Cloud Security, AI/ML, MSSP

Darktrace Adds Automated Cloud Forensics to ActiveAI Platform

(Adobe Stock)

Darktrace has introduced an automated cloud forensics capability to help security teams investigate incidents faster across hybrid and multi-cloud environments. The new Darktrace/Forensic Acquisition & Investigation solution captures and preserves evidence the moment a threat is detected. This addresses the challenge of lost data from ephemeral workloads and lengthy manual investigations.

The system collects host-level evidence - disk, memory, logs, and related artifacts - through cloud APIs the moment a threat is flagged, either by Darktrace itself or another security tool. It captures data even from short-lived containers or serverless functions, where evidence often vanishes before it can be secured. From there, it reconstructs unified timelines that map attacker behavior and root cause without the need for manual correlation.

Max Heinemeyer, Global Field CISO at Darktrace, underscored how this automation addresses one of the biggest pain points for stretched SOC teams.

He told MSSP Alert, “SOC teams usually spend a lot of time trying to gather the right evidence data for investigations. These efforts will be drastically reduced through the automation we deliver,” he said. In his view, the benefits go beyond efficiency. By cutting out the friction of accessing live production environments during an investigation - particularly when incidents span multiple clouds—teams can focus on analysis rather than process. “We also help pre-investigate alerts and prepare timelines for easier review. This will speed up the work of analysts and allow them to better prioritize significant cases.”

That ability to front-load investigations with ready-made timelines is a shift in how analysts can approach their workload. Instead of losing hours piecing together context, SOC teams can quickly see which incidents matter most and act accordingly.

Integrating with Darktrace/CLOUD

The release is also part of a broader consolidation trend. Darktrace / CLOUD already provides detection, response, posture management, and attack-path modeling. Paired with automated forensics, the workflow becomes tighter: threats are detected, contained, and preserved for investigation in one motion.

Heinemeyer pointed out that this helps customers navigate the fragmented state of cloud security today. “Cloud security in general is quite fragmented at the moment and organizations are weighing best-of-breed point solutions against platform consolidation,” he explained. Darktrace aims to give customers flexibility: for some, consolidating multiple cloud security tools into Darktrace / CLOUD makes sense, while others integrate specific Darktrace capabilities into their existing stack.

He stressed that the value extends beyond just cloud tooling. “It is not just about consolidating in the cloud - but also across the broader SOC. It is a challenge for customers that sometimes cloud security is treated differently across tech, processes, and people than other areas of cybersecurity like traditional network security, OT security or identity security. Darktrace can help unify and automate these different streams in the SOC.”

By positioning the product this way, Darktrace is tapping into a common frustration: SOC silos. Bringing cloud forensics into the same workflows as network, OT, and identity security can help teams standardize their processes and reduce duplication of effort.

Why MSSPs Benefit

The implications for managed security providers are equally significant. MSSPs often carry the operational burden of managing dozens of customer environments, where repetitive tasks and constant evidence collection create high costs and high risk of error.

Heinemeyer acknowledged that MSSPs are under pressure to demonstrate strong cloud capabilities as more of their customers migrate workloads. “Several MSSPs are already using Darktrace/Forensic Acquisition & Investigation for exactly these use cases,” he said. For them, automated evidence capture offers more than efficiency - it becomes a differentiator. “Having an advanced capability like this, which can preserve forensic evidence, reduce the cost of investigations and scale easily, can be a competitive advantage to MSSPs.”

For providers, the ability to preserve volatile data across multiple tenants while reducing analyst workload without adding new operational overhead is especially valuable. It gives them a way to deliver faster, more consistent investigations across diverse environments and to show customers tangible improvements in response times.

Automated forensic capture changes the rhythm of investigations. Instead of spending hours chasing logs and stitching evidence together, SOC teams get what they need right when the alert fires. That cuts down the manual drag and keeps context intact. For MSSPs, the value is scale—being able to handle dozens of environments without drowning analysts in repetitive work. What Darktrace is really doing here is pulling forensics into the same lane as detection and response, so investigations shift from reactive patchwork to something faster, cleaner, and built for the cloud

An In-Depth Guide to Cloud Security

Get essential knowledge and practical strategies to fortify your cloud security.
Suparna Chawla Bhasin

Suparna is the Senior Managing Editor for CyberRisk Alliance’s Channel Brands, including MSSP Alert and ChannelE2E. She manages content development, sharpens editorial workflows, and ensures storytelling is tightly aligned with audience needs. With a background in technology, media, and education, she combines strategic insight with creative execution.

You can skip this ad in 5 seconds