Threat hunting has always depended on a certain kind of instinct.
A security analyst notices something that feels wrong. A strange login pattern. An unusual cloud permission change. A new process running where it shouldn’t. A connection between events that doesn’t quite sit right.
The problem is that instinct alone doesn’t start the investigation.
In most security operations centres (SOCs), that instinct has to be translated into queries. The analyst needs to know which tool to open, which syntax to use, which data source to check, which logs to compare, and which signals might prove or disprove the original suspicion.
That takes time. And time is becoming the one thing defenders have less of.
Google Cloud’s Cybersecurity Forecast 2026 warns that threat actors will use AI to increase the “speed, scope, and effectiveness” of attacks, while defenders will also use AI agents to strengthen security operations and analyst capabilities. That tension sits at the centre of modern threat hunting. Attackers are getting faster. Environments are getting more complex. Analysts are being asked to move with more confidence, across more data, with less room for delay.
This is why Vibe Hunting matters. Exaforce describes it as a natural language threat search that helps customers answer questions that would otherwise require extensive queries. But the bigger shift isn’t only about replacing one search method with another. It’s about moving threat hunting closer to how analysts actually think.
The future of threat hunting won’t be defined by who can write the most complex query. It’ll be defined by how quickly a team can turn intent into evidence.
AI Has Changed the Rules of Threat Hunting
AI has changed cybersecurity on both sides of the table.
For defenders, it can help reduce manual work, connect signals faster, and support analysts during investigation and response. For attackers, it can help scale reconnaissance, phishing, social engineering, vulnerability research, and parts of malware development.
That doesn’t mean every cyber attack is now fully autonomous. We’re not quite at “the robots are doing crime in hoodies” territory. But we are moving into a world where attackers can use AI to move faster through work that used to take more time, more skill, or more people.
Anthropic reported that attackers had used AI’s agentic capabilities not only for advice, but to execute parts of a cyber espionage campaign. That kind of example matters because it shows where the pressure is heading. The risk isn’t only that attacks become more advanced. It’s that more attackers can operate at a higher tempo.
Security teams already feel that pressure.
Modern investigations rarely sit neatly inside one tool. A single suspicious action might require an analyst to check identity activity, endpoint behaviour, cloud logs, SaaS usage, source code activity, network connections, and threat intelligence. Each one tells part of the story. None of them tells enough on its own.
So the analyst’s job becomes less like checking an alert and more like assembling a live puzzle while someone keeps shaking the table.
That’s hard enough when attackers are human-paced. It becomes much harder when attackers are using AI to speed up the early stages of an operation.
The Problem Isn’t Finding Data. It’s Turning Questions Into Investigations
Most enterprise security teams don’t have a data shortage.
They have logs. Alerts. Events. Dashboards. Endpoint data. Identity records. Cloud telemetry. SaaS activity. Threat intelligence feeds. Probably more dashboards than any human being should have to look at before breakfast.
The real issue is turning a good question into a useful investigation.
A threat hunter may want to know whether a newly created admin account touched sensitive systems after an unusual login. Or whether a developer token was used from a new location before code was changed. Or whether a cloud role was modified before data moved somewhere unexpected.
Those are clear investigative questions. But in many SOC workflows, they still need to be broken into multiple searches across different systems. The analyst has to translate the question into tool-specific logic, check whether the right data exists, pivot between results, and manually stitch together the timeline.
That’s where traditional threat hunting starts to drag.
Specialised query languages are powerful. They’re also demanding. They reward people who know the syntax, the schema, and the quirks of each platform. For experienced analysts, that skill is valuable. But it also creates a bottleneck. If only a few people can turn a hypothesis into a hunt, threat hunting becomes something teams do when they have time.
And most SOC teams don’t have spare time lying around like loose change in the sofa.
The 2025 SANS Detection and Response Survey found that more than 60 per cent of respondents encounter false positives frequently or very frequently, with “very frequent” false positives rising from 13 per cent to 20 per cent year on year. That’s not just annoying. It’s operationally expensive. Every false positive competes with real investigation work. Every manual pivot slows down the questions analysts actually need to answer.
Threat hunting should start with the question. Not the syntax.
Why Intent-Driven Threat Hunting Changes the Workflow
Intent-driven threat hunting changes the starting point.
Instead of asking, “What query do I need to write?”, the analyst can ask, “What am I trying to prove?”
That shift sounds simple. It isn’t. It changes the role of AI from a generic assistant into something more useful: a bridge between human reasoning and machine execution.
In an intent-driven workflow, a security analyst describes what they’re looking for in natural language. AI agents can then help translate that intent into investigative steps, searches, pivots, and evidence gathering. The analyst still decides what matters. The AI helps remove the mechanical drag between question and answer.
This is where AI-powered threat hunting becomes more than automation.
Automation usually follows predefined rules. It’s useful for repetitive tasks, but it struggles when the investigation depends on context, judgement, and an evolving hypothesis. Threat hunting is rarely linear. Analysts ask one question, find a clue, adjust the hunt, then ask a better question.
Natural language security workflows are useful because they let analysts stay closer to that thinking process. They can move from suspicion to validation without stopping every few minutes to wrestle with syntax.
That doesn’t make expertise less important. It makes expertise easier to apply.
A junior analyst can ask better questions sooner. A senior analyst can move faster through the boring parts. A stretched SOC can run more proactive hunts instead of waiting for alerts to dictate the day.
That’s the practical promise behind Vibe Hunting. Not magic. Not “AI does security now, everyone go home.” Just a cleaner path between what an analyst suspects and what the evidence can show.
Fighting AI With AI Requires Context, Not Just Automation
Adding AI to a SOC doesn’t automatically make it smarter.
If the AI can only see isolated alerts, it’ll still struggle to understand what’s really happening. It may summarise faster. It may search faster. But speed without context just gets you to confusion more efficiently.
That’s why context matters.
A suspicious login may not mean much on its own. But it matters more if it connects to a privileged identity, a new device, an unusual location, a cloud permission change, and access to sensitive data shortly afterwards. The value isn’t in one event. It’s in the relationship between events.
Good threat hunting depends on those relationships.
Security teams need to understand how identity, endpoint, cloud, SaaS, and activity data connect across the full attack path. Otherwise, an investigation can easily become a pile of technically accurate fragments that still doesn’t answer the real question: is this a threat, and what should we do next?
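The investigative questions above (an unusual login, followed by a privilege change, followed by sensitive data access, all tied to one identity inside a short window) can be written as a small chain hunt over normalised telemetry. The block below is an added example for this article; it is not Exaforce code and makes no assumption about how Vibe Hunting is implemented. The events, the source names ("identity", "cloud", "data"), the `SENSITIVE_BUCKETS` set and the `find_chains` helper are all constructed for illustration. The same helper runs two hunts: the first expresses the hypothesis as three ordered steps, the second drops the login step and widens the window, which is the "find a clue, adjust the hunt" loop the article describes.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Every source is normalised to one shape so a hunt can pivot across them.
@dataclass
class Event:
    ts: datetime
    source: str        # "identity", "cloud" or "data" (constructed labels)
    principal: str     # the identity the event is attributed to
    action: str
    detail: dict = field(default_factory=dict)

# Constructed sample telemetry, not real logs. Three principals, three sources.
SAMPLE_EVENTS = [
    Event(datetime(2026, 1, 14, 2, 3), "identity", "alice", "login",
          {"device": "new", "country": "NL", "mfa": False}),
    Event(datetime(2026, 1, 14, 2, 9), "cloud", "alice", "iam.attach_policy",
          {"policy": "AdminAccess"}),
    Event(datetime(2026, 1, 14, 2, 20), "data", "alice", "object.get",
          {"bucket": "finance-exports", "bytes": 5_000_000}),
    Event(datetime(2026, 1, 14, 9, 0), "identity", "bob", "login",
          {"device": "known", "country": "GB", "mfa": True}),
    Event(datetime(2026, 1, 14, 9, 5), "data", "bob", "object.get",
          {"bucket": "public-assets", "bytes": 10_000}),
    Event(datetime(2026, 1, 13, 2, 0), "cloud", "carol", "iam.attach_policy",
          {"policy": "AdminAccess"}),
    Event(datetime(2026, 1, 14, 2, 25), "data", "carol", "object.get",
          {"bucket": "finance-exports", "bytes": 1_000}),
]

SENSITIVE_BUCKETS = {"finance-exports"}  # constructed classification

# Each step of a hunt is a predicate over one event. The predicates encode
# the analyst's intent; the chain matcher does the mechanical pivoting.
def unusual_login(e):
    return (e.source == "identity" and e.action == "login"
            and (e.detail.get("device") == "new" or not e.detail.get("mfa", True)))

def privilege_change(e):
    return e.source == "cloud" and e.action.startswith("iam.")

def sensitive_read(e):
    return e.source == "data" and e.detail.get("bucket") in SENSITIVE_BUCKETS

HUNT_LOGIN_TO_DATA = [("unusual login", unusual_login),
                      ("privilege change", privilege_change),
                      ("sensitive data read", sensitive_read)]

# The adjusted hypothesis: the privilege change itself is the starting point.
HUNT_PRIV_TO_DATA = HUNT_LOGIN_TO_DATA[1:]

def find_chains(events, steps, window):
    """Per principal, find ordered event sequences where event i satisfies
    step i, each later than the previous, and the whole chain sits inside
    `window` measured from the first event. One chain per qualifying first
    event, taking the earliest continuation for each later step."""
    by_principal = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_principal[e.principal].append(e)
    chains = []
    for principal, evs in by_principal.items():
        for i, first in enumerate(evs):
            if not steps[0][1](first):
                continue
            chain, deadline, cursor = [first], first.ts + window, i + 1
            for _, pred in steps[1:]:
                hit = None
                for j in range(cursor, len(evs)):
                    if evs[j].ts > deadline:      # sorted, so nothing later fits
                        break
                    if pred(evs[j]):
                        hit = j
                        break
                if hit is None:
                    break
                chain.append(evs[hit])
                cursor = hit + 1
            if len(chain) == len(steps):
                chains.append({
                    "principal": principal,
                    "steps": [name for name, _ in steps],
                    "events": chain,
                    "span_minutes": int((chain[-1].ts - first.ts).total_seconds() // 60),
                })
    return chains

def timeline(chain):
    """Render one finding as the evidence trail an analyst would read."""
    return [f"{ev.ts:%Y-%m-%d %H:%M} [{ev.source}] {ev.principal} {ev.action} {ev.detail}"
            for ev in chain["events"]]

if __name__ == "__main__":
    for hunt, window in ((HUNT_LOGIN_TO_DATA, timedelta(hours=1)),
                         (HUNT_PRIV_TO_DATA, timedelta(hours=48))):
        for c in find_chains(SAMPLE_EVENTS, hunt, window):
            print(f"{c['principal']}: {' -> '.join(c['steps'])} in {c['span_minutes']} min")
            print("\n".join("   " + line for line in timeline(c)))
```

With the constructed data, the first hunt returns only alice (new device, no MFA, admin policy attached six minutes later, sensitive read eleven minutes after that). Widening the question surfaces carol as well, whose privilege change has no login in the data at all, which is exactly the kind of gap a hunter would then go and ask the identity source about. The point is that the hypothesis changed, the matcher did not.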
Exaforce’s Vibe Hunting messaging points to this wider need by tying natural language search to connected security context. Its platform positioning describes investigations across identity, cloud, endpoint, and SaaS, with AI threat hunting designed to pivot across those areas. That matters because AI-assisted investigations are only useful when they can reason across the environment, not just repeat what one log source says.
The human role still matters here.
AI can help gather evidence. It can suggest paths. It can connect patterns that might take a person longer to find. But humans still bring judgement, risk awareness, business context, and the ability to ask whether an answer actually makes sense.
That’s the balance security teams should be aiming for. Not replacing analysts. Not turning every decision over to a model. Strengthening the analyst’s ability to think clearly under pressure.
The Future of Threat Hunting Is Helping Analysts Think Faster
The future of threat hunting isn’t about making analysts less necessary. It’s about making their thinking less trapped by tooling.
For years, SOC progress has often been measured through more dashboards, more detections, more alerts, and more integrations. Some of that is useful. Some of it is just more noise wearing a nicer jacket.
The better measure is whether analysts can answer important questions faster and with more confidence.
- Can they understand what happened?
- Can they connect the activity across systems?
- Can they validate or dismiss a hypothesis quickly?
- Can they move from detection to decision before an attacker gets comfortable?
That’s where intent-driven hunting becomes strategically important. It reduces the distance between analyst judgement and investigation output. It helps teams spend less time translating their thoughts into tool commands and more time deciding what those results mean.
It also changes who can participate in threat hunting.
When hunting depends heavily on advanced query writing, it naturally concentrates around a smaller group of specialists. When hunting becomes more intent-led, more analysts can contribute. That doesn’t remove the need for deep expertise. It spreads useful investigative capability across the SOC.
For security leaders, that has real operational value. The ISC2 2025 Cybersecurity Workforce Study found that 88 per cent of respondents experienced at least one significant cybersecurity consequence because of skills deficiencies within their team or wider organisation. Tools won’t solve the skills gap by themselves. But better workflows can help teams use the skills they already have more effectively.
That’s the point.
The next generation of threat hunting shouldn’t ask analysts to become slower versions of machines. It should let them do the thing humans are good at: ask better questions, spot odd patterns, weigh uncertainty, and make decisions when the evidence isn’t perfectly neat.
Final Thoughts: The Future of Threat Hunting Starts With Better Questions
Threat hunting is shifting from queries to intent because the old workflow can’t keep up with the speed and complexity of modern cyber threats.
AI is changing attack and defence at the same time. Attackers are using it to move faster. Defenders are using it to reduce manual drag, connect signals, and support security analysts through investigation and response.
But the real advantage won’t come from adding AI for the sake of it. It’ll come from helping analysts move from instinct to investigation with less friction and better context.
That’s why Vibe Hunting is a useful signal of where security operations are heading. It points to a SOC model where analysts don’t have to begin every hunt by fighting the tooling. They can start with the question that matters, then use AI to help gather the evidence around it.
Every minute spent translating intent into a query is a minute an attacker can keep moving.
For EM360Tech readers rethinking how their SOC should operate in the AI era, the next step is to look closely at where investigation time is really being lost. If your team is ready to see how Exaforce helps analysts hunt faster while keeping human judgement in control, request a demo and see what Vibe Hunting looks like in practice.