Build Better Defenses
October 29–30, 2017: Training
October 30–November 1, 2017: Tutorials & Conference
New York, NY

Toward a threat-hunting automation maturity model

Alex Pinto (Niddel)
3:50pm–4:30pm Tuesday, October 31, 2017
Security analytics
Location: Sutton North
Average rating: ***..
(3.00, 1 rating)

Who is this presentation for?

  • Security, DevOps, and automation engineers, incident responders, and threat hunters

Prerequisite knowledge

  • A basic understanding of incident response, threat hunting, malware detection through log analysis, and the concepts of threat intelligence and indicators of compromise

What you'll learn

  • Explore a hunting automation maturity model that elevates the quality of data available to automation processes to efficiently simulate analyst intuition and significantly augment human analysts


Threat hunting is usually thought of as a series of investigative actions performed by analyst teams to cover detection gaps where automated tools fail. However, as these techniques become more and more widespread and standardized, wouldn’t it be more effective to automate a large part of those threat hunting activities?

Alex Pinto demonstrates how to automate threat hunting techniques to augment human activity by encoding analyst intuition into repeatable data extraction and processing technologies. Those techniques can be used to simplify the triage stage and get actionable information from potential threats with minimal human interaction. Alex then offer an overview of the hunting automation maturity model (HAMM), which organizes these techniques around capability milestones, including internal and external context and analytical tooling.

By elevating the quality of data available to your automation processes, you can efficiently simulate analyst intuition on some of the more time-consuming aspects of threat hunting. Incident response teams can then be more productive as soon as the initial triage stages, where instead of sifting through raw log data, they will be able to focus on consuming data products that provide a sixth sense on which events are worth additional analyst time.

Photo of Alex Pinto

Alex Pinto


Alex Pinto is the chief data scientist of Niddel and the lead for the MLSec Project. Alex is currently dedicating his waking hours to the development of machine learning algorithms and data science techniques to automate threat hunting (I know) and making threat intelligence “actionable” (I know, I know). If you care about certifications at all, Alex is currently a CISSP-ISSAP, CISA, CISM, and PMP. He was also a PCI-QSA for almost seven years but is a mostly ok person in spite of that.