Reference deployment

Darktrace vSensor on AWS

Deploy self-learning AI to detect security issues in VPC traffic

This Quick Start deploys Darktrace vSensor virtual threat detection on the Amazon Web Services (AWS) Cloud. Darktrace analyzes raw data from mirrored virtual private cloud (VPC) traffic to identify threats. 

Amazon VPC traffic mirroring copies traffic from Amazon Elastic Compute Cloud (Amazon EC2) instances you want to monitor. A Network Load Balancer distributes mirrored traffic to Darktrace vSensor probes deployed in private subnets. Darktrace vSensors extract metadata from the mirrored traffic and store it in an Amazon Simple Storage Service (Amazon S3) bucket. Your existing Darktrace deployment analyzes the metadata using Darktrace's Enterprise Immune System to build metrics for identifying threats.
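The mirroring path described above (monitored instance, traffic mirror session, Network Load Balancer, vSensor probes) is wired together with three EC2 resources: a mirror target pointing at the load balancer, a mirror filter that decides which packets are copied, and a mirror session that binds a monitored network interface to both. The CloudFormation fragment below is an added example written for this page; it is not one of the Quick Start's own templates. It assumes the Quick Start has already created the Network Load Balancer (its ARN is passed in as a parameter), that the load balancer has a UDP 4789 listener (VPC traffic mirroring delivers packets as VXLAN on that port), and that the operator supplies the network interface ID of the instance to monitor. The parameter names, the `10.0.0.0/16` default, and the session and VNI numbers are constructed values.

```yaml
# Added example, not part of the Darktrace Quick Start templates.
# Mirrors one EC2 instance's traffic to the vSensor Network Load Balancer.
AWSTemplateFormatVersion: '2010-09-09'
Description: Mirror a monitored instance's traffic to the Darktrace vSensor NLB (added example)

Parameters:
  VSensorLoadBalancerArn:
    Type: String
    Description: ARN of the Network Load Balancer fronting the vSensor Auto Scaling group (supplied by the operator)
  MonitoredEniId:
    Type: String
    Description: Network interface ID (eni-...) of the EC2 instance to monitor (supplied by the operator)
  VSensorSubnetCidr:
    Type: String
    Default: 10.0.0.0/16   # constructed default; use the CIDR of the vSensor private subnets
    Description: CIDR of the vSensor subnets; traffic to it is excluded from mirroring

Resources:
  # Mirror target: the NLB that spreads mirrored packets across the vSensor probes.
  VSensorMirrorTarget:
    Type: AWS::EC2::TrafficMirrorTarget
    Properties:
      Description: Darktrace vSensor Network Load Balancer
      NetworkLoadBalancerArn: !Ref VSensorLoadBalancerArn

  # Mirror filter: rules are evaluated in ascending RuleNumber order per direction.
  MirrorFilter:
    Type: AWS::EC2::TrafficMirrorFilter
    Properties:
      Description: Mirror everything except packets destined for the vSensor subnets

  # Excluding the vSensor range keeps the VXLAN stream itself from being
  # re-mirrored if a vSensor interface is ever attached to a session.
  RejectEgressToVSensors:
    Type: AWS::EC2::TrafficMirrorFilterRule
    Properties:
      TrafficMirrorFilterId: !Ref MirrorFilter
      TrafficDirection: egress
      RuleNumber: 10
      RuleAction: reject
      SourceCidrBlock: 0.0.0.0/0
      DestinationCidrBlock: !Ref VSensorSubnetCidr

  AcceptAllEgress:
    Type: AWS::EC2::TrafficMirrorFilterRule
    Properties:
      TrafficMirrorFilterId: !Ref MirrorFilter
      TrafficDirection: egress
      RuleNumber: 100
      RuleAction: accept
      SourceCidrBlock: 0.0.0.0/0
      DestinationCidrBlock: 0.0.0.0/0

  AcceptAllIngress:
    Type: AWS::EC2::TrafficMirrorFilterRule
    Properties:
      TrafficMirrorFilterId: !Ref MirrorFilter
      TrafficDirection: ingress
      RuleNumber: 100
      RuleAction: accept
      SourceCidrBlock: 0.0.0.0/0
      DestinationCidrBlock: 0.0.0.0/0

  # Mirror session: binds the monitored interface to the filter and the target.
  # PacketLength is omitted on purpose so full payloads reach the vSensor.
  MonitoredInstanceSession:
    Type: AWS::EC2::TrafficMirrorSession
    Properties:
      Description: Mirror monitored instance traffic to Darktrace vSensor
      NetworkInterfaceId: !Ref MonitoredEniId
      TrafficMirrorTargetId: !Ref VSensorMirrorTarget
      TrafficMirrorFilterId: !Ref MirrorFilter
      SessionNumber: 1       # constructed; must be unique per source interface
      VirtualNetworkId: 100  # constructed VXLAN VNI; lets the vSensor tell sessions apart
```

One session is created per monitored network interface, so in practice the `MonitoredEniId` parameter becomes a list or the session resource is stamped out by automation; the filter and target are shared. The reject rule is the check worth keeping: without it, attaching a session to a vSensor's own interface would mirror the encapsulated copies back into the load balancer.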

In addition, vSensor probes integrate with Darktrace osSensors. You can configure osSensors after deployment to capture data from virtual machines, containerized applications, and legacy Amazon EC2 instance types that do not support traffic mirroring.

This Quick Start was developed by Darktrace in collaboration with AWS. Darktrace is an AWS Partner.

What you'll build

This Quick Start sets up the following:

    • A highly available architecture that spans two Availability Zones.
    • A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
    • In the public subnets, Linux bastion hosts in an Auto Scaling group managing inbound Secure Shell (SSH) access to Darktrace vSensor instances in the private subnets.*
    • In the private subnets:
      • Managed network address translation (NAT) gateways to allow outbound internet access to Darktrace vSensor instances.
      • An Auto Scaling group of Darktrace vSensor probes hosted on Amazon EC2 instances. 
    • Amazon VPC traffic mirroring to send mirrored traffic to a Network Load Balancer.
    • A Network Load Balancer to distribute traffic to Darktrace vSensor instances.
    • Amazon CloudWatch to provide the following:
      • An alarm to invoke dynamic scaling of the Darktrace vSensor Auto Scaling group.
      • Logs to collect metrics from Darktrace vSensor EC2 instances.
    • An Amazon S3 bucket to store packets captured by Darktrace vSensor.

    *  The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

How to deploy

To deploy Darktrace vSensor, follow the instructions in the deployment guide. The deployment process takes about 30 minutes and includes these steps:

    1. Sign in to your AWS account. If you don't have an account, sign up at https://aws.amazon.com.
    2. Choose one of the following options to launch the Quick Start. Before you create the stack, choose the AWS Region from the top toolbar.
    3. Test the deployment. 

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

Cost and licenses

You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start. A valid Darktrace license is required for this deployment. A free 30-day trial is available.

    The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, create AWS Cost and Usage Reports to track costs associated with the Quick Start. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information about the report, see What are AWS Cost and Usage Reports?