Darktrace Unveils Automated Forensics Capabilities


Darktrace has released its Forensic Acquisition & Investigation solution that provides security teams access to forensic-level data, equipping them with context to investigate threats across hybrid, multi-cloud and on-premises environments.

Cloud adoption has outpaced security operations, creating blind spots that adversaries are quick to exploit. Nearly 90% of organisations report suffering damage before they can contain cloud incidents, and 65% say investigations take three to five days longer in the cloud compared to on-premises environments, according to a survey of 300 cloud security decision makers. Traditional log-based alerts miss behaviours such as lateral movement or privilege escalation, while evidence from ephemeral assets like containers and serverless functions often disappears before it can be collected — leaving security teams struggling to respond effectively.

At the same time, attacks against cloud workloads are increasingly aggressive. New analysis of Darktrace’s Cloudypot honeypots reveals that attacks on tools like Jupyter Notebooks often arrive in sudden bursts, generating high volumes of attacks in a short period of time from a small group of persistent attackers. These findings highlight that when adversaries target the cloud, they strike quickly and at scale, leaving defenders little time to investigate before critical evidence disappears.

Darktrace / Forensic Acquisition & Investigation is an automated forensic investigation solution designed for the speed and complexity of modern cloud environments. It captures and analyses host-level evidence — including disk, memory, and logs — at the exact moment a threat is detected, even from short-lived assets such as containers or serverless workloads. These investigations can be triggered by Darktrace or by detections from existing cloud security tools.

Unlike point solutions that depend on manual snapshots or agents, Darktrace collects evidence directly through cloud APIs, so investigations begin immediately and critical data from ephemeral workloads is not lost. By preserving volatile data and reconstructing attacker behaviour in real time, the solution adds critical context to everyday investigations, enabling security teams to understand root causes quickly and shorten investigation times from days to minutes — a critical advantage as over 40% of organisations report suffering significant damage from cloud alerts that were never investigated at all.

“Cloud investigations are notoriously complex and heavily manual, with evidence scattered across fragmented logs and ephemeral assets that often disappear before they can be collected. Darktrace’s automated cloud forensics solution represents a significant innovation leveraging the speed and scale of cloud to automatically collect, preserve and investigate volatile data at the time of detection, enabling teams to investigate faster, respond more effectively, and reduce overall business risk,” said Philip Bues, Senior Research Manager, Cloud Security & Confidential Computing, IDC.

This solution represents the evolution of capabilities gained through Darktrace’s acquisition of Cado Security earlier this year, alongside continued research and development investment to expand and advance Darktrace’s cloud security portfolio.

Key capabilities of the Darktrace / Forensic Acquisition & Investigation solution include:

  • Automated hybrid forensic capture: Collects host-level data, including disks, memory, logs, and artifacts the moment an alert is raised across on-premises, AWS, Azure, GCP and SaaS environments.
  • Ephemeral data capture: Preserves evidence from short-lived workloads including AWS ECS, Kubernetes, and distro-less or no-shell containers, retaining critical data so that it can be investigated.
  • Automated investigation with complete timelines: Automatically reconstructs attacker behaviour into unified timelines, distilling massive volumes of events into the most significant insights, providing rapid clarity and root cause in minutes without manual correlation.
  • Scalable response and reporting: Supports parallel investigations across multiple systems and automatically generates exportable reports to help reduce analyst workload and assist with compliance burdens.
  • Rapid deployment and seamless integration: Offers flexible SaaS or on-premises deployment, and integrates with existing SIEM, XDR, CNAPP, EDR, NDR, and cloud-native tools so that any alert can trigger immediate forensic capture and investigation.

“In a cloud-first world, security teams need to be able to investigate anything, anywhere, at any time — without delay. With Darktrace / Forensic Acquisition & Investigation, what was once a highly specialized, time-consuming process is now an automated, one-click action for our team. Darktrace collects forensic-level evidence instantly, even in fast-moving cloud environments, and transforms investigative dead ends into actionable intelligence. This has drastically reduced our mean time to respond and empowered our team to shift from reactive archaeology to real-time investigation,” said Justin Dimmick, Senior Security Response Engineer, Cloudera.
