Darktrace

Learns what ‘self’ is — and detects new emerging threats

Darktrace is the de facto solution for cyber threat defense, which, for the first time, implements new, unsupervised machine learning and probabilistic mathematics that have been proven to address the true challenge of cyber security – detecting and defending against emerging threats within the network, irrespective of their type or origin.

Used by organizations of all sizes, from small businesses through to large corporations, Darktrace is a software platform that allows for the detection and investigation of the most subtle cyber-threats from within the network, without any rules or signatures.

Powered by machine learning and a novel branch of Bayesian probability theory developed by specialists from the University of Cambridge, Darktrace’s Enterprise Immune System technology is the only cyber defense technology capable of detecting anomalous behaviors within large and complex environments without any prior knowledge of what it is looking for.

With total visibility into network activity, Darktrace is uniquely capable of not only identifying but also classifying threats in real time. Darktrace creates unique behavioral models for every user and device, and for the enterprise as a whole, by correlating many weak indicators and subtle changes in information that would otherwise go unnoticed in the noise of a busy network. Using these models, Darktrace’s technology is able to rapidly piece together a compelling picture of genuine emerging threat activity without producing floods of false positives.

Darktrace is the first fully-scalable cyber defense technology that applies the immune system approach. It is proven to find anomalies that bypass all other legacy security tools, allowing organizations to proactively and pragmatically manage serious cyber risk before damage is done.

  • Powered by unsupervised machine learning and Bayesian mathematics
  • Learns normal and abnormal behavior in real time and detects emerging anomalies
  • Auto-classification of threats, supporting workflow and collaboration
  • Complete analysis and visibility of 100% of network traffic
  • Protects against internal and external cyber attacks
  • No rules, no signatures, no assumptions
Request our Enterprise Immune System White Paper
“Darktrace detects threats without having to define the activity in advance.”
Michael Sherwood, CIO, City of Las Vegas

Darktrace Threat Visualizer

Shine a light into your network

Darktrace’s Threat Visualizer leverages the Enterprise Immune System technology to represent global enterprise network activity in a manner that is designed for use by both C-level executives and threat analysts. In the increasingly complex threat landscape, the Threat Visualizer will use the underlying Bayesian algorithms to dynamically identify threats that are genuinely anomalous so that organizations can focus attention and expertise appropriately.

The Threat Visualizer allows you to see what is happening in your enterprise globally, visually representing all network activity and connections, both external and internal, between all machines and users. It works at both a high level, flagging diverse threats and anomalies for the analyst’s attention, and at a more granular level, allowing you to drill down and view specific clusters of activity, subnets and host events.

  • Unique global view of enterprise
  • Flexible dashboard
  • Designed for both C-level executives and threat analysts
  • Real-time global threat mapping
  • Ability to replay historical data
  • Underlying logic is discoverable
  • Create and manage custom models
“The Threat Visualizer is so impressive. The functionality, speed and visuals are like nothing else I’ve ever seen.”
Albert Marsden, IT Director, Bassadone Automotive Group

Darktrace Antigena

Self-learns, self-defends – in real time

Darktrace Antigena is an active, self-defense product that extends Darktrace’s core power of detection, acting as digital antibodies within the Enterprise Immune System.

As the human immune system produces antibodies to identify and neutralize potential threats, Darktrace’s Enterprise Immune System technology produces an Antigena response to automatically defend against potential threats in real time.

As such, Darktrace Antigena is a unique product, complementing Darktrace’s core detection capability. It allows critical, mitigating action to be taken, without human intervention – and faster than any security team can respond. Depending on the severity of the anomalous activity detected by Darktrace, these responses could involve:

  • Stopping or slowing down activity related to a specific threat
  • Quarantining people, systems or devices
  • Marking specific pieces of content for further investigation or tracking

Action taken by Darktrace is highly targeted, thanks to the unique ability of the Enterprise Immune System to detect genuine threats, without false positives. Darktrace Antigena simply enforces the normal ‘pattern of life’ of a device or user, without causing unnecessary and disruptive side-effects on business operations.

Darktrace Antigena is uniquely capable of:

  • Directly inoculating against a full range of threats
  • Preventing, slowing or disrupting activity in real time
  • Self-improving
  • Stopping threats before they spread

Antigena is available in three modules:

  • Antigena Internet — regulates user and machine access to the internet and beyond
  • Antigena Communication — regulates email, chat and other messaging protocols
  • Antigena Network — regulates machine and network connectivity, and user access permissions

Darktrace Antigena modules are deployed as physical appliances, complementing the core Enterprise Immune System appliance. They can also interface with Software Defined Networks (SDN) and Active Directory, and are fully configurable.

Benefits

  • Respond to threats faster than any security team can
  • Take targeted action
  • No rules; no signatures
  • Does not disrupt day-to-day business
  • Frees up resources and people
Request our Antigena Product Overview Data Sheet
“We believe Antigena represents an important step in behavior analytics evolving to an active defense that traditional systems cannot match.”
Eric Ogren, Senior Security Analyst, 451 Research

Industrial Immune System

Protect your IT & OT networks, together

Industrial Control Systems (ICS) are indispensable for critical national infrastructures, from energy and water supplies to transportation networks and manufacturing plants. Historically, these systems have been ‘air-gapped’, protected from outside attacks by being physically isolated from the corporate enterprise network.

The IT and Operational Technology (OT) systems are converging, however, driven by the economic pressures of globalization and the competitive advantages that stem from the integration of these disciplines, such as cost reduction through remote management and business optimization using data transferred between IT and OT environments.

This convergence comes at the cost of increasing vulnerability to the kinds of cyber attacks more commonly found in IT environments. Examples such as the Stuxnet virus and the hack of a German steel mill in 2014 show the extent of the possible damage that such attacks can cause.

Darktrace’s Industrial Immune System for ICS is a fundamental innovation that implements a real-time “immune system” for operational technologies, using groundbreaking advances in Bayesian probability theory to create an understanding of the normal behavior of users and devices within the ICS, allowing organizations to detect emerging threats without having to define in advance what the threat might be, and to respond to them before a crisis occurs.

  • Real-time threat detection for Industrial Control Systems (ICS)
  • Powered by machine learning and Bayesian mathematics
  • Learns normal and abnormal behavior for users and devices
  • Protects against internal and external cyber attacks
“Darktrace helps us stay ahead of emerging threats and better defend our key systems.”
Martin Sloan, Group Head of Security, Drax
Request our Industrial Control Systems White Paper

‘Immune System’ Cyber Security for SCADA Systems

by Simon Fellows, Technical Director, Darktrace

This Engineering and Technology Reference report provides detailed technical insight into how Darktrace works across operational technology environments and in SCADA systems.

Request this report

What Darktrace Finds

Darktrace finds anomalies that bypass other security tools, due to the Enterprise Immune System's unique ability to detect threats without reliance on rules, signatures or any prior knowledge of what it is looking for.

Download the Data Sheet: What Darktrace Finds
“Darktrace’s Enterprise Immune System can detect threats that no other security tool would find.”
Will Bailey, Director of IT, Catholic Charities of Santa Clara County

Remote access attack linked to dangerous malware

Darktrace identified an attack on the company's corporate network using a RAT (Remote Access Tool). This appeared to be the result of activity relating to a well-known botnet, an infrastructure formed of infected computers which the attacker controls over the internet. The media reported this botnet to have been controlled by a cyber-crime group in Eastern Europe. The attackers hire out the botnet for a variety of malicious activities, including harvesting credit card details, stealing confidential corporate data and running email attacks.

This particular variant of the virus had adapted itself to avoid being detected by sandboxing defenses, as well as hiding some of its operating processes to avoid host-based security tools and anti-virus. It is an extremely clever and dynamic form of malware, which uses complex algorithms to ensure that it is not detected by legacy security tools. Darktrace was able to find traces of its presence by comparing these computers' behaviors over time.

Anomalous data transfer

Darktrace observed that a company machine was making anomalous internet connections to one IP address using the often-abused Adobe Flash software. Suspiciously, there was no evidence of this IP being resolved through DNS and the connections contained command names in the HTTP GET requests. This appeared to be a covert method of communication that an attacker had initiated, using a channel that had travelled unhindered through the company's firewall and other border defenses. Further investigation revealed this to be a malware infection.

Illegitimate access to database server

Darktrace identified that one of the company's database servers was repeatedly allowing unencrypted connections from various internet locations. These machines were using a range of IP addresses allocated to a telecoms company in the Far East. Darktrace's processing of these connections suggested that the data being transferred was financial information. Attackers often target database servers for the high-value information that they hold. The direct, unencrypted communications from the internet to this server observed by Darktrace were extremely risky. The potential for leaking or changing vital financial information through this server represented a serious risk to the company's operations and reputation.

Unauthorized use of administrator credentials

Darktrace observed that a privileged user credential was repeatedly logging in to the company network at unusual times. This activity began in the early hours of the morning and finished at around midday. Given that this user normally only logged in during the working day, this represented anomalous behavior and constituted a serious threat to the company's security: system administrators have the most privileged level of access to company networks and data, and an attacker exploiting these credentials may have taken advantage of that access.

Fast travel indicating password compromise

The Darktrace Enterprise Immune System observed that one user's credentials were used simultaneously from two locations in Europe and East Asia. While the user may have been working remotely, this activity also suggested that the user's password may have been compromised and was being used illegitimately by a third party, perhaps even from outside the company.
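The 'fast travel' check described above, written out as an added example (not Darktrace code): consecutive logins of one credential are compared by the speed needed to travel between their source locations. The IP-to-location table and the login events are constructed, and the 900 km/h ceiling is an assumption.

```python
"""Flag a credential used from two places too far apart for the time between logins.
Added example, not Darktrace code. The IP-to-location table and the login events are
constructed, and the 900 km/h ceiling (roughly airliner speed) is an assumption; a
VPN or remote-working user can trip it, so the alert is a lead, not a verdict."""
from datetime import datetime
import math

# Constructed geolocation table: IP -> (latitude, longitude, label)
GEO = {
    "203.0.113.10": (51.5074, -0.1278, "London"),
    "198.51.100.7": (35.6762, 139.6503, "Tokyo"),
    "192.0.2.44": (51.4545, -2.5879, "Bristol"),
}

def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def fast_travel(events, max_kmh=900.0):
    """events: (user, ISO timestamp, source IP). Returns alerts for consecutive logins
    of one credential whose implied travel speed exceeds max_kmh."""
    by_user = {}
    for user, ts, ip in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), ip))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            if ip1 == ip2 or ip1 not in GEO or ip2 not in GEO:
                continue  # same place, or no location known: nothing to compare
            km = haversine_km(GEO[ip1][:2], GEO[ip2][:2])
            hours = (t2 - t1).total_seconds() / 3600
            # simultaneous use from different places is impossible travel by definition
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append((user, GEO[ip1][2], GEO[ip2][2], round(km), round(hours, 2)))
    return alerts

# Constructed login events: alice's credential appears in Tokyo 20 minutes after London
SAMPLE_EVENTS = [
    ("alice", "2016-03-01T09:00:00", "203.0.113.10"),
    ("alice", "2016-03-01T09:20:00", "198.51.100.7"),
    ("bob", "2016-03-01T08:00:00", "203.0.113.10"),
    ("bob", "2016-03-01T10:30:00", "192.0.2.44"),  # London to Bristol in 2.5 h is plausible
]

if __name__ == "__main__":
    for alert in fast_travel(SAMPLE_EVENTS):
        print(alert)
```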

Connections to website linked to Advanced Persistent Threats

One of the company's devices made repeated connections to servers that have been linked to Advanced Persistent Threat (APT) groups in countries in the Far East. The user was redirected from a popular social networking website through a chain of suspicious websites, while apparently viewing a compromised video. Darktrace's detection of this suspicious activity allowed the company to effectively remediate against an emerging anomaly that threatened to leak their intellectual property to foreign competitors.

Infection with ransomware

Darktrace detected multiple indicators of suspicious behavior on one of the organization’s machines. One user was browsing a popular news website in the early hours of the morning when a suspicious search bar attached itself to the user’s browser. This was probably a result of the user clicking on malicious advertising content on the page. The machine then manipulated the user’s search results in the background, probably in an attempt to generate click-through revenue.

After clicking on one of these malicious links, the user was subsequently directed to a suspicious website where it made a number of further downloads. Detailed analysis revealed that the website had been registered one day prior to this activity, using apparently false details: the telephone number provided was Russian, but the address was US-based.

This activity exhibited the signs of infection with a well-known form of ransomware, a type of malware that encrypts the user’s files, making them unreadable, and extorts a charge to the user for unlocking them. This posed a clear risk to the integrity of the company’s data and its continued business operations. Darktrace observed that the malware had already iterated through a number of internal files containing photographs, meeting details and reports on product testing.

Domain Generation Algorithm

Darktrace detected that several of a company's devices were behaving in the same anomalous manner. The devices attempted over 1,000 connections in a short period of time with randomly-generated domain names, indicating the use of a 'Domain Generation Algorithm'. This is a method commonly used by attackers to move their servers across a number of domain names, making them difficult to pinpoint by security staff, and allowing the attacker to evade detection.

Malicious web drive-by

One of the company's users was subjected to a malicious 'drive-by' attack while browsing a legitimate website about blues music. Unbeknown to the user, the machine redirected to a separate site that had recently been registered in California. Detailed analysis revealed that the domain name looked suspicious, as part of it appeared to contain another domain name in a disguised form. Subsequently, the machine also redirected to several further sites. Darktrace determined that this was unlikely to have been user behavior and suggested that malware was already installed on the device.

Port-scanning for internal company resources

The Darktrace Enterprise Immune System observed that one of the company's machines was port-scanning the internal network, apparently to establish which machines were running a particular service. The machine involved was an Apple product, but was claiming to use an old version of the Windows operating system, which appeared suspicious. The port-scanning activity was also anomalous based on this machine's normal pattern of life, and suggested that an attacker was attempting to perform reconnaissance on the network before further exploitation.

Use of 'Tor' anonymizing network

Darktrace identified one of the company's machines connecting to the internet over the 'Tor' network, which anonymizes and encrypts connections, providing the user with complete privacy and anonymity. Darktrace was able to bring this clear breach of company policy to the attention of the organization.

Peer-to-peer connections with the Far East

One of the company's devices was detected establishing a type of 'peer-to-peer' internet connection with servers in the Far East, occurring on three consecutive days. The machine then sent information over this obscured channel. This activity was unusual compared with the machine's normal behavior, and clearly represented a risk to the company's security. The use of this peer-to-peer connection had gone unnoticed, meaning that the company would not be aware that a third party was exfiltrating company data unobserved.

Bitcoin mining

Darktrace alerted the organization about unusual connections on one of the company's machines; the machine was observed regularly mining for the virtual currency Bitcoin. This involved the machine sharing its computing power with a third party, in an attempt to generate new Bitcoins. The machine appeared to be part of a botnet, a network of multiple computers all controlled by one attacker who stood to gain by abusing the company's resources.

Attempted connections to non-existent domain names

Darktrace detected a malware infection on three of the company's devices, due to unusual behavior exhibited by the devices over a period of time. The machines were requesting a large number of non-existent domain names from an external DNS server, a process that, in this case, was used to hide malicious traffic. The company also had no record of the purpose of one of the machines, which was highly suspicious and possibly indicative of an insider threat.
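Both the Domain Generation Algorithm case and the non-existent domain name case above rest on the same DNS symptoms: one device querying an unusual number of distinct names in a short window, names that mostly do not resolve, and names that look random. The following added example (not Darktrace code) scores constructed DNS log lines on those three signals; the log format, the seeded sample data and all thresholds are assumptions.

```python
"""Flag devices whose DNS activity looks like a Domain Generation Algorithm (DGA).
Added example, not Darktrace code. The log format, the seeded sample data and every
threshold below are assumptions; the page gives only the symptom (over a thousand
random-looking or non-existent names in a short period)."""
from collections import defaultdict
from datetime import datetime, timedelta
import math
import random

def make_sample_log():
    """Constructed DNS log lines: '<ISO time> <device> <query name> <rcode>'."""
    rng = random.Random(7)  # seeded so the sample is reproducible
    t0 = datetime(2016, 3, 1, 2, 0, 0)
    lines = []
    # device-a: 60 random 14-letter .com names in ten minutes, almost all NXDOMAIN
    for i in range(60):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(14))
        rcode = "NOERROR" if i % 20 == 0 else "NXDOMAIN"
        lines.append(f"{(t0 + timedelta(seconds=10 * i)).isoformat()} device-a {label}.com {rcode}")
    # device-b: ordinary browsing, a handful of names that all resolve
    for i, name in enumerate(["www.example.com", "mail.example.com", "cdn.example.net", "example.org"]):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} device-b {name} NOERROR")
    return lines

def shannon_entropy(s):
    """Bits per character; random labels score well above dictionary words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def second_level_label(qname):
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def detect_dga(lines, window=timedelta(minutes=10), min_domains=50,
               nx_ratio=0.5, min_entropy=3.3):
    """Return {device: evidence} for devices that query many distinct names inside
    one window where the names are mostly non-existent or random-looking."""
    events = defaultdict(list)
    for line in lines:
        ts, device, qname, rcode = line.split()
        events[device].append((datetime.fromisoformat(ts), qname, rcode))
    flagged = {}
    for device, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            domains = {q for _, q, _ in win}
            if len(domains) < min_domains:
                continue
            nx = sum(1 for _, _, r in win if r == "NXDOMAIN") / len(win)
            ent = sum(shannon_entropy(second_level_label(q)) for q in domains) / len(domains)
            if nx >= nx_ratio or ent >= min_entropy:
                flagged[device] = {"distinct_domains": len(domains),
                                   "nxdomain_ratio": round(nx, 2), "mean_entropy": round(ent, 2)}
                break
    return flagged
```

The thresholds are deliberately low so the 60-query sample trips them; against real traffic they would be set per device from its own baseline, which is the 'pattern of life' idea the page describes.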

Anomalous internal file transfers

Darktrace observed that one of the company's computers, located in the US, downloaded an anomalously large amount of data — up to 1GB of information. This data came from one of the company's shared folders. The behavioral model created for this machine showed that it often downloaded data in this way, but never in such large volumes. Detection of this anomaly allowed the company to take remedial action against an employee abusing their access rights.

Suspicious Java download

While a user browsed a website about electronics, the machine was redirected to another site, which prompted the download of a malicious piece of JavaScript. This is a commonly-abused means of injecting malicious content. Subsequent to this, the machine also downloaded a ‘.jar’ file (a Java archive file) in the background, which was then used by attackers to exploit the machine. Although this file is known to be malicious within the security community, the company's other defenses failed to prevent this attack.

Use of virtual Cyrillic keyboard

One of a company's devices was observed using a website that provides users with virtual Cyrillic keyboards. Darktrace observed this anomalous activity within the company's UK headquarters, which appeared suspicious, as it suggested that a remote attacker may have been attempting to change the keyboard in order to type commands in his own language.

Suspicious file download using XOR obfuscation

One of the company's machines was identified downloading a suspicious file from the internet into the company network. The file was in binary form but its contents were disguised using a form of obfuscation known as XOR, so its purpose was deliberately hidden. The website that provided the file has previously been known to have facilitated malware attacks. Darktrace automatically de-obfuscated the file and alerted the enterprise to the probable threat.

Risk from 'bring-your-own-device' (BYOD) policies

A user was observed downloading non-corporate email onto his personal iPhone whilst connected to the company's corporate network. As this type of email communication is unmonitored by corporate perimeter security tools, it exposes the company to spear-phishing attacks, where attackers pose as legitimate contacts or businesses in the hope of tricking users into clicking malicious links or attachments embedded in the email. Spear-phishing attacks are well known to have a high success rate and can deliberately target personal devices, which are often less well-defended. Given that the iPhone was connected to the corporate network, any successful phishing attack may have allowed attackers to jump from the iPhone onto corporate resources, putting system integrity and the company's reputation at risk.
