Darktrace (Core)

Threat detection and classification

Darktrace (Core) is the Enterprise Immune System’s flagship threat detection and defense capability, based on unsupervised machine learning and probabilistic mathematics.

Powered by advanced machine learning, together with a new branch of Bayesian probability theory developed by mathematicians from the University of Cambridge, Darktrace is the only genuinely self-learning cyber defense technology proven to work at scale. It is capable of detecting cyber-threats and anomalous behaviors that bypass traditional security tools, without prior knowledge of specific threats and without using rules or signatures.

Darktrace works by analyzing raw network data, creating unique behavioral models for every user and device, and for the relationships between them.

Leveraging its unique machine learning algorithms, Darktrace forms an evolving understanding of an organization’s ‘pattern of life’ (or ‘self’), spotting very subtle changes in behavior as they occur. These behavioral changes are correlated and filtered in order to detect emerging threats and anomalies.

Darktrace is delivered as a physical appliance, which is easily and rapidly installed within an hour at a SPAN or TAP port within the customer network(s). The appliance passively monitors raw network data in real time, without disrupting business operations, and provides instant visibility into all network activity, notifying of in-progress attacks or emerging anomalies.
  • Adaptive – evolves with your organization
  • Self-learning – constantly refines its understanding of normal
  • Probabilistic – works out likelihood of serious threat
  • Real-time – spots threats as they emerge
  • Works from day one – delivers instant value
  • Low false positives – correlation of weak indicators
  • Data agnostic – ingests all data sources
  • Highly accurate – models human, device and enterprise behavior
  • Installs in 1 hour – no configuration

Darktrace is the only cyber defense technology that is capable of detecting anomalous behaviors, without any prior knowledge of what it is looking for.

Darktrace Threat Visualizer

Shine a light into your network

The Threat Visualizer is Darktrace’s real-time, 3D threat notification interface. As well as displaying threat alerts, the Threat Visualizer provides a graphical overview of the day-to-day activity of your network(s), which is easy to use, and accessible for both security specialists and business executives.

Using cutting-edge visualization techniques, the Threat Visualizer user interface automatically alerts analysts to significant incidents and threats within their environments, enabling analysts to proactively investigate specific areas of the infrastructure.
  • 3D visualization of entire network topology
  • Real-time global overview of enterprise threat level
  • Intelligently clusters anomalies
  • Pan-spectrum viewing – higher-order network topology; specific clusters, subnets, and host events
  • Searchable logs and events
  • Replay of historical data
  • Concise summary of overall behavior for device and external IPs
  • Designed for business executives and security analysts

100% visibility

Visualization techniques can also be used to provide a high-level overview of a company’s network for business executives, helping to bridge the gap between technical specialists and the boardroom. Executives are given an easy-to-consume oversight of security issues, improving their awareness and understanding of the network environment, and enhancing their ability to make management decisions.

“Darktrace shines a light onto our systems, giving us a visual overview of what’s really happening ‘under the hood’.”
Conor Claxton, COO, Macrosynergy

Darktrace ICS

Industrial Control Systems & SCADA

Darktrace ICS, also known as the Industrial Immune System, is a fundamental innovation that implements a real-time ‘immune system’ for operational technologies, such as SCADA, and enables a fundamental shift in the approach to cyber defense.

Darktrace ICS retains all of the capabilities of Darktrace in the corporate environment, creating unique, behavioral understanding of the ‘self’ for each user and device within the network, and detecting threats that cannot be defined in advance by identifying even subtle shifts in expected behavior.

Detecting threats across IT and OT

Darktrace ICS is ideally deployed to observe both the ICS and corporate networks, as most ICS compromises occur via an IT network breach.

With Darktrace ICS, organizations with industrial networks are able to detect and respond to emerging threats, even if novel or tailored. They can also detect threats regardless of whether they originate in the IT or operational domain, or traverse between the two. By identifying unexpected anomalies in behavior, defenders can investigate malware compromises and insider risks as they emerge and throughout the stages of the attack lifecycle.

Darktrace ICS also provides the real-time visibility required to make intelligence-based decisions in live situations, while also enabling in-depth investigations into historical activity.

Installed as an appliance, Darktrace ICS passively ingests network data via a SPAN port or network tap. As such, it is able to monitor industrial networks with no disruption to the normal functioning of ICS operations, including industrial plants and machinery.

“Darktrace has already identified threats with the potential to disrupt our networks. It helps us stay ahead of emergent threats and better defend our key systems.”
Martin Sloan, Group Head of Security, Drax

Darktrace ICS is specifically adapted to protect operational technologies.

  • Unprecedented visibility into ICS activity
  • Protects against insider threat, including operators and privileged users
  • Detects threats in real time
  • Coverage of both IT and OT environments
  • Correlates actions over time, for refined understanding of ‘normal’

‘Immune System’ Cyber Security for SCADA Systems

by Simon Fellows, Technical Director, Darktrace

This Engineering and Technology Reference report provides detailed technical insight into how Darktrace works across operational technology environments and in SCADA systems.

Darktrace Antigena

The machine fights back

When the human immune system is faced with a new threat, it not only detects it but also produces antibodies that bind to it and ultimately neutralize it. Darktrace Antigena replicates this function of the human immune system by creating ‘digital antibodies’ in response to in-progress threats.

Darktrace Antigena acts automatically to restrain or contain threats quickly enough to allow humans to catch up. It can take as little as 20 minutes for a major threat, such as a ransomware attack, to escalate into a crisis; Darktrace Antigena’s automated action slows or stops threats in a targeted fashion, providing security teams with a vital time window in which to take mitigating action.

Darktrace Antigena’s response capability allows organizations to directly fight back, and networks to self-defend against specific threats, without disrupting the organization.

Darktrace Antigena is capable of taking a range of measured, automated actions in the face of confirmed cyber-threats detected in real time by Darktrace. Because Darktrace understands the ‘pattern of life’ of users, devices, and networks, Darktrace Antigena is able to take action in a highly targeted manner, mitigating threats while avoiding over-reactions.

Darktrace Antigena works by automatically creating digital antibodies for specific features found in previously unseen cyber-threats. Once Darktrace has identified a potential threat, Darktrace Antigena has the ability to take a variety of actions, depending on the severity of the anomalous activity. It can:

  • Stop or slow down activity related to a specific threat
  • Quarantine or semi-quarantine people, systems, or devices
  • Mark specific pieces of content, such as email, for further investigation or tracking

Without disrupting business operations or damaging productivity, Darktrace Antigena essentially enforces the ‘pattern of life’ that Darktrace has learned, without restricting people unnecessarily. It gives security teams time to respond to dangerous cyber-threats as they emerge.

Darktrace Antigena modules

Darktrace Antigena modules are deployed as physical appliances, complementing the core Darktrace appliance. They can also interface with Software Defined Networks (SDNs) and Active Directory, and are fully configurable.

“Antigena represents an important step in behavior analytics evolving to an active defense that traditional systems cannot match.”
Eric Ogren, Senior Security Analyst, 451 Research

  • Takes automated, measured, and targeted action
  • Responds faster than any security team can
  • Human confirmation mode
  • No rules, no signatures
  • Fully configurable
  • Does not disrupt day-to-day activity

Darktrace vSensors

Darktrace vSensors are lightweight software components that extend Darktrace’s visibility into virtualized environments. They provide the Enterprise Immune System with comprehensive visibility of today’s distributed infrastructures.

vSensor software is installed as a ‘virtual appliance’ configured to receive a SPAN from the virtual network switch. This allows it to capture all inter-VM traffic without a single packet being lost or dropped by the system. It stores the packet captures on a rolling basis, optimizing disk space and I/O performance and ensuring minimal impact on the performance of the server. Only one vSensor needs to be installed on each hardware server, allowing for scalability.

A vSensor is installed as a virtual appliance configured to receive a SPAN from the virtual network switch.

The vSensor extracts only the relevant metadata using the Darkflow system, sending the equivalent of 1% of the original raw network traffic ingested to the master appliance efficiently and securely, wherever it is located on the physical network.

Darktrace vSensors are distributed in industry-standard formats, representing a virtual (software) appliance. They have been developed for VMware ESXi and any other virtualized environment that supports the Open Virtualization Format (OVF).

Darktrace is the first company to be able to offer real-time visibility of all virtualized network traffic.
  • Ingests virtual traffic from a limited set of IPs
  • Sends data efficiently and securely to the Darktrace master appliance
  • Sends approximately 1% of the original raw network data ingested to the master appliance
  • Works with third-party clouds

Darktrace OS-Sensors

Darktrace OS-Sensors are lightweight, host-based server agents that extend Darktrace’s visibility into third-party cloud environments, including Amazon AWS, Rackspace, and Microsoft Azure.

OS-Sensors intelligently extract single copies of network traffic for analysis by the master Darktrace appliance. They are easily installed onto virtual machines in the cloud and are capable of dynamically configuring themselves to avoid data duplication and streamline bandwidth use. Working in conjunction with vSensors, they aggregate data and feed it back to the master appliance via a secure connection.

Darktrace OS-Sensors are fully configurable, allowing organizations to see all or selected cloud traffic, without requiring access to the hypervisor and with minimal performance impact.

Available for Linux and Windows, Darktrace OS-Sensors are robust and resilient, allowing organizations to enhance visibility and deliver Enterprise Immune System monitoring to cloud environments, wherever they are hosted.
  • Complete visibility of third-party clouds
  • Fully configurable – you choose cloud traffic that you want to monitor
  • Lightweight and non-intrusive – easily installed onto virtual machines, without requiring access to the physical server
  • Dynamic configuration – creates only single copies of network traffic, no data duplication

SaaS Connectors

Extending self-learning cyber defense to SaaS platforms

Darktrace SaaS Connectors allow customers to extend the power of Darktrace’s Enterprise Immune System to the blind spots within SaaS applications.

Organizations increasingly entrust high-value data to SaaS platforms outside the corporate network. Yet the rich user interactions within them are not always accessible to IT security teams. Darktrace SaaS Connectors provide coverage of these rich datasets, such as user logins, data uploads and data transfers, helping to better defend the full extent of your infrastructure.

Anomalous behaviors within SaaS applications can be detected irrespective of login location, allowing security operators to integrate their insights and threat detection capability across the multiple parts of their infrastructure.

Darktrace SaaS Connectors are available for major SaaS providers, including Salesforce.com, Box.com, G Suite, Dropbox and Microsoft Office 365.
  • Complete visibility of user interactions within SaaS applications
  • Easy install — less than an hour
  • Early-stage threat detection