Darktrace automates cloud forensics: investigates in minutes what used to take days and closes the loop with multi-cloud detection and response

Darktrace, a British cybersecurity company specializing in AI, has introduced Darktrace / Forensic Acquisition & Investigation™, a solution that promises to automate forensics in hybrid and multi-cloud environments and reduce investigation times from days to minutes. The launch includes enhancements to Darktrace / CLOUD™, its cloud detection and response product, with the declared goal of unifying posture, detection, containment, and forensics within a single operational flow.

The proposal addresses a growing pain: cloud adoption has outpaced security operations’ capacity. According to a survey of 300 cloud security decision-makers in the US and UK, almost 90% of organizations admit to suffering damage before containing a cloud incident, and 65% acknowledge that investigating in the cloud takes three to five days longer than on-premises. Meanwhile, more than 40% report experiencing significant damage from cloud alerts that were never investigated.

In this context, Darktrace proposes two ideas: capture and preserve evidence at the moment of the alert — including volatile evidence — and automatically reconstruct the attacker’s behavior so that analysts spend less time “patching” signals and more time making decisions.


A problem intensified by the cloud: ephemeral evidence and scattered signals

Evidence of a cloud attack disintegrates faster than in a traditional data center. Ephemeral containers, serverless functions without disks, instances that are born and die within minutes, and logs fragmented across providers and services complicate SOC efforts. Tools relying solely on logs tend to miss key behaviors — lateral movement, privilege escalation, stealthy techniques — and by the time someone attempts to take a snapshot, the asset may no longer exist.

The Cloudypots — honeypots deployed by Darktrace — add a troubling nuance: in services like Jupyter Notebooks, attacks concentrate in high-volume bursts from a small group of persistent attackers. The operational conclusion is clear: there is little margin for investigation before evidence disappears.


What is Darktrace / Forensic Acquisition & Investigation and how does it work?

This new component is essentially an automated forensic acquisition engine for cloud, hybrid, and on-premises that:

  • Captures at the host level — disks, memory, logs, and artifacts — at the moment a threat is detected, including from short-lived resources (containers, ECS, Kubernetes, serverless, distro-less or no-shell containers).
  • Starts agentless, wait-free acquisition via cloud APIs, avoiding manual snapshots and ensuring volatile evidence is not lost.
  • Automatically reconstructs the attacker’s timeline, distilling massive volumes of events into high-value insights to determine root cause within minutes, without manual correlation.
  • Scales investigations in parallel and generates exportable reports to ease analysts’ workload and support compliance.
  • Is available as SaaS or on-premises, and integrates with existing stacks (SIEM, XDR, CNAPP, EDR, NDR, native cloud services), so that any alert can trigger immediate forensic acquisition.

The automation and API-first approach distinguish this solution from point solutions that depend on manual snapshots or pre-installed agents. In dynamic environments, “being late” often means not arriving at all.

“Cloud investigations are complex and manual, with scattered evidence in fragmented logs and ephemeral assets that vanish before collection,” explains Philip Bues, Senior Research Manager, Cloud Security & Confidential Computing, at IDC. “Automated forensics that collect, preserve, and investigate volatile data at detection time enables faster investigation, better response, and reduced risk.”

The company attributes part of these capabilities to the technology integrated after acquiring Cado Security earlier this year, combined with ongoing R&D investments.


Complete timelines and evidence that doesn’t vanish: the “before and after” for SOCs

The practical value is evident in two areas:

  1. Preserved evidence. By freezing disks, memory, and artifacts at the moment of alert, teams avoid the usual cloud-investigation dead end: missing evidence that disappears when containers are recycled or functions are deactivated.
  2. Unified context. The engine automatically builds a coherent timeline of movements, credentials, calls, and targets, accelerating and standardizing root-cause analysis. Instead of piecing things together manually, analysts receive explained sequences.
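As an added illustration of the two steps described in the acquisition list above and in the "before and after" points here, the script below is not Darktrace's code and does not describe its internals; it sketches what alert-triggered preservation and timeline reconstruction look like in a defender's own tooling. It freezes hashed artifacts for the alerted resource at alert time (recording the miss when the resource is already gone) and orders the alerted principal's provider events into a technique-tagged timeline. The alert, artifact bytes, CloudTrail-style events, field names and technique mapping are all constructed for the example, and the cloud-API pull is replaced by an in-memory lookup so it runs offline.

```python
"""Alert-triggered evidence preservation and timeline reconstruction.

Added illustration, not Darktrace code. All alert, artifact and log data
below is constructed inline; the cloud-API acquisition step is replaced by
an in-memory lookup so the example runs offline.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed alert as a SIEM/XDR might emit it (hypothetical field names).
ALERT = {
    "alert_id": "alert-0001",
    "time": "2024-05-01T10:04:30Z",
    "resource_id": "i-0abc123",  # constructed instance id
    "principal": "arn:aws:iam::111122223333:role/ci-runner",  # constructed
}

# Constructed stand-in for the host-level sources an acquisition engine
# would pull via cloud APIs: disk image, memory capture, and host logs.
ARTIFACT_SOURCES = {
    "i-0abc123": {
        "disk": b"<constructed disk image bytes>",
        "memory": b"<constructed memory capture bytes>",
        "logs": b"May 01 10:04:29 sshd[2211]: Accepted publickey for deploy from 198.51.100.7\n",
    }
}

# Constructed CloudTrail-style events (RFC 5737 documentation addresses).
EVENTS = [
    {"eventTime": "2024-05-01T10:01:00Z", "eventName": "GetCallerIdentity",
     "principal": "arn:aws:iam::111122223333:role/ci-runner",
     "sourceIPAddress": "198.51.100.7", "resource": None},
    {"eventTime": "2024-05-01T10:02:10Z", "eventName": "ListSecrets",
     "principal": "arn:aws:iam::111122223333:role/ci-runner",
     "sourceIPAddress": "198.51.100.7", "resource": None},
    {"eventTime": "2024-05-01T10:03:05Z", "eventName": "AttachRolePolicy",
     "principal": "arn:aws:iam::111122223333:role/ci-runner",
     "sourceIPAddress": "198.51.100.7", "resource": "role/ci-runner"},
    {"eventTime": "2024-05-01T10:04:00Z", "eventName": "SendSSHPublicKey",
     "principal": "arn:aws:iam::111122223333:role/ci-runner",
     "sourceIPAddress": "198.51.100.7", "resource": "i-0abc123"},
    # Unrelated principal: must not appear in the reconstructed timeline.
    {"eventTime": "2024-05-01T10:02:40Z", "eventName": "DescribeInstances",
     "principal": "arn:aws:iam::111122223333:user/alice",
     "sourceIPAddress": "203.0.113.9", "resource": None},
]

# Coarse technique tags for the timeline (illustrative mapping only).
TECHNIQUE_BY_EVENT = {
    "GetCallerIdentity": "discovery",
    "ListSecrets": "credential access",
    "AttachRolePolicy": "privilege escalation",
    "SendSSHPublicKey": "lateral movement",
}


def acquire_evidence(alert, sources):
    """Freeze every artifact for the alerted resource and hash it.

    Returns a manifest recording what was captured, when, and the SHA-256
    of each item so later tampering or truncation is detectable.
    """
    artifacts = sources.get(alert["resource_id"])
    if artifacts is None:
        # Resource already gone: record the miss instead of failing silently.
        return {"alert_id": alert["alert_id"], "status": "resource_missing", "items": {}}
    captured_at = datetime.now(timezone.utc).isoformat()
    items = {
        name: {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
        for name, data in artifacts.items()
    }
    return {"alert_id": alert["alert_id"], "status": "captured",
            "captured_at": captured_at, "items": items}


def reconstruct_timeline(alert, events):
    """Order the alerted principal's events and tag each with a technique."""
    related = [e for e in events if e["principal"] == alert["principal"]]
    related.sort(key=lambda e: e["eventTime"])  # ISO-8601 UTC sorts lexically
    return [
        {"time": e["eventTime"], "action": e["eventName"],
         "source_ip": e["sourceIPAddress"],
         "technique": TECHNIQUE_BY_EVENT.get(e["eventName"], "unclassified")}
        for e in related
    ]


def investigate(alert, sources, events):
    """Run acquisition and reconstruction together, as one alert-driven step."""
    timeline = reconstruct_timeline(alert, events)
    return {
        "manifest": acquire_evidence(alert, sources),
        "timeline": timeline,
        "first_seen": timeline[0]["time"] if timeline else None,
        "techniques": [t["technique"] for t in timeline],
    }


if __name__ == "__main__":
    print(json.dumps(investigate(ALERT, ARTIFACT_SOURCES, EVENTS), indent=2))
```

The manifest's hashes are what make the preserved copy usable later: an analyst or auditor can recompute them against the stored artifacts to show nothing changed between capture and analysis. The `resource_missing` status is the cloud-specific case the article describes, where the container or function was recycled before acquisition ran; surfacing it explicitly is what turns "no evidence" into a recorded finding rather than a silent gap.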

Use case: “In a cloud-first world, you need to be able to investigate anything, anywhere, without delay,” says Justin Dimmick, Senior Security Response Engineer at Cloudera. “With Darktrace / Forensic Acquisition & Investigation, what used to be a specialized and slow process is now an automatic action, with a single click. It collects forensic evidence instantly, even in fast-moving cloud environments, and turns dead-ends into actionable intelligence. We have drastically reduced our MTTR and shifted from reactive archaeology to real-time investigation.”


A dual piece: automated forensics + Darktrace / CLOUD

The integration with Darktrace / CLOUD — the cloud detection & response solution from Darktrace — completes the picture:

  • Autonomous detection and response: self-learning AI monitors the cloud environment to detect both known and novel threats, and contain them at machine speed.
  • Dynamic visibility: real-time mapping of assets, services, and architectures to identify blind spots, track attacker mobility, and provide context.
  • Proactive risk management: posture checks and attack route modeling to uncover exposures and misconfigurations before exploitation.

When coexisting, Darktrace / CLOUD detects and blocks suspicious activity, while Forensic Acquisition & Investigation captures disks, memory, and logs from the affected asset. The team immediately contains the threat and preserves the evidence necessary for investigation and remediation without data loss.

The company also added visual improvements (more intuitive cloud architecture diagrams) and extended detection of advanced techniques (lateral movement, C2, privilege escalation) to further shorten the path to understanding.


Triggers and deployment: standalone or integrated, SaaS or on-premises

Automated forensics can deploy as a standalone product—empowering SOCs and response teams with forensic capabilities—or integrate into Darktrace’s ActiveAI Security Platform™ for end-to-end investigations across the entire digital perimeter. The trigger can be a Darktrace detection or any alert from SIEM/XDR/CNAPP/EDR/NDR or native cloud services already in place.

Deployment is flexible: SaaS or on-premises, recognizing that certain industries (finance, healthcare, public sector) may require additional control over where evidence resides and how it is secured.


A market in a hurry: damages before containment and extra days in investigation

The numbers from the survey of 300 security leaders in the US and UK underline the urgency:

  • ~90% suffered damage before containing a cloud incident.
  • 65% take 3–5 more days to investigate cloud incidents compared to on-premises.
  • >40% report damage from cloud alerts that were never investigated.

If attackers launch coordinated bursts at scale, as the Cloudypot deployments indicate for services like notebooks, the window for preserving evidence and responding effectively is narrow. Automating evidence capture and reconstruction is no longer a luxury — it is a necessity to keep control.


Voices from the industry and a roadmap

“Cloud adoption has unlocked extraordinary opportunities but also new challenges and blind spots,” summarizes Connie Stride, Senior Vice President of Product at Darktrace. “Integrating pioneering forensic capabilities into the platform combines cloud detection, autonomous response, and automated forensics in one place. It offers forensic clarity within minutes, access to essential data before it disappears, and enables any team to respond decisively.”

Availability. Darktrace / Forensic Acquisition & Investigation, its integrations within the ActiveAI Security Platform, and new features in Darktrace / CLOUD are available from the moment of announcement. The company has also scheduled an Innovation Launch on October 9th to detail its vision for cloud security.


What this means for a CISO (and their team)

  • Lower MTTR: reducing investigation time from days to minutes isn’t just incremental savings; it’s changing outcomes.
  • Coverage of short-lived resources: containers and functions leave traces when it matters—at alert time.
  • Less archaeology, more response: unified timelines and ready-to-audit reports reduce manual log correlation work.
  • Coexistence with current stacks: any alert can trigger an acquisition — no need to overhaul existing systems to add automated forensics.
  • Custody options: SaaS or on-premises, depending on regulation and risk appetite.

Conclusion: from firefighting to proactive investigation

Cloud security demands teams stop late-stage archaeology and start investigating with the clock on their side. Darktrace / Forensic Acquisition & Investigation aims precisely to do this: capture volatile data when it matters, automate core evidence reconstruction without manual work, and close the loop with detection and response under one roof. In a world where cloud accelerates innovation and attackers shorten windows, turning days into minutes can be the difference between containing an incident and suffering impactful damage.


FAQs

What is cloud automated forensics, and how does it differ from manual snapshots?
Automated forensics captures disk, memory, and logs at detection time using cloud provider APIs, even in ephemeral assets. Unlike manual snapshots (or agent-based methods), it doesn’t depend on the resource remaining alive or someone initiating the process in time; it preserves volatile evidence and reconstructs attack timelines automatically.

How does Darktrace investigate short-lived container and serverless incidents?
The system is designed to capture evidence from ephemeral loads (e.g., AWS ECS, Kubernetes, distro-less/no-shell containers), ensuring evidence persists beyond the resource lifecycle. This preservation enables analysis of lateral movements, privilege escalations, or credential abuse even after the asset no longer exists.

Does it integrate with my SIEM/XDR/CNAPP, or do I need to replace tools?
It can operate independently or integrate with the ActiveAI Security Platform. In either case, it can listen to alerts from existing tools (SIEM, XDR, CNAPP, EDR, NDR, native cloud services) and trigger immediate forensic acquisition without retooling your stack.

What concrete benefits does it offer over traditional cloud investigation times?
The goal is to reduce investigation from days to minutes: instant evidence capture, automatic timelines with root cause, exportable reports, and parallel investigations. This results in less MTTR, less damage from uninvestigated alerts, and a greater ability to contain swiftly while preserving evidence for remediation and compliance.

via: darktrace
