Security operations teams are fighting a speed problem they cannot solve with manual processes. Modern attack campaigns — supply chain exploits, GitHub bot attacks, privilege escalation campaigns — can spread across enterprise environments in under two hours. Meanwhile, most SOC teams are still writing SIEM queries by hand, waiting on post-ingestion delays, and running threat hunts on quarterly schedules. The gap between attacker speed and defender speed has never been wider.
A new concept called “vibe hunting” is emerging as the answer — and it’s not just a buzzword. It represents a fundamental shift in how AI-native security platforms empower threat hunters, detection engineers, and CISOs to move at machine speed without sacrificing human judgment or analytical quality.
The Guest: Aqsa Taylor, Chief Security Evangelist at Exaforce
Key Takeaways
- Vibe hunting uses AI-powered SOC platforms to compress hours of manual threat hunting into minutes — without reducing detection quality.
- Exaforce’s semantic knowledge layer ingests streaming data in real time, eliminating the post-ingestion delays that make legacy SIEMs reactive rather than proactive.
- AI agents in Exaforce automatically monitor threat intel feeds and update indicators of compromise (IOCs) as new attack campaigns emerge — no manual analyst intervention required.
- The quality of vibe hunting depends entirely on the data foundation and guardrails behind the AI agents, not just the model itself.
- Exaforce serves both resource-constrained small teams and mid-enterprise SOCs drowning in alerts, with CISO-ready reporting built into the platform experience.
***
In this exclusive interview with Swapnil Bhartiya at TFiR, Aqsa Taylor, Chief Security Evangelist at Exaforce, discusses what vibe hunting really means for modern security operations, how Exaforce’s AI SOC platform is built differently from SIEM-bolt-on solutions, and why the data layer — not the LLM — is the true differentiator in agentic security.
What Is Vibe Hunting — And Where Did It Come From?
The term didn’t originate in a marketing meeting. It emerged from Exaforce’s own MDR team, who were actively tracking live attack campaigns — including the Axios NPM supply chain attack, the TeamPCP campaign, and the GitHub Hackerbot-Claw — and consistently staying ahead of them. Aqsa Taylor noticed her MDR hunters were detecting, escalating, and containing threats at a speed that would have taken traditional SOC teams hours to achieve manually. When she dug into how they were doing it, the answer was clear: they were using Exaforce’s own AI SOC platform to compress the manual investigative workflow into minutes.
Q: What exactly is vibe hunting?
Aqsa Taylor: “It’s not replacing human analysts or human judgment, but it’s empowering them to be able to do hours worth of work in minutes — by taking that cumbersome, long, manual threat hunting process, automating it and making it easily deployable at scale, just to keep up with the attack surface itself. In the case of TeamPCP or these other attack campaigns, you see them happening and escalating within two hours at a larger scale. So to be able to keep up with those defenses, vibe hunting is how you use AI-enabled platforms like Exaforce to do that efficiently, in real time.”
How Exaforce Enables Real-Time, Intent-Based Threat Hunting
Legacy SIEM platforms create a structural problem: data must be ingested first, and detection rules are applied after the fact. This post-ingestion delay means security teams are always working off stale context. Exaforce was architected around a different model — streaming data with behavioral baselines built over time, not just from the moment of integration.
Q: How does Exaforce handle real-time, intent-based threat detection differently from traditional SIEMs?
Aqsa Taylor: “What Exaforce does differently is that it’s looking at streaming data. As soon as we ingest or onboard an integration, we go back in history — we start looking at data not just from the point of integration, but behaviorally. What did the audit logs look like maybe 30 or 90 days ago? Exaforce also brings in configuration data and posture data — the kind of data that’s usually not available in SIEM or SOAR platforms. So what it’s doing is looking at your weaknesses, your risks, and attaching those in real time. Instead of waiting for everything to happen later and waiting for detection rules to be updated periodically, Exaforce provides detection content out of the box.”
Q: What does the actual workflow look like for a threat hunter using Exaforce?
Aqsa Taylor: “Whenever there is a hypothesis — the initial understanding of an attack — the manual work traditionally comes in where the analyst has to create detections and add the indicators of compromise. In Exaforce, we allow for automation agents — AI agents that automatically look at news sources and intel feeds and update our IOCs automatically based on new data that is evolving. With the knowledge semantic layer already bringing context together — not just from your SIEM platforms, but also configuration, posture, and all the other platforms Exaforce is gathering context from — it’s able to stitch that context much faster, and even show you visibility gaps that you may not have thought about in your own detection criteria.”
Why Vibe Hunting Without the Right Data Foundation Fails
One of the most important and nuanced points in this conversation is the distinction between vibe hunting done right and vibe hunting done recklessly. The negative connotation around “vibing” in security — using AI without structure or context — is real, and Aqsa Taylor addresses it directly. The risk isn’t the concept of AI-assisted hunting; it’s building on a weak data foundation.
Q: Why does vibe hunting have a negative reputation in security circles, and is it deserved?
Aqsa Taylor: “The whole negative connotation is because of the inexperience or immaturity of that model. If you use AI agents just for the sake of using them, without having knowledge of what you’re trying to build, it will take longer to debug for bugs and security issues, so it ends up being a burden on senior analysts or senior QA engineers. The same concept applies in vibe hunting: if you just rely on AI models that do not have context, that do not have that knowledge semantic layer, then you end up with incomplete results. It’s vibe hunting itself that is not negative — but if the data it’s relying on, the guardrails in place, the transparency, and the explainability of those models are lacking, then yes, you end up with more work than you bargained for.”
Q: Does the agent itself matter, or is it purely about the data?
Aqsa Taylor: “The agent absolutely matters, because in architecting the agent, there are certain parameters you set — like how much creativity does it have, or does it need to strictly bound itself to the data it’s fed. That’s where hallucinations come from. Explainability is important: what sources are you pulling from? It needs to be able to reason and justify those factors. So it does matter that agents are built with certain guardrails in place, so the data they produce is trustworthy. If it makes your job easier and you only have to review 20% of the time versus 90% because you can’t trust the results — that’s the real value.”
Built From the Ground Up: How Exaforce Avoids the AI Bolt-On Trap
The enterprise security market is saturated with vendors claiming AI capabilities that amount to little more than a natural language query layer on top of an existing rule-based engine. Exaforce took a different approach — starting with the data and knowledge architecture before building the agentic layer on top of it.
Q: How is Exaforce approaching AI differently from vendors that are just bolting it onto existing solutions?
Aqsa Taylor: “A lot of times people think natural language query is AI and let’s just go with it. Exaforce took a step back and said we need to build this from the ground up. It’s not just about putting an LLM agent on top of whatever we stitch together to make things faster — it’s about quality as well. Before you even jump into engineering the agents and LLMs, let’s talk about the foundation. The knowledge layer, the semantic layer that we built, is really the foundation of everything else that the agentic model is built on top of. It takes into account that you need real-time context — you can’t wait for a lag or delay. And the baseline behavior is so different even from user to user. Maybe I travel a lot, so it’s common to have different locations. Maybe you don’t travel as much. So it’s very unusual for you to suddenly be in a different city. There is so much that goes into creating behavioral analysis. And that’s where Exaforce really built from the ground up — to enable SOC analysts and threat hunters to have not just faster results, but quality results they can trust.”
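The per-user baseline idea from the two answers above (historical lookback, and a new city being normal for a frequent traveller but unusual for someone who never travels), as an added illustration that is not Exaforce's code; the audit-log lines, user names and the 50% distinct-city threshold are constructed assumptions:

```python
# Added example (not Exaforce code): per-user login-location baseline.
# The same event, a login from a new city, is normal for a user who travels
# often and unusual for one who does not, so the baseline is built per user
# from historical audit logs rather than from one global rule.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines (timestamp, user, city); not real data.
HISTORY = [
    ("2024-01-02T09:00:00", "alice", "London"),
    ("2024-01-09T09:00:00", "alice", "Paris"),
    ("2024-01-16T09:00:00", "alice", "Berlin"),
    ("2024-01-23T09:00:00", "alice", "Madrid"),
    ("2024-01-02T09:00:00", "bob", "London"),
    ("2024-01-09T09:00:00", "bob", "London"),
    ("2024-01-16T09:00:00", "bob", "London"),
    ("2024-01-23T09:00:00", "bob", "London"),
]

def build_baseline(events, now, window_days=90):
    """Count cities per user over the trailing window (the 30/90-day lookback)."""
    cutoff = now - timedelta(days=window_days)
    baseline = defaultdict(Counter)
    for ts, user, city in events:
        if datetime.fromisoformat(ts) >= cutoff:
            baseline[user][city] += 1
    return baseline

def score_login(baseline, user, city, travel_ratio=0.5):
    """Return (is_anomalous, reason). A never-seen city is anomalous only when
    the user's history is concentrated in few cities; a user whose logins come
    from many distinct cities (ratio >= travel_ratio, an assumed threshold) is tolerated."""
    hist = baseline.get(user)
    if not hist:
        return True, f"no baseline for {user}"
    total = sum(hist.values())
    if city in hist:
        return False, f"{user}: {city} seen {hist[city]}/{total} times"
    if len(hist) / total >= travel_ratio:
        return False, f"{user}: frequent traveller, {len(hist)} cities in {total} logins"
    return True, f"{user}: never seen in {city}; history {dict(hist)}"

# Evaluate new logins against a baseline built "as of" a fixed date.
BASELINE = build_baseline(HISTORY, datetime(2024, 2, 1))

def check(user, city):
    """Convenience wrapper over the module-level baseline."""
    return score_login(BASELINE, user, city)
```

Running `check("alice", "Rome")` and `check("bob", "Rome")` shows the same new-city login judged differently because each user's own history differs.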
Q: Can you walk through a real-world example of how Exaforce handled a recent attack campaign?
Aqsa Taylor: “The GitHub Hackerbot-Claw attack campaign is a great example. Pull requests were being targeted for malicious code execution, privilege escalation, or even just changing a README file and manipulating agent prompts whenever there was an auto-approval process for version changes. This kind of activity is generally seen as normal in GitHub — sending PRs, changing versions. A lot of platforms don’t have native detection coverage for such things. Because Exaforce was able to detect this activity, we automatically alerted customers: ‘Hey, there’s this thing going on, and we see similar patterns in your environment.’ Our MDR team then investigated and sent an automated case report — something you could take to a CISO. Not just a dashboard with numbers, but a full end-to-end report: here’s what happened, how it happened, where it happened, and when. One of our customers, Manish from Replit, said during an RSA panel that he was able to take a screenshot from our dashboard and immediately inform his CISO — showing what locations were impacted, where teams are located. That’s what user experience is about: reducing the translation layer between your engineering team and your executive team.”