Jim Penrose, a former NSA employee who is now part of British cybersecurity firm Darktrace. The different spikes in activity (at right on monitor) give firms an idea of various cyber intrusion attempts. (Michael S. Williamson/The Washington Post)

The last time British spies and mathematicians from Cambridge University joined forces to battle a global enemy was during World War II, to crack the Germans’ Enigma code.

Seven decades later, they’ve teamed up with ex-National Security Agency agents this side of the pond to tackle the modern world’s big, unknown threat: hackers.

Darktrace, a U.K. cybersecurity company that counts Cambridge machine learning specialists and cyberintelligence experts from GCHQ and MI5 — Britain’s equivalent of the NSA — among its leadership team, is set to open its U.S. headquarters in the Washington region this month.

The private company is funded by an investment firm led by Mike Lynch, the founder of British IT giant Autonomy who became embroiled in an accounting controversy when Hewlett-Packard sought to acquire the company in 2011. Lynch denied wrongdoing and British investigators eventually closed an investigation without bringing charges.

Where Darktrace bills itself as different is in the philosophical approach it takes to protect corporate networks, informed by the government background of its team. The company’s software was designed to get ahead of an attack instead of cleaning up quickly after the fact, said Jim Penrose, a 17-year NSA veteran and Darktrace’s executive vice president of cyber-intelligence.

Darktrace’s cybersecurity software shows how a global problem (intrusion) can start with just one employee's work station. The company is looking for office space in Maryland. (Michael S. Williamson/The Washington Post)

“From the time I started at NSA, I had it drilled into my head — you need to give the action takers enough time so that they can avoid the crisis entirely,” he said. “The best work I’ve ever been involved in never became news.”

Darktrace’s flagship product is the Enterprise Immune System, so named because it mimics the behavior of the human immune system using algorithms developed by Cambridge mathematicians.

Here’s how it works: When the software is installed by a company, it acts as a sponge, learning the typical behavior of all the users in a network to establish a sense of “self.”

The software paints a picture of the company’s routine operations — what time of day employees usually come into work, the files they work with, and whether they’re using their mobile devices or workstations.

Once a baseline has been established, the software looks for anything out of the ordinary — a device that’s trying to access a lot of data, or trying to connect with too many external devices, for example. When a combination of activities looks fishy, it triggers alerts for the company’s IT department.

The idea is simple, and some U.S. companies such as Columbia, Md.-based Sourcefire (now part of Cisco Systems) and Georgia-based Lancope have similar offerings.

But this spot-the-anomaly approach is somewhat of a departure from the model of cybersecurity in the private sector, experts say.

The prevailing method is to detect an intrusion and then match it to a list of known malware out in the rest of the world — a database of bad guys, if you will.

Companies are still a long way off from being proactive about cybersecurity, said Gary Miliefsky, chief executive of SnoopWall, a mobile counterintelligence software company.

For time and cost reasons, the cybersecurity industry’s goal is to make the matching process as fast and efficient as possible, so that companies can quickly identify malware and minimize their damages.

But what to do when a sophisticated attacker develops a new strain of malware targeted at your business? (This was the case with both the Sony and Anthem hacks, experts say.)

“The industry paradigm is cleaning up well,” Penrose said. “We want to convince folks that it’s worth investing the effort in getting ahead.”

Darktrace’s business has surged since the Sony attack, said Nicole Eagan, the company’s chief executive, who also worked at Autonomy.

Most of Darktrace’s business is still Europe-centric, with 50 clients across the Atlantic and less than half that number in the United States. The two-year-old company hasn’t turned a profit yet.

But Eagan said the American market promised more opportunity. That’s why she was part of a contingent of cybersecurity executives accompanying British Prime Minister David Cameron on his recent trip to Washington, where the two countries announced the launch of a joint cyber-sharing initiative.

Darktrace is scouting locations in Anne Arundel County, not far from the NSA’s headquarters.

Ellen Nakashima contributed to this report.