Beyond the Search Bar: How the Agentic Threat Hunting Framework (ATHF) Makes Your Security Program AI-Ready
The Agentic Threat Hunting Framework (ATHF) is the memory and automation layer for your threat hunting program. It gives your hunts structure, persistence, and context – making every past investigation accessible to both humans and AI.
ATHF works with any hunting methodology (PEAK, TaHiTI, or your own process). It’s not a replacement; it’s the layer that makes your existing process AI-ready.
ATHF provides structure and persistence for threat hunting programs. It’s a markdown-based framework that:
- Documents hunts using the LOCK pattern (Learn → Observe → Check → Keep)
- Maintains a searchable repository of past investigations
- Enables AI assistants to reference your environment and previous work
- Works with any SIEM/EDR platform
- NEW: Includes AI-powered research and hypothesis generation agents (v0.3.0+)
Why ATHF Exists
Most threat hunting programs lose valuable context once a hunt ends. Notes live in Slack or tickets, queries are written once and forgotten, and lessons learned exist only in analysts’ heads. When someone asks, “Have we hunted this before?”, the answer depends entirely on who remembers.
AI tools fare no better: without access to your environment, your data, or your past hunts, they start from zero every time.
ATHF changes that by giving your hunts structure, persistence, and context – turning disjointed documentation into a foundation for memory and learning.
The Problem: Memory Loss
Without structured documentation:
- Context disappears – Hunt notes scattered across Slack, tickets, and personal notes
- Queries are forgotten – Detection logic written once, never reused or refined
- Lessons don’t transfer – Knowledge exists only in analysts’ heads
- AI starts from zero – Tools can’t learn from your environment or past hunts
- Teams repeat work – “Have we hunted this before?” depends on who remembers
The Solution: Structured Memory
ATHF provides:
- Persistent hunt records – Every investigation documented in LOCK format
- Searchable history – AI can recall past hunts and lessons learned
- Contextual awareness – Environment files make AI aware of your data sources
- Knowledge transfer – New team members see what’s been tested
- Continuous improvement – Each hunt builds on lessons from the past
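As an added example (not ATHF's own code), here is a minimal Python indexer over markdown hunt records that answers "have we hunted this before?" from past records. The record layout it assumes (a `# Hunt:` title line, a `Data sources:` line, and `## Learn/Observe/Check/Keep` headings) is an illustration of a LOCK-style file, not ATHF's actual template, and the two sample hunts are constructed.

```python
import re
LOCK_SECTIONS = ("Learn", "Observe", "Check", "Keep")
# Constructed sample records. The layout (a "# Hunt:" title, a "Data sources:"
# line, "## Learn/Observe/Check/Keep" headings) is an assumed illustration of a
# LOCK-style markdown record, not ATHF's actual template.
SAMPLE_HUNTS = {
    "hunts/H-0001.md": (
        "# Hunt: Suspicious scheduled task creation\n"
        "Data sources: EDR process events, Windows Security 4698\n"
        "## Learn\nHypothesis: persistence via schtasks from non-admin accounts.\n"
        "## Observe\nQueried 30 days of process creation for schtasks.exe.\n"
        "## Check\nTwo hits, both from the patch management service account.\n"
        "## Keep\nLesson: baseline service accounts before alerting on schtasks.\n"
    ),
    "hunts/H-0002.md": (
        "# Hunt: Anomalous OAuth consent grants\n"
        "Data sources: Entra ID audit logs\n"
        "## Learn\nHypothesis: illicit consent grants to third-party apps.\n"
        "## Observe\nReviewed consent events for apps requesting mail.read.\n"
        "## Check\nNo unexpected grants found.\n"
        "## Keep\nLesson: keep an allowlist of approved app IDs in the environment file.\n"
    ),
}

def parse_hunt(path: str, text: str) -> dict:
    """Parse one markdown hunt record into title, data sources and LOCK sections."""
    title = re.search(r"^# Hunt:[ \t]*(.+)$", text, re.M)
    sources = re.search(r"^Data sources:[ \t]*(.+)$", text, re.M)
    # re.split with a capturing group yields [preamble, name, body, name, body, ...]
    parts = re.split(r"^## (\w+)[ \t]*$", text, flags=re.M)
    sections = {n: b.strip() for n, b in zip(parts[1::2], parts[2::2]) if n in LOCK_SECTIONS}
    return {
        "path": path,
        "title": title.group(1).strip() if title else path,
        "data_sources": [s.strip() for s in sources.group(1).split(",")] if sources else [],
        "sections": sections,
        # Incomplete records are flagged rather than silently accepted.
        "missing": [s for s in LOCK_SECTIONS if s not in sections],
    }

def search_hunts(records: list, term: str) -> list:
    """Answer 'have we hunted this before?' by matching title, sources, Learn and Keep."""
    term = term.lower()
    hits = []
    for r in records:
        fields = [r["title"], *r["data_sources"],
                  r["sections"].get("Learn", ""), r["sections"].get("Keep", "")]
        if any(term in f.lower() for f in fields):
            hits.append(r["path"])
    return hits

RECORDS = [parse_hunt(p, t) for p, t in SAMPLE_HUNTS.items()]
```

Pointing `SAMPLE_HUNTS` at real files read from a hunts directory gives the same search over a team's actual history.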
The Vision: Agentic Capability
As your program matures:
- Level 1: Document hunts for human memory
- Level 2: AI reads and recalls your history
- Level 3: AI executes queries and enriches findings
- Level 4: Autonomous agents monitor and act on your behalf
The goal: Build systems that remember, learn, and support human judgment with contextual recall.
Start Small
You don’t need to implement everything at once. Start by documenting one hunt in LOCK format. Add structure. Build memory. Everything else follows naturally.
Memory is the multiplier. Agency is the force. Once your program can remember, everything else becomes possible.
Install & Use