Darktrace's Self-Learning AI for operational technology
Darktrace DETECT + RESPOND/OT
Darktrace/OT uses Darktrace’s Self-Learning AI to detect and respond to cyber threats targeting industrial networks. Whether decades-old PLCs or the Industrial Internet of Things (IIoT), it learns ‘normal’ for every device in your ecosystem in order to spot known and unknown threats. The use of AI is crucial to handling the scale and complexity of real-world OT networks without placing huge burdens onto humans.
Darktrace DETECT™/OT
Self-Learning AI
Identifies assets
Specialized OT and hybrid IT/OT understanding
Detects abnormalities
Analyzes for risk and context
Conducts autonomous investigations at scale
Cyber AI Analyst
Darktrace RESPOND™/OT
Self-Learning AI
Autonomous Response
Configurable scope to respect operational requirements
Cyber AI Analyst
Responds to threats autonomously in seconds
Actively integrates with security stack
Supports human intervention in decision making

Darktrace DETECT™/OT
Understanding normal
Analyzing every connection, asking millions of questions.
Unusual activity inside a control system? Unusual one-time connections between devices [PLC, HMI,...]? Unusual reprogramming requests?
It starts with total visibility
Darktrace DETECT/OT gives you a top-down visualization of your entire OT environment.
Passive (or optional active) asset identification

Darktrace DETECT/OT passively catalogues IP-connected and non-IP ICS devices, creating a profile and full history of all devices seen on the network.
Each profile records IP addresses, first- and last-seen times and, where possible, MAC address and vendor, product family and model, firmware version and other device identity details.
Device types are categorised based on activity, and ‘tags’ can be used both automatically and manually to apply various kinds of additional information.
Optional active identification makes identity requests to OT devices using the specialized protocols and specific working ports that they have been passively observed to understand.
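To make the passive cataloguing concrete, the following is an added example (not Darktrace code) of how a sensor can fold observed flow records into device profiles with first/last-seen times, vendor from the MAC OUI, a role inferred from the ICS server ports a device answers on, and automatic tags derived from that activity. The OUI table, the port-to-role map and the flow records are constructed for the example; a real inventory would use the IEEE OUI registry and a much richer protocol dissector.

```python
"""Passive OT asset inventory built from observed flow records.

Added illustration of passive cataloguing; not Darktrace code. The OUI
table, port-to-role map and flow records are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed OUI table (first three octets of a MAC -> vendor). A real
# inventory would consult the IEEE OUI registry instead.
OUI_VENDORS = {
    "00:80:f4": "Schneider Electric",
    "00:0e:8c": "Siemens",
    "00:50:56": "VMware",
}

# Constructed mapping of ICS server ports to a coarse protocol role. A device
# accepting connections on one of these ports gets the "-server" role and the
# connecting device gets the matching "-client" role.
SERVER_PORT_ROLES = {
    502: "modbus",    # Modbus/TCP
    102: "s7comm",    # Siemens S7 over ISO-TSAP
    44818: "enip",    # EtherNet/IP explicit messaging
}


@dataclass
class Flow:
    ts: datetime
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass
class Device:
    ip: str
    mac: str
    first_seen: datetime
    last_seen: datetime
    vendor: Optional[str] = None
    roles: Set[str] = field(default_factory=set)
    tags: Set[str] = field(default_factory=set)


def vendor_for(mac: str) -> Optional[str]:
    """Vendor from the OUI prefix, or None when the prefix is unknown."""
    return OUI_VENDORS.get(mac.lower()[:8])


def build_inventory(flows: List[Flow]) -> Dict[str, Device]:
    """Fold observed flows into per-IP device profiles."""
    inv: Dict[str, Device] = {}

    def touch(ip: str, mac: str, ts: datetime) -> Device:
        dev = inv.get(ip)
        if dev is None:
            dev = Device(ip, mac, ts, ts, vendor_for(mac))
            inv[ip] = dev
        else:
            dev.first_seen = min(dev.first_seen, ts)
            dev.last_seen = max(dev.last_seen, ts)
        return dev

    for f in flows:
        src = touch(f.src_ip, f.src_mac, f.ts)
        dst = touch(f.dst_ip, f.dst_mac, f.ts)
        role = SERVER_PORT_ROLES.get(f.dst_port) if f.proto == "tcp" else None
        if role:
            dst.roles.add(role + "-server")
            src.roles.add(role + "-client")

    # Automatic tags derived from activity; manual tags can be added later.
    for dev in inv.values():
        if any(r.endswith("-server") for r in dev.roles):
            dev.tags.add("ics-endpoint")
        if any(r.endswith("-client") for r in dev.roles):
            dev.tags.add("ics-master")
        if dev.vendor is None:
            dev.tags.add("unknown-vendor")
    return inv


# Constructed sample: an HMI polling two PLCs, plus an unknown host polling one.
SAMPLE_FLOWS = [
    Flow(datetime(2024, 3, 1, 8, 0), "00:50:56:aa:bb:01", "10.10.1.5",
         "00:80:f4:12:34:56", "10.10.2.20", "tcp", 502),
    Flow(datetime(2024, 3, 1, 8, 0, 30), "00:50:56:aa:bb:01", "10.10.1.5",
         "00:0e:8c:ab:cd:ef", "10.10.2.21", "tcp", 102),
    Flow(datetime(2024, 3, 1, 9, 15), "00:50:56:aa:bb:01", "10.10.1.5",
         "00:80:f4:12:34:56", "10.10.2.20", "tcp", 502),
    Flow(datetime(2024, 3, 1, 9, 20), "aa:bb:cc:dd:ee:ff", "10.10.1.99",
         "00:80:f4:12:34:56", "10.10.2.20", "tcp", 502),
]


def sample_inventory() -> Dict[str, Device]:
    return build_inventory(SAMPLE_FLOWS)


if __name__ == "__main__":
    for dev in sample_inventory().values():
        print(dev.ip, dev.vendor, sorted(dev.roles), sorted(dev.tags),
              dev.first_seen.time(), dev.last_seen.time())
```

The host 10.10.1.99 is the interesting row: it behaves like a Modbus master but has no recognizable vendor and no history before 09:20, which is exactly the kind of profile an analyst would want surfaced rather than buried in a flow log.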


Go broad, or get granular
Start from a global view, and drill down into subnets, devices, and specific connections.
Granular visibility

Pivot from one OT device to see all the devices it is connected to or has recently contacted. View detailed logs of OT command activity.
Advanced Search allows custom queries into the underlying database, for any question not directly answerable through the graphical UI.
Explore the network from a subnet overview. Organize it into zones and conduits to compare with design documents. Explore the relationships between different tags on devices.
Understandable events
Complex math, simple output
Darktrace DETECT outputs intuitive and easy-to-understand alerts, reducing time-to-meaning for security teams.


Defend Against ‘Unknown Unknowns’
ICS security technology tends to center around vulnerability tracking, patching and threat intelligence. Because each of these depends on prior knowledge of the threat, this approach is by design ineffective against attacks that use new techniques or exploit zero-day vulnerabilities.
Darktrace stops novel threats using Self-Learning AI
As well as being able to identify CVEs on devices, Darktrace learns ‘normal’ for everything in your ICS network, identifying subtle deviations indicative of a cyber-threat. By combining vulnerability detection with Self-Learning AI, Darktrace protects you from both known and unknown threats.


Identify Critical Network Misconfigurations
Darktrace frequently detects anomalies resulting from network misconfigurations that wouldn’t otherwise have been caught.
If, for instance, two subnets that shouldn’t be communicating are talking to each other, Darktrace will identify the unusual connection and reveal firewall faults and misconfigurations.
Darktrace is an easy way to confirm whether your network is working the way you expect.
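The zones-and-conduits comparison described under "Granular visibility" and the subnet-to-subnet misconfiguration check above amount to the same audit: observed flows checked against the design document. The following is an added example (not Darktrace code) of that audit. The zone layout, the permitted conduits and the sample flows are constructed; the zone/conduit terminology follows IEC 62443. A flow between two zones with no conduit at all is the "firewall fault" case, while a flow on an existing conduit using a protocol the design does not list is a narrower rule problem.

```python
"""Zone-and-conduit compliance check over observed flows.

Added example; not Darktrace code. Zones, conduits and flows are constructed.
Conduits are directional and keyed on the TCP-initiating direction.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Rule = Tuple[str, int]  # (protocol, destination port)
FlowTuple = Tuple[str, str, str, int]  # (src ip, dst ip, proto, dst port)

# Constructed zone model: zone name -> address range.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "control": ipaddress.ip_network("10.10.2.0/24"),
    "field": ipaddress.ip_network("10.10.3.0/24"),
}

# Constructed conduits from the design document: (src zone, dst zone) -> rules.
# None means any traffic is permitted (intra-zone). Absent pairs have no
# conduit, so any flow between them should have been blocked by a firewall.
CONDUITS: Dict[Tuple[str, str], Optional[Set[Rule]]] = {
    ("enterprise", "dmz"): {("tcp", 443)},
    ("dmz", "control"): {("tcp", 502), ("tcp", 44818)},
    ("control", "field"): {("tcp", 502)},
    ("control", "control"): None,
    ("field", "field"): None,
}


def zone_of(ip: str) -> Optional[str]:
    """Zone containing the address, or None if it is outside the design."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def check_flow(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> Optional[str]:
    """None when the flow is compliant, otherwise a short finding string."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "unknown-zone"
    if (src_zone, dst_zone) not in CONDUITS:
        return f"no-conduit:{src_zone}->{dst_zone}"
    rules = CONDUITS[(src_zone, dst_zone)]
    if rules is not None and (proto, dst_port) not in rules:
        return f"protocol-not-permitted:{src_zone}->{dst_zone}:{proto}/{dst_port}"
    return None


def audit(flows: List[FlowTuple]) -> List[Tuple[FlowTuple, str]]:
    """Run check_flow over every observation and collect the findings."""
    findings = []
    for f in flows:
        finding = check_flow(*f)
        if finding:
            findings.append((f, finding))
    return findings


# Constructed observations, in the order a network sensor might see them.
SAMPLE_FLOWS: List[FlowTuple] = [
    ("10.0.5.20", "10.10.0.10", "tcp", 443),      # enterprise -> dmz https: ok
    ("10.10.0.10", "10.10.2.20", "tcp", 502),     # dmz -> control modbus: ok
    ("10.10.0.10", "10.10.2.20", "tcp", 22),      # dmz -> control ssh: not on conduit
    ("10.0.5.20", "10.10.2.20", "tcp", 502),      # enterprise -> control: no conduit
    ("10.10.2.20", "10.10.3.7", "tcp", 502),      # control -> field modbus: ok
    ("10.10.2.20", "10.10.2.21", "tcp", 102),     # intra-zone: ok
    ("192.168.50.4", "10.10.2.20", "tcp", 502),   # address absent from the design
]


def sample_findings() -> List[Tuple[FlowTuple, str]]:
    return audit(SAMPLE_FLOWS)


if __name__ == "__main__":
    for flow, finding in sample_findings():
        print(finding, flow)
```

The "no-conduit" finding for enterprise -> control is the one to chase first: under this design no rule should permit that path, so its presence points at a firewall or routing fault rather than a missing port in a rule.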

Darktrace RESPOND™/OT
Autonomous Response
Set the boundaries so that AI can act when you can’t
Working with Darktrace DETECT, Darktrace RESPOND uses AI-made micro-decisions to autonomously contain and disarm threats.
Tailored action when and where you need it
Autonomous Response is not a ‘one size fits all’. It takes the least aggressive action necessary to contain each threat, without disrupting your business.

Precision response
Leverages nuanced understanding to issue the perfect counter response to any threat, from blocking specific connections to enforcing a device's learned patterns of life, to a full quarantine for erratic devices.
Set it how you want it
Operates within the parameters you set. Only on certain devices? At certain times of day? In response to certain events?
Set the limits and guiderails, and let the AI do the heavy lifting.
Prioritization and summarization
Only takes action on events that will cause significant business disruption.
Understand what action Darktrace has taken, and why, instantly.
Network intervention should not be taken lightly
It’s all about precision.
Darktrace's analysis of unusual events, drawn from millions of daily connections, is further analyzed by Darktrace RESPOND.
Darktrace RESPOND takes in event data and combines it with the overall context of the environment, as well as human guide-rails, to determine the best possible response in milliseconds.
Key actions and how they work
Darktrace RESPOND has a range of actions it can take to cut OT attacks short.
And crucially, it knows which to take, and where to take them.

RESPOND ACTION
No action necessary
Block specific connections
Darktrace RESPOND/Network can determine which connections to block, even if the port, protocol, or IPs have never before been seen or used maliciously.
Enforce custom business priorities
Enforce device's patterns of life
Enforce group pattern of life
Darktrace’s granular understanding of a device’s normal behavior means that, when that device is compromised, RESPOND can enforce its ‘pattern of life’: the malicious activity stops, but the device continues to behave as it normally does.
Block all outgoing traffic
Block all incoming traffic
Block all traffic
And in reality, these can translate into an infinite number of actions, all determined and taken on the spot:
No action necessary
Block connections to 10.100.1.1 over port 437
Block encrypted connections to 192.168.37.18
Block RDP connections to 10.115.1.3
Block connections over port 45 for 1 hour
Block incoming connections to 10.100.1.4
Terminate instance XYZ
. . .
All in real time.
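The graded response above (block one connection, enforce the learned pattern of life, quarantine an erratic device) can be shown with a small state machine. The following is an added example and not Darktrace code: the learning traffic, the enforcement traffic and the escalation threshold are constructed, and the rule "three distinct novel connections means quarantine" is an assumed policy standing in for whatever guide-rails an operator would actually set.

```python
"""Enforcing a device's learned pattern of life.

Added example; not Darktrace code. Learning traffic, enforcement traffic and
the escalation threshold are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Conn = Tuple[str, str, int]  # (peer ip, protocol, destination port)


@dataclass
class Action:
    device: str
    kind: str    # "allow" | "block_connection" | "block_all_outgoing"
    detail: str


class PatternOfLife:
    """Per-device baseline of outbound (peer, proto, port) tuples."""

    def __init__(self, escalate_after: int = 3):
        # Assumed policy: after this many distinct novel connections the device
        # is treated as erratic and all of its outgoing traffic is blocked.
        self.escalate_after = escalate_after
        self.baseline: Dict[str, Set[Conn]] = defaultdict(set)
        self.novel: Dict[str, Set[Conn]] = defaultdict(set)
        self.quarantined: Set[str] = set()

    def learn(self, device: str, conn: Conn) -> None:
        """Learning mode: everything observed is taken as normal."""
        self.baseline[device].add(conn)

    def enforce(self, device: str, conn: Conn) -> Action:
        """Enforcement mode: least aggressive action for one connection."""
        if device in self.quarantined:
            return Action(device, "block_all_outgoing", "device is quarantined")
        if conn in self.baseline[device]:
            return Action(device, "allow", "matches learned pattern of life")
        self.novel[device].add(conn)   # a set, so a repeated novel tuple counts once
        if len(self.novel[device]) >= self.escalate_after:
            self.quarantined.add(device)
            return Action(device, "block_all_outgoing",
                          f"{len(self.novel[device])} distinct novel connections; quarantining")
        peer, proto, port = conn
        return Action(device, "block_connection", f"block {proto}/{port} to {peer}")


HMI = "10.10.1.5"

# Constructed learning traffic: the HMI only ever polls two PLCs over Modbus/TCP.
LEARNING = [(HMI, ("10.10.2.20", "tcp", 502)), (HMI, ("10.10.2.21", "tcp", 502))]

# Constructed enforcement traffic: normal polling interleaved with connections
# that never appeared in the baseline.
ENFORCEMENT = [
    (HMI, ("10.10.2.20", "tcp", 502)),   # normal
    (HMI, ("10.10.1.9", "tcp", 445)),    # novel: SMB to a workstation
    (HMI, ("10.10.2.20", "tcp", 502)),   # normal polling continues
    (HMI, ("10.10.1.10", "tcp", 3389)),  # novel: RDP
    (HMI, ("10.10.1.11", "tcp", 22)),    # third distinct novel -> quarantine
    (HMI, ("10.10.2.21", "tcp", 502)),   # blocked too: device is now quarantined
]


def run_sample() -> List[Action]:
    pol = PatternOfLife(escalate_after=3)
    for device, conn in LEARNING:
        pol.learn(device, conn)
    return [pol.enforce(device, conn) for device, conn in ENFORCEMENT]


if __name__ == "__main__":
    for a in run_sample():
        print(a.kind, a.detail)
```

Until the escalation threshold is reached, the HMI's Modbus polling is untouched and only the novel SMB and RDP connections are blocked; the operator-set threshold is what decides when "enforce pattern of life" gives way to "block all outgoing".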

Fully configurable and customizable
Darktrace RESPOND operates within the parameters you tell it to. Only on certain devices? At certain times of day? In response only to certain events? You set the guide-rails, then let the AI do its thing.
Insert AI into your existing workflows
Integrates with existing tools
Action can be taken independently or via integrations with native security controls, maximizing the return on other security investments.
Alerts are sent wherever you want them.
Combines human expertise with the speed and scale of AI
Cyber AI Analyst is trained on an ever-growing data set of investigations by expert cyber analysts. By observing and then replicating their behavior, the technology works like a human analyst: asking questions, testing hypotheses, reaching conclusions.


Reports on ICS threats that are easy to understand
Does the heavy lifting of investigation work, reducing potentially dozens of security events into a handful of high priority incidents for human review.