How does AI improve the speed of threat hunting?


The introduction of LLM-powered AI SOC platforms is democratising threat hunting by breaking down the technical barriers that have historically limited it to senior analysts.

By allowing analysts to translate intent into platform-specific queries using natural, non-technical language, AI eliminates the need for specialised knowledge like Python scripting or proprietary query languages.

We know that artificial intelligence can accelerate threat hunting and open it up to a wider set of team members, but exactly how does it achieve this transformation? This article explains how.

Applied to the threat hunting process, AI can:

  1. Automate evidence gathering 
  2. Suggest where threats can be hunted
  3. Translate intent into queries
  4. Provide a reasoning layer that wasn’t there before
  5. Enable complex, always-on threat hunting

Threat hunting isn’t good enough if it is sporadic, subjective, or based on human timelines: adversaries are attacking at the speed of machines, and AI-enabled ones at that. 

Weaving AI deeply into modern threat hunting practices will not only “speed things up,” but change the expectation of threat hunting from an occasional benefit to a constant, standard practice.

1. Automating Evidence Gathering (& Saving SOC Cycles)

At the start of a threat hunt, one looming barrier stands in the way: gathering evidence. For the typical SOC, this means toggling between a half dozen tools, taking screenshots, and compiling the case.

With AI, security operations automation becomes a reality. As leading AI SOC platform company Prophet Security explains, “Once a hunt starts, [an AI SOC solution] pulls logs, events, and metadata from integrated sources without requiring the analyst to query each one manually.” 

Without AI, this process can take up to an hour of manual investigative querying alone, across SIEM, EDR, email, IAM and other sources. With AI, that timeline is reduced to less than 20 minutes.

2. Suggesting Threat Hunts: Getting to What Matters

However, before evidence can even be gathered, analysts need to know what they’re hunting: the hypothesis. 

Not all SOCs are equipped with the same technical expertise or the same amount of time to do a hunt. Today, threat hunting is either a proactive measure, something done to stay ahead of threats missed by detection rules and practised as a hygienic best practice, or a strictly reactive procedure within the incident response process, typically done in response to a recent breach or an upcoming audit.

Either way, feeling ahead of the game or behind it still makes threat hunting seem “special.” The end goal is to make it seem standard.

And neither scenario leaves hunters with all that much time to carefully choose where to start, or what to pursue. With so many possible signals, any one of them could lead to a wider issue – or to a dead end. Getting hours into a hunt only to realise the road leads nowhere is a waste of time and money, and every threat hunter knows the feeling.

AI can suggest the threats worth hunting before anyone even starts looking at the signals. By ingesting telemetry from across all integrated tools (EDR, identity logs, network traffic, SIEM), it creates a baseline of normal behaviour. 

When something deviates from normal behaviour, it can go one step further by mapping the deviation to known attacker techniques (MITRE ATT&CK), and then form a hypothesis about what could be wrong.

Most importantly, not all hypotheses are created equal. AI knows this. It ranks hypotheses by criticality (asset criticality, privilege level, likelihood) and presents hunters with a ranked list: not a best-guess, intuition-inspired direction. 

Then, all analysts have to do is ask the right questions.

3. Translating Intent into Queries: No Coding Required

Currently, when analysts want to query systems, they have to speak the respective language. With AI, Large Language Models (LLMs) do this technical heavy lifting for threat hunters. In an AI SOC, even a junior analyst can type in a simple request:

“Where else across the environment was this (flagged) IP seen?”

And AI will use natural language processing to translate the plain-language question into platform-specific query languages (SQL, SPL, KQL): no technical interface required. No manual coding. This not only makes “every analyst a threat hunter,” thereby speeding up how many threat hunts can be performed, but it also makes each hunt faster.

Senior analysts can skip the long query strings, the review-and-edit cycles, and the learning curve of each search language; instead, they can focus on the actual “thinking” part of threat hunting.

Increasingly, AI is doing even that, too.
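The intent-to-query step above, as an added example that is not code from the article or from any AI SOC product: a plain-language question such as “Where else across the environment was this IP seen?” is matched to a named intent, the indicator is extracted and validated, and only then is it placed into SPL, KQL and SQL templates. The field names (`src_ip`, `dest_ip`, `events`) are assumptions; the caveat the example carries is that a generated query should be built from a validated parameter, with the SQL form handed to the driver as a bound parameter rather than string-concatenated.

```python
import ipaddress
import re

# Intent patterns (constructed for this example): a plain-language question -> a named intent
INTENTS = {
    "ip_sightings": re.compile(r"where\s+(else\s+)?.*\bip\b.*\bseen\b", re.IGNORECASE),
}
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Field and table names are assumptions for this example; real platforms use data-model or table-specific names
TEMPLATES = {
    "ip_sightings": {
        "spl": 'index=* (src_ip="{ip}" OR dest_ip="{ip}") | stats count by index, sourcetype, host',
        "kql": 'search "{ip}" | summarize count() by $table',
        "sql": ("SELECT source, host, COUNT(*) AS n FROM events WHERE src_ip = ? OR dest_ip = ? "
                "GROUP BY source, host"),
    },
}


def extract_ip(question):
    """Pull the indicator out of the question and validate it before it goes anywhere near a query."""
    m = IPV4.search(question)
    if not m:
        raise ValueError("no IPv4 address found in question")
    try:
        return str(ipaddress.IPv4Address(m.group(0)))  # rejects malformed values such as 999.1.1.1
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"invalid IPv4 address: {m.group(0)}") from exc


def translate(question):
    """Map a plain-language question to platform-specific queries built from a validated parameter."""
    intent = next((name for name, pat in INTENTS.items() if pat.search(question)), None)
    if intent is None:
        raise ValueError("unsupported intent")
    ip = extract_ip(question)
    t = TEMPLATES[intent]
    return {
        "intent": intent,
        "indicator": ip,
        "spl": t["spl"].format(ip=ip),
        "kql": t["kql"].format(ip=ip),
        "sql": (t["sql"], (ip, ip)),  # parameterised: the driver binds the values, never string-concatenated
    }


if __name__ == "__main__":
    for platform, q in translate("Where else across the environment was this IP 198.51.100.7 seen?").items():
        print(platform, q)
```

An LLM front end would replace the regex intent table with a model call, but the validation and parameterisation after that call are the part worth keeping regardless of how the intent is recognised.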

4. Providing Additional Reasoning, At Machine Speed

Automation-only tools (SOAR, XDR) may correlate events, but the best AI SOC platforms tell analysts why they happened. Agentic AI is behind that. 

With this additional reasoning layer, analysts can move more quickly and confidently through hunts, having a built-in backup “brain” at each step.

Agentic AI constructs dynamic attack narratives, building an attack graph across users, hosts, processes, and network connections. It processes and correlates context, tying it into the broader story. 

After mapping to MITRE ATT&CK, it can show analysts:

  1. A timeline of the attack
  2. A likely attack path
  3. Any missing steps

These missing steps are where threat hunters fill in. It takes teams from raw logs to the structured intent of the attacker, bypassing hours of analysis, toggling, and piecing together clues along the way.

Now, instead of “Suspicious PowerShell execution” alerts, teams get something like: “Suspicious PowerShell on a domain controller by a rarely used admin account after anomalous login.”

Starting there means starting with a significant head start. 
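The attack-narrative construction described in this section, as an added example that is not code from the article or from any vendor: constructed logon and process events are correlated into a small graph over users, hosts and processes, mapped to ATT&CK tactics and techniques, and turned into a timeline, a likely path, the tactics in the chain that no event covers (the “missing steps” hunters fill in), and a context-enriched headline of the kind quoted above. The asset roles, admin list, 30-day logon counts, known source addresses and thresholds are all assumptions; the IP addresses are documentation ranges.

```python
from dataclasses import dataclass

# Assumed context (constructed for this example): asset inventory, IAM and a 30-day logon baseline
ASSET_ROLE = {"dc-01": "domain controller", "fs-01": "file server", "ws-07": "workstation"}
HOST_IP = {"dc-01": "10.0.1.10", "fs-01": "10.0.1.20", "ws-07": "10.0.4.21"}
ADMIN_ACCOUNTS = {"adm_backup", "adm_alice"}
LOGONS_LAST_30D = {"adm_backup": 1, "adm_alice": 120, "bob": 400}
KNOWN_SOURCES = {"10.0.4.21", "10.0.4.22"}  # VPN concentrator / jump host addresses seen before
RARE_THRESHOLD = 5

# Enterprise ATT&CK tactics from Initial Access onward, in kill-chain order, used to find gaps
TACTIC_ORDER = ["initial-access", "execution", "persistence", "privilege-escalation",
                "defense-evasion", "credential-access", "discovery", "lateral-movement",
                "collection", "command-and-control", "exfiltration", "impact"]

# Constructed raw events, already sorted by time (HH:MM)
EVENTS = [
    {"t": "03:12", "type": "logon", "user": "adm_backup", "host": "dc-01", "src_ip": "203.0.113.5"},
    {"t": "03:14", "type": "process", "user": "adm_backup", "host": "dc-01", "image": "powershell.exe"},
    {"t": "03:20", "type": "logon", "user": "adm_backup", "host": "fs-01", "src_ip": "10.0.1.10"},
    {"t": "09:00", "type": "logon", "user": "bob", "host": "ws-07", "src_ip": "10.0.4.22"},
]


@dataclass
class Step:
    t: str
    tactic: str
    technique: str
    user: str
    host: str
    src: str
    detail: str


def classify(events):
    """Keep only anomalous events, map each to an ATT&CK tactic/technique and record graph edges."""
    ip_to_host = {ip: h for h, ip in HOST_IP.items()}
    steps, edges, flagged = [], [], set()
    for e in events:
        user, host = e["user"], e["host"]
        if e["type"] == "logon":
            src = e["src_ip"]
            if src in ip_to_host:  # internal host-to-host logon
                if user in flagged:
                    src_host = ip_to_host[src]
                    steps.append(Step(e["t"], "lateral-movement", "T1021", user, host, src,
                                      f"{user} logged on to {host} from {src_host}"))
                    edges.append((src_host, host, "moved-to"))
            elif src not in KNOWN_SOURCES:  # external source never seen before
                steps.append(Step(e["t"], "initial-access", "T1078", user, host, src,
                                  f"{user} logged on to {host} from never-seen source {src}"))
                flagged.add(user)
                edges.append((user, host, "logged-on"))
        elif e["type"] == "process" and e["image"].lower() == "powershell.exe":
            if user in flagged or ASSET_ROLE.get(host) == "domain controller":
                steps.append(Step(e["t"], "execution", "T1059.001", user, host, "",
                                  f"{user} ran {e['image']} on {host}"))
                edges.append((host, e["image"], "executed"))
    return steps, edges


def missing_tactics(steps):
    """Tactics between the earliest and latest observed ones that no event covers: that is where to hunt."""
    seen = {s.tactic for s in steps}
    if not seen:
        return []
    idx = [TACTIC_ORDER.index(t) for t in seen]
    return [t for t in TACTIC_ORDER[min(idx):max(idx) + 1] if t not in seen]


def headline(steps):
    """Replace 'Suspicious PowerShell execution' with the context an analyst would otherwise assemble by hand."""
    exe = next((s for s in steps if s.technique == "T1059.001"), None)
    if exe is None:
        return ""
    parts = [f"Suspicious PowerShell on a {ASSET_ROLE.get(exe.host, 'host')} ({exe.host})"]
    n = LOGONS_LAST_30D.get(exe.user, 0)
    if exe.user in ADMIN_ACCOUNTS and n < RARE_THRESHOLD:
        parts.append(f"by rarely used admin account ({exe.user}, {n} logon(s) in the last 30 days)")
    else:
        parts.append(f"by {exe.user}")
    entry = next((s for s in steps if s.technique == "T1078" and s.user == exe.user and s.t < exe.t), None)
    if entry:
        parts.append(f"after anomalous login from {entry.src}")
    return " ".join(parts)


def analyze(events):
    """Timeline, likely path, missing steps and enriched headline for a set of events."""
    steps, edges = classify(events)
    return {
        "headline": headline(steps),
        "timeline": [f"{s.t} {s.technique:<9} {s.detail}" for s in steps],
        "path": [s.technique for s in steps],
        "missing": missing_tactics(steps),
        "edges": edges,
    }


if __name__ == "__main__":
    result = analyze(EVENTS)
    print(result["headline"])
    print("\n".join(result["timeline"]))
    print("likely path:", " -> ".join(result["path"]))
    print("hunt for:", ", ".join(result["missing"]))
```

The gap list is deliberately literal: an observed chain of Valid Accounts, PowerShell execution and lateral movement leaves persistence, privilege escalation, defence evasion, credential access and discovery unobserved, so those are the tactics the hunter checks for next rather than re-reading the three events the tool already correlated.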

5. Enabling Complex, Always-On Threat Hunting for Max Coverage

Another reason threat hunting with AI is faster than threat hunting without it is that AI never tires. In traditional setups, humans are the head, foot, and tail of threat hunts. They might operate automated tools, but things don’t happen until they’re at the controls.

While most SOCs run 24/7, small teams and even large enterprises understand how hard (and costly) that can be. Your 3 am threat hunting team is not going to be as sharp, savvy, or awake as your 9 am team.

Or, as AI.

AI-enabled threat hunting through an AI SOC means vigilance that never sleeps, tires, or makes mistakes out of exhaustion. Its attention is never taxed, so it helps surface signals that might otherwise be overlooked.

Speed Becomes Consistency

AI makes threat hunting faster. And when things are done faster, they can be done more often.

This benefits large enterprises, who, even at their best, may only conduct threat hunting once a week (or once a day for elite achievers).

This benefits mid-tier organisations that hover somewhere between quarterly threat hunts and event-based threat hunts: trying to stay on top of things but having to split analysts between proactive activities and daily tasks.

And it benefits the smallest companies that struggle to even staff a SOC, much less a SOC full of experienced threat hunters.

For all these teams, AI gives them something they never had: round-the-clock threat hunting, done at machine speed, and proactive security that comes standard. 

The Takeaway: At a time when AI-driven threats never sleep, AI-driven threat hunting is more than a nice recommendation. It is the new norm for organisations that understand AI attackers aren’t playing by traditional detection rules, and that they will increasingly be found only via ongoing, AI-powered threat hunts. 


Major UK restaurant chain rescued amid £37m debt administration


Las Iguanas, which runs 44 sites across the country but none currently in Oxfordshire, had warned it would “inevitably enter administration” if the deal was not sanctioned.

It previously operated an Oxford branch in Park End Street, which closed back in June 2017, leaving the county without any of the group’s Latin American-themed restaurants.

The chain is owned by Iguanas Holdings Ltd, a subsidiary of The Big Table Group, which also sits behind several familiar high-street brands including Frankie & Benny’s, Bella Italia and Banana Tree.


In May, the company confirmed it had gone to court to seek approval for a restructuring plan intended to deal with its heavy debt pile.

At the time, bosses said that, without the move, the business would not be able to continue trading and would be forced into administration.

The court has now backed the plan, allowing around £37 million of debts to be cancelled or compromised and giving the chain a financial lifeline.

As part of the rescue, The Big Table Group is injecting £3 million of new funding into the business as part of a wider turnaround strategy.


The deal also paves the way for reduced rents at certain sites and agreements with landlords on some outstanding sums, easing pressure on the company’s day‑to‑day cash flow.

Mr Justice Meade approved the scheme at a hearing in London, clearing the way for the restaurant operator to avoid collapse and continue trading.

The group has stressed that the restructuring relates only to the legal entity that holds the chain’s property leases and related costs, and does not involve the wider Big Table business, its suppliers, its employees or any of its other brands.

All 44 restaurants are continuing to operate as normal while the rescue plan is implemented, with the company presenting the deal as a way to secure the long‑term future of the brand and safeguard sites and jobs.


SSEN Transmission joins European cyber security network

SSEN Transmission has joined the European Network for Cyber Security as an Information & Knowledge Sharing member, bringing a major UK electricity transmission operator into a European cybersecurity network for critical infrastructure.

The membership gives SSEN Transmission access to ENCS research, technical documentation and knowledge-sharing with European transmission and distribution system operators. Key areas include testing, operational technology security operations and the development of cybersecurity practices for grid infrastructure.

SSEN Transmission operates the high-voltage electricity transmission network across the north of Scotland. Its network covers more than a quarter of the UK’s land mass and includes substations, overhead lines, underground cables and subsea cables.

The decision comes as cyber threats to essential services face growing scrutiny from governments and operators. The UK National Cyber Security Centre reported 204 nationally significant cyber incidents in the year to August 2025, up 130% on the previous year, including cases affecting critical infrastructure.

Shared concerns

ENCS is a non-profit membership organisation that works with critical infrastructure groups and security specialists across Europe. Founded in 2012, it supports members through applied research, technical security requirements, testing, education and training.

Its network includes transmission system operators, distribution system operators and regulators. By joining as an Information & Knowledge Sharing member, SSEN Transmission is entering a forum focused on common cybersecurity issues across energy networks, rather than a bilateral arrangement with a single partner.

That matters because electricity operators increasingly face similar challenges across borders, especially in the operational technology environments that underpin power networks. Utilities must also respond to a regulatory climate in the UK and EU that places greater emphasis on secure systems and formal cybersecurity practices.

“Cybersecurity is a shared challenge across Europe’s energy sector, and collaboration is fundamental to staying ahead of evolving threats,” said Anjos Nijk, Managing Director of ENCS.

“Across both the UK and EU, regulatory frameworks place clear requirements on investment in robust security practices and secure systems. We are pleased to welcome SSEN Transmission to ENCS and strengthen cooperation across the sector,” Nijk said.

Cross-border work

For SSEN Transmission, the arrangement broadens the expertise available to its operational technology and cyber teams. The company is in the middle of a wider investment and build-out programme tied to the electricity network in northern Scotland, where infrastructure upgrades are closely linked to reliability and the transmission of power over long distances.

Operational technology security has become a particular concern for energy operators because these systems control physical assets and industrial processes. Disruption in these environments can have consequences beyond data loss, affecting electricity flows and service continuity.

Participation in the ENCS network will help the UK operator look beyond domestic peers and compare approaches with companies across Europe. That includes exchanging practical experience on security operations and learning from work already carried out elsewhere in the sector.

“Joining ENCS provides an opportunity to collaborate with peers across Europe at a time when regulatory expectations around energy network cybersecurity continue to evolve. With the growth journey that SSEN Transmission is undertaking, it is vital that we look beyond our UK peers to ensure we are tapping into best practice across the continent to solve the shared problems and escalating cyber threats we face as operators of essential services,” said Iain Dougan, Head of Operational Technology and Cyber at SSEN Transmission.

The announcement also points to closer links between UK and European operators on cybersecurity despite differing national systems and regulatory structures. Grid operators often face the same technical risks in industrial control systems, supply chains and field equipment, making sector-wide exchanges valuable even when assets remain nationally owned and managed.

For ENCS, adding a large British transmission operator extends its reach into a strategically significant part of the European energy system for electricity transmission and offshore network development. For SSEN Transmission, the membership places it inside an established network focused on the cybersecurity of critical energy infrastructure.

The backdrop remains a rise in serious cyber incidents affecting organisations that run essential services, with the UK recording 204 nationally significant cases in the year to August 2025.


Oxfordshire village shop and cafe finalist in national award

Kirtlington Community Shop and Cafe is currently under construction, after a community share offer running since 2020 raised the funds for the purpose-built business in the village west of Bicester.

Already the project is gaining recognition, as it has been shortlisted as a finalist for the Rural Community Business Awards 2026.


The annual awards, sponsored by Lands Improvement and hosted by Woodstock-based charity Plunkett UK, have named the rural businesses in the ‘One To Watch’ category.

Photo caption: Construction of Kirtlington Community Shop and Cafe is currently underway (Image: Amanda Deadman Photography)

Celia Hawkesworth, chair of the management committee for the new shop, said: “We’re thrilled to be one of the finalists in the ‘One To Watch’ category.

“We’ve been working hard on this project since 2020, and it’s an honour to be recognised alongside the best community-owned businesses when we’ve barely got started.

“Exciting times are ahead as we work towards opening our new shop and cafe later in the summer.”

Photo caption: Construction is underway at Kirtlington Community Shop and Cafe (Image: Amanda Deadman Photography)

Locals came together after the village’s shop closed in 2020, and since then successfully raised £233,500 towards the £275,000 target funds needed for the project.

This includes £180,000 raised through a community share offer, meaning villagers have personally invested in the scheme.


A ground-breaking ceremony was held on April 10 this year to mark the beginning of construction of the much-wanted community shop and cafe.

Photo caption: The ground-breaking event of Kirtlington Community Shop and Cafe in April (Image: Amanda Deadman Photography)

The new shop and cafe, designed to bring services ‘back to the heart of the community’, will be housed in a purpose-built, energy-efficient building next to the village hall.

Plunkett UK, a national charity which supports people in rural areas to set up and run a wide range of businesses in community ownership, provided the village group with ‘invaluable’ advice, according to the committee chair.

The charity’s vision is to create resilient, thriving and inclusive rural communities by extending the number of democratic, community-owned businesses beyond the more than 850 already operating in the UK.

Photo caption: Construction is underway at Kirtlington Community Shop and Cafe (Image: Amanda Deadman Photography)

Its Rural Community Business Awards celebrate businesses that contribute to their areas across nine different categories, from the ‘going green’ award to ‘team spirit’ and ‘young person’.


Sarah Benn, Relationships Team Leader at Plunkett UK, said: “It has been inspiring to see so many people nominate their local community-owned businesses, truly emphasising the significant role they play in their communities.

“We celebrate the considerable impact each one is making in its local area and we are looking forward to next month’s awards event when the winners are announced.”

The award ceremony will take place at The Royal Society of Chemistry in London on Thursday, July 2.

The Kirtlington Community Shop and Cafe is expected to open later in the summer.
