Carbon Black

One solution for continuous endpoint recording, live response & remediation

Carbon Black is the industry’s only endpoint threat detection and incident response solution for SOC and incident response (IR) teams that combines continuous recording and live response capabilities to prepare organizations for a data breach, instantly isolate endpoint threats, terminate ongoing attacks, and remediate threats at the moment of discovery.

Carbon Black

Carbon Black reduces the cost and complexity of traditional incident response by replacing reactive “after-the-fact” manual data acquisition with proactive continuous monitoring and recording of all activity on endpoints and servers. Responders can now dramatically reduce the dwell time of targeted threats with instant attack intervention and remediation of advanced threats. Top IR firms and managed security service providers (MSSP) have made Carbon Black a core component of their detection and response services.

Carbon Black Diagram of Capabilities

Always-on endpoint sensor for continuous monitoring & recording

Carbon Black is the only response solution with a real-time endpoint sensor that continuously records and maintains the relationships of every critical action on every machine, including all file executions, file modifications, registry modifications, network connections and a copy of every executed binary. This enables responders to immediately “roll back the tape” to understand root cause, lateral movement and deleted payloads. Carbon Black’s always-on sensor also has robust coverage of all major operating systems such as Windows, Mac OS X and Linux.



Instant, aggregated threat intelligence for threat prioritization & attack classification

Through the Bit9 + Carbon Black Threat Intelligence Cloud, only Carbon Black can automate and apply comprehensive threat intelligence—from a combination of public, custom, third-party, and proprietary providers—over its continuously recorded endpoint visibility for immediate consumption of real-time threat feeds to reduce alert fatigue, accelerate threat discovery and classify attacks instantly. Carbon Black also now leverages the recent enhancements to the Threat Intelligence Cloud by integrating a variety of new threat feeds—developed and published by the Bit9 + Carbon Black Threat Research Team—for automatic consumption by SOC and IR teams to improve the discovery of emerging threats.


Carbon Black Watchlist

Carbon Black watchlists for real-time customized detection

With Carbon Black’s watchlists, you can build custom detection events—tailored for your business—based on threat intelligence and continuous data collection to detect entire attack processes in real time.


Carbon Black Kill Chain

Complete kill chain analysis for instant root cause investigation

Carbon Black delivers an unmatched ability to instantly understand root cause—through a recorded history of the relevant changes at the endpoint and attack visualization—to enable responders to immediately investigate and recover at the moment of discovery.


Carbon Black Endpoint Isolated

One-click endpoint isolation for attack quarantining & containment

Responders can now instantly disrupt active intrusions by quarantining and isolating one or multiple endpoints from the network while still maintaining an active connection with the Carbon Black server enabling IR teams to perform more conclusive and surgical investigations.


Carbon Black Live Response

CB Live Response for endpoint threat inspection, termination & remediation

With the addition of CB Live Response, responders can now understand the current state of an endpoint, perform remote live investigations, intervene with ongoing attacks, and instantly remediate endpoint threats. This enables incident responders to “look” and “touch” endpoints to take immediate action during an investigation—even while the endpoint remains isolated from the rest of the network.


Carbon Black Dashboard

KPI dashboards for instant endpoint insight

With Carbon Black’s dashboards, security teams now gain instant insight into key endpoint and incident response performance indicators across their entire environment. This enables organizations to understand and articulate the state of their endpoint detection and response capabilities.



Robust security ecosystem integration for best-of-breed detection & response

Through Carbon Black’s open API, security teams receive an unmatched ability to both “pull in” third-party security solutions and threat intelligence as well as “push out” Carbon Black’s continuous endpoint visibility, customizable detection and rapid response techniques to third-party or homegrown security products.

Supported Operating Systems

Video: Carbon Black Version 5.0
Carbon Black 5.0: The Industry's Most Complete IR Solution

451 Research report:
“We’ve received a steady stream of positive commentary about [Carbon Black] from

View Now

Info Graphic:
Disrupting the Threat: Identify, Respond, Contain & Recover in Seconds

View Now

Data Sheet:
Carbon Black 5.0

View Now

Disrupting the Threat: Identify, Respond, Contain & Recover in Seconds

Download now

White paper:
Advanced Threat Hunting with Carbon Black

View Now

Endpoint Threat Detection, Response and Prevention for Dummies

View Now

SANS: Automation in the Incident Response Process

Download Now
Bit9 + Carbon Black