As Mythos Expands What Detection Can’t See, Daylight Launches Managed Agentic Threat Hunting

A few weeks ago, threat hunting was still something most security teams agreed they should do more of. It existed as plans, hypotheses, and occasional exercises, but rarely as a continuous practice. That changed.
AI-driven attack discovery systems like Mythos are expanding how attackers identify weaknesses. They don't just automate exploitation; they automate discovery. They explore environments, test assumptions, and surface attack paths that would not have been obvious before.
The implication is not just that attacks are faster. It is that the space of possible attacks is expanding faster than detection can keep up.
Detection can only cover what is already understood. Threat hunting exists to test what is not.
Detection vs. Threat Hunting: Two Different Systems
Detection is based on knowns. It relies on predefined logic (rules, signatures, models) that maps behavior to alerts. It is optimized for speed and repeatability.
Threat hunting operates differently. It starts from a hypothesis and tests it against raw telemetry. It is not triggered by alerts, and it does not assume the outcome in advance. Instead, it requires iterative analysis, correlation across systems, and decision-making at each step.
This difference is not philosophical. It is operational.
Detection scales because it is deterministic. Threat hunting does not scale because it is exploratory.
Why Threat Hunting Does Not Scale Today
In most organizations, threat hunting is constrained by execution.
A typical hypothesis-based hunt involves multiple stages: defining the hypothesis, identifying relevant data sources, writing queries, iterating through results, and refining the dataset. Each step requires judgment.
Even with strong tooling, this process is manual. Analysts must decide what to filter, what to group, what to ignore, and what to investigate further. As a result, only a limited number of hypotheses can be explored at any given time.
This leads to a common pattern: teams maintain a backlog of hypotheses but execute only a small subset. The majority are never tested.
In a static environment, this is inefficient. In a dynamic environment shaped by systems like Mythos, it creates a growing blind spot.
Making Threat Hunting Executable at Scale
To make threat hunting continuous, the execution model must change.
At Daylight, this is done by separating hypothesis definition from execution, and by introducing a system that can carry out investigations iteratively and in parallel.
There are two core types of hunts: hypothesis-based and IOC-based. Each serves a different purpose and follows a different execution model.
Hypothesis-Based Threat Hunting (Unknown Threats)
Hypothesis-based hunting is designed to uncover activity that is not already known or detected.
The process begins with a hypothesis defined by a security expert. For example, this could be misuse of service accounts, lateral movement patterns, or abnormal identity behavior.
Each hypothesis is broken down into a set of analyses. An analysis represents a structured way to test a specific aspect of that hypothesis. It includes an initial query, the relevant data sources, and the expected types of transformations required to refine the dataset.
Execution begins with deterministic data extraction. The system queries relevant telemetry, often across multiple systems and up to 90 days of historical data, to establish a complete starting dataset.
From there, the investigation becomes iterative.
Instead of following a predefined sequence of steps, the system uses a collection of specialized AI agents. Each agent performs a single function: filtering known benign activity, grouping events, identifying anomalies, or correlating signals across systems.
Each iteration takes the output of the previous step and decides how to refine it further. This creates a loop where the dataset is progressively reduced from broad activity to a small set of unexplained behaviors.
This approach has several important properties:
- It is non-deterministic in execution. The path of the investigation is determined by the data, not by a fixed playbook.
- It limits compounding bias. Each step operates only on the current dataset, not on a predetermined end state. The trade-off is that anything a step filters out as benign is gone for every later step, so filter criteria must be reviewable.
- It scales naturally. Multiple analyses can run in parallel.
The process continues until one of two outcomes is reached: either all activity is explained and the hypothesis is not supported by the data examined, or unexplained behavior remains and is escalated for further investigation.
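The execution loop described above, as an added example (not Daylight's code): one hypothesis from the list, misuse of service accounts, is turned into a single analysis with a deterministic extraction query and a handful of single-purpose steps that a controller selects by inspecting the current dataset. The telemetry, the known-benign baseline, the `svc_` naming convention and the logon-type labels are all constructed for the example.

```python
"""Hypothesis-driven hunt modelled on an extract-then-iterate execution loop.

Added example, not Daylight's code. Hypothesis: a service account is being
used interactively or from a host outside its baseline. All telemetry, the
baseline, and field names below are constructed.
"""
from datetime import datetime, timedelta

NOW = datetime(2024, 5, 10)
LOOKBACK_DAYS = 90

# Constructed authentication events from identity/endpoint sources.
TELEMETRY = [
    {"ts": "2024-01-01T01:00:00", "user": "svc_backup", "host": "bkp-01", "logon": "service"},  # outside lookback
    {"ts": "2024-05-01T02:00:00", "user": "svc_backup", "host": "bkp-01", "logon": "service"},
    {"ts": "2024-05-02T02:00:00", "user": "svc_backup", "host": "bkp-01", "logon": "service"},
    {"ts": "2024-05-03T02:00:00", "user": "svc_sql", "host": "db-01", "logon": "service"},
    {"ts": "2024-05-04T11:30:00", "user": "svc_sql", "host": "db-01", "logon": "network"},
    {"ts": "2024-05-05T13:45:00", "user": "svc_backup", "host": "ws-jdoe", "logon": "interactive"},
    {"ts": "2024-05-05T13:50:00", "user": "svc_backup", "host": "ws-jdoe", "logon": "rdp"},
    {"ts": "2024-05-06T09:00:00", "user": "jdoe", "host": "ws-jdoe", "logon": "interactive"},  # not a service account
]

# Constructed known-benign baseline: where each service account normally runs.
BASELINE = {"svc_backup": {"bkp-01"}, "svc_sql": {"db-01"}}
NON_INTERACTIVE = {"service", "batch", "network"}


def extract(events, now=NOW, lookback_days=LOOKBACK_DAYS):
    """Deterministic extraction: the analysis's initial query over the lookback window."""
    cutoff = now - timedelta(days=lookback_days)
    return [e for e in events
            if e["user"].startswith("svc_") and datetime.fromisoformat(e["ts"]) >= cutoff]


def is_baseline(e):
    return e["host"] in BASELINE.get(e["user"], set()) and e["logon"] in NON_INTERACTIVE


# Each step has one job and returns (refined dataset, note for the audit trail).
def filter_known_benign(ds):
    kept = [e for e in ds if not is_baseline(e)]
    return kept, f"filter: dropped {len(ds) - len(kept)} baseline logons, {len(kept)} left"


def correlate_sessions(ds):
    """Collapse remaining events into one finding per (user, host) so the residual is reviewable."""
    sessions = {}
    for e in sorted(ds, key=lambda e: e["ts"]):
        key = (e["user"], e["host"])
        s = sessions.setdefault(key, {"user": e["user"], "host": e["host"],
                                      "first": e["ts"], "last": e["ts"], "logons": []})
        s["last"] = e["ts"]
        s["logons"].append(e["logon"])
    findings = list(sessions.values())
    return findings, f"correlate: {len(ds)} events -> {len(findings)} session(s)"


def choose_step(ds):
    """Pick the next step from the data itself; None means nothing further reduces the set."""
    if not ds:
        return None
    if any("logon" in e and is_baseline(e) for e in ds):
        return filter_known_benign
    # Raw events (they still carry "logon") with repeated (user, host) pairs get correlated.
    if "logon" in ds[0] and len({(e["user"], e["host"]) for e in ds}) < len(ds):
        return correlate_sessions
    return None


def hunt(events, max_iterations=10):
    """Extract once, then iterate until the dataset is empty (explained) or irreducible (escalate)."""
    ds = extract(events)
    trace = [f"extract: {len(ds)} service-account logons in last {LOOKBACK_DAYS} days"]
    for _ in range(max_iterations):
        step = choose_step(ds)
        if step is None:
            break
        ds, note = step(ds)
        trace.append(note)
    return {"outcome": "explained" if not ds else "escalate", "findings": ds, "trace": trace}


if __name__ == "__main__":
    result = hunt(TELEMETRY)
    print("\n".join(result["trace"]))
    print(result["outcome"], result["findings"])
```

The `trace` list is the part a practitioner should insist on: because each step discards data for every step after it, the record of what was filtered and why is what makes an "explained" outcome auditable.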
IOC-Based Threat Hunting (Known Threats)
IOC-based hunting serves a different purpose: validating exposure to known threats.
These hunts are triggered by external inputs such as threat intelligence, vulnerability disclosures, or indicators observed in other environments.
Unlike hypothesis-based hunts, IOC-based hunts are deterministic. They rely on predefined playbooks that define where to search, how to query data, and how far back to look.
Execution involves scanning across multiple data sources (endpoint, identity, cloud, and SaaS) to identify matches for the given indicator. Results are then correlated to determine scope and impact.
The outcome is binary: either the indicator is not present in the sources and time window searched, or it is found and escalated.
While simpler in structure, IOC-based hunts provide critical coverage for known threats and complement hypothesis-based investigations.
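The IOC playbook model above, as an added example (not Daylight's code): the playbook names, per indicator type, which fields in which data sources to search and how far back to look; execution scans every listed source and correlates the hits into scope (hosts and identities). The four sources, their field names, the playbook entries and the indicator values are constructed.

```python
"""IOC hunt as a deterministic playbook.

Added example, not Daylight's code. Sources, field names, playbook entries
and indicators are constructed. A 'not_present' result is only meaningful
for the sources and lookback actually searched, so both are returned.
"""
from datetime import datetime, timedelta

NOW = datetime(2024, 5, 10)

# Constructed telemetry: one record list per data source.
SOURCES = {
    "endpoint": [
        {"ts": "2024-05-07T10:00:00", "host": "ws-jdoe", "user": "jdoe", "sha256": "a" * 64, "dst_ip": "203.0.113.7"},
        {"ts": "2024-05-07T10:02:00", "host": "ws-asmith", "user": "asmith", "sha256": "b" * 64, "dst_ip": "198.51.100.9"},
    ],
    "identity": [
        {"ts": "2024-05-08T08:00:00", "user": "jdoe", "src_ip": "203.0.113.7", "result": "success"},
        {"ts": "2024-05-08T08:05:00", "user": "asmith", "src_ip": "192.0.2.20", "result": "success"},
    ],
    "cloud": [
        {"ts": "2024-05-08T08:10:00", "principal": "jdoe", "src_ip": "203.0.113.7", "action": "ListBuckets"},
    ],
    "saas": [
        {"ts": "2024-03-01T08:10:00", "user": "bob", "src_ip": "203.0.113.7", "app": "crm"},  # older than the IP lookback
    ],
}

# Playbook: per indicator type, the fields per source that can hold it and the lookback.
PLAYBOOK = {
    "ip": {"lookback_days": 30,
           "fields": {"endpoint": ["dst_ip"], "identity": ["src_ip"], "cloud": ["src_ip"], "saas": ["src_ip"]}},
    "sha256": {"lookback_days": 90, "fields": {"endpoint": ["sha256"]}},
}
IDENTITY_FIELDS = ("user", "principal")


def hunt_ioc(ioc_type, value, now=NOW):
    """Run the playbook for one indicator and return outcome, coverage, matches and scope."""
    if ioc_type not in PLAYBOOK:
        # No playbook means no search happened; never report that as "not present".
        raise ValueError(f"no playbook for indicator type {ioc_type!r}")
    play = PLAYBOOK[ioc_type]
    value = value.strip().lower()
    cutoff = now - timedelta(days=play["lookback_days"])
    matches, searched = [], []
    for source, fields in play["fields"].items():
        if source not in SOURCES:
            continue  # a missing source is a coverage gap and stays out of "searched"
        searched.append(source)
        for rec in SOURCES[source]:
            if datetime.fromisoformat(rec["ts"]) < cutoff:
                continue
            if any(str(rec.get(f, "")).lower() == value for f in fields):
                matches.append({"source": source, **rec})
    # Correlate hits across sources into the blast radius.
    hosts = sorted({m["host"] for m in matches if "host" in m})
    identities = sorted({m[f] for m in matches for f in IDENTITY_FIELDS if f in m})
    return {
        "outcome": "escalate" if matches else "not_present",
        "searched": searched,
        "lookback_days": play["lookback_days"],
        "matches": matches,
        "scope": {"hosts": hosts, "identities": identities,
                  "sources": sorted({m["source"] for m in matches})},
    }


if __name__ == "__main__":
    for ioc_type, value in [("ip", "203.0.113.7"), ("sha256", "c" * 64)]:
        r = hunt_ioc(ioc_type, value)
        print(ioc_type, value[:16], r["outcome"], r["scope"], "searched:", r["searched"])
```

Two details matter in practice: the SaaS record holds the indicator but falls outside the playbook's lookback, so it does not count as a match, and an indicator type with no playbook raises instead of quietly returning "not present".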
From Execution Constraint to Continuous System
When both types of hunts are executed by a system rather than manually, the constraints that previously defined threat hunting are removed.
Hypothesis-based hunts can run continuously, testing multiple scenarios in parallel. IOC-based hunts can be triggered and executed immediately across all relevant data.
This enables a shift from periodic investigation to continuous validation.
Instead of asking "what should we hunt next," teams can ask "what have we not yet validated," and have the system execute against that question.
What This Enables
Running threat hunting as a system changes three things.
First, it increases coverage. More hypotheses can be tested across more data, more frequently.
Second, it improves consistency. Each investigation follows a controlled and repeatable process.
Third, it reduces time to outcome. Investigations that previously required hours or days can be completed in minutes.
These are not incremental improvements. They change what is operationally possible.
Final Thought
The shift introduced by systems like Mythos is not about speed alone. It is about expanding what attackers can discover.
As that space grows, detection becomes inherently incomplete.
Threat hunting is the only mechanism designed to explore that unknown space.
The question is no longer whether threat hunting is important. It is whether it can be executed continuously.
Until recently, the answer was no. Now, it can.