Why I Joined Nebulock

Written by Justin Swisher | August 13, 2025

I’ve been in cybersecurity for roughly 15 years, and throughout that time I’ve worked in network security, endpoint security, threat intelligence, and threat hunting. I’ve worked for vendors, helping clients implement products and develop workflows and processes. I’ve also worked for large organizations, gaining experience and knowledge around the challenges they face on a daily basis. The breadth of my experiences has provided me with an excellent foundation for building threat hunting techniques, processes, and eventually programs. My most recent role was at a large organization, working with a team to revamp their threat hunting operations.

Over those 15 years, threat hunting has undergone changes in definition, scope, tooling, and even skill levels. However, at its core, threat hunting still remains a proactive effort to identify malicious activity that has bypassed current security monitoring and controls. Though the source, volume, and structure of the data have changed over time, the need for human threat hunters to collect and analyze that data has not. From NSM to EDR to SaaS, no matter the source, it still required a human to determine the intent behind the activity uncovered in the logs. As I’ve worked with threat hunting programs in multiple organizations, the challenges I observed typically revolved around these 3 points:

  1. Not enough experienced folks on the team to conduct threat hunting in a timely manner at scale
  2. Overwhelming amounts of data from a variety of sources, often including new sources unfamiliar to the threat hunters
  3. Lack of established processes for distributing analysis and retaining knowledge

I once considered myself an “old man who yells at the cloud” when it comes to AI and its role in cybersecurity. I’ve been slow to accept it, even slower to leverage it, and very wary of the claims made about its utility. I’ve been around long enough to remember sayings such as “NSM is dead”, “The end of SIEM”, and many other acronyms meeting their demise. So when I initially connected with Nebulock regarding what is now my current role, I was a little suspicious. Their goal of augmenting threat hunting for small- to medium-sized organizations aligned with my desire to see more folks being proactive in their security programs, but I wondered about the longevity, practicality, and effectiveness of leveraging AI in this space.

Having been here for a little over 6 months, I can say with relative certainty that those concerns have been addressed. Working with younger folks who actively embrace AI tools like Claude, ChatGPT, and Perplexity has taught me that these tools do have a place in cybersecurity. Nebulock has also focused its work to support and enable threat hunters, not replace them. This goal was, and still is, very important to me. Because we face human adversaries leveraging their own tools to access, persist, and impact targets, it is imperative that we do not discount the need for humans on the defensive side. Nebulock is building a platform to enable threat hunters to augment their work with AI agents via:

  • Continuous data collection
  • Statistical analysis and signal generation
  • Context and content summarization
  • Rapid translation from hypothesis to detection coverage
  • Informed incident response

These agents will assist humans in closing the loop from hunt idea to coverage strategy in a timely and efficient manner. Instead of repeating hunts at long intervals, forcing hunters to duplicate work by re-learning the context of the hunt, the Nebulock platform allows them to quickly validate hunt hypotheses and deploy them as triggers to ensure continuous coverage. The Nebulock platform seeks to address the pain points from above with the following:

| Problem | Nebulock Solution |
| --- | --- |
| Not enough experienced folks on the team to conduct threat hunting in a timely manner at scale | By shortening time to collect, enrich, and present data, threat hunters can conduct more frequent hunts at a regular cadence |
| Overwhelming amounts of data from a variety of sources, often including new sources unfamiliar to the threat hunters | AI agents can efficiently summarize datasets, including new sources, to accelerate threat hunters integrating unfamiliar data |
| Lack of established processes for distributing analysis and retaining knowledge | Storage of hunt outputs in a structured knowledge system that seeks to continuously improve by training agents to identify malicious patterns |

Ultimately, my decision to join Nebulock wasn't just about a job; it was about joining a great team in working towards a mission I care deeply about. In the last 6 months I’ve spent time with design partners, working closely with them to understand their needs and integrate their feedback into the platform. These conversations have underscored the necessity for threat hunting, and a platform that will empower organizations to achieve a proactive security posture with their existing resources. I’m excited for what the future holds for the Nebulock team and our customers!