◆ Autonomous Orchestrator
Forms hypotheses from fresh threat intel ('if this APT is in our sector, here is what their lateral movement looks like') and hunts for the predicted footprint across the telemetry. It sustains the search across data domains, parking and resuming leads. Confirmed leads become new detections; everything else becomes a documented hunt.
Memory
Working The hunt hypothesis and the evidence board.
Episodic Prior hunts and which hypotheses paid off.
Semantic Adversary TTP library, the bank's environment baseline.
Store Knowledge graph (TTP ↔ telemetry) + hunt journal
Orchestration
orchestrator-worker MCPA2A
Harness · Managed Agents: orchestrator spawning parallel hunt sub-agents over data domains; fresh context per sub-agent; structured note-taking for the hunt journal.
Tools
›_ Data lake / log search Code exec ⌘ Threat-intel platform MCP { } Detection-rule repository API ⇄ SOC triage agent A2A
Evals & guardrails
- New detection rules ship to shadow-mode first; false-positive rate gated before promotion.
- Citation discipline: every hunt finding links to the source telemetry.
- Containment actions route through the Guardrails agent for scope enforcement before commit.
Frontier edge
- ▲Long-horizon autonomy: sustains a multi-hour hunt across data domains, parking and resuming leads, well out on the METR time-horizon curve.
- ▲World-model simulation: models how a given APT would move laterally through the bank's own topology, then hunts for that predicted footprint.
- ▲Proactive / anticipatory: forms and chases intel-driven hypotheses below the alerting threshold before anything fires.
In numbers
40+
Hunts / week
12
New detections promoted / month
Handoffs
Fed by ← SOC Alert Triage Agent
Hands to → Guardrails & Kill-Switch Agent