Darktrace

Self-learning AI that detects threats your rules miss

Overall Rating: Unrated
Pricing: Enterprise
Last Verified: Apr 2026
Tags: threat-detection, network-security, anomaly-detection

What works

  • Genuinely novel unsupervised learning approach to detection
  • Catches insider threats and zero-days that signatures miss
  • Minimal dependency on signature updates
  • Good visualization of network behavior and anomalies

What doesn't

  • High false positive rate during initial learning period
  • Expensive entry point for mid-market organizations
  • Requires 2-4 week tuning period before useful results
  • Marketing overpromises relative to operational reality

Overview

Darktrace is an AI-native network detection and response (NDR) platform that's been on the market since 2013, making it one of the oldest players in the "AI for cybersecurity" space. The company was founded by mathematicians from the University of Cambridge, and that heritage shows up in the product's approach: rather than relying on signatures or threat intelligence feeds, Darktrace builds a behavioral model of your network and flags deviations from that baseline. They call this "Self-Learning AI," and it's the core of everything the platform does — from detection to investigation to autonomous response.

Darktrace's product line has expanded considerably over the years. The original Network product (now called Darktrace/Network) monitors east-west and north-south traffic. Darktrace/Email handles inbound email threats. Darktrace/Cloud covers AWS, Azure, and GCP workload behavior. Darktrace/Endpoint is their newer agent-based module. And HEAL is their incident response planning module. The AI approach is consistent across all of these — learn normal behavior, flag anomalies — but the data sources and detection context vary by module.

The company went public on the London Stock Exchange in 2021 and was taken private by Thoma Bravo in 2024 for about $5.3 billion. The acquisition raised some customer concerns about future pricing and investment in the product, but as of our testing, the platform continues to receive regular updates and the support quality hasn't degraded.

How It Works

Darktrace's core technology is unsupervised machine learning applied to network metadata and, in newer modules, endpoint and cloud telemetry. The platform deploys sensors (physical or virtual appliances for network data, agents for endpoints, API connectors for cloud and email) that feed traffic metadata into Darktrace's AI engine. The engine builds a "pattern of life" for every device, user, and subnet it observes, learning what's normal in terms of connection patterns, data transfer volumes, protocol usage, timing, and peer relationships.

The key technical differentiator is that Darktrace doesn't need labeled training data or predefined rules. It learns your environment's baseline from scratch, which means it can detect novel threats that wouldn't match any signature or known indicator. The flip side of this approach is that it generates a lot of noise during the learning period (typically 2-4 weeks) and can continue to produce false positives on legitimate-but-unusual activity long after deployment. Tuning Darktrace is an ongoing project, not a one-time setup task.

The autonomous response capability, branded as Antigena, can take action on detected threats in real time — blocking connections, throttling bandwidth, isolating devices, or enforcing "pattern of life" restrictions that allow a device to continue normal communications while blocking anomalous ones. The granularity of Antigena's response actions is one of Darktrace's genuine technical achievements. Rather than a binary "isolate or don't" decision, it can surgically restrict just the anomalous behavior while keeping the device operational. In practice, this works better than full isolation for many scenarios, particularly for servers and critical infrastructure that can't be taken offline.

Darktrace also includes Cyber AI Analyst, an automated investigation module that groups related anomalies into incidents, determines the likely attack narrative, and presents a human-readable report. This is not the same as the LLM-based chatbots that competitors offer — it's a purpose-built AI model that reasons about attack patterns rather than generating text. The output is more structured and less conversational than Charlotte AI or Purple AI, but it's often more reliable because it's not trying to generate natural language answers to open-ended questions.

What We Liked

Darktrace catches things that other tools miss. During our testing, it flagged a low-and-slow data exfiltration pattern — a device gradually uploading data to an external endpoint in small increments over several days — that our SIEM, EDR, and email security tools all missed because no individual event crossed any threshold. Darktrace saw the behavioral trend and flagged it. This is exactly the use case that justifies the unsupervised ML approach, and when it works, it's genuinely impressive.
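To make the baseline idea from the How It Works section concrete, and to show why a low-and-slow upload like the one above slips past fixed thresholds, here is a small added example in Python. It is not Darktrace's code or algorithm: each device gets its own learned "normal" for daily outbound volume, deviations are scored against that device's baseline rather than a global rule, and a lone deviation (the off-schedule backup the review cites as a typical false positive) is separated from a sustained multi-day trend. All device names, volumes and thresholds are constructed.

```python
"""Toy 'pattern of life' baseline detector, constructed to illustrate the review's
points; it is not Darktrace's algorithm or code."""
from statistics import mean, pstdev

LEARNING_DAYS = 14          # baseline window, in days
Z_THRESHOLD = 3.0           # how far outside its own normal a device must be
GLOBAL_THRESHOLD_MB = 500   # fixed per-event rule a SIEM or DLP might use

# Constructed daily outbound volume (MB) per device: 14 learning days + 7 observed days.
OUTBOUND_MB = {
    # Busy file server: every day exceeds a fixed 500 MB rule, yet is normal for it.
    # Index 15 is an off-schedule backup: legitimate but unusual for this device.
    "fileserver": [780, 820, 760, 840, 800, 790, 810, 770, 830, 800, 760, 840, 780, 820,
                   790, 950, 810, 830, 770, 800, 820],
    # Workstation: low-and-slow exfiltration, a little more each day, never near 500 MB.
    "workstation-17": [18, 22, 20, 19, 21, 20, 22, 18, 20, 21, 19, 20, 22, 18,
                       40, 48, 56, 64, 72, 80, 88],
}

def global_threshold_alerts(series):
    """Fixed per-event rule: day indices whose volume exceeds the global threshold."""
    return [i for i, mb in enumerate(series) if mb > GLOBAL_THRESHOLD_MB]

def pattern_of_life_alerts(series, learning_days=LEARNING_DAYS, z=Z_THRESHOLD):
    """Per-device baseline: learn mean/stdev over the learning window, then flag
    observed days that sit more than z standard deviations above that device's normal."""
    learn, observe = series[:learning_days], series[learning_days:]
    mu, sd = mean(learn), max(pstdev(learn), 1.0)  # floor avoids divide-by-zero on flat baselines
    return [learning_days + i for i, mb in enumerate(observe) if (mb - mu) / sd > z]

def classify(alert_days):
    """Group alerts the way an incident view would: one isolated deviation is a one-off
    (a candidate false positive to review); three or more consecutive days is a trend."""
    if not alert_days:
        return "quiet"
    longest = run = 1
    for prev, cur in zip(alert_days, alert_days[1:]):
        run = run + 1 if cur == prev + 1 else 1
        longest = max(longest, run)
    return "sustained" if longest >= 3 else "one-off"

if __name__ == "__main__":
    for device, series in OUTBOUND_MB.items():
        g, p = global_threshold_alerts(series), pattern_of_life_alerts(series)
        print(f"{device:15} global-rule days={len(g):2}  baseline days={p} -> {classify(p)}")
```

The fixed rule fires on every day of the file server's normal traffic and never on the workstation; the per-device baseline does the reverse, and the classifier marks the backup spike as a one-off while the exfiltration shows up as a sustained trend.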

The Cyber AI Analyst is underrated. While the industry is chasing ChatGPT-style conversational interfaces, Darktrace's automated investigation model quietly produces incident reports that are more consistently accurate than what we got from LLM-based tools. It correctly grouped related anomalies, identified the likely attack stage, and even predicted the probable next steps in the attack chain. The reports aren't pretty — they're functional, structured summaries — but they're reliable in a way that generative AI outputs often aren't.

The network visibility is exceptionally deep. Darktrace sees every device on your network, including unmanaged devices, IoT, OT systems, and shadow IT that your EDR and asset inventory don't know about. During deployment, it almost always discovers devices that the customer didn't know were on their network. That discovery alone has security value, even before you get to the detection capabilities. For organizations with OT environments — manufacturing, utilities, healthcare — this visibility into non-standard devices is a major differentiator.

Antigena's surgical response actions impressed us. We tested a scenario where a compromised workstation was beaconing to a C2 server while the user continued legitimate work. Antigena blocked only the C2 communication while allowing the user's normal browsing and application access to continue. The user experienced no disruption, and the threat was contained. Compare this to EDR-style full isolation, which would've taken the user offline entirely and generated an immediate help desk ticket.

What Fell Short

The false positive rate during the first 4-6 weeks is brutal. We don't mean a few extra alerts — we mean hundreds of model breaches per day on a mid-size network, most of them triggered by legitimate but unusual activity: a system admin running a backup job at an unusual time, a developer downloading a large dataset, marketing uploading files to a new cloud service. The tuning process requires someone who understands both the platform and your environment, and Darktrace's documentation on tuning best practices is surprisingly thin for a product that's been on the market for over a decade. We spent more time tuning Darktrace in the first month than we did on any other tool in this review.

The pricing is eye-watering. Darktrace uses a sensor-based licensing model that scales with the number of devices monitored, and the per-device cost is higher than almost any other NDR on the market. A mid-size deployment monitoring 5,000 devices typically runs $200,000-$400,000/year, and that's before you add the email, cloud, and endpoint modules. Multi-year contracts with significant discounts are the norm, which means you're locked in. We've heard from multiple customers who felt the renewal pricing was aggressive, with Darktrace knowing that the switching costs (losing the behavioral baseline) give them negotiating leverage.

The UI is functional but dated. Darktrace's Threat Visualizer — the 3D network topology view that features in every demo — looks impressive but is impractical for daily SOC use. Most analysts end up using the model breach list and Cyber AI Analyst views instead. The interface has improved over the years, but it still feels like a product designed by data scientists rather than by someone who's sat in a SOC chair. Navigation is inconsistent, filtering is clunky, and there are too many clicks required for common workflows.

Pricing and Value

Darktrace pricing is opaque and negotiation-heavy. Expect to pay $200,000-$400,000/year for a mid-size network deployment (3,000-10,000 devices) with the Network module. Adding Email, Cloud, and Endpoint modules can push the total to $400,000-$700,000/year. Three-year contracts are standard, and Darktrace offers significant upfront discounts to lock you in. Renewal pricing tends to increase, and the switching cost argument ("you'll lose your baseline") gives their sales team leverage. Some customers have reported 20-30% renewal increases, though your mileage will vary based on your negotiating position.

The value is hardest to quantify because Darktrace's primary benefit is finding things other tools miss. If it catches one insider threat or one advanced attack that your SIEM and EDR didn't see, it's paid for itself. If it sits there generating false positives and your other tools would've caught the real threats anyway, it's an expensive noise generator. The ROI is real but lumpy — you might go months without a meaningful Darktrace-only detection, and then it catches something that saves your organization millions.

Who Should Use This

Darktrace is best suited for organizations that have already invested in traditional detection tools (SIEM + EDR) and want an additional layer that catches what those tools miss. It's particularly valuable for environments with significant unmanaged device populations — healthcare networks with medical devices, manufacturing with OT/ICS, retail with point-of-sale systems. Mid-size to large enterprises (1,000+ devices) with a dedicated security team of 5+ people will get the most value, because you need someone to own the tuning and investigate the anomalies.

It's a poor fit for small teams that can't dedicate ongoing attention to tuning, for organizations that want a "set it and forget it" detection tool, or for environments where virtually all devices are managed endpoints already covered by EDR. If your primary security gap is email phishing, buy a dedicated email security product first — Darktrace/Email is good but not worth the full platform cost on its own. And if your budget is under $150,000/year for detection tools, Darktrace will eat your entire allocation and then some.

The Bottom Line

Darktrace is expensive, noisy, and requires ongoing care and feeding. We're still recommending it. The unsupervised ML approach finds threats that signature-based and rule-based tools simply cannot, and when you're on the receiving end of a sophisticated attack, that capability is priceless. Just don't buy it expecting magic — buy it expecting a powerful but temperamental instrument that requires a skilled operator. Budget for the tuning period, assign a dedicated owner, negotiate hard on the contract terms, and treat it as a complement to your existing detection stack rather than a replacement. The organizations that get the most out of Darktrace are the ones that treat it like a long-term investment rather than a product deployment.

Pricing Details

Based on network size; starts at ~$30K/yr.