How does DarkBytes Detect Threats?


DarkBytes Detect, the technology used for Threat detection, is a general-purpose security analytics platform and is not limited to one way of detecting Threats. Instead, the platform employs many techniques to classify and prioritize Threats, with a "use the right tool for the job" mentality.


At a high level, the DarkBytes cloud runs "workers" that expect results from Scheduled Queries. When the Host Sensor generates a result, it is immediately sent to the cloud and processed by the workers.

Each worker has its own algorithm for classifying an individual Query result as a Threat.


For example, one worker takes every file hash in a result and checks whether it is known malware in VirusTotal. This works very well for known malware but poorly for unknown malware, because a hash lookup only matches an exact file and a repacked or recompiled sample has a new hash. As a result, another worker analyzes behaviors such as the process execution tree, which is much harder for malware to bypass. In addition, a worker applies machine learning models to classify unknown binaries as malicious or benign.
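To make the worker model concrete, here is an added example (not DarkBytes code, and not its API) of a small pipeline with two of the worker types from the paragraph above: a hash-reputation worker and a process-tree worker. The Query results, hashes, process names and command lines are constructed sample data, and the KNOWN_MALWARE table is a local stand-in for a VirusTotal lookup; the machine-learning worker is left out because a real model would not fit in an illustration. The unknown-hash sample demonstrates the point made above: the hash worker stays silent while the behavioural worker still fires.

```python
"""Worker-style detection pipeline (added example, not DarkBytes code).

A Scheduled Query result is modelled as a dict describing one process start.
Every worker sees the same result and returns a Verdict or None. All sample
data below is constructed; KNOWN_MALWARE stands in for a VirusTotal lookup.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    worker: str    # which worker produced the verdict
    severity: int  # 0-100, used to prioritize Threats
    reason: str


# Constructed stand-in for a VirusTotal reputation lookup: sha256 -> label.
KNOWN_MALWARE = {
    "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b": "Trojan.Generic",
}


class HashReputationWorker:
    """Flags a result whose file hash is already known malware (exact match only)."""
    name = "hash_reputation"

    def __init__(self, known_malware):
        self.known_malware = known_malware

    def classify(self, result):
        label = self.known_malware.get(result.get("sha256", "").lower())
        if label is None:
            return None  # unknown hash: a repacked sample never matches here
        return Verdict(self.name, 90, f"hash matches known malware {label}")


class ProcessTreeWorker:
    """Flags suspicious parent/child chains, independent of the file hash."""
    name = "process_tree"
    DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
    SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

    def classify(self, result):
        image = result["image"].lower()
        ancestry = [p.lower() for p in result.get("ancestry", [])]  # parent first
        parents = [p for p in ancestry if p in self.DOCUMENT_APPS]
        if image not in self.SCRIPT_HOSTS or not parents:
            return None
        severity = 70
        # An encoded PowerShell payload under a document app is a stronger signal.
        if "-enc" in result.get("cmdline", "").lower():
            severity = 85
        return Verdict(self.name, severity, f"{parents[0]} spawned {image}")


WORKERS = [HashReputationWorker(KNOWN_MALWARE), ProcessTreeWorker()]


def detect(result, workers=WORKERS):
    """Fan one query result out to every worker; return verdicts, most severe first."""
    verdicts = (w.classify(result) for w in workers)
    return sorted((v for v in verdicts if v is not None),
                  key=lambda v: v.severity, reverse=True)


def triage(results, workers=WORKERS):
    """Rank flagged results by their highest severity: (image, severity, reasons)."""
    flagged = []
    for result in results:
        verdicts = detect(result, workers)
        if verdicts:
            flagged.append((result["image"], verdicts[0].severity,
                            [v.reason for v in verdicts]))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


# Constructed sample results, as a Host Sensor might report them.
KNOWN_SAMPLE = {  # known hash, unremarkable parent: only the hash worker fires
    "image": "update.exe",
    "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
    "ancestry": ["explorer.exe"],
    "cmdline": "update.exe",
}
UNKNOWN_SAMPLE = {  # never-seen hash, but Word launching encoded PowerShell
    "image": "powershell.exe",
    "sha256": "d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35",
    "ancestry": ["winword.exe", "explorer.exe"],
    "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA",
}
BENIGN_SAMPLE = {  # a user opening a shell from Explorer: no worker fires
    "image": "cmd.exe",
    "sha256": "4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce",
    "ancestry": ["explorer.exe"],
    "cmdline": "cmd.exe",
}

if __name__ == "__main__":
    for image, severity, reasons in triage([BENIGN_SAMPLE, UNKNOWN_SAMPLE, KNOWN_SAMPLE]):
        print(f"{severity:3d} {image}: {'; '.join(reasons)}")
```

Each worker returns either a verdict or None, so adding a new detection technique means adding one more class to WORKERS without touching the others; the severity field is what lets the dispatcher prioritize across techniques that have nothing in common.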

More worker algorithms are added to Detect on a weekly basis. This rapid evolution of security analytics is key to staying ahead of the adversary.