Skip navigation
Previous searches
    Suggested searches
      Like what you’re reading?

      How automated threat hunting strengthens cyber resilience

      • Modern attacks stay hidden by design, using sophisticated techniques and native system tools to evade detection, thus inflating containment cost.
      • Automated threat hunting complements reactive alerts with continuous validation, cutting down detection time while providing coverage across critical systems.

      Senior Researcher, Security

      Senior research manager, Security

      Head of Cyber Defense Center

      Research Director Security

      Senior Researcher, Security

      Senior research manager, Security

      Head of Cyber Defense Center

      Research Director Security

      Senior Researcher, Security

      Contributor (+3)

      Senior research manager, Security

      Head of Cyber Defense Center

      Research Director Security

      Digital infrastructure is increasingly built for agility and rapid service evolution, including service-based 5G cores, application programming interface (API)-driven control planes, and Kubernetes platforms. But while mobile networks and enterprise environments continuously evolve, so does the threat landscape. Attackers are becoming more adaptive, stealthy, and in some cases, they are leveraging artificial intelligence (AI) to accelerate reconnaissance, evasion, and attack execution. This agility expands the attack surface and makes traditional, alert-driven security less effective. Threat actors blend in by abusing legitimate identities, subtle configuration changes, and living-off-the-land (LOTL) techniques. For organizations where resilience, operational continuity, regulatory exposure, and efficient security operations are key concerns, this creates a pressing need for more proactive and scalable defense approaches.

      Automated threat hunting addresses the stealthy nature of modern attacks, which are designed to remain unnoticed and difficult to detect, by continuously testing for attackers’ presence across signaling, network functions, cloud events, and enterprise identity telemetry. By translating diverse signals into a runtime view of entities and relationships, and by applying AI to correlate, enrich, and interpret this telemetry at scale, organizations can predict likely attack paths, prioritize investigations, and measure defensive coverage against frameworks such as MITRE ATT&CK and FiGHT.

      The problem with "alert-first" security

      Alert-first security is optimized for volume, not certainty. Modern environments generate thousands of alerts across endpoints, cloud services, identity systems, and network tools. This multi-layered multi-modal data produces many low-fidelity signals that make it difficult to correlate these diverse signals. Even after triage, a significant number remain to be handled manually. This creates an operational bottleneck where security analysts spend time filtering noise instead of investigating meaningful patterns.

      Threat actors exploit this mismatch. They increasingly use valid accounts, built-in administration tools, and subtle configuration changes that look “normal” in isolation and may never trigger a high-severity alert. As a result, security teams can have strong tooling coverage yet still miss early indicators, discover incidents late, and struggle to determine scope quickly.

      The consequence is measurable business risk: longer waiting time, higher recovery cost, greater disruption during containment, and increased exposure to regulatory and customer impacts.

      What threat hunting is and what automated really means?

      Threat hunting is a proactive security defense that actively searches for and identifies stealthy adversaries within the network boundary. Instead of waiting for an alert, security analysts deliberately look for signs of compromise based on how real attackers operate. As shown in Figure 1, threat hunting is part of security management. It starts with the creation of a hypothesis, for example, an adversary is using stolen credentials to move laterally. Then it tests that hypothesis by analyzing telemetry across identity, endpoint, cloud, network, and enterprise sources. The goal is to detect stealthy malicious threats, uncover new attacks, reveal blind spots in detection systems, and enrich analytics.

      ""
      The illustration shows a yellow rectangle labeled “System / network” on the left. A horizontal arrow labeled “Telemetry” points from this box to a large outlined rectangle on the right labeled “Security operation center.” Inside it is a smaller gray box labeled “Security management,” which contains another box labeled “Threat hunting.” Below the Threat Hunting box, a shaded spotlight leads to a circular workflow made of four connected colored arrows: 01 (purple-blue, upper right): Investigate hypothesis 02 (blue, lower right): Uncover new attacks 03 (red-pink, lower left): Enrich analytics 04 (orange, upper left): Create hypothesis The four numbered arrows form a continuous cycle, with the labels positioned around the outside of the loop

      Figure 1. Overview of threat hunting integration, along with hunting steps.


      Automated threat hunting means turning proven hunts into repeatable, continuously running checks. It codifies data queries, correlation logic, and enrichment steps such as asset criticality, user roles, known attack techniques, and routes findings into consistent workflows for validation and response. Automation does not replace human judgment but rather accelerates evidence collection and prioritization. 

      How does automated threat hunting work?

      Figure 2 illustrates how threat hunting is traditionally a highly manual process, and Figure 3 illustrates how we aim to automate it.

      In manual hunting, expert analysts must

      • Connect signals across domains
      • Form a hypothesis
      • Test the hypothesis quickly
      • Document the findings.

      This process depends on specialized knowledge that is difficult to acquire, extensive hands-on experience, and significant time and effort. As a result, manual hunting can lead to alarm fatigue, delayed investigations, and, in some cases, missed critical alerts.

      ""
      A diagram shows telemetry data from three sources, represented by server, wireless signal, and network icons on the left. An arrow leads to a box labeled “Data aggregation and management.” Another arrow points into a dashed box labeled “Hunting process.” Above the hunting process are two boxes, “Security technology” and “Threat intelligence,” with arrows pointing downward into the process. Inside the hunting process are three connected boxes: First “Logs and alerts labeling,” with a small label indicating “Logs to techniques. Then “Threat and data analysis,” with a small lable indicating “Threat hypotheses,” Finally “Threat investigation.” With a small label indicating “Attack testflows.” An arrow from the hunting process points to a SOC team icon on the right. In the next step, a hacker icon appears on the far left, with three red arrows pointing toward the telemetry sources. An orange alarm symbol between the telemetry sources and the data aggregation box indicates an attack. Within the hunting process, the label “Logs to techniques” is replaced by “Millions of logs,” “Threat hypotheses” becomes “Millions of hypotheses,” and “Attack testflows” becomes “Millions of testflows.” On the right side, above the SOC team icon, there is a large red thought bubble containing a question mark.

      Figure 2. Manual threat hunting.


      Automated threat hunting addresses these challenges by operationalizing what expert analysts do manually. It transforms hunting into a repeatable and scalable workflow that can continuously analyze telecom control-plane activity, cloud platforms, and enterprise identity systems. Instead of relying only on human effort, the system automatically connects signals, generates and tests hypotheses, and produces evidence-backed findings.

      ""
      A diagram shows telemetry data from three sources, represented by server, wireless signal, and network icons on the left. An arrow leads to a box labeled “Data aggregation and management.” Another arrow points into a dashed box labeled “Hunting process.” Above the hunting process are two boxes, “Security technology” and “Threat intelligence,” with arrows pointing downward into the process. Inside the hunting process are three connected boxes: First “Logs and alerts labeling,” then “Threat and data analysis,” and finally “Threat investigation.” With a small label indicating “Attack testflows.” An arrow from the hunting process points to a SOC team icon on the right. An icon on the far left and three red arrows pointing toward the telemetry sources indicates a hacker. An orange alarm symbol between the telemetry sources and the data aggregation box indicates an attack. On the right side, above a SOC team icon, there is a large red thought bubble containing a question mark. In the next step, three stages in the hunting process are enhanced with AI-assisted functions: Telemetry labeling replaces manual telemetry analysis and mapping. A call-out box lists actions: Uses generative AI to map each telemetry log to a set of potential attack techniques. Hypotheses generation replaces manual knowledge discovery and hypothesis creation. A callout box lists actions: Leverages knowledge discovery to generate relevant threat hypotheses and identify potential threat actors. Hypotheses testing replaces manually created investigation and validation workflows. A callout box lists actions: Uses machine reasoning to generate new test flows that help validate the hypothesis under investigation. The hacker and the attack icon disappear, the question mark above the SOC team icon is replaced by a happy smiley.

      Figure 3. Automated threat hunting research prototype.


      What telemetry do we need to see the full attack surface?

      Automated threat hunting works best when it connects “raw signals” of complex environments into a living map of behavior and then uses that map to continuously test for attacker activity. In mobile network and enterprise contexts, the first step is broad telemetry ingestion across domains and layers. This includes signaling and control-plane data, network function (NF) logs, service-based architecture (SBA) and API interactions, and platform layer, for example, Kubernetes and cloud control-plane events. The objective is not to collect more logs, but to preserve the relationships between events across domains such as network, identity, and infrastructure.

      How do we turn disparate logs into a shared security language?

      Next, the system normalizes and labels this telemetry into a knowledge graph aligned with frameworks that a security operations center can govern, for example, MITRE ATT&CK for cloud and enterprises and FiGHT for 5G. Machine learning (ML) and AI models such as large language models can accelerate this step by mapping heterogeneous log fields into consistent entities and relationships. In this graph, entities include NFs, subscribers, sessions, clusters, and identities, while the connections between them capture how the system behaves, such as API calls, authentication events, configuration changes, roaming activities, and communications between network functions. The graph becomes a shared language across security practitioners and network engineering.

      How do we decide what is suspicious enough to investigate?

      With this foundation, automated hunting generates and prioritizes hypotheses using knowledge discovery and analytic methods. For example, graph pattern mining can surface new or rare NF-to-NF call paths, while statistical change detection can flag shifts in behavior, such as abnormal roaming-driven access or sudden changes in who can call which SBA endpoints. A graph-based ML model can also predict the attacker’s next techniques within a time window to improve the accuracy of the generated hypotheses, which are then ranked by likelihood and impact using context and similarity with known attack techniques.

      How do we convert a hypothesis into an investigation that runs itself?

      The system generates test flows using machine reasoning, translating a hypothesis into an investigation plan that follows likely attack paths across the graph. Automation executes that plan, pivoting from a suspicious identity to sessions, from sessions to NFs, and from NFs to configuration changes, bundling evidence into a coherent case rather than isolated alerts.

      Finally, findings are attributed to threat actors and mapped to ATT&CK techniques and FiGHT 5G security use cases. This enables the security operations center to report answers to the question of whether we are covered with solid evidence of which behaviors are monitored, which attack paths were tested, and where gaps remain.

      Where it pays: use cases

      How do we hunt Advanced Persistent Threats (APTs) without drowning in noise?

      APT actors succeed by being patient, consistent, and stealthy. Automated APT hunting focuses on campaign-level behaviors and attack paths rather than one-off indicators: long-lived credential access, periodic beacon-like administrative activity, gradual privilege accumulation, and staged access to high-value assets such as subscriber data, control-plane functions, continuous integration and continuous deployment (CI/CD), and identity providers. A knowledge-graph approach is especially effective here: it can surface rare relationship patterns,  including new trust paths, unusual NF-to-NF call chains, slow configuration drift, and track them over weeks. Automation continuously re-tests hypotheses, preserves evidence, and maps activity to ATT&CK and FiGHT, enabling disciplined reporting and sustained pressure against sophisticated adversaries.

      How do we catch persistence early?

      Persistence shows up as small configuration changes that appear legitimate in isolation. Automated hunting monitors for suspicious creation of access keys, role assumption patterns, token minting behaviors, and stealthy policy edits, then correlates them with telecom-specific control-plane signals such as anomalous SBA/API call patterns or unexpected NF-to-NF interactions.

      The value is preventing “silent entrenchment,” where an attacker remains present across redeployments and routine maintenance.

      Where do lateral movement and credential abuse hide in plain sight?

      Attackers often avoid malware and instead chain legitimate administration tools to move across systems. Automated hunting looks for behavior sequences rather than single alerts, for example:

      • A privileged login followed by new remote access, service creation.
      • Secret access.
      • Sudden permission changes in identity and access management and Kubernetes role-based access control.

      Automated hunting continuously tests for rare-but-risky pivots, such as new admin paths, first-time access to sensitive namespaces, unusual cluster role bindings, and bundles evidence into a timeline so responders can confirm the scope quickly and cut off the path of spread.

      Closing take-away

      Automated threat hunting shifts security from reactive alert handling to continuously validating attacker behaviors across mobile, cloud, and enterprise layers. It scales expert hunts into repeatable checks, shortens time-to-confirm, and produces measurable coverage mapped to ATT&CK and FiGHT. The result is faster containment, clearer risk visibility, and fewer blind spots.

      Learn more

      Delve deeper into network security and what it will look like in the future:

      The Ericsson Blog

      Like what you’re reading? Please sign up for email updates on your favorite topics.

      Subscribe now

      At the Ericsson Blog, we provide insight to make complex ideas on technology, innovation and business simple.