Hacking “Analytical Amnesia”: How the ATHF Framework Gives AI a Memory for Threat Hunting
A new open-source project has emerged in the threat-hunting ecosystem, aiming to address one of the discipline’s most persistent pain points: the loss of context once an investigation is over. The Agentic Threat Hunting Framework (ATHF) presents itself as a “memory and automation layer” for threat-hunting programs. Rather than imposing a new methodology, it helps organize work so that past hunts, findings, and queries remain accessible—to both human analysts and AI assistants.
The creators of ATHF start from a familiar scenario: the hunt is finished, but the knowledge has scattered across Slack threads, ticketing systems, and analysts’ personal notes. SIEM or EDR queries are written once and forgotten, conclusions live only in people’s heads, and when team members change, hard-earned experience is often lost. With AI tools, the problem is even more pronounced: without “memory” of your environment and prior investigations, they are forced to start from scratch every time. ATHF seeks to close this gap by offering a simple documentation format and systematic cataloging of hunts, making them searchable, reviewable, and reusable.
At the core of the project is a Markdown-based approach. Hunts are written as clear, human-readable documents and stored in a repository that gradually evolves into a knowledge base. To ensure consistency, ATHF introduces the LOCK template (Learn → Observe → Check → Keep): first, context is gathered from threat intelligence, alerts, or anomalies; next, a hypothesis about adversary behavior is formulated; then the hypothesis is tested through targeted queries; and finally, results and lessons learned are recorded. The structure is intentionally simple enough for everyday use, yet formal enough for an agent or assistant to “understand” it and propose more precise checks based on historical records.
ATHF also defines five “maturity levels” of agentic threat hunting—from level zero, where everything lives in chats and fragmented notes, to advanced stages in which AI not only reads hunt histories but executes queries via integrations and, eventually, monitors and responds autonomously. The authors emphasize, however, that most teams will find the first two levels sufficient: starting with basic documentation and search across prior investigations. More advanced, fully agent-driven scenarios are optional and require time and effort to implement.
For those who want more than plain Markdown files, the project includes a CLI tool. It can be installed from PyPI as the agentic-threat-hunting-framework package, after which a workspace is initialized with athf init. From there, analysts can create new hunts, link them to MITRE ATT&CK techniques, and specify target platforms. The CLI also supports listing hunts, searching their contents, validating entries, and viewing statistics and ATT&CK coverage. At the same time, ATHF supports a “zero-install” approach: teams can simply clone the repository and start documenting hunts using the template, optionally configuring a file that describes their environment and data sources to provide context for assistants.
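To make the LOCK layout and the CLI's list, search, validate and coverage functions concrete, the following is an added example and not code from the ATHF project. It indexes two constructed Markdown hunt files held in memory; the file layout, the `Techniques:` and `Platforms:` lines and the `## Learn/Observe/Check/Keep` headings are assumptions for illustration, not ATHF's actual template.

```python
"""Added example (not ATHF's own code): a minimal hunt-memory index over
LOCK-structured Markdown hunt files. The layout, front-matter lines and
section headings used here are assumptions, not the project's format."""
import re
from dataclasses import dataclass, field

# Constructed sample hunts in the assumed format: a '# ' title line,
# a 'Techniques:' line of ATT&CK IDs, a 'Platforms:' line, then four
# '## ' LOCK sections. The second hunt deliberately lacks its Keep section.
SAMPLE_HUNTS = {
    "hunts/H-0001-safari-cookie-theft.md": """# Safari cookie collection via AppleScript
Techniques: T1539, T1059.002
Platforms: macOS

## Learn
Threat intel reports an infostealer that reads Safari cookies with osascript.

## Observe
Hypothesis: osascript launched by a non-interactive parent touches the Cookies file.

## Check
query: process_name = "osascript" AND file_path ENDS WITH "Cookies.binarycookies"

## Keep
Result: one true positive on a developer laptop. Tune: exclude the backup agent.
""",
    "hunts/H-0002-scheduled-task-persistence.md": """# Scheduled tasks created by scripting hosts
Techniques: T1053.005
Platforms: Windows

## Learn
Weekly review shows new scheduled tasks appearing outside change windows.

## Observe
Hypothesis: schtasks.exe spawned by wscript or cscript indicates script-driven persistence.

## Check
query: process_name = "schtasks.exe" AND parent_name IN ("wscript.exe", "cscript.exe")
""",
}

LOCK_SECTIONS = ("Learn", "Observe", "Check", "Keep")
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")  # T1234 or T1234.001


@dataclass
class Hunt:
    path: str
    title: str
    techniques: list
    platforms: list
    sections: dict = field(default_factory=dict)


def parse_hunt(path, text):
    """Parse one Markdown hunt (assumed layout) into a Hunt record."""
    title, techniques, platforms, sections, current = "", [], [], {}, None
    for line in text.splitlines():
        if line.startswith("# ") and not title:
            title = line[2:].strip()
        elif line.startswith("Techniques:"):
            techniques = TECHNIQUE_RE.findall(line)
        elif line.startswith("Platforms:"):
            platforms = [p.strip() for p in line.split(":", 1)[1].split(",") if p.strip()]
        elif line.startswith("## "):
            current = line[3:].strip()
            sections[current] = ""
        elif current is not None:
            sections[current] += line + "\n"
    return Hunt(path, title, techniques, platforms,
                {k: v.strip() for k, v in sections.items()})


def validate(hunt):
    """Return the LOCK sections that are missing or empty (empty list = valid)."""
    return [s for s in LOCK_SECTIONS if not hunt.sections.get(s)]


def search(hunts, term):
    """Case-insensitive search over titles and section bodies; returns matching paths."""
    term = term.lower()
    return [h.path for h in hunts
            if term in h.title.lower()
            or any(term in body.lower() for body in h.sections.values())]


def coverage(hunts):
    """Map each ATT&CK technique ID to the hunts that test it."""
    cov = {}
    for h in hunts:
        for t in h.techniques:
            cov.setdefault(t, []).append(h.path)
    return cov


def load_all(files=SAMPLE_HUNTS):
    """Load every hunt from the (constructed) file mapping, in order."""
    return [parse_hunt(p, txt) for p, txt in files.items()]


if __name__ == "__main__":
    hunts = load_all()
    for h in hunts:
        missing = validate(h)
        print(f"{h.path}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
    print("hunts mentioning osascript:", search(hunts, "osascript"))
    print("ATT&CK coverage:", coverage(hunts))
```

Run as a script it reports the second hunt as missing its Keep section, which is exactly the kind of check a validator catches before an unfinished hunt is handed to an assistant as "memory". Swapping the in-memory mapping for a directory walk over a real hunts folder is the only change needed to use it on a repository.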
A key message of ATHF is that it is not an attempt to replace analysts or to “automate everything.” Instead, the authors argue that memory is a force multiplier. When organizations stop losing knowledge to staff turnover and forgotten notes, and when AI gains context about past investigations and environmental specifics, it evolves from a guesswork chatbot into an assistant that genuinely amplifies expert capabilities. As an illustration, the repository includes an example hunt that uncovered a macOS infostealer collecting Safari cookies via AppleScript, highlighting the value of behavioral signals over purely signature-based detection.
The project is published on GitHub under the MIT license and, according to its description, is designed to work with any SIEM or EDR and alongside methodologies such as PEAK or TaHiTI. Its overarching message is deliberately pragmatic: start small—document a single hunt, give it structure, and gradually build a program “memory” that will, over time, begin working for the team itself.