Blog
/
Network
/
November 27, 2023

Detecting PurpleFox Rootkit with Darktrace AI

The PurpleFox rootkit poses significant risks. Discover how Darktrace leveraged advanced techniques to combat this persistent cyber threat.
Written by
Piramol Krishnan
Cyber Security Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Piramol Krishnan
Cyber Security Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
27
Nov 2023

Versatile Malware: PurpleFox

As organizations and security teams across the world move to bolster their digital defenses against cyber threats, threats actors, in turn, are forced to adopt more sophisticated tactics, techniques and procedures (TTPs) to circumvent them. Rather than being static and predictable, malware strains are becoming increasingly versatile and therefore elusive to traditional security tools.

One such example is PurpleFox. First observed in 2018, PurpleFox is a combined fileless rootkit and backdoor trojan known to target Windows machines. PurpleFox is known for consistently adapting its functionalities over time, utilizing different infection vectors including known vulnerabilities (CVEs), fake Telegram installers, and phishing. It is also leveraged by other campaigns to deliver ransomware tools, spyware, and cryptocurrency mining malware. It is also widely known for using Microsoft Software Installer (MSI) files masquerading as other file types.

The Evolution of PurpleFox

The Original Strain

First reported in March 2018, PurpleFox was identified to be a trojan that drops itself onto Windows machines using an MSI installation package that alters registry values to replace a legitimate Windows system file [1]. The initial stage of infection relied on the third-party toolkit RIG Exploit Kit (EK). RIG EK is hosted on compromised or malicious websites and is dropped onto the unsuspecting system when they visit browse that site. The built-in Windows installer (MSIEXEC) is leveraged to run the installation package retrieved from the website. This, in turn, drops two files into the Windows directory – namely a malicious dynamic-link library (DLL) that acts as a loader, and the payload of the malware. After infection, PurpleFox is often used to retrieve and deploy other types of malware.  

Subsequent Variants

Since its initial discovery, PurpleFox has also been observed leveraging PowerShell to enable fileless infection and additional privilege escalation vulnerabilities to increase the likelihood of successful infection [2]. The PowerShell script had also been reported to be masquerading as a .jpg image file. PowerSploit modules are utilized to gain elevated privileges if the current user lacks administrator privileges. Once obtained, the script proceeds to retrieve and execute a malicious MSI package, also masquerading as an image file. As of 2020, PurpleFox no longer relied on the RIG EK for its delivery phase, instead spreading via the exploitation of the SMB protocol [3]. The malware would leverage the compromised systems as hosts for the PurpleFox payloads to facilitate its spread to other systems. This mode of infection can occur without any user action, akin to a worm.

The current iteration of PurpleFox reportedly uses brute-forcing of vulnerable services, such as SMB, to facilitate its spread over the network and escalate privileges. By scanning internet-facing Windows computers, PurpleFox exploits weak passwords for Windows user accounts through SMB, including administrative credentials to facilitate further privilege escalation.

Darktrace detection of PurpleFox

In July 2023, Darktrace observed an example of a PurpleFox infection on the network of a customer in the healthcare sector. This observation was a slightly different method of downloading the PurpleFox payload. An affected device was observed initiating a series of service control requests using DCE-RPC, instructing the device to make connections to a host of servers to download a malicious .PNG file, later confirmed to be the PurpleFox rootkit. The device was then observed carrying out worm-like activity to other external internet-facing servers, as well as scanning related subnets.

Darktrace DETECT™ was able to successfully identify and track this compromise across the cyber kill chain and ensure the customer was able to take swift remedial action to prevent the attack from escalating further.

While the customer in question did have Darktrace RESPOND™, it was configured in human confirmation mode, meaning any mitigative actions had to be manually applied by the customer’s security team. If RESPOND had been enabled in autonomous response mode at the time of the attack, it would have been able to take swift action against the compromise to contain it at the earliest instance.

Attack Overview

Figure 1: Timeline of PurpleFox malware kill chain.

Initial Scanning over SMB

On July 14, 2023, Darktrace detected the affected device scanning other internal devices on the customer’s network via port 445. The numerous connections were consistent with the aforementioned worm-like activity that has been reported from PurpleFox behavior as it appears to be targeting SMB services looking for open or vulnerable channels to exploit.

This initial scanning activity was detected by Darktrace DETECT, specifically through the model breach ‘Device / Suspicious SMB Scanning Activity’. Darktrace’s Cyber AI Analyst™ then launched an autonomous investigation into these internal connections and tied them into one larger-scale network reconnaissance incident, rather than a series of isolated connections.

Figure 2: Cyber AI Analyst technical details summarizing the initial scanning activity seen with the internal network scan over port 445.

As Darktrace RESPOND was configured in human confirmation mode, it was unable to autonomously block these internal connections. However, it did suggest blocking connections on port 445, which could have been manually applied by the customer’s security team.

Figure 3: The affected device’s Model Breach Event Log showing the initial scanning activity observed by Darktrace DETECT and the corresponding suggested RESPOND action.

Privilege Escalation

The device successfully logged in via NTLM with the credential, ‘administrator’. Darktrace recognized that the endpoint was external to the customer’s environment, indicating that the affected device was now being used to propagate the malware to other networks. Considering the lack of observed brute-force activity up to this point, the credentials for ‘administrator’ had likely been compromised prior to Darktrace’s deployment on the network, or outside of Darktrace’s purview via a phishing attack.

Exploitation

Darktrace then detected a series of service control requests over DCE-RPC using the credential ‘admin’ to make SVCCTL Create Service W Requests. A script was then observed where the controlled device is instructed to launch mshta.exe, a Windows-native binary designed to execute Microsoft HTML Application (HTA) files. This enables the execution of arbitrary script code, VBScript in this case.

Figure 4: PurpleFox remote service control activity captured by a Darktrace DETECT model breach.
Figure 5: The infected device’s Model Breach Event Log showing the anomalous service control activity being picked up by DETECT.

There are a few MSIEXEC flags to note:

  • /i : installs or configures a product
  • /Q : sets the user interface level. In this case, it is set to ‘No UI’, which is used for “quiet” execution, so no user interaction is required

Evidently, this was an attempt to evade detection by endpoint users as it is surreptitiously installed onto the system. This corresponds to the download of the rootkit that has previously been associated with PurpleFox. At this stage, the infected device continues to be leveraged as an attack device and scans SMB services over external endpoints. The device also appeared to attempt brute-forcing over NTLM using the same ‘administrator’ credential to these endpoints. This activity was identified by Darktrace DETECT which, if enabled in autonomous response mode would have instantly blocked similar outbound connections, thus preventing the spread of PurpleFox.

Figure 6: The infected device’s Model Breach Event Log showing the outbound activity corresponding to PurpleFox’s wormlike spread. This was caught by DETECT and the corresponding suggested RESPOND action.

Installation

On August 9, Darktrace observed the device making initial attempts to download a malicious .PNG file. This was a notable change in tactics from previously reported PurpleFox campaigns which had been observed utilizing .MOE files for their payloads [3]. The .MOE payloads are binary files that are more easily detected and blocked by traditional signatured-based security measures as they are not associated with known software. The ubiquity of .PNG files, especially on the web, make identifying and blacklisting the files significantly more difficult.

The first connection was made with the URI ‘/test.png’.  It was noted that the HTTP method here was HEAD, a method similar to GET requests except the server must not return a message-body in the response.

The metainformation contained in the HTTP headers in response to a HEAD request should be identical to the information sent in response to a GET request. This method is often used to test hypertext links for validity and recent modification. This is likely a way of checking if the server hosting the payload is still active. Avoiding connections that could possibly be detected by antivirus solutions can help keep this activity under-the-radar.

Figure 7: Packet Capture from an affected customer device showing the initial HTTP requests to the payload server.
Figure 8: Packet Capture showing the HTTP requests to download the payloads.

The server responds with a status code of 200 before the download begins. The HEAD request could be part of the attacker’s verification that the server is still running, and that the payload is available for download. The ‘/test.png’ HEAD request was sent twice, likely for double confirmation to begin the file transfer.

Figure 9: PCAP from the affected customer device showing the Windows Installer user-agent associated with the .PNG file download.

Subsequent analysis using a Packet Capture (PCAP) tool revealed that this connection used the Windows Installer user agent that has previously been associated with PurpleFox. The device then began to download a payload that was masquerading as a Microsoft Word document. The device was thus able to download the payload twice, from two separate endpoints.

By masquerading as a Microsoft Word file, the threat actor was likely attempting to evade the detection of the endpoint user and traditional security tools by passing off as an innocuous text document. Likewise, using a Windows Installer user agent would enable threat actors to bypass antivirus measures and disguise the malicious installation as legitimate download activity.  

Darktrace DETECT identified that these were masqueraded file downloads by correctly identifying the mismatch between the file extension and the true file type. Subsequently, AI Analyst was able to correctly identify the file type and deduced that this download was indicative of the device having been compromised.

In this case, the device attempted to download the payload from several different endpoints, many of which had low antivirus detection rates or open-source intelligence (OSINT) flags, highlighting the need to move beyond traditional signature-base detections.

Figure 10: Cyber AI Analyst technical details summarizing the downloads of the PurpleFox payload.
Figure 11 (a): The Model Breach generated by the masqueraded file transfer associated with the PurpleFox payload.
Figure 11 (b): The Model Breach generated by the masqueraded file transfer associated with the PurpleFox payload.

If Darktrace RESPOND was enabled in autonomous response mode at the time of the attack it would have acted by blocking connections to these suspicious endpoints, thus preventing the download of malicious files. However, as RESPOND was in human confirmation mode, RESPOND actions required manual application by the customer’s security team which unfortunately did not happen, as such the device was able to download the payloads.

Conclusion

The PurpleFox malware is a particularly dynamic strain known to continually evolve over time, utilizing a blend of old and new approaches to achieve its goals which is likely to muddy expectations on its behavior. By frequently employing new methods of attack, malicious actors are able to bypass traditional security tools that rely on signature-based detections and static lists of indicators of compromise (IoCs), necessitating a more sophisticated approach to threat detection.  

Darktrace DETECT’s Self-Learning AI enables it to confront adaptable and elusive threats like PurpleFox. By learning and understanding customer networks, it is able to discern normal network behavior and patterns of life, distinguishing expected activity from potential deviations. This anomaly-based approach to threat detection allows Darktrace to detect cyber threats as soon as they emerge.  

By combining DETECT with the autonomous response capabilities of RESPOND, Darktrace customers are able to effectively safeguard their digital environments and ensure that emerging threats can be identified and shut down at the earliest stage of the kill chain, regardless of the tactics employed by would-be attackers.

Credit to Piramol Krishnan, Cyber Analyst, Qing Hong Kwa, Senior Cyber Analyst & Deputy Team Lead, Singapore

Appendices

Darktrace Model Detections

  • Device / Increased External Connectivity
  • Device / Large Number of Connections to New Endpoints
  • Device / SMB Session Brute Force (Admin)
  • Compliance / External Windows Communications
  • Anomalous Connection / New or Uncommon Service Control
  • Compromise / Unusual SVCCTL Activity
  • Compromise / Rare Domain Pointing to Internal IP
  • Anomalous File / Masqueraded File Transfer

RESPOND Models

  • Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block
  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block
  • Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Client Block
  • Antigena / Network / External Threat / Antigena Suspicious File Block
  • Antigena / Network / External Threat / Antigena File then New Outbound Block

List of IoCs

IoC - Type - Description

/C558B828.Png - URI - URI for Purple Fox Rootkit [4]

5b1de649f2bc4eb08f1d83f7ea052de5b8fe141f - File Hash - SHA1 hash of C558B828.Png file (Malware payload)

190.4.210[.]242 - IP - Purple Fox C2 Servers

218.4.170[.]236 - IP - IP for download of .PNG file (Malware payload)

180.169.1[.]220 - IP - IP for download of .PNG file (Malware payload)

103.94.108[.]114:10837 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

221.199.171[.]174:16543 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

61.222.155[.]49:14098 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

178.128.103[.]246:17880 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

222.134.99[.]132:12539 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

164.90.152[.]252:18075 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

198.199.80[.]121:11490 - IP - IP from Service Control MSIEXEC script to download PNG file (Malware payload)

MITRE ATT&CK Mapping

Tactic - Technique

Reconnaissance - Active Scanning T1595, Active Scanning: Scanning IP Blocks T1595.001, Active Scanning: Vulnerability Scanning T1595.002

Resource Development - Obtain Capabilities: Malware T1588.001

Initial Access, Defense Evasion, Persistence, Privilege Escalation - Valid Accounts: Default Accounts T1078.001

Initial Access - Drive-by Compromise T1189

Defense Evasion - Masquerading T1036

Credential Access - Brute Force T1110

Discovery - Network Service Discovery T1046

Command and Control - Proxy: External Proxy T1090.002

References

  1. https://blog.360totalsecurity.com/en/purple-fox-trojan-burst-out-globally-and-infected-more-than-30000-users/
  2. https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
  3. https://www.akamai.com/blog/security/purple-fox-rootkit-now-propagates-as-a-worm
  4. https://www.foregenix.com/blog/an-overview-on-purple-fox
  5. https://www.trendmicro.com/en_sg/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html

Written by
Piramol Krishnan
Cyber Security Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Piramol Krishnan
Cyber Security Analyst

From Amazon to Louis Vuitton: How Darktrace Detects Black Friday Phishing Attacks

Email
November 27, 2025
Ryan Traill
Analyst Content Lead
Watch the NIS2 Webinar
Trending blogs
1
Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability
Jul 2, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Network
November 26, 2025

CastleLoader & CastleRAT: Behind TAG150’s Modular Malware Delivery System

TAG-150, a MaaS operator active since March 2025, uses CastleLoader and CastleRAT in multi-stage attacks. CastleLoader acts as a loader that retrieves and executes additional malware through deceptive domains and malicious GitHub repositories, while CastleRAT functions as a remote access trojan providing attackers with system control, command execution, and data theft capabilities. Darktrace detected and blocked early attack activity, leveraging Autonomous Response to prevent further compromise and protect enterprise networks.
Read more
Network
November 20, 2025

Xillen Stealer Updates to Version 5 to Evade AI Detection

Xillen Stealer v4/v5 introduces advanced features to evade AI detection, steal credentials, cryptocurrency, and sensitive data across browsers, password managers, and cloud environments. With polymorphic engines, container persistence, and behavioral mimicking, this Python-based malware highlights evolving threats and future AI integration in cybercrime campaigns.
Tara Gould
Threat Researcher
Read more
Network
November 12, 2025

Unmasking Vo1d: Inside Darktrace’s Botnet Detection

Earlier this year, Darktrace investigated the Vo1d malware campaign, tracing its activity from DGA-based DNS beaconing to major cloud infrastructure and ultimately to its C2 server communications. This blog explores how Darktrace detected Vo1d and presents a detailed timeline of Cyber AI Analyst’s investigation.
Christina Kreza
Cyber Analyst
Read more

Blog

/

Email

/

December 3, 2025

Darktrace Named as a Leader in 2025 Gartner® Magic Quadrant™ for Email Security Platforms

Default blog imageDefault blog image

Darktrace is proud to be named as a Leader in the Gartner® Magic Quadrant™ for Email Security Platforms (ESP). We believe this recognition reflects what our customers already know: our product is exceptional – and so is the way we deliver it.

In July 2025, Darktrace was named a Customers’ Choice in the Gartner® Peer Insights™ Voice of the Customer for Email Security, a distinction given to vendors who have scores that meet or exceed the market average for both axes (User Interest and Adoption, and Overall Experience). To us, both achievements are testament to the customer-first approach that has fueled our rapid growth. We feel this new distinction from Gartner validates the innovation, efficacy, and customer-centric delivery that set Darktrace apart.

A Gartner Magic Quadrant is a culmination of research in a specific market, giving you a wide-angle view of the relative positions of the market’s competitors. CIOs and CISOs can use this research to make informed decisions about which email security platform can best accomplish their goals. We encourage our customers to read the full report to get the complete picture.

This acknowledgement follows the recent recognition of Darktrace / NETWORK, also designated a Leader in the Gartner Magic Quadrant for Network Detection & Response and named the only Customers’ Choice in its category.

Why do we believe Darktrace is leading in the email security market?

Our relentless innovation which drives proven results  

At Darktrace we continue to push the frontier of email security, with industry-first AI-native detection and response capabilities that go beyond traditional SEG approaches. How do we do it?

  • With a proven approach that gets results. Darktrace’s unique business-centric anomaly detection catches advanced phishing, supply chain compromises, and BEC attacks – detecting them on average 13 days earlier than attack-centric solutions. That’s why 75% of our customers have removed their SEG and now rely on their native email security provider combined with Darktrace.
  • By offering comprehensive protection beyond the inbox. Darktrace / EMAIL goes further than traditional inbound filtering, delivering account and messaging protection, DLP, and DMARC capabilities, ensuring best-in-class security across inbound, outbound, and domain protection scenarios.  
  • Continuous innovation. We are ranked second highest in the Gartner Critical Capabilities research for core email security function, likely thanks to our product strategy and rapid pace of innovation. We’ve release major capabilities twice a year for nearly five years, including advanced AI models and expanded coverage for collaboration platforms.

We deliver exceptional customer experiences worldwide

Darktrace’s leadership isn’t just about excelling in technology, it’s about delivering an outstanding experience that customers value. Let’s dig into what makes our customers tick.

  • Proven loyalty from our base. Recognition from Gartner Peer Insights as a Customers’ Choice, combined with a 4.8-star rating (based on 340 reviews as of November 2025), demonstrates for us the trust of thousands of organizations worldwide, not just the analysts.  
  • Customer-first support. Darktrace goes beyond ticket-only models with dedicated account teams and award-winning service, backed by significant headcount growth in technical support and analytics roles over the past year.
  • Local expertise. With offices spanning continents, Darktrace is able to provide regional language support and tailored engagement from teams on the ground, ensuring personalized service and a human-first experience.

Darktrace enhances security stacks with a partner-first architecture

There are plenty of tools out there than encourage a siloed approach. Darktrace / EMAIL plays well with others, enhancing your native security provider and allowing you to slim down your stack. It’s designed to set you up for future growth, with:

  • A best-in-breed platform approach. Natively built on Self-Learning AI, Darktrace / EMAIL delivers deep integration with our / NETWORK, / IDENTITY, and / CLOUD products as part of a unified platforms – that enables and enhances comprehensive enterprise-wise security.
  • Optimized workflows. Darktrace integrates tightly with an extended ecosystem of security tools – including a strategic partnership with Microsoft enabling unified threat response and quarantine capabilities – bringing constant innovation to all of your SOC workflows.  
  • A channel-first strategy. Darktrace is making significant investments in partner-driven architectures, enabling integrated ecosystems that deliver maximum value and future-ready security for our customers.

Analyst recognized. Customer approved.  

Darktrace / EMAIL is not just another inbound email security tool; it’s an advanced email security platform trusted by thousands of users to protect them against advanced phishing, messaging, and account-level attacks.  

As a Leader, we believe we owe our positioning to our customers and partners for supporting our growth. In the upcoming years we will continue to innovate to serve the organizations who depend on Darktrace for threat protection.  

To learn more about Darktrace’s position as a Leader, view a complimentary copy of the Magic Quadrant report, register for the Darktrace Innovation Webinar on 9 December, 2025, or simply request a demo.

Gartner, Gartner® Magic Quadrant™ for Email Security Platforms, Max Taggett, Nikul Patel, 3 December 2025

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Darktrace.

[related-resource]

Continue reading
About the author
Carlos Gray
Senior Product Marketing Manager, Email

Blog

/

/

December 2, 2025

Protecting the Experience: How a global hospitality brand stays resilient with Darktrace

Default blog imageDefault blog image

For the Global Chief Technology Officer (CTO) of a leading experiential leisure provider, security is mission critical to protecting a business built on reputation, digital innovation, and guest experience. The company operates large-scale immersive venues across the UK and US, blending activity-driven hospitality with premium dining and vibrant spaces designed for hundreds of guests. With a lean, centrally managed IT team responsible for securing locations worldwide, the challenge is balancing robust cybersecurity with operational efficiency and customer experience.

Brand buzz attracts attention – and attacks

Mid-sized, fast-growing hospitality organizations face a unique risk profile. When systems go down in a venue, the impact is immediate: hundreds of disrupted guest experiences, lost revenue during peak hours, and potential long-term reputation damage. Each time the organization opened a new venue, the surge of marketing buzz attracted attention in local markets and waves of sophisticated cyberattacks, including:

Phishing campaigns leveraging brand momentum to lure employees into clicking on malicious links.

AI-enhanced impersonation using advanced techniques to create AI-generated video calls and deep-researched, contextualized emails  

Fake domains targeting leadership with AI-generated messages that contained insider context gleaned from public information.

“Our endpoint security and antivirus tools were powerless against these sophisticated AI-powered campaigns. We didn’t want to manage incidents anymore. We wanted to prevent them from ever happening.”  - Global CTO

Proactive, preventative security with Darktrace AI

The company’s cybersecurity vision was clear: “Proactive, preventative – that was our mandate,” said the CTO. With a lean and busy IT group, the business evaluated several security solutions using deep-dive workshops. Darktrace proved the best fit for supporting the organization’s proactive mindset, offering:

  • Autonomy without added headcount: Darktrace provided powerful AI-driven detection and autonomous response functions with minimal manual oversight required.
  • Modular adoption: The company could start with core email and network protection and expand into cloud and endpoint coverage, aligning spend with growth.
  • Partnership and responsiveness: “We wanted people we trust, respect, and know will show up when we need them. Darktrace did just that,” said the CTO.
  • Affordability at scale: Darktrace offered reasonable upfront costs plus predictable, sustainable economics as the company and IT infrastructure expanded.  

“The combination of AI capabilities, a scalable model, and a strong engagement team tipped the balance in Darktrace’s favor, and we have not been disappointed,” said the CTO.

Phased deployment builds trust

To minimize disruption to critical hospitality systems like global Point of Sales (POS) terminals and Audio-Visual (AV) infrastructure, deployment was phased:

  1. Observation and human-led response: Initially, Darktrace was deployed in detection-only mode. Alerts were manually reviewed.
  2. Incremental autonomous response: Darktrace Autonomous Response was enabled on select models, taking action on low-risk scenarios. Higher-risk subnets and devices remained under human control.
  3. Full autonomous coverage: With tuning and reinforcement, autonomous response was expanded across domains, trusted to take decisive action in real time. Analysts retained the ability to review and contextualize incidents.

“Darktrace managed the rollout through detailed, professional, and responsive project management – ensuring a smooth, successful adoption and creating a standardized cybersecurity playbook for future venue launches,” said the CTO.  

AI delivers the outcomes that matter  

Measurable efficiency replaces endless alerts

Darktrace autonomous response significantly decreased false alerts and noise. “If it’s quiet, we’re confident there isn’t a problem,” said the CTO. Within six months, Darktrace conducted 3,599 total investigations, detected and contained 320 incidents indicative of an attack, resolved 91% of those events autonomously, and escalated only 9% to human analysts. The efficiency gains were enormous, saving analysts 740 hours on investigations within a single month.  

Precision AI turns inbox chaos into calm

Darktrace Self-Learning AI modeled sender/recipient norms, content/linguistic baselines, and communication patterns unique to the organization’s launch cadence, resulting in:

  • Automated holds and neutralizations of anomalous executive-style messages
  • Rapid detection of novel templates and tone shifts that deviated from the organization’s lived email graph, even when indicators were not yet on any feed
  • Downstream reduction in help-desk escalations tied to suspicious email

Full visibility fuels real-time response

Darktrace gives IT direct visibility without extra licensing, and it surfaces ground truth across every venue, including:

  • Device geolocation and placement drift: Darktrace exposed devices and users operating outside approved zones, prompting new segmentation and access-control policies.
  • Guest Wi-Fi realities: Darktrace AI uncovered high-risk activity on guest networks, like crypto-mining and dark-web traffic, driving stricter VLAN separation and access hygiene.
  • Lateral-movement containment: Autonomous response fenced suspicious activity in real time, buying time for human investigation while keeping POS and AV systems unaffected.

Smarter endpoints for a smarter network

Endpoints once relied on static agents effective only against known signatures. Darktrace’s behavioral models now detect subtle anomalies at the endpoint process level that EDRs often miss, such as misuse of legitimate applications (commonly used in living-off-the-land attacks), unapproved application usage and policy violations. This increases the accuracy and fidelity of network-based investigations by adding endpoint process context alongside existing EDR alerts.

Autonomous response for continuous compliance

Across PCI, GDPR, and cross-border privacy obligations, Darktrace’s native evidencing is helping the team demonstrate control rather than merely assert it:

  • Asset and flow awareness: Knowing “what is where” and “who talks to what” underpins PCI scoping and data-flow diagrams.
  • Layered safeguards: Showing autonomous prevention, network segmentation, and rapid containment supports risk registers and control attestations.
  • Audit-ready artifacts: Investigations and autonomous actions produce artifacts that “tick the box” without additional tooling.  

Defining the next era of resilience with AI

With rapid global expansion underway, the company is using its cybersecurity playbook to streamline and secure future venue launches. In the near term, IT is focused on strengthening prevention, using Darktrace insights to guide new policy updates and infrastructure changes like imposing stricter guest-network posture and refining venue device baselines.

For tech leaders charting their path to proactive cyber defense, the CTO stresses success won’t come from sidestepping AI, but from turning it into a core capability.

“AI isn’t optional – it’s operational. The real risk to your business is trying to out-scale automated adversaries with human speed alone. When applied to the right use case, AI becomes a catalyst for efficiency, resilience, and business growth.” - Global CTO
Continue reading
About the author
The Darktrace Community
Your data. Our AI.
Elevate your network security with Darktrace AI