Home
Blog
Investigations
July 11, 2024
7
min read

Rediscover threat hunting and investigations

Command Zero set out to solve the most significant bottleneck for security operations: investigations. There are a lot of solutions (like SIEM, SOAR, SOC automation, AI-powered SOC analysts) available tackling alert ingestion, filtering, correlation and tier-1 related tasks today. Still, investigating escalated cases relies on labor-intensive manual work by tier-2 and tier-3 analysts or incident responders. In this post, I’d like to share how Command Zero transforms the day-to-day experience for threat hunting and investigations.

investigations
Alfred Huger
Cofounder & CPO
In this article
H2 Title
H3 Title

Introduction & Our problem space

Command Zero set out to solve the most significant bottleneck for security operations: investigations.  

There are a lot of solutions (like SIEM, SOAR, SOC automation, AI-powered SOC analysts) available tackling alert ingestion, filtering, correlation and tier-1 related tasks today. Still, investigating escalated cases relies on labor-intensive manual work by tier-2 and tier-3 analysts or incident responders.  (Read more about the problem we’re solving and our unique approach on Dov’s blog post)

To achieve this hefty goal, we’ve built an expert investigations platform for every user. (read more about some of the principles and architectural decisions we’ve made so far on Dean’s blog post)

We do this by encoding the research, the investigatory expertise along with the deep understanding of every unique data source into the platform.

In this post, I’d like to share how Command Zero transforms the day-to-day experience for threat hunting and investigations.  

To demonstrate this, I will walk you through a hypothetical flow that starts with an investigation stemming from multiple alerts, a brief touch on threat hunting and an overview of a complex investigation using the Command Zero platform.  

Alert-driven investigations

Command Zero has been deployed in production environments of our early adopters and is being put to the test every day. With this usage, we observed that many investigations start with alerts from security solutions today.  

So, building a feature where users can review alerts from the key systems and kick off investigations based on multiple alerts was a natural step for us.  

The alert view provides an overview of alerts from multiple connected systems.
Users can initiate investigation based on an alert or multiple alerts.

When a user starts an investigation based on alerts, Command Zero automatically takes the initial steps and asks the most relevant questions to the data sources involved. This not only saves time for the investigation, but also it helps analyst understand the context more quickly.

Command Zero automatically takes initial steps and renames each investigation based on context.

The platform renames the investigation based on discovered context. It also builds a short summary and potential leads for the analyst.  

Once an investigation starts, the user has multiple capabilities at their fingertips:  

  1. See the investigation summary, review investigation leads.
You can get an overview of the investigation and a summary.
  1. Query multiple sources using pre-built questions to further investigate leads.
Interrogating multiple data sources is done by using pre-built investigation questions.
  1. View previous investigations and notes about the leads in scope.
Past investigations on leads help get up to speed on the historical context.
Notes taken by the analyst or the team help build institutional memory on leads.
  1. Run facets to replicate best practices and save time.
Facets are dynamic playbooks that save time, ensure consistency and build organizational knowledge.
  1. Add questions to timeline.
Users can add noteworthy questions and answers to the timeline for building the narrative of a case.
  1. Each question receives an LLM-generated summary that not only reduces the labor for reporting, but also it ensures that no detail gets missed or overlooked.
Question summaries help better understand results and save time with reporting.
  1. See timeline with notes, add additional notes for reporting.
Auto-generated timelines help communicate the narrative with stakeholders.
  1. See the complete summary of the investigation.
Investigation summaries combine all questions, patterns and timelines.

Reviewing past investigations or current alert-driven investigations on Command Zero is a great way to educate your teams on where the heat map of threats, gaps and overall risk are for our environments.  

Wherever you see the most escalated cases is generally where your team needs to hunt more and take a more proactive stance against these threats.  

Threat hunting

We all agree that threat hunting is a highly impactful activity for organizations. That stated, unless you have a dedicated team for threat hunting, it is an activity that we’re all doing less frequently than we need.  

And when we do threat hunt, we hardly know where to look and which patterns to look  for.  

Threat hunting has three impediments to properly adopt:  

1) Threat hunting expertise,  

2) access to systems in the environment,

3) technical expertise on diverse systems in the environment.

Command Zero tackles all three barriers as an expert platform with federated access to universal data sources.  

Users can interrogate security and non-security data sources in their environments with pre-built expert questions. They no longer need direct access to data sources at the individual level or be administrator level experts for technologies within the scope of the hunt.  

Users can threat hunt across data sources by using pre-built questions.

Traditionally threat hunting was (and still is) an elite activity exclusive to the highly experienced teams. And since these team members are oversubscribed with manual investigations, threat hunting often gets de-prioritized in most organizations.  

Command Zero’s fresh approach democratizes threat hunting to all your analysts, regardless of experience levels and technical expertise for target systems.  

We believe these capabilities will encourage implementation of more threat hunting programs at all organizations, helping the industry shift to a more proactive stance.  

Users can review the responses and identify patterns of interest. They can either interrogate potential leads more before they decide, or they can promote these objects as leads for further investigation.  

Users can promote leads in threat hunts to be further investigated.

By utilizing Command Zero for investigation and threat hunts, analysts not only get a better understanding of the overall picture, but they also gain the ability to focus more on problem areas.  

The threat hunting and investigation experiences above are significant improvements over the manual, chaotic and labor-intensive experiences for these activities today.  

The transformative investigation experience

For each investigation run on the Command Zero platform, every step of the case is documented, visualized and summarized. These capabilities enable transparent collaboration between multiple analysts or teams, coaching opportunities between team members and smooth handovers between teams.  

Command Zero is not a case management system. And we don’t intend to build case management capabilities in the platform. Instead, we are integrating with the leading systems in this space like ServiceNow to facilitate the normal workflow.  

Command Zero works in tandem with case management solutions, yet the platform provides a record of all current and past investigations to help analyst teams do their best work, within the scope of investigations.  

Analysts can review current and past investigations all on one dashboard.

The platform runs autonomous investigations and threat hunts. These activities also appear on the list of investigations. Users can review autonomous investigations, dive deeper into them with additional questions or facets (dynamic playbooks).

Conclusion

To conclude, Command Zero speeds up threat hunting and investigation processes, delivers consistency and enables collaboration for tier-2+ teams. The platform has been a game-changer for our early adopters, and we believe it will make a huge impact for any organization handling investigations.  

Please check out www.cmdzero.io to learn more or watch our platform overview video.  

Alfred Huger
Cofounder & CPO

Continue reading

Investigations
Highlight

2026 SOC Resolution: Stop Machine Speak. Level up Investigations with Natural Language

SOC analysts waste critical time translating investigations into complex query languages like SPL, KQL, and SQL instead of hunting threats. Natural language investigation platforms eliminate this cognitive burden, enabling analysts at all skill levels to conduct sophisticated investigations by simply asking questions. Pre-built investigative sequences should operationalize expert methodology across common use cases like impossible travel and suspicious activity analysis, standardizing excellence while breaking down data silos across endpoints, identity providers, and cloud environments. Question-based approaches create reinforcement learning feedback loops, continuously improving investigation quality through analyst validation. By removing syntax barriers, junior analysts gain advanced capabilities while senior investigators accelerate case closure. As alert volumes surpass human capacity in 2026, natural language interfaces become essential for SOC scalability. Modern security operations teams should expect tools that close complex cases in minutes through AI-assisted analysis and autonomous investigative flows, fundamentally transforming how they handle evolving threats.
James Therrien
Jan 7, 2026
5
min read
Investigations
Highlight

Investigating Service Principal Attacks with Graph API Activity Logs

Service principal attacks are escalating, with threat actors like Midnight Blizzard and Storm-0501 exploiting non-human identities to compromise enterprise environments. These attacks historically succeeded because reconnaissance activity—enumeration of users, groups, and roles—remained invisible to defenders through traditional directory audit logs. Microsoft's new GraphAPIAuditEvents table in Defender XDR Advanced Hunting changes this by capturing all Graph API requests, including reads, writes, and failures. This preview feature provides unprecedented visibility into service principal activity, enabling security teams to detect enumeration attempts, privilege escalation, and OAuth abuse before attackers execute their primary objectives. Leveraging Microsoft’s new GraphAPIAuditEvents, Command Zero automates the detection of previously invisible reconnaissance—such as permission enumeration—that legacy logs miss. By embedding expert knowledge into AI-assisted investigation frameworks, the platform correlates disparate data points (IPs, tokens, API calls) to expose complex attack chains. This transforms raw logs into finished investigations in minutes, enabling SOC teams to close the visibility gap and maximize productivity without sacrificing control or transparency.
Kiki Preteau
Dec 23, 2025
4
min read
Investigations
Highlight

The 51-Second Problem: Why SOCs Can't Keep Pace with Machine-Speed Adversaries

Adversaries achieved 51-second breakout times in 2024—faster than most SOCs can triage an alert. While top-performing teams reach Mean Time to Detect of 30 minutes to 4 hours, typical investigations take 90+ minutes before response coordination begins. By then, attackers have already moved laterally and established persistence. The bottleneck isn't analyst speed—it's investigation architecture. Analysts spend 60-70% of investigation time on mechanical tasks: translating questions into queries, context-switching between tools, manually correlating findings across systems, and maintaining investigation state. No amount of training can compress human-paced investigation processes to match machine-speed attacks. The solution requires eliminating mechanical work through investigation patterns that execute at machine speed, allowing analysts to focus on judgment and decision-making. Organizations achieving investigation velocity improvements aren't just deploying better technology—they're consolidating workflows, capturing expert methodologies in executable patterns, and redesigning SOC architecture for the threat landscape they actually face.
Eric Hulse
Dec 3, 2025
6
min read
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept All