I value that the product detects anomalous network behavior beyond static rules, for example endpoints connecting to previously unseen domains or IP addresses or showing unusual communication patterns. During our POC, it surfaced concrete misuse on the guest Wi-Fi (including access to illegal football streaming services), which demonstrated practical detection value. The option for a local appliance is a clear advantage for privacy and governance, because telemetry can be processed on-premises and sensitive data can remain under the organization's control. I also appreciate the ability to tune thresholds and create custom alerts, as well as the integration benefits across the Darktrace ecosystem-using Network together with Identity and Email typically improves investigation context and confidence. Finally, the active response capability is distinctive: when configured, it can attempt to terminate suspicious sessions by injecting TCP FIN packets for the relevant connection/port, supporting rapid containment while the alert is validated.
April 1, 2026
As mentioned previously I have a strong dislike of the UI, I find tuning models to be quite tricky and I also found that sometimes picking up device DNS can be inaccurate so you have to rely more on IP addresses than DNS names
March 24, 2026