How Darktrace uses AI to defend against evolving cyber threats

Executive overview

Cyber attacks have become professionalized: ransomware, malware, and attack tools are now available as commercial services on the dark web, complete with helplines and PR statements. The threat landscape is not binary or static — it is analog, novel, and constantly shifting, making rule-based defenses insufficient.

Darktrace's insight: learn the business, not the threat — and you can catch attacks you never anticipated.

Darktrace addresses this by building a unique digital fingerprint of each organization, then detecting anomalies against that baseline. Its AI operates autonomously, progressing from detection to active response to proactive hardening — a self-reinforcing cycle that improves without requiring threat database updates.

The professionalization of cyber crime

  • Ransomware-as-a-service, malware-as-a-service: attack tools available to rent
  • Dark-web criminal enterprises mimic legitimate business models
  • Hackers issue public statements apologizing for societal harm — treating reputation like a brand
  • Threat actors range from nation states to bedroom hackers to malicious insiders
  • One-third of Davos businesses reported financial impact from significant cyber threats in the past 12 months

Why traditional defenses fall short

  • Cybersecurity is not binary: threats are analog, transitory, and constantly evolving
  • Perimeter tools (antivirus, firewalls) protect against known, historical attacks only
  • Novel and unpredictable attacks bypass "secure by design" approaches
  • Human error — a forgotten update, an off day — always leaves a gap
  • The gap between people and technology is exactly what attackers exploit

How Darktrace works: learn the business, not the threat

  • AI ingests and studies the daily ebb and flow of each organization's digital activity
  • Builds a unique digital DNA — a baseline of normal behavior specific to that organization
  • Detects anomalies, whether large alarm bells or small clusters of unusual signals
  • No threat-database updates needed: if it deviates from the baseline, it's a candidate threat
  • Each installation becomes bespoke over time; day one is identical software, but it diverges as it learns
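The baseline-and-deviation idea above, as an added illustration that is not Darktrace's code: a per-user profile of "normal" learned from a constructed log window, new events scored on three weak signals, and an alert raised only when signals accumulate, so a single off-hours login is noted but not escalated. Users, hosts, volumes and the threshold are all made up.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline window: (user, hour, destination, bytes_out). Not real data.
BASELINE = [
    ("alice", 9, "crm.internal", 1200), ("alice", 10, "crm.internal", 1500),
    ("alice", 11, "mail.internal", 900), ("alice", 14, "crm.internal", 1300),
    ("alice", 16, "wiki.internal", 1100),
    ("bob", 8, "build.internal", 50000), ("bob", 12, "build.internal", 62000),
    ("bob", 13, "git.internal", 45000), ("bob", 17, "build.internal", 58000),
    ("bob", 18, "git.internal", 51000),
]

def learn_baseline(events):
    """Per-user model of normal: destinations seen, active hours, outbound volume stats."""
    by_user = defaultdict(list)
    for user, hour, dest, nbytes in events:
        by_user[user].append((hour, dest, nbytes))
    model = {}
    for user, rows in by_user.items():
        volumes = [b for _, _, b in rows]
        model[user] = {
            "dests": {d for _, d, _ in rows},
            "hours": {h for h, _, _ in rows},
            "mean": mean(volumes),
            "std": pstdev(volumes) or 1.0,  # flat baselines would otherwise divide by zero
        }
    return model

def score_event(model, event):
    """Return the weak signals an event deviates on; an empty list means in-profile."""
    user, hour, dest, nbytes = event
    if user not in model:
        return ["unknown_user"]  # no baseline exists yet for this identity
    m = model[user]
    signals = []
    if dest not in m["dests"]:
        signals.append("new_destination")
    if hour not in m["hours"]:
        signals.append("unusual_hour")
    if (nbytes - m["mean"]) / m["std"] > 3:  # more than 3 standard deviations above normal
        signals.append("volume_spike")
    return signals

def detect(model, events, cluster_threshold=3):
    """Alert on a user once weak signals accumulate, whether from one big event or several small ones."""
    seen, alerts = defaultdict(list), {}
    for ev in events:
        user = ev[0]
        seen[user].extend(score_event(model, ev))
        if len(seen[user]) >= cluster_threshold and user not in alerts:
            alerts[user] = list(seen[user])
    return alerts

MODEL = learn_baseline(BASELINE)
NEW = [  # constructed live events: one clear outlier, two in-profile, one unknown user
    ("alice", 3, "unknown-host.example", 900000),
    ("bob", 12, "build.internal", 60000),
    ("bob", 20, "git.internal", 55000),
    ("carol", 10, "crm.internal", 1000),
]
ALERTS = detect(MODEL, NEW)
```

Here alice trips all three signals in one event and is flagged; bob's late commit and carol's first appearance each produce one signal and stay below the threshold, which is the kind of small deviation a real system would keep watching rather than alert on.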

Three phases of Darktrace's evolution

  1. Detect — identify and alert on in-progress attacks
  2. Respond — autonomously stop attacks in real time, limiting data loss
  3. Harden — proactively identify unique organizational vulnerabilities and wrap protection around them; each phase feeds into the next

The deepfake and generative AI threat

  • A Hong Kong finance worker was scammed out of $25 million via a deepfake video call impersonating the CFO
  • Generative AI tools produce phishing emails with far higher linguistic quality and natural tone
  • Deepfakes now extend to audio, video, Slack, Teams, and other chat interfaces
  • Attackers exploit urgency: pressure people to act before they can think
  • Defense heuristic: focus on the outcome being driven, not just the authenticity of the content — unusual behavior or artificial urgency are the real signals

Human vulnerability as the root attack surface

  • Without humans, cyber attacks would almost disappear; without humans, businesses wouldn't exist
  • Attackers always target the interface between people and technology
  • Election interference and influence operations exploit the same human-manipulation playbook as corporate attacks
  • Cybersecurity done well is invisible: staff should be able to trust and use technology without thinking about it

Running a cybersecurity business

  • Bad news in the industry is not good news for Darktrace — ambulance-chasing is not the goal
  • The paradox of success: best case, nothing happens and the client never notices
  • Cybersecurity is reframed from a wagging-finger compliance burden into an enabler of technology adoption
  • Business problems, unlike math problems, do not always have a clear answer — the right response is to decide quickly, with trusted advisors, and course-correct when wrong
