Fusing Vulnerability and Threat Data: Enhancing the Depth of Attack Analysis
This blog highlights how vulnerability data, collected using Cado's new vulnerability discovery feature, can be fused with threat data to help deepen the understanding of an attack, as well as guide remediation efforts.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Paul Bottomley
Director of Product Management | Darktrace
Share
02
Apr 2025
Cado Security, recently acquired by Darktrace, is excited to announce a significant enhancement to its data collection capabilities, with the addition of a vulnerability discovery feature for Linux-based cloud resources. According to Darktrace’s Annual Threat Report 2024, the most significant campaigns observed in 2024 involved the ongoing exploitation of significant vulnerabilities in internet-facing systems. Cado’s new vulnerability discovery capability further deepens its ability to provide extensive context to security teams, enabling them to make informed decisions about threats, faster than ever.
Deep context to accelerate understanding and remediation
Context is critical when understanding the circumstances surrounding a threat. It can also take many forms – alert data, telemetry, file content, business context (for example asset criticality, core function of the resource), and risk context, such as open vulnerabilities.
When performing an investigation, it is common practice to understand the risk profile of the resource impacted, specifically determining open vulnerabilities and how they may relate to the threat. For example, if an analyst is triaging an alert related to an internet-facing Webserver running Apache, it would greatly benefit the analyst to understand open vulnerabilities in the Apache version that is running, if any of them are exploitable, whether a fix is available, etc. This dataset also serves as an invaluable source when developing a remediation plan, identifying specific vulnerabilities to be prioritised for patching.
Data acquisition in Cado
Cado is the only platform with the ability to perform full forensic captures as well as utilize instant triage collection methods, which is why fusing host-based artifact data with vulnerability data is such an exciting and compelling development.
The vulnerability discovery feature can be run as part of an acquisition – full or triage – as well as independently using a fast ‘Scan only’ mode.
Figure 1: A fast vulnerability scan being performed on the acquired evidence
Once the acquisition has completed, the user will have access to a ‘Vulnerabilities’ table within their investigation, where they are able to view and filter open vulnerabilities (by Severity, CVE ID, Resource, and other properties), as well as pivot to the full Event Timeline. In the Event Timeline, the user will be able to identify whether there is any malicious, suspicious or other interesting activity surrounding the vulnerable package, given the unified timeline presents a complete chronological dataset of all evidence and context collected.
Figure 2: Vulnerabilities discovered on the acquired evidence
Figure 3: Pivot from the Vulnerabilities table to the Event Timeline provides an in-depth view of file and process data associated with the vulnerable package selected. In this example, Apache2.
Future work
In the coming months, we’ll be releasing initial versions of highly anticipated integrations between Cado and Darktrace, including the ability to ingest Darktrace / CLOUD alerts which will automatically trigger a forensic capture (as well as a vulnerability discovery) of the impacted assets.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
React2Shell Reflections: Cloud Insights, Finance Sector Impacts, and How Threat Actors Moved So Quickly
This blog breaks down how attackers rapidly weaponized the React2Shell vulnerability, with a particular focus on cloud‑native financial environments. Drawing on Darktrace’s honeypot research, it explores emerging threat actor tooling, exploitation timelines, and why behavioral‑anomaly‑led security is critical in today’s cloud landscape.
A New Security Challenge: The Curious Case of Prompt Language Analysis
Why prompt analysis is emerging as a key AI security challenge
If securing AI has been one of the defining cybersecurity conversations of the past year, prompt analysis is quickly becoming one of its most interesting frontiers.
Security leaders are under pressure to understand how AI is being used across the business. In some organizations, that means governing employee use of chatbots. In others, it means overseeing copilots embedded into SaaS platforms, monitoring coding assistants, or assessing the growing footprint of autonomous agents. However different these use cases may appear on the surface, they share a common factor: humans and machines are usually interacting with enterprise systems through language.
How prompt language differs from traditional security telemetry
For years, defenders have become used to working with familiar forms of telemetry: email traffic, network connections, API calls, endpoint processes, authentication events. Prompt language is different. It is not simply another log source. It is an expression of intent, instruction, curiosity, urgency, and sometimes manipulation. It reflects the end-goal of a user or agent, but not always with enough surrounding context to interpret the risk correctly.
Why existing security approaches only partially explain prompt risk
A growing number of vendors are approaching the task of securing AI from the angle they know best. Perimeter vendors are extending web or browser controls into AI usage. Identity vendors are emphasizing agent permissions and access governance. Data security and DLP providers are focusing on content inspection and exfiltration risk. All of these perspectives matter, but individually can’t fully explain the problem.
The challenge with securing AI is not just that a new application category has emerged. It is that language has become a new operating layer in the enterprise.
Employees now use prompts to summarize documents, generate code, analyze spreadsheets, query internal knowledge, and trigger multi-step actions through agents. In each case, prompt language acts as the interface between human intent and machine execution. That makes prompts incredibly valuable from a security perspective as they can hint at misuse, policy violations, data exposure, or attempts to circumvent controls. However, they can also be deeply ambiguous when viewed in isolation. That ambiguity is the heart of the issue.
Prompts as behavioral signals, not just text to classify
A prompt by itself tells you what was asked. It does not necessarily tell you whether the request is expected, risky, accidental, or entirely legitimate in context. Two nearly identical prompts can carry very different meanings depending on the role and function of who issued them, what systems they can access, and what actions followed. In other words, prompts are not just text to classify. They are behavioral signals to interpret.
Example: How context changes prompt risk entirely
Consider a common enterprise scenario. An employee is pulled into a new project with an aggressive deadline. Almost overnight, their use of AI tools spikes. They begin prompting more frequently, working across unfamiliar documents, querying new data sources, and interacting with more systems than usual to accelerate delivery. Viewed narrowly, this may look suspicious. Prompt volume increases, file access patterns change, API and SaaS activity rise. From some vantage points, it may resemble insider risk or unmanaged AI usage.
But now add context. Imagine that, earlier that day, the employee received instructions from a senior leader asking them to support a time-sensitive initiative. Their communication history shows that this leader is a legitimate reporting-line superior. Their recent collaboration patterns align with the new project team. Their subsequent activity, while unusual for that individual’s baseline, is consistent with the business task they were assigned.
What initially looked like a risk event may actually be a normal response to business pressure. Without the surrounding context of communication, organizational relationships, and broader behavioral patterns, prompt activity alone could generate more noise than insight.
The reverse is also true. A prompt may appear benign on the surface while the context around it suggests elevated risk. A request that seems routine could originate from a compromised user, a newly connected external agent, a shadow AI workflow, or a user acting outside their normal role. The language itself may not contain anything obviously malicious, but the surrounding conditions may tell a very different story.
What security teams need to analyze prompts effectively
The future of prompt analysis is not just about understanding language. It is about understanding language in context.
To do that well, security teams need more than prompt inspection. They need to understand:
Who is issuing the prompt, whether human or agent
How that identity normally behaves across the enterprise
What systems, data, and workflows are connected to the interaction
Which relationships and communications explain the surrounding activity
Whether the downstream actions align with expected business behavior
When those layers are absent, prompt analysis can become another isolated control surface: useful in theory, but limited in practice. Security teams may detect unusual wording but miss the operational function behind it, overreact to benign changes in behavior, or miss subtle misuse because the prompt itself did not appear dangerous.
How organizations should think about prompt analysis going forward
Security teams have seen this pattern before. In the cloud, posture without runtime context left important gaps. In identity, access control without behavioral understanding missed misuse that looked legitimate on paper. In data security, content inspection without business context often created friction without resolving risk. AI is exposing the same lesson again: controls are strongest when they are coordinated, not isolated. As organizations work to secure AI and identify gaps across their security operations, prompt analysis will become an increasingly important source of insight, but only as part of a broader strategy.
Prompt analysis will undoubtedly become more common, as prompts are one of the clearest windows into how people and agents are using AI systems. However, what matters most is not simply collecting prompts or filtering dangerous phrases, but being able to place that language inside a wider behavioral and operational picture.
Organizations that already have a broader understanding of how work gets done across the enterprise will be better positioned to make sense of prompt language as this category matures. They will be better able to distinguish urgency from abuse, experimentation from exfiltration, and productive AI adoption from hidden risk.
Figure 1: Darktrace / SECURE AI reconstructs the full sequence of events, showing every user and agent interaction in context, with risky prompts highlighted and categorized, including PII, sensitive data, and other policy violations.
At Darktrace, this is the key lesson emerging from the market: prompt language does matter, but it does not stand alone. It is most valuable when treated as a new behavioral input that can enrich understanding across the enterprise, not as a self-contained source of truth.
Why prompts become less useful when analyzed in isolation
The curious case of prompt language analysis, then, is this: the more important prompts become, the less useful they are in a vacuum.
The real opportunity is not just to see what was asked. It is to understand why it was asked, what it meant in that moment, and what happened next.
For a deeper look at how organizations are approaching this challenge from the strengths of prompt analysis to its limitations in isolation see Prompt Security in Enterprise AI: Strengths, Weaknesses, and Common Approaches, which expands on the role prompt-level controls play within a broader, context-driven security strategy.
