Blog
/
Network
/
June 16, 2025

Tracking CVE-2025-31324: Darktrace’s detection of SAP Netweaver exploitation before and after disclosure 

A critical SAP vulnerability, CVE-2025-31324, allows unauthenticated remote code execution via NetWeaver Visual Composer. Despite early mitigation guidance, many systems remain exposed. Darktrace detected exploitation attempts six days before public disclosure, highlighting the importance of proactive, threat-agnostic detection.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Signe Zaharka
Principal Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
16
Jun 2025

Introduction: Exploiting SAP platforms

Global enterprises depend extensively on SAP platforms, such as SAP NetWeaver and Visual Composer, to run critical business processes worldwide. These systems; however, are increasingly appealing targets for well-resourced adversaries:

What is CVE-2025-31324?

CVE-2025-31324 affects SAP’s NetWeaver Visual Composer, a web-based software modeling tool. SAP NetWeaver is an application server and development platform that runs and connects SAP and non-SAP applications across different technologies [2]. It is commonly used by process specialists to develop application components without coding in government agencies, large enterprises, and by critical infrastructure operators [4].

CVE-2025-31324 affects SAP’s Netweaver Visual Composer Framework 7.1x (all SPS) and above [4]. The vulnerability in a Java Servlet (/irj/servlet_jsp) would enable an unauthorized actor to upload arbitrary files to the /developmentserver/metadatauploader endpoint, potentially resulting in remote code execution (RCE) and full system compromise [3]. The issue stems from an improper authentication and authorization check in the SAP NetWeaver Application Server Java systems [4].

What is the severity rating of CVE-2025-31324?

The vulnerability, first disclosed on April 24, 2025, carries the highest severity rating (CVSS v3 score: 10.0) and could allow remote attackers to upload malicious files without requiring authentication [1][5]. Although SAP released a workaround on April 8, many organizations are hesitant to take their business-critical SAP NetWeaver systems offline, leaving them exposed to potential exploitation [2].

How is CVE-2025-31324 exploited?

The vulnerability is exploitable by sending specifically crafted GET, POST, or HEAD HTTP requests to the /developmentserver/metadatauploader URL using either HTTP or HTTPS. Attackers have been seen uploading malicious files (.jsp, .java, or .class files to paths containing “\irj\servlet_jsp\irj\”), most of them being web shells, to publicly accessible SAP NetWeaver systems.

External researchers observed reconnaissance activity targeting this vulnerability in late January 2025, followed by a surge in exploitation attempts in February. The first confirmed compromise was reported in March [4].

Multiple threat actors have reportedly targeted the vulnerability, including Chinese Advanced Persistent Threats (APTs) groups Chaya_004 [7], UNC5221, UNC5174, and CL-STA-0048 [8], as well as ransomware groups like RansomEXX, also known as Storm-2460, BianLian [4] or Qilin [6] (the latter two share the same indicators of  compromise (IoCs)).

Following the initial workaround published on April 8, SAP released a security update addressing CVE-2025-31324 and subsequently issued a patch on May 13 (Security Note 3604119) to resolve the root cause of the vulnerability [4].

Darktrace’s coverage of CVE-2025-31324 exploitation

Darktrace has observed activity indicative of threat actors exploiting CVE-2025-31324, including one instance detected before the vulnerability was publicly disclosed.

In April 2025, the Darktrace Threat Research team investigated activity related to the CVE-2025-31324 on SAP devices and identified two cases suggesting active exploitation of the vulnerability. One case was detected prior to the public disclosure of the vulnerability, and the other just two days after it was published.

Early detection of CVE 2025-31324 by Darktrace

Figure 1: Timeline of events for an internet-facing system, believed to be a SAP device, exhibiting activity indicative of CVE-2025-31324 exploitation.
Figure 1: Timeline of events for an internet-facing system, believed to be a SAP device, exhibiting activity indicative of CVE-2025-31324 exploitation.

On April 18, six days prior to the public disclosure of CVE-2025-31324, Darktrace began to detect unusual activity on a device belonging to a logistics organization in the Europe, the Middle East and Africa (EMEA) region. Multiple IoCs observed during this incident have since been linked via OSINT to the exploitation of CVE-2025-31324. Notably, however, this reporting was not available at the time of detection, highlighting Darktrace’s ability to detect threats agnostically, without relying on threat intelligence.

The device was observed making  domain name resolution request for the Out-of-Band Application Security Testing (OAST) domain cvvr9gl9namk9u955tsgaxy3upyezhnm6.oast[.]online. OAST is often used by security teams to test if exploitable vulnerabilities exist in a web application but can similarly be used by threat actors for the same purpose [9].

Four days later, on April 22, Darktrace observed the same device, an internet-facing system believed to be a SAP device, downloading multiple executable (.exe) files from several Amazon Simple Storage Service (S3). Darktrace’s Threat Research team later found these files to be associated with the KrustyLoader  malware [23][24][25].

KrustyLoader is known to be associated with the Chinese threat actor UNC5221, also known as UTA0178, which has been reported to aggressively target devices exposed to the internet [10] [14] [15]. It is an initial-stage malware which downloads and launches a second-stage payload – Sliver C2. Sliver is a similar tool to Cobalt Strike (an open-source post-exploitation toolkit). It is used for command-and-control (C2) connections [11][12]13]. After its successful download, KrustyLoader deletes itself to evade detection.  It has been reported that multiple Chinese APT groups have deployed KrustyLoader on SAP Netweaver systems post-compromise [8].

The actors behind KrustyLoader have also been associated with the exploitation of zero-day vulnerabilities in other enterprise systems, including Ivanti devices [12]. Notably, in this case, one of the Amazon S3 domains observed (abode-dashboard-media.s3.ap-south-1.amazonaws[.]com ) had previously been investigated by Darktrace’s Threat Research team as part of their investigation into Ivanti Connect Secure (CS) and Policy Secure (PS) appliances.

In addition to the download of known malicious files, Darktrace also detected new IoCs, including several executable files that could not be attributed to any known malware families or previous attacks, and for which no corresponding OSINT reporting was available.

Figure 2: Darktrace's detection of a likely SAP device downloading an executable file from an Amazon S3 domain on April 22*.

*The model alert was recreated in a demo environment using real incident metadata, as the original customer environment was no longer accessible.

Post-CVE publication detection

Exploit Validation

Between April 27 and 29, Darktrace observed unusual activity from an SAP device on the network of a manufacturing customer in EMEA.

Darktrace / NETWORK’s detection of an SAP device performing a large volume of suspicious activity between April 27 and April 29.
Figure 3: Darktrace / NETWORK’s detection of an SAP device performing a large volume of suspicious activity between April 27 and April 29.

The device was observed making DNS requests for OAST domains (e.g. aaaaaaaa.d06qqn7pu5a6u25tv9q08p5xhbjzw33ge.oast[.]online and aaaaaaaaaaa.d07j2htekalm3139uk2gowmxuhapkijtp.oast[.]pro), suggesting that a threat actor was testing for exploit validation [9].

Darktrace / NETWORK’s detection of a SAP device making suspicious domain name resolution requests for multiple OAST domains.
Figure 4: Darktrace / NETWORK’s detection of a SAP device making suspicious domain name resolution requests for multiple OAST domains.

Privilege escalation tool download attempt

One day later, Darktrace observed the same device attempting to download an executable file from hxxp://23.95.123[.]5:666/xmrigCCall/s.exe (SHA-1 file hash: e007edd4688c5f94a714fee036590a11684d6a3a).

Darktrace / NETWORK identified the user agents Microsoft-CryptoAPI/10.0 and CertUtil URL Agent during the connections to 23.95.123[.]5. The connections were made over port 666, which is not typically used for HTTP connections.

Multiple open-source intelligence (OSINT) vendors have identified the executable file as either JuicyPotato or SweetPotato, both Windows privilege escalation tools[16][17][18][19]. The file hash and the unusual external endpoint have been associated with the Chinese APT group Gelsemium in the past, however, many threat actors are known to leverage this tool in their attacks [20] [21].

Figure 5: Darktrace’s Cyber AI Analyst’s detection of a SAP device downloading a suspicious executable file from hxxp://23.95.123[.]5:666/xmrigCCall/s.exe on April 28, 2025.

Darktrace deemed this activity highly suspicious and triggered an Enhanced Monitoring model alert, a high-priority security model designed to detect activity likely indicative of compromise. As the customer was subscribed to the Managed Threat Detection service, Darktrace’s Security Operations Centre (SOC) promptly investigated the alert and notified the customer for swift remediation. Additionally, Darktrace’s Autonomous Response capability automatically blocked connections to the suspicious IP, 23.95.123[.]5, effectively containing the compromise in its early stages.

Actions taken by Darktrace’s Autonomous Response to block connections to the suspicious external endpoint 23.95.123[.]5. This event log shows that the connections to 23.95.123[.]5 were made over a rare destination port for the HTTP protocol and that new user agents were used during the connections.
Figure 6: Actions taken by Darktrace’s Autonomous Response to block connections to the suspicious external endpoint 23.95.123[.]5. This event log shows that the connections to 23.95.123[.]5 were made over a rare destination port for the HTTP protocol and that new user agents were used during the connections.

Conclusion

The exploitation of CVE-2025-31324 to compromise SAP NetWeaver systems highlights the persistent threat posed by vulnerabilities in public-facing assets. In this case, threat actors leveraged the flaw to gain an initial foothold, followed by attempts to deploy malware linked to groups affiliated with China [8][20].

Crucially, Darktrace demonstrated its ability to detect and respond to emerging threats even before they are publicly disclosed. Six days prior to the public disclosure of CVE-2025-31324, Darktrace detected unusual activity on a device believed to be a SAP system, which ultimately represented an early detection of the CVE. This detection was made possible through Darktrace’s behavioral analysis and anomaly detection, allowing it to recognize unexpected deviations in device behavior without relying on signatures, rules or known IoCs. Combined with its Autonomous Response capability, this allowed for immediate containment of suspicious activity, giving security teams valuable time to investigate and mitigate the threat.

Credit to Signe Zaharka (Principal Cyber Analyst), Emily Megan Lim, (Senior Cyber Analyst) and Ryan Traill (Analyst Content Lead)

Appendices

List of IoCs

23.95.123[.]5:666/xmrigCCall/s.exe - URL- JuicyPotato/SweetPotato - high confidence

29274ca90e6dcf5ae4762739fcbadf01- MD5 file hash - JuicyPotato/SweetPotato - high confidence

e007edd4688c5f94a714fee036590a11684d6a3a - SHA-1 file hash - JuicyPotato/SweetPotato -high confidence

3268f269371a81dbdce8c4eedffd8817c1ec2eadec9ba4ab043cb779c2f8a5d2 - SHA-256 file hash - JuicyPotato/SweetPotato -high confidence

abode-dashboard-media.s3.ap-south-1.amazonaws[.]com/nVW2lsYsYnv58 - URL- high confidence

applr-malbbal.s3.ap-northeast-2.amazonaws[.]com/7p3ow2ZH - URL- high confidence

applr-malbbal.s3.ap-northeast-2.amazonaws[.]com/UUTICMm - URL- KrustyLoader - high confidence

beansdeals-static.s3.amazonaws[.]com/UsjKy - URL- high confidence

brandnav-cms-storage.s3.amazonaws[.]com/3S1kc - URL- KrustyLoader - high confidence

bringthenoiseappnew.s3.amazonaws[.]com/pp79zE - URL- KrustyLoader - high confidence

f662135bdd8bf792a941ea222e8a1330 - MD5 file hash- KrustyLoader - high confidence

fa645f33c0e3a98436a0161b19342f78683dbd9d - SHA-1 file hash- KrustyLoader - high confidence

1d26fff4232bc64f9ab3c2b09281d932dd6afb84a24f32d772d3f7bc23d99c60 - SHA-256 file hash- KrustyLoader - high confidence

6900e844f887321f22dd606a6f2925ef - MD5 file hash- KrustyLoader - high confidence

da23dab4851df3ef7f6e5952a2fc9a6a57ab6983 - SHA-1 file hash- KrustyLoader - high confidence

1544d9392eedf7ae4205dd45ad54ec67e5ce831d2c61875806ce4c86412a4344 - SHA-256 file hash- KrustyLoader - high confidence

83a797e5b47ce6e89440c47f6e33fa08 - MD5 file hash - high confidence

a29e8f030db8990c432020441c91e4b74d4a4e16 - SHA-1 file hash - high confidence

72afde58a1bed7697c0aa7fa8b4e3b03 - MD5 file hash- high confidence

fe931adc0531fd1cb600af0c01f307da3314c5c9 - SHA-1 file hash- high confidence

b8e56de3792dbd0f4239b54cfaad7ece3bd42affa4fbbdd7668492de548b5df8 - SHA-256 file hash- KrustyLoader - high confidence

17d65a9d8d40375b5b939b60f21eb06eb17054fc - SHA-1 file hash- KrustyLoader - high confidence

8c8681e805e0ae7a7d1a609efc000c84 - MD5 file hash- KrustyLoader - high confidence

29274ca90e6dcf5ae4762739fcbadf01 - MD5 file hash- KrustyLoader - high confidence

Darktrace Model Detections

Anomalous Connection / CertUtil Requesting Non Certificate

Anomalous Connection / CertUtil to Rare Destination

Anomalous Connection / Powershell to Rare External

Anomalous File / EXE from Rare External Location

Anomalous File / Multiple EXE from Rare External Locations

Anomalous File / Internet Facing System File Download

Anomalous File / Masqueraded File Transfer (Enhanced Monitoring)

Anomalous Server Activity / New User Agent from Internet Facing System

Compliance / CertUtil External Connection

Compromise / High Priority Tunnelling to Bin Services (Enhanced Monitoring)

Compromise / Possible Tunnelling to Bin Services

Device / Initial Attack Chain Activity (Enhanced Monitoring)

Device / Suspicious Domain

Device / Internet Facing Device with High Priority Alert

Device / Large Number of Model Alerts

Device / Large Number of Model Alerts from Critical Network Device (Enhanced Monitoring)

Device / New PowerShell User Agent

Device / New User Agent

Autonomous Response Model Alerts

Antigena / Network / External Threat / Antigena Suspicious File Block

Antigena / Network / Significant Anomaly / Antigena Controlled and Model Alert

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Antigena/ Network / External Threat / Antigena Suspicious File Block

Antigena/ Network / External Threat / Antigena Suspicious File Pattern of Life Block

Antigena/ Network / Significant Anomaly / Antigena Alerts Over Time Block

Antigena/ Network / Significant Anomaly / Antigena Controlled and Model Alert

Antigena/ Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

Antigena/ Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Cyber AI Analyst Incidents

Possible HTTP Command and Control

Suspicious File Download

MITRE ATT&CK Mapping

Malware - RESOURCE DEVELOPMENT - T1588.001

PowerShell - EXECUTION - T1059.001

Drive-by Compromise - INITIAL ACCESS - T1189

Ingress Tool Transfer - COMMAND AND CONTROL - T1105

Application Layer Protocol - COMMAND AND CONTROL - T1071

Exploitation of Remote Services - LATERAL MOVEMENT - T1210

Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - EXFILTRATION - T1048.003

References

1. https://nvd.nist.gov/vuln/detail/CVE-2025-31324

2. https://www.bleepingcomputer.com/news/security/over-1-200-sap-netweaver-servers-vulnerable-to-actively-exploited-flaw/

3. https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/

4. https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/

5. https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/

6. https://op-c.net/blog/sap-cve-2025-31324-qilin-breach/

7. https://www.forescout.com/blog/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor/

8. https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures

9. https://portswigger.net/burp/application-security-testing/oast

10. https://www.picussecurity.com/resource/blog/unc5221-cve-2025-22457-ivanti-connect-secure  

11. https://malpedia.caad.fkie.fraunhofer.de/details/elf.krustyloader

12. https://www.broadcom.com/support/security-center/protection-bulletin/krustyloader-backdoor

13. https://labs.withsecure.com/publications/new-krustyloader-variant-dropped-via-screenconnect-exploit

14. https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability

15. https://thehackernews.com/2024/01/chinese-hackers-exploiting-critical-vpn.html

16. https://www.virustotal.com/gui/file/3268f269371a81dbdce8c4eedffd8817c1ec2eadec9ba4ab043cb779c2f8a5d2

17. https://bazaar.abuse.ch/sample/3268f269371a81dbdce8c4eedffd8817c1ec2eadec9ba4ab043cb779c2f8a5d2/

18. https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/report-juicypotato-hacking-tool-discovered.pdf

19. https://www.manageengine.com/log-management/correlation-rules/detecting-sweetpotato.html

20. https://unit42.paloaltonetworks.com/rare-possible-gelsemium-attack-targets-se-asia/

21. https://assets.kpmg.com/content/dam/kpmg/in/pdf/2023/10/kpmg-ctip-gelsemium-apt-31-oct-2023.pdf

22. https://securityaffairs.com/177522/hacking/experts-warn-of-a-second-wave-of-attacks-targeting-sap-netweaver-bug-cve-2025-31324.html

23. https://www.virustotal.com/gui/file/b8e56de3792dbd0f4239b54cfaad7ece3bd42affa4fbbdd7668492de548b5df8

24. https://www.virustotal.com/gui/file/1d26fff4232bc64f9ab3c2b09281d932dd6afb84a24f32d772d3f7bc23d99c60/detection

25. https://www.virustotal.com/gui/file/1544d9392eedf7ae4205dd45ad54ec67e5ce831d2c61875806ce4c86412a4344/detection

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Signe Zaharka
Principal Cyber Analyst

More in this series

No items found.

Blog

/

/

September 25, 2025

Announcing Unified Real-Time CDR and Automated Investigations to Transform Cloud Security Operations

Default blog imageDefault blog image

Fragmented Tools are Failing SOC Teams in the Cloud Era

The cloud has transformed how businesses operate, reshaping everything from infrastructure to application delivery. But cloud security has not kept pace. Most tools still rely on traditional models of logging, policy enforcement, and posture management; approaches that provide surface-level visibility but lack the depth to detect or investigate active attacks.

Meanwhile, attackers are exploiting vulnerabilities, delivering cloud-native exploits, and moving laterally in ways that posture management alone cannot catch fast enough. Critical evidence is often missed, and alerts lack the forensic depth SOC analysts need to separate noise from true risk. As a result, organizations remain exposed: research shows that nearly nine in ten organizations have suffered a critical cloud breach despite investing in existing security tools [1].

SOC teams are left buried in alerts without actionable context, while ephemeral workloads like containers and serverless functions vanish before evidence can be preserved. Point tools for logging or forensics only add complexity, with 82% of organizations using multiple platforms to investigate cloud incidents [2].

The result is a broken security model: posture tools surface risks but don’t connect them to active attacker behaviors, while investigation tools are too slow and fragmented to provide timely clarity. Security teams are left reactive, juggling multiple point solutions and still missing critical signals. What’s needed is a unified approach that combines real-time detection and response for active threats with automated investigation and cloud posture management in a single workflow.

Just as security teams once had to evolve beyond basic firewalls and antivirus into network and endpoint detection, response, and forensics, cloud security now requires its own next era: one that unifies detection, response, and investigation at the speed and scale of the cloud.

A Powerful Combination: Real-Time CDR + Automated Cloud Forensics

Darktrace / CLOUD now uniquely unites detection, investigation, and response into one workflow, powered by Self-Learning AI. This means every alert, from any tool in your stack, can instantly become actionable evidence and a complete investigation in minutes.

With this release, Darktrace / CLOUD delivers a more holistic approach to cloud defense, uniting real-time detection, response, and investigation with proactive risk reduction. The result is a single solution that helps security teams stay ahead of attackers while reducing complexity and blind spots.

  • Automated Cloud Forensic Investigations: Instantly capture and analyze volatile evidence from cloud assets, reducing investigation times from days to minutes and eliminating blind spots
  • Enhanced Cloud-Native Threat Detection: Detect advanced attacker behaviors such as lateral movement, privilege escalation, and command-and-control in real time
  • Enhanced Live Cloud Topology Mapping: Gain continuous insight into cloud environments, including ephemeral workloads, with live topology views that simplify investigations and expose anomalous activity
  • Agentless Scanning for Proactive Risk Reduction: Continuously monitor for misconfigurations, vulnerabilities, and risky exposures to reduce attack surface and stop threats before they escalate.

Automated Cloud Forensic Investigations

Darktrace / CLOUD now includes capabilities introduced with Darktrace / Forensic Acquisition & Investigation, triggering automated forensic acquisition the moment a threat is detected. This ensures ephemeral evidence, from disks and memory to containers and serverless workloads can be preserved instantly and analyzed in minutes, not days. The integration unites detection, response, and forensic investigation in a way that eliminates blind spots and reduces manual effort.

Figure 1: Easily view Forensic Investigation of a cloud resource within the Darktrace / CLOUD architecture map

Enhanced Cloud-Native Threat Detection

Darktrace / CLOUD strengthens its real-time behavioral detection to expose early attacker behaviors that logs alone cannot reveal. Enhanced cloud-native detection capabilities include:

• Reconnaissance & Discovery – Detects enumeration and probing activity post-compromise.

• Privilege Escalation via Role Assumption – Identifies suspicious attempts to gain elevated access.

• Malicious Compute Resource Usage – Flags threats such as crypto mining or spam operations.

These enhancements ensure active attacks are detected earlier, before adversaries can escalate or move laterally through cloud environments.

Figure 2: Cyber AI Analyst summary of anomalous behavior for privilege escalation and establishing persistence.

Enhanced Live Cloud Topology Mapping

New enhancements to live topology provide real-time mapping of cloud environments, attacker movement, and anomalous behavior. This dynamic visibility helps SOC teams quickly understand complex environments, trace attack paths, and prioritize response. By integrating with Darktrace / Proactive Exposure Management (PEM), these insights extend beyond the cloud, offering a unified view of risks across networks, endpoints, SaaS, and identity — giving teams the context needed to act with confidence.

Figure 3: Enhanced live topology maps unify visibility across architectures, identities, network connections and more.

Agentless Scanning for Proactive Risk Reduction

Darktrace / CLOUD now introduces agentless scanning to uncover malware and vulnerabilities in cloud assets without impacting performance. This lightweight, non-disruptive approach provides deep visibility into cloud workloads and surfaces risks before attackers can exploit them. By continuously monitoring for misconfigurations and exposures, the solution strengthens posture management and reduces attack surface across hybrid and multi-cloud environments.

Figure 4: Agentless scanning of cloud assets reveals vulnerabilities, which are prioritized by severity.

Together, these capabilities move cloud security operations from reactive to proactive, empowering security teams to detect novel threats in real time, reduce exposures before they are exploited, and accelerate investigations with forensic depth. The result is faster triage, shorter MTTR, and reduced business risk — all delivered in a single, AI-native solution built for hybrid and multi-cloud environments.

Accelerating the Evolution of Cloud Security

Cloud security has long been fragmented, forcing teams to stitch together posture tools, log-based monitoring, and external forensics to get even partial coverage. With this release, Darktrace / CLOUD delivers a holistic, unified approach that covers every stage of the cloud lifecycle, from proactive posture management and risk identification to real-time detection, to automated investigation and response.

By bringing these capabilities together in a single AI-native solution, Darktrace is advancing cloud security beyond incremental change and setting a new standard for how organizations protect their hybrid and multi-cloud environments.

With Darktrace / CLOUD, security teams finally gain end-to-end visibility, response, and investigation at the speed of the cloud, transforming cloud defense from fragmented and reactive to unified and proactive.

[related-resource]

Sources: [1], [2] Darktrace Report: Organizations Require a New Approach to Handle Investigations in the Cloud

Continue reading
About the author
Adam Stevens
Senior Director of Product, Cloud | Darktrace

Blog

/

/

September 25, 2025

Introducing the Industry’s First Truly Automated Cloud Forensics Solution

Default blog imageDefault blog image

Why Cloud Investigations Fail Today

Cloud investigations have become one of the hardest problems in modern cybersecurity. Traditional DFIR tools were built for static, on-prem environments, rather than dynamic and highly scalable cloud environments, containing ephemeral workloads that disappear in minutes. SOC analysts are flooded with cloud security alerts with one-third lacking actionable data to confirm or dismiss a threat[1], while DFIR teams waste 3-5 days requesting access and performing manual collection, or relying on external responders.

These delays leave organizations vulnerable. Research shows that nearly 90% of organizations suffer some level of damage before they can fully investigate and contain a cloud incident [2]. The result is a broken model: alerts are closed without a complete understanding of the threat due to a lack of visibility and control, investigations drag on, and attackers retain the upper hand.

For SOC teams, the challenge is scale and clarity. Analysts are inundated with alerts but lack the forensic depth to quickly distinguish real threats from noise. Manual triage wastes valuable time, creates alert fatigue, and often forces teams to escalate or dismiss incidents without confidence — leaving adversaries with room to maneuver.

For DFIR teams, the challenge is depth and speed. Traditional forensics tools were built for static, on-premises environments and cannot keep pace with ephemeral workloads that vanish in minutes. Investigators are left chasing snapshots, requesting access from cloud teams, or depending on external responders, leading to blind spots and delayed response.

That’s why we built Darktrace / Forensic Acquisition & Investigation, the first automated forensic solution designed specifically for the speed, scale, and complexities of the cloud. It addresses both sets of challenges by combining automated forensic evidence capture, attacker timeline reconstruction, and cross-cloud scale. The solution empowers SOC analysts with instant clarity and DFIR teams with forensic depth, all in minutes, not days. By leveraging the very nature of the cloud, Darktrace makes these advanced capabilities accessible to security teams of all sizes, regardless of expertise or resources.

Introducing Automated Forensics at the Speed and Scale of Cloud

Darktrace / Forensic Acquisition & Investigation transforms cloud investigations by capturing, processing, and analyzing forensic evidence of cloud workloads, instantly, even from time-restricted ephemeral resources. Triggered by a detection from any cloud security tool, the entire process is automated, providing accurate root cause analysis and deep insights into attacker behavior in minutes rather than days or weeks. SOC and DFIR teams no longer have to rely on manual processes, snapshots, or external responders, they can now leverage the scale and elasticity of the cloud to accelerate triage and investigations.

Seamless Integration with Existing Detection Tools

Darktrace / Forensic Acquisition & Investigation does not require customers to replace their detection stack. Instead, it integrates with cloud-native providers, XDR platforms, and SIEM/SOAR tools, automatically initiating forensic capture whenever an alert is raised. This means teams can continue leveraging their existing investments while gaining the forensic depth required to validate alerts, confirm root cause, and accelerate response.

Most importantly, the solution is natively integrated with Darktrace / CLOUD, turning real-time detections of novel attacker behaviors into full forensic investigations instantly. When Darktrace / CLOUD identifies suspicious activity such as lateral movement, privilege escalation, or abnormal usage of compute resources, Darktrace / Forensic Acquisition & Investigation automatically preserves the underlying forensic evidence before it disappears. This seamless workflow unites detection, response, and investigation in a way that eliminates gaps, accelerates triage, and gives teams confidence that every critical cloud alert can be investigated to completion.

Figure 1: Integration with Darktrace / CLOUD – this example is showing the ability to pivot into the forensic investigation associated with a compromised cloud asset

Automated Evidence Collection Across Hybrid and Multi-Cloud

The solution provides automated forensic acquisition across AWS, Microsoft Azure, GCP, and on-prem environments. It supports both full volume capture, creating a bit-by-bit copy of an entire storage device for the most comprehensive preservation of evidence, and triage collection, which prioritizes speed by gathering only the most essential forensic artifacts such as process data, logs, network connections, and open file contents. This flexibility allows teams to strike the right balance between speed and depth depending on the investigation at hand.

Figure 2: Ability to acquire forensic data from Cloud, SaaS and on-prem environments

Automated Investigations, Root Cause Analysis and Attacker Timelines

Once evidence is collected, Darktrace applies automation to reconstruct attacker activity into a unified timeline. This includes correlating commands, files, lateral movement, and network activity into a single investigative view enriched with custom threat intelligence such as IOCs. Detailed investigation reporting including an investigation summary, an overview of the attacker timeline, and key events. Analysts can pivot into detailed views such as the filesystem view, traversing directories or inspecting file content, or filter and search using faceted options to quickly narrow the scope of an investigation.

Figure 3: Automated Investigation view surfacing the most significant attacker activity, which is contextualized with Alarm information

Forensics for Containers and Ephemeral Assets

Investigating containers and serverless workloads has historically been one of the hardest challenges for DFIR teams, as these assets often disappear before evidence can be preserved. Darktrace / Forensic Acquisition & Investigation captures forensic evidence across managed Kubernetes cloud services, even from distroless or no-shell containers, AWS ECS and other environments, ensuring that ephemeral activity is no longer a blind spot. For hybrid organizations, this extends to on-premises Kubernetes and OpenShift deployments, bringing consistency across environments.

Figure 4: Container investigations – this example is showing the ability to capture containers from managed Kubernetes cloud services

SaaS Log Collection for Modern Investigations

Beyond infrastructure-level data, the solution collects logs from SaaS providers such as Microsoft 365, Entra ID, and Google Workspace. This enables investigations into common attack types like business email compromise (BEC), account takeover (ATO), and insider threats — giving teams visibility into both infrastructure-level and SaaS-driven compromise from a single platform.

Figure 5: Ability to import logs from SaaS providers including Microsoft 365, Entra ID, and Google Workspace

Proactive Vulnerability and Malware Discovery

Finally, the solution surfaces risk proactively with vulnerability and malware discovery for Linux-based cloud resources. Vulnerabilities are presented in a searchable table and correlated with the attacker timeline, enabling teams to quickly understand not just which packages are exposed, but whether they have been targeted or exploited in the context of an incident.

Figure 6: Vulnerability data with pivot points into the attacker timeline

Cloud-Native Scale and Performance

Darktrace / Forensic Acquisition & Investigation uses a cloud-native parallel processing architecture that spins up compute resources on demand, ensuring that investigations run at scale without bottlenecks. Detailed reporting and summaries are automatically generated, giving teams a clear record of the investigation process and supporting compliance, litigation readiness, and executive reporting needs.

Scalable and Flexible Deployment Options

Every organization has different requirements for speed, control, and integration. Darktrace / Forensic Acquisition & Investigation is designed to meet those needs with two flexible deployment models.

  • Self-Hosted Virtual Appliance delivers deep integration and control across hybrid environments, preserving forensic data for compliance and litigation while scaling to the largest enterprise investigations.
  • SaaS-Delivered Deployment provides fast time-to-value out of the box, enabling automated forensic response without requiring deep cloud expertise or heavy setup.

Both models are built to scale across regions and accounts, ensuring organizations of any size can achieve rapid value and adapt the solution to their unique operational and compliance needs. This flexibility makes advanced cloud forensics accessible to every security team — whether they are optimizing for speed, integration depth, or regulatory alignment

Delivering Advanced Cloud Forensics for Every Team

Until now, forensic investigations were slow, manual, and reserved for only the largest organizations with specialized DFIR expertise. Darktrace / Forensic Acquisition & Investigation changes that by leveraging the scale and elasticity of the cloud itself to automate the entire investigation process. From capturing full disk and memory at detection to reconstructing attacker timelines in minutes, the solution turns fragmented workflows into streamlined investigations available to every team.

Whether deployed as a SaaS-delivered service for fast time-to-value or as a self-hosted appliance for deep integration, Darktrace / Forensic Acquisition & Investigation provides the features that matter most: automated evidence capture, cross-cloud investigations, forensic depth for ephemeral assets, and root cause clarity without manual effort.

With Darktrace / Forensic Acquisition & Investigation, what once took days now takes minutes. Now, forensic investigations in the cloud are faster, more scalable, and finally accessible to every security team, no matter their size or expertise.

[related-resource]

Sources: [1], [2] Darktrace Report: Organizations Require a New Approach to Handle Investigations in the Cloud

Additional Resources

Continue reading
About the author
Paul Bottomley
Director of Product Management | Darktrace
Your data. Our AI.
Elevate your network security with Darktrace AI