Darktrace has introduced “Darktrace / Forensic Acquisition & Investigation,” a new solution it calls the industry’s first fully automated cloud forensics platform.
Closing the gap between cloud adoption and security
According to Darktrace, cloud adoption has expanded faster than security operations can keep pace, creating exploitable blind spots. A survey of 300 cloud security decision makers found that:
- Nearly 90% of organizations report damage before they can contain cloud incidents.
- 65% say cloud investigations take three to five days longer than those in on-premises environments.
Traditional log-based alerts often fail to capture behaviors such as lateral movement or privilege escalation. Additionally, evidence from ephemeral workloads, such as containers and serverless functions, frequently disappears before teams can investigate it. Darktrace says these challenges make timely forensics essential.
“In a cloud-first world, security teams need to be able to investigate anything, anywhere, at any time — without delay. With Darktrace / Forensic Acquisition & Investigation, what was once a highly specialized, time-consuming process is now an automated, one-click action for our team. Darktrace collects forensic-level evidence instantly, even in fast-moving cloud environments, and transforms investigative dead ends into actionable intelligence. This has drastically reduced our mean time to respond and empowered our team to shift from reactive archaeology to real-time investigation,” said Justin Dimmick, the senior security response engineer at Cloudera.
Features of the new solution address challenges with scalability and data capture
Darktrace’s answer to these challenges is designed to give security teams immediate access to forensic-level data, enabling faster and more thorough investigations across hybrid, multi-cloud, and on-premises environments.
Key capabilities include:
- Automated hybrid forensic capture: Collects host-level data such as disks, memory, logs, and artifacts the moment an alert is triggered across AWS, Azure, GCP, SaaS, and on-premises systems.
- Ephemeral data capture: Preserves evidence from short-lived workloads, including AWS ECS, Kubernetes, and no-shell containers.
- Automated investigation timelines: Reconstructs attacker behavior into unified timelines to highlight root causes within minutes.
- Scalable response and reporting: Supports parallel investigations and generates exportable reports to reduce analyst workload and aid compliance.
- Rapid deployment and integration: Offers SaaS or on-premises options, integrating with SIEM, XDR, CNAPP, EDR, NDR, and cloud-native tools.
“Cloud investigations are notoriously complex and heavily manual, with evidence scattered across fragmented logs and ephemeral assets that often disappear before they can be collected. Darktrace’s automated cloud forensics solution represents a significant innovation leveraging the speed and scale of cloud to automatically collect, preserve and investigate volatile data at the time of detection, enabling teams to investigate faster, respond more effectively, and reduce overall business risk,” said Philip Bues, the senior research manager of cloud security and confidential computing at IDC.
The solution builds on capabilities gained through Darktrace’s acquisition of Cado Security earlier this year. At the time, the companies presented the deal as a way to combine their security capabilities, with Cado’s cloud forensics expertise singled out.
“The addition of Cado’s deep expertise in cloud-based data collection and forensics will enhance our ability to protect customers, ensuring they can operate securely and confidently across all areas of their business. Together, Darktrace and Cado will help customers quickly and effectively prevent and deter cyber threats, maintaining resilience in a fast-evolving threat landscape,” Darktrace CEO Jill Popelka said at the time.
Integration with Darktrace / CLOUD promises a full suite of security
Darktrace is also enhancing its “Darktrace / CLOUD” product, which provides cloud detection and response. When combined with the new forensic acquisition tool, the two products enable security teams to detect threats and simultaneously preserve the evidence needed to investigate them. Enhancements include:
- Autonomous detection and response powered by self-learning AI.
- Live cloud asset mapping to reveal blind spots and track attacker movement.
- Automated posture checks and attack path modeling for proactive risk management.
“Cloud adoption has unlocked extraordinary opportunities for innovation but has also created new challenges and blind spots for security teams,” said Connie Stride, SVP of product at Darktrace.
“By bringing pioneering forensic technology into the Darktrace platform, we’ve combined industry-leading cloud detection, autonomous response, and automated forensics in one place. This transforms how organisations can defend the cloud – delivering forensic-level clarity in minutes, ensuring access to essential data before it disappears, and empowering every security team to respond decisively against modern cloud threats,” Stride continued.
In August, we talked to Darktrace’s director of enterprise security about how the company leverages distribution to reach the channel. Revisit our conversation with Daniel Jaramillo about working with Climb Global Solutions.