Most people assume any network security tool must sit inline and match a database of known-bad signatures — like an IPS or antivirus. That model is exactly what Darktrace / NETWORK is not.
Darktrace / NETWORK is an AI Network Detection & Response (NDR) product. It sits passively, out-of-band on a copy of your traffic (a SPAN/mirror port or a TAP), so it adds no latency and can never break a connection. Instead of signatures, its Self-Learning AI learns the normal 'pattern of life' for every device and user, then flags deviations — which is how it catches the novel, unknown threats a signature has never seen, including activity hiding inside encrypted traffic.
① What NDR is — and why behaviour beats signatures
The core idea: Darktrace / NETWORK is an NDR — Network Detection & Response — that watches your whole network and uses Self-Learning AI to build a behavioural baseline, a pattern of life, for every device and user. New behaviour is scored against that learned normal; a strong deviation is what raises a detection.
Contrast this with a signature tool. A signature can only match an attack that someone has already seen, named and described. A novel or unknown attack has no signature, so signature-only tools are blind to it. Because Darktrace learns your normal instead, a never-before-seen technique still stands out the moment it behaves abnormally.
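To make the contrast concrete, here is a small added illustration (not Darktrace's code or algorithm): it learns a per-device and fleet-wide baseline from constructed flow records, scores each new connection by how far it deviates from that learned normal, and runs the same connection past a toy indicator list that can only match a host it already knows. Device and host names are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed training flows (device, destination, port) standing in for the
# learning period. Names are hypothetical; this is not Darktrace data or logic.
TRAINING_FLOWS = [
    ("fin-laptop-01", "mail.corp.example", 443),
    ("fin-laptop-01", "mail.corp.example", 443),
    ("fin-laptop-01", "files.corp.example", 445),
    ("fin-laptop-01", "updates.vendor.example", 443),
    ("fin-laptop-02", "mail.corp.example", 443),
    ("fin-laptop-02", "files.corp.example", 445),
    ("hr-laptop-01", "mail.corp.example", 443),
    ("hr-laptop-01", "crm.corp.example", 443),
    ("hr-laptop-01", "updates.vendor.example", 443),
]

# A toy indicator list: all a signature-only tool knows about (constructed).
KNOWN_BAD_HOSTS = {"known-bad.example"}


def build_baseline(flows):
    """Learn the pattern of life: per-device (dst, port) counts and, fleet-wide,
    which devices have ever talked to each destination."""
    per_device = defaultdict(Counter)
    fleet = defaultdict(set)
    devices = set()
    for device, dst, port in flows:
        per_device[device][(dst, port)] += 1
        fleet[dst].add(device)
        devices.add(device)
    return {"per_device": per_device, "fleet": fleet, "devices": devices}


def anomaly_score(baseline, device, dst, port):
    """Deviation from learned normal in [0, 1]: half the weight on whether this
    device has used dst:port before, half on how rare dst is across the fleet."""
    seen_here = baseline["per_device"][device][(dst, port)] > 0
    device_novelty = 0.0 if seen_here else 1.0
    talkers = len(baseline["fleet"].get(dst, ()))
    fleet_rarity = 1.0 - talkers / max(len(baseline["devices"]), 1)
    return round(0.5 * device_novelty + 0.5 * fleet_rarity, 3)


def triage(baseline, device, dst, port, threshold=0.75):
    """Compare the behavioural and signature verdicts for one new connection."""
    score = anomaly_score(baseline, device, dst, port)
    return {
        "behavioural_score": score,
        "behavioural_alert": score >= threshold,
        "signature_alert": dst in KNOWN_BAD_HOSTS,
    }


if __name__ == "__main__":
    baseline = build_baseline(TRAINING_FLOWS)
    for new in [("fin-laptop-01", "mail.corp.example", 443),
                ("fin-laptop-01", "never-seen-before.example", 443),
                ("fin-laptop-02", "updates.vendor.example", 443)]:
        print(new, triage(baseline, *new))
```

The never-seen host scores 1.0 on the behavioural side and nothing on the signature side, which is the whole argument of this section: the indicator list has no entry for it, but the behaviour is abnormal for this device and unheard of across the fleet.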
Darktrace / NETWORK is also the product that brings together what used to be the separate network DETECT and Antigena (response) capabilities — one Self-Learning AI engine for detection and response across the network.
In an interview, lead with the one-liner: Darktrace learns a 'pattern of life' for every device and user, then flags deviations. That is why it catches novel, unknown threats a signature tool — which only knows what it has already seen — will miss.
Why can Darktrace / NETWORK catch a brand-new attack that has no signature?
② Passive deployment — a copy of traffic, no latency
Here is the deployment fact that surprises people: Darktrace / NETWORK is passive and out-of-band. It does not sit in the traffic path. Instead it ingests a copy of traffic from a switch SPAN/mirror port or a hardware network TAP.
Two consequences matter in an interview. First, it adds zero inline latency — the production traffic never waits on Darktrace. Second, it cannot drop or break legitimate traffic, because it only ever sees a copy. That is the key contrast with an inline IPS or firewall, which sits in the path: powerful, but a potential source of latency and a single point of failure.
The catch you must remember
Passive means Darktrace only sees what is fed to it. If a SPAN session or TAP is not configured for a given VLAN or segment, that traffic is simply invisible to Darktrace — a very common cause of 'why didn't it alert?' gaps, especially for internal east-west traffic.
- Self-Learning AI: Learns each environment's normal from its own traffic — no pre-loaded signatures. The engine behind every detection.
- Pattern of life: The continuously-updated behavioural baseline per device and user. Anomalies are deviations from it, which is how novel threats surface.
- Passive / out-of-band: Runs on a copy of traffic from a SPAN/mirror port or TAP — zero inline latency and physically unable to break live traffic.
- Cyber AI Analyst: Automatically investigates and correlates detections into a single human-readable incident narrative, so triage takes minutes.
Darktrace / NETWORK is passive and out-of-band — it runs on a copy of traffic and cannot break a connection or add latency. Calling it an inline appliance gets the deployment model, the latency story and the failure mode all wrong.
How is Darktrace / NETWORK deployed on the network?
③ What it detects — including inside encrypted traffic
Because it reasons about behaviour, Darktrace / NETWORK catches the stages of an attack that signatures miss: C2 beaconing (regular, often low-and-slow callbacks to a rare external host), lateral movement (internal scanning, unusual SMB/RDP between hosts), data exfiltration (abnormal outbound transfers), anomalous credential use, network scanning/reconnaissance, and the early stages of ransomware before mass encryption.
It watches east-west (internal) traffic, not just the north-south perimeter — so an attacker who is already inside still gets seen.
Encrypted traffic without decryption
You do not need to break TLS. Darktrace analyses metadata and behaviour — who talks to whom, how often, volumes, timing, and how rare a destination is — so it can flag suspicious activity inside encrypted flows without decrypting them or sharing keys. The behaviour is abnormal even when the payload is unreadable.
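The check below is an added illustration, not Darktrace's code, of the C2 beaconing detection listed earlier and of the metadata-only point made here: it uses nothing but who talks to whom, how often, the timing between connections and how rare the destination is across the fleet, over constructed TLS connection records with no payload. Hosts, addresses and the ~600 s beacon interval are hypothetical.

```python
import statistics
from collections import defaultdict

# Constructed TLS connection metadata as a passive sensor would log it:
# (timestamp_seconds, src_host, dst_host, dst_port). No payload is needed.
FLOWS = [
    # One host calling a rare external address about every 600 s (constructed beacon).
    (0, "fin-laptop-01", "203.0.113.10", 443),
    (602, "fin-laptop-01", "203.0.113.10", 443),
    (1198, "fin-laptop-01", "203.0.113.10", 443),
    (1801, "fin-laptop-01", "203.0.113.10", 443),
    (2399, "fin-laptop-01", "203.0.113.10", 443),
    (3003, "fin-laptop-01", "203.0.113.10", 443),
    (3597, "fin-laptop-01", "203.0.113.10", 443),
    (4200, "fin-laptop-01", "203.0.113.10", 443),
    # Ordinary, human-driven mail traffic from several hosts: irregular timing.
    (0, "fin-laptop-01", "mail.corp.example", 443),
    (40, "fin-laptop-01", "mail.corp.example", 443),
    (900, "fin-laptop-01", "mail.corp.example", 443),
    (1000, "fin-laptop-01", "mail.corp.example", 443),
    (3500, "fin-laptop-01", "mail.corp.example", 443),
    (3520, "fin-laptop-01", "mail.corp.example", 443),
    (15, "fin-laptop-02", "mail.corp.example", 443),
    (2200, "fin-laptop-02", "mail.corp.example", 443),
    (70, "hr-laptop-01", "mail.corp.example", 443),
    (1900, "hr-laptop-01", "mail.corp.example", 443),
]


def interval_stats(timestamps):
    """Mean gap between connections and its coefficient of variation
    (stdev / mean). A CV near 0 means clock-like regularity."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return 0.0, float("inf")
    mean = sum(gaps) / len(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return round(mean, 1), round(cv, 4)


def detect_beacons(flows, min_connections=5, max_cv=0.2, max_talker_share=0.34):
    """Flag (src, dst) pairs that call a destination few other hosts use,
    at regular intervals, often enough to be more than coincidence."""
    per_pair = defaultdict(list)
    talkers = defaultdict(set)
    hosts = set()
    for ts, src, dst, _port in flows:
        per_pair[(src, dst)].append(ts)
        talkers[dst].add(src)
        hosts.add(src)
    findings = []
    for (src, dst), stamps in per_pair.items():
        if len(stamps) < min_connections:
            continue
        mean, cv = interval_stats(stamps)
        share = len(talkers[dst]) / len(hosts)   # rarity of dst across the fleet
        if cv <= max_cv and share <= max_talker_share:
            findings.append({"src": src, "dst": dst, "connections": len(stamps),
                             "mean_interval_s": mean, "cv": cv,
                             "fleet_share": round(share, 2)})
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(FLOWS):
        print(finding)
```

The mail server is contacted by every host at irregular, human intervals and is never flagged; the rare address contacted by a single host with a near-zero CV is. Nothing in the decision depended on reading the TLS payload, which is why destination rarity and timing are the sensible handles on encrypted traffic.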
No alerts is not the same as no threats. Before concluding a segment is clean, confirm Darktrace actually receives that VLAN's traffic — check the device's connection data in the Threat Visualizer and the SPAN/TAP sources on the switch. Passive tools are blind to what isn't fed to them.
A host is making rare, regularly-timed connections to an unknown external server over HTTPS. What can Darktrace do?
④ Coverage and where detections go next
Visibility spans on-prem, virtualised and cloud. Where there is no physical SPAN port to tap — cloud and virtual networks — coverage is extended by cloud sensors (cSensors), and individual machines can be covered by host-based sensors (osSensors). All of them feed the same Self-Learning AI analytics.
From detection to response
A detection is not the end of the line. It feeds Cyber AI Analyst, which automatically investigates, correlates related events, and writes an incident narrative so a human triages in minutes instead of hours. Detections also feed Autonomous Response (formerly Antigena), which can take a surgical, proportionate containing action.
The interview line: Darktrace detects from a passive copy of traffic, investigates with AI, and only then responds — that response layer is the subject of the next lesson.
Priya at Meridian Logistics (Hyderabad) faces this
A finance laptop has quietly made rare, regularly-timed connections to an unfamiliar external host and poked at internal file-shares for weeks — yet no Darktrace alert fired.
Darktrace was tapped into the data-centre north-south traffic via one SPAN session, but the user VLAN's east-west traffic was never mirrored, so the lateral movement and internal scanning never reached it.
In the Threat Visualizer the device shows external beaconing breaches but no internal connection data for that subnet; on the switch, the SPAN session's source ports don't include the user VLAN.
Threat Visualizer ▸ device ▸ Connections, and switch ▸ monitor/SPAN session sources.
Add the user VLAN(s) to the SPAN/mirror session (or add a TAP or a cSensor for that segment) so Darktrace sees east-west traffic, then let the pattern of life rebuild for those devices.
Re-check the device: internal SMB/RDP connections now appear, the lateral-movement and scanning models breach, and Cyber AI Analyst stitches the beaconing and lateral movement into a single C2 incident.
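The earlier warning (confirm the sensor actually receives a VLAN's traffic before calling it clean) and Priya's scenario come down to the same audit: compare the segments the SPAN/TAP feed is supposed to cover with the connections that were actually observed. The script below is an added example, not a Darktrace tool, that performs that audit over a constructed export of observed connections. The corporate address range, segment names and sample flows are hypothetical.

```python
import ipaddress

# Constructed corporate address space; anything inside it counts as "internal".
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed: the segments the SPAN/TAP feed is meant to cover (hypothetical names).
PLANNED_COVERAGE = {
    "dc-servers": "10.10.0.0/24",
    "user-vlan-finance": "10.20.0.0/24",
    "user-vlan-hr": "10.30.0.0/24",
}

# Constructed sample of connections the sensor actually received: (src_ip, dst_ip, dst_port).
OBSERVED = [
    ("10.10.0.5", "198.51.100.7", 443),   # DC server to the internet
    ("10.10.0.5", "10.10.0.9", 445),      # DC server to DC server
    ("10.20.0.15", "203.0.113.10", 443),  # finance laptop to an external host
    ("10.30.0.8", "10.10.0.9", 445),      # HR laptop to a DC file server
]


def classify(src, dst):
    """east_west = both ends internal; north_south = exactly one end internal."""
    a = ipaddress.ip_address(src) in INTERNAL
    b = ipaddress.ip_address(dst) in INTERNAL
    if a and b:
        return "east_west"
    if a or b:
        return "north_south"
    return "external"


def coverage_report(planned, observed):
    """For each planned segment, count the flow types seen and name the blind spot.
    A segment that shows only north-south flows is the classic 'SPAN source is
    missing the user VLAN' pattern; one with nothing at all is not mirrored."""
    report = {}
    for name, cidr in planned.items():
        net = ipaddress.ip_network(cidr)
        counts = {"east_west": 0, "north_south": 0}
        for src, dst, _port in observed:
            touches = ipaddress.ip_address(src) in net or ipaddress.ip_address(dst) in net
            kind = classify(src, dst)
            if touches and kind in counts:
                counts[kind] += 1
        if counts["east_west"]:
            status = "ok"
        elif counts["north_south"]:
            status = "east-west blind spot: check SPAN/TAP sources for this segment"
        else:
            status = "no traffic seen: segment not mirrored at all"
        report[name] = {**counts, "status": status}
    return report


if __name__ == "__main__":
    for segment, result in coverage_report(PLANNED_COVERAGE, OBSERVED).items():
        print(f"{segment:20} {result}")
```

On this sample the finance VLAN reproduces Priya's symptom exactly: its external connection is visible, but not one internal flow, so the lateral movement from that laptop could never have been scored. The HR VLAN only looks covered because its flows to the mirrored data-centre side were seen; HR-to-HR traffic would need the same check once it exists.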
A device shows external beaconing but Darktrace never flagged its internal scanning. What is the most likely cause?
📖 Glossary
- NDR (Network Detection & Response)
- Behavioural, network-wide threat detection and response that watches east-west and north-south traffic, not just the perimeter.
- Self-Learning AI
- Darktrace's engine that learns each environment's normal behaviour from its own traffic, with no pre-loaded signatures or rules.
- Pattern of life
- The continuously-updated behavioural baseline Darktrace builds per device and user; detections are deviations from it.
- Passive / out-of-band
- Deployment on a copy of traffic (SPAN/mirror or TAP) — adds no inline latency and physically cannot break live traffic.
- SPAN / mirror port
- A switch feature that copies traffic from chosen ports or VLANs to a monitoring port for a tool to inspect.
- Network TAP
- A passive hardware device on a link that copies its traffic for monitoring, with no effect on the live flow.
- C2 beaconing
- Regular, often low-and-slow callbacks from a compromised host to an attacker's command-and-control server.
- cSensor / osSensor
- Darktrace's cloud sensors and host-based (OS) sensors that extend visibility beyond physical SPAN/TAP points.
- Cyber AI Analyst
- Darktrace's automated investigation layer that correlates detections and produces a human-readable incident narrative.
- Autonomous Response
- Darktrace's surgical containment capability, formerly Antigena — the subject of the next lesson.
What's next?
You've seen how Darktrace detects. Next: Autonomous Response (formerly Antigena) — how Darktrace takes surgical, proportionate action to contain a live threat without taking down the business, and how that 'human-in-the-loop vs autonomous' choice actually works.