agentic-threat-hunting-framework by Nebulock-Inc

Agentic threat hunting framework for autonomous cyber defense

Created 6 months ago
262 stars

Top 97.0% on SourcePulse

Project Summary

Agentic Threat Hunting Framework (ATHF) addresses the loss of context and knowledge in traditional threat hunting by providing a structured, persistent, and AI-accessible memory layer. It targets security analysts and teams seeking to enhance their threat hunting capabilities with automation and intelligence. ATHF enables organizations to build systems that remember, learn, and act with increasing autonomy, transforming hunts into a reusable knowledge base.

How It Works

ATHF structures hunts using the LOCK pattern (Learn → Observe → Check → Keep), creating a consistent, machine-interpretable format. It defines a five-level maturity model for agentic hunting, progressing from documented hunts to autonomous agents. The framework acts as a memory and automation layer, integrating with any SIEM/EDR and hunting methodology. This approach makes past investigations searchable and accessible to AI assistants, providing context and preventing knowledge loss.

Quick Start & Requirements

Installation is recommended via PyPI (pip install agentic-threat-hunting-framework). Key commands include athf init for workspace setup, athf research new for AI-powered pre-hunt research, and athf hunt new for creating hunts. Prerequisites are Python 3.8-3.13 and an AI code assistant (e.g., GitHub Copilot, Cursor). Optional dependency groups are available for enhanced ATT&CK data ([attack]) and the MCP server ([mcp]). Official documentation is linked throughout the README.

Highlighted Details

  • Includes AI-powered research and hypothesis generation agents (v0.3.0+).
  • Features MITRE ATT&CK Data Management (v0.11.0) with optional STIX support for detailed technique metadata.
  • Offers an MCP Server (v0.11.0) that exposes 17 tools for direct integration with AI coding assistants.
  • Defines a five-level maturity model for agentic threat hunting capabilities.

Maintenance & Community

Community interaction is facilitated via GitHub Discussions and Issues. Updates and organizational information are available on the Nebulock Inc. LinkedIn page. The framework is designed to be internalized and customized by adopting organizations, with adoption guidance provided in USING_ATHF.md.

Licensing & Compatibility

The README does not explicitly state the software license. The framework is designed for forking and customization and is compatible with any SIEM/EDR platform.

Limitations & Caveats

Advanced agentic hunting levels (3 and 4) are optional and require significant implementation time (weeks to months). Full MITRE ATT&CK data requires optional installation. Crucially, the absence of a stated software license in the README presents a significant adoption blocker and requires clarification.

Health Check

  • Last Commit: 1 day ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 1
  • Issues (30d): 3
  • Star History: 21 stars in the last 30 days

Starred by Chip Huyen (Author of "AI Engineering", "Designing Machine Learning Systems").