SEC536: Adversarial AI - Penetration Testing AI Systems


Threat hunting teams struggle to reuse prior investigations, which leads to repeated setup work, inconsistent results, and limited benefit from AI tools that lack durable context. Early attempts to add AI often fail because hunts are unstructured, state lives in scattered notes, and models have nothing reliable to reason over. This talk presents a CLI-first approach to threat hunting that captures hypotheses, assumptions, and outcomes as structured artifacts and uses that data to support AI-assisted recall and reasoning. Instead of prompting chatbots, teams integrated AI into the hunting workflow itself, allowing it to reference past hunts, surface related investigations, and suggest next steps while analysts remained in control. After adopting this approach, teams reduced hunt restart time, improved analyst handoffs, and increased reuse of prior investigations. AI moved from a novelty to a practical assistant, with measurable gains in speed and consistency and clear lessons learned around integration pain, workflow changes, and where AI did not help.
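To make the "structured artifacts" idea concrete, here is a small added illustration (not the speaker's tool, not THOR Collective code, and not the PEAK framework's own format) of what a CLI-first hunt store can look like: each hunt is a record with a hypothesis, its assumptions, data sources and outcome; recall of related prior hunts is plain keyword overlap; and the related records are serialized as compact JSON that an assistant can be handed as context. The record schema, field names and the three sample hunts are constructed assumptions for the example.

```python
import json
import re
from dataclasses import dataclass, field, asdict
from typing import List, Tuple

# Hypothetical artifact schema: one record per hunt. Field names are
# assumptions made for this example, not any framework's real format.
@dataclass
class Hunt:
    hunt_id: str
    hypothesis: str
    assumptions: List[str]
    data_sources: List[str]
    outcome: str                      # "confirmed", "refuted" or "inconclusive"
    tags: List[str] = field(default_factory=list)
    notes: str = ""

STOPWORDS = {"a", "an", "the", "on", "in", "of", "for", "to", "through",
             "via", "and", "with", "is", "are", "by", "from", "at"}

def tokenize(text: str) -> set:
    """Lowercase word tokens minus stopwords; deliberately simple recall."""
    return {t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS}

def hunt_terms(h: Hunt) -> set:
    """Terms indexed for recall: the hypothesis, tags and data sources."""
    return tokenize(" ".join([h.hypothesis, *h.tags, *h.data_sources]))

def related_hunts(store: List[Hunt], query: str) -> List[Tuple[str, float]]:
    """Rank prior hunts by the fraction of query terms they share; drop zero matches."""
    q = tokenize(query)
    if not q:
        return []
    scored = [(h.hunt_id, len(q & hunt_terms(h)) / len(q)) for h in store]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: (-s[1], s[0]))

def context_for_model(store: List[Hunt], query: str, top_k: int = 3) -> str:
    """JSON records of the related hunts: durable context instead of loose notes."""
    by_id = {h.hunt_id: h for h in store}
    picked = [asdict(by_id[i]) for i, _ in related_hunts(store, query)[:top_k]]
    return json.dumps(picked, indent=2)

def suggest_next_steps(store: List[Hunt], query: str) -> List[str]:
    """Analyst-facing suggestions derived from recorded outcomes and assumptions."""
    by_id = {h.hunt_id: h for h in store}
    steps = []
    for hid, _ in related_hunts(store, query):
        h = by_id[hid]
        if h.outcome == "inconclusive":
            steps += [f"{hid}: re-verify assumption '{a}' before rerunning" for a in h.assumptions]
        elif h.outcome == "refuted":
            steps.append(f"{hid}: previously refuted; check whether data sources {h.data_sources} changed")
        else:
            steps.append(f"{hid}: confirmed earlier; reuse its query and compare against the new timeframe")
    return steps

def serialize(store: List[Hunt]) -> str:
    """Persist the hunt store as JSON (what a CLI would write to disk)."""
    return json.dumps([asdict(h) for h in store])

def deserialize(blob: str) -> List[Hunt]:
    return [Hunt(**d) for d in json.loads(blob)]

# Constructed sample hunts for the example; not real investigations.
SAMPLE_HUNTS = [
    Hunt("H-001", "Adversary uses scheduled tasks for persistence on workstations",
         ["Sysmon event 1 covers schtasks.exe", "Task creation logs retained 30 days"],
         ["sysmon", "windows_security"], "inconclusive", ["persistence", "scheduled-task"]),
    Hunt("H-002", "Service account performing interactive logons outside business hours",
         ["Business hours defined as 08:00-18:00 local"],
         ["windows_security"], "confirmed", ["credential-access", "lateral-movement"]),
    Hunt("H-003", "DNS tunnelling via long TXT queries",
         ["Resolver logs capture full query names"],
         ["dns", "proxy"], "refuted", ["c2", "dns"]),
]

if __name__ == "__main__":
    q = "Persistence through scheduled tasks on endpoints"
    print(related_hunts(SAMPLE_HUNTS, q))        # [('H-001', 0.75)]
    print(context_for_model(SAMPLE_HUNTS, q))
    for step in suggest_next_steps(SAMPLE_HUNTS, q):
        print("-", step)
```

The point of the structure is not the scoring (a real tool would use a proper index or embeddings) but that the hypothesis, assumptions and outcome are captured as fields the moment a hunt is restarted or handed off, so both the next analyst and any assistant reason over the same recorded state.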


Sydney is a threat hunter, co-author of the PEAK Threat Hunting Framework, and co-founder of THOR Collective.