Machine learning cybersecurity firm Darktrace PLC today announced the launch of Darktrace/Forensic Acquisition & Investigation, an automated forensics tool designed to cut investigation times from days to minutes by capturing forensic-level evidence the moment a threat is detected.
The new solution targets a gap that has opened as cloud adoption has surged in recent years while security operations have struggled to keep pace. According to a survey undertaken by Darktrace, nearly 90% of organizations report suffering damage before they can contain cloud incidents, and 65% say investigations take three to five days longer in the cloud than in on-premises environments.
Darktrace argues that traditional log-based alerts miss behaviors such as lateral movement or privilege escalation, while evidence from ephemeral assets like containers and serverless functions often disappears before it can be collected, leaving security teams struggling to respond effectively.
Attacks against cloud workloads are increasingly aggressive. Analysis of Darktrace’s Cloudypot honeypots shows that attacks on tools like Jupyter Notebooks often arrive in sudden bursts, generating high volumes of attacks in a short period of time from a small group of persistent attackers.
Darktrace/Forensic Acquisition & Investigation tackles these issues with an automated forensic investigation solution designed for the speed and complexity of modern cloud environments. The solution captures and analyzes host-level evidence, including disk, memory and logs, at the exact moment a threat is detected, even from short-lived assets such as containers or serverless workloads.
Under the hood, the solution reconstructs attacker behavior into unified timelines, giving security teams clear root-cause analysis without the need for manual correlation. It supports parallel investigations across multiple systems and generates exportable reports to reduce analyst workloads and ease compliance requirements.
Notably, the capabilities build on technology from Darktrace’s acquisition earlier this year of Cado Security Ltd., integrating Cado’s expertise into the broader Darktrace ActiveAI Security Platform.
Key features of the new Darktrace/Forensic Acquisition & Investigation solution include automated hybrid forensic capture, which collects host-level data the moment an alert is raised across cloud, software-as-a-service and on-premises environments. The capture covers disks, memory, logs and other artifacts, ensuring investigators have immediate access to critical evidence.
Darktrace/Forensic Acquisition & Investigation integrates natively with existing security information and event management (SIEM), extended detection and response (XDR), cloud-native application protection platform (CNAPP), endpoint detection and response (EDR), network detection and response (NDR) and cloud-native security tools, enabling any alert to trigger instant forensic capture and investigation.
“Cloud adoption has unlocked extraordinary opportunities for innovation but has also created new challenges and blind spots for security teams,” said Connie Stride, senior vice president of product at Darktrace. “By bringing pioneering forensic technology into the Darktrace platform, we’ve combined industry-leading cloud detection, autonomous response and automated forensics in one place.”
Stride added that the feature set “transforms how organizations can defend the cloud – delivering forensic-level clarity in minutes, ensuring access to essential data before it disappears, and empowering every security team to respond decisively against modern cloud threats.”