Every security team has its playbook that includes rules to follow, patterns to spot, and alerts to chase. But the best hunters don't just follow instructions. They trust their gut. Sometimes it starts with a log that looks a little off, or a pattern that doesn't quite sit right. And once that thread is pulled, they can't let it go.

Jose Hernandez knows that mindset well. He leads Splunk's Threat Research Team, where he and his team simulate attacks, build detections, and constantly test their ideas against what real attackers are doing. Outside of work, he's someone who values the quiet parts of life too: raising chickens, spending time with family, and finding the calm between the high-pressure demands of security research.

In this interview, Jose shares how his team builds detections that matter, how he spots emerging threats before they hit the headlines, and how tools like Hunt.io and MagicSword are helping defenders shift from reactive to strategic. He also talks about work-life balance and why hiring curious people is the best investment a team can make.

Can you tell us a bit about your role at Splunk and the objectives of the Threat Research Team?

Jose: The team's objective and role in short is to ship content for the Splunk Enterprise Security SIEM product. Although easier said than described, since this really entails many things. We are responsible for understanding emerging threats (or market use cases), stimulating attacks/running POC, and generating the necessary events a SIEM would collect, then we write/test/deploy analytics/detections that work across +2000 SOCs today that are powered by Splunk.

As the Director of Threat Research, my role is to lead the teams that make this happen. This entails content charter along with products, overseeing tools architecture and design, hiring, supporting our content, and of course connecting with our customers to make sure we are building things they find useful.

How does your team at Splunk approach threat hunting and detection? What methodologies do you find most effective?

Jose: My team focuses on threats on top malware on sandbox analysis and other CTI data:

• Simulate the attack (heavy emphasis on Atomic Red Team), testing stuff

• Write the detection into security_content, leveraging our detection-as-code framework

• Where it is automatically linted and tested via our CI pipeline, leveraging GitHub actions

With the recent acquisition of SnapAttack, how has this shifted or enhanced your team's workflow in producing and deploying detections?

Jose: It has improved our workflow. First, their threat research team has joined ours, and now our detection library has grown tremendously as a result of uniting both products' detection stockpile. We specifically are now using or looking to use their CapAttack (attack capturing) tool inside the Splunk Attack Range to have better data captures during our attack simulation. I'm hoping that the community can benefit from this, and that will hopefully result in massive improvements to Splunk's Attack data project.

What do you believe is the biggest challenge when it comes to building effective detection rules, and how do you overcome those challenges?

Jose: I don't know if it's the biggest challenge, but some of the core challenges we're always struggling with are to make sure the detection is actionable and not just simply a notice to the SOC. Secondly, false positives and essentially building a detection that works across a varied set of environments is an extremely hard challenge, especially in a high-efficacy section.

And another core challenge, especially when building behavioral detection, is not building behavior detections for behaviors that are so common that they're meaningless. There's obviously a lot more challenges as somebody's building the detections out, but some of the core challenges are from the efficacy, and making sure you are consistently testing the efficacy of the detection, to how actionable that is if the SOC does get the alert and was it obvious what they should do with it, is it obvious that they can convict an alert given that detection.

Threat hunting requires a mix of intuition and technical skill. How do you foster that balance, and what advice would you give to someone starting their journey in threat hunting?

Jose: Honestly, the intuition-versus-technical balance comes down to hiring curious people and giving them room to follow weird hunches. I can teach anyone to write SPL searches or parse logs, but I can't teach someone to get that nagging feeling when authentication patterns look "off" for no obvious reason. My best researchers are the ones who get genuinely annoyed when they can't explain why something bothers them, then obsessively dig until they figure it out.

For new hunters, I tell them to learn their environment, which usually entails building a Splunk Attack Range and just look for what normal logs and data patterns are, and spend time understanding normal before you can spot abnormal. And always think like the attacker, not the defender. Most threat hunting fails because people look for what they expect to find instead of what adversaries actually do.

In your opinion, what's the most critical skill for a threat hunter to possess, and why?

Jose: To me, the most important skill a hunter possesses is curiosity and the reason is because without being curious, it's very easy to overlook or pass a defensive agent, or essentially miss a smoking gun sometimes in a hunt for a threat. But two, I think beyond curiosity, it's also the curiosity of understanding how actors and threads operate and really being on top of them. I often say that, you know, cybersecurity is very similar to medicine, where medicine maybe changes every two to three years, and a doctor needs to stay up to date and read and study every two to three years.

Well, cybersecurity is a lot more intense because every six months there's a new technology, a new way to essentially perpetuate an attack. And I think a hunter needs to be curious enough to understand how these work and then also curious enough to see how they work, how they manifest themselves on the internet, and the way that they detect themselves.

...Best hunters don't just follow instructions. They trust their gut. Sometimes it starts with a log that looks a little off, or a pattern that doesn't quite sit right. And once that thread is pulled, they can't let it go.

Share this insight:

Can you talk about how automation plays a role in your threat hunting process? To what extent do you automate routine tasks?

Jose: Automation should amplify your hunters, not replace them - I always tell people "automate the boring stuff so humans can do the interesting stuff." I recently started (and love) using Feedly to track what's actually trending, not just what vendors are hyping, but what researchers are genuinely worried about. When I see the same TTPs/CVE/Malware popping up across multiple blogs, that's my cue to start building hunts. Same with sandboxes like Malware Bazaar and ANY.RUN if hundreds of researchers are suddenly analyzing a particular family, or it shows up in their top 10 list there's probably a reason.

That trending analysis becomes hunt inspiration way faster than waiting for formal threat intel reports. Also, if they are topping a chart but we do not have coverage on Splunk Security content, it's usually another great reason to start a hunt.

Enrichment is absolutely king, though.

We're drowning in alerts but starving for context, so I'd rather have one enriched indicator than 50 raw IP addresses. Tools like GreyNoise and Cymru save us from chasing scanner noise, while Hunt.io is perfect for drilling down on infrastructure that's already doing sketchy things online and serving evil to people.

The Sigma rule approach, or your Splunk hunting rules at research.splunk.com, give us that foundation so hunters can focus on the "what if" scenarios rather than reinventing basic queries. Try and automate the hell out of initial triage and data correlation, but keep humans in the loop for pattern recognition and those "something's not right here" moments. That's where the real hunting happens.

As a threat researcher, how does Hunt.io fit into your threat hunting workflow? Can you share an example of how it's been particularly useful in your investigations?

Jose: Hunt.io is basically my "what's actually running on this thing?" tool when I'm staring at a pile of suspicious IPs and don't know where to start. It's perfect for quickly determining if infrastructure is actively serving Cobalt Strike beacons, pushing malware, or just running benign services. Instead of manually checking hundreds of IPs, I can filter a large dataset down to the actual threats in minutes. It's like having X-ray vision into what's really happening on suspected bad infrastructure.

Here's a recent example that was pretty slick - we were hunting for government impersonation campaigns and ran a HuntSQL™ query for hostnames containing "gov" in Hunt.io's malware dataset. One result jumped out: a domain that was clearly trying to spoof an Eastern European country's Energy Regulatory Office instead of using the proper government domain format. Hunt.io showed it resolving to a Microsoft IP in the Netherlands with an exposed GoPhish admin panel on the default port used 3333. That single find led us to uncover 18 additional domains on the same infrastructure, all targeting regional energy companies.

The certificate transparency data in Hunt.io revealed they were cycling through short-lived Let's Encrypt certs and had been active for months. Without Hunt.io's ability to correlate the malware detection with domain patterns and certificate history, we would've missed the scope of this targeting campaign entirely. It turned what started as one suspicious domain into a complete picture of a sector-specific phishing operation.

Hunt.io is basically my "what's actually running on this thing?" tool when I'm staring at a pile of suspicious IPs and don't know where to start.

Share this insight:

What tools do you find most valuable for threat hunting? How does Hunt.io compare to other tools you've used in terms of its effectiveness and ease of integration?

Jose: For threat hunting, I'm constantly switching between different tools depending on what I'm chasing, but Hunt.io fills a unique gap that most platforms miss entirely. Most threat intel tools are obsessed with individual IOCs - here's a bad IP, here's a malicious hash, here's a sketchy domain. That's useful for enrichment, but it doesn't tell you the story of who's behind it or how their infrastructure connects.

Hunt.io gives me that actor view of what's actually happening on the internet. Instead of just knowing that 1.2.3.4 is bad, I can see that it's hosting Cobalt Strike, what certificates it's using, what other domains resolve there, and how long the actor has been operating that infrastructure. It's the difference between playing whack-a-mole with individual indicators versus understanding the adversary's operational patterns. When I find one piece of their infrastructure, I can quickly pivot to find the rest of their setup instead of waiting for someone else to burn those IPs individually.

The integration is pretty straightforward since it's mostly API-driven, and the data enrichment happens fast enough to use during active hunts rather than just for retrospective analysis. Other tools I've used give me great detection capabilities or fantastic IOC feeds, but Hunt.io is the only one that consistently helps me think like the attacker and map out their entire operation. It turned hunt results from "we found some bad stuff" into "here's exactly how this actor operates and where to look for them next time."

Most threat intel tools are obsessed with individual IOCs - here's a bad IP, here's a malicious hash, here's a sketchy domain. That's useful for enrichment, but it doesn't tell you the story of who's behind it or how their infrastructure connects.

Share this insight:

MagicSword is your personal project that focuses on building open-source security tools. Can you elaborate on how these tools use advanced data analysis to protect businesses from internet threats?

Jose: MagicSword is actually a collective effort, not just my personal project, but a group of us working together to build tools for the broader cybersecurity community. The whole thing started when we kept seeing threat actors abusing legitimate Windows drivers in attacks, but there wasn't any good public catalog of which drivers were getting weaponized. So we built loldrivers.io as our first project to tackle that gap.

We've evolved quite a bit since then, now we're working on lolrmm.io, bootloaders.io , and have adopted sigconverter.io. Here's the core problem we're trying to solve: it's incredibly difficult for organizations to control what legitimate tools get abused in their environment and how to defend against them.

Most security tools are focused on detecting malware or preventing obvious bad stuff, but they completely miss when attackers are using a trusted app or "living-off-the-land" with perfectly legitimate software.

We see this every single day as researchers: actors compromise organizations using tools that are supposed to be there, like legitimate remote management software, system utilities, or signed drivers. The security industry has this massive blind spot where we're great at stopping overtly malicious code but terrible at recognizing when good tools are being used for evil purposes.

That's the gap MagicSword is trying to fill, giving defenders the visibility and control they need when the threat isn't some exotic malware, but rather someone abusing the very tools their EDR trusts.

What are the next steps or innovations on the horizon for Magic Sword's solutions?

Jose: Building on what we've learned from projects like loldrivers.io and lolrmm.io, the next big challenge we're tackling as a collective is helping organizations actually operationalize this living-off-the-land intelligence. It's one thing to catalog which legitimate tools get weaponized, we've gotten pretty good at that, but it's another thing entirely to help organizations actually use that knowledge in their environments.

The most common solution today is application control, but honestly, it's implemented terribly. Look at technologies like Windows Defender Application Control (WDAC) or vendors like ThreatLocker, CyberArk, and others that take the approach of "learn everything, block everything else". They'll spend weeks or months cataloging every single application in your environment, then flip a switch to deny anything not on the whitelist. Sounds great in theory, but it becomes a maintenance nightmare for IT teams.

What we're researching is whether we can flip that model, instead of trying to control every application. What if we only focused on the specific tools that our community research shows actually get weaponized in real attacks?

We've been able to validate this approach in a research environment with over 1000 endpoints, and the results were really promising. We saw a significant drop in security incidents and a massive reduction in attack surface. When you're only focusing on the tools that actually get weaponized instead of trying to monitor everything, the impact is immediate and measurable.

The beauty is in the simplicity. Security teams get precise application control without the complexity. They're not drowning in alerts from legitimate business applications or spending weeks tuning policies. They're just stopping the specific tools and techniques that our research shows are actually being used to compromise organizations right now.

It's still early research, but it fits perfectly with MagicSword's mission of giving defenders practical tools to address that blind spot where trusted tools get used for evil.

On a more personal note, we hear you recently moved. How's the transition going, and how has your work-life balance shifted with this change?

Jose: I have to start by saying that none of what I do would be possible without my wife, Cristine; she's been incredible throughout this whole move. The transition has gone so smoothly, and that's entirely thanks to her handling all the logistics and keeping everything organized while I was juggling work commitments.

My work-life balance has definitely improved since everything's way more convenient now - I'm five minutes from most things instead of driving an hour each way for the kiddo's school. We've got more space too, which doesn't hurt. Long story short, it's been a solid upgrade all around.