Blog
/
Network
/
February 6, 2025

Reimagining Your SOC: Unlocking a Proactive State of Security

Reimagining your SOC Part 3/3: This blog explores the challenges security professionals face in managing cyber risk, evaluates current market solutions, and outlines strategies for building a proactive security posture.
No items found.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
No items found.
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
06
Feb 2025

Part 1: How to Achieve Proactive Network Security

Part 2: Overcoming Alert Fatigue with AI-Led Investigations  

While the success of a SOC team is often measured through incident management effectiveness (E.g MTTD, MTTR), a true measure of maturity is the reduction of annual security incidents.

Organizations face an increasing number of alerts each year, yet the best SOC teams place focus on proactive operations which don’t reduce the threshold for what becomes an incident but targets the source risks that prevent them entirely.

Freeing up time to focus on cyber risk management is a challenge in and of itself, we cover this in the previous two blogs in this series (see above). However, when the time comes to manage risk, there are several challenges that are unique when compared to detection & response functions within cybersecurity.

Why do cyber risks matter?

While the volume of reported CVEs is increasing at an alarming rate[1], determining the criticality of each vulnerability is becoming increasingly challenging, especially when the likelihood and impact may be different for each organization. Yet vulnerabilities have stood as an important signpost in traditional security and mitigation strategies. Now, without clear prioritization, potentially severe risks may go unreported, leaving organizations exposed to significant threats.

Vulnerabilities also represent just one area of potential risks. Cyberattacks are no longer confined to a single technology type. They now traverse various platforms, including cloud services, email systems, and networks. As technology infrastructure continues to expand, so does the attack surface, making comprehensive visibility across all technology types essential for reducing risk and preventing multi-vector attacks.

However, achieving this visibility is increasingly difficult as infrastructure grows and the cyber risk market remains oversaturated. This visibility challenge extends beyond technology to include personnel and individual cyber hygiene which can still exacerbate broader cyberattacks whether malicious or not.

Organizations must adopt a holistic approach to preventative security. This includes improving visibility across all technology types, addressing human risks, and mobilizing swiftly against emerging security gaps.

“By 2026, 60% of cybersecurity functions will implement business-impact-focused risk assessment methods, aligning cybersecurity strategies with organizational objectives.” [2]

The costs of a fragmented approach

siloed preventative security measures or technologies
Figure 1: Organizations may have a combination of siloed preventative security measures or technologies in place

Unlike other security tools (like SIEM, NDR or SOAR) which contain an established set of capabilities, cyber risk reduction has not traditionally been defined by a single market, rather a variety of products and practices that each provide their own value and are overwhelming if too many are adopted. Just some examples include:

  • Threat and Vulnerability management: Leverages threat intelligence, CVEs and asset management; however, leaves teams with significant patching workflows, ignores business & human factors and is reliant on the speed of teams to keep up with each passing update.  
  • Continuous Controls Monitoring (CCM): Automatically audits the effectiveness of security controls based on industry frameworks but requires careful prioritization and human calculations to set-up effectively. Focuses solely on mobilization.
  • Breach and Attack Simulation (BAS): Automates security posture testing through mock scenarios but require previous prioritization and might not tell you how your specific technologies can be mitigated to reduce that risk.
  • Posture Management technologies: Siloed approaches across Cloud, SaaS, Data Security and even Gen AI that reactively assess misconfigurations and suggest improvements but with only industry frameworks to validate the importance of the risks.
  • Red teaming & Penetration testing: Required by several regulations including (GDPR, HIPPA, PCI, DSS), many organizations hire 'red teams' to perform real breaches in trusted conditions. Penetration tests reveal many flaws, but are not continuous, requiring third-party input and producing long to-do lists with input of broader business risk dependent on the cost of the service.
  • Third-party auditors: Organizations also use third-party auditors to identify assets with vulnerabilities, grade compliance, and recommend improvements. At best, these exercises become tick-box exercises for companies to stay in compliance with the responsibility still on the client to perform further discovery and actioning.

Many of these individual solutions on the market offer simple enhancement, or an automated version of an existing human security task. Ultimately, they lack an understanding of the most critical assets at your organization and are limited in scope, only working in a specific technology area or with the data you provide.

Even when these strategies are complete, implementation of the results require resources, coordination, and buy-in from IT, cybersecurity, and compliance departments. Given the nature of modern business structures, this can be labor and time intensive as responsibilities are shared by organizational segmentation spread across IT, governance, risk and compliance (GRC), and security teams.

Prioritize your true cyber risk with a CTEM approach

Organizations with robust security programs benefit from well-defined policies, standards, key risk indicators (KRIs), and operational metrics, making it easier to measure and report cyber risk accurately.

Implementing a framework like Gartner’s CTEM (Continuous Threat Exposure Management) can help governance by defining the most relevant risks to each organization and which specific solutions meet your improvement needs.

This five-step approach—scoping, discovery, prioritization, validation, and mobilization—encourages focused management cycles, better delegation of responsibilities and a firm emphasis on validating potential risks through technological methods like attack path modeling or breach and attack simulation to add credibility.

Implementing CTEM requires expertise and structure. This begins with an exposure management solution developed uniquely alongside a core threat detection and response offering, to provide visibility of an organization’s most critical risks, whilst linking directly to their incident-based workflows.

“By 2026, organizations prioritizing their security investments, based on a continuous threat exposure management program, will realize a two-third reduction in breaches.” [3]

Achieving a proactive security posture across the whole estate

Unlike conventional tools that focus on isolated risks, Darktrace / Proactive Exposure Management breaks down traditional barriers. Teams can define risk scopes with full, prioritized visibility of the critical risks between: IT/OT networks, email, Active Directory, cloud resources, operational groups, (or even the external attack surface by integrating with Darktrace / Attack Surface Management).

Our innovative, AI-led risk discovery provides a view that mirrors actual attacker methodologies. It does this through advanced algorithms that determine risk based on business importance, rather than traditional device-type prioritization. By implementing a sophisticated damage assessment methodology, security teams don’t just prioritize via severity but instead, the inherent impact, damage, weakness and external exposure of an asset or user.

These calculations also revolutionize vulnerability management by combining industry standard CVE measurements with that organization-specific context to ensure patch management efforts are efficient, rather than an endless list.

Darktrace also integrates MITRE ATT&CK framework mappings to connect all risks through attack path modeling. This offers validation to our AI’s scoring by presenting real world incident scenarios that could occur across your technologies, and the actionable mitigations to mobilize against them.

For those human choke points, security may also deploy targeted phishing engagements. These send real but harmless email ‘attacks’ to test employee susceptibility, strengthening your ability to identify weak points in your security posture, while informing broader governance strategies.

Combining risk with live detection and response

Together, each of these capabilities let teams take the best steps towards reducing risk and the volume of incidents they face. However, getting proactive also sharpens your ability to handle live threats if they occur.  

During real incidents Darktrace users can quickly evaluate the potential impact of affected assets, create their own risk detections based on internal policies, strengthen their autonomous response along critical attack paths, or even see the possible stage of the next attack.

By continually ingesting risk information into live triage workflows, security teams will develop a proactive-first mindset, prioritizing the assets and alerts that have the most impact to the business. This lets them utilize their resource in the most efficient way, freeing up even more time for risk management, mitigation and ensuring continuity for the business.

Whether your organization is laying the foundation for a cybersecurity program or enhancing an advanced one, Darktrace’s self-learning AI adapts to your needs:

  • Foundational stage: For organizations establishing visibility and automating detection and response.
  • Integrated stage: For teams expanding coverage across domains and consolidating tools for simplicity.
  • Proactive stage: For mature security programs enhancing posture with vulnerability management and risk prioritization.

The Darktrace ActiveAI Security Platform empowers security teams to adopt a preventative defense strategy by using Cyber AI Analyst and autonomous response to fuel quicker triage, incident handling and give time back for proactive efforts designed around business impact. The platform encapsulates the critical capabilities that help organizations be proactive and stay ahead of evolving threats.

darktrace proactive exposure management solution brief reduce risk cyber risk

Download the solution brief

Maximize security visibility and reduce risk:

  • Unify risk exposure across all technologies with AI-driven scoring for CVEs, human communications, and architectures.
  • Gain cost and ROI insights on CVE risks, breach costs, patch latency, and blind spots.
  • Strengthen employee awareness with targeted phishing simulations and training.
  • Align proactive and reactive security by assessing device compromises and prevention strategies.
  • Reduce risk with tailored guidance that delivers maximum impact with minimal effort.

Take control of your security posture today. Download here!

References

[1] https://nvd.nist.gov/vuln/search, Search all, Statistics, Total matches By Year 2023 against 2024

[2] https://www.gartner.com/en/documents/5598859

[3] https://www.gartner.com/en/articles/how-to-manage-cybersecurity-threats-not-episodes

No items found.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
No items found.

How a Compromised eScan Update Enabled Multi‑Stage Malware and Blockchain C2

Network
April 21, 2026
Joanna Ng
Associate Principal Analyst
Watch the NIS2 Webinar
Trending blogs
1
Darktrace Recognized as the Only Visionary in the 2026 Gartner® Magic Quadrant™ for CPS Protection Platforms
Mar 20, 2026
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Network
April 21, 2026

How a Compromised eScan Update Enabled Multi‑Stage Malware and Blockchain C2

A malicious eScan software update triggered a supply chain compromise that deployed multi‑stage malware and used blockchain‑based domains for resilient C2 communications. Darktrace identified rare, anomalous network activity across customer environments, helping organizations uncover the attack chain and strengthen defenses against increasingly sophisticated supply chain threats.
Joanna Ng
Associate Principal Analyst
Read more
Network
April 2, 2026

How Chinese-Nexus Cyber Operations Have Evolved – And What It Means For Cyber Risk and Resilience 

Darktrace's latest threat research reveals how Chinese-nexus cyber operations have evolved from isolated intrusions into long-term strategic positioning, with attackers prioritizing persistent access to critical infrastructure and digital ecosystems to gain lasting operational and economic advantage.
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Read more
Network
March 26, 2026

Phantom Footprints: Tracking GhostSocks Malware

GhostSocks is an emerging threat turning compromised devices into residential proxy nodes to help attackers evade detection. Darktrace identifies its growing use alongside Lumma Stealer, highlighting the malware’s stealth, payload delivery, and persistence. AI-driven detection and Autonomous Response reveal the full attack lifecycle and underscore the need for proactive defense.
Isabel Evans
Cyber Analyst
Read more

Blog

/

/

April 30, 2026

Mythos vs Ethos: Defending in an Era of AI‑Accelerated Vulnerability Discovery

mythos vulnerability discoveryDefault blog imageDefault blog image

Anthropic’s Mythos and what it means for security teams

Recent attention on systems such as Anthropic Mythos highlights a notable problem for defenders. Namely that disclosure’s role in coordinating defensive action is eroding.

As AI systems gain stronger reasoning and coding capability, their usefulness in analyzing complex software environments and identifying weaknesses naturally increases. What has changed is not attacker motivation, but the conditions under which defenders learn about and organize around risk. Vulnerability discovery and exploitation increasingly unfold in ways that turn disclosure into a retrospective signal rather than a reliable starting point for defense.

Faster discovery was inevitable and is already visible

The acceleration of vulnerability discovery was already observable across the ecosystem. Publicly disclosed vulnerabilities (CVEs) have grown at double-digit rates for the past two years, including a 32% increase in 2024 according to NIST, driven in part by AI even prior to Anthropic’s Mythos model. Most notably XBOW topped the HackerOne US bug bounty leaderboard, marking the first time an autonomous penetration tester had done so.  

The technical frontier for AI capabilities has been described elsewhere as jagged, and the implication is that Mythos is exceptional but not unique in this capability. While Mythos appears to make significant progress in complex vulnerability analysis, many other models are already able to find and exploit weaknesses to varying degrees.  

What matters here is not which model performs best, but the fact that vulnerability discovery is no longer a scarce or tightly bounded capability.

The consequence of this shift is not simply earlier discovery. It is a change in the defender-attacker race condition. Disclosure once acted as a rough synchronization point. While attackers sometimes had earlier knowledge, disclosure generally marked the moment when risk became visible and defensive action could be broadly coordinated. Increasingly, that coordination will no longer exist. Exploitation may be underway well before a CVE is published, if it is published at all.

Why patch velocity alone is not the answer

The instinctive response to this shift is to focus on patching faster, but treating patch velocity as the primary solution misunderstands the problem. Most organizations are already constrained in how quickly they can remediate vulnerabilities. Asset sprawl, operational risk, testing requirements, uptime commitments, and unclear ownership all limit response speed, even when vulnerabilities are well understood.

If discovery and exploitation now routinely precede disclosure, then patching cannot be the first line of defense. It becomes one necessary control applied within a timeline that has already shifted. This does not imply that organizations should patch less. It means that patching cannot serve as the organizing principle for defense.

Defense needs a more stable anchor

If disclosure no longer defines when defense begins, then defense needs a reference point that does not depend on knowing the vulnerability in advance.  

Every digital environment has a behavioral character. Systems authenticate, communicate, execute processes, and access resources in relatively consistent ways over time. These patterns are not static rules or signatures. They are learned behaviors that reflect how an organization operates.

When exploitation occurs, even via previously unknown vulnerabilities, those behavioral patterns change.

Attackers may use novel techniques, but they still need to gain access, create processes, move laterally, and will ultimately interact with systems in ways that diverge from what is expected. That deviation is observable regardless of whether the underlying weakness has been formally named.

In an environment where disclosure can no longer be relied on for timing or coordination, behavioral understanding is no longer an optional enhancement; it becomes the only consistently available defensive signal.

Detecting risk before disclosure

Darktrace’s threat research has consistently shown that malicious activity often becomes visible before public disclosure.

In multiple cases, including exploitation of Ivanti, SAP NetWeaver, and Trimble Cityworks, Darktrace detected anomalous behavior days or weeks ahead of CVE publication. These detections did not rely on signatures, threat intelligence feeds, or awareness of the vulnerability itself. They emerged because systems began behaving in ways that did not align with their established patterns.

This reflects a defensive approach grounded in ‘Ethos’, in contrast to the unbounded exploration represented by ‘Mythos’. Here, Mythos describes continuous vulnerability discovery at speed and scale. Ethos reflects an understanding of what is normal and expected within a specific environment, grounded in observed behavior.

Revisiting assume breach

These conditions reinforce a principle long embedded in Zero Trust thinking: assume breach.

If exploitation can occur before disclosure, patching vulnerabilities can no longer act as the organizing principle for defense. Instead, effective defense must focus on monitoring for misuse and constraining attacker activity once access is achieved. Behavioral monitoring allows organizations to identify early‑stage compromise and respond while uncertainty remains, rather than waiting for formal verification.

AI plays a critical role here, not by predicting every exploit, but by continuously learning what normal looks like within a specific environment and identifying meaningful deviation at machine speed. Identifying that deviation enables defenders to respond by constraining activity back towards normal patterns of behavior.

Not an arms race, but an asymmetry

AI is often framed as fueling an arms race between attackers and defenders. In practice, the more important dynamic is asymmetry.

Attackers operate broadly, scanning many environments for opportunities. Defenders operate deeply within their own systems, and it’s this business context which is so significant. Behavioral understanding gives defenders a durable advantage. Attackers may automate discovery, but they cannot easily reproduce what belonging looks like inside a particular organization.

A changed defensive model

AI‑accelerated vulnerability discovery does not mean defenders have lost. It does mean that disclosure‑driven, patch‑centric models no longer provide a sufficient foundation for resilience.

As vulnerability volumes grow and exploitation timelines compress, effective defense increasingly depends on continuous behavioral understanding, detection that does not rely on prior disclosure, and rapid containment to limit impact. In this model, CVEs confirm risk rather than define when defense begins.

The industry has already seen this approach work in practice. As AI continues to reshape both offense and defense, behavioral detection will move from being complementary to being essential.

Continue reading
About the author

Blog

/

Network

/

April 27, 2026

How a Compromised eScan Update Enabled Multi‑Stage Malware and Blockchain C2

multi-stage malwareDefault blog imageDefault blog image

The rise of supply chain attacks

In recent years, the abuse of trusted software has become increasingly common, with supply chain compromises emerging as one of the fastest growing vectors for cyber intrusions. As highlighted in Darktrace’s Annual Threat Report 2026, attackers and state-actors continue to find significant value in gaining access to networks through compromised trusted links, third-party tools, or legitimate software. In January 2026, a supply chain compromise affecting MicroWorld Technologies’ eScan antivirus product was reported, with malicious updates distributed to customers through the legitimate update infrastructure. This, in turn, resulted in a multi‑stage loader malware being deployed on compromised devices [1][2].

An overview of eScan exploitation

According to eScan’s official threat advisory, unauthorized access to a regional update server resulted in an “incorrect file placed in the update distribution path” [3]. Customers associated with the affected update servers who downloaded the update during a two-hour window on January 20 were impacted, with affected Windows devices subsequently have experiencing various errors related to update functions and notifications [3].

While eScan did not specify which regional update servers were affected by the malicious update, all impacted Darktrace customer environments were located in the Europe, Middle East, and Africa (EMEA) region.

External research reported that a malicious 32-bit executable file , “Reload.exe”, was first installed on affected devices, which then dropped the 64-bit downloader, “CONSCTLX.exe”. This downloader establishes persistence by creating scheduled tasks such as “CorelDefrag”, which are responsible for executing PowerShell scripts. Subsequently, it evades detection by tampering with the Windows HOSTS file and eScan registry to prevent future remote updates intended for remediation. Additional payloads are then downloaded from its command-and-control (C2) server [1].

Darktrace’s coverage of eScan exploitation

Initial Access and Blockchain as multi-distributed C2 Infrastructure

On January 20, the same day as the aforementioned two‑hour exploit window, Darktrace observed multiple devices across affected networks downloading .dlz package files from eScan update servers, followed by connections to an anomalous endpoint, vhs.delrosal[.]net, which belongs to the attackers’ C2 infrastructure.

The endpoint contained a self‑signed SSL certificate with the string “O=Internet Widgits Pty Ltd, ST=SomeState, C=AU”, a default placeholder commonly used in SSL/TLS certificates for testing and development environments, as well as in malicious C2 infrastructure [4].

Utilizing a multi‑distributed C2 infrastructure, the attackers also leveraged domains linked with the Solana open‑source blockchain for C2 purposes, namely “.sol”. These domains were human‑readable names that act as aliases for cryptocurrency wallet addresses. As browsers do not natively resolve .sol domains, the Solana Naming System (formerly known as Bonfida, an independent contributor within the Solana ecosystem) provides a proxy service, through endpoints such as sol-domain[.]org, to enable browser access.

Darktrace observed devices connecting to blackice.sol-domain[.]org, indicating that attackers were likely using this proxy to reach a .sol domain for C2 activity. Given this behavior, it is likely that the attackers leveraged .sol domains as a dead drop resolver, a C2 technique in which threat actors host information on a public and legitimate service, such as a blockchain. Additional proxy resolver endpoints, such as sns-resolver.bonfida.workers[.]dev, were also observed.

Solana transactions are transparent, allowing all activity to be viewed publicly. When Darktrace analysts examined the transactions associated with blackice[.]sol, they observed that the earliest records dated November 7, 2025, which coincides with the creation date of the known C2 endpoint vhs[.]delrosal[.]net as shown in WHOIS Lookup information [4][5].

WHOIS Look records of the C2 endpoint vhs[.]delrosal[.]net.
Figure 1: WHOIS Look records of the C2 endpoint vhs[.]delrosal[.]net.
Earliest observed transaction record for blackice[.]sol on public ledgers.
Figure 2: Earliest observed transaction record for blackice[.]sol on public ledgers.

Subsequent instructions found within the transactions contained strings such as “CNAME= vhs[.]delrosal[.]net”, indicating attempts to direct the device toward the malicious endpoint. A more recent transaction recorded on January 28 included strings such as “hxxps://96.9.125[.]243/i;code=302”, suggesting an effort to change C2 endpoints. Darktrace observed multiple alerts triggered for these endpoints across affected devices.

Similar blockchain‑related endpoints, such as “tumama.hns[.]to”, were also observed in C2 activities. The hns[.]to service allows web browsers to access websites registered on Handshake, a decentralized blockchain‑based framework designed to replace centralized authorities and domain registries for top‑level domains. This shift toward decentralized, blockchain‑based infrastructure likely reflects increased efforts by attackers to evade detection.

In outgoing connections to these malicious endpoints across affected networks, Darktrace / NETWORK recognized that the activity was 100% rare and anomalous for both the devices and the wider networks, likely indicative of malicious beaconing, regardless of the underlying trusted infrastructure. In addition to generating multiple model alerts to capture this malicious activity across affected networks, Darktrace’s Cyber AI Analyst was able to compile these separate events into broader incidents that summarized the entire attack chain, allowing customers’ security teams to investigate and remediate more efficiently. Moreover, in customer environments where Darktrace’s Autonomous Response capability was enabled, Darktrace took swift action to contain the attack by blocking beaconing connections to the malicious endpoints, even when those endpoints were associated with seemingly trustworthy services.

Conclusion

Attacks targeting trusted relationships continue to be a popular strategy among threat actors. Activities linked to trusted or widely deployed software are often unintentionally whitelisted by existing security solutions and gateways. Darktrace observed multiple devices becoming impacted within a very short period, likely because tools such as antivirus software are typically mass‑deployed across numerous endpoints. As a result, a single compromised delivery mechanism can greatly expand the attack surface.

Attackers are also becoming increasingly creative in developing resilient C2 infrastructure and exploiting legitimate services to evade detection. Defenders are therefore encouraged to closely monitor anomalous connections and file downloads. Darktrace’s ability to detect unusual activity amidst ever‑changing tactics and indicators of compromise (IoCs) helps organizations maintain a proactive and resilient defense posture against emerging threats.

Credit to Joanna Ng (Associate Principal Cybersecurity Analyst) and Min Kim (Associate Principal Cybersecurity Analyst) and Tara Gould (Malware Researcher Lead)

Edited by Ryan Traill (Content Manager)

Appendices

Darktrace Model Detections

  • Anomalous File::Zip or Gzip from Rare External Location
  • Anomalous Connection / Suspicious Self-Signed SSL
  • Anomalous Connection / Rare External SSL Self-Signed
  • Anomalous Connection / Suspicious Expired SSL
  • Anomalous Server Activity / Anomalous External Activity from Critical Network Device

List of Indicators of Compromise (IoCs)

  • vhs[.]delrosal[.]net – C2 server
  • tumama[.]hns[.]to – C2 server
  • blackice.sol-domain[.]org – C2 server
  • 96.9.125[.]243 – C2 Server

MITRE ATT&CK Mapping

  • T1071.001 - Command and Control: Web Protocols
  • T1588.001 - Resource Development
  • T1102.001 - Web Service: Dead Drop Resolver
  • T1195 – Supple Chain Compromise

References

[1] https://www.morphisec.com/blog/critical-escan-threat-bulletin/

[2] https://www.bleepingcomputer.com/news/security/escan-confirms-update-server-breached-to-push-malicious-update/

[3] hxxps://download1.mwti.net/documents/Advisory/eScan_Security_Advisory_2026[.]pdf

[4] https://www.virustotal.com/gui/domain/delrosal.net

[5] hxxps://explorer.solana[.]com/address/2wFAbYHNw4ewBHBJzmDgDhCXYoFjJnpbdmeWjZvevaVv

Continue reading
About the author
Joanna Ng
Associate Principal Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI