could become dangerously overcrowded. The barrier between the cyber and physical worlds has long dissolved – cyber-attacks threaten human safety.

In this blog, I explore the key challenges of stadium cyber security and explain the unique capabilities of Self-Learning AI that led me to adopt Darktrace as a head of ICT and cyber security for international venues and events. Over my career I have helped secure football and rugby World Cups, World Athletics Championships and more than 500 events ,and the lessons from each have only sharpened my conviction in this approach.

The access paradox

The biggest challenge lies in the paradox of securing a site where various internal services are provided to a large number of unknown and unmanaged users, suppliers and devices. When it’s game time, or ‘D-Day’, you see a huge influx of thousands of people, each with their own devices, needing to connect to your network and your infrastructure. The floodgates are opened. But certain parts of your digital environment need to remain protected: your sensitive employee and customer data, your critical OT systems. I liken this to opening the door to your home, and letting the entire town come in and wander around. But you still need to secure your master bedroom.

A multitude of different actors must be able to work on-site to provide services or content during the event. Broadcasters, staff and suppliers need to have access to manage the show, and all these people need to access or interact with the IT infrastructure. In many ways, these additional bodies are already inside the perimeter and could host unknown malicious threats.

This year, the paradox is wider than ever. A tournament spread across hundreds of suppliers and vendors means the foothold an attacker needs may already belong to a trusted partner – a single compromised supplier can become the doorway to everything else. And the adversary is no longer working alone: generative AI now lets attackers probe and weaponize vulnerabilities across thousands of software dependencies at a speed no human team could match, turning the access paradox from a manageable risk into a fast-moving target.

Achieving this balance between accessibility and security requires a shift in mindset from perimeter-based security to one that can detect and respond to threats on the inside. The complexities involved requires technology that can identify malicious behavior in real time based on the wider context of an incident. A particular behavior or connection may be benign in one context and yet critically disruptive in another — tools and technology must be able to discern between the two.

This is why I considered Darktrace’s Self-Learning AI a suitable fit: rather than defending at the perimeter, it focuses on detecting and responding to malicious activity already inside. Because it learns the unique ‘patterns of life’ of its surroundings, it can detect subtle deviations that indicate a threat and initiate a targeted response – without relying on pre-programmed rules and playbooks.

IT/OT convergence

The second key challenge is the issue of IT and OT convergence. Typical stadiums and arenas consist of a wide range of Industrial Control Systems (ICS).

This involves a complex and messy array of switches, cables, CCTV cameras, as well as devices and technologies being brought in by the media and the press, and all these IT and OT components are now interconnected, which means these technologies now have Internet Protocol (IP)-based threats to manage. The same challenges that the corporate infrastructure for stadium management faces in cyber security are therefore also now an issue for ICS security.

This challenge cannot be addressed by viewing IT and OT security in isolation — these two environments are linked because of the analogue migration to IP. A unified approach is required to detect and respond to threats that start in IT before moving to industrial systems.

The stakes are physical. CCTV, Access Control, Public Annoucement system, lighting and the giant screens are all now running over IP, and a disruption to any of them can force a venue to halt play on safety grounds. Scale compounds the problem. At the Qatar 2022 World Cup, eight stadiums were purpose-built to a single technical standard, which made the digital environment relatively uniform to defend. The 2026 tournament is the opposite: dozens of host venues across three countries, each with its own operator, its own contractors and its own legacy systems.This creates a far more fragmented and unpredictable estate to secure.

In addition, cyber security technology must be able to deal with complexity. Darktrace’s AI thrives in the most complex environments, with more data points adding more context to inform the AI’s decision making. It covers OT and IT with a single, unified AI engine, that can also detect and respond across cloud infrastructure, SaaS applications, email systems and endpoints. It is ready to adapt to the messy, interconnected systems that make up large stadiums’ digital infrastructure.

The time factor

Finally, the nature of stadium events means that timing is critical and puts enormous pressure on the organizers and operators. ‘D-Day’ cannot be replayed or postponed, and so if cyber disruption occurs during the event, every minute is crucial. You cannot reschedule a World Cup final or move an opening ceremony; the date is fixed, the world is watching, and there is no second take.

There is consequently a strong emphasis on two key metrics

  • Mean Time To Know (MTTK) — how long it takes the security team need to be aware of an incident; and
  • Mean Time To Restore (MTTR) — how quickly a team can act to contain the threat.

It is perhaps more imperative in stadium event management than anywhere else that these two metrics be minimized.

This leads to the third criteria in assessing cyber security technology: does it help with response? And critically, can that response be nuanced and targeted, able to contain that threat without causing further disruption?

To this end, Darktrace’s Autonomous Response takes machine-speed action to contain cyber-attacks, when humans are too slow to react or aren’t around at all. It’s powered by Darktrace’s AI, so it has a nuanced and continuously updating understanding of what’s ‘normal’ across IT and OT systems. This means its response actions are targeted: designed to eliminate the threat, but not at the cost of disruption. Crucially, this enables responses that are surgical rather than blunt. For example, taking an entire server offline to stop a ransomware attack can cause more disruption than the attack itself, so the real value lies in neutralizing the malicious activity precisely — containing the threat without taking down the systems the event and business depends on.

Depending on the nature and severity of the threat, the technology can block specific malicious connections by enforcing the normal ‘pattern of life’ of a device or account. When every second counts, this is the speed and granularity that you need in a cybersecurity technology.

Darktrace can be deployed across every area of the digital enterprise, including network, email, cloud and SaaS environments with the same self-learning approach, stopping anomalous behaviors that point to account takeover and other cloud-based threats. Earlier this year, we announced that Darktrace is also extending its behavioral approach to help businesses deploy and scale AI securely by understanding how these AI systems and agents behave, interact with other systems and humans, and evolve over time. This is critical because 72% of cybersecurity professionals at sports organizations believe AI will increase their cyber risk over the next 12 months [2].

Wherever it is deployed, Darktrace allows the stadium operator to focus on the vital part of the game and offers real-time protection without any modification in the network topology or infrastructure.

An adaptive defense

Cyber-criminals are constantly developing their approach in an attempt to evade security tools trained to look for specific hallmarks of an attack. As they get creative and continuously experiment with new tactics and techniques, the human operators using these tools are forced into a constant state of catch up.

An AI-based approach that learns an organization and its normal behavior patterns from the ground up puts an end to this game of ‘cat and mouse’, shifting the balance in favor of the defenders and allowing them to stay ahead of the threat. This matters more than ever, because adversaries are now using AI to scale their attacks. If you do not have AI working to protect you against malicious AI, you are already at a disadvantage.

With a nuanced understanding of what’s ‘normal’ for the business, unified IT/OT coverage, and an Autonomous Response solution that takes immediate, surgical action, the playing field is leveled, and large stadium and events operators can focus on delivering the best possible experience for attendees, digital viewers, partners and performers.

[related-resource]

References:

[1] [2] Darktrace: Cybersecurity in Global Sport, June 2026. Findings based on survey of 875 IT cybersecurity professionals based in the US, UK, Australia and Germany, working in professional sports organizations (including clubs, societies & sporting bodies) employing 10+ people. The survey was fielded between May 28, 2026 and June 3, 2026 by independent market research agency, Opinion Matters.

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI