Build a Proactive Defense Strategy with Intelligence-Led Cyber Threat Hunting
Cyber threat hunting is a set of proactive cybersecurity processes used by Security Operations Centers (SOCs) to search computing networks and systems for hidden threat indicators. Traditionally, hunting has relied on internal data sources: reports and logs from security information and event management (SIEM) systems, along with telemetry from endpoint protection, network security, and intrusion detection systems.
But there’s a problem: these systems only detect imminent or realized threats.

Federal agencies and large enterprises need more. In mid-2026, President Donald Trump issued an executive order mandating that certain Federal agencies deploy AI to “protect American ingenuity, intellectual property, and critical systems from exploitation and cyberattacks by adversaries.”[1]
This order builds on a current trend in cybersecurity practice. Increasingly, SOC heads, IT leaders, and threat intelligence analysts turn to AI-enabled open-source intelligence (OSINT) to detect threat campaigns, adversary behavior, and other indicators before those threats reach their own networks.
Read on to learn more about current cyber threat hunting processes, the emergence of intelligence-led cyber threat hunting, and how agentic risk intelligence platforms can help optimize security for both government and business.
Existing hunting processes
Broadly speaking, current threat hunting processes consist of:
- Hypothesis development — An analyst envisions possible threat scenarios (“an attacker may be using stolen credentials to access our VPN” or “a recent software update may have been used to deliver a trojan”) and turns each into a concrete query that systems can run to find evidence of it.
- Data collection — Analysts gather threat evidence from SIEM systems, endpoint management systems, network traffic analysis tools, and more.
- Pattern analysis — Analysts study and connect events to identify potential cyberattacks.
- Validation and prioritization of threats — Not every anomaly signals an attack. An employee accessing the network at odd hours may be attempting to download proprietary data to sell on the dark web, or may simply be working under deadline pressure. Analysts must separate benign anomalies from true attack indicators, and prioritize threats based on their potential severity.
- Response — Organizations must take the steps needed to prevent imminent threats from being realized, or to mitigate the damage caused by realized threats.
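As an added example (not Babel Street's or this page's own code), here is one such hunt carried through the steps above in Python: the hypothesis “an attacker may be using stolen credentials to access our VPN” becomes a concrete test for successful logins by the same account from two locations too far apart to travel between in the elapsed time. The VPN log, the IP-to-location table, the set of known corporate egress IPs and the 900 km/h threshold are all constructed for the example.

```python
"""Hypothesis-driven hunt: stolen credentials used against the VPN.
Added example, not Babel Street code. All data below is constructed."""
import math
from collections import defaultdict
from datetime import datetime

# Constructed VPN authentication log: time, user, source IP, result (tab-separated).
VPN_LOG = """\
2024-03-04T08:02:11Z\talice\t203.0.113.10\tsuccess
2024-03-04T08:40:52Z\talice\t198.51.100.77\tsuccess
2024-03-04T09:15:03Z\tbob\t203.0.113.10\tsuccess
2024-03-04T22:55:40Z\tbob\t192.0.2.200\tsuccess
2024-03-04T10:00:00Z\tdave\t198.51.100.77\tsuccess
2024-03-04T11:00:00Z\tdave\t192.0.2.200\tsuccess
2024-03-05T07:30:00Z\tcarol\t203.0.113.10\tfailure
2024-03-05T07:31:10Z\tcarol\t203.0.113.10\tsuccess
"""

# Constructed geolocation lookup (in practice a GeoIP database): ip -> (lat, lon, label).
GEO = {
    "203.0.113.10": (51.5074, -0.1278, "London office"),
    "198.51.100.77": (40.7128, -74.0060, "New York"),
    "192.0.2.200": (52.5200, 13.4050, "Berlin"),
}

# Validation context (assumed): egress IPs that legitimately make users appear far from home,
# e.g. a corporate proxy or SASE point of presence.
KNOWN_EGRESS = {"203.0.113.10"}
MAX_KMH = 900.0  # implied travel faster than this between two logins is physically implausible


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    r = 6371.0
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


def parse_log(text):
    """Step 2 (data collection): turn raw log lines into structured events."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split("\t")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "result": result})
    return events


def hunt_impossible_travel(events, geo=GEO, max_kmh=MAX_KMH):
    """Steps 3-4: compare each user's consecutive successful logins, flag, validate, rank."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success" and e["ip"] in geo:
            by_user[e["user"]].append(e)
    findings = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(geo[prev["ip"]][:2], geo[cur["ip"]][:2])
            speed = km / hours if hours > 0 else float("inf")
            if speed <= max_kmh:
                continue
            # Validation: a hop touching a known egress point may be a proxy artefact, so it is
            # downgraded rather than dropped; a hop between two unexplained locations stays high.
            involves_egress = prev["ip"] in KNOWN_EGRESS or cur["ip"] in KNOWN_EGRESS
            findings.append({"user": user,
                             "from": geo[prev["ip"]][2], "to": geo[cur["ip"]][2],
                             "speed_kmh": round(speed),
                             "severity": "medium" if involves_egress else "high"})
    # Prioritisation: highest severity first, then the most implausible travel.
    findings.sort(key=lambda f: ({"high": 0, "medium": 1}[f["severity"]], -f["speed_kmh"]))
    return findings


if __name__ == "__main__":
    for f in hunt_impossible_travel(parse_log(VPN_LOG)):
        print(f)
```

Running it flags dave (New York to Berlin in one hour, no egress involved) as high and alice (London office to New York in under 40 minutes) as medium, while bob's London-to-Berlin hop over thirteen hours is ignored. The response step is left to the organisation's playbook; what the hunt produces is a ranked list of accounts whose sessions deserve a password reset and a closer look.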

Intelligence-led cyber hunting improves cybersecurity
The problem with existing threat hunting processes lies in the hypotheses developed: their quality, and the threat intelligence feeding them.
With insight only available from in-house security systems, analysts are left to develop hypotheses based solely on imminent or realized threats: the employee downloading proprietary data to sell on the dark web or an adversarial nation pinging government networks to probe for vulnerabilities.
But what about long-term risks? Or new cyberattack methods percolating in Nigeria? Or a disreputable security company in India that has begun selling hacking capabilities to criminal “clients”? Even the most sophisticated analyses of internal systems cannot alert hunters to these events.
Enter intelligence-led cyber threat hunting. This emerging sub-discipline enables the incorporation of worldwide events and trends into hunting hypotheses and other processes.

Intelligence-led cyber threat hunting cannot be implemented with only existing technology. Rather, it requires the use of agentic risk intelligence platforms to automate investigative processes and to surface signals appearing in open-source intelligence (OSINT) — or intelligence gleaned from a vast array of publicly available information (PAI).
What data sources does OSINT draw from? Sources range from social media platforms and legacy media databases to the MITRE ATT&CK® knowledge base of adversary tactics and techniques, and from malware alerts issued by the Cybersecurity and Infrastructure Security Agency (CISA) to threat indicators surfacing on the dark web, including behavioral trends, newly observed malicious IPs and suspicious domains, and phishing schemes.
These platforms both automate repetitive investigative tasks and provide analysts with external intelligence — not just internal data. In doing so, they empower analysts to hone their hypotheses to tackle both imminent risk and longer-term threats. In addition, by detecting phishing trends and other scams that trick employees into revealing sensitive company or agency information, intelligence-led cyber-hunting can improve digital protection.
Why Babel Street?
By feeding SOCs with intelligence that traditional security tools cannot access, the Babel Street Agentic Risk Intelligence Platform turns cyber hunting from a set of reactive processes into proactive threat detection. It enables government agencies and businesses to automate investigative processes, monitor emerging risks worldwide, and obtain continuous situational awareness. In doing so, it sets a new standard for threat detection while dramatically improving cybersecurity.
The platform is an AI-native operational framework in which governed AI agents execute, synthesize, and deliver structured, decision-ready cyber intelligence. Human authority is preserved at every step — beginning with investigative intent. It sits atop existing cybersecurity tools, bypassing the need to “rip and replace” systems.
Babel Street provides unmatched visibility into global cybersecurity risks. Our risk intelligence platform searches and collates information from thousands of PAI sources to surface risk indicators, map proximity risks, and identify persons of interest. Social-network mapping capabilities and associated visualizations help analysts understand key influencers and their roles in propagating cybersecurity threats worldwide — along with their connections to other people, organizations, and events. Real-time computer network analyses help organizations identify critical connections among network nodes. Always-on cyber risk monitoring keeps search operations running regardless of whether someone is actively using them, recording updates and automatically appending new information to search terms.
Fueled by Babel Street's Data Dominance™, the platform draws from rights-cleared, mission-curated, multilingual signals and proprietary enrichment pipelines other providers can’t access or replicate — including hard-to-access regional data. We collect data from more than 143,000 sources worldwide, published in more than 200 languages. This enables organizations to improve cyber-threat hunting hypotheses by monitoring threat indicators arising from sources worldwide.
Frequently Asked Questions
What role does open-source intelligence play in cyber threat hunting?
Open-source intelligence (OSINT) provides analysts with external intelligence about known and emerging cyber threats and attacker behavior. Combining this insight with the anomaly detection capabilities provided by SIEMs and endpoint-protection systems can provide meaningful investigative leads.
Consider this. Using a SIEM, an analyst detects outbound traffic from a workstation to an unfamiliar IP. OSINT indicates that this IP is associated with a ransomware group. Together, the two facts give the analyst a strong lead: the workstation may be compromised and contacting the group's command-and-control infrastructure. The lead still needs validation on the endpoint (which process opened the connection, what was written to disk, which other hosts reached the same IP) and against the indicator's own provenance (how recently it was seen, whether the address is shared hosting). Once confirmed, the organization can contain the host and mitigate the effects of the incursion.
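The following added example (not Babel Street code) shows that enrichment step as a script: outbound connections from a constructed firewall log are matched against a constructed OSINT indicator feed, and each hit becomes a lead carrying its own confidence, age and caveats rather than a verdict. The log format, the feed columns, the 90-day staleness threshold and the fixed “today” date are assumptions made for the example.

```python
"""Enrich outbound connections with an OSINT indicator feed and emit leads.
Added example, not Babel Street code. Log, feed and thresholds are constructed."""
import csv
import io
import ipaddress
import re
from datetime import date

# Constructed firewall log in key=value form, as a SIEM might forward it.
FW_LOG = """\
2024-03-04T10:01:07Z action=allow dir=out src=10.20.1.15 dst=198.51.100.23 dport=443 proto=tcp
2024-03-04T10:01:09Z action=allow dir=out src=10.20.1.15 dst=203.0.113.200 dport=8443 proto=tcp
2024-03-04T10:02:30Z action=allow dir=in src=192.0.2.77 dst=10.20.1.15 dport=445 proto=tcp
2024-03-04T10:03:44Z action=allow dir=out src=10.20.3.9 dst=192.0.2.77 dport=80 proto=tcp
"""

# Constructed indicator feed with provenance columns, as CTI feeds commonly export them.
IOC_FEED = """\
indicator,type,confidence,last_seen,source,context
203.0.113.200,ipv4,high,2024-03-01,constructed-feed,C2 for ransomware affiliate
192.0.2.0/24,ipv4-cidr,medium,2023-09-15,constructed-feed,bulletproof hosting range
198.51.100.23,ipv4,low,2024-02-28,constructed-feed,shared CDN edge seen in phishing kit
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
STALE_DAYS = 90                 # assumed: older indicators stay leads but rank lower
TODAY = date(2024, 3, 4)        # constructed "now" so the example runs offline and reproducibly


def parse_fw(text):
    """Keep outbound connections only: an inbound hit would match one of our own hosts as dst."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = m.group("ts")
        if fields.get("dir") == "out":
            conns.append(fields)
    return conns


def load_feed(text):
    """Parse indicators into networks so a /32 and a CIDR range are matched the same way."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["net"] = ipaddress.ip_network(row["indicator"], strict=False)
        row["last_seen"] = date.fromisoformat(row["last_seen"])
        rows.append(row)
    return rows


def match_leads(conns, feed, today):
    """Every match is a lead, never a verdict: record why it matched and how much to trust it."""
    rank = {"high": 3, "medium": 2, "low": 1}
    leads = []
    for c in conns:
        dst = ipaddress.ip_address(c["dst"])
        for ioc in feed:
            if dst not in ioc["net"]:
                continue
            age = (today - ioc["last_seen"]).days
            score = rank[ioc["confidence"]]
            caveats = []
            if age > STALE_DAYS:
                score -= 1
                caveats.append(f"indicator last seen {age} days ago")
            if ioc["net"].num_addresses > 1:
                caveats.append("range match, not an exact host")
            if "CDN" in ioc["context"] or "shared" in ioc["context"]:
                caveats.append("shared infrastructure; confirm with SNI or host header")
            leads.append({"src": c["src"], "dst": c["dst"], "dport": c["dport"],
                          "indicator": ioc["indicator"], "context": ioc["context"],
                          "priority": max(score, 1), "caveats": caveats})
    leads.sort(key=lambda l: -l["priority"])
    return leads


def demo():
    return match_leads(parse_fw(FW_LOG), load_feed(IOC_FEED), TODAY)


if __name__ == "__main__":
    for lead in demo():
        print(lead)
```

The high-confidence, recently seen C2 address comes out on top with no caveats; the CDN edge and the six-month-old hosting range both match but arrive at the bottom, each annotated with the reason an analyst should validate before treating the host as infected. The inbound SMB attempt from the listed range is deliberately not a lead here, since the question in this passage is what our hosts reached out to.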
How can organizations improve visibility into external cyber threats and risks?
Visibility into external threats and risks improves when organizations continuously gather outside intelligence, monitor known and emerging threats, and connect this information to information gleaned from internal security monitoring.
How can external data sources improve cyber-threat hunting outcomes?
External data helps improve cyber-threat hunting outcomes by revealing threats that internal security systems cannot. This insight improves and speeds investigations, and helps organizations improve cybersecurity.
How do security teams use cyber threat monitoring to detect emerging risks?
Security teams use cyber threat monitoring to detect emerging risks by continuously watching data sources worldwide for early indicators of attack. These indicators include attack trends, newly disclosed system vulnerabilities, and emerging attacker behaviors.
How do analysts use threat intelligence to guide cyber-threat hunting efforts?
Analysts use threat intelligence to decide what to look for, where to look, and how urgently to act upon the cyber threats detected.
What type of threat indicators can risk intelligence platforms spot?
By searching PAI, agentic risk intelligence platforms can surface:
- Early warnings about new malware strains
- Active ransomware campaigns
- Industry-specific cyberattack trends
- Tactics and techniques used by cyber attackers
- IP addresses and domains associated with malicious activity
- Other threat indicators
What role do automation and AI play in modern cyber threat hunting techniques?
Automated AI capabilities enable cyber threat hunts to run at scale. Agentic risk intelligence platforms can automate repetitive analytical tasks while surfacing threat indicators. These platforms provide automated and rapid data collection and normalization, continuous scanning for known and emerging threat indicators, pattern detection and correlation, and alert prioritization.
These capabilities give human analysts the time needed to focus on the types of threats that require human detection and intervention.
What are the key benefits of intelligence-led cyber threat hunting?
By providing insight gleaned from OSINT worldwide, intelligence-led cyber threat hunting empowers analysts to look beyond imminent and realized threats to long-term risk. This intelligence helps organizations protect themselves from those risks.
In addition, because intelligence-led cyber threat hunting provides information on specific attack events and behaviors, it can dramatically reduce the number of anomalies erroneously tagged as “threats.” In doing so, it helps organizations better focus resources on verified threats, rather than benign anomalies.
How can organizations filter relevant signals from large volumes of threat data?
When working with agentic risk intelligence platforms, organizations can create rules that filter relevant information into prioritized risk categories based on the risk’s potential severity. Analysts can also compare anomalies against recognized risks (active breach campaigns, known malicious IPs, and more). Further, they can correlate possible risk signals into more meaningful alerts. Unusual login behavior combined with a questionable data transfer is a more significant risk indicator than either of these activities taken singly.
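One way to express such rules, as an added example rather than Babel Street's own rule engine: each user's signals within a two-hour window are scored, distinct signal types that co-occur earn a combination bonus, and the total is mapped onto severity categories so that a lone odd-hours login stays low while the same login followed by a large transfer and a threat-intelligence match becomes critical. The event stream, weights, window and thresholds are constructed for the example.

```python
"""Correlate weak per-user signals into prioritised alerts.
Added example, not Babel Street code. Events, weights and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed normalised events, as a SIEM or intelligence platform might hand them to a rules layer.
EVENTS = [
    {"ts": "2024-03-04T02:10:00Z", "user": "alice", "signal": "odd_hours_login"},
    {"ts": "2024-03-04T02:25:00Z", "user": "alice", "signal": "large_transfer", "bytes": 4_000_000_000},
    {"ts": "2024-03-04T02:40:00Z", "user": "alice", "signal": "ti_match", "indicator": "203.0.113.200"},
    {"ts": "2024-03-04T03:05:00Z", "user": "bob", "signal": "odd_hours_login"},
    {"ts": "2024-03-04T14:00:00Z", "user": "carol", "signal": "large_transfer", "bytes": 2_000_000_000},
    {"ts": "2024-03-04T22:00:00Z", "user": "carol", "signal": "odd_hours_login"},
]

# Assumed rule weights: one weak signal scores low; each extra distinct signal type in the window
# adds a bonus, which is what makes "login anomaly plus transfer" outrank either alone.
WEIGHTS = {"odd_hours_login": 20, "large_transfer": 30, "ti_match": 50}
COMBO_BONUS = 25
WINDOW = timedelta(hours=2)
CATEGORIES = [(100, "critical"), (60, "high"), (30, "medium"), (0, "low")]


def categorise(score):
    """Map a numeric score onto the organisation's severity buckets."""
    for threshold, name in CATEGORIES:
        if score >= threshold:
            return name
    return "low"


def score_cluster(user, cluster):
    kinds = {e["signal"] for e in cluster}
    score = sum(WEIGHTS[k] for k in kinds) + COMBO_BONUS * (len(kinds) - 1)
    return {"user": user, "score": score, "severity": categorise(score),
            "signals": sorted(kinds), "start": cluster[0]["ts"], "end": cluster[-1]["ts"]}


def correlate(events, window=WINDOW):
    """Group each user's events into clusters no longer than `window`, score each cluster, rank."""
    parsed = sorted(({**e, "t": datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")} for e in events),
                    key=lambda e: e["t"])
    by_user = defaultdict(list)
    for e in parsed:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        cluster = []
        for e in evs:
            if cluster and e["t"] - cluster[0]["t"] > window:
                alerts.append(score_cluster(user, cluster))
                cluster = []
            cluster.append(e)
        alerts.append(score_cluster(user, cluster))
    alerts.sort(key=lambda a: -a["score"])
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

Carol's two signals are eight hours apart, so they are scored as separate low and medium alerts rather than being fused; the window is what keeps unrelated oddities from being stitched into a false narrative. Tuning the weights and window against a few weeks of real alerts is the part that has to be done per organisation.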
What trends are shaping the future of cyber threat hunting and monitoring?
Cyber threat hunting is growing into an intelligence-driven discipline, one that requires the right agentic risk intelligence platform to continuously monitor publicly available information and transform it into true threat intelligence. While device/network indicators of security incursions will remain important, understanding of criminal behavior and trends will become paramount. To better secure their organizations, cybersecurity professionals will increasingly rely on automation, threat predictions, and detection of criminal trends and behaviors, among other capabilities.