Blog
/
Network
/
January 31, 2024

How Darktrace Defeated SmokeLoader Malware

Read how Darktrace's AI identified and neutralized SmokeLoader malware. Gain insights into their proactive approach to cybersecurity.
Written by
Patrick Anjos
Senior Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Patrick Anjos
Senior Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
31
Jan 2024

What is Loader Malware?

Loader malware is a type of malicious software designed primarily to infiltrate a system and then download and execute additional malicious payloads.

In recent years, loader malware has emerged as a significant threat for organizations worldwide. This trend is expected to continue given the widespread availability of many loader strains within the Malware-as-a-Service (MaaS) marketplace. The MaaS marketplace contains a wide variety of innovative strains which are both affordable, with toolkits ranging from USD 400 to USD 1,650 [1], and continuously improving, aiming to avoid traditional detection mechanisms.

SmokeLoader is one such example of a MaaS strain that has been observed in the wild since 2011 and continues to pose a significant threat to organizations and their security teams.

How does SmokeLoader Malware work?

SmokeLoader’s ability to drop an array of different malware strains onto infected systems, from backdoors, ransomware, cryptominers, password stealers, point-of-sale malware and banking trojans, means its a highly versatile loader that has remained consistently popular among threat actors.

In addition to its versatility, it also exhibits advanced evasion strategies that make it difficult for traditional security solutions to detect and remove, and it is easily distributed via methods like spam emails or malicious file downloads.

Between July and August 2023, Darktrace observed an increasing trend in SmokeLoader compromises across its customer base. The anomaly-based threat detection capabilities of Darktrace, coupled with the autonomous response technology, identified and contained the SmokeLoader infections in their initial stages, preventing attackers from causing further disruption by deploying other malicious software or ransomware.

SmokeLoader Malware Attack Details

PROPagate Injection Technique

SmokeLoader utilizes the PROPagate code injection technique, a less common method that inserts malicious code into existing processes in order to appear legitimate and bypass traditional signature-based security measures [2] [3]. In the case of SmokeLoader, this technique exploits the Windows SetWindowsSubclass function, which is typically used to add or change the behavior of Windows Operation System. By manipulating this function, SmokeLoader can inject its code into other running processes, such as the Internet Explorer. This not only helps to disguise  the malware's activity but also allows attackers to leverage the permissions and capabilities of the infected process.

Obfuscation Methods

SmokeLoader is known to employ several obfuscation techniques to evade the detection and analysis of security teams. The techniques include scrambling portable executable files, encrypting its malicious code, obfuscating API functions and packing, and are intended to make the malware’s code appear harmless or unremarkable to antivirus software. This allows attackers to slip past defenses and execute their malicious activities while remaining undetected.

Infection Vector and Communication

SmokeLoader typically spreads via phishing emails that employ social engineering tactics to convince users to unknowingly download malicious payloads and execute the malware. Once installed on target networks, SmokeLoader acts as a backdoor, allowing attackers to control infected systems and download further malicious payloads from command-and-control (C2) servers. SmokeLoader uses fast flux, a DNS technique utilized by botets whereby IP addresses associated with C2 domains are rapidly changed, making it difficult to trace the source of the attack. This technique also boosts the resilience of attack, as taking down one or two malicious IP addresses will not significantly impact the botnet's operation.

Continuous Evolution

As with many MaaS strains, SmokeLoader is continuously evolving, with its developers regularly adding new features and techniques to increase its effectiveness and evasiveness. This includes new obfuscation methods, injection techniques, and communication protocols. This constant evolution makes SmokeLoader a significant threat and underscores the importance of advanced threat detection and response capabilities solution.

Darktrace’s Coverage of SmokeLoader Attack

Between July and August 2023, Darktrace detected one particular SmokeLoader infection at multiple stages of its kill chain on a customer network. This detection was made possible by Darktrace DETECT’s anomaly-based approach and Self-Learning AI that allows it to identify subtle deviations in device behavior.

One of the key components of this process is the classification of endpoint rarity and determining whether an endpoint is new or unusual for any given network. This classification is applied to various aspects of observed endpoints, such as domains, IP addresses, or hostnames within the network. It thereby plays a vital role in identifying SmokeLoader activity, such as the initial infection vector or C2 communication, which typically involve a device contacting a malicious endpoint associated with SmokeLoader.

The First Signs of Infection SmokeLoader Infection

Beginning in July 2023, Darktrace observed a surge in suspicious activities that were assessed with moderate to high confidence to be associated with SmokeLoader malware.

For example on July 30, a device was observed making a successful HTTPS request to humman[.]art, a domain that had never been seen on the network, and therefore classified as 100% rare by DETECT. During this connection, the device in question received a total of 6.0 KiB of data from the unusual endpoint. Open-source intelligence (OSINT) sources reported with high confidence that this domain was associated with the SmokeLoader C2 botnet.

The device was then detected making an HTTP request to another 100% rare external IP, namely 85.208.139[.]35, using a new user agent. This request contained the URI ‘/DefenUpdate.exe’, suggesting a possible download of an executable (.exe) file. This was corroborated by the total amount of data received in this connection, 4.3 MB. Both the file name and its size suggest that the offending device may have downloaded additional malicious tooling from the SmokeLoader C2 endpoint, such as a trojan or information stealer, as reported on OSINT platforms [4].

Figure 1: Device event log showing the moment when a device made its first connection to a SmokeLoader associated domain, and the use of a new user agent. A few seconds later, the DETECT model “Anomalous Connection / New User Agent to IP Without Hostname” breached.

The observed new user agent, “Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko” was identified as suspicious by Darktrace leading to the “Anomalous Connection / New User Agent to IP Without Hostname” DETECT model breach.

As this specific user agent was associated with the Internet Explorer browser running on Windows 10, it may not have appeared suspicious to traditional security tools. However, Darktrace’s anomaly-based detection allows it to identify and mitigate emerging threats, even those that utilize sophisticated evasion techniques.

This is particularly noteworthy in this case because, as discussed earlier, SmokeLoader is known to inject its malicious code into legitimate processes, like Internet Explorer.

Figure 2: Darktrace detecting the affected device leveraging a new user agent and establishing an anomalous HTTP connection with an external IP, which was 100% rare to the network.

C2 Communication

Darktrace continued to observe the device making repeated connections to the humman[.]art endpoint. Over the next few days. On August 7, the device was observed making unusual POST requests to the endpoint using port 80, breaching the ‘Anomalous Connection / Multiple HTTP POSTs to Rare Hostname’ DETECT model. These observed POST requests were observed over a period of around 10 days and consisted of a pattern of 8 requests, each with a ten-minute interval.

Figure 3: Model Breach Event Log highlighting the Darktrace DETECT model breach ‘Anomalous Connection / Multiple HTTP POSTs to Rare Hostname’.

Upon investigating the details of this activity identified by Darktrace DETECT, a particular pattern was observed in these requests: they used the same user-agent, “Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko”, which was previously detected in the initial breach.

Additionally, they the requests had a constantly changing  eferrer header, possibly using randomly generated domain names for each request. Further examination of the packet capture (PCAP) from these requests revealed that the payload in these POST requests contained an RC4 encrypted string, strongly indicating SmokeLoader C2 activity.

Figure4: Advanced Search results display an unusual pattern in the requests made by the device to the hostname humman[.]art. This pattern shows a constant change in the referrer header for each request, indicating anomalous behavior.
Figure 5: The PCAP shows the payload seen in these POST requests contained an RC4 encrypted string strongly indicating SmokeLoader C2 activity.  

Unfortunately in this case, Darktrace RESPOND was not active on the network meaning that the attack was able to progress through its kill chain. Despite this, the timely alerts and detailed incident insights provided by Darktrace DETECT allowed the customer’s security team to begin their remediation process, implementing blocks on their firewall, thus preventing the SmokeLoader malware from continuing its communication with C2 infrastructure.

Darktrace RESPOND Halting Potential Threats from the Initial Stages of Detection

With Darktrace RESPOND, organizations can move beyond threat detection to proactive defense against emerging threats. RESPOND is designed to halt threats as soon as they are identified by DETECT, preventing them from escalating into full-blown compromises. This is achieved through advanced machine learning and Self-Learning AI that is able to understand  the normal ‘pattern of life’ of customer networks, allowing for swift and accurate threat detection and response.

One pertinent example was seen on July 6, when Darktrace detected a separate SmokeLoader case on a customer network with RESPOND enabled in autonomous response mode. Darktrace DETECT initially identified a string of anomalous activity associated with the download of suspicious executable files, triggering the ‘Anomalous File / Multiple EXE from Rare External Locations’ model to breach.

The device was observed downloading an executable file (‘6523.exe’ and ‘/g.exe’) via HTTP over port 80. These downloads originated from endpoints that had never been seen within the customer’s environment, namely ‘hugersi[.]com’ and ‘45.66.230[.]164’, both of which had strongly been linked to SmokeLoader by OSINT sources, likely indicating the initial infection stage of the attack [5].

Figure 6: This figure illustrates Darktrace DETECT observing a device downloading multiple .exe files from rare endpoints and the associated model breach, ‘Anomalous File / Multiple EXE from Rare External Locations’.

Around the same time, Darktrace also observed the same device downloading an unusual file with a numeric file name. Threat actors often employ this tactic in order to avoid using file name patterns that could easily be recognized and blocked by traditional security measures; by frequently changing file names, malicious executables are more likely to remain undetected.

Figure 7: Graph showing the unusually high number of executable files downloaded by the device during the initial infection stage of the attack. The orange and red circles represent the number of model breaches that the device made during the observed activity related to SmokeLoader infection.
Figure 8: This figure illustrates the moment when Darktrace DETECT identified a suspicious download with a numeric file name.

With Darktrace RESPOND active and enabled in autonomous response mode, the SmokeLoader infection was thwarted in the first instance. RESPOND took swift autonomous action by blocking connections to the suspicious endpoints identified by DETECT, blocking all outgoing traffic, and enforcing a pre-established “pattern of life” on offending devices. By enforcing a patten of life on a device, Darktrace RESPOND ensures that it cannot deviate from its ‘normal’ activity to carry out potentially malicious activity, while allowing the device to continue expected business operations.

Figure 9:  A total of 8 RESPOND actions were applied, including blocking connections to suspicious endpoints and domains associated with SmokeLoader.

In addition to the autonomous mitigative actions taken by RESPOND, this customer also received a Proactive Threat Notification (PTN) informing them of potentially malicious activity on their network. This prompted the Darktrace Security Operations Center (SOC) to investigate and document the incident, allowing the customer’s security team to shift their focus to remediating and removing the threat of SmokeLoader.

Conclusion

Ultimately, Darktrace showcased its ability to detect and contain versatile and evasive strains of loader malware, like SmokeLoader. Despite its adeptness at bypassing conventional security tools by frequently changing its C2 infrastructure, utilizing existing processes to infect malicious code, and obfuscating malicious file and domain names, Darktrace’s anomaly-based approach allowed it to recognize such activity as deviations from expected network behavior, regardless of their apparent legitimacy.

Considering SmokeLoader’s wide array of functions, including C2 communication that could be used to facilitate additional attacks like exfiltration, or even the deployment of information-stealers or ransomware, Darktrace proved to be crucial in safeguarding customer networks. By identifying and mitigating SmokeLoader at the earliest possible stage, Darktrace effectively prevented the compromises from escalating into more damaging and disruptive compromises.

With the threat of loader malware expected to continue growing alongside the boom of the MaaS industry, it is paramount for organizations to adopt proactive security solutions, like Darktrace DETECT+RESPOND, that are able to make intelligent decisions to identify and neutralize sophisticated attacks.

Credit to Patrick Anjos, Senior Cyber Analyst, Justin Torres, Cyber Analyst

Appendices

Darktrace DETECT Model Detections

- Anomalous Connection / New User Agent to IP Without Hostname

- Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

- Anomalous File / Multiple EXE from Rare External Locations

- Anomalous File / Numeric File Download

List of IOCs (IOC / Type / Description + Confidence)

- 85.208.139[.]35 / IP / SmokeLoader C2 Endpoint

- 185.174.137[.]109 / IP / SmokeLoader C2 Endpoint

- 45.66.230[.]164 / IP / SmokeLoader C2 Endpoint

- 91.215.85[.]147 / IP / SmokeLoader C2 Endpoint

- tolilolihul[.]net / Hostname / SmokeLoader C2 Endpoint

- bulimu55t[.]net / Hostname / SmokeLoader C2 Endpoint

- potunulit[.]org / Hostname / SmokeLoader C2 Endpoint

- hugersi[.]com / Hostname / SmokeLoader C2 Endpoint

- human[.]art / Hostname / SmokeLoader C2 Endpoint

- 371b0d5c867c2f33ae270faa14946c77f4b0953 / SHA1 / SmokeLoader Executable

References:

[1] https://bazaar.abuse.ch/sample/d7c395ab2b6ef69210221337ea292e204b0f73fef8840b6e64ab88595eda45b3/#intel

[2] https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

[3] https://www.darkreading.com/cyber-risk/breaking-down-the-propagate-code-injection-attack

[4] https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/

[5] https://therecord.media/surge-in-smokeloader-malware-attacks-targeting-ukrainian-financial-gov-orgs

MITRE ATT&CK Mapping

Model: Anomalous Connection / New User Agent to IP Without Hostname

ID: T1071.001

Sub technique: T1071

Tactic: COMMAND AND CONTROL

Technique Name: Web Protocols

Model: Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

ID: T1185

Sub technique: -

Tactic: COLLECTION

Technique Name: Man in the Browser

ID: T1071.001

Sub technique: T1071

Tactic: COMMAND AND CONTROL

Technique Name: Web Protocols

Model: Anomalous File / Multiple EXE from Rare External Locations

ID: T1189

Sub technique: -

Tactic: INITIAL ACCESS

Technique Name: Drive-by Compromise

ID: T1588.001

Sub technique: - T1588

Tactic: RESOURCE DEVELOPMENT

Technique Name: Malware

Model: Anomalous File / Numeric File Download

ID: T1189

Sub technique: -

Tactic: INITIAL ACCESS

Technique Name: Drive-by Compromise

ID: T1588.001

Sub technique: - T1588

Tactic: RESOURCE DEVELOPMENT

Technique Name: Malware

Written by
Patrick Anjos
Senior Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Patrick Anjos
Senior Cyber Analyst

From Amazon to Louis Vuitton: How Darktrace Detects Black Friday Phishing Attacks

Email
November 27, 2025
Ryan Traill
Analyst Content Lead
Watch the NIS2 Webinar
Trending blogs
1
Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability
Jul 2, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Network
November 26, 2025

CastleLoader & CastleRAT: Behind TAG150’s Modular Malware Delivery System

TAG-150, a MaaS operator active since March 2025, uses CastleLoader and CastleRAT in multi-stage attacks. CastleLoader acts as a loader that retrieves and executes additional malware through deceptive domains and malicious GitHub repositories, while CastleRAT functions as a remote access trojan providing attackers with system control, command execution, and data theft capabilities. Darktrace detected and blocked early attack activity, leveraging Autonomous Response to prevent further compromise and protect enterprise networks.
Read more
Network
November 20, 2025

Xillen Stealer Updates to Version 5 to Evade AI Detection

Xillen Stealer v4/v5 introduces advanced features to evade AI detection, steal credentials, cryptocurrency, and sensitive data across browsers, password managers, and cloud environments. With polymorphic engines, container persistence, and behavioral mimicking, this Python-based malware highlights evolving threats and future AI integration in cybercrime campaigns.
Tara Gould
Threat Researcher
Read more
Network
November 12, 2025

Unmasking Vo1d: Inside Darktrace’s Botnet Detection

Earlier this year, Darktrace investigated the Vo1d malware campaign, tracing its activity from DGA-based DNS beaconing to major cloud infrastructure and ultimately to its C2 server communications. This blog explores how Darktrace detected Vo1d and presents a detailed timeline of Cyber AI Analyst’s investigation.
Christina Kreza
Cyber Analyst
Read more

Blog

/

Email

/

December 3, 2025

Darktrace Named as a Leader in 2025 Gartner® Magic Quadrant™ for Email Security Platforms

Default blog imageDefault blog image

Darktrace is proud to be named as a Leader in the Gartner® Magic Quadrant™ for Email Security Platforms (ESP). We believe this recognition reflects what our customers already know: our product is exceptional – and so is the way we deliver it.

In July 2025, Darktrace was named a Customers’ Choice in the Gartner® Peer Insights™ Voice of the Customer for Email Security, a distinction given to vendors who have scores that meet or exceed the market average for both axes (User Interest and Adoption, and Overall Experience). To us, both achievements are testament to the customer-first approach that has fueled our rapid growth. We feel this new distinction from Gartner validates the innovation, efficacy, and customer-centric delivery that set Darktrace apart.

A Gartner Magic Quadrant is a culmination of research in a specific market, giving you a wide-angle view of the relative positions of the market’s competitors. CIOs and CISOs can use this research to make informed decisions about which email security platform can best accomplish their goals. We encourage our customers to read the full report to get the complete picture.

This acknowledgement follows the recent recognition of Darktrace / NETWORK, also designated a Leader in the Gartner Magic Quadrant for Network Detection & Response and named the only Customers’ Choice in its category.

Why do we believe Darktrace is leading in the email security market?

Our relentless innovation which drives proven results  

At Darktrace we continue to push the frontier of email security, with industry-first AI-native detection and response capabilities that go beyond traditional SEG approaches. How do we do it?

  • With a proven approach that gets results. Darktrace’s unique business-centric anomaly detection catches advanced phishing, supply chain compromises, and BEC attacks – detecting them on average 13 days earlier than attack-centric solutions. That’s why 75% of our customers have removed their SEG and now rely on their native email security provider combined with Darktrace.
  • By offering comprehensive protection beyond the inbox. Darktrace / EMAIL goes further than traditional inbound filtering, delivering account and messaging protection, DLP, and DMARC capabilities, ensuring best-in-class security across inbound, outbound, and domain protection scenarios.  
  • Continuous innovation. We are ranked second highest in the Gartner Critical Capabilities research for core email security function, likely thanks to our product strategy and rapid pace of innovation. We’ve release major capabilities twice a year for nearly five years, including advanced AI models and expanded coverage for collaboration platforms.

We deliver exceptional customer experiences worldwide

Darktrace’s leadership isn’t just about excelling in technology, it’s about delivering an outstanding experience that customers value. Let’s dig into what makes our customers tick.

  • Proven loyalty from our base. Recognition from Gartner Peer Insights as a Customers’ Choice, combined with a 4.8-star rating (based on 340 reviews as of November 2025), demonstrates for us the trust of thousands of organizations worldwide, not just the analysts.  
  • Customer-first support. Darktrace goes beyond ticket-only models with dedicated account teams and award-winning service, backed by significant headcount growth in technical support and analytics roles over the past year.
  • Local expertise. With offices spanning continents, Darktrace is able to provide regional language support and tailored engagement from teams on the ground, ensuring personalized service and a human-first experience.

Darktrace enhances security stacks with a partner-first architecture

There are plenty of tools out there than encourage a siloed approach. Darktrace / EMAIL plays well with others, enhancing your native security provider and allowing you to slim down your stack. It’s designed to set you up for future growth, with:

  • A best-in-breed platform approach. Natively built on Self-Learning AI, Darktrace / EMAIL delivers deep integration with our / NETWORK, / IDENTITY, and / CLOUD products as part of a unified platforms – that enables and enhances comprehensive enterprise-wise security.
  • Optimized workflows. Darktrace integrates tightly with an extended ecosystem of security tools – including a strategic partnership with Microsoft enabling unified threat response and quarantine capabilities – bringing constant innovation to all of your SOC workflows.  
  • A channel-first strategy. Darktrace is making significant investments in partner-driven architectures, enabling integrated ecosystems that deliver maximum value and future-ready security for our customers.

Analyst recognized. Customer approved.  

Darktrace / EMAIL is not just another inbound email security tool; it’s an advanced email security platform trusted by thousands of users to protect them against advanced phishing, messaging, and account-level attacks.  

As a Leader, we believe we owe our positioning to our customers and partners for supporting our growth. In the upcoming years we will continue to innovate to serve the organizations who depend on Darktrace for threat protection.  

To learn more about Darktrace’s position as a Leader, view a complimentary copy of the Magic Quadrant report, register for the Darktrace Innovation Webinar on 9 December, 2025, or simply request a demo.

Gartner, Gartner® Magic Quadrant™ for Email Security Platforms, Max Taggett, Nikul Patel, 3 December 2025

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Darktrace.

[related-resource]

Continue reading
About the author
Carlos Gray
Senior Product Marketing Manager, Email

Blog

/

/

December 2, 2025

Protecting the Experience: How a global hospitality brand stays resilient with Darktrace

Default blog imageDefault blog image

For the Global Chief Technology Officer (CTO) of a leading experiential leisure provider, security is mission critical to protecting a business built on reputation, digital innovation, and guest experience. The company operates large-scale immersive venues across the UK and US, blending activity-driven hospitality with premium dining and vibrant spaces designed for hundreds of guests. With a lean, centrally managed IT team responsible for securing locations worldwide, the challenge is balancing robust cybersecurity with operational efficiency and customer experience.

Brand buzz attracts attention – and attacks

Mid-sized, fast-growing hospitality organizations face a unique risk profile. When systems go down in a venue, the impact is immediate: hundreds of disrupted guest experiences, lost revenue during peak hours, and potential long-term reputation damage. Each time the organization opened a new venue, the surge of marketing buzz attracted attention in local markets and waves of sophisticated cyberattacks, including:

Phishing campaigns leveraging brand momentum to lure employees into clicking on malicious links.

AI-enhanced impersonation using advanced techniques to create AI-generated video calls and deep-researched, contextualized emails  

Fake domains targeting leadership with AI-generated messages that contained insider context gleaned from public information.

“Our endpoint security and antivirus tools were powerless against these sophisticated AI-powered campaigns. We didn’t want to manage incidents anymore. We wanted to prevent them from ever happening.”  - Global CTO

Proactive, preventative security with Darktrace AI

The company’s cybersecurity vision was clear: “Proactive, preventative – that was our mandate,” said the CTO. With a lean and busy IT group, the business evaluated several security solutions using deep-dive workshops. Darktrace proved the best fit for supporting the organization’s proactive mindset, offering:

  • Autonomy without added headcount: Darktrace provided powerful AI-driven detection and autonomous response functions with minimal manual oversight required.
  • Modular adoption: The company could start with core email and network protection and expand into cloud and endpoint coverage, aligning spend with growth.
  • Partnership and responsiveness: “We wanted people we trust, respect, and know will show up when we need them. Darktrace did just that,” said the CTO.
  • Affordability at scale: Darktrace offered reasonable upfront costs plus predictable, sustainable economics as the company and IT infrastructure expanded.  

“The combination of AI capabilities, a scalable model, and a strong engagement team tipped the balance in Darktrace’s favor, and we have not been disappointed,” said the CTO.

Phased deployment builds trust

To minimize disruption to critical hospitality systems like global Point of Sales (POS) terminals and Audio-Visual (AV) infrastructure, deployment was phased:

  1. Observation and human-led response: Initially, Darktrace was deployed in detection-only mode. Alerts were manually reviewed.
  2. Incremental autonomous response: Darktrace Autonomous Response was enabled on select models, taking action on low-risk scenarios. Higher-risk subnets and devices remained under human control.
  3. Full autonomous coverage: With tuning and reinforcement, autonomous response was expanded across domains, trusted to take decisive action in real time. Analysts retained the ability to review and contextualize incidents.

“Darktrace managed the rollout through detailed, professional, and responsive project management – ensuring a smooth, successful adoption and creating a standardized cybersecurity playbook for future venue launches,” said the CTO.  

AI delivers the outcomes that matter  

Measurable efficiency replaces endless alerts

Darktrace autonomous response significantly decreased false alerts and noise. “If it’s quiet, we’re confident there isn’t a problem,” said the CTO. Within six months, Darktrace conducted 3,599 total investigations, detected and contained 320 incidents indicative of an attack, resolved 91% of those events autonomously, and escalated only 9% to human analysts. The efficiency gains were enormous, saving analysts 740 hours on investigations within a single month.  

Precision AI turns inbox chaos into calm

Darktrace Self-Learning AI modeled sender/recipient norms, content/linguistic baselines, and communication patterns unique to the organization’s launch cadence, resulting in:

  • Automated holds and neutralizations of anomalous executive-style messages
  • Rapid detection of novel templates and tone shifts that deviated from the organization’s lived email graph, even when indicators were not yet on any feed
  • Downstream reduction in help-desk escalations tied to suspicious email

Full visibility fuels real-time response

Darktrace gives IT direct visibility without extra licensing, and it surfaces ground truth across every venue, including:

  • Device geolocation and placement drift: Darktrace exposed devices and users operating outside approved zones, prompting new segmentation and access-control policies.
  • Guest Wi-Fi realities: Darktrace AI uncovered high-risk activity on guest networks, like crypto-mining and dark-web traffic, driving stricter VLAN separation and access hygiene.
  • Lateral-movement containment: Autonomous response fenced suspicious activity in real time, buying time for human investigation while keeping POS and AV systems unaffected.

Smarter endpoints for a smarter network

Endpoints once relied on static agents effective only against known signatures. Darktrace’s behavioral models now detect subtle anomalies at the endpoint process level that EDRs often miss, such as misuse of legitimate applications (commonly used in living-off-the-land attacks), unapproved application usage and policy violations. This increases the accuracy and fidelity of network-based investigations by adding endpoint process context alongside existing EDR alerts.

Autonomous response for continuous compliance

Across PCI, GDPR, and cross-border privacy obligations, Darktrace’s native evidencing is helping the team demonstrate control rather than merely assert it:

  • Asset and flow awareness: Knowing “what is where” and “who talks to what” underpins PCI scoping and data-flow diagrams.
  • Layered safeguards: Showing autonomous prevention, network segmentation, and rapid containment supports risk registers and control attestations.
  • Audit-ready artifacts: Investigations and autonomous actions produce artifacts that “tick the box” without additional tooling.  

Defining the next era of resilience with AI

With rapid global expansion underway, the company is using its cybersecurity playbook to streamline and secure future venue launches. In the near term, IT is focused on strengthening prevention, using Darktrace insights to guide new policy updates and infrastructure changes like imposing stricter guest-network posture and refining venue device baselines.

For tech leaders charting their path to proactive cyber defense, the CTO stresses success won’t come from sidestepping AI, but from turning it into a core capability.

“AI isn’t optional – it’s operational. The real risk to your business is trying to out-scale automated adversaries with human speed alone. When applied to the right use case, AI becomes a catalyst for efficiency, resilience, and business growth.” - Global CTO
Continue reading
About the author
The Darktrace Community
Your data. Our AI.
Elevate your network security with Darktrace AI