Before You Sign the Renewal
Darktrace contracts are significant investments. Annual licensing fees for mid-sized deployments typically run six figures. Before you sign the renewal, you should have clear, quantified answers to five questions about your deployment's actual detection capability.
These are not gotcha questions. They are legitimate technical inquiries that any vendor should be able to answer for a specific deployment. If your vendor provides vague or evasive responses, that tells you something important about whether they truly understand your coverage.
Question 1: What Is Your Encrypted Tunnel Detection Rate?
Why it matters: The majority of modern command-and-control traffic uses encrypted channels. If Darktrace cannot detect encrypted tunnels carrying adversary traffic, a significant portion of the attack lifecycle is invisible to your detection infrastructure.
What to listen for: A good answer includes specific detection rates for different encrypted tunnel types: standard HTTPS C2, mTLS-based tunnels, DNS-over-HTTPS and custom encryption. It should also acknowledge whether your deployment includes SSL/TLS interception, because without it, encrypted payload inspection is not possible.
Red flag answers: "Our AI detects anomalous encrypted connections." This is too vague. Anomalous by what measure? Connection timing? Destination IP? Certificate characteristics? Without specifics, you cannot evaluate whether the detection is meaningful.
Ask for data from your deployment. Not from a lab environment. Not from a demo. From your production network. If they cannot provide deployment-specific detection rates, they do not know how your deployment performs.
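To make "anomalous by what measure" concrete, here is an added example (not Darktrace's code, and not from this article's authors) of one measurable timing check that still works when payloads are encrypted: grouping flows by source, destination and port, and flagging pairs whose connection intervals are unusually regular. The flow records, hosts and the thresholds (`min_connections`, `max_cv`) are constructed for illustration.

```python
"""Timing-based check for beacon-like encrypted connections (added example).

Encryption hides the payload, but the cadence of connections is still visible.
This scores each (source, destination, port) pair by the coefficient of
variation (CV) of the gaps between its connections: a low CV means a steady,
timer-driven pattern. Flow records and thresholds below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, source host, destination, destination port)
FLOWS = [
    # A 60-second cadence with a few seconds of jitter to one host (constructed)
    *[(1000 + 60 * i + (i % 3), "ws-17", "203.0.113.5", 443) for i in range(12)],
    # Irregular, user-driven connections to another host (constructed)
    (1005, "ws-17", "198.51.100.9", 443), (1190, "ws-17", "198.51.100.9", 443),
    (1212, "ws-17", "198.51.100.9", 443), (1500, "ws-17", "198.51.100.9", 443),
    (1905, "ws-17", "198.51.100.9", 443),
]


def interval_stats(timestamps):
    """Return (mean gap, CV of gaps) for a list of timestamps, or None if too few."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(flows, min_connections=8, max_cv=0.2):
    """Group flows per (src, dst, port) and flag pairs with steady connection intervals.

    min_connections: minimum samples before the statistic is trusted (assumed value).
    max_cv: gaps may vary by at most ~20% around their mean (assumed threshold).
    Returns {pair: {"mean_gap", "cv", "count"}} for flagged pairs.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # not enough connections to judge regularity
        stats = interval_stats(stamps)
        if stats and stats[1] <= max_cv:
            hits[pair] = {
                "mean_gap": round(stats[0], 1),
                "cv": round(stats[1], 3),
                "count": len(stamps),
            }
    return hits


if __name__ == "__main__":
    for pair, info in find_beacons(FLOWS).items():
        print(f"steady cadence: {pair} every ~{info['mean_gap']}s "
              f"(cv={info['cv']}, n={info['count']})")
```

The point of the example is that a vendor answer should be checkable at this level of detail: which measure (here, gap regularity), which thresholds, and how many connections are needed before an alert can fire. Any real threshold has to be tuned against your own traffic, since legitimate software update checks and health probes are also periodic.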
Question 2: How Long Does Baselining Take for New Devices?
Why it matters: New devices have no behavioral baseline. During the baselining period, Darktrace is learning what normal looks like rather than detecting anomalies. This creates a window where a new device, whether it is a legitimate addition or a rogue attacker device, operates with reduced detection coverage.
What to listen for: A specific timeframe (typically two to four weeks) and an explanation of what reduced-confidence detection looks like during that window. The vendor should also explain how new devices in different network segments (servers versus workstations versus IoT) are handled differently.
Red flag answers: "Darktrace immediately begins monitoring new devices." Monitoring and detection are different things. Monitoring means observing. Detection means identifying anomalies against a baseline. Without a baseline, anomaly detection accuracy is significantly lower.
Follow up with: "If I plug an unknown device into our network right now, what specifically will Darktrace alert on within the first hour? The first day? The first week?"
Question 3: Can Your Platform Detect MAC Spoofing with Legitimate Vendor Prefixes?
Why it matters: MAC spoofing is trivial for any attacker with physical or adjacent network access. If the attacker uses a MAC address with a legitimate vendor prefix (matching your existing device population), the spoofed device blends with known hardware types.
What to listen for: An explanation of how Darktrace distinguishes between a real Dell workstation and a rogue device spoofing a Dell MAC address. The answer should reference additional identification methods beyond MAC address: DHCP fingerprinting, OS stack fingerprinting, behavioral patterns and certificate characteristics.
Red flag answers: "We track all devices by MAC address." That is the problem, not the solution. If device tracking relies primarily on MAC addresses and an attacker clones a valid MAC, the tracking is undermined.
Ask for a specific scenario: "If an attacker plugs a Linux device into our network and spoofs the MAC address and hostname of an existing Windows workstation, how does Darktrace distinguish the two?"
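The scenario above can be turned into a concrete consistency check. This added example (not Darktrace's code, and not from this article's authors) compares the identity a device claims through its MAC OUI and hostname with two stack-level signals it cannot change by cloning those values: the DHCP option 55 parameter request list and the initial IP TTL. The OUI table, DHCP fingerprints, hostname convention (`WS-` prefix for Windows workstations) and the two observations are constructed for illustration; the default TTLs of 128 for Windows and 64 for Linux are standard values.

```python
"""Consistency check across device identifiers (added example).

A cloned MAC and hostname change only the device's claimed identity. The DHCP
parameter request list and the packet TTL come from the real operating system
stack, so a contradiction between the two views is the signal to alert on.
Lookup tables and sample observations below are constructed.
"""

# Constructed OUI lookup; a deployment would use the IEEE registry instead
OUI_VENDOR = {"00:14:22": "Dell"}

# Illustrative DHCP option 55 fingerprints keyed by OS family (constructed)
DHCP_FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,121,249,252": "Windows",
    "1,28,2,3,15,6,119,12,44,47,26,121,42": "Linux",
}

# Standard initial TTL values per OS family
DEFAULT_TTL = {128: "Windows", 64: "Linux"}


def os_from_ttl(observed_ttl):
    """Map an observed TTL to the smallest standard initial TTL it fits under."""
    for initial in sorted(DEFAULT_TTL):
        if observed_ttl <= initial:  # each router hop decrements TTL by one
            return DEFAULT_TTL[initial]
    return "unknown"


def os_from_hostname(hostname):
    """Assumed naming convention: Windows workstations are named WS-nnnn."""
    return "Windows" if hostname.upper().startswith("WS-") else "unknown"


def assess_device(obs):
    """Return contradictions between a device's claimed and observed OS identity."""
    findings = []
    oui = obs["mac"][:8].lower()
    vendor = OUI_VENDOR.get(oui, "unknown")
    claimed_os = os_from_hostname(obs["hostname"])
    dhcp_os = DHCP_FINGERPRINTS.get(obs["dhcp_opt55"], "unknown")
    ttl_os = os_from_ttl(obs["ttl"])
    for label, observed in (("DHCP fingerprint", dhcp_os), ("IP TTL", ttl_os)):
        if "unknown" not in (claimed_os, observed) and observed != claimed_os:
            findings.append(
                f"{obs['mac']} ({vendor} OUI, hostname {obs['hostname']}) "
                f"claims {claimed_os} but {label} indicates {observed}"
            )
    return findings


# Constructed observations: the genuine workstation and a device presenting the
# same MAC and hostname but a different operating system stack
GENUINE = {"mac": "00:14:22:aa:bb:cc", "hostname": "WS-0417",
           "dhcp_opt55": "1,3,6,15,31,33,43,44,46,47,121,249,252", "ttl": 127}
CLONE = {"mac": "00:14:22:aa:bb:cc", "hostname": "WS-0417",
         "dhcp_opt55": "1,28,2,3,15,6,119,12,44,47,26,121,42", "ttl": 63}

if __name__ == "__main__":
    print("genuine:", assess_device(GENUINE) or "no contradictions")
    print("clone:", assess_device(CLONE))
```

The useful property is that each signal is independent: a convincing vendor answer names which of these (or which additional ones, such as TLS client characteristics) their platform actually compares, and what happens when only one of them disagrees.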
Question 4: How Does Darktrace Handle Identity Rotation?
Why it matters: Attackers who compromise multiple credentials rotate between them during an operation. This spreads malicious activity across multiple user identities, keeping each individual identity's behavior within normal parameters. The aggregate activity is malicious but no single identity's activity is anomalous.
What to listen for: An explanation of how Darktrace correlates activity across multiple user identities to a single source device or attack pattern. The answer should describe cross-identity behavioral analysis, not just per-identity anomaly detection.
Red flag answers: "Darktrace monitors user behavior and detects anomalous access patterns." This describes per-identity monitoring. The question is about cross-identity correlation. If Darktrace monitors each identity independently, identity rotation defeats the behavioral model because each identity behaves normally.
Push for specifics: "If an attacker uses three different compromised accounts over four hours, each accessing different file shares, how does Darktrace connect those three sessions as a single attack?"
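The difference between per-identity and cross-identity analysis can be shown directly. This added example (not Darktrace's code, and not from this article's authors) runs both views over a constructed set of file share access events: the per-identity check finds nothing, because every account touches only one share, while the per-source check ties three accounts used from the same host within a four-hour window into one finding. Event data, hostnames, account names and the thresholds (`max_shares`, `window`, `min_identities`) are constructed for illustration.

```python
"""Per-identity versus cross-identity correlation (added example).

Identity rotation keeps each account within its own normal range. Pivoting on
the source host instead of the account exposes the aggregate. Events and
thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, account, source host, file share accessed)
EVENTS = [
    ("2024-05-01T09:00", "alice", "ws-22", r"\\fs1\finance"),
    ("2024-05-01T10:10", "bob",   "ws-22", r"\\fs1\hr"),
    ("2024-05-01T12:40", "carol", "ws-22", r"\\fs2\legal"),
    ("2024-05-01T09:05", "dave",  "ws-09", r"\\fs1\eng"),
    ("2024-05-01T16:30", "erin",  "ws-09", r"\\fs1\eng"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def per_identity_view(events, max_shares=2):
    """Per-account check: flag accounts touching more than max_shares distinct shares.

    max_shares is an assumed per-account baseline. Returns {account: shares}.
    """
    shares_by_user = defaultdict(set)
    for _, user, _, share in events:
        shares_by_user[user].add(share)
    return {u: sorted(s) for u, s in shares_by_user.items() if len(s) > max_shares}


def per_source_view(events, window=timedelta(hours=4), min_identities=3):
    """Cross-identity check: flag source hosts from which at least min_identities
    distinct accounts were active inside any window-length span.

    Returns {host: {"identities": [...], "shares": [...]}} for flagged hosts.
    """
    by_host = defaultdict(list)
    for ts, user, host, share in events:
        by_host[host].append((parse_ts(ts), user, share))
    hits = {}
    for host, recs in by_host.items():
        recs.sort()
        for start, _, _ in recs:  # slide the window from each event in turn
            in_window = [r for r in recs if start <= r[0] <= start + window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_identities:
                hits[host] = {
                    "identities": sorted(users),
                    "shares": sorted({s for _, _, s in in_window}),
                }
                break
    return hits


if __name__ == "__main__":
    print("per-identity findings:", per_identity_view(EVENTS) or "none")
    for host, info in per_source_view(EVENTS).items():
        print(f"{host}: {len(info['identities'])} accounts "
              f"({', '.join(info['identities'])}) reached {info['shares']}")
```

In a real deployment the pivot does not have to be the source host; the same grouping works on a session token, a VPN assignment or a workstation certificate, and the vendor's answer should say which of these their correlation actually uses.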
Question 5: Has This Deployment Been Independently Validated?
Why it matters: Vendor self-assessments demonstrate baseline functionality. They do not validate detection against real adversary techniques in your specific environment. Independent validation eliminates the vendor's conflict of interest and provides an unbiased assessment of detection capability.
What to listen for: A reference to third-party validation results, independent red team engagement reports or security tool assessment documentation from a party other than Darktrace. The vendor should welcome independent validation as evidence that their tool performs well.
Red flag answers: "We do not recommend third-party testing of our platform." Any vendor that discourages independent validation is protecting their sales position, not your security. A tool that works well has nothing to fear from independent testing.
If the deployment has not been independently validated, that is your answer. You are paying for a tool you have never tested.
What Happens When the Vendor Cannot Answer
If your Darktrace vendor cannot provide specific, deployment-level answers to these five questions, you have two options:
Option 1: Accept the uncertainty. Continue paying for the deployment and trust that it works based on vendor marketing, general detection claims and dashboard metrics. This is what most organizations do. It is also the reason most organizations discover detection gaps only after a breach.
Option 2: Test it. Commission an independent validation that answers every one of these questions with empirical data from your production environment. You will know exactly what your Darktrace deployment detects, what it misses, how quickly it alerts and where the gaps are.
At Sherlock Forensics, ShadowTap validation answers all five of these questions through controlled adversary simulation in your environment. We test encrypted tunnels, new device baselining, MAC spoofing, identity rotation and every other detection category that matters.
If your vendor cannot answer these questions, we can. By testing it.