Threat hunting is a critical, proactive strategy to uncover hidden threats and drive security improvement, yet security teams are busy, and even the most seasoned hunters face time and resource constraints.
Hunt preparation is a particularly crucial hunting phase involving deep research into threat actors, techniques, and internal security data. However, it's often time-consuming, tedious, and, let's be honest, sometimes skipped or abbreviated. The result? Hunts that are less effective, inconsistent, and fail to deliver maximum value.
At SURGe by Cisco Foundation AI, we believe in empowering defenders with cutting-edge technology. That's why we're thrilled to announce the release of The PEAK Threat Hunting Assistant, an innovative, open-source tool designed to transform and accelerate the research and planning of hypothesis-driven threat hunts. Much like our previous work exploring agentic AI, this project is designed to experiment with the practical implementation of agents to assist security practitioners in a real-world scenario.
The Challenge: Research Overload in Threat Hunting
The PEAK Threat Hunting Framework, which we introduced two years ago, provides a structured, vendor-agnostic approach to hunting, emphasizing three phases: Prepare, Execute, and Act, with Knowledge being a crucial component of each. While the framework itself offers invaluable guidance, the initial research and planning within the "Prepare" phase can be a significant hurdle. Threat hunters must:
- Research complex threat actor behaviors and techniques.
- Scour public sources for the latest intelligence.
- Dig through internal wikis, incident tickets, and threat intelligence databases.
- Identify relevant data sources within their SIEM.
- Determine which analysis technique(s) to use with their data to support or refute their hunting hypothesis.
This deep dive is essential for crafting effective hunt hypotheses and plans, but it can be a bottleneck, leading to fatigue and overload even before the hunt begins.
The Solution: An Intelligent, Agentic Assistant
The PEAK Threat Hunting Assistant is a game-changer for those struggling to find the time to properly research and plan their hunts. Leveraging intelligent agentic AI, it acts as your personal research analyst, gathering and synthesizing vast amounts of information to provide you with a tailored, actionable hunt plan in minutes rather than hours or days. This isn't just automation; it's about intelligent assistance that works with the human hunter.
Specifically, the PEAK Assistant uses teams of agents to assist with the following tasks:
- Internet-based public research on threat actors, tactics, and techniques
- Private research through your own security data to incorporate your organization's prior experiences with the subject of your hunt
- Hypothesis generation and refinement
- Scoping via the PEAK ABLE table
- Automated discovery of relevant SIEM data
- Generation of a customized step-by-step hunting plan, with sample queries and interpretation guidance built in
How it Works: Agentic AI with Human-in-the-Loop Control
At its core, the PEAK Assistant is an agentic AI system created by threat hunters for threat hunters. It goes beyond simple Large Language Model (LLM) calls and is designed around teams of cooperating agents capable of goal-directed reasoning, tool use, and automated feedback loops.
A key design principle is human-in-the-loop feedback. You can "chat" with the PEAK Assistant at any point to guide its research, clarify findings, or incorporate requirements unique to your organization. This ensures the output is always relevant and aligned with your specific hunting objectives and environment.
Flexibility: The Key to AI Success
At Cisco Foundation AI, we believe flexibility and user choice are among the keys to successful AI deployment, and this is especially true for cybersecurity applications. The PEAK Assistant is designed to provide the maximum amount of flexibility when it comes to both model choice and data access.
Bring Your Own Models (BYOM)
Our "bring-your-own-models" approach means users can integrate their preferred LLMs, including Cisco Foundation AI's own open-source, security-focused Foundation-Sec-8b-Instruct model. This flexibility allows for fine-grained control. You can easily switch from one LLM (or one provider) to another at any time, using the same model for all agentic tasks.
You can even mix and match models from multiple providers, assigning specific LLMs to different tasks or data types. For example, some agents may benefit from deeper reasoning, even though a reasoning model is slower and more expensive; assigning one only to those specific tasks might make a lot of sense.
With our BYOM approach, you are free to choose whichever combination of models gives you the best results, meets your AI usage policies, and fits your budget.
User-Provided MCP Servers
The PEAK Assistant is built for data flexibility, too. Rather than hard-coding support for specific data sources and SIEMs, it relies on user-configured MCP (Model Context Protocol) servers for data operations:
- Internet Research: Queries public sources for the latest threat intelligence. You provide the MCP server for internet search, ensuring you control the external data access.
- Local Security Data: Crucially, the PEAK Assistant can access your internal data sources like incident tickets, hunting wikis, and private threat intelligence databases. To prevent sensitive data leakage, the PEAK Assistant uses a separate team of agents for local data access. You provide the MCP access to these local sources, maintaining strict data governance.
- SIEM Data Discovery and Searches: This is where the PEAK Assistant truly shines in tailoring the hunt to your environment. It can query your existing SIEM to automatically identify relevant data sources and fields. This is invaluable for navigating unfamiliar environments, such as during a merger or acquisition, or for an MSSP onboarding a new customer. While you can provide "hints" with prior knowledge, the PEAK Assistant can discover these details itself.
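The separation described above, where internet-facing agents and local-data agents are distinct teams with distinct MCP servers, is a least-privilege pattern worth making concrete. The following is an added illustrative sketch, not the PEAK Assistant's own code; the server names, team names, tool names and the `ToolRouter` class are all hypothetical and the MCP registry is a constructed stand-in. It shows each team being offered only the tools of its allowlisted servers, and findings from internal teams being blocked from flowing to the internet-facing team, with every denial recorded for audit.

```python
# Hypothetical per-team MCP allowlisting with provenance checks (not the project's code).
from dataclasses import dataclass, field

# Constructed stand-in for user-configured MCP servers and the tools each exposes.
MCP_SERVERS = {
    "web_search": {"search_web"},                            # public internet research
    "ticketing": {"search_tickets"},                         # internal incident tickets
    "hunt_wiki": {"search_wiki"},                            # internal hunting wiki
    "siem": {"list_indexes", "list_fields", "run_query"},    # SIEM discovery and search
}

# Which servers each agent team may use: only the local team reaches internal data.
TEAM_SERVERS = {
    "internet_research": {"web_search"},
    "local_research": {"ticketing", "hunt_wiki"},
    "siem_discovery": {"siem"},
}

# Teams whose findings must never be handed to an internet-facing team.
INTERNAL_TEAMS = {"local_research", "siem_discovery"}
EXTERNAL_TEAMS = {"internet_research"}


@dataclass
class Finding:
    origin_team: str
    text: str


@dataclass
class ToolRouter:
    audit_log: list = field(default_factory=list)

    def visible_tools(self, team: str) -> set[str]:
        """The only tools an agent team is offered: those of its allowlisted servers."""
        return {t for s in TEAM_SERVERS.get(team, set()) for t in MCP_SERVERS[s]}

    def dispatch(self, team: str, tool: str, args: dict) -> str:
        """Route a tool call, denying anything outside the team's allowlist."""
        if tool not in self.visible_tools(team):
            self.audit_log.append(("DENY", team, tool))
            raise PermissionError(f"{team} may not call {tool}")
        self.audit_log.append(("ALLOW", team, tool))
        return f"{tool}({sorted(args.items())})"  # stand-in for the real MCP call

    def handoff(self, finding: Finding, to_team: str) -> Finding:
        """Pass a finding between teams; internal findings never reach external teams."""
        if finding.origin_team in INTERNAL_TEAMS and to_team in EXTERNAL_TEAMS:
            self.audit_log.append(("DENY_HANDOFF", finding.origin_team, to_team))
            raise PermissionError("internal finding may not flow to an internet-facing team")
        self.audit_log.append(("HANDOFF", finding.origin_team, to_team))
        return finding
```

The audit log is the detection hook: a `DENY` or `DENY_HANDOFF` entry means an agent attempted to reach data outside its remit and is worth reviewing.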
Comprehensive and Actionable Output
The PEAK Assistant doesn't just dump raw data. It intelligently processes and presents the gathered information in structured, easy-to-digest reports:
- Internet Research Summary Report: This detailed report explains the threat actor or technique (in plain language), why it's used, how it works, what log sources are relevant for hunting it, and details of any published detections or previous hunts.
- Local Data Research Report: A separate report compiles insights from your internal data, highlighting previous interactions with threat actors, past incidents involving specific techniques, or relevant internal threat intelligence. This ensures all available knowledge is leveraged without compromising data security.
- Custom Hunt Plan: The culmination of the PEAK Assistant's work is a custom hunt plan, meticulously tailored to your hypothesis, your available data, and your computing environment. This plan includes step-by-step directions with real SIEM queries and clear guidance on how to interpret the outputs of each step.
Empowering Threat Hunters of All Levels
The PEAK Threat Hunting Assistant is designed for threat hunters at every stage of their career. It serves as a powerful force multiplier:
- Elevates New Hunters: By providing comprehensive research and structured hunt plans, it significantly improves the quality and depth of output, while teaching good hunt preparation by example.
- Accelerates Experienced Hunters: For seasoned practitioners, it drastically reduces the time spent on mundane research, allowing them to focus on complex analysis and strategic decision-making.
This tool ensures that every hunt starts with comprehensive, informed intelligence, transforming the often-tedious preparation into a strategic advantage.
Get Started Today
The PEAK Threat Hunting Assistant leverages agentic AI, empowering threat hunters of all levels to conduct high-quality, human-guided research quickly and easily. It transforms the often tedious "Prepare" phase into a strategic advantage, ensuring every hunt starts with a comprehensive, informed plan tailored for your exact needs.
We invite you to give The PEAK Threat Hunting Assistant a try and experience the future of hunt preparation. Your feedback is invaluable as we continue to evolve this powerful tool.