I’m involved with SOC-related AI conversations every week. The most common ask is how to connect the dots between what is possible and how a SOC in its current state can actually move forward with AI. Answers like “buy this” or “AI will just do this” are not real. A better answer is to look at what you want to accomplish and identify crawl, walk, and run options for adopting AI into your SOC. For this post, I’ll look at threat hunting.
Threat hunting is all about researching an always-changing hypothesis for where threat actors could exist. I found that this post HERE, about adopting AI into a threat hunting practice, speaks to the crawl-to-walk stage. It gives very tactical recommendations for converting the manual effort of building and researching a threat hunting hypothesis into AI prompts or agentic workflows. These specific recommendations are not bad.
1. Treat Hypotheses Like Code
Start writing down your hunt hypotheses in structured form. Track them. Version them. Iterate. Use a doc, a repo, a Notion board—whatever. The point is: make your thinking explicit so it can be scaled and handed off to an agent later.
2. Start Pairing with AI
Use LLMs to accelerate the boring stuff. Have them:
- Draft hunt ideas from threat intel reports
- Suggest Splunk queries based on behaviors
- Summarize investigation findings
You’re not just saving time; you’re training the AI how you think.
3. Fix Your Data Access
Agentic systems are only as good as the data they can reach. If your telemetry lives in 9 different tools with no correlation layer, you’ve already lost. Start building a unified view now, via a SIEM, data lake, or even APIs.
4. Automate the Repetitive, Keep the Creative
Look at where your team spends time on rinse-and-repeat investigations. Those are prime candidates for autonomy. Use automation for triage and enrichment so your humans can focus on strategy and weirdness.
5. Set Guardrails Before You Scale
Don’t wait until something breaks. Define what your agents can do without approval. Set escalation paths. Build trust by reviewing decisions together. Autonomy works best when the humans stay in the loop. On purpose.
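To make the five recommendations concrete, here is an added example in Python that is not code from the original post or from the post it quotes. It shows a hunt hypothesis written as a structured, versioned record (point 1) that can be dumped to JSON and committed to a repo, a prompt builder that hands that record to an LLM for query drafting (point 2), and a guardrail policy table that decides which agent actions run autonomously, which pause for human approval, and which are never allowed (point 5). The field names, the action names, the ATT&CK ID used in the sample, and the approver callback interface are all assumptions for illustration; the sample plan at the bottom is constructed, not captured from a real agent.

```python
"""Hunt hypotheses as code plus an agent guardrail policy (added example).

Names, fields, actions and sample data below are illustrative assumptions,
not taken from the original post or any particular product.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from enum import Enum
from typing import Callable, Iterable


@dataclass
class HuntHypothesis:
    """A hypothesis written down like code: explicit, versioned, reviewable."""
    hunt_id: str
    version: int
    statement: str
    attack_technique: str           # e.g. a MITRE ATT&CK ID (assumed field)
    data_sources: list[str]         # telemetry an agent would need to reach
    query: str                      # the Splunk SPL an analyst or LLM drafted
    status: str = "draft"           # draft | active | retired
    history: list[str] = field(default_factory=list)

    def revise(self, statement: str, query: str, note: str) -> "HuntHypothesis":
        """Return the next version; the old object is left intact as the record."""
        return HuntHypothesis(
            hunt_id=self.hunt_id,
            version=self.version + 1,
            statement=statement,
            attack_technique=self.attack_technique,
            data_sources=list(self.data_sources),
            query=query,
            status=self.status,
            history=self.history + [f"v{self.version}->v{self.version + 1}: {note}"],
        )

    def to_json(self) -> str:
        """Stable serialization so diffs in a repo show only real changes."""
        return json.dumps(asdict(self), indent=2, sort_keys=True)


def prompt_for_query(h: HuntHypothesis) -> str:
    """Render the structured hypothesis as the context an LLM gets when asked
    to suggest a query, so the prompt is derived from the record, not ad hoc."""
    return (
        f"Behavior to hunt: {h.statement}\n"
        f"ATT&CK technique: {h.attack_technique}\n"
        f"Available data sources: {', '.join(h.data_sources)}\n"
        "Draft a read-only Splunk SPL search that surfaces this behavior."
    )


class Decision(str, Enum):
    ALLOW = "allow"                         # agent may act without a human
    REQUIRE_APPROVAL = "require_approval"   # pause and route to an analyst
    DENY = "deny"                           # never, regardless of approval


# Guardrail policy: which agent actions are autonomous, gated, or forbidden.
# Anything not listed falls through to REQUIRE_APPROVAL (fail closed).
POLICY: dict[str, Decision] = {
    "run_read_only_query": Decision.ALLOW,
    "enrich_indicator": Decision.ALLOW,
    "summarize_findings": Decision.ALLOW,
    "isolate_host": Decision.REQUIRE_APPROVAL,
    "disable_account": Decision.REQUIRE_APPROVAL,
    "delete_evidence": Decision.DENY,
}


@dataclass
class AgentAction:
    name: str
    target: str
    reason: str


def evaluate(action: AgentAction) -> Decision:
    """Look up the action; unknown actions are gated, never silently allowed."""
    return POLICY.get(action.name, Decision.REQUIRE_APPROVAL)


def run_agent_plan(
    actions: Iterable[AgentAction],
    approver: Callable[[AgentAction], bool],
) -> list[tuple[str, Decision, bool]]:
    """Walk an agent's plan and return an audit trail of (action, decision,
    executed). `approver` is the human-in-the-loop callback (assumed interface)
    and is consulted only for gated actions; DENY is never executed."""
    audit: list[tuple[str, Decision, bool]] = []
    for a in actions:
        d = evaluate(a)
        if d is Decision.ALLOW:
            executed = True
        elif d is Decision.REQUIRE_APPROVAL:
            executed = bool(approver(a))
        else:
            executed = False
        audit.append((a.name, d, executed))
    return audit


if __name__ == "__main__":
    h = HuntHypothesis(
        hunt_id="HUNT-0001", version=1,
        statement="PowerShell spawned by Office apps with encoded command lines",
        attack_technique="T1059.001", data_sources=["EDR process events"],
        query='index=edr parent_name IN ("winword.exe","excel.exe") process_name=powershell.exe',
    )
    print(h.revise(h.statement, h.query + " cmdline=*-enc*", "added -enc filter").to_json())
    print(prompt_for_query(h))
    # Constructed sample plan; the approver here auto-approves isolation only.
    plan = [AgentAction("enrich_indicator", "10.0.0.5", "pivot"),
            AgentAction("isolate_host", "WS-042", "confirmed beacon"),
            AgentAction("delete_evidence", "WS-042", "cleanup"),
            AgentAction("reboot_host", "WS-042", "unlisted action")]
    for row in run_agent_plan(plan, lambda a: a.name == "isolate_host"):
        print(row)
```

The policy table is the guardrail the last recommendation asks for: it is written down before any agent is allowed to scale, unknown actions fail closed to human review rather than open, and `run_agent_plan` returns an audit trail the team can review together to build trust in what the agent decided.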
Check out the full post HERE. I’ll post my thoughts on applying AI and agentic workflows into other SOC services such as vulnerability management and incident response in future posts.