If you’ve been following our recent work at Stamus Networks, you’ve likely seen my demonstrations on integrating Large Language Models (LLMs) with Clear NDR via our Model Context Protocol (MCP) server. Until now, those sessions were mostly interactive—a "human-in-the-loop" conversation where the analyst asks a question and the AI provides an answer.
But here, I want to show you something that shifts the paradigm entirely.
We are moving past simple chat interfaces and into the realm of Autonomous AI Agents. By combining advanced prompt engineering with an LLM and our MCP tools, I’ve developed a prototype "Standard Operating Procedure" (SOP) that allows the LLM to act as a self-directed, Tier-3 network threat hunter. While I used Gemini 3 Pro for this exercise, I must emphasize that this can be done with any LLM that supports tool calling – including local LLMs such as GPT OSS, Llama, DeepSeek, Qwen, or Mistral.
Using a local AI model can help organizations protect data sovereignty, and the freedom to choose a model allows organizations to stay true to their internal AI strategy.
The video below demonstrates a single, highly engineered prompt that directs the agent to do the heavy lifting for you. Instead of waiting for instructions, the agent:
The goal isn't just to find "cool" technology; it’s to solve the problems of uncovering hidden threats and alert fatigue. In the demo, you’ll see the agent identify Cobalt Strike beaconing and lateral movement, but it does so with operational intelligence. For example, it’s specifically instructed not to recommend isolating domain controllers—a move that would crash a network—but instead suggests staged remediation.
Imagine walking into your office at 6:00 AM, grabbing your first cup of coffee, and finding a fully formatted Markdown report waiting for you. It’s not just a list of alerts; it’s a comprehensive analysis of the last 24 hours, complete with "Patient Zero" identification and prioritized next steps.
Watch the full demonstration below to see the agent in action.
Two things are worth emphasizing as you watch:
At Stamus Networks, we believe AI should be a force multiplier for your team, not just a gimmick. We are more than happy to share the specific prompts used in this video with our customers so you can begin tailoring them to your own environment.
Would you like a copy of the SOP prompt I used in this demo, or would you prefer a deep dive into how to set up the MCP server for your own Clear NDR instance? Reach out via our Contact Form to keep the conversation going.