Cisco Talos Expands AI-Driven Threat Hunting at Cisco Live
At Cisco Live in Las Vegas, Cisco Talos announced an expansion of its AI-driven threat hunting program combining telemetry analysis with human validation to find hidden intrusions.
Cisco Talos announced at Cisco Live U.S. in Las Vegas (May 31–June 4) that it is expanding its AI-driven Threat Hunting program to hunt for advanced adversaries by combining automated telemetry analysis with expert human validation. The program uses hypothesis-driven methods to correlate weak signals across endpoint, network and identity telemetry to identify intrusions that do not trigger conventional alerts.
The announcement came on the event’s closing day as security professionals discussed how organizations will move and protect large volumes of data in environments that use generative AI and automated agents. Talos described the expanded service as applying machine learning to large telemetry sets, then pairing those outputs with human analysis to validate complex intrusion scenarios before formal detection signatures exist.
In the Talos approach, analysts form investigative hypotheses about likely attacker behaviors and use AI to surface low-confidence or fragmented indicators across multiple telemetry sources. Human experts then review those indicators to assemble a coherent timeline and determine whether the activity represents a real intrusion. Talos said it identified recent KongTuke command-and-control activity using that method before a formal signature was available.
Talos framed the program as a response to attackers’ increased use of automation and evasive techniques. The team noted that simple pattern-matching rules can miss sophisticated campaigns that deliberately stay below standard alert thresholds, and that correlating signals across domains can reveal activity that isolated alerts do not.
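The two preceding paragraphs describe the core idea: individual signals that stay below a conventional alert threshold are correlated across endpoint, network and identity telemetry, on the same host and within a short window, so that a cross-domain sequence surfaces as one candidate timeline for an analyst to review. The following added example illustrates that hypothesis-driven correlation in a self-contained way; it is not Talos code and says nothing about how the Talos program is implemented. The log lines, signal names, weights, 30-minute window and alert threshold are all constructed assumptions for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

ALERT_THRESHOLD = 1.0            # a conventional per-event rule fires only at/above this
WINDOW = timedelta(minutes=30)   # hypothesis: stages of one intrusion land close together

# Assumed weights for the hypothesis; every signal is deliberately below ALERT_THRESHOLD,
# so none of them would raise a conventional alert on its own.
SIGNAL_WEIGHTS = {
    "login_new_geo": 0.35,                    # identity: sign-in from an unusual location
    "lolbin_rundll32_unusual_parent": 0.45,   # endpoint: living-off-the-land binary misuse
    "dns_newly_registered_domain": 0.30,      # network: lookup of a very young domain
    "periodic_beacon_low_volume": 0.40,       # network: small, regular outbound connections
}

# Constructed telemetry (not real data). Format: <iso ts>|<domain>|<host>|<user>|<signal>
SAMPLE_LOGS = """\
2025-06-03T09:02:11|identity|ws-17|jdoe|login_new_geo
2025-06-03T09:05:40|endpoint|ws-17|jdoe|lolbin_rundll32_unusual_parent
2025-06-03T09:07:02|network|ws-17|jdoe|dns_newly_registered_domain
2025-06-03T09:09:55|network|ws-17|jdoe|periodic_beacon_low_volume
2025-06-03T11:40:00|endpoint|ws-22|asmith|lolbin_rundll32_unusual_parent
2025-06-03T14:15:30|identity|ws-09|bwong|login_new_geo
2025-06-03T16:50:10|network|ws-09|bwong|dns_newly_registered_domain
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    domain: str   # telemetry source: identity, endpoint or network
    host: str
    user: str
    signal: str

    @property
    def weight(self) -> float:
        return SIGNAL_WEIGHTS.get(self.signal, 0.0)


def parse_events(text: str) -> list:
    """Parse the pipe-delimited sample format into time-ordered Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, domain, host, user, signal = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), domain, host, user, signal))
    return sorted(events, key=lambda e: e.ts)


def isolated_alerts(events, threshold=ALERT_THRESHOLD) -> list:
    """What a per-event rule would raise: signals whose own weight crosses the threshold."""
    return [e for e in events if e.weight >= threshold]


def _score(cluster, threshold, min_domains):
    """Turn one per-host cluster into a candidate if it is strong AND spans domains."""
    if not cluster:
        return []
    score = round(sum(e.weight for e in cluster), 4)
    domains = {e.domain for e in cluster}
    if score < threshold or len(domains) < min_domains:
        return []
    return [{
        "host": cluster[0].host,
        "users": sorted({e.user for e in cluster}),
        "score": score,
        "domains": domains,
        "timeline": [{"ts": e.ts.isoformat(), "domain": e.domain, "signal": e.signal}
                     for e in cluster],
    }]


def hunt(events, window=WINDOW, threshold=ALERT_THRESHOLD, min_domains=2) -> list:
    """Group weak signals per host into time windows and keep cross-domain clusters.

    Clusters start at their first event and absorb later events within `window`;
    a cluster becomes a candidate only when the summed weight reaches `threshold`
    and at least `min_domains` telemetry sources contribute to it.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    candidates = []
    for evs in by_host.values():
        cluster = []
        for e in evs:
            if cluster and e.ts - cluster[0].ts > window:
                candidates.extend(_score(cluster, threshold, min_domains))
                cluster = []
            cluster.append(e)
        candidates.extend(_score(cluster, threshold, min_domains))
    return sorted(candidates, key=lambda c: -c["score"])


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    print("per-event alerts that would have fired:", len(isolated_alerts(evs)))
    for c in hunt(evs):
        print(f"candidate host={c['host']} users={c['users']} score={c['score']} "
              f"domains={sorted(c['domains'])}")
        for step in c["timeline"]:
            print("   ", step["ts"], step["domain"], step["signal"])
```

On the constructed input, no single event reaches the alert threshold, so a per-event rule would stay silent; only ws-17 produces a candidate, because four weak signals from three telemetry domains land within eight minutes. Host ws-22 has one endpoint signal and ws-09 has two signals more than two hours apart, so neither passes the cross-domain and window checks. The candidate's timeline is the hand-off point to the human validation step the article describes: it is a lead to review, not a verdict.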
The expanded hunting service will be available through Cisco’s customer channels and via a dedicated portal in Cisco Security Cloud Control. Talos advised organizations that lack internal continuous hunting capacity to consider engaging the team for persistent coverage. The group published a detailed write-up of the KongTuke investigation on its blog and invited customers to contact their Cisco account teams for access.
At Cisco Live, Talos also highlighted several active threats observed in its telemetry. Examples include a sustained email compromise that provided near-continuous access to an executive’s inbox through legitimate system tools; a vulnerability that enables malicious code to steal OAuth tokens from web-based code editors; a phishing-as-a-service platform expanding its targets to additional cloud and identity providers; and a campaign that used compromised official package accounts to distribute a worm that harvests credentials. Talos additionally reported a fast-acting denial-of-service style exploit that affects many web servers configured with default HTTP/2 settings.
The team noted that timing matters as the security industry approaches a period with many vendor patches and advisories. Talos recommended that organizations prepare for a busy patch cycle and maintain active hunting and monitoring ahead of major security conferences later this summer.
Talos also referenced internal research on improving detection testing, including projects that generate richer synthetic logs to better simulate real-world attack behavior for tuning detection rules. The expanded threat-hunting offering builds on those detection-testing efforts and on ongoing telemetry analysis to increase the chance of finding sophisticated intrusions earlier.