Darktrace

1.1 Identity, footprint, and operating model

Darktrace is a Cambridge, United Kingdom-based cybersecurity company that says it has been building an AI-native security model since 2013. Its current company page positions the business as a global cybersecurity AI vendor and lists its main operating footprint across Cambridge, New York, London, and Singapore, with core research carried out in Cambridge and a second R&D centre in The Hague. That combination of UK research roots and global go-to-market presence matters because it anchors both Darktrace's technical identity and its long-standing claim to be a differentiated European cyber-AI platform rather than a single-product appliance vendor. The current platform framing is broad: Darktrace says its ActiveAI Security Platform covers cloud, email, identities, operational technology, endpoints, and network security, supported by more than 200 patents and pending applications. The same page also states the company serves 10,000 customers in 110 countries, works with hundreds of partners, and has deep alliances with AWS and Microsoft. Those scale markers imply that Darktrace is no longer simply an NDR specialist; it now presents itself as a multi-surface, enterprise-grade AI security platform with a global customer base and hyperscaler alignment. One important overlay is disclosure posture. Darktrace's investor-relations site now explicitly says the company is a Thoma Bravo-owned historical archive rather than an active public-market reporting surface. That means current operating facts are now disproportionately sourced from company marketing pages and the last public trading update, not from ongoing public-company filings. For diligence purposes, the headline identity is strong and coherent, but the evidence base for current metrics is thinner after the October 2024 take-private.[CO001, CO003, CO004, CO005, CO006, CO007]

1.2 Founders, leadership, and governance transition

Darktrace's publicly confirmed founding bench is strongest around Nicole Eagan and Jack Stockdale, both of whom still appear on official profile pages. Nicole Eagan is listed as Co-Founder and Strategic Advisor, while Jack Stockdale is listed as founding CTO and the executive responsible for the Bayesian models and AI algorithms that underpin the platform. Those two profiles, combined with Summit Partners' historical account of Cambridge signal-processing and GCHQ-linked origins, support a real technical founding story even though public sources do not fully settle the entire founding roster or initial equity split. The larger current issue is leadership continuity. Investegate and Business Chief confirm that co-founder Poppy Gustafsson stepped down as CEO in September 2024 and Jill Popelka succeeded her. Darktrace and Thoma Bravo then confirmed a second transition on 27 January 2026, when Popelka stepped down and board chairman Charles Goodman became interim CEO while the board launched a permanent CEO search. This sequence compresses two CEO transitions into roughly sixteen months, increasing governance and execution sensitivity during the first full private-equity ownership cycle. Companies House records show that director changes continued into March 2026, but public sources still do not provide a fully transparent private-company board and committee picture. That matters because Darktrace is now judged on sponsor-backed execution rather than public-market narrative management. The immediate takeaway is that Darktrace retains strong technical founding continuity, but its top-layer operating leadership is in transition and deserves direct diligence on succession planning, decision rights, and sponsor-board alignment.[CO010, CO011, CO012, CO013, CO014, CO015]

1.3 Capital structure and private-market reset

The defining capital event for Darktrace is the Thoma Bravo take-private. Darktrace and Thoma Bravo both say the transaction completed on 1 October 2024, valued the company at approximately $5.3 billion, and paid shareholders $7.75 per share in cash. Thoma Bravo also said Darktrace ceased trading on the London Stock Exchange and would delist from the FTSE 100. That deal is the cleanest current valuation anchor available and is the correct reference point for today's stage classification: Darktrace is now a PE-backed private cybersecurity platform company. The final broad public operating snapshot immediately before the take-private came from the FY2024 trading update. Financial Times Markets and Quartr both reproduce the key figures: $782.2 million of ARR, at least $689.5 million of revenue, 9,735 customers, 6.3% gross ARR churn, and 106.6% net ARR retention at 30 June 2024. Those metrics imply a scaled, profitable-growth software asset entering private ownership with material customer breadth and improving retention economics. What public sources do not provide is equally important. The exact post-close cap table, Thoma Bravo ownership percentage, management rollover, and lifetime primary capital raised are not disclosed in the materials reviewed here. Because the IR site is now an archive, new financing disclosures are unlikely absent a fresh transaction. For diligence, Darktrace therefore looks like a high-quality sponsor-owned platform with a strong final public snapshot, but one where ownership mechanics and current cash-generation detail now sit behind the private wall.[CO018, CO019, CO020, CO021, CO022, CO023]

1.4 Milestones from founding to platform expansion

Darktrace's public milestone record shows a company that moved through three visible phases: technical formation in Cambridge, public-market scale-up, and then post-take-private platform expansion. The company's current materials emphasize long-duration R&D investment, a patent estate of more than 200 filings, and a multi-surface security platform rather than a single network product. Summit Partners' history reinforces that the original wedge was a novel AI approach built from Cambridge signal-processing talent and government-intelligence-adjacent expertise. The most important post-take-private strategic move disclosed so far is the January 2025 proposed acquisition of Cado Security. Darktrace said Cado would extend cloud investigation and response coverage across multi-cloud, container, serverless, SaaS, and on-premises environments. By September 2025, Darktrace launched automated forensics capabilities and explicitly linked that release to the Cado acquisition, arguing that investigation times could fall from days to minutes. This is strategically relevant because it shows Thoma Bravo-era capital being directed toward deeper cloud investigation workflows, not merely incremental module refreshes. Responsible-AI messaging also continued after the take-private. Darktrace published a 2025 whitepaper describing its responsible-AI framework, which it said aligns with NIST AI RMF, the EU AI Act, and OECD AI principles. That does not remove commercial or governance risk, but it does indicate that Darktrace is still investing in the institutional scaffolding required for enterprise AI adoption. Overall, the milestone picture is of a company using private ownership to extend platform depth while trying to preserve the AI credibility built in its public era.[CO007, CO009, CO013, CO027, CO028, CO029]

1.5 Adverse checks, litigation, and disclosure gaps

Darktrace still carries reputational baggage that matters even after the take-private. City A.M. documented renewed short-selling pressure in 2023, while Yahoo Finance reported that Mike Lynch's death in 2024 revived scrutiny of the company because of his historic association with Darktrace and the broader Autonomy saga. CNBC separately reported that EY's review found only a small number of contract errors and inconsistencies and nothing material to Darktrace's financial statements, which is helpful, but it does not erase the market memory created by the short-seller campaign. Legal exposure also deserves monitoring. PacerMonitor shows that Gatekeeper Solutions v. Darktrace moved from Texas Eastern to the Northern District of California in December 2025, and PatSnap later reported that the matter was dismissed with prejudice in early 2026 with each side bearing its own costs. That outcome appears favorable, but the existence of a patent suit still reinforces the need to diligence Darktrace's IP posture and litigation reserve assumptions. The more immediate diligence flags are around current-data quality. Darktrace's about page still features a quote attributed to “Poppy Gustafsson OBE, CEO” despite her September 2024 departure, while Tracxn's April 2026 employee estimate of 2,591 conflicts with Darktrace's 2,300+ website figure. Neither issue breaks the core investment case, but both signal a post-take-private disclosure environment where facts can lag or diverge. Before underwriting valuation or leverage assumptions, an investor should directly reconcile headcount, board composition, and sponsor ownership rather than relying on public summaries alone.[CO033, CO034, CO035, CO036, CO037, CO038]

2.1 Market Boundary, Included Spend, and Substitutes

Darktrace’s economically relevant market is not total security spend and it is not limited to a legacy NDR appliance budget. Current product pages show a platform centered on network, identity, cloud, and email detection plus AI-led investigation and targeted autonomous response, which means the included spend pool is telemetry-led detection and response across those surfaces rather than generic firewalls, GRC suites, pure IAM administration, or consulting-heavy services. The network page still makes the core boundary clear: Darktrace positions NDR as complementary to EDR, SIEM, and firewall stacks, which implies the company often wins as an additive or displacement layer inside an existing security architecture rather than as a full control-plane replacement. Adjacent spend matters because Darktrace can also reach the same demand through partners, MSPs, and MSSPs that package network and email monitoring into managed services. The practical boundary therefore runs from narrow NDR into a broader AI-led detection-and-response workflow, while the main status-quo substitutes remain SIEM-first detection, endpoint-centric bundles, legacy email gateways, and manual SOC triage. TM001 captures that spend boundary and its exclusions.[CM001, CM002, CM003, CM004, CM005, CM006]

2.2 Multi-Lens Sizing: Broad TAM, Constrained SAM, Unverified SOM

Published market numbers support multiple valid lenses, not one clean TAM. MarketsandMarkets places the AI-in-cybersecurity market at $25.53 billion in 2026 growing to $50.83 billion by 2031, while its XDR view puts a narrower platform budget at $7.92 billion in 2025 and $30.86 billion by 2030. Mordor provides the tightest heritage wedge for Darktrace’s roots, sizing network traffic analysis at $4.91 billion in 2026 and $8.29 billion by 2031. Those figures are not additive: the AI-cyber number contains overlap with XDR, cloud, and identity budgets, while NTA/NDR is a sub-segment rather than a separate pool that can simply be stacked on top. The most defensible public SAM is therefore an evidence-constrained synthesis around the Darktrace-covered surfaces — roughly $8 billion to $12 billion — rather than the entire broad AI-cyber TAM. Any SOM estimate is weaker, because public post-take-private revenue and segment-mix data are missing. FM001 and FM002 preserve that boundary sensitivity instead of forcing a false point estimate.[CM009, CM010, CM011, CM012, CM013, CM014]

2.3 Buyer, User, Payer, and Adoption Path

Darktrace’s public materials suggest the primary economic buyer is still a security executive or board-exposed security budget owner, but the operational champion is usually closer to the SOC and identity or cloud operations teams. The company’s customer evidence clusters around colleges, hospitals, industrial manufacturers, councils, and other organizations with meaningful operational continuity risk, while the network page explicitly targets SMB, enterprise, government, and critical infrastructure. That implies a buyer map led by enterprise and regulated accounts, not consumer or very small business. The adoption path is also multi-track: partners and MSSPs can package Darktrace into MDR-style offerings, while direct deployments often start with a proof of value, then expand into email, identity, or cloud once teams trust the workflow impact. Identity deployments appear especially cross-functional because Darktrace ties them to SSO, AD, and account-control actions. In practice, the user is the analyst or responder, the evaluator is the security-operations or detection-engineering lead, and the payer can sit with the CISO, CIO, or a shared security-platform budget depending on whether the buying trigger is threat pressure, compliance, or tool consolidation. TM003, FM003, and FM004 map those relationships.[CM017, CM018, CM019, CM020, CM021, CM022]

2.4 Growth Drivers and Adoption Constraints

The demand case is credible. IBM says the global average cost of a data breach is $4.4 million and that organizations using AI extensively in security see $1.9 million of savings, while CrowdStrike reports a 29-minute average eCrime breakout time, an 89% rise in attacks from AI-enabled adversaries, and a 42% increase in zero-days exploited before disclosure. Darktrace’s own cloud and identity pages reinforce why buyers care: only 23% of organizations in its cited CSA survey report full cloud visibility, 79% report at least one cloud breach in the last 18 months, and identity breaches remain slow to resolve. Regulation amplifies this pressure, as NIS2 expands obligations across 18 critical sectors and the SEC’s cyber rules push public companies toward faster incident disclosure and documented governance. The constraint side is equally important. The AI Act adds human-oversight and high-risk-system obligations just as autonomous response becomes part of the sales pitch, while platform vendors such as Palo Alto continue to steer budgets toward broader suites. Darktrace also positions its NDR layer as complementary to SIEM, EDR, and firewalls, which supports adoption but also limits simple rip-and-replace economics. TM004 separates the macro growth tailwinds from the underwriting risks.[CM024, CM025, CM026, CM027, CM028, CM029]

2.5 Diligence Gaps and Contradictory Estimates

Two contradictions should remain explicit. First, public market estimates vary because they describe different boundaries: a $25.53 billion AI-cybersecurity lens, a $7.92 billion XDR platform lens, and a much narrower $4.91 billion NTA/NDR wedge all coexist, and additive math would overstate Darktrace’s true opportunity. Second, the company is selling a broad AI-led platform story into a buyer base that still evaluates substantial portions of the product through a narrower NDR or workflow-augmentation lens. Several diligence gaps remain material. The strongest adverse source in the discovery pack — an Omdia piece on 2022-2026 NDR market dynamics — returned 404 during this run, so the most direct public evidence on specialist renewal pressure could not be revalidated from primary text. Independent, current review evidence on pricing, false positives, and renewal friction is also thin in publicly retrievable form, and private-company disclosure means current SOM cannot be verified from 2025-2026 revenue data. For valuation work, that means boundary discipline and management-side cohort evidence matter more than any single published TAM headline.[CM015, CM016, CM034, CM038, CM039, CM040]

3.1 Competitive landscape and substitution map

Darktrace competes in a market that is wider than standalone NDR and narrower than “all cybersecurity.” The direct peer set is still recognizable: Vectra, ExtraHop, and to a lesser extent Corelight all compete for the same network-led detection budget, while PeerSpot's May 2026 snapshot shows Darktrace, Vectra, and ExtraHop clustered in one shrinking mindshare pool rather than in separate categories. Darktrace's own last public scale point remains meaningful at $782.2 million of ARR and 9,735 customers, but that footprint is now visibly smaller than the multibillion-dollar public suite vendors that increasingly define enterprise SOC buying. [CP001][CP026][CP027] The more important strategic rivals are the platform incumbents that can redirect the budget conversation upward. CrowdStrike ended FY2026 at $5.25 billion of ARR, SentinelOne ended FY2026 above $1.1 billion of ARR, and Palo Alto Networks exited fiscal 2025 at $5.6 billion of Next-Generation Security ARR. Microsoft Sentinel, Cisco XDR plus Splunk, and IBM QRadar also matter because they anchor the status quo and the incumbent data plane. In practice, Darktrace is no longer just fighting another NDR appliance; it is fighting the broader claim that security teams should buy one operating platform for endpoint, identity, log, and response workflows. [CP004][CP007][CP009][CP011][CP015][CP016][CP017][CP018][CP044] That broader map also includes adjacent and substitute paths. Nozomi owns the OT-heavy flank, Corelight represents the open-NDR and internal-build tendency, and Google's Wiz acquisition extends a multicloud security platform into adjacent detection and response territory. Omdia's 2026 view is the key adverse evidence: standalone NDR has seen more non-renewal and replacement as unified XDR platforms gained share. The correct landscape therefore spans direct peers, incumbents, adjacent specialists, manual-SIEM status quo, internal build, and likely entrants that can widen their control plane faster than Darktrace can. [CP018][CP032][CP033][CP035][CP039][CP040][CP044][CP048]

3.2 Competitor profiles, scale, and strategic direction

The profile table makes the central scale asymmetry explicit. CrowdStrike, Microsoft, Palo Alto Networks, and Cisco/Splunk compete from positions of disclosure depth, partner leverage, and larger software revenue bases than Darktrace can currently match in public. CrowdStrike's FY2026 results and Falcon platform language show the clearest version of this model: a unified contract and telemetry foundation that can expand from endpoint into identity, SaaS, and broader AI protection. Palo Alto uses the same logic from the SIEM side through XSIAM, while Cisco extends from network infrastructure into Splunk-based TDIR. [CP004][CP005][CP006][CP009][CP010][CP014][CP015][CP016] The direct specialists are more nuanced. Vectra remains the closest like-for-like rival because it markets behavioral detection across network, identity, and cloud, cites 39 AI patents, and still leans on Gartner and GigaOm recognition to prove category leadership. ExtraHop remains a real peer in buyer evaluation sets even without public financial disclosure, while Corelight matters because it commercializes an open-NDR approach for organizations that would rather own the telemetry and analytics layer themselves. Nozomi sits adjacent rather than directly substitutive: its OT and IoT depth matters most when critical infrastructure, industrial networks, or operational-resilience mandates dominate the buying motion. [CP019][CP022][CP024][CP025][CP026][CP027][CP035][CP036][CP037][CP039] Darktrace's own position is therefore awkward but still valuable. It is larger and broader than most private pure-play NDR peers, but it is less disclosed and less contractually entrenched than the platform vendors. It differentiates on self-learning AI, anomaly-led detection, and response automation, yet it increasingly sells into accounts where the real procurement decision is whether another specialist deserves budget on top of Microsoft, CrowdStrike, Palo Alto, Cisco, or IBM. That makes strategic direction as important as current feature parity: the winner is often the vendor that best controls the buyer's existing operating model, not the one with the single best anomaly story. [CP001][CP002][CP003][CP019][CP041][CP045]

3.3 Capability, pricing, GTM, and trust posture

Darktrace's capability case is strongest where buyers value behavioral network depth and response that acts on local baselines rather than just correlated alerts. Its current AI-security page still frames the product against signature- and rule-based approaches, and TrustRadius reviewers confirm that Darktrace learns an environment for a few weeks before moving into fuller identification and automated action. Vectra is the closest competitor on that same behavioral-detection narrative, while Corelight represents the opposite philosophy: open telemetry and open analytics instead of a closed self-learning AI engine. [CP002][CP003][CP019][CP030][CP031][CP039] The commercial posture is more mixed. Microsoft is the only vendor in the retained set that clearly publishes pricing mechanics through commitment tiers and data-lake versus analytics pricing, which gives it a structural advantage in budget conversations. CrowdStrike, Palo Alto, Cisco/Splunk, Darktrace, and Vectra mostly appear through enterprise packaging language, review evidence, or bundle proxies rather than public price books. Review data suggests Vectra can land below Darktrace on price in some deals even as both are seen as expensive enterprise products, while Darktrace reviewers call out annual price increases and the need for negotiation. Trust posture also diverges: CrowdStrike, SentinelOne, Palo Alto, Microsoft, Cisco, and IBM publish current operating metrics and roadmap language regularly, whereas Darktrace is now judged through a thinner private-company disclosure surface. [CP004][CP006][CP007][CP009][CP011][CP013][CP015][CP016][CP028][CP029][CP030] That disclosure gap matters because trust is part of competition in regulated accounts. Suite vendors can pair product claims with quarterly disclosures, public breach narratives, partner ecosystems, and migration offers. Darktrace can still win on product experience or autonomous response, but it cannot currently match the same public evidence density around scale, current contracts, or attach rates. In a market moving toward platform rationalization, the buyer often interprets “trust” as disclosure, migration certainty, and commercial predictability as much as technical efficacy. [CP018][CP030][CP041][CP043][CP045][CP046]

3.4 Switching costs, lock-in, multi-homing, and distribution power

Darktrace does have real switching costs, but they are not the same as suite-vendor lock-in. TrustRadius reviewers describe a learning period before Darktrace reaches full identification mode, and they also describe automated actions once baselines are established. That means a replacement requires more than removing a sensor: a customer would need to retrain a different system and rebuild the response logic operators now trust. This is real embedded value, especially where autonomous or semi-autonomous response is turned on. [CP030][CP031][CP042] The problem is that Darktrace is usually multihomed rather than monopolistic. Microsoft Sentinel is designed to ingest broad third-party data, Cisco XDR sells open integrations and network-led defense, and Splunk remains a unified TDIR control plane. Darktrace therefore tends to coexist with SIEM, endpoint, and identity tooling rather than replace it outright. Multi-homing reduces rip-and-replace risk but also caps wallet share and makes platform-consolidation stories dangerous: Microsoft can exploit existing contracts, CrowdStrike can widen through Falcon Flex, and Palo Alto can intercept QRadar migrations before a specialist is even in the final procurement set. [CP011][CP012][CP014][CP016][CP018][CP043] Distribution power is the clearest asymmetry in the chapter. Cisco now owns Splunk, IBM is explicitly steering SaaS migrations toward XSIAM, Microsoft already sits in identity and log budgets, and CrowdStrike increasingly sells platform expansion rather than standalone modules. Darktrace still has partner reach, but it is the smaller control plane in this comparison. Its best defense is to become operationally indispensable enough that buyers keep it even when they consolidate. If that indispensability is weak, Darktrace risks becoming a respected second signal inside someone else's security operating stack. [CP006][CP018][CP020][CP021][CP043][CP045]

3.5 Moat durability, commoditization risk, and adverse evidence

Darktrace's moat is durable only if self-learning detection plus response automation stays materially better than “good enough” platform alternatives. That moat is not fake: the product still presents a differentiated model, Vectra remains the closest pure-play rival rather than a suite incumbent, and review evidence suggests Darktrace becomes sticky once workflows are tuned. But the market is moving in the wrong direction for any specialist that cannot prove superior outcomes repeatedly. Omdia's evidence of standalone NDR non-renewal is the most important disconfirming data point in the retained set. [CP002][CP031][CP032][CP041][CP042][CP046] The second risk is AI commoditization in buyer perception. CrowdStrike, Microsoft, Palo Alto, and Darktrace all now market AI-driven investigation and response. Even if the architectures differ, the messaging gap has narrowed dramatically. Microsoft is pushing Security Copilot into identity triage, Palo Alto is selling an agentic SOC, CrowdStrike sells Charlotte AI and a unified AI-native platform, and Google plus Wiz is building a cloud-security control plane with Google Security Operations behind it. In that context, “we use AI” is no longer a moat by itself; Darktrace has to defend a narrower claim around response quality, anomaly precision, and analyst time saved. [CP005][CP010][CP034][CP040][CP041][CP047] The adverse evidence is therefore not a single fatal flaw but a stack of pressures. PeerSpot shows the direct-peer NDR cohort losing mindshare, review data flags pricing and tuning friction, and bundle vendors now have clearer commercial routes to absorb network detection into broader contracts. The moat still exists, especially in organizations that value autonomous response or do not trust suite-vendor “good enough” network analytics. But its durability looks medium rather than ironclad, and the bearish case is easy to state: if Darktrace becomes additive rather than indispensable, platform consolidation will compress both growth and pricing power. [CP026][CP028][CP029][CP032][CP034][CP043][CP045][CP046][CP047]

3.6 Exhibits

4.1 Revenue model, pricing mechanics, and go-to-market motion

Darktrace's public revenue model is still best understood as recurring enterprise cybersecurity software sold through negotiated contracts, not through transparent self-serve pricing. The strongest public anchors are the operating metrics Darktrace chose to disclose as a public company: ARR, revenue, customer count, retention, and RPO. In the last full public snapshot, ARR reached $782.2 million and revenue was at least $689.5 million at 30 June 2024, while H1 FY2024 RPO was already $1.254 billion. Management repeatedly described the model as being underpinned by multi-year contracts, which matters because it explains why ARR, backlog, and revenue convert more slowly but with better visibility than one-off transactional sales. Official buying surfaces also point to a sales-assisted motion. The Network product page pushes prospects toward evaluation in their own environment, the Contact page routes buyers into sales and support channels, and the partner page describes VAR, MSP/MSSP, consultancy, and distributor routes. The same partner page advertises a 30-day Proof of Value for consultancy partners, implying a meaningful pre-sales motion and non-trivial acquisition cost even though the company does not publish CAC or payback. What the public record does not disclose is equally important: there is no visible official price card, no module-level revenue mix, no direct-versus-channel split, and no realized discount data. Public investors could underwrite the existence of a high-quality recurring model; they could not fully underwrite pricing power by SKU.[CI001, CI002, CI003, CI004, CI010, CI011]

4.2 Unit economics, gross-margin drivers, and sales-efficiency proxies

Darktrace's public unit-economics disclosure is good on output metrics and weak on input metrics. On the output side, the company disclosed consistently high gross margins of 89.2% in FY2022, 89.8% in FY2023, and 89.3% in H1 FY2024; it also generated $99.5 million of free cash flow in FY2022 and $93.8 million in FY2023. Those are strong software-like economics and explain why Darktrace could enter private ownership from a position of operating strength rather than rescue financing. H1 FY2024 adds more nuance: revenue grew 27.4% year over year, adjusted EBITDA margin reached 25.6%, and RPO surpassed $1.25 billion. Publicly, that is a robust combination of backlog, conversion, and high gross profit. The caveat is that cost structure moved in ways that make historical margins non-trivial to extrapolate. Darktrace said H1 FY2024 S&M and G&A fell as a share of revenue, but also noted that some customer success manager and channel partner costs were reclassified into S&M, while R&D cash employment costs increased 15.3%. Earlier FY2023 disclosures also explained that commission plans shifted to paying 100% of sales commissions upfront, temporarily increasing cash outflows and resetting adjusted EBITDA presentation. That makes the public record good enough to infer strong gross economics, but not good enough to model fully loaded CAC, sales productivity, channel take-rates, or sponsor-era contribution margin. The best public proxy is therefore directional: ARR per customer was roughly $80 thousand at June 2024, revenue per employee was roughly $287 thousand to $300 thousand depending on which headcount snapshot is used, and retention remained above 100%, but the classical SaaS efficiency inputs are still private.[CI003, CI006, CI010, CI011, CI013, CI014]

4.3 Capital adequacy, sponsor leverage signals, and public-versus-private visibility

Company Overview covers Darktrace's historical financing chronology; the relevant Financials question is what public evidence remains after the October 2024 take-private. The official acquisition materials are clear on headline consideration: the scheme became effective on 1 October 2024, Bidco took ownership of the whole issued share capital, and shareholders were entitled to $7.75 per share in cash in a transaction valued at about $5.3 billion. Regulatory notices then showed court sanction, effectiveness, FTSE deletion, and exchange cancellation. Those facts are sufficient to anchor valuation context and prove that public-market disclosure ended at the point of delisting. The more interesting post-close signal is leverage. Companies House filing history shows that full accounts for the year to 30 June 2025 were filed in March 2026, and that a December 2025 MR01 charge was registered. The charge PDF identifies Goldman Sachs Bank USA as the secured party and says the instrument contains fixed charges, a floating charge over all the property or undertaking of the company, and a negative pledge. That is the strongest public signal in this chapter that sponsor-era financing includes secured obligations rather than pure equity ownership. But it still stops well short of what an investor needs: the reviewed public documents do not reveal debt principal, pricing, amortisation, covenant ratios, unrestricted cash, or runway. Even the 2025 accounts PDF fetched successfully but did not yield machine-readable financial text in this run, so the existence of accounts is public while their extracted contents remain practically unavailable. The result is a public record that confirms leverage and filings exist, but not one that makes current liquidity underwriteable.[CI001, CI009, CI023, CI024, CI025, CI026]

4.4 Financial verdict, revenue-quality scrutiny, and diligence blockers

Darktrace screens well on revenue quality and less well on public underwriteability. The positive case is tangible: a recurring multi-year contract base, RPO over $1.25 billion in H1 FY2024, gross margins around 89%, positive free cash flow before the buyout, and a final public ARR snapshot of $782.2 million. Those are not the markers of a financially fragile vendor. They suggest Darktrace entered private ownership with meaningful scale, high gross profitability, and the capacity to self-fund a meaningful portion of operating investment. The caution is that the remaining unknowns are precisely the ones that matter most under sponsor ownership. July 2024 deal restrictions removed final FY2024 EBITDA and FY2025 guidance from the public record. The December 2025 Goldman charge confirms secured financing but not its size. Public sources also do not disclose realized pricing, direct-versus-channel mix, current net retention, cash, debt service, or covenant headroom. Revenue-quality scrutiny is also not fully dead: EY's 2023 review examined channel contracts, marketing spend, contract opt-outs, appliance deployments, deferred-revenue-related controls, ARR calculation, and third-party relationships, and concluded the identified errors were not material; yet Yahoo and The Register show that the accounting and Mike Lynch overhang still shape outside perception. The correct verdict is therefore favorable on historical software economics but incomplete on present-day leverage and liquidity. A serious underwriting process still needs current management accounts, debt papers, quote-to-cash extracts, and a cohort-level retention and gross-margin bridge before treating the sponsor-era capital structure as understood.[CI003, CI004, CI009, CI011, CI023, CI029]

5.1 Customer workflow definition

Darktrace's current product is best understood as a cross-surface AI security workflow, not a point NDR appliance. The ActiveAI Security Platform groups NETWORK, EMAIL, CLOUD, OT, IDENTITY, ENDPOINT, and the new SECURE AI module inside one operating surface, then layers Cyber AI Analyst, Forensic Acquisition & Investigation, Attack Surface Management, Proactive Exposure Management, Incident Readiness & Recovery, and Adaptive Human Defense on top. That breadth matters because the buyer promise is to reduce tool handoffs: collect behavior from multiple environments, investigate automatically, respond surgically, recover faster, and then harden the environment. Official pages and the 2024 ActiveAI launch coverage imply a customer path of detect, investigate, respond, recover, and harden. Cyber AI Analyst is the investigation engine, Autonomous Response is the action layer, FAI and services help recover and understand scope, and PREVENT or ASM features feed pre-breach hardening. Darktrace's roughly 10,000-customer installed base suggests this workflow is commercially real, but the newest extension—SECURE AI—still has thinner public technical proof than the network, cloud, email, and endpoint surfaces.[CE001, CE002, CE003, CE004, CE005, CE006]

5.2 Module map and maturity

Module breadth is real, but maturity is uneven. NETWORK, EMAIL, CLOUD, IDENTITY, ENDPOINT, and OT all appear as current platform modules, while SECURE AI is explicitly marked new and aimed at AI-agent, prompt, and shadow-AI risk. Cross-platform products such as Cyber AI Analyst, Forensic Acquisition & Investigation, Attack Surface Management, Proactive Exposure Management, Incident Readiness & Recovery, and Adaptive Human Defense work more like workflow overlays than standalone control planes. That packaging gives Darktrace more room to expand inside an account without abandoning its AI-led security identity. The maturity signal is strongest in the legacy detection surfaces and the analyst workflow. OT has gained more explicit attack-path and zero-trust language, and FAI appears to be the post-Cado expansion wedge into cloud forensics. SECURE AI is strategically important because it extends the franchise into AI governance, but public evidence today emphasizes risk framing and launch messaging more than deeply documented architecture, deployment references, or quantified adoption.[CE001, CE005, CE006, CE011, CE013, CE014]

5.3 Architecture and dependency map

Darktrace's public architecture is telemetry-led and integration-heavy. AWS materials describe cloud deployment via lightweight host agents or traffic mirroring plus API logs, while the integrations surface ties Darktrace into Azure Sentinel, Splunk, ServiceNow, Microsoft Graph Security API, AWS Lambda, Slack, Jira, Okta, Palo Alto, and Xage. Cyber AI Analyst sits above those feeds, correlating Darktrace alerts and third-party signals into investigations, while Autonomous Response and partner actions enforce policy or containment. That makes the architecture flexible, but it also concentrates dependency risk. Product value depends on customers exposing the right telemetry, maintaining identity, cloud, firewall, and ticketing integrations, and deciding how much automated response they permit. The FAI or Cado layer and the third-party SDK show a real automation and investigation surface, yet the retained public material still stops short of giving buyers a detailed reference architecture, resilience SLOs, or hard proof of how every module behaves when integrations degrade.[CE009, CE010, CE015, CE017, CE018, CE019]

5.4 Deployment, integration, reliability, and support

Deployment appears faster in cloud-centric environments than in classic network-only rollouts. Darktrace says CLOUD can deploy from the cloud in five minutes and supports multi-tenant, hybrid, and serverless estates, while ENDPOINT works alongside an existing EDR rather than replacing it. At the same time, practitioner evidence still describes a learning period before anomalies settle, plus topology constraints when Autonomous Response depends on network position or firewall integrations. In other words, the product is not operationally heavy in the old appliance sense, but it still asks customers to do real telemetry and response design. The service layer partially offsets that burden. Darktrace now sells 24/7/365 follow-the-sun SOC support, MDR, and triage assistance across network, cloud, SaaS, and OT. That makes the platform easier to consume for lean teams, but it is not a substitute for integration quality. Public review sources remain mixed on pricing, support responsiveness, and integration maturity. Buyers should therefore treat Darktrace as deployable and scalable, but not frictionless.[CE011, CE012, CE017, CE018, CE022, CE031]

5.5 Differentiation, IP, data, and roadmap

Darktrace's differentiator is the combination of self-learning behavioral analytics, broad surface coverage, and automated investigation rather than a single standalone detector. The 2024 ActiveAI launch note shows the company deliberately broadening from reactive detection toward prevention, attack-path analysis, investigations, and recovery inside one AI architecture. Cyber AI Analyst's productivity framing, the OT or Xage zero-trust extension, and the Cado-backed FAI expansion all point in the same direction: Darktrace wants to be an AI-led orchestration layer around a customer's existing stack instead of only another sensor. Public moat evidence is good but not complete. There is at least one retained patent source around anomaly-detection methods, a broad recognition page spanning Gartner and other analyst firms, and a third-party SDK showing that the API surface is usable enough for external tooling. But independent benchmark proof remains thin. The newest roadmap signal—SECURE AI and the 2026 AI-agent survey—shows Darktrace chasing a credible new problem set, yet public evidence has not caught up to prove how durable that edge will be against platform incumbents.[CE006, CE025, CE027, CE028, CE029, CE030]

5.6 Trust, security, privacy, and quality controls

Darktrace's trust surface is meaningfully stronger than a generic marketing page. The Trust Centre lists ISO 27001, ISO 27018, ISO 42001, and Cyber Essentials artifacts, and the 2026 AI-security blog ties ISO 42001 to responsible AI management. That matters because Darktrace is asking customers to trust automated investigation and response, plus newer AI-governance products, so formal control evidence is part of the product story rather than a side note. The trust surface is also supported by named support engineers and a customer portal for compliance questions. The main risk is not the absence of any control story; it is the gap between control messaging and deployment reality. The cloud case study shows Autonomous Response can block live SSH exfiltration, but it also documents a 718 GB exfiltration and ransomware detonation when response was not configured on affected devices. The federal page proves government ambition, yet the retained source set does not prove FedRAMP or CMMC status. Product trust is therefore good enough for serious enterprise diligence, but not complete enough to skip follow-up questions on configuration defaults, federal authorizations, and independent performance benchmarks.[CE023, CE024, CE026, CE034, CE035]

5.7 Exhibits

6.1 Customer base segmentation and buyer profile

Darktrace's retained customer evidence points to a recurring enterprise and regulated-market buyer rather than a consumerized or SMB-led motion. The decision-maker is usually senior security or IT leadership: current stories quote a CISO at Technologent, a CTO at Lake Macquarie City Council, a CIO at Okayama Kyokuto Hospital, and security or IDS leaders at Cogne and NCG. Day-to-day usage then sits with lean security teams, analysts, or partner SOCs who need continuous visibility across network and email workflows. That split matters because it supports a pricing center of gravity closer to upper-midmarket and enterprise security budgets than to low-touch departmental spend. The vertical and geography mix also looks diversified enough to matter. Current named references span healthcare, education, local government, industrial manufacturing, logistics, beverages, and a reseller-customer hybrid, while company materials explicitly market into financial services, healthcare, government and defense, education, manufacturing, and retail. Geography in the retained proof set spans North America, the UK, continental Europe, Japan, and Australia. Channel is part of the story, not an afterthought: Darktrace openly sells through VAR, MSP/MSSP, consultancy, and distributor routes and maintains a separate federal affiliate for US public-sector work. The gap is economic rather than categorical, because public sources still do not disclose revenue mix by segment, region, or channel.[CU001, CU002, CU003, CU004, CU005, CU006]

6.2 Adoption trajectory and public scale signals

Darktrace's last public reporting window shows real scale, but also a growth profile that is now partially frozen in time. Customer count rose from 7,437 in FY2022 to 8,799 in FY2023, 9,232 at H1 FY2024, and 9,735 at FY2024. ARR over the same span moved from roughly $514 million to $628 million, then $702 million at H1 FY2024 and $782 million at FY2024. That combination implies both continued new-logo acquisition and better monetization of the installed base, with average ARR per customer increasing from about $69,000 in FY2022 to about $80,000 by FY2024. The trend is not explosive by late-stage security-software standards, but it is hard to dismiss as superficial logo inflation. The adoption caveat is freshness. Current company pages now say 10,000 customers, which only implies about 265 net adds versus the last audited-style public baseline. Darktrace's own FY2024 update also said it still drove significant new ARR from existing customers, suggesting the commercial model remained expansion-capable even as headline growth moderated. But after the take-private, the public record stops giving investors the quarter-by-quarter customer and retention bridge they would normally want. So the evidence supports a large and still-growing installed base, while also confirming that the pace and quality of growth after June 2024 are no longer externally visible.[CU015, CU016, CU017, CU018, CU019, CU020]

6.3 Named customer proof and evidence quality

Darktrace's strongest current customer proof is the 2026-era customer-story set rather than its older public-company marketing. The retained stories are clearly production-stage, not speculative pilots: Technologent runs Darktrace internally while also reselling it; Biomerics describes email-threat prevention in a regulated manufacturing setting; NCG uses the platform across seven colleges; Okayama Kyokuto Hospital expanded from proof of value into full monitoring for clinical operations; Cogne shows network, OT, and email usage in a 24/7 industrial setting; CCBN ties Darktrace / EMAIL to a million-plus monthly emails; and Tokai Kyowa operates autonomous response in a logistics environment with only two security staff. That breadth gives real confidence that Darktrace is paid and used across materially different operational environments. Proof quality is still uneven. Several stories include quantified or highly specific outcomes: NCG says investigations fell from weeks to minutes, Cogne discloses traffic, IP, investigation, and hours-saved metrics, and Tokai Kyowa publishes an explicit 80% anomaly-response threshold. Others are more qualitative, emphasizing earlier detection, less analyst strain, or better resilience. Independent review platforms corroborate live product use and recurring complaints, but they do not independently verify the headline customer-story outcomes. The result is a proof set that is commercially credible and fresh, yet still mostly company-mediated rather than independently reproduced.[CU004, CU006, CU007, CU008, CU009, CU010]

6.4 Retention, satisfaction, and durability

Public durability evidence is solid up to the take-private and thin after it. Across the last four public checkpoints, Darktrace reported gross ARR churn of 6.5%, 6.8%, 6.6%, and 6.3%, with net ARR retention of 105.5%, 104.7%, 105.0%, and 106.6%, respectively. Those figures show a business that kept net retention above 100% throughout the period while slowly improving gross churn back toward the mid-6% range. H1 FY2024 RPO of $1.254 billion, explicitly tied to multi-year contracts, reinforces that Darktrace had real contractual visibility rather than purely short-term transactional demand. Independent satisfaction evidence is positive but not clean. PeerSpot and TrustRadius users consistently praise detection, autonomous response, and support, which supports the idea that deployed customers find real operational value. At the same time, those same review surfaces repeatedly mention high pricing, licensing inflexibility, false positives, tuning effort, and interface complexity. Historical G2 reviews show the same themes existed long before the take-private. The net judgment is that Darktrace looked durable on reported metrics through FY2024, but the public record does not let an investor confirm whether that durability persisted into FY2025 and FY2026 because no current cohort, renewal, or churn bridge is public.[CU033, CU034, CU035, CU036, CU037, CU038]

6.5 Expansion paths and concentration risk

The clearest expansion path is module-led rather than seat-led. Current customer proofs usually start with network or email visibility and then extend into autonomous response, OT visibility, board reporting, or managed services. Darktrace's own FY2024 update said existing customers still contributed significant new ARR, and the partner program shows how proof-of-value, reseller support, and MSSP packaging help move accounts from initial deployment into wider adoption. Technologent is especially revealing because it is both a channel partner and a user, which shows how commercial expansion can happen through ecosystem credibility as well as direct product upsell. The harder question is concentration, and public evidence does not answer it. No retained source discloses top-customer share, contract length, or cohort retention, so it is impossible to prove whether Darktrace's customer base is broadly diversified in revenue terms or merely broad in logo count. Public-sector motion is also visible but not quantifiable: Darktrace Federal exists, government resources exist, and procurement searches can be run, yet the retained public procurement pages still do not provide a clean award-level concentration picture. Add the post-buyout disclosure drop-off and an adverse reminder that reputational scrutiny can still surface in diligence, and the result is a credible expansion story paired with a still-open concentration question.[CU003, CU005, CU024, CU026, CU043, CU044]

7.1 Severity ranking and thesis-break framing

Darktrace’s highest residual risks are not that the company lacks product breadth or customer proof; they are that sponsor-era opacity makes it materially harder to know whether growth quality, governance quality, and product quality are still strong enough to support a leveraged private-equity ownership structure. The public record now points to three issues at the top of the stack. First, the 2023 accounting attack is no longer a live fraud thesis after the EY review, but the open record still does not show a public FCA or FRC closure. Second, post-buyout financial and governance visibility is far thinner: the IR site is now archival, while the clearest live financing evidence is a December 2025 Goldman Sachs charge containing fixed-charge, floating-charge, and negative-pledge language. Third, operational quality remains a real underwriting variable because reviews still flag pricing escalation, tuning effort, and interface complexity even while Darktrace pushes deeper into cloud forensics, AI protection, and broad partner integrations. The chapter’s thesis-break criteria therefore center on formal regulatory action, covenant stress, another CEO reset, or private operating data showing that net retention has fallen below 100%.[CR001, CR003, CR005, CR024, CR025, CR026]

7.2 Regulatory / legal risk

Darktrace’s legal and regulatory exposure is meaningful but not obviously existential from the evidence reviewed. The key legacy issue remains the 2023 short-seller attack: Reuters and later UK accounting coverage show that Darktrace hired EY after Quintessential Capital Management attacked the company’s financial reporting, and the later public summary said EY found no evidence of fraud while identifying only a small number of errors and inconsistencies. That materially lowers immediate fraud risk, but it does not fully close the file because Darktrace said it would provide the results to the FCA and FRC rather than publish the report, and the reviewed 2026-period public materials still do not show a formal regulator closure. The second legal issue is IP: PacerMonitor confirms the Gatekeeper patent case transferred to Northern California, and PatSnap reports a February 2026 dismissal with prejudice. That is a favorable outcome, but it also demonstrates that Darktrace is now large enough to attract patent assertions. Finally, Darktrace’s AI-native monitoring model sits under a tightening policy perimeter: the EU AI Act, NIS2, UK ICO AI guidance, and the FCA’s AI governance framing all increase the cost of being a trusted cyber-AI vendor for regulated customers.[CR001, CR002, CR003, CR004, CR005, CR006]

7.3 Operational / quality / security risk

Operational risk at Darktrace is driven less by a confirmed public breach history and more by the combination of automation, breadth, and customer-specific tuning. Review evidence is consistent on that point across multiple surfaces. TrustRadius users describe confusing dashboards, hard tuning, and contract pricing that escalates annually; PeerSpot reviewers add interface complexity, integration demands, and complaints about false-positive management; older G2 reviews show that the same need for tweaking has been visible for years rather than being a one-off complaint. Those frictions matter because Darktrace is not standing still technologically. The company is simultaneously expanding into cloud investigation and response through Cado, adding automated forensics into the ActiveAI platform, and marketing responsible AI controls across a fast-moving attack surface. That broadens the moat, but it also broadens the number of product surfaces that must work reliably. Without fresh post-buyout cohort, incident, or support-metrics disclosure, investors have to assume that misconfiguration, poor tuning, or weak release discipline could transmit directly into renewal pressure and higher service costs.[CR024, CR025, CR026, CR027, CR028, CR029]

7.4 Partner / dependency risk

Darktrace’s ecosystem helps it land in large environments, but it also creates multiple ways for outside parties to capture value or create failure points. The company’s own materials say it has deep alliances with AWS and Microsoft, while the technology-partners catalog shows integrations touching AWS Lambda, Microsoft Graph Security API, Azure Sentinel, Splunk, ServiceNow, Okta, and other externally controlled systems. That is strategically useful, yet it means product quality is partly hostage to API stability, partner priorities, and competitive overlap with the same firms Darktrace relies on. The go-to-market side carries a similar pattern. Darktrace openly routes distribution through VARs, MSPs, MSSPs, consultancies, and distributors, so partner effectiveness directly affects proof-of-value motion and managed-service expansion. The federal affiliate and specialist OT partnerships extend reach further, but they also create more nodes where qualification, certification, or roadmap drift can slow commercial execution. Sponsor and lender dependence belong in the same risk family: Thoma Bravo controls strategic timing, and the Goldman Sachs charge shows the capital structure is no longer a clean public-equity story.[CR018, CR020, CR021, CR022, CR029, CR035]

7.5 Financial / model risk

Financial-model risk is one of the most important Darktrace questions precisely because the open record is now incomplete. The acquisition price is clear: Thoma Bravo’s public materials pegged the transaction at about $5.3 billion and $7.75 per share. What is not clear is how much leverage now sits on the business, what its covenants require, or whether current ARR, churn, and free-cash-flow conversion still look healthy enough to support that structure. The IR site explicitly tells investors it is only a historical archive, and the Companies House trail only confirms that 2025 accounts were filed and that a December 2025 Goldman Sachs charge exists. The MR01 document is informative but still partial: it confirms secured debt with fixed-charge, floating-charge, and negative-pledge features, yet discloses no principal, rate, maturity, or covenant thresholds. That leaves investors dependent on proxy signals. Review sites still show pricing friction and operator burden, which may be tolerable in a net-retention-above-100 business but become dangerous fast if sponsor-era growth re-acceleration fails. The leverage thesis therefore depends on private operating data that public sources can no longer provide.[CR024, CR025, CR026, CR031, CR032, CR033]

7.6 People / execution risk and mitigation

Execution risk at Darktrace is concentrated in leadership churn, key-person depth, and disclosure discipline. Public transition notices and later reporting show a compressed succession path: Poppy Gustafsson stepped down in September 2024, Jill Popelka then stepped down in January 2026, and Charles Goodman became interim CEO while the board searched for a successor. BusinessCloud’s adverse framing makes the sponsor-control issue explicit by describing Popelka as having been forced out by the private-equity owner after only sixteen months. At the same time, core technical credibility is still heavily identified with founding CTO Jack Stockdale, whose profile explicitly ties him to the Bayesian models and AI algorithms underpinning the platform. That does not mean Darktrace lacks bench strength, but it does mean the investment case is still unusually sensitive to a small number of people. The current public record adds a softer but important warning sign: the company page still labels a Poppy quote with the title “CEO,” while other pages use slightly different employee counts. None of that proves operational failure, but it does show that post-buyout governance and information hygiene require active diligence rather than passive trust.[CR019, CR034, CR036, CR037, CR038, CR039]

8.1 Investment thesis and anti-thesis

Darktrace still has a credible investment case because the last fully disclosed operating snapshot was strong enough to look like a scaled, profitable cyber platform rather than a speculative AI story. By June 2024, the company had reached $782.2 million of ARR, at least $689.5 million of revenue, 89.3% gross margin, 106.6% net ARR retention, and 9,735 customers; current company materials still point to roughly 10,000 customers, 110 countries, and more than 2,300 employees. The pro case is that Thoma Bravo bought a real platform with category breadth, cloud-forensics expansion through Cado, and enough retention quality to earn a future exit at a higher value. The anti-thesis is that the attributes that made Darktrace sponsorable are now hidden behind private ownership. The public record shows leverage, two CEO transitions in the sponsor transition window, residual accounting-overhang discount, and an Omdia view that standalone NDR renewals have been pressured by XDR platform consolidation. That leaves Darktrace in the investable-but-not-priceable bucket: strategically relevant, but not investable at high conviction without fresh private data.[CV001, CV004, CV005, CV006, CV007, CV013]

8.2 Current financing and entry discipline

The cleanest valuation anchor is still the October 2024 sponsor entry. Using the last public FY2024 numbers, Thoma Bravo paid about $5.3 billion, which implies roughly 6.8x ARR and 7.7x revenue. That does not look reckless relative to Darktrace's disclosed economics: the business was growing, gross margin was still near 90%, and retention remained above 100%. The problem is everything that happened after closing. Companies House confirms that FY2025 statutory accounts were filed, but the open-web extraction is effectively blank. The December 2025 MR01 filing also proves leverage exists and names Goldman Sachs Bank USA as the secured lender, yet the public record still does not disclose principal, pricing, maturity, or covenant levels. Entry discipline therefore has to be simple. A new investor should treat the 2024 sponsor price as a fair-value ceiling until management provides a current ARR bridge, updated retention, current EBITDA / FCF, and the debt package. Without those items, higher pricing would mean paying up for opacity rather than paying for proven improvement.[CV001, CV002, CV003, CV004, CV005, CV008]

8.3 Comparable analysis and valuation stance

The comparable exercise supports Darktrace as fairly valued at sponsor entry, not obviously cheap. Public cyber leaders trade far above Darktrace's 2024 entry mark on simple market-cap-to-revenue proxies: CrowdStrike sits near 38.7x revenue, Palo Alto near 23.1x, and SailPoint near 10.0x. Those numbers make Darktrace's 7.7x revenue entry look conservative, but only in a superficial way. The public peers have fresher disclosure, stronger public-liquidity value, and less sponsor-era opacity. SailPoint is the best sponsor precedent: Thoma Bravo bought it for about $6.9 billion in 2022, and it now carries a public market capitalization above $10 billion, showing that Thoma Bravo can re-rate a scaled security asset over a multi-year hold. Even so, Darktrace is not SailPoint. Its direct category is under more platform pressure, its current debt is unknown, and its governance path is visibly less settled. That is why the chapter lands on a fair stance near the 2024 entry price rather than an attractive stance today.[CV023, CV024, CV025, CV026, CV027, CV028]

8.4 Scenario analysis and return logic

The scenario range is wide because Darktrace can plausibly grow into a much higher exit value, but the variance is dominated by hidden sponsor-era variables. In the bull case, Darktrace compounds ARR above $1.1 billion by 2029, keeps net retention comfortably above 105%, monetizes Cado and cloud forensics, and benefits from a more open cyber IPO or strategic-buyer market; that can support roughly $11-14 billion of value and a little more than 2x gross value on the 2024 entry. In the base case, ARR grows toward roughly $1.0 billion and exits around 8-10x ARR, producing about $7.5-9.5 billion. In the bear case, NDR platform pressure intensifies, net retention slips below 100%, debt constrains investment, and governance uncertainty persists; value can compress toward $4-6 billion, which is near or below entry. The weighted lesson is that Darktrace still has upside, but the current public record cannot show enough edge to buy into that upside confidently.[CV013, CV014, CV015, CV016, CV023, CV024]

8.5 Exit readiness, thesis-break triggers, and final diligence asks

Darktrace is large enough to have real exit optionality, but not transparent enough to be called exit ready on public evidence alone. The positive case is obvious: the company has public-market history, a near-10,000-customer footprint, sponsor backing, and a product narrative that still spans network, cloud, email, identity-adjacent workflows, and automated forensics. The negative case is equally obvious: the public does not know the debt quantum, the FY2025 accounts are practically unusable in open extraction, and the company has already gone from Poppy Gustafsson to Jill Popelka to interim CEO Charles Goodman within the transition to private ownership. Those are not automatic deal-killers, but they are enough to define hard thesis-break rules. The recommendation upgrades only if management can show clean sponsor-era compounding, a non-threatening leverage profile, stable leadership, and an exit path that looks more like a disciplined re-rating than a forced liquidity event. Until then, diligence should focus on debt documents, current ARR quality, cap-table economics, and cloud attach-rate proof.[CV008, CV009, CV010, CV011, CV015, CV016]

8.6 Exhibits