TTechclick ⚡ XP 0% All lessons
Darktrace · AI NDR · Threat Visualizer & DeploymentInteractive · L1 / L2 / L3

The Darktrace Threat Visualizer — What You See and How It's Deployed

Two things every Darktrace engineer must be able to explain: what the Threat Visualizer is, and how Darktrace is physically deployed. The Threat Visualizer is the real-time graphical UI where analysts explore the network, drill into a device's pattern of life and model breaches, and pivot down to packet-level detail. Under it sits a master appliance that ingests a passive copy of traffic via SPAN/mirror or TAP — extended by probes, cSensors and osSensors. This lesson maps both.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide (2026) to the Darktrace Threat Visualizer and how Darktrace is deployed: the real-time graphical investigation UI analysts use to explore topology, pattern of life, model breaches and packet-level detail; the master appliance (physical, virtual or cloud-hosted) that ingests a passive copy of traffic via SPAN/mirror or TAP; probes for remote sites, cSensors for cloud and osSensors for hosts; how data can stay on-prem; and how to size and place sensors to capture east-west and egress traffic.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Threat Visualizer

The real-time UI analysts actually work in.

 2

Deployment

Master appliance, passive SPAN/TAP, no inline risk.

 3

Scaling coverage

Probes, cSensors, osSensors; data stays on-prem.

 4

Sizing & pitfalls

Throughput, placement, integrations, blind spots.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What is the Threat Visualizer?

Answered in Threat Visualizer.

2. How does the Darktrace master appliance get traffic?

Answered in Deployment.

3. How do you cover a remote branch with no central SPAN port?

Answered in Scaling coverage.

Most engineers think…

Most people imagine Darktrace as some magic black box you 'plug into the network' — and they can't say what they would actually click, or where the box physically sits.

In reality there are two concrete things to know. The Threat Visualizer is the real-time, graphical investigation UI you work in: it maps the whole network, lets you click any device to see its learned pattern of life and model breaches, and drill down to packet-level detail. Underneath it, Darktrace is deployed passively / out-of-band: a master appliance (physical, virtual or cloud-hosted) ingests a copy of traffic from a SPAN/mirror port or a TAP, extended by probes, cSensors and osSensors. Knowing both is what lets you investigate fast and place the deployment so it has no blind spots.

① The Threat Visualizer — what analysts actually see and do

The Threat Visualizer is Darktrace's main investigation UI — a browser-based, real-time, often 3D graphical view of your whole network: every device, the connections between them, and where anomalies are happening right now. It is where analysts live, not a back-end component you forget about.

From the map you can click into any device and see its event log and its learned pattern of life: the peers it normally talks to, the ports, the volumes and the timing. Against that context an anomaly is obvious, not just a raw log line.

From the map down to the packet

When behaviour crosses a Darktrace model, the Visualizer surfaces a model breach. You can open it and drill down — from the high-level topology, to the device, to the specific connection, all the way to packet/connection-level detail — so you can prove exactly what happened instead of guessing.

Figure 1 — Drilling down in the Threat Visualizer
The Threat Visualizer lets an analyst move from the whole-network map down to the exact packet behind a model breach.Drilling down in the Threat VisualizerTopologywhole-network mapDeviceclick any entityPattern of lifewhat is normal hereModel breachwhat broke a modelPacket detailthe exact connection
The Threat Visualizer lets an analyst move from the whole-network map down to the exact packet behind a model breach.
Two answers, every interview

When asked about Darktrace, separate the two halves cleanly: the Threat Visualizer is the real-time graphical UI you investigate in (topology ▸ device ▸ pattern of life ▸ model breach ▸ packet), and the deployment is a passive master appliance on a copy of traffic. Saying both shows you know the tool and where it sits.

Quick check · Q1 of 10 · Understand

What is the Threat Visualizer, and what do analysts do in it?

Correct: c. The Threat Visualizer is Darktrace's main investigation UI — a real-time graphical/3D map. Analysts explore the topology, click into a device to see its event log and pattern of life, inspect model breaches, and drill all the way down to the connection/packet level.
👉 So far: The Threat Visualizer is Darktrace's real-time graphical UI: explore the topology, click into a device's pattern of life and model breaches, and drill all the way to packet-level detail.

② Deployment — a master appliance on a passive copy of traffic

Here is the deployment fact that surprises people: Darktrace is passive and out-of-band. The master appliance does not sit in the traffic path. Instead it ingests a copy of traffic from a switch SPAN/mirror port or a hardware network TAP.

Because it only ever sees a copy, it adds no inline latency and cannot drop or break production traffic — the deliberate contrast with an inline IPS or firewall that sits in the path and is a potential choke point and single point of failure.

One brain, three form factors

The master appliance comes as a physical appliance, a virtual appliance, or cloud-hosted — you choose the form factor to suit the environment, and the analytics and Threat Visualizer are identical across all three. The catch to remember: passive means it only sees what is fed to it, so a SPAN/TAP that misses a segment leaves that traffic invisible.

Figure 2 — Passive master appliance vs inline IPS
The Darktrace master sees a copy of traffic and can't break it; an inline IPS sits in the path and is a choke point.Passive master appliance vs inline IPSDarktrace master (passive)Out-of-band on SPAN/TAP copyZero inline latencyCannot drop legit trafficPhysical, virtual or cloud-hostedSees east-west + egressInline IPS / firewallSits in the traffic pathCan add latencyCan block but is a choke pointUsually fixed appliance/VMMostly north-south perimeter
The Darktrace master sees a copy of traffic and can't break it; an inline IPS sits in the path and is a choke point.
🗺️
Threat Visualizer
tap to flip

Darktrace's real-time graphical/3D investigation UI — explore topology, click into a device's pattern of life and model breaches, and drill to packet-level detail.

🧠
Master appliance
tap to flip

The physical, virtual or cloud-hosted core that ingests a copy of traffic and runs the Self-Learning AI the Threat Visualizer reads from.

📡
Probe
tap to flip

A remote-site collector that captures local traffic and forwards it to the master — how one analytics core covers many distributed locations.

☁️
cSensor / osSensor
tap to flip

Cloud sensors (cSensors) reach cloud/virtual networks; host sensors (osSensors) cover individual hosts and remote workers the network feed can't see.

'It's an inline box you plug in' is wrong

The master appliance is passive and out-of-band — it runs on a copy of traffic from a SPAN/mirror or TAP and cannot break a connection or add latency. Calling it inline gets the deployment model, the latency story and the failure mode all wrong.

Quick check · Q2 of 10 · Remember

How is the Darktrace master appliance deployed on the network?

Correct: b. The master is out-of-band: it ingests a copy of traffic from a SPAN/mirror port or a network TAP, so it adds no inline latency and cannot drop or break production traffic. It is available as a physical, virtual or cloud-hosted appliance.
👉 So far: Darktrace deploys passively / out-of-band: a master appliance (physical, virtual or cloud-hosted) ingests a copy of traffic via SPAN/mirror or TAP — zero latency, nothing to break, but it only sees what's fed to it.

③ Scaling coverage — probes, cSensors, osSensors (and on-prem data)

One master can't physically tap every site, so coverage is extended. For a branch or remote location with no link back to a central SPAN port, a probe captures the local traffic and forwards it to the master — so one analytics core covers many sites.

Two sensor types fill the rest of the gaps. cSensors (cloud sensors) extend visibility into cloud and virtual environments where there is no physical SPAN port. osSensors (host/endpoint sensors) sit on individual hosts — servers and laptops — for device-level visibility, which is how you cover remote workers whose traffic never crosses your network.

Your data can stay on-prem

For privacy and compliance, the master and its learning can remain on-premises: the AI learns locally from your own environment rather than shipping raw traffic out. All of these feeds — SPAN/TAP, probes, cSensors, osSensors — drive the same Self-Learning AI and show up in the same Threat Visualizer.

Figure 3 — One master, every vantage point
SPAN/TAP, probes, cloud sensors and host sensors all feed the same master and the same Threat Visualizer.One master, every vantage pointMaster applianceSelf-Learning AISPAN / mirrorNetwork TAPProbe (remote site)cSensor (cloud)osSensor (host)Threat Visualizer
SPAN/TAP, probes, cloud sensors and host sensors all feed the same master and the same Threat Visualizer.
Figure 4 — Where coverage comes from
Each piece covers a different blind spot — together they give east-west, egress, cloud and remote-user visibility.Where coverage comes fromSPAN / TAPcore + egress on-prem trafficProberemote and branch sitescSensorcloud and virtual environmentsosSensorhosts, laptops, remote workers
Each piece covers a different blind spot — together they give east-west, egress, cloud and remote-user visibility.

▶ Watch a breach surface in the Threat Visualizer — then watch it stay invisible

How a copy of traffic becomes a model breach an analyst can drill into. Press Play for the healthy path, then Break it to see the classic blind spot.

① MirrorA SPAN port mirrors the core + egress traffic to the Darktrace master; cSensors add the cloud and osSensors add the laptops — all out-of-band, nothing on the wire is changed.
② LearnThe master's Self-Learning AI has built each device's pattern of life — its usual peers, ports, volumes and timing — across on-prem, cloud and host feeds.
③ BreachA device starts scanning internal shares and beaconing out; the behaviour deviates from its pattern of life, so a model breach fires and the device glows on the topology map.
④ Drill downThe analyst opens the Threat Visualizer, clicks the glowing device, and drills from the topology to the exact anomalous connection — proving what happened down to the packet.
Press Play to step through the healthy investigation path. Then press Break it.
Quick check · Q3 of 10 · Apply

A remote branch office has no link to your central SPAN port, and you also need cloud and remote-laptop visibility. What do you deploy?

Correct: a. A probe captures and forwards the branch's local traffic to the master; cSensors extend visibility into cloud/virtual environments with no physical SPAN; osSensors sit on hosts/laptops to cover remote workers. Together they remove the blind spots.
👉 So far: Extend coverage with probes for remote sites, cSensors for cloud and osSensors for hosts and remote workers; data can stay on-prem while the AI learns locally.

④ Sizing, placement, integrations — and the pitfalls

You size a Darktrace deployment by throughput (bandwidth) and number of devices — not by guesswork. Then you place SPAN sources, TAPs, probes and sensors so you actually capture the traffic that matters: both the east-west (internal, host-to-host) traffic where lateral movement hides and the egress (outbound) traffic where C2 and exfiltration show up.

Downstream, the deployment feeds Cyber AI Analyst (automated investigation) and Autonomous Response (containment), and integrations export detections to SIEM/SOAR/EDR so it slots into your existing SOC.

The pitfalls that cause 'why didn't it alert?'

Three classics: a SPAN/TAP that captures the wrong segments (the big one — usually mirroring only the internet uplink and missing east-west, so lateral movement is invisible); under-sizing for the real throughput/device count; and not deploying os/cSensors so cloud and remote users are uncovered.

Figure 5 — From tap to triaged incident
Sized and placed correctly, the deployment feeds investigation and response and exports to your SOC tools.From tap to triaged incidentCaptureSPAN/TAP/probe/sensorLearnpattern of lifeBreachmodel firesInvestigateCyber AI AnalystExportSIEM / SOAR / EDR
Sized and placed correctly, the deployment feeds investigation and response and exports to your SOC tools.

Vikram at Indus Manufacturing (Pune) faces this

Darktrace is live and the Threat Visualizer shows the internet-facing servers looking clean, yet a finance laptop turns out to have scanned internal file-shares and moved laterally for two weeks with no model breach ever raised.

Likely cause

The SPAN session only mirrors the internet-egress link (north-south), so the master never received a copy of the internal east-west traffic between user VLANs — that lateral movement was simply invisible.

Diagnosis

In the Threat Visualizer the finance laptop shows external/egress connections but no internal connection data for its subnet; on the switch the SPAN session sources include only the egress uplink, not the core/internal VLANs.

Threat Visualizer ▸ device ▸ Connections + switch ▸ monitor/SPAN session sources
Fix

Add the core/internal segments (user and server VLANs) to the SPAN/mirror session — or add a TAP on the core, or a probe/cSensor for that segment — so the master sees east-west traffic, then let each device's pattern of life rebuild.

Verify

Re-open the laptop in the Threat Visualizer: internal SMB/RDP connections now appear, the scanning and lateral-movement models breach, and Cyber AI Analyst stitches the internal activity into one incident you can drill into down to the connection.

Prove visibility before you trust silence

No breaches is not the same as no threats. Before calling a segment clean, confirm the master actually receives that VLAN's traffic — check the device's connection data in the Threat Visualizer and the SPAN/TAP sources on the switch. Passive tools are blind to what isn't fed to them.

Quick check · Q4 of 10 · Analyze

Darktrace is live but never raised a breach for a laptop that spent weeks scanning internal shares. The Threat Visualizer shows its egress but no internal connections. Most likely cause?

Correct: d. Passive means it only sees what's mirrored to it. If the SPAN session captures only the egress uplink, the internal east-west traffic — where lateral movement lives — never reaches the master, so no breach can fire. Add the core/internal VLANs to the SPAN, or a TAP/probe/cSensor for that segment.
👉 So far: Size by throughput and device count; place sensors to capture east-west + egress; feed Cyber AI Analyst and Autonomous Response and export to SIEM/SOAR/EDR. The classic miss is a SPAN that only mirrors the egress link.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

How does the Darktrace master appliance receive the traffic it analyses?

Correct: a. It is out-of-band: a SPAN/mirror port or TAP feeds it a copy of traffic, so it adds no latency and cannot break the live network.
Q6 · Understand

In the Threat Visualizer, what can an analyst do with a single device?

Correct: c. The Threat Visualizer lets you move from the topology map into any device to read its pattern of life, open its model breaches, and drill down to the exact connection/packet behind the anomaly.
Q7 · Apply

You need cloud visibility and coverage for remote workers' laptops whose traffic never crosses your network. What do you deploy?

Correct: d. cSensors extend visibility into cloud/virtual environments with no physical SPAN; osSensors are host sensors that report device-level activity, which is how you cover remote workers off the corporate network.
Q8 · Analyze

Why does a master appliance available as physical, virtual or cloud-hosted still give the same investigation experience?

Correct: b. The form factor only changes where the master runs; the analytics (Self-Learning AI) and the Threat Visualizer UI are identical, so you pick the form factor to suit the environment.
Q9 · Evaluate

An interviewer asks how you'd size and place a Darktrace deployment. Best answer?

Correct: c. Sizing is driven by bandwidth and number of devices; placement must capture both internal east-west traffic (lateral movement) and egress (C2/exfiltration), not just the internet uplink — otherwise you get blind spots.
Q10 · Evaluate

What is the single most common deployment blind spot to watch for?

Correct: b. The classic failure is a SPAN/TAP that only mirrors the north-south egress link. Internal east-west traffic — where lateral movement hides — never reaches the master, so it can never raise a breach for it. Mirror the core/internal segments or add a TAP/probe/cSensor.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one or two lines: what is the Threat Visualizer, and how is the Darktrace master appliance deployed? Then compare with the expert version.

Expert version: The Threat Visualizer is Darktrace's main investigation UI — a real-time graphical/3D map of the network where an analyst explores the topology, clicks into any device to read its event log and learned pattern of life, inspects model breaches, and drills all the way down to the exact packet/connection behind a breach. The deployment under it is passive and out-of-band: a master appliance (physical, virtual or cloud-hosted) ingests a copy of traffic from a SPAN/mirror port or a network TAP, so it adds no latency and can't break traffic. You extend coverage with probes for remote sites, cSensors for cloud and osSensors for hosts and remote workers, keep data on-prem if needed, and size by throughput and device count — placing sensors to capture both east-west and egress traffic.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Threat Visualizer
Darktrace's main investigation UI — a real-time graphical/3D map used to explore topology, devices, pattern of life, model breaches and packet-level detail.
Master appliance
The core Darktrace unit (physical, virtual or cloud-hosted) that ingests a copy of traffic and runs the Self-Learning AI the Threat Visualizer reads from.
Passive / out-of-band
Deployment on a copy of traffic (SPAN/mirror or TAP) — adds no inline latency and physically cannot break live traffic.
SPAN / mirror port
A switch feature that copies traffic from chosen ports or VLANs to a monitoring port for a tool to inspect.
Network TAP
A passive hardware device on a link that copies its traffic for monitoring, with no effect on the live flow.
Probe
A remote/distributed-site collector that captures local traffic and forwards it to the master appliance.
cSensor / osSensor
Darktrace's cloud sensors (cloud/virtual reach) and host-based sensors (device-level visibility, including remote workers).
Model breach
An event raised when a device's behaviour crosses the threshold of one of Darktrace's models — the thing analysts open and investigate.
Pattern of life
The learned, per-device baseline of normal behaviour you can view in the Threat Visualizer to put an anomaly in context.
East-west vs egress
East-west is internal host-to-host traffic (where lateral movement hides); egress is outbound internet traffic (where C2 and exfiltration show up). Capture both.

📚 Sources

  1. Darktrace — The Threat Visualizer: real-time investigation UI. darktrace.com
  2. Darktrace — Deployment overview: master appliance (physical/virtual/cloud), passive SPAN/mirror and TAP ingestion. darktrace.com
  3. Darktrace — Probes, cSensors and osSensors: extending coverage to remote sites, cloud and hosts. darktrace.com
  4. Darktrace — Data sovereignty: on-prem deployment and local learning. darktrace.com
  5. Darktrace — Sizing & sensor placement: throughput, device count, east-west and egress. darktrace.com
  6. Darktrace — Integrations: Cyber AI Analyst, Autonomous Response and SIEM/SOAR/EDR export. darktrace.com

What's next?

You can now read the Threat Visualizer and place the deployment. Next: models and model breaches — how Darktrace's models actually fire, what a 'breach' really means, and how to tune out false positives without going blind to real threats.

Next · All interview lessons → Practice on exam.techclick.in →