Security

Darktrace enhances its ActiveAI Security Platform

Darktrace has announced a wave of innovations across its ActiveAI Security Platform to protect organisations from increasingly complex, multivector and novel attacks, extending novel threat detection and autonomous investigations across email, network, OT, cloud and SaaS and consequently delivering deeper endpoint visibility than ever before.

Together, these innovations provide a new level of understanding across an organisation’s digital footprint, enabling security teams to close the seams attackers exploit as they cross IT domain boundaries, stop emerging threats and act with the speed, context and confidence needed to stay ahead of attackers.

Most organisations still rely on fragmented security tools that each see only part of the picture. Endpoint products often miss what’s happening on the network, while network tools lack context about processes running on devices. Analysts are left pivoting between dashboards, stitching together evidence, and wasting time chasing down root causes. Meanwhile, novel threats now outpace known ones and attackers are increasingly exploiting the seams between disconnected email, network, endpoint, cloud, distributed identity, and OT environments.

Darktrace is closing these seams with the introduction of the industry’s first Network Endpoint eXtended Telemetry (NEXT) agent, which natively combines full network packet data with endpoint process data using Self-Learning AI. By unifying insights from network to endpoint, Darktrace is the first Network Detection and Response leader to natively provide security teams with the ability to trace network threats directly to their endpoint root cause. For analysts, this means investigations that once took hours and multiple pivots between NDR, EDR and XDR tools can now be resolved in seconds. Instead of seeing only an unusual network connection, Darktrace immediately shows which process on which device initiated the connection and unearths threats that would otherwise be missed, such as the misuse of legitimate software, living-off-the-land techniques or unapproved software usage.

With this new level of visibility, Cyber AI Analyst, Darktrace’s sophisticated agentic AI system, becomes the first of its kind to have full native context across endpoint processes, network, cloud, SaaS, identity and email — giving it a complete view of incidents as they unfold. This unified understanding allows it to spot and stop unknown and undetected threats that move between these domains — all without relying on external integrations, central data lakes, or manual correlation. By cutting out harmless noise, improving detection accuracy and providing clearer incident summaries, Cyber AI Analyst augments human teams and helps them focus on what truly needs attention.

By extending Self-Learning AI across all of these environments, Darktrace amplifies its ability to deliver AI-native, real-time threat detection, investigation, and response for activity that moves across domains, strengthening defenders’ ability to stay ahead of emerging attacks.

Pip Robbins, IT Manager at M&S Logistics, a global specialist in bulk liquid logistics and an early adopter of Darktrace’s new endpoint capabilities, commented: “The complete network to endpoint process understanding provided by the NEXT agent, combined with Cyber AI Analyst’s investigative capabilities, have had a huge impact on our ability to investigate potential incidents. Our investigations now happen faster, we’re not jumping between tools and we have more context than we’ve ever had before.”

Darktrace / NETWORK has also introduced enhancements to support autonomous response in highly complex and segmented networks, plus increased response efficacy with additional firewall integrations. This enables security teams to respond to network threats faster and more effectively with a solution proven to contain zero-day threats up to eight days before public disclosure.

Real-Time Understanding In Operational Environments

For organisations running operational technologies, the dangers of bad actors targeting their networks at the seams are even greater as OT and IT environments continue to converge and teams look to bridge the gap. As operational technology becomes increasingly interconnected with traditional IT infrastructure, defenders face new challenges in maintaining visibility, modeling risk and responding to threats across converged ecosystems. Many alternative OT security tools narrowly focus on asset discovery or rule-based detection, leaving critical gaps in understanding how attackers can move between IT and OT, exploit exposed vulnerabilities, or disrupt operations through misconfigured segmentation.

These blind spots matter not just to security teams but to OT engineers responsible for keeping systems running. Both groups need shared context to collaborate effectively — securing the environment while maintaining uptime.

New updates to Darktrace / OT, Darktrace’s purpose-built platform for securing operational technologies, provide a step forward in defenders’ ability to address these challenges with operationally relevant insights, real-time attack path modeling and unified governance across their entire ecosystem.

  • Dashboards tailored for OT engineers enable them to track operational anomalies without navigating ill-fitting systems and workflows designed around IT systems, boosting their productivity and device adoption.
  • Expanded firewall rule analysis for Fortinet FortiGate provides a clear view of how attackers could reach critical devices, identifies new segmentation opportunities and helps teams focus patching on genuinely exposed assets rather than those already protected by existing controls.
  • Configuration Management integration with ServiceNow automatically syncs asset intelligence to improve governance and reduce manual maintenance.
  • Expanded protocol support for GE-SRTP and MELSOFT increases visibility across GE and Mitsubishi environments without requiring manual rules or configuration.

New Tools Help Security Teams Focus on the Most Critical Internal and External Risks

Traditional vulnerability and attack surface management tools often operate in silos, producing long lists of issues without context or prioritisation. Security teams are left trying to determine which vulnerabilities pose real risk, which are exploitable and which should be patched first — wasting valuable time and effort.

Darktrace’s latest updates integrate external attack surface and internal exposure management to give defenders a complete, continuous view of their risk, based on the unique context of their environment. By validating exposures against live network data, mapping vulnerabilities to specific devices and understanding how attackers could exploit them, Darktrace helps security teams focus on what’s truly critical and take pre-emptive action before attackers can act. This makes continuous threat exposure management (CTEM) workflows easier for security teams, no matter where threats lie.

  • Darktrace / Attack Surface Management now conducts surgical and scheduled penetration assessments of exposed systems for the most common CVEs, helping defenders see which weaknesses are likely to be exploited in practice, continually test against them, and fill a gap between annual penetration tests. It also includes continuous monitoring of leaked credentials, the number 2 initial attack vector, across millions of sites, forums, and marketplaces on the deep and dark web. This continuous monitoring greatly expands the visibility and reach teams have of their attack surface, giving defenders time to mitigate and change credentials before they can be taken advantage of.
  • Darktrace / Proactive Exposure Management now identifies and prioritizes vulnerabilities without relying on third-party vulnerability management scanners. It uses internal context — such as network layout, existing controls, and real-world accessibility — to show which issues matter most and includes cost-benefit analysis to help teams weigh the effort of patching against the potential business impact of leaving a vulnerability unaddressed.

Managing Security at Scale

The newly introduced ActiveAI Security Portal, designed for large enterprises, partners and MSSPs, unifies control, configuration and visibility across all Darktrace deployments. It provides one login across products and deployments, centralised and granular permissions management and unified API setup. This brings all the intelligence Darktrace provides, from identity to network to cloud and email, into one place, making it easier to scale and manage in the most complex environments.

As security teams work to protect their organisations from increasingly complex, multivector attacks, Darktrace’s latest innovations help put them on the front foot — uniting visibility across their digital footprint, closing the seams attackers exploit and giving defenders the speed, context and confidence to act before threats take hold.

“Security teams are under pressure to move faster but most tools still leave them piecing together fragments of information,” said Connie Stride, SVP of Product, Darktrace. “With Darktrace’s latest innovations, we’re giving them the full picture: from tracing a network threat straight to its root cause on a device, to easily understanding attack paths across IT and OT. By closing the seams between systems and uniting visibility across domains, Darktrace is helping organisations stay ahead of evolving threats with greater speed, context and confidence.”
