TL;DR

Collaborating AI threat intelligence analysts and AI threat hunters turn a CISA emergency directive into an automated hunt. AI agents convert the directive's behavioral indicators into queries that run across SIEM, EDR, identity, and network telemetry where the data already lives, with a SOC analyst on the loop. In this demonstration against CISA directive ED-26-03, that compressed roughly five days of manual work into about five and a half hours.

Introduction

The Agentic SOC is a model where AI agents collaborate to autonomously complete tasks end-to-end, executing human strategy at machine scale. One example is turning new threat intelligence into threat hunts. 

Let’s use a recent CISA Emergency Directive for federal agencies as an example of how this works. On February 25, 2026, CISA issued Supplemental Direction ED-26-03, after confirming active exploitation of an authentication bypass (CVE-2026-20127) that gave attackers admin access and persistence on network infrastructure. The instructions are clear: inventory affected systems, patch the vulnerability, collect logs, hunt for compromise on a defined behavioral list. Reading the directive takes minutes. Operationalizing the hunt guidance usually takes days.

The Directive Is the Easy Part

Read the Directive in Five Minutes

If you've executed a CISA emergency directive before, you know the structure is predictable. ED-26-03 follows the pattern:

  • Inventory exposed systems
  • Patch the underlying vulnerability
  • Collect logs and configuration snapshots
  • Hunt for behavioral indicators of unauthorized SD-WAN (software-defined wide area network) peering and rogue device registration
  • File the report inside the directive's defined window

CISA doesn't publish vague advisories, since the agency knows the cost of ambiguity. The instructions in ED-26-03 are scoped, technical, and time-limited. The text gives you exactly what to do.

What the text doesn't give you is any hint of how to budget for doing it. Directives don't allocate operational capacity. If you run multiple Cisco SD-WAN deployments across business units, even step one (inventory) is a day of network engineering work before you've touched a log file, and steps two onward compound from there.

Then Spend Five Days Doing It

Walk the manual playbook step by step, and the cost gets concrete fast. A network engineer pulls device inventory from the SD-WAN management plane, while a security engineer pulls the logs they need from the affected devices. A SOC analyst may also translate the directive's behavioral indicators into queries against whatever combination of SIEM (security information and event management), EDR, identity provider, and network telemetry the organization has.

The security engineer or analyst then filters through the resulting data set and escalates suspicious findings to incident response.

For an organization with mature, unified telemetry, query writing and filtering alone take about half a day per behavior. Multiply that by four behaviors, factor in the data quality issues that surface mid-hunt, and the hunting cycle stretches across a week.

For an organization without unified telemetry, you multiply again and add coordination costs across the teams that own each data domain.

Mandiant's M-Trends 2026 puts a hard number on the cost of detection delay: global median dwell time (how long an attacker stays inside the network after a breach) climbed to 14 days in 2025, up from 11 days in 2024. Every day a hunt sits half-executed is another day attackers operate inside the exact threat the directive flagged. 

Under Five Hours Instead of Five Days

Hour Zero: The Hunt Pack Builds Itself

00:00 is the moment the directive lands. In this scenario, the AI Threat Intelligence Analyst monitors a continuous OSINT (open-source intelligence) stream, so when ED-26-03 drops, it's reading the directive against the Five Eyes joint advisory on the same Cisco SD-WAN exploitation, the Cisco PSIRT (Product Security Incident Response Team) disclosure for CVE-2026-20127, and broader OSINT chatter on the campaign.

From the directive text alone, the agent pulls the four behaviors you'd extract by hand if you had a clean week to read it:

  • Unauthorized SD-WAN peering as the authentication-bypass tell
  • Rogue device registrations as the persistence tell
  • Privilege escalation against the SD-WAN management plane
  • Configuration manipulation across SD-WAN policy components

The AI Threat Intelligence Analyst packages the behaviors into an executable hunt pack that encodes TTPs (tactics, techniques, and procedures), IOCs (indicators of compromise), and behavior-based hypotheses.

By around the 04:00 mark, the behavioral hunt pack is ready. The work an analyst would have spent the morning on, the agent has done before lunch, and unlike the analyst, it hasn't skipped any of those sources. The hunt pack is also a durable artifact, so it runs against tomorrow's telemetry without re-extraction.

Hour Four: The Hunt Runs Across Your Stack

From roughly 04:00 to 05:30, the AI Threat Hunter executes the hunt pack across SIEM, EDR, identity, and SD-WAN control-plane telemetry simultaneously. The execution is federated, meaning the agent queries the data where it lives without requiring you to centralize everything into a single pane first. The Dropzone AI Threat Hunter is also vendor-agnostic: it works with whatever systems you have deployed.

That compresses what would normally be up to 40 hours of manual hunting into roughly an hour of agent time. The AI Threat Hunter crafts and paces its queries so that the tools it searches stay available to the other users who depend on them.

Product tour: https://dropzone.storylane.io/share/xcjh58i0zfu7

In the product tour linked above, the AI Threat Hunter scanned 333 MB and 464,973 logs in 1 hour 13 minutes, executing five sub-hunts under a single T1572 Protocol Tunneling investigation.

The output is a federated threat hunt report sorted by Urgent, Notable, and Informational findings. Each finding ships with linked evidence, recommendations, and remediation actions aligned to the CISA reporting requirements.

Concrete sample findings surfaced in that demo:

  • 23 requests to /tcp.php, a known reGeorg web shell tunneling indicator, from internal IPs.
  • 9 requests to /superadmincreate.php, a suspected backdoor for creating privileged accounts.
  • Anomalous traffic to /service/v4/rest.php from internal IPs flagged as confirmed web shells.
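The post describes the hunt pack (behavior-based hypotheses with TTPs and IOCs), federated execution against each source where the data lives, and a report triaged into Urgent, Notable, and Informational. The block below is an added example of that shape in Python; it is not Dropzone's code and not the product's hunt-pack format, which the post does not show. All source names, device ids, internal IPs and the hypotheses themselves are constructed; the web-shell paths are the ones listed in the findings above, and T1572 is the only ATT&CK id used because it is the only one the post names. The identity source is left empty on purpose to show how a missing connector becomes a visibility-gap finding instead of a silent clean result.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

# Constructed sample telemetry standing in for three federated sources: a
# web/proxy feed in the SIEM, the SD-WAN control plane, and the identity
# provider (deliberately empty so the missing-connector path is exercised).
WEB_EVENTS = [
    {"src": "10.0.4.17", "method": "POST", "uri": "/tcp.php", "status": 200},
    {"src": "10.0.4.17", "method": "POST", "uri": "/tcp.php", "status": 200},
    {"src": "198.51.100.20", "method": "POST", "uri": "/tcp.php", "status": 403},  # external, filtered out
    {"src": "10.0.9.3", "method": "GET", "uri": "/superadmincreate.php", "status": 200},
    {"src": "10.0.9.3", "method": "GET", "uri": "/index.html", "status": 200},
]
SDWAN_EVENTS = [
    {"event": "device_registered", "device_id": "vedge-0042", "actor": "admin"},
    {"event": "device_registered", "device_id": "vedge-9999", "actor": "admin"},
    {"event": "policy_changed", "device_id": "vmanage-01", "actor": "admin"},
]
IDENTITY_EVENTS = []  # hypothetical: identity connector not onboarded yet

KNOWN_DEVICES = {"vedge-0042", "vmanage-01"}  # constructed device inventory
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    """True when the address falls inside an RFC 1918 range."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Hypothesis:
    """One behavior-based hunt hypothesis: the source that owns the data,
    the predicate that selects matching events, and how a hit is triaged."""
    name: str
    source: str
    predicate: Callable[[dict], bool]
    severity: str            # Urgent / Notable / Informational
    recommendation: str
    technique: str = ""      # ATT&CK id when known; left unmapped otherwise


@dataclass
class Finding:
    severity: str
    category: str
    hypothesis: str
    count: int
    evidence: list
    recommendation: str


SEVERITY_RANK = {"Urgent": 0, "Notable": 1, "Informational": 2}

# Constructed hunt pack covering the ED-26-03 behaviors discussed above.
HUNT_PACK = [
    Hypothesis("reGeorg tunnel requests (/tcp.php) from internal hosts", "web",
               lambda e: e["uri"] == "/tcp.php" and is_internal(e["src"]),
               "Urgent", "Isolate source host; acquire web shell and tunnel artifacts", "T1572"),
    Hypothesis("Privileged-account creation endpoint (/superadmincreate.php)", "web",
               lambda e: e["uri"] == "/superadmincreate.php",
               "Urgent", "Audit admin accounts created after first request; revoke unknowns", "T1572"),
    Hypothesis("Rogue SD-WAN device registration", "sdwan",
               lambda e: e["event"] == "device_registered" and e["device_id"] not in KNOWN_DEVICES,
               "Notable", "Verify device against inventory; deregister if unauthorized"),
    Hypothesis("Admin logon to SD-WAN management plane from new location", "identity",
               lambda e: e.get("app") == "vmanage" and bool(e.get("new_location")),
               "Notable", "Confirm with account owner; reset credentials if unrecognized"),
]


def run_hunt_pack(pack, sources):
    """Federated execution: each hypothesis runs only against its own source.
    A source with no events yields an Informational 'Visibility gap' finding,
    so an empty result is never mistaken for coverage."""
    findings = []
    for h in pack:
        events = sources.get(h.source)
        if not events:
            findings.append(Finding("Informational", "Visibility gap", h.name, 0, [],
                                    f"No telemetry from source '{h.source}'; onboard or repair the connector"))
            continue
        hits = [e for e in events if h.predicate(e)]
        if hits:
            findings.append(Finding(h.severity, "Indicator match", h.name, len(hits), hits, h.recommendation))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def summarize(findings):
    """Map hypothesis name -> (severity, hit count) for reporting or assertions."""
    return {f.hypothesis: (f.severity, f.count) for f in findings}


if __name__ == "__main__":
    sources = {"web": WEB_EVENTS, "sdwan": SDWAN_EVENTS, "identity": IDENTITY_EVENTS}
    for f in run_hunt_pack(HUNT_PACK, sources):
        print(f"[{f.severity}] {f.category}: {f.hypothesis} (n={f.count}) -> {f.recommendation}")
```

Run directly, the script prints the triaged report: two Urgent web-shell matches, one Notable rogue registration, and one Informational visibility gap for the empty identity source. Because each hypothesis names the source it runs against, adding a connector is a matter of supplying another key in the sources map; the hunt pack itself does not change between runs, which is the durable-artifact property the post describes.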

Even Clean Hunts Pay

Most conversations skip the part where a clean hunt is still useful. The categories of findings from an AI Threat Hunter report when no malicious activity is confirmed include:

  • Policy violations
  • Visibility gaps
  • Misconfigurations
  • Vulnerabilities
  • Detection opportunities

None of those is confirmation of malicious activity, but each one closes a real gap. For ED-26-03 specifically, a clean hunt may surface a logging gap on the SD-WAN control plane, which tells you where the next campaign would have hidden. The hunt becomes a hardening event as well as a compromise check, and that value compounds across every advisory CISA publishes after this one.

What Actually Changed

What was a five-day cost on this directive becomes a fifteen-minute re-run on the next one. The hunt-pack catalog also accumulates environment-specific tuning over time, so each new hunt starts from a sharper false-positive baseline.

Conclusion

Active exploitation now lands in the wild before most environments fully operationalize the corresponding security advisory, and that asymmetry will keep widening as exploit development moves toward machine speed. ED-26-03 is one example of the type of emerging threat that AI SOC agents can help with. 

Key Takeaways

  • Cheap to read. CISA directive ED-26-03 (February 2026) demanded inventory, patch, log collection, and active hunting for compromise on Cisco SD-WAN systems. That work historically takes days of cross-team analyst time.
  • Four hours. AI Threat Intel Analyst extracts TTPs (tactics, techniques, and procedures) and IOCs (indicators of compromise) from the directive, along with its broader OSINT (open-source intelligence) context, and generates a behavioral hunt pack in roughly four hours. AI Threat Hunter then executes a federated hunt across SIEM, EDR, identity, and network telemetry in roughly ninety minutes.
  • Hours, not days. The same playbook CISA wrote runs against the environment in five and a half hours instead of five days, with the same compromise-detection objective and the same human-on-the-loop oversight from the SOC analyst reviewing the output.

FAQs

How Is This Different From a Traditional TIP?
Traditional threat intelligence platforms (TIPs) aggregate feeds and leave analysts to manually translate intel into hunts. AI Threat Intel Analyst, coming this summer, monitors a continuous OSINT stream, categorizes inputs, and extracts TTPs and IOCs into hunt packs that AI Threat Hunter can execute the same day. It's the missing analyst layer, sitting in complement to existing TIPs rather than replacing them.
Do We Need to Centralize Our Data First?
No. There's no data-lake spend and no pipeline re-architecture to do first. AI Threat Hunter runs against the connectors you already have across your major SIEM, EDR, and identity stacks, so you don't buy new storage or rebuild ingestion to operationalize a hunt pack. The architecture cost of starting is effectively zero, which is what makes same-day directive response realistic.
What Happens When a Hunt Comes Back Clean?
A clean hunt isn't wasted. Treat it as a measurable deliverable per directive cycle: every run produces detection-engineering and hardening output you can count and report, even when no compromise is confirmed. Over a year of directives, that's a steady stream of quantifiable coverage improvements, which turns mandatory compliance work into ROI you can actually show leadership.
How Does This Fit Alongside Our Existing CISA Directive Runbook?
AI Threat Hunter's output slots into the existing IR process rather than replacing it. Confirmed compromises escalate with supporting evidence already collected; clean hunts feed back into detection engineering and hardening; and the federated hunt report can be aligned with CISA reporting templates to shorten the time-to-report cycle. The runbook doesn't change; the cost of executing it does.
Isn't This Just SOAR?
Security orchestration, automation, and response (SOAR) is built for deterministic automation: enrichment lookups, ticket creation, and response actions tied to known triggers. What it doesn't do is investigative reasoning, which is exactly what hunting for behavioral indicators of compromise requires. AI Threat Hunter and AI Threat Intel Analyst cover that reasoning layer, then hand off to whatever SOAR or response stack you already operate.
What If We Already Have a Dedicated Hunt Team?
A mature hunt function gets the same compression. The agents own the mechanical layer: intel ingestion, hunt-pack authoring, query execution, and cross-source correlation. That frees the hunt team to focus on hypothesis design, adversary emulation, and detection engineering: the work that benefits most from human judgment. The team's strategic capacity expands; the directive cycle no longer competes for it.

Tyson Supasatit
Principal Product Marketing Manager

Tyson Supasatit is Principal Product Marketing Manager at Dropzone AI where he helps cybersecurity defenders understand what is possible with AI agents. Previously, Tyson worked at companies in the supply chain, cloud, endpoint, and network security markets. Connect with Tyson on Mastodon at https://infosec.exchange/@tsupasat
