Exploring the AI Automation Boundary for Threat Hunting
A practitioner talk by Arthi Nagarajan (Datadog) at Unprompted (March 2026), on applying AI to threat hunting across large, schema-diverse telemetry. Abstract-only; slides and video are not yet captured.
The Argument
The talk’s framing is that modern threat hunting is limited not by a lack of telemetry but by humans’ ability to navigate overwhelming volumes of it. Datadog automated three parts of the hunting workflow: hypothesis-driven query generation, iterative refinement, and narrowing toward pivotal evidence. The system evolved from a single agent into an orchestrator-subagent architecture. The talk’s central contribution is the idea of an automation boundary: an explicit account of where AI accelerates defensive work, where it creates new risk (trust, hallucinations, evaluation under real-world constraints), and which design decisions establish trust with human threat hunters.
Where It Fits
This is direct evidence for the threat-hunting capability in the Agentic SOC: State of the Field thesis. The single-agent → orchestrator-subagent migration matches the supervisor-worker pattern named in the Oversight Layer and in the Salesforce Beyond the Chatbot Agentic SOC talk. The “automation boundary” is the operational form of the thesis’s action-authority question: which steps an agent runs autonomously versus where a human stays in the loop.