Threat detection and classification

The flagship threat detection and defense capabilities of Darktrace’s Enterprise Immune System are based on unsupervised machine learning and probabilistic mathematics.

Powered by advanced machine learning, together with a new branch of Bayesian probability theory, Darktrace is the only self-learning cyber defense technology proven to work at scale. It detects cyber-threats and anomalous behaviors that bypass traditional security tools, without prior knowledge of specific threats and without rules or signatures.

Darktrace works by creating unique behavioral models for every user and device across the enterprise, and analyzing the relationships between them.

Leveraging its unique machine learning algorithms, Darktrace forms an evolving understanding of an organization’s ‘pattern of life’ (or ‘self’), spotting very subtle changes in behaviors, as they occur. These behavioral changes are correlated and filtered, in order to detect emerging threats and anomalies.

Darktrace is easily and rapidly installed into the heart of the network, typically at a SPAN or TAP port. It passively monitors raw network data – including cloud interactions – in real time, without disrupting business operations. Darktrace then provides instant visibility into all digital activity, notifying of in-progress attacks or emerging anomalies.

Our self-learning approach is the first non-consumer application of machine learning to work at scale across all network types, from physical, virtualized and cloud networks through to IoT and industrial control systems. Typical installation time is one hour.


  • Adaptive – evolves with your organization
  • Self-learning – constantly refines its understanding of normal
  • Probabilistic – works out likelihood of serious threat
  • Real-time – spots threats as they emerge
  • Works from day one – delivers instant value
  • Low false positives – correlation of weak indicators
  • Data agnostic – ingests all data sources
  • Highly accurate – models human, device and enterprise behavior
  • Installs in 1 hour – no configuration
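The following is an added toy illustration of the two ideas above, a per-device ‘pattern of life’ learned online and the correlation of weak indicators to keep false positives down. It is example code written for this page, not Darktrace’s algorithm or product code: the features (hourly bytes out, distinct destinations, new ports), the z-score thresholds and the sample records are all constructed assumptions.

```python
"""Added toy illustration of per-device behavioural baselining with
weak-indicator correlation. It is not Darktrace's algorithm; it only shows the
general idea: learn each device's own 'normal' online, with no rules or
signatures, and alert when several independent features deviate together."""
import math
from collections import defaultdict

MIN_SAMPLES = 10              # no scoring until a device has some history
WEAK_Z, STRONG_Z = 2.0, 4.0   # hypothetical thresholds chosen for the demo
FEATURES = ("bytes_out", "distinct_dests", "new_ports")


class RunningStats:
    """Welford's online mean/variance: the baseline evolves with every record."""

    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def std(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def zscore(self, x):
        s = self.std()
        return 0.0 if self.n < MIN_SAMPLES or s == 0.0 else (x - self.mean) / s


# device -> feature -> RunningStats, learned purely from observed traffic
baselines = defaultdict(lambda: {f: RunningStats() for f in FEATURES})


def score(record):
    """Score one hourly record against its device's baseline; returns (alert, indicators)."""
    model = baselines[record["device"]]
    indicators = []
    for f in FEATURES:
        z = model[f].zscore(record[f])
        if abs(z) >= STRONG_Z:
            indicators.append((f, round(z, 1), "strong"))
        elif abs(z) >= WEAK_Z:
            indicators.append((f, round(z, 1), "weak"))
    # correlation step: one weak deviation is noise; several together (or one
    # strong one) is worth an analyst's time. This is what keeps false positives down.
    strong = sum(1 for i in indicators if i[2] == "strong")
    weak = sum(1 for i in indicators if i[2] == "weak")
    alert = strong >= 1 or weak >= 2
    if not alert:
        # only benign-looking records refine 'normal', so an attacker cannot
        # legitimise a burst in one step (slow drift is still a known weakness)
        for f in FEATURES:
            model[f].update(record[f])
    return alert, indicators


def run_demo():
    """Constructed data: 24 quiet hours for one laptop, then two test records."""
    baselines.clear()
    for i in range(24):
        score({"device": "laptop-17", "bytes_out": 100 + 5 * (i % 9),
               "distinct_dests": 5 + (i % 5), "new_ports": i % 2})
    burst = {"device": "laptop-17", "bytes_out": 6000, "distinct_dests": 40, "new_ports": 6}
    blip = {"device": "laptop-17", "bytes_out": 150, "distinct_dests": 7, "new_ports": 0}
    return {"burst": score(burst), "blip": score(blip)}


if __name__ == "__main__":
    for label, (alert, indicators) in run_demo().items():
        print(label, "ALERT" if alert else "ok", indicators)
```

The ‘burst’ record deviates on all three features at once and alerts; the ‘blip’ record is a single mild deviation in bytes out and is left alone, which is the practical meaning of ‘correlation of weak indicators’. A real deployment also has to handle baseline poisoning by slow drift, which this toy does not attempt.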
“Darktrace is a market leader that provides a strong example of leveraging artificial intelligence.”

Darktrace Threat Visualizer

Shine a light into your network

The Threat Visualizer is Darktrace’s real-time, 3D threat notification interface. As well as displaying threat alerts, it provides a graphical overview of the day-to-day activity of your network(s) that is easy to use and accessible to both security specialists and business executives.

Using cutting-edge visualization techniques, the Threat Visualizer user interface automatically alerts analysts to significant incidents and threats within their environments, enabling analysts to proactively investigate specific areas of the infrastructure.


  • 3D visualization of entire network topology
  • Real-time global overview of enterprise threat level
  • Intelligently clusters anomalies
  • Pan-spectrum viewing – higher-order network topology; specific clusters, subnets, and host events
  • Searchable logs and events
  • Replay of historical data
  • Concise summary of overall behavior for device and external IPs
  • Designed for business executives and security analysts

100% visibility

Visualization techniques can also be used to provide a high-level overview of a company’s network for business executives, helping to bridge the gap between technical specialists and the boardroom. Executives are given an easy-to-consume oversight of security issues, improving their awareness and understanding of the network environment, and enhancing their ability to make management decisions.

“Darktrace shines a light onto our systems, giving us a visual overview of what’s really happening ‘under the hood’.”
Conor Claxton, COO, Macrosynergy

Darktrace Industrial

Industrial Control Systems & SCADA

Darktrace Industrial, also known as the Industrial Immune System, implements a real-time ‘immune system’ for operational technologies such as SCADA, and enables a fundamental shift in the approach to cyber defense.

Darktrace Industrial retains all of the capabilities of Darktrace in the corporate environment, creating unique, behavioral understanding of the ‘self’ for each user and device within the network, and detecting threats that cannot be defined in advance by identifying even subtle shifts in expected behavior.

Detecting threats across IT and OT

Darktrace Industrial is ideally deployed to observe both the ICS and the corporate network, since most ICS compromises begin with a breach of the IT network.

With Darktrace Industrial, organizations with industrial networks can detect and respond to emerging threats, even if novel or tailored, and regardless of whether those threats originate in the IT or the OT domain or traverse between them. By identifying unexpected anomalies in behavior, defenders can investigate malware compromises and insider risks as they emerge and through the stages of the attack lifecycle.

Darktrace Industrial also provides the real-time visibility required to make intelligence-based decisions in live situations, while also enabling in-depth investigation of historical activity.

Darktrace Industrial passively ingests network data via a SPAN port or network tap. Because it only receives a copy of the traffic and injects nothing onto the network, it can monitor industrial networks with no disruption to the normal functioning of ICS operations, including industrial plants and machinery.


  • Unprecedented visibility into ICS activity
  • Protects against insider threat, including operators and privileged users
  • Detects threats in real time
  • Coverage of both IT and OT environments
  • Correlates actions over time, for refined understanding of ‘normal’
“Darktrace has already identified threats with the potential to disrupt our networks. It helps us stay ahead of emergent threats and better defend our key systems.”
Martin Sloan, Group Head of Security, Drax
Darktrace Industrial is specifically adapted to protect operational technologies.

‘Immune System’ Cyber Security for SCADA Systems

by Simon Fellows, Technical Director, Darktrace

This Engineering and Technology Reference report provides detailed technical insight into how Darktrace works across operational technology environments and in SCADA systems.


Darktrace Antigena

The machine fights back

When the human immune system is faced with a new threat, not only can it detect it, but it produces antibodies that bind to it, and ultimately neutralize it. Darktrace Antigena replicates this function of the human immune system, by creating ‘digital antibodies’ in response to in-progress threats.

Darktrace Antigena acts automatically to restrain or contain threats quickly enough for humans to catch up. A major threat such as a ransomware attack could escalate into a crisis in as little as 20 minutes; Darktrace Antigena’s automated action slows or stops threats in a targeted fashion, giving security teams a vital window in which to take mitigating action.

Darktrace Antigena’s autonomous response capability allows organizations to fight back directly, and networks to self-defend against specific threats, without disrupting the business.


Darktrace Antigena is capable of taking a range of measured, automated actions in the face of confirmed cyber-threats detected in real time by Darktrace. Because Darktrace understands the ‘pattern of life’ of users, devices, and networks, Darktrace Antigena is able to take action in a highly targeted manner, mitigating threats while avoiding over-reactions.

Darktrace Antigena works by automatically creating digital antibodies for specific features found in previously unseen cyber-threats. Once Darktrace has identified a potential threat, Darktrace Antigena has the ability to take a variety of actions, depending on the severity of the anomalous activity. It can:

  • Stop or slow down activity related to a specific threat
  • Quarantine or semi-quarantine people, systems, or devices
  • Mark specific pieces of content, such as email, for further investigation or tracking

Without disrupting business operations or damaging productivity, Darktrace Antigena essentially enforces the ‘pattern of life’ that Darktrace has learned, without restricting people unnecessarily. It gives security teams time to respond to dangerous cyber-threats as they emerge.

“Antigena represents an important step in behavior analytics evolving to an active defense that traditional systems cannot match.”
Eric Ogren, Senior Security Analyst, 451 Research


  • Takes automated, measured, and targeted action
  • Responds faster than any security team can
  • Human confirmation mode
  • No rules, no signatures
  • Fully configurable
  • Does not disrupt day-to-day activity

Darktrace vSensors

Darktrace vSensors are lightweight software components that extend Darktrace’s visibility into virtualized environments, giving the Enterprise Immune System comprehensive visibility of today’s distributed infrastructures.

vSensor software is installed as a ‘virtual appliance’ configured to receive a SPAN from the virtual network switch. This lets it capture all inter-VM traffic, including traffic that never leaves the hypervisor and so would be invisible to a physical SPAN or TAP, without packets being lost or dropped by the system. It stores packet captures on a rolling basis, managing disk space and I/O so that the impact on the host server’s performance is minimal. Only one vSensor needs to be installed per hardware server, which allows the deployment to scale.


The vSensor extracts only the relevant metadata using the Darkflow system and forwards approximately 1% of the volume of the raw traffic ingested to the master appliance, efficiently and securely, wherever that appliance sits on the physical network.

Darktrace vSensors are distributed in industry-standard formats as a virtual (software) appliance. They have been developed for VMware ESXi and any other virtualized environment that supports the Open Virtualization Format (OVF).

Darktrace is the first company to be able to offer real-time visibility of all virtualized network traffic.


  • Ingests virtual traffic from a limited set of IPs
  • Sends data efficiently and securely to the Darktrace master appliance
  • Sends approximately 1% of the original raw network data ingested to the master appliance
  • Works with third-party clouds
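To make concrete what ‘extracting only the relevant metadata’ and ‘approximately 1% of the raw traffic’ mean in practice, here is an added, generic flow-summarisation example written for this page. It is not Darktrace’s Darkflow code: it parses raw Ethernet/IPv4 frames with TCP or UDP, keeps only the flow 5-tuple plus packet and byte counts, and measures the resulting data reduction. The frames are constructed inline (with checksums left at zero) and the addresses, ports and payload sizes are assumptions.

```python
"""Added illustration of what 'metadata only' sensing means: parse raw
Ethernet/IPv4/TCP-or-UDP frames, keep just the flow 5-tuple plus packet and
byte counts, and measure how much smaller that is than the captured bytes.
This is a generic flow-summarisation toy, not Darktrace's Darkflow code."""
import json
import socket
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}


def build_frame(src_ip, dst_ip, sport, dport, proto, payload):
    """Constructed test frames only; IP/TCP/UDP checksums are left at zero."""
    if proto == 6:   # TCP: ports, seq, ack, data offset 5 words, PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    else:            # UDP: ports, length, csum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ETH_IPV4)
    return eth + ip + l4 + payload


def parse_frame(frame):
    """Return the flow-relevant metadata of one frame, or None if it is not IPv4 TCP/UDP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    if ver_ihl >> 4 != 4 or proto not in PROTO_NAMES:
        return None
    ihl = (ver_ihl & 0x0F) * 4            # honour IP options if present
    l4 = frame[14 + ihl:14 + ihl + 4]
    if len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4)
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": PROTO_NAMES[proto],
            "bytes": len(frame)}


def summarise(frames):
    """Collapse frames into per-flow records; only these records would leave the sensor."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    raw_bytes = 0
    for frame in frames:
        raw_bytes += len(frame)
        meta = parse_frame(frame)
        if meta is None:
            continue                        # payloads and unknown protocols are never kept
        key = (meta["src"], meta["dst"], meta["sport"], meta["dport"], meta["proto"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += meta["bytes"]
    records = [dict(zip(("src", "dst", "sport", "dport", "proto"), k), **v)
               for k, v in flows.items()]
    meta_bytes = len(json.dumps(records).encode())
    return records, raw_bytes, meta_bytes


def demo():
    """Constructed traffic: three full-size packets of one TLS upload, one DNS query,
    and one IPv6 frame that this IPv4-only toy deliberately ignores."""
    frames = [build_frame("10.1.4.17", "203.0.113.9", 51000, 443, 6, b"A" * 1400) for _ in range(3)]
    frames.append(build_frame("10.1.4.17", "10.1.0.2", 53123, 53, 17, b"\x00" * 40))
    frames.append(bytes(12) + struct.pack("!H", 0x86DD) + bytes(40))
    return summarise(frames)


if __name__ == "__main__":
    records, raw, meta = demo()
    print(f"{len(records)} flows, {raw} raw bytes -> {meta} metadata bytes ({100 * meta / raw:.1f}%)")
    for r in records:
        print(r)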

Darktrace OS-Sensors

Darktrace OS-Sensors are lightweight, host-based server agents that extend Darktrace’s visibility into third-party cloud environments, including Amazon AWS, Rackspace, and Microsoft Azure.

OS-Sensors intelligently extract single copies of network traffic for analysis by the master Darktrace appliance. They are easily installed onto virtual machines in the cloud and can configure themselves dynamically to avoid data duplication and economize on bandwidth. Working in conjunction with vSensors, they aggregate data and feed it back to the master appliance over a secure connection.

Darktrace OS-Sensors are fully configurable, allowing organizations to see all or selected cloud traffic, without requiring access to the hypervisor and with minimal performance impact.

Available for Linux and Windows, Darktrace OS-Sensors are robust and resilient, allowing organizations to enhance visibility and deliver Enterprise Immune System monitoring to cloud environments, wherever they are hosted.


  • Complete visibility of third-party clouds
  • Fully configurable – you choose cloud traffic that you want to monitor
  • Lightweight and non-intrusive – easily installed onto virtual machines, without requiring access to the physical server
  • Dynamic configuration – creates only single copies of network traffic, no data duplication


Cloud Connectors

Extending self-learning cyber defense to the cloud

Darktrace Cloud Connectors let companies extend Darktrace’s visibility and detection capabilities to cloud services, so that anomalous behaviors can be detected beyond the physical enterprise network and into cloud environments, extending the Enterprise Immune System’s defense accordingly.

Anomalous behaviors pertaining to activity within cloud applications may be detected irrespective of login location, allowing security operators to integrate their insights and threat detection capability across the multiple parts of their infrastructure. Darktrace Cloud Connectors provide coverage of these rich datasets, such as user logins, data uploads and data transfers, helping to better defend the full extent of your infrastructure.

Darktrace Cloud Connectors are available for major providers including AWS, Salesforce.com, Box.com, G Suite, Dropbox and Microsoft Office 365.



  • Complete visibility of user interactions within cloud applications
  • Easy install — less than an hour
  • Early-stage threat detection

Output Connectors

Integrating Darktrace into your existing infrastructure

There are a number of methods by which Darktrace can interact and integrate with an organization’s existing security infrastructure. The Enterprise Immune System can be integrated with SIEM dashboards, SOC environments or any other downstream ticketing and alerting tool, allowing security teams to adopt Darktrace without changing existing business processes and working practices.

Darktrace is compatible with all major SIEMs that support the industry-standard Common Event Format (CEF) and Log Event Extended Format (LEEF). These include providers such as ArcSight, LogRhythm, QRadar and Splunk. Darktrace can also be configured to trigger alerts when the most serious threats are detected.

While SIEMs can use threat intelligence and correlation for some known threat detection, Darktrace can detect a much broader range of threats, both internal and external, and does not rely on rules or signatures, thus enhancing existing tools.

Darktrace can also support a range of deployment strategies for different Security Operations Center (SOC) environments, from continuous monitoring and alerting, to dedicated threat hunting. Darktrace models, as defined in the Threat Visualizer, define the conditions under which Darktrace will notify an operator of an event. These events are surfaced within the Darktrace Threat Visualizer but may also be issued to external systems or be actively queried via the Darktrace API.
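For the SIEM integration described above, the piece a practitioner usually has to write is the receiving side: a parser that turns CEF and LEEF lines into one normalised event and applies a severity policy so that only the most serious events page someone. The following is an added example written for this page, not Darktrace’s code or its documented output schema. The sample lines are constructed, and the vendor/product strings, signature IDs, extension keys and the textual-severity mapping are all hypothetical; only the CEF and LEEF framing rules (pipe-separated headers with backslash escapes, space-separated CEF extensions, tab- or header-declared LEEF delimiters) are the real formats.

```python
"""Added example (not Darktrace's code): parse CEF and LEEF lines into one
normalised event and route them by severity. The sample lines are constructed;
vendor/product strings, signature IDs and extension keys are hypothetical."""
import re

CEF_HEADER = ("cef_version", "vendor", "product", "device_version",
              "signature_id", "name", "severity")
LEEF_HEADER = ("leef_version", "vendor", "product", "device_version", "event_id")
CEF_WORDS = {"low": 3, "medium": 5, "high": 7, "very-high": 9}   # assumed mapping

SAMPLE_LINES = [
    # constructed CEF line: syslog prefix, escaped pipe in the header, escaped '=' in a value
    r"<134>Sep 21 10:14:02 probe CEF:0|Darktrace|Enterprise Immune System|3.0|1001|"
    r"Anomalous Upload \| Rare Endpoint|8|src=10.1.4.17 dst=203.0.113.9 suser=jsmith "
    r"cs1Label=Model cs1=score\=0.93 msg=Unusual upload to rare endpoint",
    # constructed LEEF 1.0 line: attributes are tab-separated
    "LEEF:1.0|Darktrace|Enterprise Immune System|3.0|2002|src=10.1.4.17\tdst=203.0.113.9\tsev=4\tusrName=jsmith",
    # constructed LEEF 2.0 line: the delimiter is declared in the header
    "LEEF:2.0|Darktrace|Enterprise Immune System|3.0|2003|^|src=10.1.4.17^dst=198.51.100.7^sev=9",
]


def _split_header(text, maxsplit):
    """Split on unescaped '|'; the remainder after maxsplit pipes is the raw extension."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if len(parts) == maxsplit:               # extension: keep its own escapes intact
            buf.append(text[i:])
            break
        c = text[i]
        if c == "\\" and i + 1 < len(text):      # \| and \\ inside a header field
            buf.append(text[i + 1])
            i += 2
        elif c == "|":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    parts.append("".join(buf))
    if len(parts) != maxsplit + 1:
        raise ValueError("malformed header: %r" % text)
    return parts


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_kv(ext, delim):
    """key=value pairs separated by delim; values may contain delim (CEF uses a space)."""
    keys = list(re.finditer(r"(?:^|%s)([A-Za-z0-9_.]+)=" % re.escape(delim), ext))
    fields = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end])
    return fields


def _cef_severity(raw):
    raw = raw.strip()
    return int(raw) if raw.isdigit() else CEF_WORDS.get(raw.lower(), 0)


def parse_event(line):
    """Accept a bare or syslog-prefixed CEF/LEEF line and return a normalised dict."""
    for tag in ("CEF:", "LEEF:"):
        pos = line.find(tag)
        if pos < 0:
            continue
        body = line[pos + len(tag):]
        if tag == "CEF:":
            parts = _split_header(body, 7)
            header = dict(zip(CEF_HEADER, parts[:7]))
            return {"format": "cef", "vendor": header["vendor"], "product": header["product"],
                    "event_id": header["signature_id"], "name": header["name"],
                    "severity": _cef_severity(header["severity"]),
                    "fields": _parse_kv(parts[7], " ")}
        if body.split("|", 1)[0].startswith("2"):   # LEEF 2.0 declares its delimiter
            parts = _split_header(body, 6)
            d = parts[5]
            delim = chr(int(d[1:], 16)) if d.startswith("x") and len(d) > 1 else (d or "\t")
        else:                                        # LEEF 1.0 always uses a tab
            parts = _split_header(body, 5)
            delim = "\t"
        header = dict(zip(LEEF_HEADER, parts[:5]))
        fields = _parse_kv(parts[-1], delim)
        return {"format": "leef", "vendor": header["vendor"], "product": header["product"],
                "event_id": header["event_id"], "name": header["event_id"],
                "severity": int(fields.get("sev", "0") or 0), "fields": fields}
    raise ValueError("not a CEF or LEEF line")


def route(event):
    """Hypothetical SOC policy: page on the most serious, ticket the rest, log the noise."""
    if event["severity"] >= 8:
        return "page"
    if event["severity"] >= 5:
        return "ticket"
    return "log"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_event(line)
        print(ev["format"], ev["event_id"], ev["severity"], route(ev), ev["fields"])
```

The escape handling is the part that bites in production: a naive `split("|")` breaks on the first model name containing a pipe, and a naive `split(" ")` on the first free-text `msg=` value, so a forwarder that is not tested against escaped input silently loses or mislabels exactly the high-value alerts.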