Stay ahead of APT groups
APTs have evolved, and so should your security. From advanced malware to zero-day exploitation, learn how Darktrace's unique approach to security helps you stay one step ahead.

What vulnerabilities are APTs targeting?
Ivanti CS & PS
The widespread exploitation of these vulnerabilities was mirrored across Darktrace's customer base in early 2024.
PAN OS firewall devices
Darktrace's SOC detected recurring malicious activity linked to Palo Alto firewall appliances, raising security concerns.
Forti Manager
Darktrace's Threat Research team investigated CVE-2024-23113, a critical vulnerability in the FortiGate-to-FortiManager protocol.
Cleo MFT software
Darktrace Threat Research investigated signs of exploitation linked to a new Cleo vulnerability, CVE-2024-55956.
Built to defend against unknown threats
Accelerate your investigations
10x
Darktrace's Cyber AI Analyst finds connections between isolated events and surfaces full security incidents, prioritized and contextualized. It has saved security teams the equivalent of up to 50,000 hours of investigation time per year.

Connect the dots associated with ransomware attacks
Darktrace uses advanced machine learning to automate Level 1 and Level 2 SOC investigations, streamlining your ability to discover ransomware attacks. By correlating seemingly unrelated events across your environment, Darktrace brings you a full attack picture in seconds.
Reduce workload and let AI do the busy work
Equivalent to adding 30 full-time Level 2 analysts without increasing headcount.
Accelerates incident response by 10x.
Automates Level 2 analysis, saving up to 50,000 hours annually.

Accelerate your investigation
10x: the most serious ransomware incidents, prioritized and contextualized.
50,000 hours: investigation time saved per year.
30 analysts: the equivalent capacity added without increasing headcount.
Darktrace's Cyber AI Analyst automates Level 1 and Level 2 SOC investigations, correlating seemingly unrelated events across your environment to bring you a full attack picture in seconds.

Sophisticated threats require an advanced security approach
Darktrace takes targeted actions at every stage of an attack, correlating thousands of data points at machine speed to detect, contextualize, and mitigate threats in real time, from advanced spear phishing attempts to unusual network activity.
Why EverLine chose Darktrace to help secure critical infrastructure
EverLine provides full-spectrum services to energy and infrastructure customers, protecting oil and gas pipelines, electric power generators, transportation, and other critical infrastructure. It relies on Darktrace to defend against sophisticated attacks, novel TTPs, and insider threats, enabling incident responders to contain attacks in the earliest phases, before they threaten operations.
visibility into the OT network, as reported by the customer

coverage with an AI-augmented SOC
incident response acceleration with Cyber AI Analyst

How Darktrace stopped an AiTM attack exploiting a zero-day vulnerability
Initial intrusion via phishing
A user received a phishing email masquerading as a Dropbox file share notification. The email originated from IP 54.240.39[.]219 and contained multiple payload links to Dropbox-associated hostnames.
Darktrace flagged the message based on anomaly indicators and its abuse of a legitimate cloud-sharing service.
AiTM attack and token theft
After the user interacted with the Dropbox link, Darktrace / IDENTITY detected suspicious authentication behavior. The attack leveraged AiTM techniques to steal MFA tokens and credentials, allowing the attacker to bypass MFA and impersonate the user.
Unusual login and persistence attempt
The compromised account accessed Microsoft 365 from an unusual IP address in Kenya (41.90.175[.]46). Around the same time, it attempted to register new MFA details using Microsoft Authenticator from IP 13.74.161[.]104.
Darktrace identified this rare behavior and detected simultaneous logins from geographically distant locations, an indicator of compromise.
Autonomous containment and SOC escalation
Darktrace autonomously disabled the compromised account, halting the attacker's access. The incident was escalated to Darktrace's Security Operations Center (SOC), which confirmed the compromise and extended containment measures. The customer was promptly notified, and further remediation steps were taken.
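The case study above turns on three identity signals: a sign-in from a country the user has never used, two sign-ins too far apart in space and too close in time to be one person, and an MFA-method registration shortly after such a sign-in. The following is an added illustration of how a defender can score those signals over sign-in telemetry; it is not Darktrace's code or detection logic. The event format, the user baseline, and the IP-to-location table (RFC 5737 documentation addresses) are all constructed for the example.

```python
"""
Sign-in anomaly scoring over constructed Microsoft 365-style events.
Added example, not Darktrace code. Flags:
  - new_country_login: sign-in from a country outside the user's baseline
  - impossible_travel: consecutive sign-ins implying travel faster than a plane
  - mfa_registration_after_anomalous_login: new MFA method registered soon
    after a sign-in from a new country (the persistence pattern in the case study)
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed stand-in for a GeoIP lookup: ip -> (country, lat, lon).
# Addresses come from RFC 5737 documentation ranges, not real infrastructure.
GEO = {
    "192.0.2.10": ("GB", 51.5074, -0.1278),    # London
    "198.51.100.7": ("KE", -1.2921, 36.8219),  # Nairobi
    "203.0.113.5": ("IE", 53.3498, -6.2603),   # Dublin
}

MAX_SPEED_KMH = 900.0            # roughly airliner speed; faster is "impossible"
MFA_WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    ip: str
    action: str   # "login" or "mfa_register"


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str
    detail: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def analyze(events, baseline):
    """baseline: {user: set of countries normally seen}. Returns findings in time order."""
    findings = []
    last_login = {}        # user -> (ts, lat, lon, ip)
    suspicious_since = {}  # user -> ts of first sign-in from a new country
    for ev in sorted(events, key=lambda e: e.ts):
        country, lat, lon = GEO[ev.ip]
        if ev.action == "login":
            if country not in baseline.get(ev.user, set()):
                findings.append(Finding(ev.user, "new_country_login", f"{ev.ip} ({country})"))
                suspicious_since.setdefault(ev.user, ev.ts)
            prev = last_login.get(ev.user)
            if prev is not None:
                pts, plat, plon, pip = prev
                hours = (ev.ts - pts).total_seconds() / 3600.0
                dist = haversine_km(plat, plon, lat, lon)
                # Compare distance against reachable distance; avoids division by zero
                # when two sign-ins share a timestamp.
                if dist > MAX_SPEED_KMH * hours:
                    findings.append(Finding(ev.user, "impossible_travel",
                                            f"{pip} -> {ev.ip}: {dist:.0f} km in {hours:.2f} h"))
            last_login[ev.user] = (ev.ts, lat, lon, ev.ip)
        elif ev.action == "mfa_register":
            since = suspicious_since.get(ev.user)
            if since is not None and ev.ts - since <= MFA_WINDOW:
                findings.append(Finding(ev.user, "mfa_registration_after_anomalous_login",
                                        f"{ev.ip} ({country}) {int((ev.ts - since).total_seconds() // 60)} min after new-country login"))
    return findings


# Constructed sample: alice normally signs in from GB, bob from IE.
SAMPLE_BASELINE = {"alice": {"GB"}, "bob": {"IE"}}
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "alice", "192.0.2.10", "login"),
    Event(T0 + timedelta(minutes=12), "alice", "198.51.100.7", "login"),
    Event(T0 + timedelta(minutes=15), "alice", "203.0.113.5", "mfa_register"),
    Event(T0 + timedelta(hours=1), "bob", "203.0.113.5", "login"),
]


def run_demo():
    return analyze(SAMPLE_EVENTS, SAMPLE_BASELINE)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.user:6} {f.kind:40} {f.detail}")
```

Run on the sample, the script reports three findings for alice (new country, impossible travel London to Nairobi in 12 minutes, and an MFA registration three minutes after the anomalous sign-in) and none for bob. The third finding is the one that justifies containment rather than a ticket: a new MFA method registered in that window means the attacker is trying to keep access after the stolen session token expires.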
Get ahead of the attack
Discover your most vulnerable and high-value attack paths to prioritize effectively and proactively bolster your defenses against ransomware.
Tailored incident simulations
Map realistic attack scenarios to your unique environment and master incident response.
Go beyond simple patch lists
Get custom mitigation advice, prioritized by the risk posed to your specific environment.

Get ahead of APTs
Get proactive about Advanced Persistent Threats: prioritize on true cyber risk and harden defenses ahead of time.
APT attack mapping
MITRE ATT&CK techniques are mapped to APT groups, giving you insight into the likelihood and impact of attacks in your environment.

Mitigate your risks
In cases where patches are unavailable or can't be applied, get mitigation advice that hardens the attack path.

See your most at-risk users
Discover your riskiest users and assets based on liability, access, and exposure, and then shore up defenses around them.

Go beyond simple patch lists
Get prioritized mitigation steps paired with their potential risk outcomes, making it easier to take proactive steps toward greater resilience.

Over 267 reviews on Gartner Peer Insights
Further resources on APTs

A Guide to Proactive IT Security
This white paper explores the challenges, benefits, and strategies needed to shift toward preventing attacks, saving time and resources, and avoiding business disruption.

Detecting State-Linked ShadowPad Malware
Darktrace identified a cluster of intrusions involving the state-linked malware, ShadowPad. This blog details ShadowPad and the associated activities detected by Darktrace.

Why Darktrace / EMAIL excels against APTs
Explore the relationship between APTs and rising BEC attacks, and see several recent examples of complex email attacks that Darktrace / EMAIL successfully disarmed, preventing intrusion.
See Darktrace in action
Protect your organization from supply chain attacks. See what Darktrace's AI can find in your environment.

Cyber resilience across the entire business
Frequently asked questions
Darktrace detects stealthy APT attacks by focusing on behavioral analysis rather than signature-based detection. APTs often attempt to blend in with regular network activity by mimicking legitimate user behavior and using encryption to evade detection. Darktrace learns the normal behavior of users and devices and flags deviations from this baseline, such as unexpected access to sensitive data or unusual network traffic patterns. This helps identify APTs that try to remain hidden.
Darktrace uses Self-Learning AI to build a real-time understanding of what is normal across your digital environment — including users, devices, cloud workloads, and applications. This allows it to detect subtle deviations that may indicate the presence of novel or signatureless malware, without relying on known threat indicators or static rules.
Rather than focusing on what malware looks like, Darktrace focuses on what it does. This enables it to identify early-stage behaviors like command-and-control communication, internal reconnaissance, or unusual data access patterns — even if the malware has never been seen before.
Nation-state attackers often operate slowly, stay hidden for long periods, and use highly customized tools to evade detection. Darktrace is effective in these environments because it continuously monitors network, OT, and IT environments, building a unique baseline of normal behavior for each environment.
When an attacker attempts to move laterally, escalate privileges, or exfiltrate data, even using legitimate credentials or tools, Darktrace spots the behavioral anomalies that signal a compromise. This is especially important in critical infrastructure, where attackers may use "living off the land" techniques that go undetected by traditional tools.
What role does Darktrace play in defending against attacks where APT groups use email as a primary vector for socially engineered phishing attacks?
Darktrace extends its AI-led security capabilities to the email landscape with Darktrace / EMAIL. It analyzes tone, payloads, header anomalies, and historical communication patterns to detect and stop socially engineered phishing emails, even when they come from trusted accounts.