CISO Roundtable Recap: Threat Hunting, AI, and Operational Priorities

(March 12, 2026)

Security leaders from a range of industries recently gathered for a discussion on the current state of threat hunting, operational security maturity, and the growing influence of AI in security operations. The conversation offered a shared recognition that proactive defense is essential, but many organizations are still working through the practical challenges of implementing it at scale.

Participants described a landscape where security teams must balance strategic initiatives with immediate operational demands. Threat hunting, advanced analytics, and intelligence-driven investigations are widely viewed as important capabilities. At the same time, many organizations are still focused on strengthening core security operations, maintaining compliance obligations, and responding to the constant flow of alerts and incidents.

One CISO summarized the challenge directly, noting that proactive security practices are widely supported in theory but are often difficult to prioritize in day-to-day operations.

“Threat hunting is something we all want to do more of, but it competes with a lot of other priorities that demand attention first.”

Threat Hunting as a Maturing Capability

Threat hunting was a central topic of the conversation, with participants describing varying levels of maturity across their organizations. While some teams have established structured hunting programs, many are still developing the internal expertise and operational frameworks required to support continuous proactive investigations.

Several leaders explained that threat hunting is often misunderstood within organizations. It is not simply an extension of monitoring or alert triage. Instead, it requires analysts who can examine behavioral patterns, investigate subtle anomalies, and connect signals that automated tools may not immediately surface.

“It cannot be something someone does when they have spare cycles. It really needs dedicated people who are focused on hunting.”

In many environments, threat hunting currently takes the form of targeted investigations rather than continuous programs. Analysts may pursue specific hypotheses or explore suspicious signals that emerge from telemetry platforms. These investigations are often driven by threat intelligence insights or emerging attack patterns observed across the industry.

As organizations mature their security programs, many leaders expect threat hunting to evolve from occasional exercises into structured operational capabilities.

The Role of Managed Services in Security Operations

Another consistent theme across the discussion was the reliance on managed security services to supplement internal teams. Many organizations leverage managed security operations centers or managed detection and response services to handle monitoring, alert triage, and periodic threat investigations.

For some organizations, these services provide the primary mechanism for proactive detection. Managed providers may conduct scheduled threat hunts or investigate anomalies surfaced through endpoint and network telemetry.

However, several CISOs stated that external services are most effective when combined with internal expertise. Managed services can monitor environments and provide valuable insights, but they often lack the deep organizational context that internal teams possess.

One security leader explained that managed services play an important supporting role but cannot fully replace internal capabilities.

“Our SOC provider does a lot of the monitoring and hunting for us, but we still need internal people who understand the environment and can interpret what those signals actually mean.”

This hybrid model is increasingly common. Organizations rely on managed providers for scale and coverage while gradually building internal security teams that can perform deeper investigations and strategic analysis.

Security Teams Balancing Compliance and Real-World Risk

Compliance obligations were another important part of the conversation. Many organizations must maintain certifications or regulatory frameworks that require extensive documentation, audits, and policy enforcement.

While these frameworks provide useful structure, participants noted that compliance activities can sometimes consume resources that might otherwise support proactive security initiatives.

Security leaders highlighted that compliance should be viewed as a baseline rather than the ultimate goal of a security program. Meeting regulatory requirements does not necessarily mean an organization is well prepared to detect advanced threats.

“Compliance gets you to a minimum standard, but attackers are not following those frameworks.”

As a result, many security leaders are attempting to strike a balance between satisfying regulatory expectations and investing in capabilities that improve real-world threat detection.

AI and Automation in Security Workflows

It should come as no surprise that AI was a focal point of the roundtable. Participants described growing interest in AI tools that can assist with operational efficiency, particularly in areas such as vulnerability management, reporting, and incident coordination.

Rather than replacing analysts, most organizations are using AI to streamline repetitive tasks and help teams process large volumes of security data. Tools that summarize findings, assist with documentation, or generate operational insights are becoming increasingly common.

Some organizations are also exploring AI capabilities integrated into enterprise platforms to support broader security workflows. These tools can help analysts quickly interpret alerts, identify relevant context, and accelerate response activities. However, participants stated that AI remains a supporting capability rather than a complete solution.

Human expertise remains critical for interpreting complex signals, understanding attacker behavior, and evaluating unusual activity within large environments. Automation can surface potential indicators, but experienced analysts are still needed to determine whether those signals represent legitimate threats.

Intelligence-Driven Security Investigations

Several organizations described integrating intelligence insights into their threat hunting efforts in order to focus investigations on realistic adversary tactics. Rather than scanning environments randomly, intelligence-driven hunting allows analysts to test specific hypotheses based on known attacker behaviors. This approach helps security teams prioritize their efforts and concentrate on threats that are more likely to affect their organizations.

It was noted that analysts with backgrounds in intelligence or military operations often bring structured investigative methods to these efforts. These methodologies can improve the effectiveness of threat hunting programs and help teams develop repeatable investigative processes.

By combining intelligence insights with telemetry from endpoint detection, SIEM platforms, and other monitoring tools, security teams can develop a more complete picture of potential threats.

The Path Toward Stronger Security Maturity

The roundtable discussion ultimately highlighted the ongoing evolution of enterprise security programs. Many organizations are still strengthening foundational capabilities such as monitoring, incident response, and vulnerability management. At the same time, there is growing recognition that proactive threat detection will play a larger role in the future.

Security leaders expect their teams to gradually expand threat hunting capabilities as resources and expertise grow. This process often begins with targeted investigations, intelligence-driven campaigns, and closer collaboration between security operations and engineering teams.

The discussion also made clear that the future of security operations will depend on a combination of skilled analysts, effective tools, and strong operational processes. Technology can improve visibility and efficiency, but mature security programs still depend on experienced professionals who can interpret signals, ask the right questions, and investigate unusual behavior.

For many organizations, the goal is not simply to respond to threats more quickly. It is to identify and disrupt them before they can cause meaningful harm.