
Darktrace Review 2026: Does the AI Immune System Actually Work?

Darktrace says it has built an AI that learns what 'normal' looks like inside your organisation and autonomously responds to anything that deviates from it. The immune system metaphor is deliberately chosen, and after more than a decade in market there is enough real-world evidence to evaluate it honestly.

Digital by Default · 25 June 2026 · AI & Automation Consultancy

Darktrace has one of the most distinctive pitches in enterprise security. While everyone else is talking about threat intelligence feeds, signature libraries, and rules-based detection, Darktrace says it has built an AI that learns what "normal" looks like inside your organisation — and autonomously responds to anything that deviates from it, in real time, without needing to know what the threat is in advance.

The immune system metaphor is deliberately chosen: your immune system doesn't consult a list of known pathogens before responding to an infection. It learns your body, recognises when something doesn't belong, and neutralises it. Darktrace's argument is that modern cyber threats — zero-days, novel ransomware variants, insider threats, AI-generated attacks — require exactly this kind of model.

It's a compelling vision. And after more than a decade in market (the company was founded in 2013), with 9,000+ customers across 110 countries, Darktrace has enough real-world evidence to evaluate it honestly. This review covers the full platform as it stands in mid-2026: self-learning AI, Antigena autonomous response, network detection and response (NDR), email security, and the newer attack path modelling capability.


What Is Darktrace?

Darktrace was founded in Cambridge in 2013, spun out of research by mathematicians and intelligence analysts from GCHQ and MI5. The company went public in 2021, was taken private again by Thoma Bravo in 2024, and has continued expanding its platform while competitors have caught up on the AI marketing language if not always the substance.

The core platform comprises:

  • Darktrace DETECT: Network detection and response — passively monitors all network traffic, user behaviour, device behaviour, and cloud activity to build a probabilistic model of normal behaviour across the organisation
  • Darktrace RESPOND (formerly Antigena): Autonomous response that takes surgical actions — dropping a connection, throttling a device's network access, enforcing normal behaviour patterns — in real time, without waiting for human authorisation. It can also be run in a human-confirmation mode in which each proposed action waits for an analyst's approval, which is how most deployments start
  • Darktrace / EMAIL: AI-native email security that classifies messages based on behavioural patterns rather than signature matching. Detects account takeovers, spear phishing, and business email compromise
  • Darktrace / CLOUD: Extends the self-learning AI model to cloud environments — AWS, Azure, GCP, SaaS applications
  • Darktrace / ENDPOINT: EDR capability extending the self-learning model to device-level behaviour
  • Darktrace / OT: Operational technology and ICS/SCADA security — a significant differentiator for manufacturing, utilities, and critical infrastructure
  • Cyber AI Analyst: Automated investigation and reporting capability — surfaces and contextualises incidents as human-readable reports
  • Attack Path Modelling: Proactive capability that models how an attacker could move through your environment given its current configuration, before an attack occurs

The Technology: The Self-Learning AI in Practice

Unsupervised Machine Learning at Scale

The foundation of Darktrace's approach is unsupervised machine learning — specifically Bayesian probabilistic models and recursive Bayesian estimation. Unlike supervised ML systems that require labelled training data (i.e., you need examples of "attack" and "normal" to train the model), Darktrace's approach learns from your environment alone, without needing to see malicious examples first.

In practical terms, this means:

  • Darktrace learns the difference between a finance director who regularly connects to Salesforce from their home IP versus a potential account takeover where the same credentials are used from an unusual location at 3am
  • It understands that a DevOps engineer regularly SSH-ing to AWS instances is normal; the same behaviour from an accountant's laptop is not
  • It detects early-stage ransomware indicators — a device quietly enumerating network shares, low-and-slow credential scanning — before the encryption begins

The claim that it can detect zero-day and novel threats is legitimate as far as it goes: detection is keyed to deviation from the learned baseline, not to prior knowledge of the threat. Two caveats follow directly from that design. An attacker who is already active during the learning period is learned as part of "normal", and activity that stays inside an existing pattern of life (a compromised account used from its usual hosts, over its usual protocols, at its usual hours) does not stand out. Behavioural baselining is also no longer unique to Darktrace; the difference from IOC- and signature-led products is one of emphasis and maturity rather than kind.

RESPOND (Antigena) — Autonomous Response

The autonomous response capability is where Darktrace gets controversial. Security teams have deeply held instincts against automated response systems that can take actions without human approval — the risk of false positives disrupting legitimate business operations is real.

Darktrace's answer is graduated, surgical containment rather than blunt blocking. RESPOND's default action enforces what it considers the device's "pattern of life": if a laptop starts making unusual outbound connections, RESPOND does not disconnect the device but limits it to the connections it was making before the anomaly started, so the attacker's lateral movement is stopped while the user's legitimate activity is preserved. Harsher actions, up to full quarantine of a device, exist for high-confidence cases and can be restricted per device group by policy, and the whole module can run in a human-confirmation mode in which proposed actions wait for analyst approval.

This is more nuanced than it sounds in the pitch, and it does work reasonably well in practice. The caveat: the "pattern of life" model needs time to mature (typically 2–4 weeks of observation before RESPOND is activated), and in fast-moving or highly variable environments (DevOps teams, remote workers with irregular patterns), false positives in the first few months can be frustrating.
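The baseline-and-deviation logic described in the last two sections, and its blind spot, are easier to see in code. The following is an added illustration written for this review; it is not Darktrace's code or model, and its weights, thresholds, device names and traffic are all constructed. It learns a per-device pattern of life (destinations, active hours, peak outbound volume) from a two-week window, scores new connections by how far they fall outside it, and applies a response policy that blocks only the anomalous connection while the same device's normal traffic carries on. It also shows what happens when a device is already compromised during the learning window.

```python
"""Toy pattern-of-life baseline plus surgical response.

Added for this review; not Darktrace's code or model. Weights, thresholds,
device names and traffic are arbitrary constructed values chosen to show the
shape of the logic, including the learning-window blind spot.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Flow:
    ts: datetime
    src: str        # device name
    dst: str        # destination host or IP
    port: int
    bytes_out: int


@dataclass
class Baseline:
    destinations: set = field(default_factory=set)  # (dst, port) pairs seen
    hours: set = field(default_factory=set)         # hours of day with activity
    max_bytes_out: int = 0                           # largest single flow seen


def learn(flows):
    """Learning window: everything observed is accepted as normal, including
    any attacker traffic already present (see dev-box-02 below)."""
    baselines = defaultdict(Baseline)
    for f in flows:
        b = baselines[f.src]
        b.destinations.add((f.dst, f.port))
        b.hours.add(f.ts.hour)
        b.max_bytes_out = max(b.max_bytes_out, f.bytes_out)
    return baselines


def score(flow, baseline):
    """Return (score, reasons); 0.0 means fully inside the pattern of life."""
    s, reasons = 0.0, []
    if (flow.dst, flow.port) not in baseline.destinations:
        s += 0.5
        reasons.append("new destination/port")
    if flow.ts.hour not in baseline.hours:
        s += 0.3
        reasons.append("outside usual hours")
    if baseline.max_bytes_out and flow.bytes_out > 10 * baseline.max_bytes_out:
        s += 0.6
        reasons.append("volume more than 10x previous peak")
    return min(s, 1.0), reasons


def respond(flow, baseline, block_threshold=0.5):
    """Surgical policy: decide per connection, not per device. A connection that
    matches the learned pattern is allowed even while a sibling connection from
    the same device is being blocked."""
    s, _ = score(flow, baseline)
    return "block" if s >= block_threshold else "allow"


def constructed_learning_window():
    """Constructed sample traffic, not real telemetry. fin-laptop-07 has a clean
    office-hours pattern; dev-box-02 was ALREADY beaconing to an attacker host
    (a TEST-NET-2 address) throughout the learning window."""
    flows = []
    for day in range(1, 15):
        for hour in range(9, 18):
            ts = datetime(2026, 6, day, hour)
            flows.append(Flow(ts, "fin-laptop-07", "salesforce.com", 443, 40_000))
            flows.append(Flow(ts, "fin-laptop-07", "intranet.example.internal", 443, 15_000))
        for hour in range(24):
            ts = datetime(2026, 6, day, hour)
            flows.append(Flow(ts, "dev-box-02", "ec2.eu-west-1.amazonaws.com", 22, 90_000))
            flows.append(Flow(ts, "dev-box-02", "198.51.100.23", 8443, 2_000))
    return flows


def demo():
    """Score day-15 probes against the learned baselines.
    Returns {probe_name: (decision, score, reasons)}."""
    baselines = learn(constructed_learning_window())
    t = lambda hour: datetime(2026, 6, 15, hour)
    probes = {
        "fin_salesforce_daytime": Flow(t(10), "fin-laptop-07", "salesforce.com", 443, 42_000),
        "fin_smb_enum_3am": Flow(t(3), "fin-laptop-07", "fileserver-03", 445, 5_000),
        "fin_intranet_3am_same_device": Flow(t(3), "fin-laptop-07", "intranet.example.internal", 443, 15_000),
        "fin_bulk_upload_known_channel": Flow(t(11), "fin-laptop-07", "salesforce.com", 443, 900_000),
        "dev_beacon_learned_as_normal": Flow(t(14), "dev-box-02", "198.51.100.23", 8443, 2_000),
    }
    out = {}
    for name, f in probes.items():
        s, reasons = score(f, baselines[f.src])
        out[name] = (respond(f, baselines[f.src]), round(s, 2), reasons)
    return out


if __name__ == "__main__":
    for name, (decision, s, reasons) in demo().items():
        print(f"{name:32} {decision:5} {s:.2f} {', '.join(reasons) or 'within pattern of life'}")
```

Run as a script, the finance laptop's 3 a.m. SMB probe to a never-seen file server is blocked while its simultaneous 3 a.m. intranet connection is allowed (off-hours alone does not cross the threshold), a ten-fold upload spike over its usual Salesforce channel is blocked on volume, and the dev box's hourly beacon to 198.51.100.23 sails through with a score of zero because it was present for the whole learning window. That last row is the practical reason to run the proof-of-value in detection-only mode and to review the baseline before RESPOND is armed.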

Cyber AI Analyst

This is one of Darktrace's genuinely impressive capabilities in 2026. The AI Analyst continuously investigates every model breach (Darktrace's term for an alert), correlates events across the network, and produces written incident reports — with timelines, affected devices, recommended actions, and severity assessments — in minutes.

For organisations without large SOC teams, AI Analyst is transformative. It's doing Tier 1 and early Tier 2 analyst work automatically. The quality of the reports is good enough that human analysts can focus exclusively on the top-tier incidents that require genuine human judgment.

Attack Path Modelling

The proactive attack path modelling capability, significantly expanded in 2025 and 2026, models your environment from an attacker's perspective. It identifies which assets are most exposed, which privilege escalation paths exist, and what the blast radius of a credential compromise would be — before anyone has been attacked.

This is particularly valuable for security teams doing quarterly risk reviews, preparing for audits, or making the case to executive leadership for specific remediation investments. "Here are the three configuration changes that would eliminate the most dangerous attack paths in our environment" is a much more actionable output than a generic vulnerability scan.


Pricing

Darktrace prices primarily on the size of the environment being protected:

Module | Indicative annual cost | Pricing basis
DETECT + RESPOND (Network) | £30,000–£150,000+ | Number of users/devices
Darktrace / EMAIL | £15–£30 per user | Per user
Darktrace / CLOUD | Custom | Cloud resources
Darktrace / ENDPOINT | ~£60–£100 per device | Per device
Darktrace / OT | Custom | OT assets
Cyber AI Analyst | Included with DETECT | n/a
Attack Path Modelling | Premium add-on | n/a

A mid-sized organisation of 500 employees with network, email, and cloud modules would typically pay £80,000–£150,000 annually. Enterprise-scale deployments (5,000+ users with full suite) exceed £500,000.

Darktrace requires a minimum deployment size — typically 150–200 users — below which the self-learning AI lacks sufficient behavioural data to be effective. Very small organisations are not the target market.


Darktrace vs. The Competition

Feature | Darktrace | CrowdStrike Falcon | Vectra AI | SentinelOne Singularity
Core approach | Self-learning AI (unsupervised) | Behavioural + threat intelligence | Attack Signal Intelligence | Autonomous AI (on-device)
Detection type | Anomaly-based (unknown threats) | Behavioural + IOC matching | Attack signal (known TTPs) | Behavioural + ML
Autonomous response | Yes (surgical, behaviour-based) | Limited | Limited (lockdown via EDR and identity integrations) | Yes (endpoint-focused)
Network detection | Excellent (core strength) | Limited | Excellent (core strength) | Limited
Email security | Yes (AI-native) | No (third-party integration) | No | No
OT/ICS security | Strong | Limited | Limited | Limited
Cloud security | Growing | Strong | Growing | Growing
Endpoint (EDR) | Growing | Best-in-class | No | Best-in-class
Threat intelligence | Internal only | Best-in-class | MITRE ATT&CK aligned | Strong
AI analyst / reporting | Excellent (mature) | Charlotte AI | Limited | Purple AI
Attack path modelling | Yes | Limited | Limited | No
Best for | Network NDR, OT, insider threat | Endpoint, threat intel | Network detection in SOCs | Autonomous endpoint response

Darktrace vs. CrowdStrike

These products largely complement rather than compete: CrowdStrike owns the endpoint, Darktrace owns the network, and many large organisations run both. The overlap is in cloud workload protection and AI-driven incident investigation, and there the detection philosophies differ: Falcon leans on threat intelligence and behavioural indicators of known attack techniques, while Darktrace leans on anomaly detection against a learned baseline.

If forced to choose between them: choose CrowdStrike for endpoint-heavy environments where you need threat intelligence context and managed detection services. Choose Darktrace if your primary concern is network-level lateral movement, insider threats, OT security, or detecting novel attacks you don't yet know about.

Darktrace vs. Vectra AI

Vectra AI is Darktrace's closest direct competitor in network detection and response. Vectra's Attack Signal Intelligence platform is built around MITRE ATT&CK framework TTPs rather than pure anomaly detection — it looks for attacker behaviour patterns rather than environmental deviations. Vectra tends to produce fewer, higher-fidelity alerts tied to specific attack techniques, which security analysts in mature SOCs often prefer.

Darktrace's advantages over Vectra: native autonomous response on the network (Vectra's lockdown actions go through EDR and identity-provider integrations rather than enforcing at the network level), the broader platform (email, OT, cloud), and the AI Analyst for teams without deep SOC expertise. Vectra's advantage: better integration into existing SOC workflows and analyst tooling for teams that want human-controlled investigation rather than autonomous action.

Darktrace vs. SentinelOne

Limited direct competition. SentinelOne is an endpoint-first platform; Darktrace is a network-first platform. SentinelOne's Purple AI is a strong AI analyst competitor. For organisations evaluating both, the question is where their primary detection gap is — endpoint behaviour or network/lateral movement. The ideal architecture for a large enterprise often includes both.


Who It's For

Darktrace is an excellent fit if you are:

  • An enterprise that has endpoint security covered and needs to close the network detection gap
  • Running OT or ICS environments (manufacturing, utilities, healthcare, critical infrastructure) where legacy devices can't run endpoint agents
  • Concerned about insider threats and account compromises that won't trigger signature-based detections
  • A mid-to-large organisation without a large SOC team — AI Analyst significantly reduces the analyst hours required
  • Running complex hybrid environments with a mix of on-prem, cloud, and SaaS where a behavioural baseline across the whole estate is valuable
  • Looking for autonomous response capability to reduce dwell time without building a 24/7 SOC

Darktrace is probably not the right choice if you are:

  • Looking for a primary endpoint security solution — Falcon or SentinelOne will serve you better
  • A small organisation under 150 users — the self-learning model needs data volume to be effective
  • Running a highly variable environment (aggressive DevOps pipelines, heavily distributed remote workforce) without tolerance for early-stage false positives
  • A mature SOC team that prefers analyst-controlled investigation over autonomous response — Vectra AI may be a better cultural fit
  • Looking for threat intelligence context tied to named adversaries and known TTPs — Darktrace's model doesn't give you that; CrowdStrike does

How to Get Started

1. Request a free Proof of Value (POV). Darktrace offers a 30-day POV where the platform runs in passive detection mode on your network without blocking anything. After 30 days, you receive a report on what was found. This is their standard go-to-market motion and it's effective — the findings typically include at least a few genuine issues that weren't previously visible. Approach it as a security assessment, but remember it is also a sales motion: agree in advance which network segments are mirrored to the appliance, where the captured metadata is stored and for how long, and who at Darktrace can see it.

2. Plan for the learning period. The first 2–4 weeks are the model training period. RESPOND should not be activated during this period. Expect to see a high volume of alerts in week one as the model calibrates — these will reduce dramatically as the baseline matures.

3. Define your RESPOND thresholds carefully. This is the most important configuration decision. Work with the Darktrace deployment team to define which autonomous response actions are appropriate for which device groups: a domain controller or an OT controller should never be quarantined automatically. Starting in human-confirmation mode, then moving to lower-impact actions (enforcing pattern of life rather than quarantining) before allowing harsher ones, reduces operational risk during the initial deployment.

4. Integrate with your SIEM and ticketing systems. Darktrace's API is well documented and integrates with Splunk, Microsoft Sentinel, ServiceNow, and most enterprise SIEM/SOAR platforms. Ensure these integrations are in scope from day one — AI Analyst reports are most valuable when they flow into existing analyst workflows, not a separate console.

5. Leverage attack path modelling for board reporting. The output from attack path modelling is unusually well-suited to executive and board reporting — it translates technical configuration risk into business impact language. Build this into your quarterly security review cycle from the start.
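Step 4 in practice, as an added example that is not Darktrace's own code: signing a request to the Threat Visualizer REST API and flattening one AI Analyst incident event into a JSON line a SIEM or log forwarder can ingest. The HMAC-SHA1 header scheme (DTAPI-Token, DTAPI-Date, DTAPI-Signature over the request path, public token and date) follows Darktrace's published API guide as understood here; the endpoint path /aianalyst/incidentevents, its query parameters, the response field names and the severity mapping are assumptions that must be checked against the API guide for your appliance version. The sample event is constructed and no network call is made.

```python
"""Sign a Darktrace Threat Visualizer API request and flatten an AI Analyst
incident event for a SIEM.

Illustration added for this review, not Darktrace's own code. The signing
scheme follows Darktrace's published API guide as understood here; the
endpoint path, query parameters, response field names and severity mapping
are ASSUMED and should be checked against the API guide for your appliance
version. The sample event is constructed; nothing is sent over the network.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def dt_sign(request, public_token, private_token, date):
    """HMAC-SHA1, keyed with the private token, over
    "<path?query>\\n<public token>\\n<date>", hex-encoded. 'request' is the path
    plus query string exactly as it will be sent; re-ordered parameters or a
    trailing slash produce a different signature."""
    msg = f"{request}\n{public_token}\n{date}".encode()
    return hmac.new(private_token.encode(), msg, hashlib.sha1).hexdigest()


def dt_headers(request, public_token, private_token, now=None):
    """Headers for one signed request. The UTC date (YYYYMMDDTHHMMSS) is part
    of the signed string, so a captured request cannot be replayed with a
    different date; keep the client clock synchronised with the appliance."""
    now = now or datetime.now(timezone.utc)
    date = now.strftime("%Y%m%dT%H%M%S")
    return {
        "DTAPI-Token": public_token,
        "DTAPI-Date": date,
        "DTAPI-Signature": dt_sign(request, public_token, private_token, date),
    }


# ASSUMED mapping of AI Analyst incident categories to a 1-10 SIEM severity.
SEVERITY = {"critical": 9, "suspicious": 6, "compliance": 3, "informational": 1}


def normalise_incident_event(ev):
    """Flatten one /aianalyst/incidentevents item (field names assumed) into a
    stable, schema-light record; unknown categories get a mid severity."""
    iso = lambda ms: datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()
    devices = ev.get("breachDevices", [])
    return {
        "source": "darktrace_ai_analyst",
        "incident_id": ev["id"],
        "title": ev["title"],
        "severity": SEVERITY.get(str(ev.get("category", "")).lower(), 5),
        "score": ev.get("groupScore"),
        "start": iso(ev["startTime"]),
        "end": iso(ev["endTime"]),
        "devices": [d.get("hostname") or d.get("identifier") or d.get("ip") for d in devices],
        "device_ips": [d["ip"] for d in devices if "ip" in d],
        "models": sorted({b["modelName"] for b in ev.get("relatedBreaches", [])}),
        "summary": ev.get("summary", ""),
    }


def to_siem_line(ev):
    """One JSON object per line with sorted keys, ready for a log forwarder."""
    return json.dumps(normalise_incident_event(ev), sort_keys=True)


# CONSTRUCTED sample shaped like an AI Analyst incident event (schema assumed).
SAMPLE_EVENT = {
    "id": "c3f1d6b2-5a7e-4d0b-9e21-0f8a5b6c7d11",
    "title": "Possible SMB Enumeration and Lateral Movement",
    "summary": "fin-laptop-07 enumerated shares on 14 internal hosts at 03:02 UTC, "
               "outside its usual hours, then attempted SMB sessions with three accounts.",
    "category": "critical",
    "groupScore": 78.4,
    "startTime": 1782270000000,   # 2026-06-24T03:00:00Z, in milliseconds
    "endTime": 1782271800000,     # 2026-06-24T03:30:00Z
    "breachDevices": [{"identifier": "fin-laptop-07", "hostname": "fin-laptop-07",
                       "ip": "10.20.30.41", "did": 1187}],
    "relatedBreaches": [{"modelName": "Device / Network Scan", "pbid": 40211},
                        {"modelName": "Device / SMB Session Brute Force", "pbid": 40212}],
}


def demo():
    """Build signed headers for a fixed instant (so the result is repeatable)
    and normalise the constructed sample. Returns (headers, record)."""
    request = "/aianalyst/incidentevents?starttime=1782259200000&endtime=1782345600000"
    fixed_now = datetime(2026, 6, 25, 9, 30, tzinfo=timezone.utc)
    headers = dt_headers(request, "pub-token-example", "priv-token-example", now=fixed_now)
    return headers, normalise_incident_event(SAMPLE_EVENT)


if __name__ == "__main__":
    hdrs, record = demo()
    print(hdrs)
    print(to_siem_line(SAMPLE_EVENT))
```

In a real poller the headers go on a GET to https://<appliance>/ followed by the same request string, the returned list is walked with a persisted high-water mark on endtime so nothing is double-ingested, and the private token lives in a secrets store rather than in code. Keeping the record schema flat and stable matters more than the field choice: SIEM correlation rules and ServiceNow mappings break every time an upstream field is renamed, so normalise once at the edge.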


The Verdict

Darktrace's self-learning AI approach is genuinely differentiated. The unsupervised model, the autonomous response capability, and the AI Analyst represent a distinct approach to security operations that is particularly well-suited to the modern threat landscape — where novel, AI-generated attacks will increasingly outpace signature-based defences.

The platform is not without limitations. Pure endpoint coverage, threat intelligence depth, and MITRE ATT&CK-aligned detection are not Darktrace's strengths. In highly variable environments, the anomaly model requires careful tuning and a tolerance for some initial noise.

But for network-level detection and response, OT security, insider threat detection, and autonomous response, Darktrace is among the best options available. The AI Analyst capability, in particular, is a genuine operational efficiency driver for teams without large analyst headcounts.

The honest assessment: Darktrace works best as part of a layered security architecture — CrowdStrike or SentinelOne on endpoints, Darktrace on the network, with proper SIEM integration tying it together. As a standalone "replace everything" platform, it has gaps. As the network and anomaly detection layer in a mature security programme, it's excellent.

Bottom line: 4 out of 5 for organisations with a genuine network detection gap and/or OT environments. 3 out of 5 as a standalone security platform without complementary endpoint coverage.


Digital by Default helps businesses navigate enterprise cybersecurity decisions — from vendor selection to implementation strategy. If you're evaluating Darktrace or building out your network detection and response capability, [get in touch](/contact).
