Full Report
AI helped send weekly threat signal count from 80 million to 400 billion, then helped response time shrink from two days to 30 minutes Australia’s Commonwealth Bank built its own agentic AI threat hunting tools, because vendors are too slow to develop tools that can cope with emerging AI-powered threats, according to General Manager of Cyber Defence Operations Andrew Pade.…
Analysis Summary
# Best Practices: Agentic AI for Threat Hunting & Hyper-Scale Defense
## Overview
These practices address the exponential growth of threat signals (from millions to hundreds of billions) and the need to reduce response times from days to minutes. They focus on moving beyond "automation on steroids" toward **Agentic AI**—tools that can ingest research, hypothesize risks, and conduct complex analysis across hybrid environments (Legacy, On-Prem, SaaS, and Cloud).
## Key Recommendations
### Immediate Actions
1. **Bridge the Talent Gap:** Establish a collaborative task force between your Data Science teams and Frontline Security Analysts. Do not "throw problems over the fence"; co-design tools where security defines the outcome and data science builds the model.
2. **Audit Red Team Reporting:** Review current human-authored security reports. Identify where "non-deterministic" AI outputs (variable results) might create inconsistencies in legal or compliance documentation.
3. **Prioritize Analyst Well-being:** Identify "career-killing" manual tasks (e.g., manual log correlation of billions of signals) that contribute to junior analyst burnout and target these for AI augmentation first.
### Short-term Improvements (1-3 months)
1. **Develop "Research-to-Hypothesis" Agents:** Build or configure AI agents to ingest external threat intelligence/research and automatically map it against your specific internal asset inventory to generate a risk hypothesis.
2. **Standardize Deterministic Anchors:** Since AI is non-deterministic, embed "deterministic points" (binary success/fail criteria or fixed logical checks) into AI workflows to ensure repeatable and verifiable threat predictions.
3. **Automate Indicator of Compromise (IoC) Reporting:** Implement AI modules that specifically identify IoCs and auto-generate summary reports, shifting staff roles from data entry to high-level problem solving.
### Long-term Strategy (3+ months)
1. **Shift to Agentic Defense:** Transition from static automation to autonomous agents capable of "threat hunting" across sprawling estates (SaaS, Cloud, and Legacy) without waiting for vendor updates.
2. **Scale for the "400 Billion" Future:** Re-architect data ingestion pipelines to handle a 5000x increase in signal volume, assuming that AI-powered attackers will continue to automate the backend of their attacks (phishing, exploit delivery, etc.).
3. **Evolve the Career Path:** Redesign the SOC tier structure. Move away from "Help Desk to Security" paths toward hiring graduates who can immediately leverage AI tools to access senior-level institutional knowledge.
## Implementation Guidance
### For Small Organizations
- **Focus:** Practical implementation of vendor-provided AI tools.
- **Action:** Use off-the-shelf LLMs to summarize threat intelligence reports, but always have a human verify the "deterministic" facts before acting.
### For Medium Organizations
- **Focus:** Customizing "wrappers" around existing data.
- **Action:** Use RAG (Retrieval-Augmented Generation) to allow AI tools to "read" your internal network documentation and security policies to provide context to alerts.
### For Large Enterprises
- **Focus:** In-house Agentic AI development.
- **Action:** Build bespoke AI agents specialized for your specific legacy stack. Vendors are often too slow to support niche or aging internal systems; in-house development ensures protection against AI-speed threats.
## Configuration Examples
While specific code is proprietary, the Commonwealth Bank model follows this logic:
- **Input:** External Threat Feed (RSS/API) + Internal Asset Database.
- **Processing:** Agentic AI performs a "What-If" analysis.
- **Output:** A risk hypothesis formatted for human review within 30 minutes.
- **Validation:** Integration of "Deterministic Points"—checks that ensure the AI doesn't hallucinate non-existent vulnerabilities in legacy systems.
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF) 2.0:** Aligns with "Detect" and "Respond" functions through automated analysis.
- **ISO/IEC 27001:** Supports Continuous Improvement and Incident Management controls.
- **CIS Controls:** Specifically helps with Control 8 (Audit Log Management) and Control 17 (Incident Response Management) at extreme scales.
## Common Pitfalls to Avoid
- **Legacy Lag:** Assuming cloud-only security is enough. Agents must be able to hunt across legacy and on-prem systems where AI-powered attacks may hide.
- **The "Vendor Trap":** Waiting for security vendors to release "AI features" for emerging threats. In high-stakes environments, the delay (days/weeks) is too long.
- **Non-Deterministic Drift:** Allowing AI to produce inconsistent red team or audit results, which can lead to legal or regulatory gaps.
## Resources
- **NIST AI Risk Management Framework:** [https://www.nist.gov/itl/ai-risk-management-framework]
- **MITRE ATT&CK Framework:** [https://attack.mitre.org/]
- **Gartner Security & Risk Management Summit Insights:** [https://www.gartner.com/en/conferences/hub/cybersecurity-resources]