Darktrace Launches Automated Forensics for the Cloud Era

Darktrace is betting that automation can finally close one of cloud security’s most painful gaps: forensic investigations. The UK-based cybersecurity firm recently unveiled Darktrace / Forensic Acquisition & Investigation, a tool designed to shrink investigation timelines from days to minutes by collecting and preserving volatile evidence the moment an attack is detected.

The rollout comes against a backdrop of worsening cloud security statistics. Nearly nine in ten organizations in the US and UK report suffering material damage before they could contain cloud incidents, according to recent survey data. Investigations in the cloud routinely take several days longer than on-premises cases, largely because evidence from containers or serverless workloads disappears before analysts can capture it.

Darktrace’s new product aims to change that. It automatically captures memory, disk, and log data across cloud and hybrid environments at the exact moment an alert is raised. Evidence can be pulled from ephemeral resources such as Kubernetes pods or AWS ECS tasks and fed into a timeline that reconstructs attacker behavior. The company says this reduces the need for manual correlation and eliminates investigative dead ends.

Philip Bues, senior research manager for cloud security at IDC, called the approach “a significant innovation,” noting that it leverages the scale of cloud platforms themselves to “automatically collect, preserve and investigate volatile data at the time of detection.”

The technology builds on Darktrace’s acquisition of Cado Security earlier this year, expanding its footprint beyond AI-driven detection into automated response and investigation. The company emphasizes that the solution integrates directly with cloud APIs, avoiding reliance on agents or snapshots that often miss fleeting assets.

Early users say the speed matters. “With Darktrace / Forensic Acquisition & Investigation, what was once a highly specialized, time-consuming process is now an automated, one-click action for our team,” said Justin Dimmick, senior security response engineer at Cloudera. He added that the system “drastically reduced our mean time to respond and empowered our team to shift from reactive archaeology to real-time investigation.”

The new tool is available as a standalone product or as part of the broader Darktrace ActiveAI Security Platform. It is particularly powerful when paired with Darktrace / CLOUD, the company’s detection and response suite. Together, the two products combine real-time threat monitoring with forensic evidence capture, giving analysts a single workflow from detection through remediation.

For customers, the value lies in unifying visibility, response, and investigation. Andrea Carriero, head of infrastructure and security at papernest, said the pairing gave her team “full-spectrum visibility and a way to cut through noise so our team could focus on real risks.”

Connie Stride, senior vice president of product at Darktrace, framed the launch as a way to restore balance between innovation and security. “Cloud adoption has unlocked extraordinary opportunities for innovation but has also created new challenges and blind spots for security teams,” she said. By folding automated forensics into the company’s AI-driven platform, Darktrace hopes to give defenders the same speed and scale that attackers already exploit.

The product is available immediately, with both SaaS and on-premises deployment options.