
The Evolution of the Threat Hunting Market


The emerging use of agentic AI in automating hunting tasks has the potential to considerably change the game - for defenders as well as attackers. It is therefore worth looking at the current state of the market, including why security professionals should assess their current defensive strategies, and which vendors and service providers are bringing new offerings to market.



In the beginning...

While many of you will know much of the following, some might not, so it’s worth giving a short history. If nothing else, it helps explain why current market developments matter, and the challenges we face. Threat hunting has been a part of the wider conversation around threat detection, threat intelligence, and threat modelling for many years, but as adversaries have become more sophisticated and capable, the “hunting” aspect takes things a few steps further. Up until recently, threat hunting has developed along two broad lines:


  • Reactive - the “what happened?” scenario. This involves hunting that is triggered by a known signal, such as an alert, indicator of compromise, or breach report. The goal is to determine whether an event is isolated or part of a larger compromise. How quickly we respond, and how well we identify and then recommend actions to tackle the threat, are the critical metrics.

  • Proactive - the “something like this has happened and/or this attack vector is known in this environment” (industry, customer segment, etc.) scenario. This involves hunting without a known alert, driven instead by a hypothesis, e.g. that an attacker might be using valid credentials, or some other possibility. This approach requires a higher level of skills coupled with broader telemetry across cloud, email, and network environments. It also often involves dark web work - which not everyone has the ability to do. In theory, if the strategies put in place through previous reactive activities worked well, then a proactive approach should reduce the time to act following an attack, and increase the speed of response and resolution.


Whether reactive or proactive, there is also the question of how far the above strategies extend, i.e. the balance between detection and response: how much activity happens prior to any security breach versus remediation that is implemented post-breach.


Then along came AI…



Without re-hashing the history of the advent of generative AI, the appearance of AI agents and the introduction of the technology into both the defender’s SOC and the cyber criminal’s toolkit, we need to take note of why this matters. In the last 12 months or so, vendors, analysts and service providers have started talking about “pre-emptive” threat hunting. Although the exact definition is debatable, it is generally acknowledged that pre-emptive is the most difficult and most modern iteration of threat hunting, where telemetry and attacker behaviour are analysed to identify and stop threats - such as taking down malicious domains - before they reach a company’s environment.


The difference with pre-emptive is the speed and scale at which defenders need to operate. Until AI agents became widely available, proactive strategies requiring the fastest and broadest responses were ultimately limited by the size and speed of the analyst teams. Advanced automation tools can help offset this, but not completely. By using AI agents to hunt, triage and remediate at machine speed, it is possible to carry out these activities at a scale and extent that has not been possible until now.


Does this mean that pre-emptive is the “new” proactive? Well… yes and no. Pre-emptive threat hunting assumes that the activities and actions of attackers can be predicted based not just on previously identified threats, intended effects, and (in the best cases) tried-and-tested mitigations, but also on origin, behaviour, similarity, etc. And despite advances in AI, reactive threat hunting will likely exist forever. This is because the industry often prioritises speed and efficiency in development, which leaves security as a trailing concern that requires constant “chasing”. It’s the whack-a-mole situation that will not disappear anytime soon.


The importance of partnerships

As noted above, pre-emptive threat hunting is the most difficult in terms of the sheer volume of telemetry required. The challenge boils down to: can a provider correlate the necessary data (client risk, industry specifics, vulnerabilities, likely threat actor interest given past history, and ‘noise’) in the wild to guess or approximate where an attack will occur, and provide remediation steps ahead of that attack?


That no single provider has been able to do this (yet) is not due to lack of interest or intent. Rather it is the sheer scale of what is required. Major service providers like IBM and Google emphasise the need to integrate planet-scale telemetry and threat intelligence into their security platforms to improve investigation and response. Individual companies may have proprietary databases built over many years, but can never have all the telemetry, all of the time.


Which is why an ecosystem of industry partnerships is vital - the strategy is much less about keeping your own data close to your chest, and more about sharing telemetry with those who also encounter and track threats at different points across the wider global digital infrastructure. This means having deep relationships with ISPs, internet registrars, network providers and others. Additionally, digital risk protection (DRP) and attack surface management (ASM) companies hunt across the internet for phishing domains before campaigns launch, fake login pages, brand impersonation, people/executive impersonation, fake social accounts, and so on.


Given the current geopolitical tensions and the potential for isolationist or sovereign-only solutions, vendors and providers will need to work hard to maintain the above capabilities for threat hunting.


Who are the early movers?

The threat hunting market is broad, and current capabilities are baked into numerous solutions available from vendors, managed service and managed security service providers, MDR providers, systems integrators and consultants. Leading threat hunting vendors and providers include Google, CrowdStrike, IBM X-Force, LevelBlue, Bishop Fox and others.


Where the market is rapidly developing is the action that takes place after the threat is located - the threat "takedown". While pre-emptive hunting asks: "Is the attacker preparing to target us?", takedown services ask: "Can we remove the attacker's infrastructure before they target us?"


The line between threat hunting and takedown services will blur in the future. Today, they are related conceptually, but they operate in very different parts of the security lifecycle. The largest threat intelligence providers like Google and CrowdStrike perform threat hunting and will absolutely move toward pre-emptive hunting, but to complete the lifecycle, it is perhaps relevant to consider partnering, now and in the future, with takedown service providers.


Some examples of providers offering takedown services include:


  • BforeAI is a newer entrant and positions itself in pre-emptive domain and infrastructure defence, following malicious campaign patterns so that attacks can be predicted before they fully launch. Its PreCrime platform is positioned around predicting and blocking malicious campaigns days or weeks ahead of execution.

  • Doppel - also a startup - focuses on AI-driven detection and removal of impersonation threats across domains, social media, ads, marketplaces, and other digital channels.

  • Netcraft has a long and rich heritage in threat hunting, and has incorporated AI in its solutions to perform pre-emptive domain disruption, proactively identifying and taking down criminally controlled domains before they can be used in phishing or fraud campaigns.

  • ZeroFox positions takedowns as part of broader digital risk protection. Like each of its competitors, it monitors the external attack surface for brand, domain, social media and asset abuse, then uses automated enforcement workflows to remove phishing domains, fake accounts, fraudulent apps, counterfeit listings, and other policy-violating assets.

  • Nisos comes to mind where takedown requires investigation, attribution, and human-context intelligence. It is less of a pure automated takedown utility and more of a digital investigations partner for executive impersonation, fraud, harassment, insider-adjacent risk, trust and safety, and actor identification. We list it here because we think the realm of pre-emptive executive protection is an interesting and growing area in the takedown space.


Where is the market headed?



Threat hunting has been accelerated by the advent of AI agents that automate tasks at machine speed and scale. At the same time, attackers are using agents to automate the creation of new threats. If we assume that some form of pre-emptive capability is emerging and that AI agents are fuelling the ability to achieve this, what does this mean for the market?



If we go back to evolutionary theory, the next stage of threat hunting should be a significant upgrade in terms of capability. But what could be beyond pre-emptive? Fully autonomous, sentient security, maybe? Proponents of the advent of Artificial General Intelligence (AGI) might support that view. Imagine an agentic-powered SOC that operates in almost real time, that anticipates and blocks attacks before they happen, and remediates any structural or code-level vulnerabilities without a human analyst needing to intervene. Imagine AI agents trawling the internet, our network and services, validating against threat intelligence, seeking criminal activity in the “wild”, and then taking down a service with partners on our behalf without our knowledge.


We’re not there yet, but we don’t need 100% of the technology to be able to provide good, pre-emptive threat hunting capabilities for defenders today, if we continue to share telemetry and avoid any retreat from our global partnerships.


In the meantime, there are plenty of moles to be whacked.

