COMMENTARY: Threat hunting has always done work that detection engineering cannot. Detections answer a known question repeatedly: did this pattern occur? Hunting asks open-ended questions we did not have an answer to in advance, and it is how teams surface unknown unknowns, validate whether a new IoC is present in their environment, and test hypotheses about emerging APT activity that, by design, would not trip standard detections.

Mature security programs treat these as complementary disciplines. Detections handle the known patterns at scale. Hunting handles the investigations that require judgment, context, and the willingness to follow a thread without knowing where it ends.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

The threats that produce the largest business impact (insider abuse, slow credential exploitation, supply chain compromise, the kinds of incidents that drive material losses) are usually surfaced by hunting rather than by detection. They unfold in patterns specific to a given environment, and they require someone hunting with a hypothesis to find them.

The bandwidth problem

The constraint has always been bandwidth. Hunting requires the most experienced people on the team, working the hardest problems, with broad access to data across your environment. The teams that hunt continuously are the ones that can justify a dedicated hunting program. Everyone else hunts when they can: after a major incident, around a vendor advisory, in the gaps between higher-priority work.

The result is uneven across the industry. Well-resourced security organizations sustain hunting as an ongoing function and find things their peers do not. Most organizations run formal hunts a few times a year, if at all. The asymmetry traces directly to staffing. Hunting is expensive precisely because it pulls your most senior analysts off the work that already justifies their time, and most security leaders cannot trade one for the other indefinitely.

What changes with AI agents is the bandwidth equation. An agent with access to our security data lake, enrichment sources, and threat intelligence can run the kind of hypothesis-driven investigation a senior hunter does, on a rolling basis, without requiring a person to initiate the work. I think of this as continuous agent hunting: deploying agents to independently scan telemetry, form and test hypotheses, and surface findings as they emerge.

The mechanism is a hunting scope: a structured prompt that gives the agent a threat model, criteria for distinguishing risky from routine, and the enrichment steps it needs to make a confident assessment. An IAM scope, for example, does not describe a malicious pattern. It teaches the agent what normal IAM activity looks like in your environment, which role changes warrant scrutiny, and how to correlate them with identity context. From there, the agent can connect a sequence of events no individual rule would have flagged, such as a console-driven role change paired with an access review flag and a new cross-account trust policy.

In this model the alert queue carries two streams: deterministic alerts from rules that matched known patterns, and probabilistic findings from agents that noticed something worth investigating. Both feed the same downstream triage and response work. The difference is that the second stream covers categories of investigation your team has never had the bandwidth to run continuously.

The architecture is a precondition: a queryable security data lake, a curated layer of security-relevant signals, and agent-accessible enrichment and threat intelligence. Without those foundations, agents have nothing to reason against, and the bandwidth advantage never materializes.

What this means for risk

The leadership case for this is straightforward. The threats that drive the most material business risk rarely fit rule patterns, and they are not what a sporadic, scheduled hunting program is going to catch in time. Continuous agent hunting brings that category of investigation into routine practice rather than reserving it for the moments after something has already gone wrong. Mean time to discovery shortens. Dwell time on the highest-impact threats comes down. The investigations a senior hunter would run if you could staff for them now run continuously, against the parts of your environment where real risk accumulates.

The longer agents observe routine activity, the sharper they become at distinguishing it from genuine anomaly. The signal quality of their findings improves as they build a working understanding of our environment, and the value of the program grows the longer it runs.
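The IAM scope described above, worked through as code. This is an added illustration, not code from the column or from Panther: it shows one way a scope's criteria (which accounts the environment already trusts, which principals the last access review flagged) can be encoded and correlated against a role trust-policy change, so that a console-driven change, an access-review flag and a new cross-account trust surface together as one finding. The CloudTrail-style records, account IDs, user names, the `HuntScope` shape and the signal-count scoring are all constructed for the example; real CloudTrail records carry the trust policy as an escaped JSON string, which `json.loads` handles, but any URL-encoded copy would need decoding first.

```python
"""Added example (not from the column): a minimal IAM hunting scope applied to
constructed CloudTrail-style records. It encodes what the scope teaches the agent
(which accounts this environment already trusts, which principals an access review
flagged) and correlates a trust-policy change with that identity context."""
import json
import re
from dataclasses import dataclass

# Matches a bare account ID, or the root ARN of an account, as used in trust policies.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::root)?$")
# User agents that indicate a hand-made change from the AWS console rather than IaC/CI.
CONSOLE_RE = re.compile(r"console\.amazonaws\.com|signin\.amazonaws\.com")


@dataclass
class HuntScope:
    """Environment-specific criteria a hunting scope gives the agent (assumed shape)."""
    known_accounts: set        # accounts this environment already trusts
    flagged_principals: set    # user names flagged by the last access review
    min_signals: int = 2       # co-occurring signals needed before raising a finding


def trusted_accounts(policy_document):
    """Return the set of 12-digit account IDs granted sts:AssumeRole by a trust policy."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be un-listed
        statements = [statements]
    accounts = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        for principal in principals:
            match = ACCOUNT_RE.match(principal)
            if match:
                accounts.add(match.group(1))
    return accounts


def actor_of(event):
    """User name of the caller, falling back to the last ARN segment (e.g. a session name)."""
    identity = event.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn", "").rsplit("/", 1)[-1]


def hunt_iam_trust_changes(events, scope):
    """Correlate UpdateAssumeRolePolicy calls with the scope's context and rank findings."""
    findings = []
    for event in events:
        if event.get("eventName") != "UpdateAssumeRolePolicy" or event.get("errorCode"):
            continue                          # ignore other calls and denied attempts
        params = event.get("requestParameters", {})
        new_accounts = trusted_accounts(params.get("policyDocument", "{}")) - scope.known_accounts
        actor = actor_of(event)
        signals = []
        if new_accounts:
            signals.append("new_cross_account_trust")
        if CONSOLE_RE.search(event.get("userAgent", "")):
            signals.append("console_driven")
        if actor in scope.flagged_principals:
            signals.append("access_review_flag")
        if len(signals) >= scope.min_signals:   # routine on its own; worth a look together
            findings.append({
                "eventID": event.get("eventID"),
                "role": params.get("roleName"),
                "actor": actor,
                "new_accounts": sorted(new_accounts),
                "signals": signals,
                "priority": "high" if len(signals) == 3 else "medium",
            })
    return findings


def trust_policy(*principals):
    """Build a trust-policy document string in the shape CloudTrail records it."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": list(principals)},
        "Action": "sts:AssumeRole"}]})


# Constructed sample records in CloudTrail's shape; account IDs and names are made up.
SAMPLE_EVENTS = [
    {"eventID": "ev-1", "eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"userName": "alice"}, "userAgent": "console.amazonaws.com",
     "requestParameters": {"roleName": "prod-admin",
                           "policyDocument": trust_policy("arn:aws:iam::999999999999:root")}},
    {"eventID": "ev-2", "eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"userName": "ci-deployer"},
     "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.6.0",
     "requestParameters": {"roleName": "build-role",
                           "policyDocument": trust_policy("arn:aws:iam::222222222222:root")}},
    {"eventID": "ev-3", "eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"userName": "bob"}, "userAgent": "console.amazonaws.com",
     "requestParameters": {"roleName": "data-reader",
                           "policyDocument": trust_policy("arn:aws:iam::111111111111:root",
                                                          "333333333333")}},
    {"eventID": "ev-4", "eventName": "UpdateAssumeRolePolicy", "errorCode": "AccessDenied",
     "userIdentity": {"userName": "alice"}, "userAgent": "console.amazonaws.com",
     "requestParameters": {"roleName": "prod-admin"}},
]

SCOPE = HuntScope(known_accounts={"111111111111", "222222222222"}, flagged_principals={"alice"})

if __name__ == "__main__":
    for finding in hunt_iam_trust_changes(SAMPLE_EVENTS, SCOPE):
        print(json.dumps(finding))
```

Run against the sample records, the Terraform-driven change to an already-trusted account (ev-2) produces nothing, the denied attempt (ev-4) is skipped, the console change by an unflagged user that adds one unknown account (ev-3) comes out as a medium-priority finding, and the console change by the flagged user that trusts an unknown account (ev-1) comes out as high priority. None of the three signals is a detection on its own; the scope's context is what turns their co-occurrence into something worth an analyst's time.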
For teams operating under continuous monitoring requirements, the same activity also produces a defensible audit trail showing that ongoing investigation is actually happening, not just that logs are being retained.

Most security teams today are deploying agents in a narrower role: triaging alerts that humans wrote, accelerating the work analysts were already doing. The productivity gains from that are real, but it is the foundation rather than the destination. The teams investing now in queryable data lakes, structured security signals, and agent-accessible enrichment are building the architecture for a different kind of program, one where coverage expands continuously rather than scaling with headcount, and where the hardest investigative work gets attention regardless of whether your most senior analyst happens to have time this quarter.

The constraint was never expertise or model capability. It was bandwidth, and the architecture to support it. Removing that constraint changes what a security program can cover, who gets to do this work, and how confidently we can answer the question our board keeps asking: how would we know if it was happening right now?

Jack Naglieri, chief executive officer, Panther Security