- Launch of Darktrace / Forensic Acquisition & Investigation™, the industry’s first truly automated cloud forensics solution, can cut investigation times from days to minutes.
- The launch comes amid a widening cloud security gap, with nearly 90% of surveyed organizations across the US and UK reporting that they suffered damage before they could contain cloud incidents.
- When paired with Darktrace / CLOUD™, customers gain unified detection, response and investigation at scale.
CAMBRIDGE, UK – Darktrace, a global leader in AI for cybersecurity, today announced the launch of Darktrace / Forensic Acquisition & Investigation™, the industry’s first truly automated cloud forensics solution. The solution provides security teams immediate access to forensic-level data, equipping them with critical context to investigate threats quickly and thoroughly across hybrid, multi-cloud and on-premises environments. When paired with the newly enhanced Darktrace / CLOUD™, organizations gain a complete cloud security solution that combines posture management with real-time detection, response and forensic investigation – potentially reducing investigation times from days to mere minutes.
Cloud adoption has outpaced security operations, creating blind spots that adversaries are quick to exploit. Nearly 90% of organizations report suffering damage before they can contain cloud incidents, and 65% say investigations take three to five days longer in the cloud compared to on-premises environments, according to a survey of 300 cloud security decision makers. Traditional log-based alerts miss behaviors such as lateral movement or privilege escalation, while evidence from ephemeral assets like containers and serverless functions often disappears before it can be collected — leaving security teams struggling to respond effectively.
At the same time, attacks against cloud workloads are increasingly aggressive. New analysis of Darktrace’s Cloudypot honeypots reveals that attacks on tools like Jupyter Notebooks often arrive in sudden bursts, generating high volumes of attacks in a short period of time from a small group of persistent attackers. These findings highlight that when adversaries target the cloud, they strike quickly and at scale, leaving defenders little time to investigate before critical evidence disappears.
Introducing Darktrace / Forensic Acquisition & Investigation
Darktrace / Forensic Acquisition & Investigation is an automated forensic investigation solution designed for the speed and complexity of modern cloud environments. It captures and analyzes host-level evidence — including disk, memory, and logs — at the exact moment a threat is detected, even from short-lived assets such as containers or serverless workloads. These investigations can be triggered by Darktrace or by detections from existing cloud security tools.
Unlike point solutions that depend on manual snapshots or agents, Darktrace collects evidence directly through cloud APIs, ensuring investigations begin instantly, and critical data from ephemeral workloads is never lost. By preserving volatile data and reconstructing attacker behavior in real time, the solution adds critical context to everyday investigations, enabling security teams to understand root causes quickly and shorten investigation times from days to mere minutes — a critical advantage as over 40% of organizations report suffering significant damage from cloud alerts that were never investigated at all.
“Cloud investigations are notoriously complex and heavily manual, with evidence scattered across fragmented logs and ephemeral assets that often disappear before they can be collected. Darktrace’s automated cloud forensics solution represents a significant innovation leveraging the speed and scale of cloud to automatically collect, preserve and investigate volatile data at the time of detection, enabling teams to investigate faster, respond more effectively, and reduce overall business risk,” said Philip Bues, Senior Research Manager, Cloud Security & Confidential Computing, IDC.
This solution represents the evolution of capabilities gained through Darktrace’s acquisition of Cado Security earlier this year, alongside continued research and development investment to expand and advance Darktrace’s cloud security portfolio.
Key capabilities of the Darktrace / Forensic Acquisition & Investigation solution include:
- Automated hybrid forensic capture: Collects host-level data, including disks, memory, logs, and artifacts the moment an alert is raised across on-premises, AWS, Azure, GCP and SaaS environments.
- Ephemeral data capture: Preserves evidence from short-lived workloads including AWS ECS, Kubernetes, and distro-less or no-shell containers, retaining critical data so that it can be investigated.
- Automated investigation with complete timelines: Automatically reconstructs attacker behavior into unified timelines, distilling massive volumes of events into the most significant insights providing rapid clarity and root cause in minutes without manual correlation.
- Scalable response and reporting: Supports parallel investigations across multiple systems and automatically generates exportable reports to help reduce analyst workload and assist with compliance burdens.
- Rapid deployment and seamless integration: Offers flexible SaaS or on-premises deployment, and integrates with existing SIEM, XDR, CNAPP, EDR, NDR, and cloud-native tools so that any alert can trigger immediate forensic capture and investigation.
“In a cloud-first world, security teams need to be able to investigate anything, anywhere, at any time — without delay. With Darktrace / Forensic Acquisition & Investigation, what was once a highly specialized, time-consuming process is now an automated, one-click action for our team. Darktrace collects forensic-level evidence instantly, even in fast-moving cloud environments, and transforms investigative dead ends into actionable intelligence. This has drastically reduced our mean time to respond and empowered our team to shift from reactive archaeology to real-time investigation,” said Justin Dimmick, Senior Security Response Engineer, Cloudera.
Darktrace / Forensic Acquisition & Investigation can be deployed as a standalone product, giving new customers immediate access to automated cloud forensics to support SOC and incident response teams in their day-to-day management of cloud security threats, or integrated across the Darktrace ActiveAI Security Platform for end-to-end investigations and response across an organization’s entire digital estate. It is particularly powerful when paired with Darktrace / CLOUD, where the two solutions bring together real-time cloud detection and response and forensic-level investigation in a single workflow.
Unifying Cloud Detection, Response, and Forensic Investigation with Darktrace / CLOUD
Customers can now add Darktrace / Forensic Acquisition & Investigation capabilities to Darktrace’s leading cloud detection and response (CDR) product. With Darktrace / CLOUD, security teams benefit from:
- Autonomous detection and response: Self-Learning AI continuously monitors cloud environments to spot both known and novel threats and automatically contain them at machine speed.
- Dynamic cloud visibility: Live mapping of assets, services, and architectures to reveal blind spots, track attacker movement, and provide real-time context.
- Proactive risk management: Automated posture checks and attack path modeling that surface misconfigurations and exposures before attackers can exploit them.
“At papernest, our mission is to simplify life for our users, and security is essential to that journey. The cloud is critical to our innovation, but it also introduces risks that can be complex to manage,” said Andrea Carriero, Head of Infrastructure & Security, papernest. “We needed full-spectrum visibility and a way to cut through noise so our team could focus on real risks. Darktrace / CLOUD gives us that clarity — helping us see our entire cloud architecture, prioritize investigations, and save valuable time while keeping our platform secure. It has allowed us to embrace our proactive, security-focused culture, which is essential to unlocking continued growth.”
When adding Darktrace / Forensic Acquisition & Investigation to Darktrace / CLOUD, the solutions work together seamlessly to detect threats as they emerge and preserve the forensic evidence needed to investigate them. As Darktrace / CLOUD detects and blocks suspicious cloud activity, Darktrace / Forensic Acquisition & Investigation will capture disk, memory, and log data from the affected asset, allowing teams to immediately contain threats while preserving the critical evidence needed to investigate and remediate the incident.
Alongside this integration, Darktrace has strengthened its core cloud capabilities to make investigations even faster and more intuitive. Enhancements include more intuitive cloud architecture diagrams that make complex environments easier to interpret, along with expanded detection of advanced attacker techniques such as lateral movement, command-and-control, and privilege escalation.
When uniting threat detection, response, and automated forensics in one platform, security teams can shift cloud investigations from reactive and fragmented to fast, automated, and context-rich — enabling organizations to harness the benefits of the cloud while effectively mitigating risks.
“Cloud adoption has unlocked extraordinary opportunities for innovation but has also created new challenges and blind spots for security teams,” said Connie Stride, Senior Vice President of Product, Darktrace. “By bringing pioneering forensic technology into the Darktrace platform, we’ve combined industry-leading cloud detection, autonomous response, and automated forensics in one place. This transforms how organizations can defend the cloud – delivering forensic-level clarity in minutes, ensuring access to essential data before it disappears, and empowering every security team to respond decisively against modern cloud threats.”
Availability
Darktrace / Forensic Acquisition & Investigation, the integrations across the Darktrace ActiveAI Security Platform and new features in Darktrace / CLOUD are available now.
Additional Resources
- Tune in to the Darktrace Innovation Launch on October 9th to see how Darktrace is redefining cloud security.
- For more information on Darktrace / Forensic Acquisition & Investigation, read our blog or check out the solution brief.
- For more on the latest enhancements to Darktrace / CLOUD, check out our blog.
About Darktrace
Darktrace is a global leader in AI for cybersecurity that keeps organizations ahead of the changing threat landscape every day. Founded in 2013, Darktrace provides the essential cybersecurity platform protecting organizations from unknown threats using its proprietary AI that learns from the unique patterns of life for each customer in real-time. The Darktrace ActiveAI Security Platform™ delivers a proactive approach to cyber resilience to secure the business across the entire digital estate – from network to cloud to email. It provides pre-emptive visibility into the customer’s security posture, transforms operations with a Cyber AI Analyst™, and detects and autonomously responds to threats in real-time. Breakthrough innovations from our R&D teams in Cambridge, UK, and The Hague, Netherlands have resulted in over 200 patent applications filed. Darktrace’s platform and services are supported by over 2,300 employees around the world who protect nearly 10,000 customers across all major industries globally. To learn more, visit http://www.darktrace.com.
