Announcing Threat Hunt and Skills: Why We Refused to Build Another One-Size-Fits-All AI SOC Platform

Nate Burke

June 1, 2026

7 min read

There is a version of agentic security where the vendor hands you a SaaS product and says: here is how investigations work. Here is how agents triage alerts. Here is how they respond. Adapt to it. No need for people anymore. 

That version is already everywhere.

We built a different one.

Today 7AI is announcing Threat Hunt, Threat Intel Hunt, and Skills. If you want to understand why they exist, you have to understand the philosophy underneath them. These are not features. They are a statement about who should be in control.


The Commodity Trap in Security Investigation Products

Most AI SOC platforms have been built on an implicit assumption: there is one way to do an investigation, and the vendor has defined it for you.

Alert fires. Triage follows a playbook. Escalation path is predetermined. Response runs a script.

It works for the easy case. It fails on the ones that matter most, because the threat you don't already have a playbook for is the one that has already found a way through.

This model is deeply comfortable for vendors. One way to do things means one thing to build, one thing to maintain, one thing to sell. It also means the SOC team at a financial services firm with 20,000 people and a 15-year threat model has to adapt their decades of institutional knowledge to fit someone else's idea of how security should work.

That never sat right with us.


What AI Agents Should Actually Do for Security Teams

No human analyst treats every alert the same way.

A suspicious login from a contractor account in an unmanaged network segment gets handled differently than the same behavior from an executive on a managed device. A threat hitting a PCI-scoped system triggers a different set of steps than one isolated to a dev environment. A newly published TTP from a threat actor relevant to your industry warrants a different response than generic commodity malware.

Analysts know this. They do it instinctively. The problem is that most commodity investigation products don't. They run the same workflow on everything, because building one workflow is easier than building one that adapts.

7AI was built to work the way analysts actually work. The platform has now completed more than 7 million investigations in production, and that scale matters for a specific reason: the agents already understand each customer's environment, network segments, user populations, and threat context. Threat Hunt and Skills let security teams take that foundation and direct it — telling the platform to take additional steps based on a specific threat type, follow a different path based on a network segment, geo, or user type, and respond differently based on what the asset actually is.

The platform conforms to how your team thinks. Not the other way around.


How 7AI Threat Hunt Works

Threat Hunt lets an analyst direct an autonomous, hypothesis-driven investigation in plain language. They describe a suspected technique, an emerging behavior pattern, or a MITRE ATT&CK TTP. The platform builds the hunt plan and runs the full investigation across live customer telemetry, returning a finding in minutes rather than the hours or days a manual hunt requires.

The analyst directs. The agents execute at machine speed.

Threat Intel Hunt connects to threat intelligence sources and uses incoming intelligence to launch investigations automatically. As a source delivers new indicators, attacker techniques, and TTPs, the platform checks them continuously against the customer environment and opens an investigation the moment one becomes relevant. Security teams are able to operationalize new intelligence the moment it arrives, instead of waiting for someone to read a feed and run a manual search.

Both capabilities are designed to meet the cyber threat hunting requirements of NIST SP 800-53 Rev. 5 RA-10 and HIPAA Security Rule §164.308, replacing manual, resource-intensive hunting programs with an always-on, audit-ready capability.


Skills: How Security Teams Teach AI Agents to Work Their Way

Skills is the capability that makes the philosophy real.

Security teams can build and deploy their own skills, defining exactly how investigations, hunts, and responses should run based on the conditions that matter in their environment. Based on a specific threat type, run additional investigation steps. Based on a network segment or user group, follow a different path. Based on asset classification, apply a different response.

This is the decision tree every experienced analyst carries in their head, made permanent and running at machine speed across every investigation.

The difference from traditional customization is what is actually being encoded. Not preferences. Not UI settings. The team's own investigative decisions. Every investigation the platform runs reflects those decisions automatically, without anyone having to make them again.

Instead of your team adapting to how a vendor thinks security work should be done, the platform executes exactly how your team decided it should be done.


Proven in Production: The CRXfiltrate Investigation

7AI does not ship capabilities and then look for proof that they work.

The validation for Threat Hunt is CRXfiltrate — an undocumented JavaScript execution backdoor that 7AI's threat research team uncovered operating across roughly 60 Chrome extension domains for sixteen months. It had no public IOCs and no threat feed coverage. It was invisible to every detection system meant to catch it, because it left nothing for conventional tooling to match against.

Finding it required hypothesis-driven hunting. Threat Hunt allowed PLAID ELITE to hunt for the backdoor across customer environments the moment the team understood the technique, without waiting for a public IOC or feed coverage.

Full research is published at blog.7ai.com/crxfiltrate.


See Threat Hunt and Skills at Gartner Security Summit

If you are at Gartner Security Summit this week, come to the 7AI booth #916. We are showing Threat Hunt, Threat Intel Hunt, and Skills running live. Our team will walk you through how it works.

There is a version of this conversation that goes better in person, and this is it.

What This Is Really About

One-size-fits-all approaches make you adapt to the product. We think it should be the other way around.

Your team's expertise is the asset. The platform should amplify it, not replace it with something generic. That is the philosophy underneath everything we built today.

Threat Hunt. Threat Intel Hunt. Skills. Your way.


Frequently Asked Questions

What is AI-driven threat hunting? AI-driven threat hunting is a security capability in which an analyst provides a hypothesis — a suspected attacker technique, behavior pattern, or MITRE ATT&CK TTP — and an AI platform autonomously runs the full investigation across live telemetry. 7AI's Threat Hunt capability returns findings in minutes, compared to the hours or days a manual hunt requires. It is designed to replace resource-intensive manual hunting programs with an always-on, audit-ready capability.

How is 7AI Threat Hunt different from traditional threat hunting tools? Traditional threat hunting tools require analysts to manually construct queries, run searches, and interpret results across multiple data sources. 7AI Threat Hunt accepts a hypothesis in plain language and autonomously builds the hunt plan, executes the investigation across live telemetry, and returns a structured finding. Because the 7AI platform has already completed more than 7 million investigations in production environments, the agents carry deep environmental context into each hunt from the start.

What are Skills? In the 7AI platform, Skills are custom capabilities that security teams build and deploy to define exactly how AI agents should investigate, hunt, and respond based on conditions in their environment. Based on a specific threat type, run additional steps. Based on a network segment, user group, or asset classification, follow a different path. The platform encodes the logic analysts already use, and runs it at machine speed across every investigation automatically.

What is Threat Intel Hunt? Threat Intel Hunt is a 7AI capability that connects to threat intelligence sources and uses incoming indicators, attacker techniques, and TTPs to automatically launch investigations in the customer environment. The moment a new piece of intelligence is relevant to the customer's environment, the platform opens an investigation, without waiting for a human to read a feed or run a manual search.