
Meet the Threat Hunters Who Alert Security Teams To What’s Coming

Extensive intel and expert analysis make our Threat Hunters a key component in protecting organizations from today’s critical threats

  • The Symantec and Carbon Black Threat Hunters emerged from the Symantec Attack Investigation Team (AIT), founded in 2011 to track sophisticated cyber threats, eventually evolving into today’s Threat Hunters.
  • The group consists of three teams—Threat Hunting and Research, Security Intelligence and Analytics, and Threat Intelligence Content—working together to investigate attacks, develop AI-driven analytics and provide actionable intelligence.
  • Their work led to a groundbreaking, AI-powered feature called Incident Prediction, which can predict attackers' next four to five moves with up to 100% confidence.
  • The team continues to refine its methods, recently integrating Carbon Black’s telemetry data to enhance threat detection, ensuring organizations stay ahead of emerging cyber threats.

You’re probably familiar by now with the Symantec and Carbon Black Threat Hunters, especially if you’ve kept up with our threat intelligence reports. Perhaps you’ve wondered about the people behind that intelligence. Their story is one worth telling.

The primary function of this team is to investigate potentially critical attacks on customers with the aim of improving how Symantec and Carbon Black products protect against these threats, either by refining Broadcom’s existing protection and detection technologies or by creating new defenses. We also share actionable threat intelligence with our customers and the information security community.

Tracking a new breed of threats

The Threat Hunters can trace their beginnings to the foundation of the Symantec Attack Investigation Team (AIT) in 2011. The catalyst for its creation was the growing sophistication displayed by attackers, and by espionage groups in particular.

Nothing exemplified this more than Symantec’s 2010 discovery that the advanced Stuxnet Trojan was being used to target the Iranian nuclear enrichment program. Capable of reaching inside air-gapped networks and specifically designed to disrupt the industrial control systems used by the program, Stuxnet epitomized a new breed of threats.

AIT was tasked with tracking all known espionage actors and major cybercrime organizations and discovering new campaigns, tactics, techniques and malware families. The volume of discoveries it made prompted the formation of a team of content developers to document and publish these findings. AIT added software developers to produce new tools and systems to aid the team in its work. By 2020, what began as AIT had evolved into what we know today as the Threat Hunters.

Three teams, countless contributions

Today, the Threat Hunters are a multi-disciplinary group consisting of three closely aligned teams: 

The Threat Hunting and Research Team is a group of experienced attack investigators and skilled malware analysts who investigate incidents on customer networks and hunt for related threats. Symantec’s product team, in its effort to improve the protection and detection capabilities of Symantec solutions, relies on this team’s ability to identify previously unknown tools and techniques. Their findings are also passed to the second Threat Hunter team.

Security Intelligence and Analytics is a team of data scientists tasked with harnessing the power of AI to act as a force multiplier for us and our customers. They use investigation findings to create and train AI-based analytics designed to automatically identify and predict malicious behavior. This began with Cloud Analytics, which is trained using all previous Threat Hunter investigations and can identify similar patterns of malicious activity involving legitimate tools as attacks occur on customer networks. Like many Threat Hunter innovations, Cloud Analytics was originally created as an aid for Threat Hunter analysts, enabling them to identify new breaches. 

It wasn’t long before Symantec and Carbon Black product developers recognized the value this could bring to Symantec endpoint protection and Carbon Black endpoint detection and response (EDR) products. Case in point: our recently introduced AI-powered feature, Incident Prediction, was trained on a catalog of more than 500,000 real-world attack chains built by the Threat Hunters and can predict the next four or five moves attackers will take in a customer’s environment with up to 100% confidence. Incident Prediction then allows security analysts to select the predicted behaviors to mitigate and apply them to the Adaptive Protection policy. Customers can stop attackers in their tracks without having to shut down the entire system or network.
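As an added illustration (not Symantec’s or Carbon Black’s code, and not a description of how Incident Prediction is actually built), the following Python sketch shows the general idea the paragraph describes: learn from a catalog of attack chains, then, given the behaviours already observed in an environment, predict the next few steps with a confidence score and pick out the ones worth blocking. The behaviour labels, the sample chains, the order-2 Markov model and the `behaviours_to_block` threshold are all assumptions constructed for this example.

```python
from collections import Counter, defaultdict

# Constructed sample catalog: each chain is an ordered list of attacker
# behaviours observed in one incident. Labels are hypothetical, chosen only
# to make the example readable; a real catalog would use the product's own
# behaviour taxonomy.
SAMPLE_CHAINS = [
    ["phishing_attachment", "macro_execution", "powershell_download",
     "credential_dumping", "lateral_movement_smb", "ransomware_deploy"],
    ["phishing_attachment", "macro_execution", "powershell_download",
     "persistence_scheduled_task", "credential_dumping",
     "lateral_movement_smb", "data_exfiltration"],
    ["exposed_rdp_bruteforce", "credential_dumping",
     "lateral_movement_rdp", "ransomware_deploy"],
    ["phishing_attachment", "macro_execution", "powershell_download",
     "credential_dumping", "lateral_movement_smb", "ransomware_deploy"],
    ["exposed_rdp_bruteforce", "persistence_scheduled_task",
     "credential_dumping", "lateral_movement_rdp", "data_exfiltration"],
]

START, END = "<start>", "<end>"


class NextStepModel:
    """Order-k Markov model: counts which behaviour follows each k-step context.

    This is a deliberately simple stand-in for 'a model trained on attack
    chains'; the confidence it reports is the empirical transition frequency.
    """

    def __init__(self, order=2):
        self.order = order
        self.transitions = defaultdict(Counter)

    def fit(self, chains):
        for chain in chains:
            padded = [START] * self.order + list(chain) + [END]
            for i in range(self.order, len(padded)):
                context = tuple(padded[i - self.order:i])
                self.transitions[context][padded[i]] += 1
        return self

    def predict_next(self, observed):
        """Most likely next behaviour and its confidence, or None if unseen."""
        context = tuple(([START] * self.order + list(observed))[-self.order:])
        counts = self.transitions.get(context)
        if not counts:
            return None
        behaviour, n = counts.most_common(1)[0]
        return behaviour, n / sum(counts.values())

    def predict_chain(self, observed, steps=4):
        """Roll the model forward to forecast the next `steps` behaviours."""
        observed = list(observed)
        forecast = []
        for _ in range(steps):
            prediction = self.predict_next(observed)
            if prediction is None or prediction[0] == END:
                break
            forecast.append(prediction)
            observed.append(prediction[0])
        return forecast


def behaviours_to_block(forecast, min_confidence=0.5):
    """Candidate behaviours an analyst might choose to block, mirroring the
    'select the predicted behaviours to mitigate' step; threshold is assumed."""
    return [b for b, confidence in forecast if confidence >= min_confidence]


if __name__ == "__main__":
    model = NextStepModel(order=2).fit(SAMPLE_CHAINS)
    seen = ["phishing_attachment", "macro_execution"]
    forecast = model.predict_chain(seen, steps=4)
    for behaviour, confidence in forecast:
        print(f"{behaviour:28s} confidence={confidence:.2f}")
    print("block candidates:", behaviours_to_block(forecast))
```

Run as a script, it prints the four forecast steps for a chain that has started with a phishing attachment and a macro launch, each with the fraction of catalog chains that took that step from the same two-step context; steps that fall below the threshold are left for the analyst to weigh rather than blocked automatically.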

The Threat Intelligence Content team then turns our investigations and analysis into actionable threat intelligence for Symantec and Carbon Black customers. This includes:

  • Our Threat Intelligence blog, where we publish our most significant research, such as the discovery of new attack campaigns, threat actors, and tools and tactics.
  • Short, tactical Threat Alerts designed to share indicators of compromise and contextual information about critical threats quickly, so customers can rapidly take steps to protect their organizations.
  • Quarterly white papers that encapsulate our deep-dive research into adversaries, threats and tactics. Recent publications include an in-depth study of China-linked espionage actors and our annual look at the ransomware threat landscape. This research also informs our numerous presentations at industry conferences, such as our popular presentation on nation-state threats at the RSAC 2025 Conference.
  • The Threat Landscape Bulletin, a daily email that summarizes all major cybersecurity news and is distributed exclusively to Broadcom’s security customers.
  • Threat intelligence feeds and our Threat Intelligence API. Customers who query an IoC using the API will see any reports the team has produced related to the group associated with that IoC.

Evolving along with threats

The work of the Threat Hunters has led to some significant breakthroughs. These include the 2014 discovery of Regin, one of the stealthiest and most advanced threats discovered to date. The Threat Hunters were also responsible in 2022 for uncovering Daxin, one of the most advanced pieces of malware we’ve seen used by China-backed actors. Optimized for use against hardened targets, Daxin allowed its operators to burrow deep into a target’s network and exfiltrate data without raising suspicions.

The Threat Hunters have grown and transformed significantly since the team was first created, and that evolution is continuing to this day. The most recent development stems from the integration of Carbon Black into the Broadcom Enterprise Security Group, and by extension into the Threat Hunters.

Carbon Black’s unprecedented telemetry provides another rich seam of data that Threat Hunters can mine, providing us with even greater visibility into attacker activity. Meanwhile, Carbon Black customers will soon benefit from higher-quality detections based on the work of this team, along with future integrations that will help customers enhance their own detection capabilities. 

It’s always hunting season

The Threat Hunters work hard to maximize the positive impact of Symantec and Carbon Black solutions, taking point on identifying what attackers are up to and assessing the evolving threats that organizations face today. We’ll continue to keep you informed and help keep you safe. Because here at Broadcom, it’s always hunting season.


About the Author

Enterprise Security Group

by Broadcom

The Enterprise Security Group at Broadcom is the combined portfolio of Symantec and Carbon Black solutions for Endpoint, Network, Information, and Application Security—delivering legendary enterprise security solutions to protect any business.
