Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
For Managed Security Service Providers (MSSPs), this challenge is amplified: delivering consistent, high quality outcomes across multiple customers and deployments without multiplying tools, consoles, or analyst workload.
Darktrace aims to address this challenge with new capabilities within the ActiveAI Security Portal. This includes the introduction of a new Alerts Dashboard, designed to help MSSPs, and the customers they serve, operate more efficiently when triaging security alerts at scale.
From alert volume to operational clarity
Modern security teams often struggle to coordinate alerts across complex environments with multiple deployments, whether due to geography, regulation, or organizational structure.
As environments expand across regions, business units, and architectures, analysts are frequently required to log into multiple systems simply to understand what requires attention. This fragmentation slows triage, increases cognitive load, and makes it harder to deliver consistent outcomes.
The ActiveAI Security Portal addresses this challenge by providing a single, unified triage workspace that brings alerts from multiple Darktrace deployments together in one place without changing how those environments are architected.
For MSSPs, this creates a clearer operational view across customer accounts. For internal SOC teams, it delivers the same clarity across distributed enterprise environments.
Built for alert investigation across complex and multi-customer environments
The new ActiveAI Security Portal Alerts Dashboard is designed as a coordination layer, not a replacement for investigation tools.
From a single view, teams can:
Triage alerts across connected deployments
Assign and track investigations across analysts
Capture notes to support clean handoffs and auditability
Move seamlessly into deeper investigation when required
By reducing context switching and manual coordination, the dashboard helps SOC teams focus on decision making rather than navigation, improving efficiency across shifts and service tiers.
Figure 1: ActiveAI Security Portal Dashboard
AI driven triage that reduces analyst burden
At the core of the triage workflow is Darktrace’s Cyber AI Analyst, which automatically performs Level 1 and Level 2 triage by grouping related activity into evolving incidents.
Rather than presenting analysts with disconnected alerts, Cyber AI Analyst builds context automatically,reducing noise and surfacing what matters most. As new events or assets are detected, incidents update dynamically, ensuring teams are always working with the most current information.
This allows analysts to prioritize effectively, respond faster, and spend less time manually correlating activity across systems.
Unified visibility for multiple deployments in a single operational queue
Many MSSPs and enterprises operate environments that are intentionally segmented by geography, regulation, or business function. The ActiveAI Security Portal respects this reality.
Alerts from multiple deployments are surfaced in a single operational queue, but incidents remain scoped to how environments are configured. Where customers use a Unified View, Cyber AI Analyst can correlate activity across submasters; where they do not, the dashboard still provides consolidated triage without forcing artificial correlation.
This flexibility makes the Alerts Dashboard valuable across a wide range of operational and architectural models.
Figure 2: ActiveAI Security Portal AI Analyst Alerts Dashboard
Supporting MSSPs and complex customers alike
While the ActiveAI Security Portal is purpose-built for MSSPs managing multi-customer operations, it also delivers immediate value for customers with complex, multi-deployment environments.
Enterprise SOC teams can now triage alerts across regions or business units from one place without deploying additional infrastructure purely for visibility. In this way, the dashboard supports both outsourced and in-house security teams facing similar coordination challenges.
Continuing the ActiveAI Security Portal journey
The new Alerts Dashboard builds on capabilities introduced in the ActiveAI Security Portal in November, reflecting Darktrace’s continued focus on operational efficiency and AI-driven workflows.
Together, these enhancements bring the efficiency gains of Cyber AI Analyst and self-learning detection directly into the day-to-day work of SOC teams, making it easier to operate, scale, and deliver outcomes across increasingly complex environments.
This is not a one-off feature launch, but part of a broader evolution toward AI-native security operations.
Looking Ahead
As AI continues to reshape both the threat landscape and security operations, the ability to coordinate, prioritize, and respond efficiently will define successful SOCs.
The ActiveAI Security Portal is designed to help MSSPs and customers meet that challenge today, while providing a strong foundation for what comes next.
To learn more about availability and onboarding, contact your Darktrace partner manager.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Always On, Always Defending: Inside the AI-Driven SOC
Security leaders from global organizations share how the SOC is being redefined under growing pressure. In this roundtable blog, they explore challenges facing today’s SOCs and how AI is transforming operations to drive resilience, efficiency, and business growth.
Stadium and large public venue operators are confronted with a unique set of cyber security challenges. Often described as a ‘honeypot’ for cyber-criminals, the sports and entertainment industry is an attractive target for threat actors for three main reasons:
Modern sports organizations process sensitive and highly valuabledata at scale;
Sporting events are highly visible and time-critical, operating in front of live audiences with no room for error;
Sports organizations rely on sprawling vendor ecosystems and supply chains to deliver broadcast, commerce, fan engagement services, and more.
In a recent Darktrace-commissioned survey, 84% of professional sports organizations reported at least one cyber incident in the past year, and 57% were hit more than once [1]. The potential ramifications of cyber disruption during a large-scale sports event cannot be overstated. A momentary lapse in access to power could bring TV broadcasts to a halt; disruption to access controls could restrict fans from entering the grounds; CCTV outages could increase the risk of criminal behavior and physical injuries. If data is not reliable and stadium machines are outputting the wrong metrics, a venue could become dangerously overcrowded. The barrier between the cyber and physical worlds has long dissolved – cyber-attacks threaten human safety.
In this blog, I explore the key challenges of stadium cyber security and explain the unique capabilities of Self-Learning AI that led me to adopt Darktrace as a head of ICT and cyber security for international venues and events. Over my career I have helped secure football and rugby World Cups, World Athletics Championships and more than 500 events ,and the lessons from each have only sharpened my conviction in this approach.
The access paradox
The biggest challenge lies in the paradox of securing a site where various internal services are provided to a large number of unknown and unmanaged users, suppliers and devices. When it’s game time, or ‘D-Day’, you see a huge influx of thousands of people, each with their own devices, needing to connect to your network and your infrastructure. The floodgates are opened. But certain parts of your digital environment need to remain protected: your sensitive employee and customer data, your critical OT systems. I liken this to opening the door to your home, and letting the entire town come in and wander around. But you still need to secure your master bedroom.
A multitude of different actors must be able to work on-site to provide services or content during the event. Broadcasters, staff and suppliers need to have access to manage the show, and all these people need to access or interact with the IT infrastructure. In many ways, these additional bodies are already inside the perimeter and could host unknown malicious threats.
This year, the paradox is wider than ever. A tournament spread across hundreds of suppliers and vendors means the foothold an attacker needs may already belong to a trusted partner – a single compromised supplier can become the doorway to everything else. And the adversary is no longer working alone: generative AI now lets attackers probe and weaponize vulnerabilities across thousands of software dependencies at a speed no human team could match, turning the access paradox from a manageable risk into a fast-moving target.
Achieving this balance between accessibility and security requires a shift in mindset from perimeter-based security to one that can detect and respond to threats on the inside. The complexities involved requires technology that can identify malicious behavior in real time based on the wider context of an incident. A particular behavior or connection may be benign in one context and yet critically disruptive in another — tools and technology must be able to discern between the two.
This is why I considered Darktrace’s Self-Learning AI a suitable fit: rather than defending at the perimeter, it focuses on detecting and responding to malicious activity already inside. Because it learns the unique ‘patterns of life’ of its surroundings, it can detect subtle deviations that indicate a threat and initiate a targeted response – without relying on pre-programmed rules and playbooks.
IT/OT convergence
The second key challenge is the issue of IT and OT convergence. Typical stadiums and arenas consist of a wide range of Industrial Control Systems (ICS).
This involves a complex and messy array of switches, cables, CCTV cameras, as well as devices and technologies being brought in by the media and the press, and all these IT and OT components are now interconnected, which means these technologies now have Internet Protocol (IP)-based threats to manage. The same challenges that the corporate infrastructure for stadium management faces in cyber security are therefore also now an issue for ICS security.
This challenge cannot be addressed by viewing IT and OT security in isolation — these two environments are linked because of the analogue migration to IP. A unified approach is required to detect and respond to threats that start in IT before moving to industrial systems.
The stakes are physical. CCTV, Access Control, Public Annoucement system, lighting and the giant screens are all now running over IP, and a disruption to any of them can force a venue to halt play on safety grounds. Scale compounds the problem. At the Qatar 2022 World Cup, eight stadiums were purpose-built to a single technical standard, which made the digital environment relatively uniform to defend. The 2026 tournament is the opposite: dozens of host venues across three countries, each with its own operator, its own contractors and its own legacy systems.This creates a far more fragmented and unpredictable estate to secure.
In addition, cyber security technology must be able to deal with complexity. Darktrace’s AI thrives in the most complex environments, with more data points adding more context to inform the AI’s decision making. It covers OT and IT with a single, unified AI engine, that can also detect and respond across cloud infrastructure, SaaS applications, email systems and endpoints. It is ready to adapt to the messy, interconnected systems that make up large stadiums’ digital infrastructure.
The time factor
Finally, the nature of stadium events means that timing is critical and puts enormous pressure on the organizers and operators. ‘D-Day’ cannot be replayed or postponed, and so if cyber disruption occurs during the event, every minute is crucial. You cannot reschedule a World Cup final or move an opening ceremony; the date is fixed, the world is watching, and there is no second take.
There is consequently a strong emphasis on two key metrics
Mean Time To Know (MTTK) — how long it takes the security team need to be aware of an incident; and
Mean Time To Restore (MTTR) — how quickly a team can act to contain the threat.
It is perhaps more imperative in stadium event management than anywhere else that these two metrics be minimized.
This leads to the third criteria in assessing cyber security technology: does it help with response? And critically, can that response be nuanced and targeted, able to contain that threat without causing further disruption?
To this end, Darktrace’s Autonomous Response takes machine-speed action to contain cyber-attacks, when humans are too slow to react or aren’t around at all. It’s powered by Darktrace’s AI, so it has a nuanced and continuously updating understanding of what’s ‘normal’ across IT and OT systems. This means its response actions are targeted: designed to eliminate the threat, but not at the cost of disruption. Crucially, this enables responses that are surgical rather than blunt. For example, taking an entire server offline to stop a ransomware attack can cause more disruption than the attack itself, so the real value lies in neutralizing the malicious activity precisely — containing the threat without taking down the systems the event and business depends on.
Depending on the nature and severity of the threat, the technology can block specific malicious connections by enforcing the normal ‘pattern of life’ of a device or account. When every second counts, this is the speed and granularity that you need in a cybersecurity technology.
Darktrace can be deployed across every area of the digital enterprise, including network, email, cloud and SaaS environments with the same self-learning approach, stopping anomalous behaviors that point to account takeover and other cloud-based threats. Earlier this year, we announced that Darktrace is also extending its behavioral approach to help businesses deploy and scale AI securely by understanding how these AI systems and agents behave, interact with other systems and humans, and evolve over time. This is critical because 72% of cybersecurity professionals at sports organizations believe AI will increase their cyber risk over the next 12 months [2].
Wherever it is deployed, Darktrace allows the stadium operator to focus on the vital part of the game and offers real-time protection without any modification in the network topology or infrastructure.
An adaptive defense
Cyber-criminals are constantly developing their approach in an attempt to evade security tools trained to look for specific hallmarks of an attack. As they get creative and continuously experiment with new tactics and techniques, the human operators using these tools are forced into a constant state of catch up.
An AI-based approach that learns an organization and its normal behavior patterns from the ground up puts an end to this game of ‘cat and mouse’, shifting the balance in favor of the defenders and allowing them to stay ahead of the threat. This matters more than ever, because adversaries are now using AI to scale their attacks. If you do not have AI working to protect you against malicious AI, you are already at a disadvantage.
With a nuanced understanding of what’s ‘normal’ for the business, unified IT/OT coverage, and an Autonomous Response solution that takes immediate, surgical action, the playing field is leveled, and large stadium and events operators can focus on delivering the best possible experience for attendees, digital viewers, partners and performers.
[related-resource]
References:
[1] [2] Darktrace: Cybersecurity in Global Sport, June 2026. Findings based on survey of 875 IT cybersecurity professionals based in the US, UK, Australia and Germany, working in professional sports organizations (including clubs, societies & sporting bodies) employing 10+ people. The survey was fielded between May 28, 2026 and June 3, 2026 by independent market research agency, Opinion Matters.
