The Hunter’s Paradox: Is it time to embrace automated threat hunting?

The Hunter’s Paradox: Is it time to embrace automated threat hunting?
The article argues that AI should be allowed to drive some threat hunts because humans can no longer keep up with the volume and velocity of security data, but only under strict guardrails. It reframes threat hunting as a reasoning-driven process, while keeping humans responsible for strategy, creativity, and deciding which hunts matter. #Sqrrl #PEAK #LLM

Keypoints

  • Humans alone cannot scale to the current volume, velocity, and capacity demands of threat hunting.
  • The author describes this as the “Hunter’s Paradox”: AI is needed, but AI cannot be fully trusted.
  • Attackers routinely rely on deception, which is especially problematic for LLMs and other AI systems that may trust misleading data.
  • The traditional threat hunting definition from Sqrrl and PEAK centered humans, but the author now argues the real core is reasoning.
  • AI should be allowed to drive only carefully selected hunts with tight focus, strict access controls, auditability, and graduated autonomy.
  • Humans should keep control of hunt strategy, prioritization, and creative analysis because AI tends to miss novel attacker behavior.
  • The article concludes that AI-driven hunting is likely necessary, but the field must experiment and share lessons learned.

MITRE Techniques

  • [T1056 ] Input Capture – The article mentions prompt injection as a way attackers can manipulate AI behavior by inserting malicious instructions into content the model reads (‘an attacker slips instructions into something the AI will read’).
  • [T1566 ] Phishing – Deception is described as foundational to attacker tradecraft, including phishing used to make victims believe lies (‘Every phish … is a lie that has to be believed in order to work’).
  • [T1190 ] Exploit Public-Facing Application – The article notes that exploits are part of the attacker deception model used to bypass defenses (‘every exploit … is a lie that has to be believed in order to work’).
  • [T1027 ] Obfuscated Files or Information – The discussion of deceptive attacker data and misleading telemetry maps to hiding true intent through deceptive or misleading content (‘attackers lie and cheat constantly’).
  • [T1499 ] Endpoint Denial of Service – The mention of quarantining an endpoint and avoiding harmful automation reflects the risk of disruptive defensive actions, though not as an attacker technique (‘Maybe you let it quarantine a user endpoint’).

Indicators of Compromise

  • [Framework / document names ] threat-hunting methodology references – Sqrrl, PEAK
  • [Time references ] historical context for the framework and field evolution – 2015, 2023
  • [Platform / data source names ] security tooling and telemetry context – SIEM, GitHub


Read more: https://blog.talosintelligence.com/the-hunters-paradox-is-it-time-to-embrace-automated-threat-hunting/