ブログ
/
Cloud
/
January 13, 2025

Agent vs. Agentless Cloud Security: Why Deployment Methods Matter

Cloud security solutions can be deployed with agentless or agent-based approaches or use a combination of methods. Organizations must weigh which method applies best to the assets and data the tool will protect.
Written by
Kellie Regan
Director, Product Marketing - Cloud Security
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Kellie Regan
Director, Product Marketing - Cloud Security
Default blog image
13
Jan 2025

The rapid adoption of cloud technologies has brought significant security challenges for organizations of all sizes. According to recent studies, over 70% of enterprises now operate in hybrid or multi-cloud environments, with 93% employing a multi-cloud strategy[1]. This complexity requires robust security tools, but opinions vary on the best deployment method—agent-based, agentless, or a combination of both.

Agent-based and agentless cloud security approaches offer distinct benefits and limitations, and organizations often make deployment choices based on their unique needs depending on the function of the specific assets covered, the types of data stored, and cloud architecture, such as hybrid or multi-cloud deployments.

For example, agentless solutions are increasingly favored for their ease of deployment and ability to provide broad visibility across dynamic cloud environments. These are especially useful for DevOps teams, with 64% of organizations citing faster deployment as a key reason for adopting agentless tools[2].

On the other hand, agent-based solutions remain the preferred choice for environments requiring deep monitoring and granular control, such as securing sensitive high-value workloads in industries like finance and healthcare. In fact, over 50% of enterprises with critical infrastructure report relying on agent-based solutions for their advanced protection capabilities[3].

As the debate continues, many organizations are turning to combined approaches, leveraging the strengths of both agent-based and agentless tools to address the full spectrum of their security needs for comprehensive coverage. Understanding the capabilities and limitations of these methods is critical to building an effective cloud security strategy that adapts to evolving threats and complex infrastructures.

Agent-based cloud security

Agent-based security solutions involve deploying software agents on each device or system that needs protection. Agent-based solutions are great choices when you need in-depth monitoring and protection capabilities. They are ideal for organizations that require deep security controls and real-time active response, particularly in hybrid and on-premises environments.

Key advantages include:

1. Real-time monitoring and protection: Agents detect and block threats like malware, ransomware, and anomalous behaviors in real time, providing ongoing protection and enforcing compliance by continuously monitoring workload activities.  Agents enable full control over workloads for active response such as blocking IP addresses, killing processes, disabling accounts, and isolating infected systems from the network, stopping lateral movement.

2. Deep visibility for hybrid environments: Agent-based approaches allow for full visibility across on-premises, hybrid, and multi-cloud environments by deploying agents on physical and virtual machines. Agents offer detailed insights into system behavior, including processes, files, memory, network connections, and more, detecting subtle anomalies that might indicate security threats. Host-based monitoring tracks vulnerabilities at the system and application level, including unpatched software, rogue processes, and unauthorized network activity.

3. Comprehensive coverage: Agents are very effective in hybrid environments (cloud and on-premises), as they can be installed on both physical and virtual machines.  Agents can function independently on each host device onto which they are installed, which is especially helpful for endpoints that may operate outside of constant network connectivity.

Challenges:

1. Resource-intensive: Agents can consume CPU, memory, and network resources, which may affect performance, especially in environments with large numbers of workloads or ephemeral resources.

2. Challenging in dynamic environments: Managing hundreds or thousands of agents in highly dynamic or ephemeral environments (e.g., containers, serverless functions) can be complex and labor-intensive.

3. Slower deployment: Requires agent installation on each workload or instance, which can be time-consuming, particularly in large or complex environments.  

Agentless cloud security

Agentless security does not require software agents to be installed on each device. Instead, it uses cloud infrastructure and APIs to perform security checks. Agentless solutions are highly scalable with minimal impact on performance, and ideal for cloud-native and highly dynamic environments like serverless and containerized. These solutions are great choices for your cloud-native and multi-cloud environments where rapid deployment, scalability, and minimal impact on performance are critical, but response actions can be handled through external tools or manual processes.

Key advantages include:

1. Scalability and ease of deployment: Because agentless security doesn’t require installation on each individual device, it is much easier to deploy and can quickly scale across a vast number of cloud assets. This approach is ideal for environments where resources are frequently created and destroyed (e.g., serverless, containerized workloads), as there is no need for agent installation or maintenance.

2. Reduced system overhead: Without the need to run local agents, agentless security minimizes the impact on system performance. This is crucial in high-performance environments.

3. Broad visibility: Agentless security connects via API to cloud service providers, offering near-instant visibility and threat detection. It provides a comprehensive view of your cloud environment, making it easier to manage and secure large and complex infrastructures.

Challenges

1. Infrastructure-level monitoring: Agentless solutions rely on cloud service provider logs and API calls, meaning that detection might not be as immediate as agent-based solutions. They collect configuration data and logs, focusing on infrastructure misconfigurations, identity risks, exposed resources, and network traffic, but lack visibility and access to detailed, system-level information such as running processes and host-level vulnerabilities.

2. Cloud-focused: Primarily for cloud environments, although some tools may integrate with on-premises systems through API-based data gathering. For organizations with hybrid cloud environments, this approach fragments visibility and security, leading to blind spots and increasing security risk.

3. Passive remediation: Typically provides alerts and recommendations, but lacks deep control over workloads, requiring manual intervention or orchestration tools (e.g., SOAR platforms) to execute responses. Some agentless tools trigger automated responses via cloud provider APIs (e.g., revoking permissions, adjusting security groups), but with limited scope.

Combined agent-based and agentless approaches

A combined approach leverages the strengths of both agent-based and agentless security for complete coverage. This hybrid strategy helps security teams achieve comprehensive coverage by:

  • Using agent-based solutions for deep, real-time protection and detailed monitoring of critical systems or sensitive workloads.
  • Employing agentless solutions for fast deployment, broader visibility, and easier scalability across all cloud assets, which is particularly useful in dynamic cloud environments where workloads frequently change.

The combined approach has distinct practical applications. For example, imagine a financial services company that deals with sensitive transactions. Its security team might use agent-based security for critical databases to ensure stringent protections are in place. Meanwhile, agentless solutions could be ideal for less critical, transient workloads in the cloud, where rapid scalability and minimal performance impact are priorities. With different data types and infrastructures, the combined approach is best.

Best of both worlds: The benefits of a combined approach

The combined approach not only maximizes security efficacy but also aligns with diverse operational needs. This means that all parts of the cloud environment are secured according to their risk profile and functional requirements. Agent-based deployment provides in-depth monitoring and active protection against threats, suitable for environments requiring tight security controls, such as financial services or healthcare data processing systems. Agentless deployment complements agents by offering broader visibility and easier scalability across diverse and dynamic cloud environments, ideal for rapidly changing cloud resources.

There are three major benefits from combining agent-based and agentless approaches.

1. Building a holistic security posture: By integrating both agent-based and agentless technologies, organizations can ensure that all parts of their cloud environments are covered—from persistent, high-risk endpoints to transient cloud resources. This comprehensive coverage is crucial for detecting and responding to threats promptly and effectively.

2. Reducing overhead while boosting scalability: Agentless systems require no software installation on each device, reducing overhead and eliminating the need to update and maintain agents on a large number of endpoints. This makes it easier to scale security as the organization grows or as the cloud environment changes.

3. Applying targeted protection where needed: Agent-based solutions can be deployed on selected assets that handle sensitive information or are critical to business operations, thus providing focused protection without incurring the costs and complexity of universal deployment.

Use cases for a combined approach

A combined approach gives security teams the flexibility to deploy agent-based and agentless solutions based on the specific security requirements of different assets and environments. As a result, organizations can optimize their security expenditures and operational efforts, allowing for greater adaptability in cloud security use cases.

Let’s take a look at how this could practically play out. In the combined approach, agent-based security can perform the following:

1. Deep monitoring and real-time protection:

  • Workload threat detection: Agent-based solutions monitor individual workloads for suspicious activity, such as unauthorized file changes or unusual resource usage, providing high granularity for detecting threats within critical cloud applications.
  • Behavioral analysis of applications: By deploying agents on virtual machines or containers, organizations can monitor behavior patterns and flag anomalies indicative of insider threats, lateral movement, or Advanced Persistent Threats (APTs).
  • Protecting high-sensitivity environments: Agents provide continuous monitoring and advanced threat protection for environments processing sensitive data, such as payment processing systems or healthcare records, leveraging capabilities like memory protection and file integrity monitoring.

2. Cloud asset protection:

  • Securing critical infrastructure: Agent-based deployments are ideal for assets like databases or storage systems that require real-time defense against exploits and ransomware.
  • Advanced packet inspection: For high-value assets, agents offer deep packet inspection and in-depth logging to detect stealthy attacks such as data exfiltration.
  • Customizable threat response: Agents allow for tailored security rules and automated responses at the workload level, such as shutting down compromised instances or quarantining infected files.

At the same time, agentless cloud security provides complementary benefits such as:

1. Broad visibility and compliance:

  • Asset discovery and management: Agentless systems can quickly scan the entire cloud environment to identify and inventory all assets, a crucial capability for maintaining compliance with regulations like GDPR or HIPAA, which require up-to-date records of data locations and usage.
  • Regulatory compliance auditing and configuration management: Quickly identify gaps in compliance frameworks like PCI DSS or SOC 2 by scanning configurations, permissions, and audit trails without installing agents. Using APIs to check configurations across cloud services ensures that all instances comply with organizational and regulatory standards, an essential aspect for maintaining security hygiene and compliance.
  • Shadow IT Detection: Detect and map unauthorized cloud services or assets that are spun up without security oversight, ensuring full inventory coverage.

2. Rapid environmental assessment:

  • Vulnerability assessment of new deployments: In environments where new code is frequently deployed, agentless security can quickly assess new instances, containers, or workloads in CI/CD pipelines for vulnerabilities and misconfigurations, enabling secure deployments at DevOps speed.
  • Misconfiguration alerts: Detect and alert on common cloud configuration issues, such as exposed storage buckets or overly permissive IAM roles, across cloud providers like AWS, Azure, and GCP.
  • Policy enforcement: Validate that new resources adhere to established security baselines and organizational policies, preventing security drift during rapid cloud scaling.

Combining agent-based and agentless approaches in cloud security not only maximizes the protective capabilities, but also offers flexibility, efficiency, and comprehensive coverage tailored to the diverse and evolving needs of modern cloud environments. This integrated strategy ensures that organizations can protect their assets more effectively while also adapting quickly to new threats and regulatory requirements.

Darktrace offers complementary and flexible deployment options for holistic cloud security

Powered by multilayered AI, Darktrace / CLOUD is a Cloud Detection and Response (CDR) solution that is agentless by default, with optional lightweight, host-based server agents for enhanced real-time actioning and deep inspection. As such, it can deploy in cloud environments in minutes and provide unified visibility and security across hybrid, multi-cloud environments.

With any deployment method, Darktrace supports multi-tenant, hybrid, and serverless cloud environments. Its Self-Learning AI learns the normal behavior across architectures, assets, and users to identify unusual activity that may indicate a threat. With this approach, Darktrace / CLOUD quickly disarms threats, whether they are known, unknown, or completely novel. It then accelerates the investigation process and responds to threats at machine speed.

Learn more about how Darktrace / CLOUD secures multi and hybrid cloud environments in the Solution Brief.

References:

1. Flexera 2023 State of the Cloud Report

2. ESG Research 2023 Report on Cloud-Native Security

3. Gartner, Market Guide for Cloud Workload Protection Platforms, 2023

執筆者
Kellie Regan
Director, Product Marketing - Cloud Security
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Kellie Regan
Director, Product Marketing - Cloud Security

中国系APTキャンペーン、アップデートされたFDMTPバックドアで企業を狙う

Network
May 14, 2026
Tara Gould
Malware Research Lead
Watch the NIS2 Webinar
よく読まれているブログ
1
ダークトレース、2026年度Gartner® CPS Protection Platforms部門のMagic Quadrant™ において唯一のVisionaryの評価を受ける
Mar 20, 2026
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
さらに読む
Cloud
March 4, 2026

Inside Cloud Compromise: Investigating Attacker Activity with Darktrace / Forensic Acquisition & Investigation

Darktrace / Forensic Acquisition & Investigation automates cloud forensic analysis, enabling rapid investigation of compromised servers via Cloudypots honeypot data. It reveals attacker activity, highlights key events, decodes malicious payloads, and identifies malware campaigns like perfctl, helping defenders accelerate triage and understand cloud-based intrusion techniques.
Nathaniel Bill
Malware Research Engineer
Read more
Cloud
January 14, 2026

React2Shell Reflections: Cloud Insights, Finance Sector Impacts, and How Threat Actors Moved So Quickly

This blog breaks down how attackers rapidly weaponized the React2Shell vulnerability, with a particular focus on cloud‑native financial environments. Drawing on Darktrace’s honeypot research, it explores emerging threat actor tooling, exploitation timelines, and why behavioral‑anomaly‑led security is critical in today’s cloud landscape.
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Read more
Cloud
January 13, 2026

クラウドセキュリティが本当に重要な場所はランタイム:検知、フォレンジック、リアルタイムアーキテクチャ認識の重要性

クラウドセキュリティはこれまで予防、ポスチャ管理、設定にかなりの重点が置かれてきました。しかし実際の攻撃はそこでは発生しません。 攻撃はランタイムにおいて、稼働中のワークロードやアイデンティティにわたって進行していきますが、そこでは可視性が限られており証拠が短時間で消滅します。 このブログではランタイムが保護すべき最もクリティカルなレイヤーである理由、動的なクラウドの挙動を攻撃者がどのように悪用しているか、なぜポスチャベースだけでは不十分かを紹介します。
Adam Stevens
Senior Director of Product, Cloud | Darktrace
Read more

Blog

/

AI

/

June 1, 2026

効率化が露出へ:AI導入が製造現場にもたらす見えない脆弱性

Default blog imageDefault blog image

AIエージェントが製造業に与える影響

製造業界のセキュリティチームやIT担当者は、生産を守り、稼働時間を維持し、重要資産を保護するという絶え間ないプレッシャー下にあります。そしてAIは非常に大きなチャンスとともに、新たなサイバーリスクももたらしています。製造業全体で、AIはワークフローや意思決定に組み込まれつつあり、自律型AIエージェントが従業員やシステムに代わって行動する場面が増えています。

エージェント型システムは独立して行動できるため強力ですが、その同じ自律性がサイバーリスク、運用上のリスクも生み出します。エージェントは広範な権限を持ち、複雑なタスクの実行、意思決定、ツールや外部システムとのやり取りを、ほとんどまたは全く人間の介入なしに行うことができます。

あらかじめ定義されたタスクを実行する従来のAIモデルとは異なり、AIエージェントは高度なテクニックを使用して人間の意思決定プロセスを模倣することにより、新たな課題に動的に適応し、また自らの判断に基づいて意思決定し、アクションを実行します。彼らは業務の上では従業員のように見えますが、人間が持つ判断力、倫理観、または行動の結果に対する恐れが欠けています。これは、サイバー犯罪者によって簡単に操られる可能性があることを意味しており、OTネットワーク全体に埋め込まれたAIエージェントは、データ漏洩をはるかに超える脅威を生み出します。たとえば、BMWでは、AI は溶接プロセスのエラーの発生を識別するのに使われています。同社のスパータンバーグ(米サウスカロライナ州)の工場では、すべてのSUVフレーム上の300-400個のスタッドの溶接をAIが監視し、スタッドの配置間違いや欠陥を検知し直ちに修正します。このAIシステムが破損すれば壊滅的な品質管理問題につながる恐れがあります。

製造全体にエージェント型AIシステムを導入することについて多くのセキュリティチームはさまざまな懸念を示しています。ダークトレースの行ったAIサイバーセキュリティの現状調査では、製造業のセキュリティプロフェッショナルの78%が従業員によるAIエージェントの利用に懸念を抱いており、これは彼らの最も大きな危惧でした。それに続く問題点が従業員によるCopilotやChatGPT等の生成AIツールの使用であり、製造業のセキュリティプロフェッショナルの76%が懸念を抱いていました。これらのツールがますます多くのビジネスデータやプロセスにアクセスし、組織内でより多くの自律性を持つようになるにつれ、エージェントのアクティビティがほとんど可視化されていない現在、セキュリティチームにおいては機密データの露出(60%)や偶発的なポリシーおよび規制違反(59%)への懸念が高まっています。

外部からのAIによる脅威も急激に進化

製造業を変革しているのと同じAIの能力が、サイバー攻撃の形も変貌させています。

AIにより攻撃者は偵察を自動化し、標的をより高度に絞り込み、リアルタイムで適応できるようになっています。かつては人手による作業と時間を要していたことが、今では継続的かつ大規模に実行できるようになりました。そして、製造業はすでにその影響を実感しています。当社が調査した製造業のセキュリティプロフェッショナルの76%は、すでにAIを活用した脅威の影響を受けており、90%がAIによってソーシャルエンジニアリング攻撃の成功率が高まっていると回答しています。

また、攻撃のテクニック自体も進化しています。製造業界全体で、AIを利用した攻撃の経路の多様化に対する懸念が高まっています。特にリアルタイムで進化する適応型マルウェアについて、調査対象の製造業のセキュリティプロフェッショナルの半数近く(49%)が懸念しており、これは全産業の平均よりも9%高い数値です。AIを使った適応型マルウェアに続くその他の懸念には次が含まれます:

  • 自動化された脆弱性スキャンとエクスプロイトチェイニング(48%):Anthropicの新しいMythos AIモデルにより脆弱性探索が深刻化する中で、この問題は一層差し迫ったものとなっています。
  • 超パーソナライズされたフィッシングキャンペーン(46%):フィッシングは依然としてハッカーの主力兵器の1つであり、AIによってフィッシングメールはより説得力が高く検知困難なものとなり、その効果は増幅されました。

これは単に攻撃の量の増加だけでなく、攻撃の展開につれて静的な防御が対応できるよりも速く進化する脅威への変化なのです。

こうした認識が高まっているにもかかわらず、製造業の多くはまだこの変化に対応する準備ができていません。半数以上(51%)がAI駆動の脅威への準備が十分にできていないと回答し、AIの導入を管理する正式なポリシーを持っている組織はわずか37%でした。  

可視性、コンテキスト、およびガードレールを通じてAIのセキュリティを確保

これらの問題に対処するためにAIイノベーションを遅らせる必要はありません。それには、AIと同じスピードと規模で動作できる、これまでとは異なるアプローチのセキュリティが必要です。具体的には、製造業がAIの力を活用する上で、次の3つの優先課題が浮上しています。

可視性はすべての土台  

AIがどこで使用されているか、何にアクセスできるか、そしてITおよびOT環境にわたってどのように動作するかを理解する必要があります。それがなければ、リスクを測定したり管理したりすることはできません。ダークトレースの調査において、製造業のセキュリティプロフェッショナルの91%が、AIを信頼する前に、それがどのように意思決定を行うかを理解する必要があると回答したのは当然のことです。OT環境においてこのことはさらに重要です。稼働の中断は安全や環境、財務、および評判に大きな影響を及ぼすからです。

可視性をアクションにつなげるにはコンテキストが必要  

AIによって形作られる環境において、正常とされる挙動は絶えず変化します。つまり、脅威を検知するにはビヘイビアベースのアプローチが必要なのです。組織全体で生活パターンを理解し、わずかな逸脱をリアルタイムに検知すること- これは従来のセキュリティとリスク管理に対するアプローチからの根本的な変化です。

エージェントからの露出を防ぐガードレール  

AIシステムがより大きな責任を担うようになるなかで、組織はAIが何をできるか、そしていつ独立して行動できるかについて、明確な境界を設ける必要があります。これらのコントロールは何かがあってから適用されるのではなく、システム自体に組み込んでおかなければなりません。  

製造業のITおよびOT環境におけるAIエージェントのセキュリティ

エージェント型AIの出現は製造業を変革し、次世代のオペレーションを支える一方で、脅威ランドスケープも一変させています。これは単なる脅威の増加ではなく、自律型システムへの移行、挙動の絶え間ない変化、そしてマシンスピードで進行するリスクです。AIを活用しつつリスクを管理するという課題に取り組む組織にとって、可視性、コンテキスト、ガードレールはセキュリティの基盤となります。

Darktraceはこの基盤を実現することにより、製造業の安全なAIアプローチ構築を支援します。ITおよびOT環境全体を可視化し、異常なアクティビティに対するリアルタイムの検知および対応を提供することにより、従業員が使用するプロンプトや構築するエージェントから、それらのエージェントの環境全体での動作に至るまで、AIアクティビティの理解を可能にします。これにより、AIの導入を拡大する製造業はコントロールを犠牲にすることなくイノベーションの基盤を構築することができます。

Continue reading
About the author
Oakley Cox
Director of Product

Blog

/

Proactive Security

/

June 1, 2026

Defend What You Trust: Stories from the Front Lines of Modern Cyber Defense

Default blog imageDefault blog image

Modern attacks don’t always announce themselves, follow obvious patterns, or rely on known malware. Often, they move quietly inside trusted systems, authenticated sessions, and everyday behavior.

They don’t break in. They blend in.

That’s why an AI-powered defense is essential. It turns invisible signals into actionable insights at a scale neither analysts nor traditional tools can achieve alone.

Confidence is creating risk

One of the most dangerous assumptions in cybersecurity today is that strong controls equal strong protection.

Multi-factor authentication (MFA), for example, is widely viewed as a foundational safeguard. But as the CISO for a professional sports organization explains, that confidence can be misplaced. “A lot of organizations assume that once you have MFA, those accounts are safe. That’s not true.”

In one instance, his team identified a sophisticated attack where a threat actor bypassed MFA entirely, not by breaking it, but by going around it. A user’s authenticated session was hijacked and re-used, allowing the attacker to impersonate them without triggering traditional controls.

“Darktrace picked up that a session had been re-injected by the hacker, and we were able to block it right away,” he explains.

Attackers anticipate what we miss

Even well-trained users can become entry points.

“An email bypassed our existing security tools,” shares the VP of IT at a U.S.-based risk management services provider.  “The user missed one signal and entered their credentials into a malicious site. That’s what the bad guys count on.”

The organization responded quickly, but not before damage was done. Crucially, this occurred while Darktrace was in “watch mode,” before autonomous response was fully enabled. “Darktrace would have seen that and shut it down immediately,” he notes.

Mistakes and oversights like misconfigurations, forgotten machines, and missed patches can create serious vulnerabilities.

The CIO of a utility services organization shares an instance when Darktrace detected a breach to a client’s network via their ZTNA VPN due to misconfigured MFA. “Darktrace alerted us and autonomously blocked the scanning, preventing what could have been a ransomware-type incident.”  

The most dangerous threats are already inside

The Head of Security at a global business services provider knows firsthand how blind spots can persist inside environments. His team uncovered evidence of dormant ransomware artifacts sitting unnoticed within a company’s environment ¬¬– long before modern detection was in place.

“During a routine file transfer, Darktrace flagged the suspicious activity, identified the ransomware, and immediately quarantined the server,” he recalls.  While the attack was never executed, the implication was significant: the risk existed long before it was finally detected.

Cyber threats are also successful because they take advantage of normal human behavior, exploiting moments of cognitive overload, urgency, and trust.

The Executive Director of IT and Business Applications at a pharmaceutical lab describes the time Darktrace flagged an employee logging into Microsoft 365 from Singapore, despite him being physically located in the U.S. Darktrace immediately cut off his access and within minutes revealed that the employee’s son was using a VPN to play a video game.

While the threat was benign, it demonstrated the strength of AI to use contextual information to detect threats other tools miss. The information also saved security analysts hours of investigation and minimized downtime for the employee. “That level of precision and speed isn’t just convenient, it’s game changing.”

“Unusual” behavior is the new red flag

Detecting modern threats requires an understanding of what “normal” looks like and recognizing when something subtly deviates.

One security leader  at an AI technology enterprise described a scenario in which an employee connected to a proxy service in China. The service itself was legitimate, and although traditional tools didn’t flag it, the behavior was unusual for that user specifically.

“That’s what Darktrace picked up on. The activity turned out to be benign, but without visibility into behavioral deviations, it could just as easily have been something more serious.”

AI shifts defense from reaction to anticipation

These stories point to a fundamental shift by cyber attackers, both tactically and strategically. Because traditional security tools were built to detect what’s already known, modern attacks are often:

  • Credential-based, not malware-based
  • Behavioral, not signature-based
  • Subtle, not overt

They may operate within the boundaries of what appears normal, exploiting what organizations trust, not what they block:

  • Trusted sessions
  • Legitimate services
  • Human error

This is where AI is changing the equation. Rather than relying on predefined rules or known threat signatures, AI can:

  • Establish a baseline of normal behavior
  • Detect subtle anomalies in real time
  • Act autonomously to contain potential threats

Resilience, not perfection, is the new security standard

As these frontline experiences show, the organizations that lead are those that move beyond reactive defense and embrace AI as a core part of their strategy.

It eliminates the blind spots and uncertainty, says the CISO of a professional sports organization. “If you lack visibility, you’re not managing risk, you’re assuming it. AI gives you the actionable insights needed to turn uncertainty into control.”

And it provides the speed and agility that are vital when seconds matter, says the Executive Director of IT and Business Applications. “When Darktrace alerted us at 3:00 am to a ransomware attack, it had already quarantined the affected systems, blocked the attacker’s access, and provided us with the critical details and time needed to investigate. That action likely saved us hundreds of thousands, if not millions, of dollars.”

The modern SOC has become a cornerstone of enterprise resilience, responsible for protecting data and operational continuity while enabling digital growth and innovation. For today’s security professional, that means success is no longer measured by what they keep out, but by what they protect: revenue, reputation, and trust.

Continue reading
About the author
あなたのデータ × DarktraceのAI
唯一無二のDarktrace AIで、ネットワークセキュリティを次の次元へ