July 11, 2024 · 7 min read

Rediscover threat hunting and investigations


Alfred Huger
Cofounder & CPO

Introduction & Our problem space

Command Zero set out to solve the most significant bottleneck for security operations: investigations.  

There are a lot of solutions available today (SIEM, SOAR, SOC automation, AI-powered SOC analysts) that tackle alert ingestion, filtering, correlation and other tier-1 tasks. Still, investigating escalated cases relies on labor-intensive manual work by tier-2 and tier-3 analysts or incident responders. (Read more about the problem we’re solving and our unique approach in Dov’s blog post.)

To achieve this hefty goal, we’ve built an expert investigations platform for every user. (Read more about some of the principles and architectural decisions we’ve made so far in Dean’s blog post.)

We do this by encoding the research, the investigatory expertise and a deep understanding of every unique data source into the platform.

In this post, I’d like to share how Command Zero transforms the day-to-day experience for threat hunting and investigations.  

To demonstrate this, I will walk you through a hypothetical flow on the Command Zero platform: an investigation stemming from multiple alerts, a brief look at threat hunting, and an overview of a complex investigation.

Alert-driven investigations

Command Zero has been deployed in the production environments of our early adopters and is being put to the test every day. From this usage, we observed that many investigations today start with alerts from security solutions.

So, building a feature where users can review alerts from key systems and kick off investigations based on one or more alerts was a natural next step for us.

The alert view provides an overview of alerts from multiple connected systems.
Users can initiate investigation based on an alert or multiple alerts.

When a user starts an investigation from alerts, Command Zero automatically takes the initial steps and asks the data sources involved the most relevant questions. This not only saves investigation time, but also helps the analyst understand the context more quickly.

Command Zero automatically takes initial steps and renames each investigation based on context.

The platform renames the investigation based on discovered context. It also builds a short summary and potential leads for the analyst.  

Once an investigation starts, the user has multiple capabilities at their fingertips:  

  1. See the investigation summary and review investigation leads.
You can get an overview of the investigation and a summary.
  2. Query multiple sources using pre-built questions to further investigate leads.
Interrogating multiple data sources is done by using pre-built investigation questions.
  3. View previous investigations and notes about the leads in scope.
Past investigations on leads help get up to speed on the historical context.
Notes taken by the analyst or the team help build institutional memory on leads.
  4. Run facets to replicate best practices and save time.
Facets are dynamic playbooks that save time, ensure consistency and build organizational knowledge.
  5. Add questions to the timeline.
Users can add noteworthy questions and answers to the timeline to build the narrative of a case.
  6. Read the LLM-generated summary of each question, which not only reduces the labor of reporting but also ensures that no detail gets missed or overlooked.
Question summaries help better understand results and save time with reporting.
  7. See the timeline with notes and add further notes for reporting.
Auto-generated timelines help communicate the narrative with stakeholders.
  8. See the complete summary of the investigation.
Investigation summaries combine all questions, patterns and timelines.

Reviewing past investigations or current alert-driven investigations in Command Zero is a great way to show your teams where the heat map of threats, gaps and overall risk lies in your environments.

Wherever you see the most escalated cases is generally where your team needs to hunt more and take a more proactive stance against those threats.

Threat hunting

We all agree that threat hunting is a highly impactful activity for organizations. That said, unless you have a dedicated team for threat hunting, it is an activity that we’re all doing less frequently than we should.

And when we do threat hunt, we rarely know where to look or which patterns to look for.

Three impediments stand in the way of adopting threat hunting properly:

1) threat hunting expertise,

2) access to systems in the environment,

3) technical expertise on the diverse systems in the environment.

Command Zero tackles all three barriers as an expert platform with federated access to universal data sources.  

Users can interrogate security and non-security data sources in their environments with pre-built expert questions. They no longer need direct, individual-level access to the data sources, nor do they need to be administrator-level experts in the technologies within the scope of the hunt.

Users can threat hunt across data sources by using pre-built questions.

Traditionally, threat hunting was (and still is) an elite activity exclusive to highly experienced teams. And since these team members are oversubscribed with manual investigations, threat hunting often gets de-prioritized in most organizations.

Command Zero’s fresh approach democratizes threat hunting to all your analysts, regardless of their experience level or technical expertise on the target systems.

We believe these capabilities will encourage implementation of more threat hunting programs at all organizations, helping the industry shift to a more proactive stance.  

Users can review the responses and identify patterns of interest. They can either interrogate potential leads further before deciding, or promote these objects to leads for further investigation.

Users can promote leads in threat hunts to be further investigated.

By using Command Zero for investigations and threat hunts, analysts not only get a better understanding of the overall picture, but also gain the ability to focus on problem areas.

The threat hunting and investigation experiences above are significant improvements over the manual, chaotic and labor-intensive way these activities are carried out today.

The transformative investigation experience

For each investigation run on the Command Zero platform, every step of the case is documented, visualized and summarized. These capabilities enable transparent collaboration between multiple analysts or teams, coaching opportunities between team members and smooth handovers between teams.  

Command Zero is not a case management system. And we don’t intend to build case management capabilities in the platform. Instead, we are integrating with the leading systems in this space like ServiceNow to facilitate the normal workflow.  

Command Zero works in tandem with case management solutions, yet the platform keeps a record of all current and past investigations to help analyst teams do their best work within the scope of those investigations.

Analysts can review current and past investigations all on one dashboard.

The platform also runs autonomous investigations and threat hunts, which appear on the same list of investigations. Users can review autonomous investigations and dive deeper into them with additional questions or facets (dynamic playbooks).

Conclusion

To conclude, Command Zero speeds up threat hunting and investigation processes, delivers consistency and enables collaboration for tier-2+ teams. The platform has been a game-changer for our early adopters, and we believe it will make a huge impact for any organization handling investigations.  

Please check out www.cmdzero.io to learn more or watch our platform overview video.  
