The Early Bird Catches the Worm: Darktrace’s Hunt for Raspberry Robin

darktrace.com · Alexandra Sentenac and Trent Kessler and Victoria Baldie · 2 years ago · research
Darktrace's Investigation of Raspberry Robin Worm

April 2, 2024

Discover how Darktrace is leading the hunt for Raspberry Robin. Explore early insights and strategies in the battle against cyber threats.

Written by Alexandra Sentenac, Cyber Analyst

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.

Introduction

In the face of increasingly hardened digital infrastructures and skilled security teams, malicious actors are forced to constantly adapt their attack methods, resulting in sophisticated attacks that are designed to evade human detection and bypass traditional network security measures. One such example that was recently investigated by Darktrace is Raspberry Robin, a highly evasive worm malware renowned for merging existing and novel techniques, as well as leveraging both physical hardware and software, to establish a foothold within organizations’ networks and propagate additional malicious payloads.

What is Raspberry Robin?

Raspberry Robin, also known as ‘QNAP worm’, is a worm malware that was initially discovered at the end of 2023 [1]; however, its debut in the threat landscape may have predated this, with Microsoft uncovering malicious artifacts linked to this threat (which it tracks under the name Storm-0856) dating back to 2019 [4].
At the time, little was known regarding Raspberry Robin’s objectives or operators, despite the large number of successful infections worldwide. While the identity of the actors behind Raspberry Robin still remains a mystery, more intelligence has been gathered about the malware and its end goals as it was observed delivering payloads from different malware families.

Who does Raspberry Robin target?

While it was initially reported that Raspberry Robin primarily targeted the technology and manufacturing industries, researchers discovered that the malware had actually targeted multiple sectors [3] [4]. Darktrace’s own investigations echoed this, with Raspberry Robin infections observed across various industries, including public administration, finance, manufacturing, retail, education and transportation.

How does Raspberry Robin work?

Initially, it appeared that Raspberry Robin's access to compromised networks had not been utilized to deliver final-stage malware payloads, nor to steal corporate data. This uncertainty led researchers to question whether the actors involved were merely “cybercriminals playing around” or more serious threats [3]. This lack of additional exploitation was indeed peculiar, considering that attackers could easily escalate their attacks, given Raspberry Robin’s ability to bypass User Account Control using legitimate Windows tools [4].

However, at the end of July 2022, some clarity emerged regarding the operators' end goals. Microsoft researchers revealed that the access provided by Raspberry Robin was being utilized by an access broker tracked as DEV-0206 to distribute the FakeUpdates malware downloader [2]. Researchers further discovered malicious activity associated with Evil Corp TTPs (i.e., DEV-0243) [5] and payloads from the Fauppod malware family leveraging Raspberry Robin’s access [8].

This indicates that Raspberry Robin may, in fact, be an initial access broker, utilizing its presence on hundreds of infected networks to distribute additional payloads for paying malware operators. Thus far, Raspberry Robin has been observed distributing payloads linked to FIN11, Clop Gang, BumbleBee, IcedID, and TrueBot on compromised networks [12].

Raspberry Robin’s Continued Evolution

Since it first appeared in the wild, Raspberry Robin has evolved from "being a widely distributed worm with no observed post-infection actions [...] to one of the largest malware distribution platforms currently active" [8]. The fact that Raspberry Robin has become such a prevalent threat is likely due to the continual addition of new features and evasion capabilities to their malware [6] [7].

Since its emergence, the malware has “changed its communication method and lateral movement” [6] in order to evade signature detections based on threat intelligence and previous versions. Endpoint security vendors commonly describe it as heavily obfuscated malware, employing multiple layers of evasion techniques to hinder detection and analysis. These include, for example, dropping a fake payload when analyzed in a sandboxed environment and executing commands in mixed case, likely to avoid case-sensitive string-based detections.

In more recent campaigns, Raspberry Robin further appears to have added a new distribution method, as it was observed being downloaded from archive files sent as attachments using the messaging service Discord [11]. These attachments contained a legitimate and signed Windows executable, often abused by attackers for side-loading, alongside a malicious dynamic-link library (DLL) containing a Raspberry Robin sample.

Another reason for the recent success of the malware may be found in its use of one-day exploits.
According to researchers, Raspberry Robin now utilizes several local privilege escalation exploits that had been recently disclosed, even before a proof of concept had been made available [9] [10]. This led cyber security professionals to believe that operators of the malware may have access to an exploit seller [6]. The use of these exploits enhances Raspberry Robin's detection evasion and persistence capabilities, enabling it to propagate on networks undetected.

Darktrace’s Coverage of Raspberry Robin

Through two separate investigations carried out by Darktrace’s Threat Research team, first in late 2022 and then in November 2023, it became evident that Raspberry Robin was capable of integrating new functionalities and tactics, techniques and procedures (TTPs) into its attacks. Darktrace DETECT™ provided full visibility over the evolving campaign activity, allowing for a comparison of the threat across both investigations. Additionally, if Darktrace RESPOND™ was enabled on affected networks, it was able to quickly mitigate and contain emerging activity during the initial stages, thwarting the further escalation of attacks.

Raspberry Robin Initial Infection

The most prevalent initial infection vector appears to be the introduction of an infected external drive, such as a USB stick, containing a malicious .LNK file (i.e., a Windows shortcut file) disguised as a thumb drive or network share. When clicked, the LNK file automatically launches cmd.exe to execute the malicious file stored on the external drive, and msiexec.exe to connect to a Raspberry Robin command-and-control (C2) endpoint and download the main malware component. The whole process leverages legitimate Windows processes and is therefore less likely to raise any alarms from more traditional security solutions. However, Darktrace DETECT was able to identify the use of Msiexec to connect to a rare endpoint as anomalous in every case investigated.

Little is currently known regarding how the external drives are infected and distributed, but it has been reported that affected USB drives had previously been used for printing at printing and copying shops, suggesting that the infection may have originated from such stores [13].

A method as simple as leaving an infected USB on a desk in a public location can be a highly effective social engineering tactic for attackers. Exploiting both curiosity and goodwill, unsuspecting individuals may innocently plug in a found USB, hoping to identify its owner, unaware that they have unwittingly compromised their device.

As Darktrace primarily operates on the network layer, the insertion of a USB endpoint device would not be within its visibility. Nevertheless, Darktrace did observe several instances wherein multiple Microsoft endpoints were contacted by compromised devices prior to the first connection to a Raspberry Robin domain. For example, connections to the URI '/fwlink/?LinkID=252669&clcid=0x409' were observed in multiple customer environments prior to the first Raspberry Robin external connection. This connectivity seems to be related to Windows attempting to retrieve information about installed hardware, such as a printer, and could also be related to the insertion of an external USB drive.

Figure 1: Device Event Log showing an affected device making connections to Microsoft endpoints, prior to contacting the Raspberry Robin C2 endpoint ‘vqdn[.]net’.

Raspberry Robin Command-and-Control Activity

In all cases investigated by Darktrace, compromised devices were detected making HTTP GET connections via the unusual port 8080 to Raspberry Robin C2 endpoints using the new user agent 'Windows Installer'. The C2 hostnames observed were typically short and matched the regex /[a-zA-Z0-9]{2,4}\.[a-zA-Z0-9]{2,6}/, and were hosted on various top-level domains (TLDs) such as ‘.rocks’, ‘.pm’, and ‘.wf’.
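
The three network traits described above (HTTP GET on port 8080, the 'Windows Installer' user agent, a short hostname) can be hunted for together in proxy logs. The following Python sketch is an added example, not Darktrace's detection logic or code from the original post; the log format, the `.test` hostnames, the function names and the per-device novelty flags are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption of this example):
#   time source method host port uri "user agent"
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+) "([^"]*)"$')

# Hostname pattern quoted in the article, with a literal dot and anchored at
# both ends; unanchored it would also match inside longer hostnames.
SHORT_HOST = re.compile(r"^[a-zA-Z0-9]{2,4}\.[a-zA-Z0-9]{2,6}$")

ALL_TRAITS = {"get-8080", "msi-agent", "short-host"}

# Constructed sample data: RFC 1918 addresses and reserved .test names.
SAMPLE_LOG = """\
2023-10-01T08:00:00Z 10.0.0.21 GET deploy.corp.test 80 /pkg/agent.msi "Windows Installer"
2023-10-01T08:05:00Z 10.0.0.34 GET intranet.corp.test 80 /index.html "Mozilla/5.0"
2023-10-02T09:14:07Z 10.0.0.34 GET q7x.test 8080 /a1 "Windows Installer"
2023-10-02T09:20:31Z 10.0.0.21 get zz.test 8080 /b2 "WINDOWS INSTALLER"
2023-10-02T09:21:00Z 10.0.0.50 GET cdn.test 8080 /lib.js "Mozilla/5.0"
2023-10-02T09:25:00Z 10.0.0.34 GET q7x.test 8080 /a1 "Windows Installer"
2023-10-02T09:30:00Z 10.0.0.34 GET deploy.corp.test 8080 /pkg/tool.msi "Windows Installer"
2023-10-02T09:31:00Z 10.0.0.34 GET q7x.te
"""


def parse(log_text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, src, method, host, port, uri, agent = m.groups()
        # Normalise case so mixed-case values cannot dodge the comparison.
        yield {"ts": ts, "src": src, "method": method.upper(),
               "host": host.lower(), "port": int(port), "uri": uri,
               "agent": agent.strip().lower()}


def traits(rec):
    """Return which of the article's three C2 traits this request shows."""
    found = set()
    if rec["method"] == "GET" and rec["port"] == 8080:
        found.add("get-8080")
    if rec["agent"] == "windows installer":
        found.add("msi-agent")
    if SHORT_HOST.match(rec["host"]):
        found.add("short-host")
    return found


def hunt(log_text, cutoff):
    """Report requests at or after `cutoff` that show all three traits.

    Every record, before or after the cutoff, feeds a per-device history so
    each finding can say whether the user agent and the host were new for
    that device when the request was made.
    """
    seen_agents = defaultdict(set)
    seen_hosts = defaultdict(set)
    findings = []
    for rec in sorted(parse(log_text), key=lambda r: r["ts"]):
        src = rec["src"]
        if rec["ts"] >= cutoff and traits(rec) == ALL_TRAITS:
            findings.append({
                "ts": rec["ts"], "src": src, "host": rec["host"],
                "new_agent": rec["agent"] not in seen_agents[src],
                "new_host": rec["host"] not in seen_hosts[src],
            })
        seen_agents[src].add(rec["agent"])
        seen_hosts[src].add(rec["host"])
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG, "2023-10-02T00:00:00Z"):
        print(finding)
```

The novelty flags are only as good as the history fed in: a device with no earlier records reports every agent and host as new.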

On one customer network, Darktrace observed the download of an MSI file from the Raspberry Robin domain ‘wak[.]rocks’. This package contained a heavily protected malicious DLL file whose purpose was unknown at the time.

However, in September 2022, external researchers revealed that the main purpose of this DLL was to download further payloads and enable lateral movement, persistence and privilege escalation on compromised devices, as well as exfiltrating sensitive information about the device. As worm infections spread through networks automatically, exfiltrating device data is an essential process for threat actors to keep track of which systems have been infected.

On affected networks investigated by Darktrace, compromised devices were observed making C2 connections that contained sensitive device information, including hostnames and credentials, with additional host information likely found within the data packets [12].

Figure 2: Model Breach Event Log displaying the events that triggered the ‘New User Agent and Suspicious Request Data’ DETECT model breach.

As for C2 infrastructure, Raspberry Robin leverages compromised Internet of Things (IoT) devices such as QNAP network attached storage (NAS) systems with hijacked DNS settings [13]. NAS devices are data storage servers that provide access to the files they store from anywhere in the world. These features have been abused by Raspberry Robin operators to distribute their malicious payloads, as any uploaded file could be stored and shared easily using NAS features.

However, Darktrace found that QNAP servers are not the only devices being exploited by Raspberry Robin, with DETECT identifying other IoT devices being used as C2 infrastructure, including a Cerio wireless access point in one example. Darktrace recognized that this connection was new to the environment and deemed it as suspicious, especially as it also used new software and an unusual port for the HTTP protocol (i.e., 8080 rather than 80).

In several instances, Darktrace observed Raspberry Robin utilizing TOR exit nodes as backup C2 infrastructure, with compromised devices detected connecting to TOR endpoints.

Figure 3: Raspberry Robin C2 endpoint when viewed in a sandbox environment.

Figure 4: Raspberry Robin C2 endpoint when viewed in a sandbox environment.

Raspberry Robin in 2022 vs 2023

Despite the numerous updates and advancements made to Raspberry Robin between the investigations carried out in 2022 and 2023, Darktrace’s detection of the malware was largely the same.

DETECT models breached during the first investigation at the end of 2022:
Device / New User Agent
Anomalous Server Activity / New User Agent from Internet Facing System
Device / New User Agent and New IP
Compromise / Suspicious Request Data
Compromise / Uncommon Tor Usage
Possible Tor Usage

DETECT models breached during the second investigation in late 2023:
Device / New User Agent and New IP
Device / New User Agent and Suspicious Request Data
Device / New User Agent
Device / Suspicious Domain
Possible Tor Usage

Darktrace’s anomaly-based approach to threat detection enabled it to consistently detect the TTPs and IoCs associated with Raspberry Robin across the two investigations, despite the operator’s efforts to make it stealthier and more difficult to analyze.

In the first investigation in late 2022, Darktrace detected affected devices downloading additional executable (.exe) files following connections to the Raspberry Robin C2 endpoint, including a numeric executable file that appeared to be associated with the Vidar information stealer.

Considering the advanced evasion techniques and privilege escalation capabilities of Raspberry Robin, early detection is key to prevent the malware from downloading additional malicious payloads.

In one affected customer environment investigated in late 2023, a total of 12 devices were compromised between mid-September and the end of October.
As this particular customer did not have Darktrace RESPOND, the Raspberry Robin infection was able to spread through the network unabated until the customer acted upon Darktrace DETECT’s alerts.

Had Darktrace RESPOND been enabled in autonomous response mode, it would have been able to take immediate action following the first observed connection to a Raspberry Robin C2 endpoint, by blocking connections to the suspicious endpoint and enforcing a device’s normal ‘pattern of life’.

By enforcing a pattern of life on an affected device, RESPOND would prevent it from carrying out any activity that deviates from this learned pattern, including connections to new endpoints using new software as was the case in Figure 5, effectively shutting down the attack in the first instance.

Figure 5: Model Breach Event Log showing RESPOND’s actions against connections to Raspberry Robin C2 endpoints.

Conclusion

Raspberry Robin is a highly evasive and adaptable worm known to evolve and change its TTPs on a regular basis in order to remain undetected on target networks for as long as possible. Due to its ability to drop additional malware variants onto compromised devices, it is crucial for organizations and their security teams to detect Raspberry Robin infections at the earliest possible stage to prevent the deployment of potentially disruptive secondary attacks.

Despite its continued evolution, Darktrace's detection of Raspberry Robin remained largely unchanged across the two investigations. Rather than relying on previous IoCs or leveraging existing threat intelligence, Darktrace DETECT’s anomaly-based approach allows it to identify emerging compromises by detecting the subtle deviations in a device’s learned behavior that would typically come with a malware compromise.

By detecting the attacks at an early stage, Darktrace gave its customers full visibility over malicious activity occurring on their networks, empowering them to identify affected devices and remove them from their environments. In cases where Darktrace RESPOND was active, it would have been able to take autonomous follow-up action to halt any C2 communication and prevent the download of any additional malicious payloads.

Credit to Alexandra Sentenac, Cyber Analyst, Trent Kessler, Senior Cyber Analyst, Victoria Baldie, Director of Incident Management

Appendices

Darktrace DETECT Model Coverage
Device / New User Agent and New IP
Device / New User Agent and Suspicious Request Data
Device / New User Agent
Compromise / Possible Tor Usage
Compromise / Uncommon Tor Usage

MITRE ATT&CK Mapping
Tactic - Technique
Command & Control - T1090.003 Multi-hop Proxy
Lateral Movement - T1210 Exploitation of remote services
Exfiltration over C2 Data - T1041 Exfiltration over C2 Channel
Data Obfuscation - T1001 Data Obfuscation
Vulnerability Scanning - T1595.002 Vulnerability Scanning
Non-Standard Port - T1571 Non-Standard Port
Persistence - T1176 Browser Extensions
Initial Access - T1189 Drive By Compromise / T1566.002 Spearphishing Link
Collection - T1185 Man in the browser

List of IoCs

References
[1] https://redcanary.com/blog/raspberry-robin/
[2] https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-malware-to-evil-corp-attacks/
[3] https://7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/FLINT%202022-016%20-%20QNAP%20worm_%20who%20benefits%20from%20crime%20(1).pdf
[4] https://www.bleepingcomputer.com/news/security/microsoft-finds-raspberry-robin-worm-in-hundreds-of-windows-networks/
[5] https://therecord.media/microsoft-ties-novel-raspberry-robin-malware-to-evil-corp-cybercrime-syndicate
[6] https://securityaffairs.com/158969/malware/raspberry-robin-1-day-exploits.html
[7] https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
[8] https://redmondmag.com/articles/2022/10/28/microsoft-details-threat-actors-leveraging-raspberry-robin-worm.aspx
[9] https://www.bleepingcomputer.com/news/security/raspberry-robin-malware-evolves-with-early-access-to-windows-exploits/
[10] https://www.bleepingcomputer.com/news/security/raspberry-robin-worm-drops-fake-malware-to-confuse-researchers/
[11] https://thehackernews.com/2024/02/raspberry-robin-malware-upgrades-with.html
[12] https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
[13] https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html
Nathaniel Jones VP, Security & AI Strategy, Field CISO Read more Network • March 26, 2026 Phantom Footprints: Tracking GhostSocks Malware GhostSocks is an emerging threat turning compromised devices into residential proxy nodes to help attackers evade detection. Darktrace identifies its growing use alongside Lumma Stealer, highlighting the malware’s stealth, payload delivery, and persistence. AI-driven detection and Autonomous Response reveal the full attack lifecycle and underscore the need for proactive defense. Isabel Evans Cyber Analyst Read more Network • March 17, 2026 When Reality Diverges from the Playbook: Darktrace Identifies Encryption in a World Leaks Ransomware Attack World Leaks, a rebrand of Hunters International, are known for their extortion-only attack model, abandoning the tactic of file encryption. However, contrary to these claims, Darktrace detected a World Leaks compromise where a ransomware payload was deployed, and customer data was encrypted. Tiana Kelly Senior Cyber Analyst & Team Lead Read more Blog / Cloud / April 9, 2026 Bringing Together SOC and IR teams with Automated Threat Investigations for the Hybrid World The investigation gap: Why incident response is slow, fragmented and reactive Modern investigations often fall apart the moment analysts move beyond an initial alert. Whether detections originate in cloud or on-prem environments, SOC and Incident Response (IR) teams are frequently hindered by fragmented tools and data sources, closed ecosystems, and slow, manual evidence collection just to access the forensic context they need. SOC analysts receive alerts without the depth required to confidently confirm or dismiss a threat, while IR teams struggle with inconsistent visibility across cloud, on‑premises, and contained endpoints, creating delays, blind spots, and incomplete attack timelines. 
This gap between SOC and Digital Forensics and Incident Response (DFIR) slows response and forces teams into reactive and inefficient investigation patterns. Security teams struggle to collect high‑fidelity forensic data during active incidents, particularly from cloud workloads, on‑prem systems, and XDR‑contained endpoints where traditional tools cannot operate without deploying new agents or disrupting containment. The result is a fragmented response process where investigations slow down, context gets lost, and critical attacker activity can slip through the cracks. What’s new at Darktrace ‍ Helping teams move from detection to root cause faster, more efficiently, and with greater confidence The latest update to Darktrace / Forensic Acquisition & Investigation eliminates the traditional handoff between the SOC and IR teams, enabling analysts to seamlessly pivot from alert into forensic investigation. It also brings on-demand and automated data capture through Darktrace / ENDPOINT as well as third-party detection platforms, where investigators can safely collect critical forensic data from network contained endpoints, preserving containment while accelerating investigation and response. Together, this solidifies / Forensic Acquisition & Investigation as an investigation-first platform beyond the cloud, fit for any organization that has adopted a multi-technology infrastructure. In practice, when these various detection sources and host‑level forensics are combined, investigations move from limited insight to complete understanding quickly, giving security teams the clarity and deep context required to drive confident remediation and response based on the exact tactics, techniques and procedures employed. ‍ Integrated forensic context inside every incident workflow SOC analysts now have seamless access to forensic evidence at the exact moment they need it. 
There is a new dedicated Forensics tab inside Cyber AI Analyst™ incidents, allowing users to move instantly from detection to rich forensic context in a single click, without the need to export data or get other teams involved. For investigations that previously required multiple tools, credentials, or intervention by a dedicated team, this change represents a shift toward truly embedded incident‑driven forensics – accelerating both decision‑making and response quality at the point of detection. Figure 1: The forensic investigation associated with the Cyber AI Analyst™ incident appears in a dedicated ‘Forensics’ tab, with the ability to pivot into the / Forensic Acquisition & Investigation UI for full context and deep analysis workflows. ‍ Reliable automated and manual hybrid evidence capture across any environment Across cloud, on‑premises, and hybrid environments, analysts can now automate or request on‑demand forensic evidence collection the moment a threat is detected via Darktrace / ENDPOINT. This allows investigators to quickly capture high-fidelity forensic data from endpoints already under protection, accelerating investigations without additional tooling or disrupting systems. Especially in larger environments where the ability to scale is critical, automated data capture across hybrid environments significantly reduces response time and enables consistent, repeatable investigations. Unlike EDR‑only solutions, which capture only a narrow slice of activity, these workflows provide high‑quality, cross‑environment forensic depth, even on third‑party XDR‑contained devices that many vendor ecosystems cannot reach. The result is a single, unified process for capturing the forensic context analysts need no matter where the threat originates, even in third-party vendor protected areas. 
Figure 2: The ability to acquire, process, and investigate devices with the Darktrace / ENDPOINT agent installed using the ‘Darktrace Endpoint’ import provider Figure 3: A Linux device that has the Darktrace / ENDPOINT agent installed has been acquired and processed by / Forensic Acquisition & Investigation ‍ Investigation‑first design flexible for hybrid organizations Luckily, taking advantage of automated forensic data capture of non-cloud assets won’t be subject to those who purely use Darktrace / ENDPOINT. This functionality is also available where CrowdStrike, Microsoft Defender for Endpoint, or SentinelOne agents are deployed. In the case of CrowdStrike, Darktrace / Forensic Acquisition & Investigation can also perform a triage capture of a device that has been contained using CrowdStrike’s network containment capability. What’s critical here is the fact that investigators can safely acquire additional forensic evidence without breaking or altering containment. That massively improves investigation and response time without adding more risk factors. Figure 4: ‘cado.xdr.test2’ has been contained using CrowdStrike’s network containment capability Figure 5: Successful triage capture of contained endpoint ‘cado.xdr.test2’ using / Forensic Acquisition & Investigation The benefits of extending forensics to on‑premises and endpoint environments Despite Darktrace / Forensic Acquisition & Investigation originating as a cloud‑first solution, the challenges of incident response are not limited to the cloud. Many investigations span on‑premises servers, unmanaged endpoints, legacy systems, or devices locked inside third‑party ecosystems. 
By extending automated investigation capabilities into on‑premises environments and endpoints, Darktrace delivers several critical benefits: Unified investigations across hybrid infrastructure and a heterogeneous security stack Consistent forensic depth regardless of asset type Faster and more accurate root-cause analysis Stronger incident response readiness ‍ Figure 6: Unified alerts from cloud and on-prem environments, grouped into incident-centric investigations with forensic depth Simplifying deep investigations across hybrid environments These enhancements move Darktrace / Forensic Acquisition & Investigation closer to a vision out of reach for most security teams: seamless, integrated, high‑fidelity forensics across cloud, on‑prem, and endpoint environments where other solutions usually stop at detection. Automated forensics as a whole is fueling faster outcomes with complete clarity throughout the end-to-end investigation process, which now takes teams from alert to understanding in minutes compared to days or even weeks. All without added agents, disruptions, or specialized teams. The result is an incident response lifecycle that finally matches the reality of modern infrastructure. ‍ Ready to see Darktrace / Forensic Acquisition & Investigation in your environment? Request a demo. Hear from industry-leading experts on the latest developments in AI cybersecurity at Darktrace LIVE. Coming to a city near you. [related-resource] Continue reading About the author Paul Bottomley Director of Product Management | Darktrace Blog / AI / April 9, 2026 How to Secure AI and Find the Gaps in Your Security Operations What “securing AI” actually means (and doesn’t) Security teams are under growing pressure to “secure AI” at the same pace which businesses are adopting it. But in many organizations, adoption is outpacing the ability to govern, monitor, and control it. When that gap widens, decision-making shifts from deliberate design to immediate coverage. 
The priority becomes getting something in place, whether that’s a point solution, a governance layer, or an extension of an existing platform, rather than ensuring those choices work together. At the same time, AI governance is lagging adoption. 37% of organizations still lack AI adoption policies, shadow AI usage across SaaS has surged, and there are notable spikes in anomalous data uploads to generative AI services. First and foremost, it’s important to recognize the dual nature of AI risk. Much of the industry has focused on how attackers will use AI to move faster, scale campaigns, and evade detection. But what’s becoming just as significant is the risk introduced by AI inside the organization itself. Enterprises are rapidly embedding AI into workflows, SaaS platforms, and decision-making processes, creating new pathways for data exposure, privilege misuse, and unintended access across an already interconnected environment. Because the introduction of complex AI systems into modern, hybrid environments is reshaping attacker behavior and exposing gaps between security functions, the challenge is no longer just having the right capabilities in place but effectively coordinating prevention, detection, investigation, response, and remediation together. As threats accelerate and systems become more interconnected, security depends on coordinated execution, not isolated tools, which is why lifecycle-based approaches to governance, visibility, behavioral oversight, and real-time control are gaining traction. From cloud consolidation to AI systems what we can learn We have seen a version of AI adoption before in cloud security. In the early days, tooling fragmented into posture, workload/runtime, identity, data, and more. Gradually, cloud security collapsed into broader cloud platforms. The lesson was clear: posture without runtime misses active threats; runtime without posture ignores root causes. 
Strong programs ran both in parallel and stitched the findings together in operations.

Today’s AI wave stretches that lesson across every domain. Adversaries are compressing “time‑to‑tooling” using LLM‑assisted development (“vibecoding”) and recycling public PoCs at unprecedented speed. That makes it difficult to secure through siloed controls, because the risk is not confined to one layer. It emerges through interactions across layers.

Keep in mind, most modern attacks don’t succeed by defeating a single control. They succeed by moving through the gaps between systems faster than teams can connect what they are seeing. Recent exploitation waves like React2Shell show how quickly opportunistic actors operationalize fresh disclosures and chain misconfigurations to monetize at scale.

In the React2Shell window, defenders observed rapid, opportunistic exploitation and iterative payload diversity across a broad infrastructure footprint, strains that outpace signature‑first thinking.

You can stay up to date on attacker behavior by signing up for our newsletter where Darktrace’s threat research team and analyst community regularly dive deep into threat finds.

Ultimately, speed met scale in the cloud era; AI adds interconnectedness and orchestration. Simple questions — What happened? Who did it? Why? How? Where else? — now cut across identities, SaaS agents, model/service endpoints, data egress, and automated actions. The longer it takes to answer, the worse the blast radius becomes.

The case for a platform approach in the age of AI

Think of security fusion as the connective tissue that lets you prevent, detect, investigate, and remediate in parallel, not in sequence. In practice, that looks like:

- Unified telemetry with behavioral context across identities, SaaS, cloud, network, endpoints, and email—so an anomalous action in one plane automatically informs expectations in others. (Inside‑the‑SOC investigations show this pays off when attacks hop fast between domains.)
- Pre‑CVE and “in‑the‑wild” awareness feeding controls before signatures—reducing dwell time in fast exploitation windows.
- Automated, bounded response that can contain likely‑malicious actions at machine speed without breaking workflows—buying analysts time to investigate with full context. (Rapid CVE coverage and exploit‑wave posts illustrate how critical those first minutes are.)
- Investigation workflows that assume AI is in the loop—for both defenders and attackers. As adversaries adopt “agentic” patterns, investigations need graph‑aware, sequence‑aware reasoning to prioritize what matters early.

This isn’t theoretical. It’s reflected in the Darktrace posts that consistently draw readership: timely threat intel with proprietary visibility and executive frameworks that transform field findings into operating guidance.

The five questions that matter (and the one that matters more)

When alerted to malicious or risky AI use, you’ll ask:

- What happened?
- Who did it?
- Why did they do it?
- How did they do it?
- Where else can this happen?

The sixth, more important question is: How much worse does it get while you answer the first five? The answer depends on whether your controls operate in sequence (slow) or in fused parallel (fast).

What to watch next: How the AI security market will likely evolve

Security markets tend to follow a familiar pattern. New technologies drive an initial wave of specialized tools (posture, governance, observability), each focused on a specific part of the problem. Over time, those capabilities consolidate as organizations realize the new challenge is coordination.

AI is accelerating the shift of focus to coordination because AI-powered attackers can move faster and operate across more systems at once. Recent exploitation waves show exactly this. Adversaries can operationalize new techniques and move across domains, turning small gaps into full attack paths.
Anticipate a continued move toward more integrated security models because fragmented approaches can’t keep up with the speed and interconnected nature of modern attacks.

Building the Groundwork for Secure AI: How to Test Your Stack’s True Maturity

AI doesn’t create new surfaces as much as it exposes the fragility of the seams that already exist. Darktrace’s own public investigations consistently show that modern attacks, from LinkedIn‑originated phishing that pivots into corporate SaaS to multi‑stage exploitation waves like BeyondTrust CVE‑2026‑1731 and React2Shell, succeed not because a single control failed, but because no control saw the whole sequence, or no system was able to respond at the speed of escalation.

Before thinking about “AI security,” customers should ensure they’ve built a security foundation where visibility, signals, and responses can pass cleanly between domains. That requires pressure‑testing the seams.

Below are the key integration questions and stack‑maturity tests every organization should run.

1. Do your controls see the same event the same way?

Integration questions

- When an identity behaves strangely (impossible travel, atypical OAuth grants), does that signal automatically inform your email, SaaS, cloud, and endpoint tools?
- Do your tools normalize events in a way that lets you correlate identity → app → data → network without human stitching?

Why it matters

Darktrace’s public SOC investigations repeatedly show attackers starting in an unmonitored domain, then pivoting into monitored ones, such as phishing on LinkedIn that bypassed email controls but later appeared as anomalous SaaS behavior. If tools can’t share or interpret each other's context, AI‑era attacks will outrun every control.

Tests you can run

Shadow Identity Test
- Create a temporary identity with no history.
- Perform a small but unusual action: unusual browser, untrusted IP, odd OAuth request.
- Expected maturity signal: other tools (email/SaaS/network) should immediately score the identity as high‑risk.

Context Propagation Test
- Trigger an alert in one system (e.g., endpoint anomaly) and check if other systems automatically adjust thresholds or sensitivity.
- Low maturity signal: nothing changes unless an analyst manually intervenes.

2. Does detection trigger coordinated action, or does everything act alone?

Integration questions

- When one system blocks or contains something, do other systems automatically tighten, isolate, or rate‑limit?
- Does your stack support bounded autonomy — automated micro‑containment without broad business disruption?

Why it matters

In public cases like BeyondTrust CVE‑2026‑1731 exploitation, Darktrace observed rapid C2 beaconing, unusual downloads, and tunneling attempts across multiple systems. Containment windows were measured in minutes, not hours.

Tests you can run

Chain Reaction Test
- Simulate a primitive threat (e.g., access from TOR exit node).
- Your identity provider should challenge → email should tighten → SaaS tokens should re‑authenticate.
- Weak seam indicator: only one tool reacts.

Autonomous Boundary Test
- Induce a low‑grade anomaly (credential spray simulation).
- Evaluate whether automated containment rules activate without breaking legitimate workflows.

3. Can your team investigate a cross‑domain incident without swivel‑chairing?

Integration questions

- Can analysts pivot from identity → SaaS → cloud → endpoint in one narrative, not five consoles?
- Does your investigation tooling use graphs or sequence-based reasoning, or is it list‑based?

Why it matters

Darktrace’s Cyber AI Analyst and DIGEST research highlights why investigations must interpret structure and progression, not just standalone alerts. Attackers now move between systems faster than human triage cycles.

Tests you can run

One‑Hour Timeline Build Test
- Pick any detection.
- Give an analyst one hour to produce a full sequence: entry → privilege → movement → egress.
- Weak seam indicator: they spend >50% of the hour stitching exports.

Multi‑Hop Replay Test
- Simulate an incident that crosses domains (phish → SaaS token → data access).
- Evaluate whether the investigative platform auto‑reconstructs the chain.

4. Do you detect intent or only outcomes?

Integration questions

- Can your stack detect the setup behaviors before an attack becomes irreversible?
- Are you catching pre‑CVE anomalies or post‑compromise symptoms?

Why it matters

Darktrace publicly documents multiple examples of pre‑CVE detection, where anomalous behavior was flagged days before vulnerability disclosure. AI‑assisted attackers will hide behind benign‑looking flows until the very last moment.

Tests you can run

Intent‑Before‑Impact Test
- Simulate reconnaissance-like behavior (DNS anomalies, odd browsing to unknown SaaS, atypical file listing).
- Mature systems will flag intent even without an exploit.

CVE‑Window Test
- During a real CVE patch cycle, measure detection lag vs. public PoC release.
- Weak seam indicator: your detection rises only after mass exploitation begins.

5. Are response and remediation two separate universes?

Integration questions

- When you contain something, does that trigger root-cause remediation workflows in identity, cloud config, or SaaS posture?
- Does fixing a misconfiguration automatically update correlated controls?

Why it matters

Darktrace’s cloud investigations (e.g., cloud compromise analysis) emphasize that remediation must close both runtime and posture gaps in parallel.

Tests you can run

Closed‑Loop Remediation Test
- Introduce a small misconfiguration (over‑permissioned identity).
- Trigger an anomaly.
- Mature stacks will: detect → contain → recommend or automate posture repair.

Drift‑Regression Test
- After remediation, intentionally re‑introduce drift.
- The system should immediately recognize deviation from known‑good baseline.

6. Do SaaS, cloud, email, and identity all agree on “normal”?

Integration questions

- Is “normal behavior” defined in one place or many?
- Do baselines update globally or per-tool?

Why it matters

Attackers (including AI‑assisted ones) increasingly exploit misaligned baselines, behaving “normal” to one system and anomalous to another.

Tests you can run

Baseline Drift Test
- Change the behavior of a service account for 24 hours.
- Mature platforms will flag the deviation early and propagate updated expectations.

Cross‑Domain Baseline Consistency Test
- Compare identity’s risk score vs. cloud vs. SaaS.
- Weak seam indicator: risk scores don’t align.

Final takeaway

Security teams should be focused on how their stack operates as one system before AI amplifies pressure on every seam. Only once an organization can reliably detect, correlate, and respond across domains can it safely begin to secure AI models, agents, and workflows.

About the author: Nabil Zoldjalali, VP, Field CISO
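The normalization question in section 1 and the One‑Hour Timeline Build Test in section 3 can be rehearsed on exported logs before any platform is involved. The sketch below is an added example, not Darktrace code: the three log schemas, the event names, and the event-to-stage mapping are all hypothetical, and the sample events are constructed.

```python
from datetime import datetime, timezone

# Constructed sample logs: one incident seen by three tools, each with its own schema.
IDP = [{"ts": "2026-04-09T09:00:05Z", "user": "j.doe@example.com", "event": "oauth_grant"}]
CLOUD = [{"eventTime": "2026-04-09T09:03:00Z", "principal": "j.doe@example.com",
          "eventName": "AttachRolePolicy"}]
SAAS = [{"time": 1775725500, "actor": "J.Doe@Example.com", "action": "TokenUsedNewDevice"},
        {"time": 1775726400, "actor": "J.Doe@Example.com", "action": "BulkDownload"},
        {"time": 1775725800, "actor": "a.lee@example.com", "action": "BulkDownload"}]

# Hypothetical mapping from tool-specific event names to the stages named in the test.
STAGE = {"oauth_grant": "entry", "AttachRolePolicy": "privilege",
         "TokenUsedNewDevice": "movement", "BulkDownload": "egress"}
CHAIN = ["entry", "privilege", "movement", "egress"]

def _iso(s):
    """Parse an ISO 8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def normalize(fold_case=True):
    """Map every source into one schema: (time, identity, domain, stage)."""
    ident = (lambda s: s.lower()) if fold_case else (lambda s: s)
    rows = [(_iso(e["ts"]), ident(e["user"]), "identity", STAGE[e["event"]]) for e in IDP]
    rows += [(_iso(e["eventTime"]), ident(e["principal"]), "cloud", STAGE[e["eventName"]])
             for e in CLOUD]
    rows += [(datetime.fromtimestamp(e["time"], timezone.utc), ident(e["actor"]), "saas",
              STAGE[e["action"]]) for e in SAAS]
    return sorted(rows)

def timeline(identity, fold_case=True):
    """Ordered cross-domain events for one identity."""
    return [r for r in normalize(fold_case) if r[1] == identity]

def missing_stages(identity, fold_case=True):
    """Stages of the chain that no correlated event covers: the seams."""
    seen = {r[3] for r in timeline(identity, fold_case)}
    return [s for s in CHAIN if s not in seen]

if __name__ == "__main__":
    for t, who, domain, stage in timeline("j.doe@example.com"):
        print(t.isoformat(), domain, stage)
    print("gaps without identity normalization:",
          missing_stages("j.doe@example.com", fold_case=False))
```

With identity normalization the four stages line up across the three tools; with it switched off, the SaaS events drop out of the chain and the movement and egress stages have to be stitched in by hand.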