Engineering the Future of Agentic Threat Hunting
Agentic Threat Hunting is how we use AI to dramatically accelerate threat investigations without giving up rigor. Senior researchers stay in control, but they gain a force multiplier, like having extra analysts available on demand. We build this with custom prompts, repeatable investigation playbooks and tool-connected agent workflows that keep work consistent and auditable. The result is faster understanding, faster response and better protection for users.
In a recent investigation, this approach produced a complete, publishable, evidence-backed analysis about 30 times faster than a traditional workflow, without skipping verification.
We’re building this as a repeatable capability across investigations, not an ad hoc trick.
Introducing ‘Agentic Threat Hunting’
Attackers scale by default. They automate, iterate and copy what works until defenders are forced into a permanent reaction cycle.
Defenders don’t lose because they lack intelligence or tools. Defenders lose because time is finite.
Threat hunting is not a single breakthrough moment. It’s a chain of steps and the chain breaks where time and attention run out.
Deep technical analysis is still one of the highest leverage things a security team can do. It is also one of the hardest things to scale, because it depends on expert attention and takes a great deal of time. A strong researcher can only do so many hours of careful extraction, correlation, hypothesis testing, and write-up in a day.
That bottleneck is changing.
Not because AI “does the research,” but because agentic workflows compress time. With the right operating model, a senior analyst can direct AI agents like a small team of junior researchers. Multiple threads run in parallel, while the human stays responsible for judgement, verification, and final conclusions.
That is what we mean by Agentic Threat Hunting.
This is not “using a chatbot sometimes”. It is a new operating model for how threat hunting gets done, and at Gen we are treating it like a capability we are building, evolving, and systematizing internally.
The problem we are solving: time is the limiting factor
A modern threat investigation rarely arrives as one tidy unit of work. It arrives in pieces, a suspicious sample, related variants, infrastructure breadcrumbs, partial configuration and a growing set of “maybe” links that need to be proven or discarded.
Even the best researchers lose days to work that is necessary but doesn’t deserve senior attention:
- Repeating extraction across variants
- Organizing artifacts into a structure that can be compared and revisited
- Maintaining multiple hypothesis threads without mixing assumptions into facts
- Turning raw technical detail into outputs that other teams can act on
The cost is not just speed. When time gets tight, risk increases. Steps get shortened, context gets lost and important connections can be missed.
This is the gap Agentic Threat Hunting is designed to close.
What changes: parallel work, one accountable owner
The difference with Agentic Threat Hunting is not that the model “finds the truth”. It’s that a senior researcher can run multiple investigation threads in parallel, without losing the plot.
Instead of one person doing everything serially, agents can take on defined roles that mirror how a small team works:
- one agent structures artifacts into consistent notes and a capability map,
- another maintains a living hypothesis tree, highlighting contradictions and what still needs proof,
- another drafts evidence-linked summaries for internal stakeholders while the researcher keeps investigating.
The senior researcher becomes the director, the reviewer and the owner of every conclusion. The work scales, but accountability does not move.
What stays the same: credibility, traceability and ownership of claims
If we only talk about speed, this turns into hype.
AI can sound confident while being wrong. That is not a theoretical risk, it is the default failure mode of careless use. So the core principle of Agentic Threat Hunting is simple:
Agents can accelerate work, but researchers own the claims.
In practice, that means evidence remains the source of truth, not the agent’s narrative. Every meaningful conclusion must be traceable back to artifacts and anything that cannot be traced stays a hypothesis. Confident language is not proof. Verification is not optional. Humans remain accountable for what we ship internally and what we publish externally.
This is how you get the upside of speed without sacrificing trustworthiness.
How it works in practice: two examples
Example 1: Variant wrangling without losing rigor
Malware rarely arrives as a single, well-defined specimen. It arrives as a stream of variants, each with small changes that matter.
In a traditional workflow, analysts repeat the same extraction steps across variants, then try to keep the differences straight across notes, screenshots and half-finished write-ups.
With an agentic workflow, we can delegate the repetitive passes. Agents produce consistent, structured summaries of behaviors, configuration patterns and meaningful deltas across samples. The senior researcher then focuses on the high-value part: verifying the key claims, spotting what changed and deciding what those changes imply.
Example 2: From raw technical detail to outputs people can actually use
Even when the analysis is correct, a lot of time disappears translating it into something others can act on.
While the researcher is validating evidence, agents can draft two versions of the same findings, one technical for internal response teams (actionable, precise, evidence-linked), and one plain-language for a broader audience (clear, non-technical, no unnecessary detail).
The human still owns the narrative, edits for accuracy and decides what is publishable, but translation stops being the limiting factor.
The engine behind it: playbooks, prompts and roles that work like a team
The difference between “we tried AI” and “we are building Agentic Threat Hunting” is discipline.
We are not relying on generic prompts or one-off interactions. We develop and refine prompts and playbooks that reflect how investigations actually work, including how we structure evidence, how we express uncertainty, how we separate “observed” from “inferred” and how we keep conclusions traceable back to artifacts.
Then we operationalize that into agent roles, so the work is repeatable instead of reinventing every time.
Most importantly, this is not static. We continuously evolve the approach, creating new ways to take advantage of agents while keeping the same standard of rigor. That continuous evolution matters, because threat hunting is adversarial work. Attackers adapt, and tooling must adapt too.
Why it matters: faster investigations mean better protection
Attackers will use the same force multipliers. Agentic workflows can reduce their cost of experimentation, speed up iteration and help scale campaigns that used to require more manual effort.
That is exactly why we’re investing in Agentic Threat Hunting as a disciplined capability, not a novelty. The advantage will not come from “having models.” It will come from having better workflows, stronger verification habits and faster learning loops.
When the investigative cycle is shorter, detections improve sooner, infrastructure can be identified and disrupted sooner, response teams get clarity sooner and users are protected sooner.
There is a second-order effect too. Senior researchers spend less time doing necessary but repetitive wor and more time doing what makes them senior: connecting dots, spotting patterns, and making high-stakes judgment calls.
In other words, AI compresses time, but it does not compress responsibility. That stays human.
