< ciso
brief />
Tag Banner

All news with #threat hunting tag

75 articles

UK unveils AI-driven national Cyber Shield

🔒 The UK’s NCSC and DSIT unveiled a blueprint called Cyber Shield to deploy autonomous AI agents that detect and neutralize cyberattacks at machine speed. The plan uses cooperating “red” and “blue” agents to identify weaknesses, detect threats and progressively automate remediation while operating under organizational control. The initiative emphasizes explainable and federated AI, industry partnerships, and a staged rollout beginning with government and critical sectors.
read more →

Five new SOC roles emerging from AI evolution

🔒 The rise of AI-driven SOCs is reshaping security operations and creating new specialist roles rather than simply replacing people. Today's AI-SOC automates Tier 1 triage and is moving into Tier 2 investigation and remediation, prompting demand for skills in data engineering, agent orchestration, model training, threat hunting, and AI-savvy red teaming. Organizations will need professionals who can integrate diverse telemetry, manage agent swarms, fine-tune models, hunt adversary intent, and test AI-specific weaknesses.
read more →

Challenges and Practical Paths for Autonomous SOCs

🔒 The promise of a fully autonomous SOC—where collection, analysis, investigation, and response happen without human intervention—attracts organizations facing talent shortages and a growing threat landscape. Vendors show value in alert enrichment and noise reduction, but autonomous decision-making and response have delivered limited ROI. Real-world obstacles include poor source data quality, tool integration gaps, analyst distrust, context deficits, AI hallucinations, compliance issues, and the need for human control.
read more →

Google Security Operations: Autonomous threat containment

🛡️ Google details how Google Security Operations pairs with Google AI Threat Defense to detect, investigate, and contain AI-accelerated attacks across cloud and enterprise environments. The post explains three specialized agents — Detection Engineering, Triage and Investigation, and Threat Hunting — that translate threat intelligence into custom detections, autonomously investigate alerts, and proactively hunt stealthy compromises. These agents use diverse telemetry, simulated events, and AI-driven automation to reduce time-to-detection and speed remediation, addressing gaps where patching is impossible or delayed.
read more →

15 Tough Cybersecurity Questions Every CISO Must Answer

🔍 Security leaders outline 15 critical questions CISOs should ask to ensure security programs adapt to evolving threats and business needs. These prompts focus on demonstrating ROI, aligning defenses with critical business processes, measuring detection and response speed, and addressing AI-driven risks like nonhuman identities and automated attacks. The guidance also stresses vendor risk, shadow AI, application security for widespread coding, and preparing security for future business growth.
read more →

Most SOCs See Limited Value from First‑Wave AI

🔎 The SOC-CMM 2026 report shows rapid AI adoption across SOCs but limited perceived value: only about 10% report excellent value while 71% report some or no value. The dominant deployment pattern is the taker model—off‑the‑shelf AI bolted into existing tools—creating fragmented workflows and weak handoffs. The report argues the next wave must be architectural: AI that operates across detection, hunting, investigation, remediation, and threat intel with built‑in governance and institutional knowledge.
read more →

Cisco Live report: AI, networking, and wellbeing

🐶 At Cisco Live U.S. in Las Vegas, the author describes the conference pace, the value of quiet spaces and noise-canceling gear, and the welcome presence of therapy dogs sponsored by Splunk. Discussions at the event centered on AI from an infrastructure and security lens, including the daunting scale of data and associated defense challenges. Cisco Talos highlights expansion of its Threat Hunting program using AI-driven telemetry plus expert validation to find advanced intrusions like a recent KongTuke C2 discovery.
read more →

Balancing Cyber Product Leadership and Endurance

🔥 Tony Giandomenico of Cisco Talos discusses how endurance from Ironman training informs his approach to leading major cybersecurity product launches. He highlights rapid advances in frontier AI models, the evolving threat landscape, and the need to apply similar AI-driven speed to defensive tools. Tony explains Cisco Talos Threat Hunting, its focus on endpoint telemetry and expansion into firewalls and identity, and stresses communication, influence, and purpose as keys to sustaining focus across long careers.
read more →

Hypothesis-Driven Threat Hunting at Cisco Talos

🔍 Cisco Talos Threat Hunting adopts a hypothesis-first approach: rather than waiting for alert thresholds, analysts formulate theories about adversary behavior and search telemetry to validate them. Using AI for scale and human expertise for context, continuous hunts run across global telemetry to surface candidates that automated detection misses. Confirmed findings are reported with remediation guidance and feed back into detection tuning and product improvements.
read more →

PraisonAI Authentication Bypass Scanned by Internet

🔍 Sysdig reported that a newly disclosed authentication bypass in the open-source orchestration framework PraisonAI was probed by internet scanners about 3 hours and 44 minutes after a GitHub advisory published on May 11. The flaw stems from a legacy Flask API server that ships with authentication disabled by default, affecting versions 2.5.6 through 4.6.33 and fixed in 4.6.34. Researchers urge immediate upgrades and monitoring for the “CVE-Detector/1.0” user-agent and suspicious /api/agents and related paths.
read more →

Autonomous Purple Teaming: Closing the Exploitation Gap

🛡️ Traditional purple teaming is failing because human handoffs and siloed toolchains make detection-to-fix cycles far slower than modern attackers. The author documents a collapse in the vulnerability-to-exploit window—from 56 days in 2024 to roughly 10 hours in early 2026 across CISA KEV, VulnCheck KEV, and ExploitDB—and warns that AI-assisted adversaries can act in seconds. Autonomous purple teaming pairs automated penetration testing, Breach and Attack Simulation, and AI-powered mobilization agents to close the loop at machine speed, converting red findings into blue tests and auto-deploying low-risk fixes while keeping every step auditable.
read more →

Day Zero Readiness: Operational Gaps That Break Response

🔒 Having an incident response retainer or a pre-approved external firm is not the same as being operationally ready. Readiness requires pre-provisioned accounts, validated permissions, and practiced workflows so responders can gain immediate visibility into identity, cloud, EDR, and logs. The guide prioritizes identity-first visibility, out-of-band communications, a designated incident manager, and pre-tested activation procedures to eliminate delays that allow attackers to deepen compromise.
read more →

MuddyWater Employs Microsoft Teams for Targeted Intrusion

🔐 Rapid7 attributes a deception-driven intrusion to the Iranian-affiliated actor MuddyWater, which used Microsoft Teams social engineering to harvest credentials and manipulate MFA via live screen-sharing. Once inside, operators leveraged compromised accounts, remote-access tools like DWAgent and AnyDesk, and a trojanized WebView2 binary to maintain persistence and exfiltrate data rather than encrypt files. The campaign appears to have intentionally mimicked RaaS artefacts — including Chaos-related extortion indicators and a signed loader — to obscure state-backed motives and slow incident response.
read more →

CrowdStrike Launches Falcon OverWatch for Defender

🔍 CrowdStrike has introduced Falcon OverWatch for Defender, a managed threat-hunting service that brings continuous, expert-led hunting to Microsoft Defender environments without replacing existing endpoint protections. Running a lightweight Falcon sensor alongside Microsoft Defender, the offering combines human hunters, deep adversary intelligence, and AI-driven analytics to surface stealthy post‑exploit activity and escalate high-confidence threats. It promises AI-powered analysis at scale—up to 6.2 trillion events per day—broad visibility across millions of endpoints, and operationalized hunting patterns to improve detection and response across customers.
read more →

Small US Defense Contractors Lack Network Telemetry

🛡️ Small and mid-size US defense contractors lack the network telemetry needed to detect nation-state reconnaissance and pre-positioning operations, Team Cymru analyst Stephen Campbell warns. He says state-backed groups are increasingly targeting edge infrastructure — routers, firewalls and VPN gateways — and using living-off-the-land techniques and legitimate cloud services to evade endpoint alerts. Campbell urges firms to deploy NetFlow pattern recognition, map infrastructure, patch and segment systems, and hunt for anomalous DNS and lateral movement to uncover stealthy access.
read more →

Expanding Detection: Essential Data Beyond Endpoints

🔍 The 2026 Unit 42 Global Incident Response Report warns that adversaries are moving to exfiltration four times faster than in 2025 and are exploiting gaps created by an over-reliance on endpoint telemetry. Unit 42 found critical evidence present in logs for 75% of incidents, yet siloed systems and inaccessible telemetry prevented timely detection and response. The authors recommend a single-pane-of-glass, AI-driven SOC that centralizes logs and uses tools like Cortex XSIAM for alert stitching, ML-based scoring and unified investigations to reduce alert fatigue and close multi-surface blind spots.
read more →

Threat Source: Prioritizing Identity and Legacy Risks

🔐 Hazel Burton summarizes Cisco Talos' Year in Review and outlines five critical priorities for defenders facing an increasingly automated threat landscape. While AI and accessible exploit code have lowered the barrier for attackers, adversaries still follow predictable patterns and reuse infrastructure, producing detectable anomalies. Defenders should treat identity infrastructure as a top-tier asset, secure MFA workflows with strict verification, prioritize patching by internet exposure, hunt long-tail legacy risks, and apply enhanced monitoring to management-plane systems to focus detection on anomalous post-login behavior and reduce alert fatigue.
read more →

NCSC: Bad SOC Metrics Undermine Detection and Response

🔍 The UK National Cyber Security Centre (NCSC) cautions that many common SOC metrics are misleading and can actively harm security operations if used or reported externally. CTO Dave Chismon argues that only time to detect/time to respond (TTD/TTR) reliably demonstrates SOC effectiveness, while metrics such as ticket counts, closure times, rule counts or raw log volume create perverse incentives. He recommends red and purple team exercises to assess TTD/TTR, and suggests internal, non-public metrics — hypothesis-led hunting, strict false-positive thresholds, log coverage, tooling expertise and analyst engagement — to monitor week-by-week health without driving the wrong behaviours.
read more →

Webinar: Spotting Cyberattacks Before They Begin — Signals

🔎 Join BleepingComputer's live webinar on April 30 at 2:00 PM ET to learn how to spot early indicators of cyberattacks before they escalate. Experts from Flare Systems and threat intelligence researcher Tammy Harper will demonstrate how monitoring dark web forums, Telegram channels, vulnerability discussions, and access marketplaces surfaces actionable signals. The session will show how to separate meaningful indicators from background noise and translate intelligence into prioritized defensive actions so teams can proactively reduce risk.
read more →

Amazon CloudWatch Pipelines Adds AI-Assisted Configuration

🤖 Amazon CloudWatch pipelines now offers AI-assisted processor configuration that translates plain-language instructions into pipeline processor definitions. In the CloudWatch console, enable the AI-assisted option at the processing step, describe the transformations you need, and receive a generated processor configuration plus a sample log event to validate output before deployment. This reduces setup time and lowers the need for deep processor expertise; the feature is available at no additional cost where the service is generally available, while standard CloudWatch Logs ingestion and storage rates still apply.
read more →