Vibe Hunting: A Vision for Our Threat Hunting Future
It’s All About the Vibes These Days, Isn’t It?
Happy Marathon Monday from Boston folks! There's a phrase that's been floating around in AI engineering circles lately: vibe coding. It's the practice of throwing a prompt into an LLM, tweaking the outputs until the errors stop, and shipping it. It's chaotic, intuitive, and surprisingly effective. In some corners of the internet, it's a meme. In others, it's a movement. But in cybersecurity, where precision matters and creativity is mandatory, there's something in the "vibe" movement worth exploring.
This Substack exists to make the esoteric world of cybersecurity more explainable. And there's arguably nothing more misunderstood, misused, or mythologized in our industry than threat hunting. Ask ten people to define it, and you'll get thirteen answers—usually involving keywords like "hypothesis-based," "PEAK," or "tribal knowledge." (As a note: beware when someone uses the term IOC in the same sentence as threat hunting, my friends.) Threat hunting is a career path, a strategy, a mindset and a workflow. It's also, often, a four-letter word for CISOs trying to explain to the board why they need another $500K to look for unknown unknowns.
So here's a question: what if we could make threat hunting more accessible? Not just AI-ify the job with another co-pilot or chatbot, but actually empower current and future network defenders to translate their instincts into action without needing to memorize a detection DSL (domain specific language) or swivel between five tabs? What if we could bring the intuitive approach of "vibe coding" to the disciplined practice of threat hunting?
Endgame Was a Beginning
Back in the 2010s, a company called Endgame introduced Artemis (the "goddess of the hunt"). Artemis was one of the first attempts to use natural language for threat hunting. It was ahead of its time. Endgame was acquired and Artemis has not been heard of in almost a decade. But the vision was clear: ask your system a question like "Are there any parent-child process anomalies on my finance team's endpoints this week?" and get an answer you could act on.
Fast forward to 2025, and every vendor now offers some kind of "AI co-pilot" with varying levels of actual utility. They summarize alerts. They auto-close tickets. Some even write detections. But most fall short of enabling true threat hunting, the kind that lets a human analyst shape the hypothesis and steer the investigation.
So what's missing?
Introducing: Vibe Hunting
At its core, vibe hunting is about prompting LLMs or agents to perform parts, or all, of a threat hunting workflow. It's a little less rigid than formal detection engineering. A little more exploratory than reactive triage. But it's grounded in real signals.
Currently, many LLM integrations in security focus solely on translating natural language into queries. That delivers micro-efficiencies but misses the bigger picture of how analysts actually work through the hunting process end-to-end. There must be a better way to leverage AI across the entire hunting workflow.
Here's a tangible example of what this looks like in practice:
Imagine a threat hunter notices unusual behavior tied to recent nation-state campaigns. Instead of manually drafting queries, the hunter simply prompts: "Show me endpoint logs matching known APT lateral movement tactics from this week." Instantly, the system returns refined queries, enriched findings with contextual threat intel, and a validated hypothesis, ready to share and act upon. The result? A potential attack pathway identified in minutes rather than hours, with less cognitive load and more comprehensive results.
Vibe hunting can further include:
Asking an LLM to generate queries across your endpoint telemetry to look for patterns matching recent APT tactics.
Feeding in suspicious log lines and getting not just a summary, but an enriched hypothesis with links to MITRE ATT&CK.
Walking through a full hunt loop: from hypothesis → query → results → enrichment → decision, without chair-swiveling between tools.
And yes, doing all of this in a way that feels more like conversation than code.
Vibe hunting isn't about replacing threat hunters. It's about giving them superpowers…especially the next generation who may not have spent ten years writing KQL or Regex.
What Threat Hunting Looks Like Today
To visualize this shift clearly, consider the following simplified Threat Hunting workflow:
In traditional hunting, every arrow in this chain represents manual toil and potential friction. To be clear, there may not always even be an actionable detection after a threat hunt is completed. Each transition requires switching contexts, tools, or thought processes. Vibe hunting smooths each transition, maintaining clarity, speed, and focus throughout the entire process.
Let's not sugarcoat it: hunting today is still deeply siloed and painfully manual. A typical hunt might involve:
Extracting a vague hypothesis from threat intel
Writing detections in a bespoke DSL
Waiting for data to process
Enriching results by Googling, Slack-pinging a teammate, and maybe checking VirusTotal
Documenting results manually
And then... maybe getting buy-in to productionize the detection
It's tribal. It's labor-intensive. And it's absolutely not scalable, especially for lean teams or orgs without dedicated hunters.
So what if an LLM could augment this process, not to hallucinate detections, but to scaffold, suggest, and iterate faster?
Jarvis…Show Me Threats!
I'm a huge Iron Man fan, so when thinking about vibe hunting, I can't help but use Tony Stark to illustrate the concept. When it comes to AI + threat hunters, humans remain the critical decision-makers in this process, like Tony Stark inside the Iron Man suit. Jarvis, Tony Stark's "AI assistant," helps with data gathering, hypothesis posing and fighting bad guys. The same applies here. Human intuition excels at judgment calls, contextual awareness, and final validation. Vibe hunting lets LLMs handle the repetitive groundwork, freeing hunters to focus on insights and strategy.
Here's what vibe hunting makes possible:
Prompt-based hypothesis building: Describe suspicious behavior in natural language and get back a set of refined queries, mapped to a common framework like the MITRE ATT&CK Framework and tuned to your own data schema.
Feedback loops with synthetic data: Simulate attack behavior and let the system self-validate whether the detection logic would catch it.
Fused context: Rather than bouncing between your SIEM, a markdown file, and a threat intel report, vibe hunting consolidates the context into one place.
Human-in-the-loop refinement: You're not out of the loop. You're the loop. Vibe hunting lets analysts stay in control, but move faster and deeper.
It's the equivalent of replacing manual gear-shifting with a dual-clutch paddle…you still drive, but now you fly.
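To make the hunt loop (hypothesis → query → results → enrichment → decision) and the synthetic-data feedback loop concrete, here is an added example. It is not code from the post or from any vendor product; the LLM step is a stub that returns fixed candidate rules, the telemetry and synthetic events are constructed, and the rule names and the ATT&CK mapping for them are my own choices (the technique IDs themselves are real). The point it shows beyond the text is the ordering: a proposed rule only runs against real telemetry after it has caught its synthetic true positives and stayed quiet on benign look-alikes, and the final decision is left to the analyst.

```python
"""Added example (not from the post): one pass of a vibe-hunting loop with
synthetic-data self-validation. The LLM call is stubbed; all data and names
are constructed illustrations."""
from typing import Callable

Event = dict
Rule = Callable[[Event], bool]

# Constructed endpoint telemetry (parent/child process events), not real logs.
TELEMETRY = [
    {"host": "fin-ws-01", "parent": "explorer.exe", "child": "outlook.exe", "cmdline": "outlook.exe"},
    {"host": "fin-ws-02", "parent": "services.exe", "child": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "fin-ws-03", "parent": "services.exe", "child": "PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "fin-ws-03", "parent": "cmd.exe", "child": "wmic.exe",
     "cmdline": "wmic /node:fin-ws-04 process call create notepad.exe"},
]

# Enrichment table: the ATT&CK IDs are real, the rule-to-technique choice is ours.
ATTACK_MAP = {
    "psexec_service": ("T1021.002", "SMB/Windows Admin Shares"),
    "wmi_remote_exec": ("T1047", "Windows Management Instrumentation"),
}

# Constructed synthetic events: each rule must catch its "hits" and stay
# silent on its "benign" look-alikes before it is allowed to run for real.
SYNTHETIC = {
    "psexec_service": {
        "hits": [{"host": "s", "parent": "services.exe", "child": "psexesvc.exe", "cmdline": ""}],
        "benign": [{"host": "s", "parent": "services.exe", "child": "svchost.exe", "cmdline": ""}],
    },
    "wmi_remote_exec": {
        "hits": [{"host": "s", "parent": "cmd.exe", "child": "WMIC.exe",
                  "cmdline": "wmic /node:srv1 process call create x"}],
        "benign": [{"host": "s", "parent": "cmd.exe", "child": "wmic.exe", "cmdline": "wmic os get caption"}],
    },
}


def llm_propose_rules(hypothesis: str) -> dict[str, Rule]:
    """Stand-in for the prompt step. A real implementation would send the
    hypothesis plus the data schema to a model and return its candidate rules
    for analyst review; here the candidates are fixed (hypothetical)."""
    return {
        "psexec_service": lambda e: e["parent"].lower() == "services.exe"
        and e["child"].lower().startswith("psexesvc"),
        "wmi_remote_exec": lambda e: e["child"].lower() == "wmic.exe"
        and "/node:" in e["cmdline"].lower(),
    }


def validate_rule(rule: Rule, hits: list[Event], benign: list[Event]) -> list[str]:
    """Feedback loop: return the list of problems found (empty means pass)."""
    problems = [f"missed synthetic hit: {e['child']}" for e in hits if not rule(e)]
    problems += [f"fired on benign event: {e['cmdline'] or e['child']}" for e in benign if rule(e)]
    return problems


def hunt(hypothesis: str, telemetry: list[Event]) -> dict:
    """Run the loop once and hand enriched findings to the analyst."""
    rules = llm_propose_rules(hypothesis)
    validation = {name: validate_rule(r, **SYNTHETIC[name]) for name, r in rules.items()}
    findings = []
    for name, rule in rules.items():
        if validation[name]:  # never run a rule that failed self-validation
            continue
        tech_id, tech_name = ATTACK_MAP[name]
        for ev in telemetry:
            if rule(ev):
                findings.append({"rule": name, "host": ev["host"], "attack_id": tech_id,
                                 "attack_name": tech_name, "evidence": ev["cmdline"]})
    # The decision stays with the human: the loop scaffolds and suggests only.
    return {"hypothesis": hypothesis, "validation": validation,
            "findings": findings, "decision": "pending analyst review"}


if __name__ == "__main__":
    report = hunt("lateral movement via remote service creation or WMI on finance endpoints", TELEMETRY)
    for f in report["findings"]:
        print(f"{f['host']}: {f['rule']} -> {f['attack_id']} {f['attack_name']} ({f['evidence']})")
    print("decision:", report["decision"])
```

Swapping the stub for a real model call changes nothing downstream: the validation gate and the analyst decision stay where they are, which is what keeps a hallucinated rule from ever touching production telemetry.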
Practical Considerations and Limitations
Let's get this straight: vibe hunting is not magic. LLMs can hallucinate. They don't know your data quality. They can guess wrong.
Let's clearly address operational challenges too. Beyond hallucinations and data quality issues, organizations must manage:
Compliance concerns: How do you audit AI-assisted hunting decisions?
Data privacy: What context is being shared with the LLM?
Permission management: How do you ensure the AI only operates within appropriate boundaries?
These risks aren't trivial. They are manageable through thoughtful implementation, proper guardrails, and human oversight.
With the right architecture, including validation against known-good data, analyst review, and permission-aware context, vibe hunting becomes a serious workflow enhancer. And the better the feedback loop between human and AI, the better the outcome: 1 + 1 really can equal 3.
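The three operational concerns above (auditability, what context leaves the tenant, and what the AI is permitted to do) each map to a small, testable guardrail. The following is an added example, not code from the post or from any product: the redaction patterns, the tool allow-list and the hash-chained audit log are hypothetical policies, and the sample event is constructed. It shows the order in which a guarded hunt step applies them, so that only scrubbed context is ever logged or sent onward, state-changing tools need a named approver, and every step is recorded in a form a reviewer can later check for tampering.

```python
"""Added example (not from the post): three guardrails for an AI-assisted hunt
loop, one per concern listed above. Policies, names and the sample event are
hypothetical illustrations."""
import hashlib
import json
import re
from datetime import datetime, timezone
from typing import Optional

# --- Data privacy: scrub identifiers before the context leaves the tenant.
# Values become short hashes so events stay correlatable; hostnames are kept.
_USER = re.compile(r"(?i)\b(user|account)=([^\s;,]+)")
_EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _token(kind: str, value: str) -> str:
    return f"<{kind}:{hashlib.sha256(value.encode()).hexdigest()[:8]}>"


def redact(text: str) -> str:
    """Return the context with account names, e-mails and IPs tokenised."""
    text = _USER.sub(lambda m: f"{m.group(1)}={_token('user', m.group(2))}", text)
    text = _EMAIL.sub(lambda m: _token("email", m.group(0)), text)
    text = _IPV4.sub(lambda m: _token("ip", m.group(0)), text)
    return text


# --- Permission management: the agent may only call allow-listed tools, and
# anything that changes state needs a named analyst approval (hypothetical sets).
READ_ONLY_TOOLS = {"search_logs", "lookup_hash", "attack_lookup"}
PRIVILEGED_TOOLS = {"isolate_host", "disable_account"}


class PermissionDenied(Exception):
    pass


def authorize(tool: str, approved_by: Optional[str] = None) -> str:
    if tool in READ_ONLY_TOOLS:
        return "allowed"
    if tool in PRIVILEGED_TOOLS:
        if approved_by:
            return f"allowed (approved by {approved_by})"
        raise PermissionDenied(f"{tool} requires analyst approval")
    raise PermissionDenied(f"{tool} is not an allow-listed tool")


# --- Compliance: an append-only, hash-chained record of every AI-assisted step.
class AuditLog:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, tool: str, context: str, outcome: str) -> dict:
        body = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor, "tool": tool,
                "context": context, "outcome": outcome, "prev": self._prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry

    def verify(self) -> bool:
        """True if no entry was altered or removed since it was recorded."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def guarded_step(log: AuditLog, actor: str, tool: str, raw_context: str,
                 approved_by: Optional[str] = None) -> str:
    """One hunt step with the three guardrails applied in order."""
    context = redact(raw_context)              # privacy: only scrubbed text goes on
    try:
        outcome = authorize(tool, approved_by)  # permissions
    except PermissionDenied as exc:
        outcome = f"denied: {exc}"
    log.record(actor, tool, context, outcome)   # compliance: denied steps are logged too
    return outcome


# Constructed sample event, not a real log line.
SAMPLE_EVENT = ("host=fin-ws-03 user=jdoe src=10.20.30.40 "
                "alert=remote service created; contact=jdoe@corp.example")

if __name__ == "__main__":
    log = AuditLog()
    print(guarded_step(log, "hunt-agent", "search_logs", SAMPLE_EVENT))
    print(guarded_step(log, "hunt-agent", "isolate_host", SAMPLE_EVENT))
    print(guarded_step(log, "hunt-agent", "isolate_host", SAMPLE_EVENT, approved_by="analyst.a"))
    print("audit chain intact:", log.verify())
```

The hash chain is the cheap version of tamper-evidence; in production the same entries would go to write-once storage, but the shape of the record (who, which tool, what scrubbed context, what outcome) is what an auditor actually needs.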
Why Now?
Because the adversary is already vibing. They're using AI to generate phishing templates, to morph payloads, to blend into noise. And we're still hunting with SQL queries, IOC lookups, Jira tickets and Google Sheets.
Vibe hunting isn't about skipping steps. It's about skipping the toil. And if we do this right, we don't just make today's threat hunters better, we unlock and empower an entire generation of network defenders who can contribute earlier, faster, and more creatively than ever before.
So yeah. Maybe "vibe hunting" sounds like a meme. But the mission is very real. This concept is not designed to replace intuition, but accelerate it.
Let me know in the comments: Have you experimented with AI-assisted hunting workflows yet? What specific challenges do you think "vibe hunting" could help you solve? And for the skeptics: what guardrails would make you more comfortable with this approach?
Stay secure and stay curious, my friends.
Damien
Further Reading
Vibe hunting prospective users: Explore the MCP integration with Velociraptor at https://github.com/mgreen27/mcp-velociraptor
Vibe attacking: See how adversaries leverage AI with autonomous GenAI platforms in this DarkReading article: Autonomous GenAI Attacker Platform