“AI for security” is everywhere: agentic hunting, autonomous investigations, GPT copilots for your SOC. The promise is real—but the outcomes hinge on a simple constraint: models can’t reason about signals they don’t see. If your telemetry is thin, delayed, or de-contextualized, even the smartest agent will produce confident, wrong answers. In short: garbage in, garbage out.
What “Agentic” Systems Actually Need
AI-driven hunters excel when four data properties are present:
- Coverage — Endpoint, identity, network, DNS/TLS, email, SaaS, cloud control plane, workload/runtime, and application logs. If identity or egress is missing, you’ll miss lateral movement and exfil.
- Fidelity — Rich fields and process lineage; command lines, parent/child relationships, signed/unsigned status; DNS query/response pairs; cloud API callers and scopes.
- Continuity — Time-synced, lossless pipelines with enough retention to model sequence and dwell time.
- Context — Asset criticality, business function, user role, geolocation, exposure (internet-facing?), plus threat intelligence that maps behaviors to actors and campaigns.
Why XDR Isn’t Sufficient by Itself
XDR often aggregates EDR + email + some network signals. That’s a strong start, but it can still leave blind spots:
- Identity & Access Gaps: Legacy protocol use, token theft, suspicious consent grants—often outside endpoint-centric views.
- Cloud & SaaS Blindness: Control-plane abuse, cross-tenant pivots, and misconfigurations won’t show up in endpoint-only feeds.
- Application/Runtime Silence: Data staging inside apps, service-account misuse, and intra-service hops require app/runtime telemetry.
- Limited External Perspective: Without infrastructure intelligence (passive DNS, cert reuse, actor infrastructure), it’s hard to spot campaigns early.
XDR can correlate what it ingests; it cannot correlate what it never sees.
Threat Intelligence: The Missing Dimension
High-quality threat intelligence (TI) turns events into insight. Agents need:
- Actor TTPs and playbooks to form better hypotheses than “anomaly = bad.”
- Infrastructure intelligence (domain/IP/ASN patterns, TLS cert reuse) to connect seemingly unrelated alerts.
- Exploit and campaign signals (PoCs, actor interest, sector targeting) to prioritize genuinely dangerous activity.
- Exclusive sources—underground telemetry, private collections, and enriched passive DNS—to reveal links public feeds miss.
Models trained on behavior plus TI infer intent, not just deviation.
Failure Modes When Telemetry Is Thin
- Confident hallucinations: The agent “explains” activity with missing facts.
- Alert inflation: Anomaly-only detections flood analysts without actor/context signals.
- Missed chains: Medium-severity steps look benign until chained—identity + egress + staging rarely co-occur in a single dataset.
- Slow learning loops: Without durable context (campaign tags, actor infrastructure), agents can’t improve across incidents.
Build a “Telemetry Spine” Before You Add AI
Treat AI as the last mile. First, harden the data plane:
- Map coverage: Endpoint, identity (IdP/SSO), DNS + egress, email, cloud audit, workload/runtime, application logs.
- Normalize & de-duplicate: Common schemas and stable entity resolution (device ↔ user ↔ account ↔ asset).
- Time discipline: NTP everywhere; preserve ordering; capture drops.
- Enrich at ingest: Asset criticality, exposure, ownership, environment tags; attach ATT&CK technique hints when feasible.
- Integrate TI deeply: Actor profiles, infrastructure graphs, exploit maturity, victimology—resolvable by indicator and behavior.
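As an added illustration of the "missed chains" failure mode and of the spine steps just listed (an example written for this page, not code from the original post): constructed identity, endpoint and DNS events are normalized into one schema, device-to-user entity resolution fills in missing users, asset criticality is attached at ingest, and the stages are chained per user within a time window. Drop any one source and the chain disappears. All hosts, users, thresholds and the three stage rules are assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Constructed raw events in three hypothetical source-specific shapes.
RAW_EVENTS = [
    ("idp", {"ts": "2024-05-01T09:00:00", "user": "alice", "event": "token_issued", "auth": "legacy_basic"}),
    ("edr", {"ts": "2024-05-01T09:03:00", "host": "ws-17", "user": "alice", "proc": "7z.exe", "cmd": "7z a out.7z C:\\Finance"}),
    ("dns", {"ts": "2024-05-01T09:05:00", "host": "ws-17", "query": "cdn-updates.example.net", "bytes_out": 52_000_000}),
    ("dns", {"ts": "2024-05-01T10:00:00", "host": "ws-42", "query": "cdn-updates.example.net", "bytes_out": 1_200}),
]
# Constructed context for enrichment at ingest (device ↔ user ↔ asset criticality).
DEVICE_OWNER = {"ws-17": "alice", "ws-42": "bob"}
ASSET_CRITICALITY = {"ws-17": "high", "ws-42": "low"}

def normalize(source, raw):
    """Map a source-specific event onto one common schema with resolved entities."""
    host = raw.get("host")
    # Entity resolution: when a source carries no user, fall back to the device owner.
    user = raw.get("user") or DEVICE_OWNER.get(host)
    if source == "idp" and raw.get("auth") == "legacy_basic":
        stage = "identity"            # legacy-protocol sign-in (identity gap)
    elif source == "edr" and raw.get("proc", "").lower() in {"7z.exe", "rar.exe"}:
        stage = "staging"             # archive tool run (staging pattern)
    elif source == "dns" and raw.get("bytes_out", 0) > 10_000_000:
        stage = "egress"              # large outbound volume (egress)
    else:
        stage = None                  # benign on its own; kept for context
    return {"ts": datetime.fromisoformat(raw["ts"]), "user": user, "host": host,
            "stage": stage, "criticality": ASSET_CRITICALITY.get(host, "unknown")}

def find_chains(events, window=timedelta(hours=1)):
    """Return users whose identity, staging and egress steps all fall inside `window`."""
    by_user = {}
    for e in events:
        if e["stage"] and e["user"]:
            by_user.setdefault(e["user"], []).append(e)
    chains = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        stages = {e["stage"] for e in evs}
        if {"identity", "staging", "egress"} <= stages and evs[-1]["ts"] - evs[0]["ts"] <= window:
            chains[user] = [e["stage"] for e in evs]
    return chains

def run(sources=("idp", "edr", "dns")):
    """Build the spine from the selected sources; dropping any source breaks the chain."""
    return find_chains([normalize(s, r) for s, r in RAW_EVENTS if s in sources])
```

With all three sources `run()` reports alice's identity, staging, egress sequence; with only endpoint and DNS feeds it reports nothing, which is the XDR-only blind spot the post describes.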
Agent-Ready Telemetry Checklist (Quick Start)
- Internet-facing asset list + identity logs for all privileged actions
- DNS + TLS SNI/proxy logs tied to device and user
- Cloud control-plane audit trails and service principal activity
- Endpoint process lineage with command lines and persistence events
- Application/runtime logs for data access and staging patterns
- Continuous threat intel: actor TTPs, infrastructure reuse, exploitation-in-the-wild
- Retention windows that cover dwell time; hot storage for recent weeks
Takeaways
AI can triage faster, hunt wider, and explain better—but only atop broad, high-fidelity, context-rich telemetry. EDR + SIEM or a vanilla XDR stack won’t unlock agentic hunting on its own. Add deep identity, cloud, network/DNS, application/runtime visibility—and fuse it with high-quality, preferably exclusive threat intelligence. The model is the multiplier; data is the force.
Do you have the tools it takes to understand who is attacking your organization and why? Ultimately, it’s the only way to know how to stop attacks. Platform Blue offers government-grade threat intelligence to the world’s most elite threat hunting organizations. Get a demo today!