The dwell time that once gave defenders room to catch up to stealthy threats is shrinking. Frontier AI models like Anthropic’s Mythos and OpenAI’s GPT-5.5-Cyber are changing what defenders and attackers can find, connect, and act on. Attackers have already been using AI to move faster across every phase of an intrusion: automating reconnaissance, accelerating lateral movement, and adapting their behavior in near real time.
At the same time, most breaches don’t start with an explosion. They start with an easily overlooked signal: a login at an odd hour, a process that runs for eleven seconds and exits cleanly, a firewall connection that looks almost like the thousand legitimate ones before it. The attacker isn’t trying to avoid your detection tools. They’ve already studied them. They know the thresholds. They stay under them on purpose.
This is the problem that traditional security operations weren’t built to solve. Alert-driven defense assumes the attacker will make enough noise to trip a wire. The most capable adversaries today have moved past that. They operate in the space between alerts, often hiding behind trusted processes, tools, and identities, and they move patiently, in ways most security teams aren’t structured to match.
That gap is exactly why Cisco Talos is expanding its threat hunting program.
The gap detection leaves behind
Threat hunting isn’t a new concept, but for most organizations it’s remained aspirational. Building an internal hunting capability requires experienced analysts, mature tooling, and enough institutional knowledge to know what “normal” actually looks like in your specific environment. That’s a significant investment, and most security teams are already stretched thin keeping up with the alert queue.
Correlation and unparalleled attention to security details are key
Stealthy tradecraft is only part of the problem. Detection has structural limits worth being honest about. Automated detection fires when confidence is high enough to justify interrupting an analyst. That’s the right call, but it means a whole class of signals never meets that bar. New techniques exist in the wild before threat intelligence catches up and makes it into production rules. Configurations shift: a rule gets loosened during troubleshooting, a sensor goes offline, a policy change creates a gap. These aren’t failures. They’re realities of operating at scale. But they create windows that a determined adversary can move through quietly.
You can’t out-react an adversary who is already inside and deliberately staying quiet. At some point, you have to go looking.
Hunting starts before a signal exists, detecting through correlation
Cisco Talos, our leading global threat intelligence organization, covers the global attack surface with visibility across 46 million sensors across 193 countries daily. The Cisco Talos Threat Hunting program takes this expansive context and combines it with Talos’s deep knowledge of Cisco products and security processes to help keep you secure. The program, originally centered on endpoint technology, will expand hunt coverage to two additional domains: network traffic through Cisco Firewall, and identity activity through Cisco Duo and Cisco Identity Intelligence.
The program uniquely offers threat hunting capabilities across three Cisco products. That’s not incidental. Talos has deep familiarity with how each one generates telemetry: the specific fields, the edge cases, the ways certain behaviors present in the data. When the hunting logic is built by people who understand the telemetry at that level of detail, the signal quality is fundamentally different.
Most organizations already aggregate data across these domains. A SIEM or XDR brings the logs together, and modern XDR platforms increasingly use frontier AI models to auto-triage and correlate events. That’s a genuine capability, and it’s getting better. But even the most sophisticated auto-triage is fundamentally responding to signals that have already been generated, prioritizing and connecting what has surfaced. Hunting starts before a signal exists. It begins with a hypothesis: given what we know about how a specific threat actor operates, what would their activity look like in this telemetry, and is it there? That’s a different posture, not a competing one. A suspicious authentication in Duo, unusual lateral movement in firewall telemetry, and an anomalous process on a server may each sit below any automated response threshold individually. Hunted together with purpose-built logic and deep knowledge of how each Cisco product generates data, they tell a coherent story about an intrusion in progress.
Operating beyond the alert queue
Talos analysts design the hunting hypotheses, the questions being asked of the data, grounded in real intelligence: what techniques active threat groups are using, what’s showing up in our incident response work, and what we’re observing across global telemetry. That knowledge comes from years of tracking specific adversaries, with human experts working from AI-driven intelligence.
Talos analysts translate those hypotheses into hunts. The AI-driven engine then executes them continuously, 24 hours a day, at a volume no analyst team could replicate manually. Its job is to surface weak signals, including those below the automated detection threshold or in the gap before a new indicator reaches production rules.
Then a Talos analyst looks. They investigate, apply context, correlate across sources, and make a determination. If Talos believes it’s something real, the customer gets a notification. Not a raw alert, but a written finding: what was observed, why it matters, how it maps to known adversary techniques, and what to do about it. A CISO reading it at 7am shouldn’t have to reverse-engineer what happened. They should be able to read it and make a decision.
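To make the two ideas above concrete, the cross-domain correlation of individually sub-threshold signals and the written finding an analyst hands over, here is a small hunt in Python. It is an added illustration, not Cisco or Talos code: the event field names, the thresholds, the user-to-workstation inventory and the sample Duo, firewall and endpoint events are all constructed for this example, and the ATT&CK mapping is an assumed one chosen for the hypothesis shown.

```python
"""Hypothesis-driven hunt over identity, network and endpoint telemetry.

Added illustration; not Cisco or Talos code. Event shapes, field names,
thresholds and the sample events below are constructed for this example.
"""
from datetime import datetime, timedelta

# --- Constructed sample telemetry: each source looks benign on its own -----
DUO_AUTH = [  # identity: successful logins; one from a never-seen device
    {"ts": "2024-05-06T02:14:00", "user": "jdoe", "result": "success",
     "device": "unenrolled-mobile", "new_device": True},
    {"ts": "2024-05-06T09:01:00", "user": "asmith", "result": "success",
     "device": "corp-laptop-17", "new_device": False},
]
FIREWALL = [  # network: allowed file-share connections; no port/volume rule fires
    {"ts": "2024-05-06T02:21:00", "src": "ws-jdoe", "dst": "fileserv01",
     "dport": 445, "action": "allow", "bytes": 12_288},
    {"ts": "2024-05-06T09:05:00", "src": "ws-asmith", "dst": "fileserv01",
     "dport": 445, "action": "allow", "bytes": 9_100},
]
ENDPOINT = [  # endpoint: a short-lived process that exits cleanly (constructed name)
    {"ts": "2024-05-06T02:22:30", "host": "fileserv01", "process": "maint.exe",
     "duration_s": 11, "exit_code": 0},
]
# Assumed asset inventory: which workstation each user normally works from.
USER_HOST = {"jdoe": "ws-jdoe", "asmith": "ws-asmith"}


def _t(s):
    return datetime.fromisoformat(s)


def hunt_new_device_to_server(duo, fw, edr, user_host,
                              window=timedelta(minutes=30), max_proc_s=60):
    """Hypothesis: a valid credential used from a never-seen device, followed
    within `window` by a file-share connection from that user's workstation,
    followed by a short-lived process on the destination server.

    None of the three links trips a single-source alert; the chain does.
    Returns one finding dict per chain observed.
    """
    findings = []
    for auth in duo:
        if auth["result"] != "success" or not auth["new_device"]:
            continue
        t0 = _t(auth["ts"])
        workstation = user_host.get(auth["user"])
        for conn in fw:
            t1 = _t(conn["ts"])
            if (conn["src"] != workstation or conn["action"] != "allow"
                    or not t0 <= t1 <= t0 + window):
                continue
            for proc in edr:
                t2 = _t(proc["ts"])
                if (proc["host"] != conn["dst"] or not t1 <= t2 <= t0 + window
                        or proc["duration_s"] > max_proc_s):
                    continue
                findings.append({
                    "user": auth["user"], "device": auth["device"],
                    "workstation": workstation, "server": proc["host"],
                    "chain": [auth, conn, proc],
                    # Assumed mapping for this hypothesis (ATT&CK tactic names).
                    "tactics": ["Initial Access", "Lateral Movement", "Execution"],
                })
    return findings


def render_finding(f):
    """Turn a finding into the written form a reader can act on directly."""
    auth, conn, proc = f["chain"]
    lines = [
        f"FINDING: possible intrusion in progress involving account {f['user']}",
        "Observed:",
        f"  {auth['ts']} Duo: {f['user']} authenticated from new device {f['device']}",
        f"  {conn['ts']} Firewall: {conn['src']} -> {conn['dst']}:{conn['dport']} allowed",
        f"  {proc['ts']} Endpoint: {proc['process']} ran {proc['duration_s']}s on "
        f"{proc['host']}, exit {proc['exit_code']}",
        "Why it matters: each event sits below its own alert threshold; together they",
        "  form a credential-use -> lateral-movement -> execution chain.",
        "Tactics: " + ", ".join(f["tactics"]),
        "Recommended: confirm the device enrollment with the user, review the session",
        f"  on {f['server']}, and reset the credential if the login is not confirmed.",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in hunt_new_device_to_server(DUO_AUTH, FIREWALL, ENDPOINT, USER_HOST):
        print(render_finding(finding))
```

The second user, asmith, performs the same file-share connection at 09:05 but from a known device, so the hunt ignores it; the hypothesis is what separates the two, not any per-source threshold.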
All these outcomes will be visible through a dedicated threat hunting portal inside Cisco Security Cloud Control, a single place to track validated findings, review hunting activity metrics, and access contextual intelligence including links to Talos blogs and non-public threat bulletins not available outside the platform. Customers also receive a private quarterly threat brief directly from Talos, a closed-door look at what the team has observed across the global threat landscape. Not a public report, not a marketing summary. The kind of direct intelligence access most organizations simply don’t have.
What partnering with us looks like for your team
For lean security teams, this delivers a hunting capability that would otherwise require significant internal investment to build. For mature SOC organizations, it covers ground your analysts aren’t currently covering or works side-by-side with your team. Whether focused on signals below the detection threshold, gaps that open during normal operations, or techniques too new to have a rule yet, it operates beyond the alert queue. With reporting and communication directly from the Cisco Talos Threat Hunting team, a true partnership builds over time to strengthen awareness of your organization’s environment and the skill sets required to address complex threats.
The threat hunting program expansion isn’t a response to a trend; it’s a response to a specific reality: attackers are harder to see, and attacks are multi-dimensional and, thanks to frontier AI, faster to execute. The operations model most organizations run wasn’t designed for both at once. If that gap is one you’re thinking about, it’s worth a conversation with your Cisco account team, or further exploring what’s possible with Cisco Talos.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.