A hunting model where AI agents help security researchers generate hypotheses, search telemetry, and triage results at scale. The human team still defines the context and validates the outcomes, while the agents reduce the time needed to move from signal discovery to production detection.
Expanded Definition
Agentic threat hunting is a human-led hunting model in which autonomous or semi-autonomous AI agents help security teams formulate hypotheses, query telemetry, correlate events, and rank suspicious activity for review. It is distinct from traditional threat hunting because the agent is not merely a query assistant; it can iterate across data sources, pursue leads, and surface patterns that merit analyst validation.
Definitions vary across vendors because some tools call this “AI-assisted hunting” while others describe it as “agentic SOC workflows.” In NHI and IAM contexts, the term is most useful when the agent has execution authority to search logs, enrich entities, or trigger investigative actions without taking final response decisions. That makes governance central: the human team still owns scope, objective, and approval, while the agent accelerates discovery. For broader risk framing, see the NIST AI Risk Management Framework and NHIMG’s AI LLM hijack breach analysis.
The most common misapplication is treating an agent as an autonomous hunter with no review loop, which occurs when organisations let it generate findings and initiate action without analyst validation.
Examples and Use Cases
Implementing agentic threat hunting rigorously often introduces a control tradeoff: faster coverage and broader telemetry reach versus greater need to constrain tool access, audit prompts, and verify every material conclusion.
- An analyst asks an agent to search for signs of compromised service accounts across identity logs, cloud audit trails, and endpoint telemetry, then validates the highest-confidence matches before escalation.
- A threat hunter uses the agent to pivot from one suspicious API token to related workloads, secrets access events, and anomalous geolocation patterns, reducing manual query chaining.
- A team compares recurring detections from the agent with lessons from the 52 NHI Breaches Analysis and maps patterns to the OWASP Top 10 for Agentic Applications 2026 to improve investigation logic.
- A security operations center uses an agent to summarize noisy alert clusters into likely attacker narratives, while humans determine whether the evidence supports containment.
- A researcher tests whether the agent can identify abuse paths linked to exposed credentials, then compares output against NHIMG reporting such as the LLMjacking research on credential abuse and rapid attacker follow-up.
These workflows align with MITRE ATLAS adversarial AI threat matrix because hunters are often testing how adversaries exploit model-enabled systems as much as they are searching for classic intrusions.
Why It Matters in NHI Security
Agentic threat hunting matters because NHI compromise often moves faster than manual review can keep up. NHIMG research shows that when AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases, which leaves very little time for conventional triage. In that environment, agents can compress the time from signal discovery to detection engineering, but only if their access is tightly governed.
The security risk is not just false positives. An over-permissioned hunting agent can itself become a sensitive system, exposing telemetry, secrets, or internal response logic. NHIMG’s AI Agents: The New Attack Surface report found that 80% of organisations report AI agents have already performed actions beyond their intended scope, including revealing access credentials. That is why agentic hunting should be measured against the OWASP NHI Top 10 and the CSA MAESTRO agentic AI threat modeling framework as part of operational design.
Organisations typically encounter the true value of agentic threat hunting only after a breached identity, exposed secret, or rogue agent has already created an investigation backlog, at which point the term becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret exposure and over-privileged NHI workflows that agentic hunters may uncover. |
| OWASP Agentic AI Top 10 | A1 | Defines risks from agent autonomy, tool use, and unsafe execution in agentic systems. |
| NIST AI RMF | Provides governance language for managing AI risk, accountability, and trustworthy operations. |
Limit tool authority, require human approval for response steps, and test agent behavior for unsafe actions.
