Threat hunting starts with a hypothesis. A SecOps agent can draft one by reading SIEM telemetry, EDR detections, and threat intel, then propose a search for a human hunter to approve. The agent never executes the hunt on its own. Dock holds the hypothesis, the approval, and the eventual finding. This is the pattern used by teams already running Dock for security operations at scale.
Splunk, CrowdStrike, and Mandiant Advantage stay the systems of record for the raw data. Dock is the system of record for what the agent interprets: each Dock row carries a pointer back to the platform record, the agent identity, the decision, the reviewer, and the timestamp. The agent re-fetches platform data with a fresh API read whenever it needs current state rather than working from a cached copy.
The Hunt Hypotheses surface
One Dock table, hunt-hypotheses, holds every draft the agent produces. Each row links back to the Splunk search IDs, CrowdStrike detections, and Mandiant intel reports it drew from; not every hypothesis cites all three.
| Hypothesis ID | Drafted by | ATT&CK technique | Source signals | Hunter | Status | Updated at |
|---|---|---|---|---|---|---|
| HH-1142 | agent:sec-hunter-01 | T1059.001 PowerShell | splunk:srch-99a, cs:det-7731 | k.okafor | Approved, hunt running | 2026-05-29 14:02Z |
| HH-1143 | agent:sec-hunter-01 | T1071.004 DNS C2 | splunk:srch-99b, mandiant:rpt-APT41-Q2 | r.alves | Rejected, prior-art duplicate | 2026-05-29 15:18Z |
| HH-1144 | agent:sec-hunter-01 | T1003.001 LSASS dump | cs:det-7740, mandiant:rpt-UNC5174 | k.okafor | Pending review | 2026-05-29 16:41Z |
The hunter sees the agent's reasoning, the source IDs, and a one-click path back to the platform record. Approval is the trigger that lets the search execute. This is the same dangerous-ops contract we apply to any irreversible action.
One workflow: from telemetry to approved hunt
The agent pulls a window of Splunk search results, correlates them against open CrowdStrike detections, and queries Mandiant Advantage for related actor TTPs. It writes a row in hunt-hypotheses with the proposed search query, the mapped MITRE ATT&CK technique, the source signal IDs, and a confidence note. The hunter reviews. If approved, the agent runs the search against Splunk and writes results to a child row. If rejected, the hypothesis is closed with the hunter's reason, which the agent reads on its next pass so it stops re-drafting the same dead end. The audit trail satisfies the same controls covered in Dock for compliance.
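The workflow above, as an added example that is not code from Dock or from any of the vendors named on this page: a small in-memory hunt-hypotheses table in Python with the approval gate placed in the execution path and the re-draft guard the agent applies on its next pass. The Splunk hits, CrowdStrike detections, Mandiant report IDs, the correlation rule (join EDR detections to SIEM hits on host, attach intel by technique), the SPL string, and every class and method name are constructed assumptions, not Dock's schema or the platforms' APIs.

```python
"""Hunt-hypotheses table with an executor gate and a re-draft guard. Added example, not Dock's
code or any vendor API; every ID, record and query below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

PENDING, APPROVED, REJECTED = "Pending review", "Approved", "Rejected"

def stamp() -> str:   # UTC timestamp for the row's audit column
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

@dataclass
class Hypothesis:
    hid: str
    drafted_by: str       # agent identity, never a shared service account
    technique: str        # ATT&CK technique ID
    query: str            # proposed search; nothing runs until a hunter approves
    sources: frozenset    # platform record IDs the draft cites
    note: str             # agent's confidence note
    status: str = PENDING
    hunter: Optional[str] = None
    reason: Optional[str] = None
    updated_at: str = field(default_factory=stamp)

class HuntTable:
    """In-memory stand-in for the hunt-hypotheses table and its child result rows."""
    def __init__(self) -> None:
        self.rows: dict[str, Hypothesis] = {}
        self.results: list[dict] = []

    def draft(self, agent: str, technique: str, query: str, sources, note: str) -> tuple[Hypothesis, bool]:
        """Agent write. Returns (prior_row, False) instead of a new row when one already covers it."""
        sources = frozenset(sources)
        for r in self.rows.values():        # re-draft guard: same technique and same signal set
            if (r.technique, r.sources) == (technique, sources):
                return r, False
        hid = f"HH-{1142 + len(self.rows)}"
        self.rows[hid] = Hypothesis(hid, agent, technique, query, sources, note)
        return self.rows[hid], True

    def decide(self, hid: str, hunter: str, status: str, reason: Optional[str] = None) -> Hypothesis:
        """Hunter write: approve or reject, with the reason the agent reads on its next pass."""
        r = self.rows[hid]
        r.status, r.hunter, r.reason, r.updated_at = status, hunter, reason, stamp()
        return r

    def execute(self, hid: str, run_search: Callable[[str], list]) -> dict:
        """The only path to the SIEM: refuses any row a named hunter has not approved."""
        r = self.rows[hid]
        if r.status != APPROVED or not r.hunter:
            raise PermissionError(f"{hid}: status {r.status!r}, no hunter approval on record")
        child = {"parent": hid, "hits": run_search(r.query), "executed_at": stamp()}
        self.results.append(child)
        return child

# Constructed sample signals; the IDs are invented, not real telemetry or reports.
SPLUNK_HITS = [{"search": "srch-99a", "host": "ws-0412", "process": "powershell.exe"},
               {"search": "srch-99c", "host": "srv-db-02", "process": "procdump64.exe"}]
CS_DETECTIONS = [{"id": "det-7731", "host": "ws-0412", "technique": "T1059.001"},
                 {"id": "det-7740", "host": "srv-db-02", "technique": "T1003.001"}]
MANDIANT_REPORTS = [{"id": "rpt-UNC5174", "techniques": {"T1003.001", "T1071.004"}}]

def correlate(hits, detections, reports) -> list[dict]:
    """Join EDR detections to SIEM hits on host, then attach intel reports by technique."""
    out = []
    for det in detections:
        on_host = [h for h in hits if h["host"] == det["host"]]
        if not on_host:
            continue
        sources = {f"cs:{det['id']}"} | {f"splunk:{h['search']}" for h in on_host}
        sources |= {f"mandiant:{r['id']}" for r in reports if det["technique"] in r["techniques"]}
        out.append({"technique": det["technique"], "sources": sources,
                    "query": f'index=endpoint host="{det["host"]}" earliest=-7d',   # constructed SPL
                    "note": f"{len(on_host)} SIEM hit(s) on {det['host']} corroborate EDR {det['id']}"})
    return out

def agent_pass(table: HuntTable, agent: str) -> tuple[list[Hypothesis], list[Hypothesis]]:
    """One pass: rows newly drafted, and the prior rows (carrying hunter decisions) it deferred to."""
    drafted, deferred = [], []
    for c in correlate(SPLUNK_HITS, CS_DETECTIONS, MANDIANT_REPORTS):
        row, created = table.draft(agent, c["technique"], c["query"], c["sources"], c["note"])
        (drafted if created else deferred).append(row)
    return drafted, deferred

def gate_blocks(table: HuntTable, hid: str) -> bool:   # True when the executor refuses the row
    try:
        table.execute(hid, lambda q: [])
        return False
    except PermissionError:
        return True

def demo() -> HuntTable:
    table = HuntTable()
    new, _ = agent_pass(table, "agent:sec-hunter-01")                # drafts HH-1142 and HH-1143
    table.decide(new[0].hid, "k.okafor", APPROVED)
    table.decide(new[1].hid, "r.alves", REJECTED, "prior-art duplicate of last week's LSASS hunt")
    table.execute(new[0].hid, lambda q: [{"query": q, "count": 3}])  # approved: runs, child row written
    assert gate_blocks(table, new[1].hid)                            # rejected: never reaches the SIEM
    return table
```

Two design points are worth carrying into a real deployment. `execute` is the only function that touches the search callable, and it checks the row rather than trusting the caller, so an agent whose instructions drift still cannot reach the SIEM without a named hunter on the row. The re-draft key is technique plus the exact set of source IDs; keying on technique alone would also suppress legitimate new hypotheses that cite fresh detections.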
Why this matters
Hunters spend most of their day on context gathering. An agent that drafts hypotheses with citations cuts that overhead without taking the trigger. The hunter still owns the search. Dock owns the record of who decided what, when, and why, which is the artifact agent audit and compliance reviewers actually need. The same pattern (agent reads and drafts, human approves) generalizes to incident triage, vulnerability prioritization, and even Dock for research, where an agent drafts a literature scan for a human reviewer.
The agent operates under its own identity, not a shared service account, which is the whole point of agent identity in security tooling. Every draft is attributable.
Try the pattern
Spin up a hunt-hypotheses table in your Dock workspace, point your agent at Splunk, CrowdStrike, and Mandiant Advantage with read-only credentials, and require human approval before any search executes.
FAQ
Can the agent run searches on its own? No. The agent drafts. The hunter approves. The search executes only after a human row-level approval, the same contract Dock applies to any state-changing operation. Enforce that gate in the execution path, where the tool or credential that runs the search checks the row's status and reviewer, not only in the agent's instructions, so a prompt that goes wrong still cannot reach the SIEM.
What stops the agent from drafting the same hypothesis repeatedly? The agent reads the status and reason of closed hypotheses on each pass and skips anything a hunter has already rejected or that is still open. A rejection with a written reason becomes context for the next draft, so duplicates get closed fast and stay closed.
How does this map to MITRE ATT&CK? Every hypothesis row carries an ATT&CK technique ID. The agent uses ATT&CK as a shared vocabulary so hunters can filter, group, and report against a known taxonomy (attack.mitre.org).
Is this enough for an audit? The row-level record of agent identity, source signals, hunter decision, and timestamp covers the artifact most SOC auditors ask for. Mandiant's M-Trends report tracks how dwell time and detection workflows are measured (cloud.google.com/security/resources/m-trends), and SANS FOR508 documents the hypothesis-driven hunting methodology this workflow mirrors (sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training).