Darktrace Self-Learning Cyber Defense

Darktrace deals with breach identification, breach remediation and insider threats by automatically alerting you to anomalies within your environment and allowing you to play events back through a threat visualiser.

Identifying a breach can take a very long time - one study measured this as an average of 146 days! Once a breach is identified, you then need additional time to discover what the attacker or insider has compromised and what damage has been done. Attackers often move through an environment to give themselves multiple points of re-entry in case one is detected, and to gain access to more data and accounts.

It’s often very difficult to cut through the noise that event management and SIEM technologies create to get the information you need.

Darktrace automates breach identification and remediation through network analysis and machine learning. The tool learns what normal user and machine behaviour looks like and then alerts your team (or the SSS team) to any anomalies within your environment. In addition, it allows your team (or ours) to play the event back through a visualiser that shows the threat on a 3D view of your network topology.


Below is a summary of the six core elements of the Darktrace solution set:


1. Darktrace Core

A physical appliance, similar to a SIEM or TRIM solution, that cuts down much of the 'noise' that customers would otherwise have to pay attention to.

Darktrace (Core) is the Enterprise Immune System’s flagship threat detection and defense capability, based on unsupervised machine learning and probabilistic mathematics.

Powered by advanced machine learning, together with a new branch of Bayesian probability theory developed by mathematicians from the University of Cambridge, Darktrace is the only genuinely self-learning cyber defense technology proven to work at scale. It is capable of detecting cyber-threats and anomalous behaviors that bypass traditional security tools, without prior knowledge of specific threats and without rules or signatures.

Darktrace works by analyzing raw network data, creating unique behavioral models for every user and device, and for the relationships between them.


    Adaptive – evolves with your organization

    Self-learning – constantly refines its understanding of normal

    Probabilistic – works out likelihood of serious threat

    Real-time – spots threats as they emerge

    Works from day one – delivers instant value

    Low false positives – correlation of weak indicators

    Data agnostic – ingests all data sources

    Highly accurate – models human, device and enterprise behaviour

    Installs in 1 hour – no configuration


2. Darktrace Threat Visualizer

The Threat Visualizer is Darktrace’s real-time, 3D threat notification interface. As well as displaying threat alerts, the Threat Visualizer provides a graphical overview of the day-to-day activity of your network(s), which is easy to use, and accessible for both security specialists and business executives.

Using cutting-edge visualisation techniques, the Threat Visualizer user interface automatically alerts analysts to significant incidents and threats within their environments, enabling analysts to proactively investigate specific areas of the infrastructure.


    3D visualisation of entire network topology

    Real-time global overview of enterprise threat level

    Intelligently clusters anomalies

    Pan-spectrum viewing – higher-order network topology; specific clusters, subnets, and host events

    Searchable logs and events

    Replay of historical data

    Concise summary of overall behaviour for device and external IPs

    Designed for business executives and security analysts


3. Darktrace ICS

Industrial Control Systems & SCADA

Darktrace ICS, also known as the Industrial Immune System, implements a real-time 'immune system' for operational technologies, such as SCADA, and enables a fundamental shift in the approach to cyber defense.

Darktrace ICS retains all of the capabilities of Darktrace in the corporate environment, creating a unique behavioural understanding of 'self' for each user and device within the network, and detecting threats that cannot be defined in advance by identifying even subtle shifts in expected behaviour.


    Unprecedented visibility into ICS activity

    Protects against insider threat, including operators and privileged users

    Detects threats in real time

    Coverage of both IT and OT environments

    Correlates actions over time, for refined understanding of ‘normal’


4. Darktrace Antigena - their remediation and protection module

The machine fights back

When the human immune system is faced with a new threat, not only can it detect it, but it produces antibodies that bind to it, and ultimately neutralise it. Darktrace Antigena replicates this function of the human immune system, by creating ‘digital antibodies’ in response to in-progress threats.

Antigena acts automatically to restrain or contain threats quickly enough to allow humans to catch up. A major threat, such as a ransomware attack, can evolve into a crisis in as little as 20 minutes – Antigena's automated action slows or stops threats in a targeted fashion, providing security teams with a vital time window in which to take mitigating action.

Antigena’s response capability allows organisations to directly fight back, and networks to self-defend against specific threats, without disrupting your organisation.

Darktrace Antigena modules are deployed as physical appliances, complementing the core Darktrace appliance. They can also interface with Software Defined Networks (SDNs) and Active Directory, and are fully configurable.

    Antigena Internet – Regulates user and machine access to the internet and beyond

    Antigena Network – Regulates machine and network connectivity and user access permissions

    Antigena Email – Regulates email, chat and other messaging protocols



    Directly inoculates against a full range of threats

    Prevents, slows, or disrupts activity in real time

    Self-defends and self-improves

    Stops threats before they spread


5. Darktrace Virtualization (vSensor & OS-Sensor)

Darktrace vSensors

Darktrace vSensors are lightweight software components that extend Darktrace's visibility into virtualized environments. They provide the Enterprise Immune System with comprehensive visibility of today's distributed infrastructures.

vSensor software is installed as a ‘virtual appliance’ configured to receive a SPAN from the virtual network switch. This allows it to capture all inter-VM traffic, without a single packet being lost or dropped by the system. It stores the packet captures on a rolling basis, optimising the disk space and I/O performance and ensuring that there is minimal impact on the performance of the server. Only one vSensor needs to be installed on each hardware server, allowing for scalability.


Darktrace OS-Sensors

Darktrace OS-Sensors are lightweight, host-based server agents that extend Darktrace’s visibility into third-party cloud environments, including Amazon AWS, Rackspace, and Microsoft Azure.

OS-Sensors intelligently extract single copies of network traffic for analysis by the master Darktrace appliance. They are easily installed onto virtual machines in the cloud and are capable of dynamically configuring themselves to avoid data duplication and streamline bandwidth use. Working in conjunction with vSensors, they aggregate data and feed it back to the master appliance via a secure connection.



    Ingests virtual traffic from a limited set of IPs

    Sends data efficiently and securely to the Darktrace master appliance

    Sends approximately 1% of the original raw network data ingested to the master appliance

    Works with third-party clouds


6. Darktrace SaaS Connectors

Extending self-learning detection to rich user data in SaaS platforms

As organisations embrace cloud applications, significant blind spots have developed beyond the traditional enterprise network. Valuable enterprise data and rich user interactions within SaaS applications contain critical security insights, but are not always accessible to IT security teams.

Darktrace SaaS Connectors provide coverage of these rich datasets, extending the power of Enterprise Immune System technology into previously-unseen areas of your infrastructure, including:

    User logins

    Data transfers

    Download data

    Software updates



    Complete visibility of user interactions within SaaS applications

    Easy install – less than an hour

    Early-stage threat detection