Blog
/
Network
/
January 31, 2024

How Darktrace Defeated SmokeLoader Malware

Read how Darktrace's AI identified and neutralized SmokeLoader malware. Gain insights into their proactive approach to cybersecurity.
Written by
Patrick Anjos
Senior Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Patrick Anjos
Senior Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
31
Jan 2024

What is Loader Malware?

Loader malware is a type of malicious software designed primarily to infiltrate a system and then download and execute additional malicious payloads.

In recent years, loader malware has emerged as a significant threat for organizations worldwide. This trend is expected to continue given the widespread availability of many loader strains within the Malware-as-a-Service (MaaS) marketplace. The MaaS marketplace contains a wide variety of innovative strains which are both affordable, with toolkits ranging from USD 400 to USD 1,650 [1], and continuously improving, aiming to avoid traditional detection mechanisms.

SmokeLoader is one such example of a MaaS strain that has been observed in the wild since 2011 and continues to pose a significant threat to organizations and their security teams.

How does SmokeLoader Malware work?

SmokeLoader’s ability to drop an array of different malware strains onto infected systems, from backdoors, ransomware, cryptominers, password stealers, point-of-sale malware and banking trojans, means its a highly versatile loader that has remained consistently popular among threat actors.

In addition to its versatility, it also exhibits advanced evasion strategies that make it difficult for traditional security solutions to detect and remove, and it is easily distributed via methods like spam emails or malicious file downloads.

Between July and August 2023, Darktrace observed an increasing trend in SmokeLoader compromises across its customer base. The anomaly-based threat detection capabilities of Darktrace, coupled with the autonomous response technology, identified and contained the SmokeLoader infections in their initial stages, preventing attackers from causing further disruption by deploying other malicious software or ransomware.

SmokeLoader Malware Attack Details

PROPagate Injection Technique

SmokeLoader utilizes the PROPagate code injection technique, a less common method that inserts malicious code into existing processes in order to appear legitimate and bypass traditional signature-based security measures [2] [3]. In the case of SmokeLoader, this technique exploits the Windows SetWindowsSubclass function, which is typically used to add or change the behavior of Windows Operation System. By manipulating this function, SmokeLoader can inject its code into other running processes, such as the Internet Explorer. This not only helps to disguise  the malware's activity but also allows attackers to leverage the permissions and capabilities of the infected process.

Obfuscation Methods

SmokeLoader is known to employ several obfuscation techniques to evade the detection and analysis of security teams. The techniques include scrambling portable executable files, encrypting its malicious code, obfuscating API functions and packing, and are intended to make the malware’s code appear harmless or unremarkable to antivirus software. This allows attackers to slip past defenses and execute their malicious activities while remaining undetected.

Infection Vector and Communication

SmokeLoader typically spreads via phishing emails that employ social engineering tactics to convince users to unknowingly download malicious payloads and execute the malware. Once installed on target networks, SmokeLoader acts as a backdoor, allowing attackers to control infected systems and download further malicious payloads from command-and-control (C2) servers. SmokeLoader uses fast flux, a DNS technique utilized by botets whereby IP addresses associated with C2 domains are rapidly changed, making it difficult to trace the source of the attack. This technique also boosts the resilience of attack, as taking down one or two malicious IP addresses will not significantly impact the botnet's operation.

Continuous Evolution

As with many MaaS strains, SmokeLoader is continuously evolving, with its developers regularly adding new features and techniques to increase its effectiveness and evasiveness. This includes new obfuscation methods, injection techniques, and communication protocols. This constant evolution makes SmokeLoader a significant threat and underscores the importance of advanced threat detection and response capabilities solution.

Darktrace’s Coverage of SmokeLoader Attack

Between July and August 2023, Darktrace detected one particular SmokeLoader infection at multiple stages of its kill chain on a customer network. This detection was made possible by Darktrace DETECT’s anomaly-based approach and Self-Learning AI that allows it to identify subtle deviations in device behavior.

One of the key components of this process is the classification of endpoint rarity and determining whether an endpoint is new or unusual for any given network. This classification is applied to various aspects of observed endpoints, such as domains, IP addresses, or hostnames within the network. It thereby plays a vital role in identifying SmokeLoader activity, such as the initial infection vector or C2 communication, which typically involve a device contacting a malicious endpoint associated with SmokeLoader.

The First Signs of Infection SmokeLoader Infection

Beginning in July 2023, Darktrace observed a surge in suspicious activities that were assessed with moderate to high confidence to be associated with SmokeLoader malware.

For example on July 30, a device was observed making a successful HTTPS request to humman[.]art, a domain that had never been seen on the network, and therefore classified as 100% rare by DETECT. During this connection, the device in question received a total of 6.0 KiB of data from the unusual endpoint. Open-source intelligence (OSINT) sources reported with high confidence that this domain was associated with the SmokeLoader C2 botnet.

The device was then detected making an HTTP request to another 100% rare external IP, namely 85.208.139[.]35, using a new user agent. This request contained the URI ‘/DefenUpdate.exe’, suggesting a possible download of an executable (.exe) file. This was corroborated by the total amount of data received in this connection, 4.3 MB. Both the file name and its size suggest that the offending device may have downloaded additional malicious tooling from the SmokeLoader C2 endpoint, such as a trojan or information stealer, as reported on OSINT platforms [4].

Figure 1: Device event log showing the moment when a device made its first connection to a SmokeLoader associated domain, and the use of a new user agent. A few seconds later, the DETECT model “Anomalous Connection / New User Agent to IP Without Hostname” breached.

The observed new user agent, “Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko” was identified as suspicious by Darktrace leading to the “Anomalous Connection / New User Agent to IP Without Hostname” DETECT model breach.

As this specific user agent was associated with the Internet Explorer browser running on Windows 10, it may not have appeared suspicious to traditional security tools. However, Darktrace’s anomaly-based detection allows it to identify and mitigate emerging threats, even those that utilize sophisticated evasion techniques.

This is particularly noteworthy in this case because, as discussed earlier, SmokeLoader is known to inject its malicious code into legitimate processes, like Internet Explorer.

Figure 2: Darktrace detecting the affected device leveraging a new user agent and establishing an anomalous HTTP connection with an external IP, which was 100% rare to the network.

C2 Communication

Darktrace continued to observe the device making repeated connections to the humman[.]art endpoint. Over the next few days. On August 7, the device was observed making unusual POST requests to the endpoint using port 80, breaching the ‘Anomalous Connection / Multiple HTTP POSTs to Rare Hostname’ DETECT model. These observed POST requests were observed over a period of around 10 days and consisted of a pattern of 8 requests, each with a ten-minute interval.

Figure 3: Model Breach Event Log highlighting the Darktrace DETECT model breach ‘Anomalous Connection / Multiple HTTP POSTs to Rare Hostname’.

Upon investigating the details of this activity identified by Darktrace DETECT, a particular pattern was observed in these requests: they used the same user-agent, “Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko”, which was previously detected in the initial breach.

Additionally, they the requests had a constantly changing  eferrer header, possibly using randomly generated domain names for each request. Further examination of the packet capture (PCAP) from these requests revealed that the payload in these POST requests contained an RC4 encrypted string, strongly indicating SmokeLoader C2 activity.

Figure4: Advanced Search results display an unusual pattern in the requests made by the device to the hostname humman[.]art. This pattern shows a constant change in the referrer header for each request, indicating anomalous behavior.
Figure 5: The PCAP shows the payload seen in these POST requests contained an RC4 encrypted string strongly indicating SmokeLoader C2 activity.  

Unfortunately in this case, Darktrace RESPOND was not active on the network meaning that the attack was able to progress through its kill chain. Despite this, the timely alerts and detailed incident insights provided by Darktrace DETECT allowed the customer’s security team to begin their remediation process, implementing blocks on their firewall, thus preventing the SmokeLoader malware from continuing its communication with C2 infrastructure.

Darktrace RESPOND Halting Potential Threats from the Initial Stages of Detection

With Darktrace RESPOND, organizations can move beyond threat detection to proactive defense against emerging threats. RESPOND is designed to halt threats as soon as they are identified by DETECT, preventing them from escalating into full-blown compromises. This is achieved through advanced machine learning and Self-Learning AI that is able to understand  the normal ‘pattern of life’ of customer networks, allowing for swift and accurate threat detection and response.

One pertinent example was seen on July 6, when Darktrace detected a separate SmokeLoader case on a customer network with RESPOND enabled in autonomous response mode. Darktrace DETECT initially identified a string of anomalous activity associated with the download of suspicious executable files, triggering the ‘Anomalous File / Multiple EXE from Rare External Locations’ model to breach.

The device was observed downloading an executable file (‘6523.exe’ and ‘/g.exe’) via HTTP over port 80. These downloads originated from endpoints that had never been seen within the customer’s environment, namely ‘hugersi[.]com’ and ‘45.66.230[.]164’, both of which had strongly been linked to SmokeLoader by OSINT sources, likely indicating the initial infection stage of the attack [5].

Figure 6: This figure illustrates Darktrace DETECT observing a device downloading multiple .exe files from rare endpoints and the associated model breach, ‘Anomalous File / Multiple EXE from Rare External Locations’.

Around the same time, Darktrace also observed the same device downloading an unusual file with a numeric file name. Threat actors often employ this tactic in order to avoid using file name patterns that could easily be recognized and blocked by traditional security measures; by frequently changing file names, malicious executables are more likely to remain undetected.

Figure 7: Graph showing the unusually high number of executable files downloaded by the device during the initial infection stage of the attack. The orange and red circles represent the number of model breaches that the device made during the observed activity related to SmokeLoader infection.
Figure 8: This figure illustrates the moment when Darktrace DETECT identified a suspicious download with a numeric file name.

With Darktrace RESPOND active and enabled in autonomous response mode, the SmokeLoader infection was thwarted in the first instance. RESPOND took swift autonomous action by blocking connections to the suspicious endpoints identified by DETECT, blocking all outgoing traffic, and enforcing a pre-established “pattern of life” on offending devices. By enforcing a patten of life on a device, Darktrace RESPOND ensures that it cannot deviate from its ‘normal’ activity to carry out potentially malicious activity, while allowing the device to continue expected business operations.

Figure 9:  A total of 8 RESPOND actions were applied, including blocking connections to suspicious endpoints and domains associated with SmokeLoader.

In addition to the autonomous mitigative actions taken by RESPOND, this customer also received a Proactive Threat Notification (PTN) informing them of potentially malicious activity on their network. This prompted the Darktrace Security Operations Center (SOC) to investigate and document the incident, allowing the customer’s security team to shift their focus to remediating and removing the threat of SmokeLoader.

Conclusion

Ultimately, Darktrace showcased its ability to detect and contain versatile and evasive strains of loader malware, like SmokeLoader. Despite its adeptness at bypassing conventional security tools by frequently changing its C2 infrastructure, utilizing existing processes to infect malicious code, and obfuscating malicious file and domain names, Darktrace’s anomaly-based approach allowed it to recognize such activity as deviations from expected network behavior, regardless of their apparent legitimacy.

Considering SmokeLoader’s wide array of functions, including C2 communication that could be used to facilitate additional attacks like exfiltration, or even the deployment of information-stealers or ransomware, Darktrace proved to be crucial in safeguarding customer networks. By identifying and mitigating SmokeLoader at the earliest possible stage, Darktrace effectively prevented the compromises from escalating into more damaging and disruptive compromises.

With the threat of loader malware expected to continue growing alongside the boom of the MaaS industry, it is paramount for organizations to adopt proactive security solutions, like Darktrace DETECT+RESPOND, that are able to make intelligent decisions to identify and neutralize sophisticated attacks.

Credit to Patrick Anjos, Senior Cyber Analyst, Justin Torres, Cyber Analyst

Appendices

Darktrace DETECT Model Detections

- Anomalous Connection / New User Agent to IP Without Hostname

- Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

- Anomalous File / Multiple EXE from Rare External Locations

- Anomalous File / Numeric File Download

List of IOCs (IOC / Type / Description + Confidence)

- 85.208.139[.]35 / IP / SmokeLoader C2 Endpoint

- 185.174.137[.]109 / IP / SmokeLoader C2 Endpoint

- 45.66.230[.]164 / IP / SmokeLoader C2 Endpoint

- 91.215.85[.]147 / IP / SmokeLoader C2 Endpoint

- tolilolihul[.]net / Hostname / SmokeLoader C2 Endpoint

- bulimu55t[.]net / Hostname / SmokeLoader C2 Endpoint

- potunulit[.]org / Hostname / SmokeLoader C2 Endpoint

- hugersi[.]com / Hostname / SmokeLoader C2 Endpoint

- human[.]art / Hostname / SmokeLoader C2 Endpoint

- 371b0d5c867c2f33ae270faa14946c77f4b0953 / SHA1 / SmokeLoader Executable

References:

[1] https://bazaar.abuse.ch/sample/d7c395ab2b6ef69210221337ea292e204b0f73fef8840b6e64ab88595eda45b3/#intel

[2] https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

[3] https://www.darkreading.com/cyber-risk/breaking-down-the-propagate-code-injection-attack

[4] https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/

[5] https://therecord.media/surge-in-smokeloader-malware-attacks-targeting-ukrainian-financial-gov-orgs

MITRE ATT&CK Mapping

Model: Anomalous Connection / New User Agent to IP Without Hostname

ID: T1071.001

Sub technique: T1071

Tactic: COMMAND AND CONTROL

Technique Name: Web Protocols

Model: Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

ID: T1185

Sub technique: -

Tactic: COLLECTION

Technique Name: Man in the Browser

ID: T1071.001

Sub technique: T1071

Tactic: COMMAND AND CONTROL

Technique Name: Web Protocols

Model: Anomalous File / Multiple EXE from Rare External Locations

ID: T1189

Sub technique: -

Tactic: INITIAL ACCESS

Technique Name: Drive-by Compromise

ID: T1588.001

Sub technique: - T1588

Tactic: RESOURCE DEVELOPMENT

Technique Name: Malware

Model: Anomalous File / Numeric File Download

ID: T1189

Sub technique: -

Tactic: INITIAL ACCESS

Technique Name: Drive-by Compromise

ID: T1588.001

Sub technique: - T1588

Tactic: RESOURCE DEVELOPMENT

Technique Name: Malware

Written by
Patrick Anjos
Senior Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Patrick Anjos
Senior Cyber Analyst

Phantom Footprints: Tracking GhostSocks Malware

Network
March 26, 2026
Isabel Evans
Cyber Analyst
Watch the NIS2 Webinar
Trending blogs
1
Darktrace Recognized as the Only Visionary in the 2026 Gartner® Magic Quadrant™ for CPS Protection Platforms
Mar 20, 2026
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Network
April 2, 2026

How Chinese-Nexus Cyber Operations Have Evolved – And What It Means For Cyber Risk and Resilience 

Darktrace's latest threat research reveals how Chinese-nexus cyber operations have evolved from isolated intrusions into long-term strategic positioning, with attackers prioritizing persistent access to critical infrastructure and digital ecosystems to gain lasting operational and economic advantage.
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Read more
Network
March 26, 2026

Phantom Footprints: Tracking GhostSocks Malware

GhostSocks is an emerging threat turning compromised devices into residential proxy nodes to help attackers evade detection. Darktrace identifies its growing use alongside Lumma Stealer, highlighting the malware’s stealth, payload delivery, and persistence. AI-driven detection and Autonomous Response reveal the full attack lifecycle and underscore the need for proactive defense.
Isabel Evans
Cyber Analyst
Read more
Network
March 17, 2026

When Reality Diverges from the Playbook: Darktrace Identifies Encryption in a World Leaks Ransomware Attack

World Leaks, a rebrand of Hunters International, are known for their extortion-only attack model, abandoning the tactic of file encryption. However, contrary to these claims, Darktrace detected a World Leaks compromise where a ransomware payload was deployed, and customer data was encrypted.
Tiana Kelly
Senior Cyber Analyst & Team Lead
Read more

Blog

/

Network

/

April 2, 2026

How Chinese-Nexus Cyber Operations Have Evolved – And What It Means For Cyber Risk and Resilience 

Chinese-Nexus Cyber OperationsDefault blog imageDefault blog image

Cybersecurity has traditionally organized risk around incidents, breaches, campaigns, and threat groups. Those elements still matter—but if we fixate on individual incidents, we risk missing the shaping of the entire ecosystem. Nation‑state–aligned operators are increasingly using cyber operations to establish long-term strategic leverage, not just to execute isolated attacks or short‑term objectives.  

Our latest research, Crimson Echo, shifts the lens accordingly. Instead of dissecting campaigns, malware families, or actor labels as discrete events, the threat research team analyzed Chinese‑nexus activity as a continuum of behaviors over time. That broader view reveals how these operators position themselves within environments: quietly, patiently, and persistently—often preparing the ground long before any recognizable “incident” occurs.  

How Chinese-nexus cyber threats have changed over time

Chinese-nexus cyber activity has evolved in four phases over the past two decades. This ranges from early, high-volume operations in the 1990s and early 2000s to more structured, strategically-aligned activity in the 2010s, and now toward highly adaptive, identity-centric intrusions.  

Today’s phase is defined by scale, operational restraint, and persistence. Attackers are establishing access, evaluating its strategic value, and maintaining it over time. This reflects a broader shift: cyber operations are increasingly integrated into long-term economic and geopolitical strategies. Access to digital environments, specifically those tied to critical national infrastructure, supply chains, and advanced technology, has become a form of strategic leverage for the long-term.  

How Darktrace analysts took a behavioral approach to a complex problem

One of the challenges in analyzing nation-state cyber activity is attribution. Traditional approaches often rely on tracking specific threat groups, malware families, or infrastructure. But these change constantly, and in the case of Chinese-nexus operations, they often overlap.

Crimson Echo is the result of a retrospective analysis of three years of anomalous activity observed across the Darktrace fleet between July 2022 and September 2025. Using behavioral detection, threat hunting, open-source intelligence, and a structured attribution framework (the Darktrace Cybersecurity Attribution Framework), the team identified dozens of medium- to high-confidence cases and analyzed them for recurring operational patterns.  

This long-horizon, behavior-centric approach allows Darktrace to identify consistent patterns in how intrusions unfold, reinforcing that behavioral patterns that matter.  

What the data shows

Several clear trends emerged from the analysis:

  • Targeting is concentrated in strategically important sectors. Across the dataset, 88% of intrusions occurred in organizations classified as critical infrastructure, including transportation, critical manufacturing, telecommunications, government, healthcare, and Information Technology (IT) services.  
  • Strategically important Western economies are a primary focus. The US alone accounted for 22.5% of observed cases, and when combined with major European economies including Germany, Italy, Spain and the UK, over half of all intrusions (55%) were concentrated in these regions.  
  • Nearly 63% of intrusions of intrusions began with the exploitation of internet-facing systems, reinforcing the continued risk posed by externally exposed infrastructure.  

Two models of cyber operations

Across the dataset, Chinese-nexus activity followed two operational models.  

The first is best described as “smash and grab.” These are short-horizon intrusions optimized for speed. Attackers move quickly – often exfiltrating data within 48 hours – and prioritize scale over stealth. The median duration of these compromises is around 10 days. It’s clear they are willing to risk detection for short-term gain.  

The second is “low and slow.” These operations were less prevalent in the dataset, but potentially more consequential. Here, attackers prioritize persistence, establishing durable access through identity systems and legitimate administrative tools, so they can maintain access undetected for months or even years. In one notable case, the actor had fully compromised the environment and established persistence, only to resurface in the environment more than 600 days after. The operational pause underscores both the depth of the intrusion and the actor’s long‑term strategic intent. This suggests that cyber access is a strategic asset to preserve and leverage over time, and we observed these attacks most often inin sectors of the high strategic importance.  

It’s important to note that the same operational ecosystem can employ both models concurrently, selecting the appropriate model based on target value, urgency, intended access. The observation of a “smash and grab” model should not be solely interpreted as a failure of tradecraft, but instead an operational choice likely aligned with objectives. Where “low and slow” operations are optimized for patience, smash and grab is optimized for speed; both seemingly are deliberate operational choices, not necessarily indicators of capability.  

Rethinking cyber risk

For many organizations, cyber risk is still framed as a series of discrete events. Something happens, it is detected and contained, and the organization moves on. But persistent access, particularly in deeply interconnected environments that span cloud, identity-based SaaS and agentic systems, and complex supply chain networks, creates a major ongoing exposure risk. Even in the absence of disruption or data theft, that access can provide insight into operations, dependencies, and strategic decision-making. Cyber risk increasingly resembles long-term competitive intelligence.  

This has impact beyond the Security Operations Center. Organizations need to shift how they think about governance, visibility, and resilience, and treat cyber exposure as a structural business risk instead of an incident response challenge.  

What comes next

The goal of this research is to provide a clearer understanding of how these operations work, so defenders can recognize them earlier and respond more effectively. That includes shifting from tracking indicators to understanding behaviors, treating identity providers as critical infrastructure risks, expanding supplier oversight, investing in rapid containment capabilities, and more.  

Learn more about the findings of Darktrace’s latest research, Crimson Echo: Understanding Chinese-nexus Cyber Operations Through Behavioral Analysis, by downloading the full report and summaries for business leaders, CISOs, and SOC analysts here.  

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

Proactive Security

/

April 1, 2026

AI-powered security for a rapidly growing grocery enterprise

Default blog imageDefault blog image

Protecting a complex, fast-growing retail organization

For this multi-banner grocery holding organization, cybersecurity is considered an essential business enabler, protecting operations, growth, and customer trust. The organization’s lean IT team manages a highly distributed environment spanning corporate offices, 100+ stores, distribution centers and  thousands of endpoints, users, and third-party connections.

Mergers and acquisitions fueled rapid growth, but they also introduced escalating complexity that constrained visibility into users, endpoints, and security risks inherited across acquired environments.

Closing critical visibility gaps with limited resources

Enterprise-wide visibility is a top priority for the organization, says the  Vice President of Information Technology. “We needed insights beyond the perimeter into how users and devices were behaving across the organization.”

A security breach that occurred before the current IT leadership joined the company reinforced the urgency and elevated cybersecurity to an executive-level priority with a focus on protecting customer trust. The goal was to build a multi-layered security model that could deliver autonomous, enterprise-wide protection without adding headcount.

Managing cyber risk in M&A

Mergers and acquisitions are central to the grocery holding company’s growth strategy. But each transaction introduces new cyber risk, including inherited network architectures, inconsistent tooling, excessive privileges, and remnants of prior security incidents that were never fully remediated.

“Our M&A targets range from small chains with a single IT person and limited cyber tools to large chains with more developed IT teams, toolsets and instrumentation,” explains the VP of IT. “We needed a fast, repeatable, and reliable way to assess cyber risk before transactions closed.”

AI-driven security built for scale, speed, and resilience

Rather than layering additional point tools onto an already complex environment, the retailer adopted the Darktrace ActiveAI Security Platform™ in 2020 as part of a broader modernization effort to improve resilience, close visibility gaps, and establish a security foundation that could scale with growth.

“Darktrace’s AI-driven approach provided the ideal solution to these challenges,” shares the VP of IT. “It has empowered our organization to maintain a robust security strategy, ensuring the protection of our network and the smooth operation of our business.”

Enterprise-wide visibility into traffic  

By monitoring both north-south and east-west traffic and applying Self-Learning AI, Darktrace develops a dynamic understanding of how users and devices normally behave across locations, roles, and systems.

“Modeling normal behavior across the environment enables us to quickly spot behavior that doesn’t fit. Even subtle changes that could signal a threat but appear legitimate at first glance,” explains the VP of IT.

Real-time threat containment, 24/7

Adopting autonomous response has created operational breathing room for the security team, says the company’s Cybersecurity  Engineer.

“Early on, we enabled full Darktrace autonomous mode and we continue to do so today,” shares the IT Security Architect. “Allowing the technology to act first gives us the time we need to investigate incidents during business hours without putting the business at risk.”

Unified, actionable view of security ecosystem

The grocery retailer integrated Darktrace with its existing security ecosystem of firewalls, vulnerability management tools, and endpoint detection and response, and the VP of IT described the adoption process as “exceptionally smooth.”

The team can correlate enterprise-wide security data for a unified and actionable picture of all activity and risk. Using this “single pane of glass” approach, the retailer trains Level 1 and Level 2 operations staff to assist with investigations and user follow-ups, effectively extending the reach of the security function without expanding headcount.

From reactive defense to security at scale

With Darktrace delivering continuous visibility, autonomous containment, and integrated security workflows, the organization has strengthened its cybersecurity posture while improving operational efficiency. The result is a security model that not only reduces risk, but also supports growth, resilience, and informed decision-making at the business level.

Faster detection, faster resolution

With autonomous detection and response, the retailer can immediately contain risk while analysts investigate and validate activity. With this approach, the company can maintain continuous protection even outside business hours and reduce the chance of lateral spread across systems or locations.

Enterprise-grade protection with a lean team

From cloud environments to clients to SaaS collaboration tools, Darktrace provides holistic autonomous AI defense, processing petabytes of the organization’s network traffic and investigating millions of individual events that could be indicative of a wider incident.

Today, Darktrace autonomously conducts the majority of all investigations on behalf of the IT team, escalating only a tiny fraction for analyst review. The impact has been profound, freeing analysts from endless alerts and hours of triage so they can focus on more valuable, proactive, and gratifying work.

“From an operational perspective, Darktrace gives us time back,” says the Cybersecurity Engineer. More importantly, says the VP of IT, “it gives us peace of mind that we’re protected even if we’re not actively monitoring every alert.”

A strategic input for M&A decision-making

One of the most strategic outcomes has been the role of cybersecurity on M&A. 90 days prior to closing a transaction, the security team uses Darktrace alongside other tools to perform a cyber risk assessment of the potential acquisition. “Our approach with Darktrace has consistently identified gaps and exposed risks,” says the VP of IT, including:

  • Remnants of previous incidents that were never fully remediated
  • Network configurations with direct internet exposure
  • Excessive administrative privileges in Active Directory or on critical hosts

While security findings may not alter deal timelines, the VP of IT says they can have enormous business implications. “With early visibility into these risks, we can reduce exposure to inherited cyber threats, strengthen our position during negotiations, and establish clear remediation requirements.”

A security strategy built to evolve with the business

As the holding group expands its cloud footprint, it will extend Darktrace protections into Azure, applying the same AI-driven visibility and autonomous response to cloud workloads. The VP of IT says Darktrace's evolving capabilities will be instrumental in addressing the organization’s future cybersecurity needs and ability to adapt to the dynamic nature of cloud security.

“With Darktrace’s AI-driven approach, we have moved beyond reactive defense, establishing a resilient security foundation for confident expansion and modernization.”

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI