DarkLight is the only patented system that embraces the human decision-making process and knowledge to combat cyber threats.

DarkLight was created, tested, and proven at one of the nation's most advanced research laboratories, spanning more than four years of R&D. Our proprietary approach intelligently processes the massive data streams from your current network and security appliances through a patented formal Description Logic Reasoning Framework and Semantic Graph Analytics. Unlike all other workflow-driven or machine learning-based automation tools, this approach more effectively models normal and abnormal user and network behavior.

Our Reasoning Engine is used to interpret and analyze facts using an analyst’s unique knowledge of cybersecurity and the enterprise, including the policies and compliance requirements of the organization they are protecting. By utilizing the analyst rather than black box or statistical models, the system becomes a true force multiplier of expert experience and knowledge.

The Power of a Reasoning Engine

Capturing the deductive and inductive reasoning of a human is what sets DarkLight apart. Here's how:

Description logics are expressed in formal knowledge representation languages.

One such language is the Web Ontology Language (OWL). DarkLight uses the OWL language to capture the descriptions of the things and logic in the domain of cybersecurity. By representing common sense knowledge from the cybersecurity community and the knowledge from your enterprise's cybersecurity analysts, tasks and data interpretation can be efficiently and intelligently automated. Trying to protect an enterprise from cybercrime without automation has been likened to “drinking from a firehose”. It just can't be done without getting hurt and making a mess of things.

An ontology is a formal way to describe knowledge.

Our technology uses the OWL language to form ontologies. DarkLight enables analysts to create ontologies and embed their own expertise specific to the needs of their enterprise. Ontologies contain class definitions, property definitions, and facts adhering to these definitions. By describing classes, properties, and rules in the domain of expert cybersecurity, the DarkLight system can automate the tedious, complex, and overwhelming tasks of the analyst.

Even better, industry-standard ontologies like STIX can be imported into DarkLight and used to create standardized descriptions of activities.

To demonstrate how much more valuable ontology-based systems can be versus rule-based systems, consider telling a system how to attach a fastener to a wall. 

In a rule-based system you’d specify the attributes you want the system to look for so you can choose the right tool. So for a nail you might say, “If it has a cylinder with a point on the end and a flat disc on the top, hit it with a hammer.”

Soon your system is hitting nails with the hammer, but then it comes across a screw and it hits it with a hammer because it matches the rule. So you have to write another rule that says, “If the cylinder has threads on it, use a screwdriver.” You can imagine that as your system runs and finds new fasteners and variations of known ones, you have to write more and more rules.

With an ontology-based system, your fasteners ontology already knows the properties that make up the full set of nails, screws, bolts, etc., so your rule is simply, “Use the appropriate tool on the fastener.” The system can use the limited input it is given (Hex Head, Threaded Body) to deduce the type of object it is (Bolt) and use the correct tool (Wrench).
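The fastener comparison above, worked through as an added example; it is not DarkLight code and not an OWL reasoner. The class names, property names and tools are constructed for the analogy, and the `excluded` set on `Nail` is an assumption standing in for class disjointness.

```python
# Added illustration: class names, properties and tools are constructed
# for the fastener analogy; this is not an OWL reasoner or product code.
from typing import NamedTuple, Optional

class ClassDef(NamedTuple):
    parent: Optional[str]              # subclass-of link
    sufficient: frozenset              # having all of these implies membership
    excluded: frozenset = frozenset()  # any of these rules membership out
    tool: Optional[str] = None         # inherited by subclasses

ONTOLOGY = {
    "Fastener":         ClassDef(None, frozenset()),
    "Nail":             ClassDef("Fastener", frozenset({"pointed_tip", "flat_head"}),
                                 frozenset({"threaded_body"}), "Hammer"),
    "ThreadedFastener": ClassDef("Fastener", frozenset({"threaded_body"})),
    "Screw":            ClassDef("ThreadedFastener",
                                 frozenset({"threaded_body", "pointed_tip"}), tool="Screwdriver"),
    "Bolt":             ClassDef("ThreadedFastener",
                                 frozenset({"threaded_body", "hex_head"}), tool="Wrench"),
}

def ancestors(name):
    """Yield the class and each superclass up to the root."""
    while name is not None:
        yield name
        name = ONTOLOGY[name].parent

def classify(observed):
    """Return the most specific classes whose definition the observed properties satisfy."""
    observed = frozenset(observed)
    matched = {n for n, c in ONTOLOGY.items()
               if c.sufficient and c.sufficient <= observed and not (c.excluded & observed)}
    # Drop any class that is a superclass of another match.
    covered = {a for n in matched for a in list(ancestors(n))[1:]}
    return sorted(matched - covered)

def tool_for(observed):
    """The single rule 'use the appropriate tool on the fastener', resolved via the hierarchy."""
    tools = {next((ONTOLOGY[a].tool for a in ancestors(n) if ONTOLOGY[a].tool), None)
             for n in classify(observed)}
    return tools.pop() if len(tools) == 1 else None   # unknown or ambiguous: choose nothing

def rule_based(observed):
    """The first hand-written rule from the text, which misfires on a screw."""
    return "Hammer" if {"pointed_tip", "flat_head"} <= set(observed) else None
```

An object described only as having a threaded body is classified as a `ThreadedFastener` with no tool chosen, rather than being matched to the wrong rule.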




Human Quality Data Analysis at Scale

At the core of DarkLight is the Programmable Reasoning Object or PRO.  Because the DarkLight PRO is created by the security analyst themselves, it thinks and works like a human, finding correlations and patterns between data sets — but does so at scale — rapidly evaluating the thousands or millions of events generated by your network monitoring systems, security appliances, SIEM, and any other data source. When PROs are chained together, they behave like a human’s neural network, inferring facts and identifying anomalous activity or events that would otherwise only be obvious to a team of security analysts.

Improves Knowledge Retention / Accelerates Onboarding

The DarkLight PROs can be used again and again, shared between analysts and retained as part of the institutional knowledge. They can also be used for training the next generation of analysts within your organization to speed onboarding and model the best practices and techniques of the most senior subject matter experts.

Connects the Dots in Your Enterprise Data

The more of your company's data you can add to DarkLight's reasoning engine, the better your PROs can intelligently make connections the way a human would. More than a simple lookup engine, each piece of contextual information added to the semantic graph database provides a richer definition of that employee, device, or network. You likely have several data sources that each know specific pieces of information about the entities on your network. Integrating them all into DarkLight creates a powerful resource for your analysts.


User and Entity Based Analytics (UEBA)

Superior through Reasoning

DarkLight approaches the cybersecurity problem by allowing analysts to explicitly establish what the "normal" user behavior baseline is in the context of the enterprise business model and operations. For example, a compensation specialist working in HR should not be downloading customer data; that is not part of the employee's normal user profile or approved behavior or UEBA.

Understanding every employee, vendor and customer profile and behavior is at the heart of what DarkLight gives the internal enterprise cyber security analysts, followed by the ability to alert and act quickly.

DarkLight offers the user a means to perpetuate their know-how via our exclusive PROs. Other UEBA providers require an entity to use their machine-learned models of the user and/or its peers. The key difference is in who is making the decision about what an anomaly is.


Finds and Protects Against Insider Threat

Combating insider threat requires extreme integration with your enterprise infrastructure and business practices. DarkLight's ability to normalize your company's contextual information allows your analysts to look for and be notified of differences in patterns of behavior.


Delivers Value from Day One — Gets Smarter Over Time

Deployment of DarkLight is non-disruptive to your existing processes and is easily adapted to your people, process and enterprise technology. Your analysts will find value within hours of deploying and even more benefit over time as they leverage DarkLight’s superior reasoning framework to hunt for the “one-percenters”. With DarkLight, your team’s effectiveness is leveraged and multiplied.


The Analyst’s Über Assistant

  • Normalizes data feeds from existing network security and threat intelligence systems.
  • Automates the attribution and correlation of system, sensor, event, appliance, and user logs.
  • Augments the deductive and investigative skills of the Analyst. Easily create ontologies to embed their own expertise, specific to the needs of their enterprise.

The CISO’s Force Multiplier

  • Saves Time: In order to find disruptive or dangerous activity, the Analyst typically spends hours or days searching for these patterns, even when aided by scripts or their “toolkit”.
  • Improves Staff Effectiveness: DarkLight automates the repetitive, complex tasks of attribution and documentation.
  • Enables hunting: for the "one-percenters" that will do your organization the most harm.

Enterprise Friendly

DarkLight leverages the technology you've already invested in.  Here are a few examples...