
Darktrace Autonomous Response — Surgical, Proportionate Action from the Pattern of Life

Most automated blocking is too blunt — it breaks the business, so teams switch it off. Darktrace Autonomous Response (formerly Antigena) is different: it acts from each device's learned pattern of life, doing the minimum needed to neutralise an in-progress threat in seconds while normal work keeps running. This lesson shows exactly how that surgical action works and how to roll it out safely.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live response demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Darktrace Autonomous Response (formerly Antigena, 2026): why blunt automated blocking gets disabled, how proportionate, surgical action derived from the device's pattern of life neutralises a threat without breaking the business, why it acts in seconds for ransomware and out-of-hours incidents, the human-confirmation vs fully autonomous modes, native and firewall/NAC/EDR enforcement, and how to roll it out safely alongside NDR and Cyber AI Analyst.

Pick where you want to start

1. The dilemma: Blunt blocking breaks business, so it gets switched off.
2. Surgical action: Act from the pattern of life — the minimum needed.
3. Speed, modes, enforce: Seconds, human-confirm vs autonomous, native or via firewall/NAC/EDR.
4. Roll it out safely: Phase in autonomy, pair with NDR & AI Analyst.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Why do teams often disable automated blocking? (Answered in The dilemma.)
2. What does Darktrace base its surgical action on? (Answered in Surgical action.)
3. How fast does Autonomous Response act? (Answered in Speed, modes, enforce.)

Most engineers think…

Most people picture automated response as 'the tool detects something bad and blocks the device'. That mental model is exactly why automated blocking gets switched off — a blunt block breaks legitimate work, so nobody trusts it to run on its own.

Darktrace Autonomous Response is different because it acts from the device's learned pattern of life. Instead of nuking the whole device, it does the minimum needed — block just the anomalous connection, or enforce what is normal for that device while stopping what isn't. Because the action is grounded in the device's own normal, it is precise enough to run autonomously and in seconds, which is what finally makes automation safe enough to leave on — even at 2am with nobody watching.

① The automation dilemma — why blunt blocking gets switched off

Everyone wants the security tool to just stop the attack automatically. The problem is that traditional automated blocking is too blunt: 'block the whole device', 'cut the user off', 'quarantine the host'. When that fires on a false positive — or on a real threat that shares a device with real work — it breaks the business. So after a few painful outages, teams quietly turn automation off and go back to manual response, which is slow.

Darktrace Autonomous Response (the capability formerly branded Antigena Network) is built to escape that trade-off. It takes targeted action to neutralise an in-progress threat without disrupting normal business. The detection layer (NDR) flags the anomaly; Autonomous Response then works out the smallest action that stops it while leaving legitimate activity alone.

Figure 1 — From anomaly to surgical action
NDR flags the anomaly, Autonomous Response computes the minimum action, enforces it, and Cyber AI Analyst explains it. Stages: Detect (NDR flags anomaly) → Decide (minimum needed) → Act (surgical action) → Contain (threat stopped) → Explain (AI Analyst triage).

Figure 2 — Blunt blocking vs proportionate action
Traditional automation is too blunt and gets disabled; Darktrace acts from the pattern of life, so it can stay on.
Blunt blocking: block the whole device → breaks legitimate business → risky, so teams disable it → back to slow manual response.
Proportionate action: block only the bad connection → enforces the device's normal → precise, so safe to automate → acts in seconds, even at 2am.
Quick check · Q1 of 10 · Understand

Why do teams often disable traditional automated blocking?

Correct: b. Blunt automation (block the whole device, cut the user off) breaks real work when it fires, so after a few outages teams switch it off and fall back to slow manual response. Darktrace avoids this by acting precisely.
👉 So far: Blunt automated blocking breaks the business, so teams disable it. Darktrace Autonomous Response (formerly Antigena) takes targeted action to neutralise an in-progress threat without disrupting normal work.

② Proportionate, surgical action — from the pattern of life

The defining idea is proportionate, surgical action derived from the device's learned pattern of life. Darktrace already knows what normal looks like for that device, so it does the minimum needed rather than a blanket block.

The four main actions

In practice that means one of the following, listed from lightest to heaviest:

1. Block only the specific anomalous connection.
2. Enforce the pattern of life: allow everything that is normal for the device, stop only what isn't.
3. Block a specific port or destination.
4. Quarantine the device — the heaviest action, used only if it is genuinely necessary.

Legitimate activity keeps working throughout.

This precision is the whole point. Traditional blocking is risky because it is blunt; Darktrace's actions are precise enough to run autonomously because they are based on the device's own normal. That is what makes safe automation possible.
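To make the "least to most" ladder concrete, here is an added toy model of proportionate action selection. It is illustrative code written for this lesson, not Darktrace's own logic or API: the pattern of life is reduced to the set of (destination, port) pairs a device has been seen using, and the four rules that pick the action (single stray connection; anomalies still a minority of the device's traffic; anomalies on one channel; anomalies spread everywhere) are assumptions chosen to mirror the lesson's ordering. The finance-workstation flows are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class Flow:
    """One connection from the monitored device (constructed, illustrative)."""
    dst: str
    port: int


class Action(Enum):
    # Ordered lightest to heaviest, as the lesson lists them.
    BLOCK_CONNECTION = 1
    ENFORCE_PATTERN_OF_LIFE = 2
    BLOCK_PORT_OR_DESTINATION = 3
    QUARANTINE = 4


@dataclass(frozen=True)
class Plan:
    action: Action
    blocked: frozenset[Flow]  # flows the plan stops; everything else keeps flowing


def anomalous(baseline: set[Flow], observed: list[Flow]) -> list[Flow]:
    """Flows outside the learned baseline (toy stand-in for the pattern of life)."""
    return [f for f in observed if f not in baseline]


def choose_action(baseline: set[Flow], observed: list[Flow]) -> Plan | None:
    """Pick the lightest action that stops the anomalous flows (rules are assumptions)."""
    anoms = anomalous(baseline, observed)
    if not anoms:
        return None  # everything matches the device's normal: no action
    normal = [f for f in observed if f in baseline]
    # Rule 1: one stray connection -> block just that connection.
    if len(anoms) == 1:
        return Plan(Action.BLOCK_CONNECTION, frozenset(anoms))
    # Rule 2: normal work still dominates -> allow the baseline, drop the rest.
    if len(anoms) < len(normal):
        return Plan(Action.ENFORCE_PATTERN_OF_LIFE, frozenset(anoms))
    # Rule 3: anomalies dominate but sit on one destination or one port ->
    # cut that channel. Heavier than rule 2 because normal flows on the same
    # channel are cut too.
    dsts = {f.dst for f in anoms}
    ports = {f.port for f in anoms}
    if len(dsts) == 1:
        return Plan(Action.BLOCK_PORT_OR_DESTINATION,
                    frozenset(f for f in observed if f.dst in dsts))
    if len(ports) == 1:
        return Plan(Action.BLOCK_PORT_OR_DESTINATION,
                    frozenset(f for f in observed if f.port in ports))
    # Rule 4: anomalies dominate and spread across hosts and ports -> last resort.
    return Plan(Action.QUARANTINE, frozenset(observed))


def enforce(plan: Plan, observed: list[Flow]) -> tuple[list[Flow], list[Flow]]:
    """Simulate enforcement: return (allowed, blocked) for the observed flows."""
    allowed = [f for f in observed if f not in plan.blocked]
    blocked = [f for f in observed if f in plan.blocked]
    return allowed, blocked


# Constructed baseline for a finance workstation: file server, mail gateway, DNS.
FILESERVER = Flow("10.0.5.20", 445)
MAIL = Flow("10.0.5.30", 443)
DNS = Flow("10.0.5.2", 53)
BASELINE = {FILESERVER, MAIL, DNS}

# Constructed 2am scenario: normal traffic plus SMB writes to a share the
# device never touches and a beacon to an unknown external host (C2).
RANSOMWARE_2AM = [FILESERVER, MAIL, DNS,
                  Flow("10.0.5.40", 445), Flow("203.0.113.7", 8443)]

if __name__ == "__main__":
    plan = choose_action(BASELINE, RANSOMWARE_2AM)
    allowed, blocked = enforce(plan, RANSOMWARE_2AM)
    print(plan.action.name)
    print("blocked:", [(f.dst, f.port) for f in blocked])
    print("allowed:", [(f.dst, f.port) for f in allowed])
```

Run stand-alone, the 2am scenario lands on ENFORCE_PATTERN_OF_LIFE: the two anomalous flows are blocked and the three baseline flows keep working, which is the outcome the lesson's demo describes. Feeding it a single stray connection, a spread across many hosts on one port, or a scan across many hosts and ports walks it down the ladder to the heavier actions.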

Figure 3 — Proportionate actions, least to most
Autonomous Response picks the minimum that neutralises the threat; quarantine is the last resort.
1. Block the connection: stop just the anomalous link.
2. Enforce pattern of life: allow normal, stop what isn't.
3. Block port / destination: cut a specific channel.
4. Quarantine device: isolate the host, last resort.
Key terms

🛡️ Autonomous Response: Formerly Antigena Network. Takes targeted action to neutralise an in-progress threat without disrupting normal business — the actuator that stops the attack.

🧬 Pattern of life: The per-device, per-user model of normal that Self-Learning AI builds. The source of truth for what to allow and what to stop.

🎯 Proportionate action: The minimum needed — block just the bad connection or enforce normal — instead of blunt-blocking the whole device. Precision is what makes autonomy safe.

🙋 Human-confirm vs autonomous: Confirmation mode = an analyst approves each action. Fully autonomous = it acts on its own. Phase it in, often off-hours first.

Lead with 'minimum needed', not 'block'

In an interview, frame Autonomous Response as proportionate action from the pattern of life: it does the minimum that neutralises the threat — block one connection or enforce normal — not a blanket block. That precision is the reason it can be left running autonomously.

Quick check · Q2 of 10 · Remember

What is Darktrace's surgical, proportionate action derived from?

Correct: a. Action is computed from the device's learned pattern of life — Darktrace already knows what is normal, so it does the minimum needed (block the bad connection, enforce normal) instead of a blanket block.
👉 So far: Proportionate, surgical action comes from the device's pattern of life — do the minimum needed (block the bad connection, enforce normal, block a port/destination, or quarantine only if necessary). Precision is what makes autonomy safe.

③ Speed, modes and enforcement — how the action lands

Speed is the headline. Autonomous Response acts in seconds. That matters enormously for fast-moving attacks like ransomware, and for out-of-hours and weekend incidents when no analyst is watching the console — exactly when a manual process fails.

Modes and enforcement

You choose how much autonomy to give it. In human-confirmation mode an analyst approves each proposed action; in fully autonomous mode it acts on its own. You can phase it in — start with confirmation, then widen autonomy as trust builds, often turning on full autonomy for off-hours first.

For the action itself, Autonomous Response can enforce natively (Darktrace itself drops or limits the connection) or push the action out via integrations with firewalls, NAC and EDR — so it fits the controls you already run.

Figure 4 — One action, many enforcement paths
Autonomous Response enforces natively or pushes the same action to the controls you already run. Enforcement paths: Native (Darktrace), Firewall, NAC, EDR. Modes: Human-confirm, Fully autonomous.
'It just blocks the device' under-sell

Saying Autonomous Response simply blocks or quarantines the host misses the point and sounds like the blunt tools teams disable. Quarantine is the last resort; the usual action is blocking the specific anomalous connection or enforcing the device's pattern of life so normal work continues.

▶ Watch ransomware get stopped surgically at 2am

How a compromised device is contained without breaking normal traffic. The healthy containment path:

① Compromise: At 2am a finance workstation starts encrypting file shares over SMB and beaconing to an unknown external host (C2).
② Detect: Darktrace NDR flags the activity as a sharp deviation from the device's pattern of life — an in-progress threat.
③ Enforce normal: Autonomous Response enforces the pattern of life: it blocks ONLY the malicious SMB writes and the C2 connection, leaving normal traffic alone.
④ Contained: The spread is stopped in seconds with no analyst on shift; Cyber AI Analyst writes up the incident for Monday.
Quick check · Q3 of 10 · Apply

Ransomware starts spreading at 2am on a weekend with nobody on shift. Which setting lets Autonomous Response stop it itself?

Correct: c. Out-of-hours is exactly when no analyst is watching to approve. Fully autonomous mode (commonly enabled for off-hours first) lets it act in seconds and stop the spread without a human.
👉 So far: It acts in seconds — vital for ransomware and out-of-hours. Modes: human-confirmation vs fully autonomous (phaseable). Enforcement: natively or via firewall / NAC / EDR integrations.

④ Rolling it out safely — and how it pairs up

A safe rollout is a trust dial, not a switch. Start in human-confirmation mode so the team sees the proposed actions and learns to trust them. Then enable fully autonomous action where the risk of waiting is highest — off-hours and weekends, and for high-confidence, fast-spreading threats like ransomware — before widening it across the day.

How it pairs up

Autonomous Response does not work alone. NDR detection spots the anomaly and is the trigger; Autonomous Response takes the surgical action; and Cyber AI Analyst investigates and triages afterwards, explaining what happened so the team has the story by morning.

The pitfall to avoid: deploying it but leaving it in confirmation-only mode with nobody on shift to confirm. Then a 2am ransomware breach just waits for an approval that never comes — and spreads. Match the autonomy to when humans are actually watching.

Figure 5 — A safe rollout — turning up the trust dial
Phase from confirmation to autonomy, enabling off-hours autonomy first, and pair it with NDR and Cyber AI Analyst. Steps: Confirm (analyst approves) → Trust (review the actions) → Off-hours (autonomy at night) → Widen (autonomy by day) → Pair (NDR + AI Analyst).

Sneha at Meridian Logistics in Hyderabad faces this

At 2am on a Saturday a finance workstation starts encrypting file shares over SMB and beaconing to an unknown external host; by Monday several shares are partly encrypted.

Likely cause

Autonomous Response was deployed but left in human-confirmation-only mode with no autonomy for off-hours, so the recommended action sat waiting for an approval that never came.

Diagnosis

The model breach and the proposed Autonomous Response action are both visible, timestamped 02:01 — but the action status is 'pending confirmation' and autonomy is disabled outside business hours.

Darktrace ▸ Model breach ▸ Autonomous Response ▸ action status & autonomy schedule
Fix

Enable fully autonomous mode for the off-hours / weekend window and for high-confidence ransomware-type breaches, so it can enforce the device's pattern of life immediately — blocking the malicious SMB writes and the C2 connection while leaving normal traffic alone.

Verify

Re-test with a controlled out-of-hours simulation: the action fires in seconds with no analyst, the malicious connections stop, normal traffic continues, and Cyber AI Analyst produces the investigation summary for Monday review.

Prove it with an out-of-hours test

Don't assume autonomy is on when it counts. Run a controlled simulation during the off-hours window and confirm in the console that the action fires in seconds with no analyst, the threat is contained, and Cyber AI Analyst produces the investigation. That single test answers 'will it actually act at 2am?'.
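The pitfall in section ④ and the Verify step in Sneha's case both come down to one question: is there any hour of the week where an action would sit waiting for an approval nobody is there to give? Here is an added model of an autonomy schedule with an audit that walks a week hour by hour and lists those unattended gaps. It is illustrative code written for this lesson, not Darktrace's configuration format or API; the policy fields (analyst shifts, explicit autonomous windows, act-alone-when-unattended, always-autonomous breach categories) and the two sample policies are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time, timedelta
from enum import Enum


@dataclass(frozen=True)
class Window:
    """Recurring weekly window: weekdays (0=Mon .. 6=Sun) and a [start, end) time of day."""
    days: frozenset[int]
    start: time
    end: time

    def contains(self, t: datetime) -> bool:
        return t.weekday() in self.days and self.start <= t.time() < self.end


@dataclass(frozen=True)
class Policy:
    """Assumed shape of an autonomy policy (not a real product setting)."""
    analyst_shifts: tuple[Window, ...]      # when someone can approve a pending action
    autonomous_windows: tuple[Window, ...]  # explicit windows where it acts alone
    autonomous_when_unattended: bool        # act alone whenever no analyst is on shift
    autonomous_categories: frozenset[str]   # breach categories that are always autonomous

    def analyst_on_shift(self, t: datetime) -> bool:
        return any(w.contains(t) for w in self.analyst_shifts)

    def autonomous_at(self, t: datetime, category: str) -> bool:
        if category in self.autonomous_categories:
            return True
        if any(w.contains(t) for w in self.autonomous_windows):
            return True
        return self.autonomous_when_unattended and not self.analyst_on_shift(t)


class Outcome(Enum):
    ACTED = "acted in seconds"
    PENDING_REVIEWED = "pending, analyst on shift to approve"
    PENDING_UNATTENDED = "pending, nobody on shift to approve"  # the 2am pitfall


def disposition(policy: Policy, t: datetime, category: str) -> Outcome:
    """What happens to a proposed action raised at time t for this breach category."""
    if policy.autonomous_at(t, category):
        return Outcome.ACTED
    if policy.analyst_on_shift(t):
        return Outcome.PENDING_REVIEWED
    return Outcome.PENDING_UNATTENDED


def unattended_hours(policy: Policy, category: str = "generic") -> list[datetime]:
    """Audit one week hour by hour; return every hour where an action would wait unapproved."""
    monday = datetime(2026, 6, 15)  # any Monday works: windows repeat weekly
    hours = (monday + timedelta(hours=h) for h in range(7 * 24))
    return [t for t in hours if disposition(policy, t, category) is Outcome.PENDING_UNATTENDED]


# Constructed sample policies.
BUSINESS_HOURS = Window(frozenset(range(5)), time(9), time(18))  # Mon-Fri 09:00-18:00

# Sneha's misconfiguration: confirmation-only, no off-hours autonomy.
MISCONFIGURED = Policy(analyst_shifts=(BUSINESS_HOURS,), autonomous_windows=(),
                       autonomous_when_unattended=False, autonomous_categories=frozenset())

# The fix: act alone whenever nobody is on shift, and always for ransomware-type breaches.
FIXED = Policy(analyst_shifts=(BUSINESS_HOURS,), autonomous_windows=(),
               autonomous_when_unattended=True, autonomous_categories=frozenset({"ransomware"}))

if __name__ == "__main__":
    saturday_2am = datetime(2026, 6, 20, 2, 1)
    for name, policy in (("misconfigured", MISCONFIGURED), ("fixed", FIXED)):
        print(name, "Sat 02:01 ransomware ->", disposition(policy, saturday_2am, "ransomware").value)
        print(name, "unattended hours per week:", len(unattended_hours(policy)))
```

The audit is the check worth running before the out-of-hours simulation: if `unattended_hours` returns anything, there is a window where a breach would wait for an approval that never comes. Widening autonomy by day is then a matter of adding windows to `autonomous_windows` and re-running the audit; the misconfigured policy has 123 unattended hours a week, the fixed one has none.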

Quick check · Q4 of 10 · Analyze

What is the classic pitfall when rolling out Autonomous Response?

Correct: d. If it is left confirmation-only and no analyst is watching, a 2am breach just waits for an approval that never comes and spreads. Match autonomy to when humans are actually available — enable off-hours autonomy.
👉 So far: Roll out as a trust dial: confirmation first, then autonomy off-hours, then widen. Pair it with NDR (the trigger) and Cyber AI Analyst (the follow-up). Don't leave it confirmation-only with nobody on shift.


📝 Wrap-up assessment — six more

Four questions were answered inline; six remain. 70% (7 of 10) marks the lesson complete.

Q5 · Remember

Darktrace Autonomous Response was formerly branded as what?

Correct: b. Autonomous Response is the capability previously called Antigena Network (later also RESPOND). Cyber AI Analyst is the separate investigation/triage capability it pairs with.
Q6 · Understand

Which statement best captures proportionate, surgical action?

Correct: a. Proportionate action means the minimum that neutralises the threat — block the bad connection, enforce the pattern of life, block a port/destination — so legitimate activity keeps working. Quarantine is a last resort, not the default.
Q7 · Apply

An interviewer asks why Darktrace can run automation autonomously when other tools' blocking gets disabled. Best answer?

Correct: b. Precision from the learned pattern of life is the key: actions are grounded in the device's own normal, so they neutralise the threat without breaking the business — which is what makes leaving autonomy on a safe choice.
Q8 · Apply

You want Autonomous Response to use the firewall and EDR you already run. Is that possible?

Correct: c. Autonomous Response can enforce natively (drop/limit the connection itself) or push the action out through integrations with firewalls, NAC and EDR, so it fits existing controls.
Q9 · Analyze

Why is speed (acting in seconds) so important for Autonomous Response?

Correct: d. Ransomware and similar threats spread in seconds, frequently out-of-hours or on weekends. Acting in seconds with no human needed is what stops the spread before damage is done — a manual process would be too late.
Q10 · Evaluate

What is the safest way to roll Autonomous Response out?

Correct: c. Treat autonomy as a trust dial. Start in confirmation mode so the team trusts the actions, then enable full autonomy for off-hours/weekends and high-confidence threats first, then widen — and pair it with NDR and Cyber AI Analyst.

🧠 In your own words

Type one line: why can Darktrace leave automated response switched on when most teams have to switch theirs off? Then compare with the expert version.

Expert version: Because Darktrace Autonomous Response acts from each device's learned pattern of life and takes the minimum action needed — block just the anomalous connection, or enforce what is normal — rather than a blunt block of the whole device. That precision means a real threat is neutralised in seconds without breaking legitimate work, so the business outage that makes teams disable other tools simply doesn't happen. It runs in human-confirmation or fully autonomous mode, enforces natively or via firewall/NAC/EDR, and pairs with NDR detection and Cyber AI Analyst — which is exactly why you can trust it to act at 2am with nobody watching.


📖 Glossary

Autonomous Response
Darktrace capability (formerly Antigena Network / RESPOND) that takes targeted action to neutralise an in-progress threat without disrupting normal business.
Pattern of life
The per-device, per-user model of normal behaviour built by Darktrace Self-Learning AI; the source of truth for what to allow and what to stop.
Proportionate / surgical action
Doing the minimum needed to stop a threat — block one connection or enforce normal — instead of blunt-blocking the whole device.
Enforce pattern of life
An action mode that allows a device's normal traffic while stopping only the anomalous parts.
Human-confirmation mode
A mode where an analyst approves each proposed Autonomous Response action before it executes.
Fully autonomous mode
A mode where Autonomous Response acts on its own, in seconds, without waiting for human approval.
Quarantine
A heavier action that isolates a device from the network; used only when genuinely necessary, not as the default.
NDR
Network Detection and Response — the detection layer that flags the anomaly Autonomous Response acts on.
Cyber AI Analyst
Darktrace's automated investigation and triage that explains an incident after the action is taken.


What's next?

Got how the action works? Next, go deep on Cyber AI Analyst — Darktrace's automated investigation and triage that explains what happened, stitches the events into one incident, and writes the analyst's report for you.