惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
aimingoo的专栏
aimingoo的专栏
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Tailwind CSS Blog
J
Java Code Geeks
博客园_首页
Google Online Security Blog
Google Online Security Blog
Hugging Face - Blog
Hugging Face - Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
I
Intezer
P
Palo Alto Networks Blog
V
Vulnerabilities – Threatpost
雷峰网
雷峰网
O
OpenAI News
SecWiki News
SecWiki News
小众软件
小众软件
酷 壳 – CoolShell
酷 壳 – CoolShell
美团技术团队
N
News | PayPal Newsroom
Project Zero
Project Zero
Forbes - Security
Forbes - Security
IT之家
IT之家
A
Arctic Wolf
WordPress大学
WordPress大学
Jina AI
Jina AI
T
Tor Project blog
博客园 - 三生石上(FineUI控件)
S
Secure Thoughts
Google DeepMind News
Google DeepMind News
Attack and Defense Labs
Attack and Defense Labs
博客园 - 聂微东
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Privacy International News Feed
Cloudbric
Cloudbric
G
GRAHAM CLULEY
博客园 - 叶小钗
H
Hacker News: Front Page
腾讯CDC
量子位
Help Net Security
Help Net Security
人人都是产品经理
人人都是产品经理
C
Cyber Attacks, Cyber Crime and Cyber Security
月光博客
月光博客
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
宝玉的分享
宝玉的分享
爱范儿
爱范儿
L
Lohrmann on Cybersecurity
Hacker News - Newest:
Hacker News - Newest: "LLM"
Recorded Future
Recorded Future
C
CERT Recently Published Vulnerability Notes

Darktrace Blog

Why behavioral AI is the answer to Mythos 7 MCP Risks CISO’s Should Consider and How to Prepare How To Secure AI And Find The Gaps In Your Security Operations 92% of Security Pros Concerned About AI Agents Darktrace Launches Unified Security Awareness Training and Messaging Security Darktrace Identifies Encryption in a World Leaks Ransomware Attack NetSupport RAT: Why Legitimate Tools Are as Damaging as Malware What the Darktrace Annual Threat Report 2026 Means for Security Leaders CVE-2026-1731: How Darktrace Sees the BeyondTrust Exploitation Wave Unfolding AppleScript Abuse: Unpacking a macOS Phishing Campaign Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access Medusa Ransomware 2025: RMM Abuse in Ransomware Campaigns How a Leading Bank is Prioritizing Risk Management with Darktrace A framework for securing AI in the enterprise The Year Ahead: AI Cybersecurity Trends to Watch in 2026 Phishing attacks surge by 620% in the lead-up to Black Friday How to Manage Risk in Amazon Bedrock Vo1d Botnet Exposed: How Darktrace Detected a Global Android Threat Tracking a Dragon: Investigating a DragonForce-affiliated ransomware attack with Darktrace Darktrace delivers the next evolution of unified and proactive NDR Salty Much: Darktrace’s take on a recent Salt Typhoon intrusion Akira SonicWall Campaign Uncovered Detecting Vendor Compromise and Trusted Relationship Abuse with Darktrace Industry-First Automated Cloud Forensics ShadowV2: An emerging DDoS for hire botnet SEO Poisoning and Fake PuTTY sites: Darktrace’s Investigation into the Oyster backdoor Why Unifying Email and Network Security Is Critical for Modern Cyber Defense What is a VPS and How Do Attackers Abuse Virtual Servers? Investigating the Ivanti Endpoint Manager Mobile Vulnerabilities 2025 Cyber Threats: A Mid‑Year Review AI Analyst in Action: 4 Real-World Investigations using AI Investigations AI Maturity Model: A Roadmap for Security 5 Core Capabilities for Cloud Forensics and IR Wallet Drainers: How Scams Steal Funds Top Eight Threats to SaaS Security and How to Combat Them Darktrace Tracks CVE‑2025‑31324 Activity UK Cyber Bill: What CISOs Need to Know Unpacking ClickFix: Darktrace Detection Insights Darktrace Recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Network Detection and Response Evaluating Email Security: How to Select the Best Solution for Your Organization AsyncRAT Exposed: Signals and Mitigations Anomaly-Based Threat Hunting: Darktrace's Approach in Action Darktrace Tracks SocGholish to RansomHub How NDR and Secure Access Service Edge (SASE) Work Together to Achieve Network Security Outcomes Force Multiply Your Security Team with Agentic AI: How the Industry’s Only True Cyber AI Analyst™ Saves Time and Stop Threats Why Data Classification Isn’t Enough to Prevent Data Loss Email bombing exposed: Darktrace’s email defense in action Global Technology Provider Transforms Email Threat Detection with Darktrace Survey findings: How is AI Impacting the SOC? Our Annual Survey Reveals How Security Teams Are Adapting to AI-Powered Threats New Threat on the Prowl: Investigating Lynx Ransomware Why Darktrace / EMAIL Excels Against APTs RansomHub’s Rise: RaaS Market Insights CNAPP Alone Isn’t Enough: Focusing on CDR for Real-Time Cross Domain Protection Reimagining Your SOC: How to Shift Away From Reactive Network Security RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal Why AI-powered Email Protection Became Essential for this Global Financial Services Leader Agent vs. Agentless Cloud Security: Why Deployment Methods Matter Defending AITM Phishing and Mamba Attacks Breaking Down Nation State Attacks on Supply Chains Darktrace is Positioned as a Leader in the IDC MarketScape: Worldwide Network Detection and Response 2024 Vendor Assessment Protecting Your Hybrid Cloud: The Future of Cloud Security in 2025 and Beyond Phishing Attacks Surge Over 600% in the Buildup to Black Friday Why Artificial Intelligence is the Future of Cybersecurity Darktrace Leading the Future of Network Detection and Response With Recognition from KuppingerCole AI and Cybersecurity: Predictions for 2025 Navigating Buying and Adoption Journeys for AI Cybersecurity Tools How Darktrace won an email security trial by learning the business, not the breach Introducing Real-Time Multi-Cloud Detection & Response Powered by AI From Call to Compromise: Darktrace’s Response to a Vishing-Induced Network Attack Business Email Compromise (BEC) in the Age of AI How AI can help CISOs navigate the global cyber talent shortage What you need to know about FAA Security Protection Regulations 2024 Introducing ‘Defend Beyond’: Our promise to customers in the face of evolving threats How Darktrace’s AI Applies a Zero-Trust Mentality within Critical Infrastructure Supply Chains Darktrace Releases 2024 Half-Year Threat Insights Safelink Smuggling: Enhancing Resilience Against Malicious Links CDR is just NDR for the Cloud... Right? Qilin RaaS: Darktrace Detection Insights Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks Safeguarding Distribution Centers in the Digital Age Darktrace Investigation Into Medusa Ransomware Exploring the Benefits and Risks of Third-Party Data Solutions Strategies to Combat Microsoft Teams Phishing Attacks Lost in Translation: Darktrace Blocks Non-English Phishing Campaign Concealing Hidden Payloads How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC The Rise of Alternative Access in Cloud Attacks The State of AI in Cybersecurity: How AI will impact the cyber threat landscape in 2024 Moving Beyond XDR to Achieve True Cyber Resilience with Darktrace ActiveAI Security Platform The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners Balada Injector: Darktrace’s Investigation into the Malware Exploiting WordPress Vulnerabilities Looking Beyond Secure Email Gateways with the Latest Innovations to Darktrace / EMAIL Utilizing AI Security Against Phishing Campaigns AI Function Assistance to Humans in Cyber Crises How Darktrace SOC Thwarted a BEC Attack Understanding Email Security & the Psychology of Trust Breaking Down "ICES": An Umbrella Term With Wide Variety Boosting Security Posture with Email Integration Enhancing Darktrace with Microsoft Defender Flexible Deployments for Enhanced Email Security
Why API + Journaling Delivers Faster, SLA-Backed Email Security for Microsoft 365
Carlos Gray · 2025-11-04 · via Darktrace Blog

Darktrace / EMAIL offers flexible deployment options, seamlessly integrating with Microsoft 365 and other native providers to protect against advanced threats across email and collaboration channels. Gartner analysts recommend API-based integrations for modern email security and customers consistently rate these approaches highly on Gartner Peer Insights.

But not all API integrations are equal. This blog explores an option uniquely offered by Darktrace: API + Journaling, and why it matters for speed, reliability, and resilience.

API + Journaling: What it is and why it’s different

Most Integrated Cloud Email Security (ICES) solutions rely on API-only ingestion, which:

  • Subscribes to Microsoft Graph change notifications
  • Fetches and analyzes messages after delivery
  • Quarantines or retracts malicious messages post-inbox

This works, but introduces notification latency. Microsoft Graph aims for near-real-time delivery, but practical delays can range from seconds to minutes, especially under load or retry conditions. Even a one-second delay matters when email is your most critical communication channel.

API + Journaling solves this.

By adding journaling in Microsoft 365, Darktrace receives a copy of the raw email while it’s still in the transport pipeline – before it hits the inbox. That means:

  • Analysis runs in parallel with Microsoft’s native defenses
  • Detection decisions happen pre-delivery, not after
  • Latency is dramatically reduced, and long-tail delays are eliminated

A modern, security-relevant approach

While journaling was originally introduced in Microsoft Exchange for compliance and archiving, it has evolved into a mature, well-documented feature that is widely used for both compliance and security monitoring. Microsoft’s own documentation recognizes journaling as a supported, secure, and configurable mechanism for message capture. In modern ICES deployments, journaling is leveraged not just for archiving, but for real-time, pre-delivery analysis, enabling faster detection and response to threats.

What I appreciate most is the simplicity of setting it up and configuring it."

Latency advantage: Measured in real environments

Our measurements across real customer deployments confirm the performance gap between API-only and API + Journaling deployments when evaluating the time taken to receive a single email:

Metric API-only API + Journaling Improvement
Median 1.31 s 0.53 s ~2.5×
Mean (trimmed) 1.98 s 0.57 s ~3.5×
Mean (raw) 21.88 s 0.75 s ~30×

The bottom line?

API + Journaling consistently cuts detection latency by 2–3x in typical scenarios and mitigates long-tail delays by up to ~30x – a critical advantage when every second counts. That could be the difference between actioning an email before a user sees it within their inbox or after, avoiding user confusion and erroneous email notifications that disappear by the time they go into Outlook.

Their Proof of Life, learning your environment and user behaviour and the things it has automatically noted were amazing. There has not been a single case of phishing in our organization since its deployment."

And speed isn’t the only benefit

API + Journaling doesn’t only benefit email users in terms of delivery speed. It also offers:

  • Robustness backed by SLAs: Journaling leverages Microsoft 365’s Exchange Online transport pipeline, which operates under Microsoft’s financially backed 99.9% availability SLA. API notifications, by contrast, are best-effort and carry no latency guarantee
  • Resilience against API throttling: Journaling avoids variability from Graph webhook delivery and retries
  • Defense in depth: Parallel analysis with native security reduces exposure windows and strengthens posture

Flexible deployment, clear recommendation

Darktrace / EMAIL supports multiple integration patterns, including API-only for environments where journaling isn’t feasible. API-only deployments remain a flexible option for organizations with specific requirements or constraints. However, for those prioritizing speed, reliability, and SLA-backed assurance, API + Journaling is our recommended approach.

All integration styles have trade-offs, and the right choice depends on your organization’s needs and constraints. Darktrace’s integration with Microsoft 365 is fully supported and aligns with Microsoft’s best practices for ICES vendors. Our approach delivers both operational efficiency and enhanced detection, as validated by customer results and independent analyst recognition. We recommend API + journaling for organizations seeking the best balance of speed, clarity, and resilience.

Ready to accelerate your email threat detection? Contact us to get a demo and we’ll walk you through our deployment options.

Journaling Myths & Facts: FAQ

Q: Is journaling slow, outdated, or risky compared to API-only approaches?
A: No. Journaling is a mature, well-documented Microsoft feature, widely used for compliance and security monitoring. When implemented with proper controls, journaling is secure and compliant. Data is isolated, access-controlled, and never shared across customers. Importantly, journaling does not “move” the original email out of Microsoft 365; it simply creates a copy for analysis, leaving the original message flow intact. Pre-delivery journaling enables parallel analysis with native security, reducing risk, not increasing it.

Q: Is it true that Microsoft does not recommend using Journaling and/or post-delivery actions?  
A: No, Microsoft clearly states that they do not recommend these methods for security benchmarking specifically. However, as a deployment method, it is a perfectly valid approach with more consistent delivery times than relying on APIs exclusively.  

Q: Does API + Journaling create fragmented visibility or complicate investigations?
A: Other solutions may create duplicated visibility but Darktrace’s deployment ensures message IDs are preserved, maintaining operational clarity and traceability for SOC teams. Our integration is designed to avoid message duplication and supports unified investigation workflows. API + journaling is unique in providing both speed and clarity, with proven customer outcomes such as reducing malicious messages to zero in large enterprise environments.

Q: Is journaling secure and compliant?
A: Yes. Journaling data is isolated, access-controlled, and never shared across customers. Microsoft provides clear guidance on secure journaling configurations and compliance best practices.

Q: Does journaling mean there is no internal or lateral email monitoring?
A: Darktrace can be configured to capture internal, external, or all messages, ensuring full visibility for compliance and threat detection.

Q: What if my organization can’t use journaling?
A: Darktrace / EMAIL still supports API-only deployments, providing flexibility for organizations with unique requirements.

References

Microsoft Online Services SLA (Exchange Online)

Configure Journaling in Exchange Online

Journaling in Exchange Online

Microsoft Graph API Change Notifications

Thanks for signing up!

Look out for your first newsletter, coming soon.

Oops! Something went wrong while submitting the form.

More in this series

Securing sporting events in 2026

When you walk into a stadium on game day, you are entering a small smart city. Ticketing, turnstiles, payments, public Wi-Fi for tens of thousands of fans, CCTV, lighting, even the HVAC all run on connected systems. The experience for fans has become unmatched, but that dependency has created a much larger attack surface than people may realize.

Our latest threat research backs that up. In the past year, a survey that Darktrace commissioned found that 84% of respondents from professional sports organizations had at least one cyber incident, and 57% were hit more than once. For a sector that relies on the impact of the live moment, those numbers translate directly into operational risk.

Why sports is a target for cyber attacks

Sport is a highly visible target with fixed timelines, so attackers know exactly when disruption will have the most impact. It also holds valuable data, athlete medical records, contracts, sponsorship deals, which carry financial, reputational, and regulatory risk if exposed. At the same time, delivery depends on a wide set of third parties: ticketing providers, broadcasters, cloud services, stadium technology. Any of those connections can become an entry point. Put visibility, timing, data, and dependency together, and you get an environment where even a small foothold can turn into a visible, time-critical incident.

How attackers target email and identity

Email and identity remain the front door. From October 2025 through March 2026, Darktrace / EMAIL™ detected more than 116,000 phishing emails aimed at sports organizations across our customer base, and our sports customers received 19% more phishing emails than organizations in other sectors. The numbers tell the story:

BY THE NUMBERS

  • 21% of phishing emails were aimed at VIPs.
  • 37% used novel social engineering.
  • 84% of malicious emails passed DMARC authentication

A large proportion of these emails passed authentication checks, which means traditional security controls are no longer a reliable barrier. Attackers are not relying on spoofed domains – they're using legitimate infrastructure and trusted platforms. Behavior matters. Once an account is compromised, the behavior shifts quickly. Login patterns change, inbox rules are created to hide responses, and accounts start being used for internal discovery or further phishing. These aren’t high-noise events. They sit in normal workflows, which is why they’re often missed.

Ransomware tells a similar story. In one case inside a sports deployment, attackers had quietly been moving data to an outside server for a full two weeks before they triggered encryption. By the time the ransom note appeared, the outcome was already set. That sequence shows up consistently is access first, movement next, disruption last. If detection starts at encryption, it’s already too late.

Why AI is an emerging blind spot in sports

The increasing adoption of AI is expanding the potential attack surface. 72% of the security professionals we surveyed expect AI to increase their cyber risk over the next year, and yet 35% are already using or planning to use it in stadium operations, the most critical functions to protect. In addition to prompt injection and AI build risks, shadow AI is becoming a more immediate issue. Staff are already putting sensitive data—performance metrics, scouting reports, contracts, health data—into tools with little or no governance. The upside is clear, but so is the exposure—and it is happening before most organizations have any visibility or control. At the same time, attackers are using the same technology to scale phishing and social engineering. The net effect is simple: more exposure, at higher speed.

How can cybersecurity professionals prepare

Across high profile events, Darktrace’s experience shows that effective cyber defense includes preparation, real‑time visibility, and the ability to respond dynamically and decisively when timing, complexity, and public exposure converge.

There are a few strategic implications for cybersecurity teams:

  • Get behavioral visibility across IT and OT, not just corporate systems.
  • Treat identity as your control plane. Most attacks in this sector start with credentials, not malware. MFA with behavioral detection helps solve that challenge.
  • Control third party and AI access the same way you control your own environment.
  • Rehearse response for live conditions, where decisions happen in minutes. Detection and response need to account for non-ideal conditions when engineers are under pressure and time constrained. In sport, timing is what turns small issues into major incidents. The same activity that would be manageable midweek becomes critical during a live event.

Why 2026 raises the cybersecurity stakes for sports

With the 2026 World Cup about to stretch across three countries and dozens of host cities, the attack surface is wide and the schedule is unforgiving.

Geopolitical signaling is raising the threat profile further. Previous international sporting events have demonstrated that nation‑state actors use the cyber domain to signal intent, influence narratives, or retaliate symbolically. In the context of the 2026 World Cup, Russia’s continued exclusion from international sport, the ongoing conflict in Ukraine, US defensive support to Ukraine, and Iran’s likely participation in the tournament introduce additional motivations for state‑aligned and non‑traditional affiliated actors to operate below the threshold of armed conflict. This doesn’t require new techniques—just the right timing and visibility.

In practice, this comes down to preparation: knowing what normal looks like across IT and OT, controlling third-party access, and spotting when behavior shifts.

In sport, disruption does not build slowly—it happens in real time and in public. By that point, the groundwork has already been set, long before the whistle goes.

About this research

Findings are based on Darktrace threat-research telemetry across sports-sector customer deployments (Q4 2025–Q1 2026) and a survey of 875 IT cybersecurity professionals in the US, UK, Australia, and Germany, fielded by Opinion Matters between May 28 and June 3, 2026. Read the full report for complete methodology, incident analysis, and strategic recommendations.

[related-resource]

Continue reading

About the author

Nathaniel Jones

VP, Security & AI Strategy, Field CISO

Stadium and large public venue operators are confronted with a unique set of cyber security challenges. Often described as a ‘honeypot’ for cyber-criminals, the sports and entertainment industry is an attractive target for threat actors for three main reasons:

  • Modern sports organizations process sensitive and highly valuable data at scale;
  • Sporting events are highly visible and time-critical, operating in front of live audiences with no room for error;
  • Sports organizations rely on sprawling vendor ecosystems and supply chains to deliver broadcast, commerce, fan engagement services, and more.

In a recent Darktrace-commissioned survey, 84% of professional sports organizations reported at least one cyber incident in the past year, and 57% were hit more than once [1]. The potential ramifications of cyber disruption during a large-scale sports event cannot be overstated. A momentary lapse in access to power could bring TV broadcasts to a halt; disruption to access controls could restrict fans from entering the grounds; CCTV outages could increase the risk of criminal behavior and physical injuries. If data is not reliable and stadium machines are outputting the wrong metrics, a venue could become dangerously overcrowded. The barrier between the cyber and physical worlds has long dissolved – cyber-attacks threaten human safety.

In this blog, I explore the key challenges of stadium cyber security and explain the unique capabilities of Self-Learning AI that led me to adopt Darktrace as a head of ICT and cyber security for international venues and events. Over my career I have helped secure football and rugby World Cups, World Athletics Championships and more than 500 events ,and the lessons from each have only sharpened my conviction in this approach.

The access paradox

The biggest challenge lies in the paradox of securing a site where various internal services are provided to a large number of unknown and unmanaged users, suppliers and devices. When it’s game time, or ‘D-Day’, you see a huge influx of thousands of people, each with their own devices, needing to connect to your network and your infrastructure. The floodgates are opened. But certain parts of your digital environment need to remain protected: your sensitive employee and customer data, your critical OT systems. I liken this to opening the door to your home, and letting the entire town come in and wander around. But you still need to secure your master bedroom.

A multitude of different actors must be able to work on-site to provide services or content during the event. Broadcasters, staff and suppliers need to have access to manage the show, and all these people need to access or interact with the IT infrastructure. In many ways, these additional bodies are already inside the perimeter and could host unknown malicious threats.

This year, the paradox is wider than ever. A tournament spread across hundreds of suppliers and vendors means the foothold an attacker needs may already belong to a trusted partner – a single compromised supplier can become the doorway to everything else. And the adversary is no longer working alone: generative AI now lets attackers probe and weaponize vulnerabilities across thousands of software dependencies at a speed no human team could match, turning the access paradox from a manageable risk into a fast-moving target.

Achieving this balance between accessibility and security requires a shift in mindset from perimeter-based security to one that can detect and respond to threats on the inside. The complexities involved requires technology that can identify malicious behavior in real time based on the wider context of an incident. A particular behavior or connection may be benign in one context and yet critically disruptive in another — tools and technology must be able to discern between the two.

This is why I considered Darktrace’s Self-Learning AI a suitable fit: rather than defending at the perimeter, it focuses on detecting and responding to malicious activity already inside. Because it learns the unique ‘patterns of life’ of its surroundings, it can detect subtle deviations that indicate a threat and initiate a targeted response – without relying on pre-programmed rules and playbooks.

IT/OT convergence

The second key challenge is the issue of IT and OT convergence. Typical stadiums and arenas consist of a wide range of Industrial Control Systems (ICS).

This involves a complex and messy array of switches, cables, CCTV cameras, as well as devices and technologies being brought in by the media and the press, and all these IT and OT components are now interconnected, which means these technologies now have Internet Protocol (IP)-based threats to manage. The same challenges that the corporate infrastructure for stadium management faces in cyber security are therefore also now an issue for ICS security.

This challenge cannot be addressed by viewing IT and OT security in isolation — these two environments are linked because of the analogue migration to IP. A unified approach is required to detect and respond to threats that start in IT before moving to industrial systems.

The stakes are physical. CCTV, Access Control, Public Annoucement system, lighting and the giant screens are all now running over IP, and a disruption to any of them can force a venue to halt play on safety grounds. Scale compounds the problem. At the Qatar 2022 World Cup, eight stadiums were purpose-built to a single technical standard, which made the digital environment relatively uniform to defend. The 2026 tournament is the opposite: dozens of host venues across three countries, each with its own operator, its own contractors and its own legacy systems.This creates a far more fragmented and unpredictable estate to secure.

In addition, cyber security technology must be able to deal with complexity. Darktrace’s AI thrives in the most complex environments, with more data points adding more context to inform the AI’s decision making. It covers OT and IT with a single, unified AI engine, that can also detect and respond across cloud infrastructure, SaaS applications, email systems and endpoints. It is ready to adapt to the messy, interconnected systems that make up large stadiums’ digital infrastructure.

The time factor

Finally, the nature of stadium events means that timing is critical and puts enormous pressure on the organizers and operators. ‘D-Day’ cannot be replayed or postponed, and so if cyber disruption occurs during the event, every minute is crucial. You cannot reschedule a World Cup final or move an opening ceremony; the date is fixed, the world is watching, and there is no second take.

There is consequently a strong emphasis on two key metrics

  • Mean Time To Know (MTTK) — how long it takes the security team need to be aware of an incident; and
  • Mean Time To Restore (MTTR) — how quickly a team can act to contain the threat.

It is perhaps more imperative in stadium event management than anywhere else that these two metrics be minimized.

This leads to the third criteria in assessing cyber security technology: does it help with response? And critically, can that response be nuanced and targeted, able to contain that threat without causing further disruption?

To this end, Darktrace’s Autonomous Response takes machine-speed action to contain cyber-attacks, when humans are too slow to react or aren’t around at all. It’s powered by Darktrace’s AI, so it has a nuanced and continuously updating understanding of what’s ‘normal’ across IT and OT systems. This means its response actions are targeted: designed to eliminate the threat, but not at the cost of disruption. Crucially, this enables responses that are surgical rather than blunt. For example, taking an entire server offline to stop a ransomware attack can cause more disruption than the attack itself, so the real value lies in neutralizing the malicious activity precisely — containing the threat without taking down the systems the event and business depends on.

Depending on the nature and severity of the threat, the technology can block specific malicious connections by enforcing the normal ‘pattern of life’ of a device or account. When every second counts, this is the speed and granularity that you need in a cybersecurity technology.

Darktrace can be deployed across every area of the digital enterprise, including network, email, cloud and SaaS environments with the same self-learning approach, stopping anomalous behaviors that point to account takeover and other cloud-based threats. Earlier this year, we announced that Darktrace is also extending its behavioral approach to help businesses deploy and scale AI securely by understanding how these AI systems and agents behave, interact with other systems and humans, and evolve over time. This is critical because 72% of cybersecurity professionals at sports organizations believe AI will increase their cyber risk over the next 12 months [2].

Wherever it is deployed, Darktrace allows the stadium operator to focus on the vital part of the game and offers real-time protection without any modification in the network topology or infrastructure.

An adaptive defense

Cyber-criminals are constantly developing their approach in an attempt to evade security tools trained to look for specific hallmarks of an attack. As they get creative and continuously experiment with new tactics and techniques, the human operators using these tools are forced into a constant state of catch up.

An AI-based approach that learns an organization and its normal behavior patterns from the ground up puts an end to this game of ‘cat and mouse’, shifting the balance in favor of the defenders and allowing them to stay ahead of the threat. This matters more than ever, because adversaries are now using AI to scale their attacks. If you do not have AI working to protect you against malicious AI, you are already at a disadvantage.

With a nuanced understanding of what’s ‘normal’ for the business, unified IT/OT coverage, and an Autonomous Response solution that takes immediate, surgical action, the playing field is leveled, and large stadium and events operators can focus on delivering the best possible experience for attendees, digital viewers, partners and performers.

[related-resource]

References:

[1] [2] Darktrace: Cybersecurity in Global Sport, June 2026. Findings based on survey of 875 IT cybersecurity professionals based in the US, UK, Australia and Germany, working in professional sports organizations (including clubs, societies & sporting bodies) employing 10+ people. The survey was fielded between May 28, 2026 and June 3, 2026 by independent market research agency, Opinion Matters.

Continue reading

About the author

Karim Benslimane

VP, Field CISO