Darktrace

Overview

Reviews

Good tool but a LOT of false positives

7
I worked with Darktrace in a couple of organizations (from 300 to 1000+ users). Darktrace is a beneficial product to keep track of lateral …
Read full review

Why I didn't pick Darktrace

2
Brought it in to act as an intelligence gatherer for network traffic - specifically to look for anomalies and help identify potential …

Reviewer Pros & Cons

View all pros & cons

Pricing

View all pricing
N/A
Unavailable

What is Darktrace?

Darktrace headquartered in San Francisco provides enterprise network security with its machine learning autonomous network traffic analysis (NTA) software, providing an "Immune System" that detects novel or insider threats arising from malicious behavior.

Entry-level set up fee?

  • No setup fee

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting / Integration Services

Would you like us to let the vendor know that you want pricing?

27 people want pricing too

Alternatives Pricing

What is CrowdStrike Falcon?

CrowdStrike offers the Falcon Endpoint Protection suite, an antivirus and endpoint protection system emphasizing threat detection, machine learning malware detection, and signature free updating. Additionally the available Falcon Spotlight module delivers vulnerability assessment with no performance…

What is SentinelOne?

SentinelOne is endpoint security software, from the company of the same name with offices in North America and Israel, presenting a combined antivirus and EDR solution.

Features Scorecard

No scorecards have been submitted for this product yet..

Product Details

What is Darktrace?

Darktrace headquartered in San Francisco provides enterprise network security with its machine learning autonomous network traffic analysis (NTA) software, providing an "Immune System" that detects novel or insider threats arising from malicious behavior.

Darktrace Technical Details

Operating SystemsUnspecified
Mobile ApplicationNo

Alternatives

View all alternatives

Frequently Asked Questions

What is Darktrace?

Darktrace headquartered in San Francisco provides enterprise network security with its machine learning autonomous network traffic analysis (NTA) software, providing an "Immune System" that detects novel or insider threats arising from malicious behavior.

What is Darktrace's best feature?

Reviewers rate Support Rating highest, with a score of 9.4.

Who uses Darktrace?

The most common users of Darktrace are from Mid-size Companies and the Retail industry.

Reviews and Ratings

(33)

Ratings

Reviews

(1-6 of 33)
Companies can't remove reviews or game the system. Here's why
John King | TrustRadius Reviewer
Score 1 out of 10
Vetted Review
Verified User
Review Source
We implemented Darktrace 2 years ago for our organisation of approximately 350 users. The system was identified as a smart learning AI system that would protect the business against a range of cyberattacks.
  • Very Clever Marketing
  • Clever use of the AI
  • From time to time an email would appear in your inbox and within 5 to 10 seconds the email would be removed before your eyes. sometimes you could click on it if you were reading emails. Other times it would appear in your notifications and then when you looked for it later it was gone. It made you question your sanity. This problem has never been fixed. if you don't get onto it quick enough the system deletes these actions every month. No trace can be found.
  • When the system incorrectly quarantined an email, a false positive, there is no way to train the system not to do the same thing again. You have to contact IT support and get them to whitelist the email behind the scenes.
  • The BIG problem. The system is only as smart as the emails you provided for ingestion. Any email received after ingestion may be quarantined as it falls outside the pattern of behavior. Worse still. The system will let through infected emails if it can see the sender is a trusted source. Even if they have had an attack and sent emails out to their entire address book with an infected payload.
  • There was no notice of emails being quarantined until recently. When you do get sent a notice now it contains a very poor level of information.
I would warn any IT manager against this system. It is frustrating. Support is very poor and slow. Changes do not get implemented. We are removing the system and looking elsewhere. Ask yourself, how smart is a system that simply uses your existing mail history to determine if it will accept the next email. The system has no ability for the users to identify false positives or train it. It places a lot of pressure on the helps desk. I question where the AI lies.
Score 10 out of 10
Vetted Review
Verified User
Review Source
We needed a better insight into network security threats that might be in our organization. DarkTrace provides an invaluable service of not only giving us the ability to dig deep into possible network intrusions but also has a weekly summary of possible network security issues. One of the main reasons we chose DarkTrace was that they provided the weekly report put together by a security professional. We review this weekly report and take action as needed.
  • Network Security
  • Security Analysis
  • Threat Detection
  • Whole Packet Capture
  • Initial configuration
  • Security Analyst timely response to questions
  • GUI
Recommend: for a company with limited security resources that needs a better look into possible network intrusions. Not suited for: a company that has a full SOC staff that has time and resources to dedicate to network security threats.
Score 10 out of 10
Vetted Review
Verified User
Review Source
Darktrace is used across almost all of my organisation. It allows constant monitoring across all of our networks, and because it has the ability to learn "normal" behaviour for your network, it triggers alerts when it sees behaviour outside of this range. It's allowed thorough monitoring of our systems, 24/7. You can download packet captures, which can then be loaded in to wireshark, of traffic from devices on the network, and the data for these captures are held for some time as well - the exact time varies depending on the amount of traffic, but I've normally been able to retrieve traffic data from a few weeks previously when needed. There is also a mobile app that you can configure to allow monitoring of alerts on your phone. On a few occasions in the past, when something alerted that was potentially damaging to the network (such as a malware outbreak at one site), a Darktrace employee contacted me directly to let me know that there was something potentially high priority going on.
  • Monitors your network for unusual behaviour; as it learns what is normal for your network, you don't need to worry too much about things that are normal for your organisation, but might be considered odd in other places, triggering as alarms. It can also detect more subtle changes such as a device accessing a server but at an unusual time.
  • There are a large number of models that are used to create the alerts, which can all be customised, and you can also create your own from scratch, to allow you to tailor it perfectly to your situation.
  • There are few areas that I would say need to be improved; their customer support portal allows you to log tickets with any suggestions or things you feel the product is missing, and they will generally show you how to achieve what you want, or in some cases, introduce it as a feature in a later update.
Darktrace would be well suited to any environment really; the only constraint would be the budget. The cost scales on the number of devices to be monitored by the product, so it can be quite expensive in larger environments. Any company that would benefit from having 24/7 monitoring of their network would find that this product would suit that need perfectly. It can also create a number of reports, which is useful if you have any requirement to present periodic figures and statistics for your network. There are also additional features available and in development such as Antigena, which can be configured to allow potential threats to be automatically mitigated; it can block connections to a certain address, using certain ports, or it can enforce "normal behaviour" where it will only allow a machine to communicate in a way that Darktrace has observed before and considers normal. This has huge benefits particularly for 24/7 organisations where you don't have the ability to have someone monitoring the network personally at all times, as it could stop a malware outbreak in its tracks.
Any time I have had any issue with Darktrace, I've been able to contact an engineer through their support desk, and I have always had a very speedy response. Even when the issue has been caused by something outside of the Darktrace devices, they have still been very keen to try to help and identify what the problem was. The customer portal also has a large number of videos and guides that you can use to educate yourself on the product.
Score 7 out of 10
Vetted Review
Verified User
Review Source
I worked with Darktrace in a couple of organizations (from 300 to 1000+ users). Darktrace is a beneficial product to keep track of lateral network traffic inside of the organization. It augments the firewall, which looks at the traffic moving in and out of the company's LAN. Darktrace utilizes SPAN ports on switches to get the traffic, that's the only configuration needed outside of the Darktrace appliance, making installation relatively easy. If organization has multiple locations, either multiple Darktrace units will be required, or the network must be configured to forward SPAN traffic. Darktrace does provide beneficial insights into network activity inside the network, such as the use of obsolete protocols, DLP breaches, etc.
  • Ease of installation and configuration - Darktrace appliance is very close to plug and play (SPAN port configuration should be easy for any network admin). Darktrace provides comprehensive onboarding for customers as well, so you do not feel lost during the configuration of the device.
  • Identifying and tracking of the devices on the network - Hostname, OS, IP, MAC, previous activity - everything can be seen in the same interface. It is so much easier than tracking device in question across the firewall, DHCP, DNS logs.
  • False positives. Darktrace uses "AI" to create its alerts for "unusual" or "malicious" activity. It is very common to see an alert for completely benign and normal device behavior - PC tries to print for the first time in a while, for example.
  • Antigena actions. To some extent, this is a continuation of the previous point. Darktrace can break the network connectivity of the suspected device automatically. The excessive number of false positives makes administrators reluctant to use this feature, though. Also, the default Antigena actions are not relevant to real-world problems as I saw them in my experience with Darktrace.
If organization has money to spend on Darktrace (licensing is based on the number of endpoints in the network) and has staff to sift through all the alerts the device creates, Darktrace does improve security significantly. You will see what is going on inside the network, in real-time, and in easy to understand manner. The problem is that there are a lot of things going on inside of any corporate network. The AI of the Darktrace appliance has a hard time reducing the number of events to look at to a reasonable level. Whoever is thinking about buying Darktrace must be ready to spend a lot of man-hours working with the product, clearing false positives and tweaking rules.
Darktrace support is excellent in my experience. They send a competent engineer on-site to provide on-boarding training. They were also very responsive in responding to questions and concerns. Having an individual point of contact who is a competent network and security engineer is not a common experience, at least for me.
Matt Frederickson | TrustRadius Reviewer
Score 2 out of 10
Vetted Review
Verified User
Review Source
Brought it in to act as an intelligence gatherer for network traffic - specifically to look for anomalies and help identify potential threats and suspicious activity. I installed it at the network core, so it was able to view all traffic (well, mostly all traffic - we had a few issues with some of the VLANs and my switches are configured for fault tolerance, which it also had an issue with) moving from inside to outside.
  • It did an ok job of analyzing and collecting data. It used a span (mirrored) port and then using its own algorithm developed flow records.
  • It did an ok job of segmenting traffic into networks - not always correctly, but ok.
  • It tried to identify devices by type - once again, it did ok, but not that great.
  • Really had a poor time of identifying devices and what the device's purpose was - a simple nmap scan did a better job. The problem is they expect you to fine-tune the results - which is exactly what you would expect - but day one it found over 2,000 servers (and I only have 112).
  • Really had a hard time separating network traffic into locations - I use distinct subnets for my buildings, but there was no good way to create a logical map of my traffic internally. Did not garner a sense of trust that it was seeing everything.
  • Sat through a few "analyst" reports - which showed me possible threats in my environment. I am already using a few open source tools, and they actually found more than the analyst reports. Also, there was no way to get the reports on your own - you had to work through their analysts to get the information.
In my opinion, based on what I saw, the product is not ready for prime time yet. The GUI interface was slick but very difficult to use. There was no reporting capability. There was no availability to integrate other products or share data easily. The people were very nice and easy to work with - but in my opinion, no one who worked on developing the product has spent any time on a day-to-day basis in the trenches. While I get the brain trust behind the product (and it is very, very impressive), there is still a disconnect between the developers and the end-users. For the cost of the product (quite expensive), the end user base is not going to be satisfied with the product, especially since I can get the same, and better, information from other products.
Score 7 out of 10
Vetted Review
Verified User
Review Source
We use Darktrace in our main office. It helps us meet security assessment requirements of our clients that want to know how we know if there are bad actors in our environment.
  • Its very strong in recognizing unusual traffic. It learns what is normal and what is not normal.
  • It helps to show if our users are hitting malicious websites or not. That is a nice bonus to help with our security awareness and know if our training is doing its job.
  • Their weekly reports to us help highlight the most egregious traffic on our network. They are an extra set of eyes for us.
  • You have to have an appliance on each segment of your network. If you are not back hauling your traffic to your central data center, then each location has to have an appliance in order to cover that location.
  • They gather so much detailed information that it is hard at time to decipher what I'm looking at.
  • The way they name actions is unusual and should be changed. They need to label the parts of network traffic better.
It's excellent at using its AI engine to learn your environment when it first gets set up. Then over time it know what it has seen in the past and what it hasn't, so you can investigate what could be malicious traffic or not. It shouldn't be considered the end all, be all for networking monitoring, but just another tool to use.