Hunters.AI looks to redefine threat hunting with autonomous hunting approach

The early-stage Israeli startup just completed a seed funding round, and while they are still in proof-of-concept stage, the plan is to take it to MSSPs and MDR partners.

Israeli cybersecurity startup Hunters.AI is looking to rethink the threat hunting space. The company has announced that it has raised a $5.4 million seed funding round, led by YL Ventures and Blumberg Capital, an amount that is large for a seed stage. Hunters is still very much in the proof-of-concept stage, and is working on its messaging to the market. The technology is built out, however, and the company thinks that it will set Hunters apart in a crowded market with no shortage of noise.

Hunters.AI defines itself as the pioneer in autonomous threat hunting, which raises the question, in an industry so fond of buzzwords and marketing slogans, of exactly what that means.

“The threat hunting world is pretty big, but we have a very interesting way of detecting and investigating attacks,” said Uri May, Hunters’ Co-Founder and CEO. “We correlate data that wasn’t all being correlated before. This multidimensional aspect is important because differentiating between what’s bad and what’s benign is hard. We do that by connecting these dots. Other detection tools are very focused on a single dimension such as the network or the endpoint, but they lack holistic visibility.”

The object of correlating this data isn’t to find obviously threatening acts, but incidents which by themselves appear benign, but which, when assessed in context with other benign-looking incidents as part of a larger pattern, are seen to be threatening. The Hunters technology is focused on finding the ‘breadcrumbs’ that intruders will always leave, but which often are not otherwise detected.

“What we are looking for is patterns that look like how attackers behave,” May said. “That’s different from looking for anomalous behavior, or known signatures. Our team has a lot of unique experience, and we leverage that to correlate signals from different data sources and in different dimensions.” In addition to May, Hunters leadership includes CTO Tomer Kazaz, and additional co-founders Chairman Ehud Schneorson, Yodfat Harel Buchris and Idan Nurick.

Autonomous threat hunting is not synonymous with automated threat hunting, May stressed.

“The difference is intelligence,” he said. “Automating a process is writing a playbook. What we are doing in our model is taking context and training and adding it in. It’s not just automated, but also has intelligence incorporated within. The main challenge here is getting the right balance between men and machines. AI itself is not a silver bullet to cybersecurity. It’s getting the right mix between machines and humans that is the key.”

Hunters is emphasizing a case study with an early customer, cloud data warehouse unicorn Snowflake Computing. They conducted a recent Red Team attack exercise combining all elements of a worst-case scenario. The attackers were given credentials for a user account with elevated admin privileges, an internal company laptop and the element of surprise. Hunters identified the attack in minutes and alerted the Snowflake response team.

“In that case, we detected a series of actions, none of which by themselves was malicious but the combination of which was anomalous,” May said.

The Hunters solution is entirely cloud based, uses an agentless technology and does not require anything to be deployed on endpoints. They provide a high-fidelity Attack Hunting Report that exposes the threats and risks associated with a given attack and outlines the complete attack story including timeline, path, target, impact and required remediation steps.

Early customers like Snowflake have been key design partners.

“We also have a big customer in U.S. retail that integrates us into their data,” May said.

At this stage, however, Hunters has too few customers to start building out a full go-to-market model. It has been planned out, however.

“When we have between 5 and 10 paying customers, we will get to that stage, and also look for A stage funding, which is typically about building out the product marketing,” May stated. “We think we are really good, but we don’t have enough market presence to be there yet.

“In terms of the go-to-market strategy, we made a well thought-out decision to start generating value from Day One,” May continued. “We took that risk and our design partners get this vision and progress. What we are aiming for is to get to the point where in parallel to ourselves, MSSPs and MDRs can use us, and Fortune 500 companies can use us.”

May said that their solution is a natural for channel partners.

“MSSPs and MDRs are interested in solutions like this, which provide better services, lower cost and access to sophisticated IP around cybersecurity,” he emphasized. “Snowflake Computing, which started as a customer, hopefully will be a channel partner as well. Today, however, our solution is not baked enough. We want to be sure that it can create that exponential value. We will get there as we work with more customers. We will then be able to scale out the technology. We are not there yet, but this is the strategy we are planning for the company.”

General availability for the Hunters solution is planned for late 2019.