
What you'll learn

  • Threat hunting was a luxury reserved for mature, well-staffed teams — agentic platforms are turning it into something every organization can afford to run continuously.

  • The new insider threat is not a human — it's the agents your defenders are deploying, and the agents your adversaries are using to orchestrate end-to-end campaigns.

  • The right starting point for AI-era defense isn't tooling — it's a threat-informed defense built around adversary metrics like the two-minute lateral movement window.

Description

Damien Lewke runs Nebulock, a Boston-based startup building autonomous threat hunting agents — and the conversation arrived the same week Anthropic dropped its disruption report on the first AI-orchestrated cyber espionage campaign. The timing wasn't planned, but it landed perfectly. Anthropic's report demonstrated what an adversary can now do with agents end-to-end. Damien's product launch — Vibe Hunting — demonstrated what a defender can now do with the same building blocks, on the other side of the fence.

The substantive thread of the conversation is that threat hunting has historically been a discipline reserved for the wealthiest, most mature security programs — the cost of a five-person hunt team being out of reach for almost everyone. The reason that matters is that proactive defense — the work that catches the one signal that prevents a multi-million-dollar breach — was effectively gated behind budget. Damien's argument is that agentic platforms can now translate the workflows of senior threat hunters into agents that any organization can run continuously, regardless of size, skill set, or budget. That's a structural shift in who gets access to proactive security as a capability.

The harder layer of the conversation goes after the architectural rethink. The unit cost of attack has fallen to the floor — Anthropic's report showed adversaries chaining agents across full kill-chain operations. The unit cost of defense has not yet. Damien's framing of the path forward is the most practical the show has aired: start with a threat-informed defense built around the metrics adversaries actually achieve today, work backward to the controls those metrics demand, and then ask which of those controls require an agent versus what your existing tooling can already do well. The result is fewer widgets, more value out of what you already own, and AI applied where it actually compresses defender work.

What we cover

  • "democratizing threat hunting" — translating senior hunter workflows into agents any team can run continuously

  • "the cyber DIB and the widget mindset" — why the rebuy reflex misses where AI actually compresses defender work

  • "vibe hunting" — natural-language hunt prompts, parallelized agent workflows, and capturing context as a byproduct

  • "the agentic insider threat" — Damien's three takeaways from the November Anthropic disruption report

  • "the cost of attack falls to the floor" — what changes when adversaries can orchestrate kill-chains end-to-end

  • "start with a threat-informed defense" — adversary metrics first, then controls, then agents

  • "the quiet war" — Damien's frame for human-driven agents on both sides of the fence

  • "low barrier to entry, high bar to succeed" — what wins in security careers when the technical floor drops 

Thank you to our Sponsors:

Hampton North is the premier US based cybersecurity search firm. Start building your security team with Hampton North 

Sysdig is the leader in AI-powered real-time cloud defense; stop watching and start defending

The conversation

Why threat hunting got rationed — and why agents change that

Damien's diagnosis of the threat-hunting problem is sharper than the usual industry talk. Most security leaders have treated threat hunting as a nice-to-have because the unit economics didn't pencil out: a five-person hunt team is out of reach for almost any organization that isn't named Apple or JPMorgan. Conor's lived version was running threat hunting at Clear, where the biometric stakes justified the spend; almost everywhere else, it gets cut. The problem is that proactive defense, the discipline that finds the one signal before it becomes a breach, is genuinely a must-have, not a nice-to-have. Rationing it by budget means most organizations only catch problems after they've cost something material.

Nebulock's argument is that agentic platforms can translate the workflows of senior hunters into agents that any team can run continuously, at a fraction of the cost of an FTE. The democratizing claim is real, but it isn't a marketing slogan; it's a unit-economics argument. If proactive defense should be available to every security program rather than only the best-funded ones, the only credible way to extend it to the bulk of the market is to drop the cost of running it. That's the pitch.

Vibe Hunting: workflow agents that capture context as a byproduct 

Vibe Hunting is the product name and the operating frame. The pattern is simple — natural-language prompts kick off agentic workflows, parallelized so multiple hunts can run concurrently, with the agent reasoning over normalized telemetry that already lives inside the platform. The interesting design choice is what happens when a hunt finds nothing. Most tools treat null results as failed work. Nebulock treats them as context — the absence of a finding is a piece of organizational truth worth storing for the next hunt, and the same UI lets the user spin a hunt hypothesis into a behavioral detection that gets pushed back into the SIEM.

Conor pulled out the most useful frame. Daniel Miessler has been arguing for a year that organizational context is the missing input for any AI security workflow — the system needs to know that you're a 20-person Boston seed-stage startup before it can decide that hands-on-keyboard activity from Belarus is suspicious. Vibe Hunting's storage of hunt context, hypotheses, baselining, and analyst feedback is exactly the loop Miessler describes. The platform gets smarter about your environment the more you hunt, and that compounds. 

Stuart's question on the user profile is the right one — is this a tool for elite SOC directors or for IT directors at regional businesses? Damien's answer was both, with a real-world example of a non-technical Vibe Hunting user finding embedded AI-application data exfiltration in their environment while multitasking. The democratizing claim isn't theoretical — it's how the product is being used in week one of GA.

The November Anthropic report and the agentic insider

The Anthropic disruption report on the first AI-orchestrated cyber espionage campaign is the document that makes Damien's product launch land harder than a normal product launch would. His three takeaways are the cleanest summary the show has heard.

Insider threats aren't just human anymore. They're the agents we use, right? Like agents can now follow complex instructions. They can write tooling, chain actions, and make decisions autonomously, right? Basically, they're operators.

— Damien Lewke

The second takeaway is the asymmetry that's getting worse fast — adversaries are orchestrating entire campaigns with agents while almost no security team has done the same on the defender side. The third is that the only credible response is to think proactively, because reactive defense at the speed of agentic adversaries is a losing race. The Stuart-Conor-Damien consensus on the cost of offense having fallen to the floor is the underlying economic argument — if attack unit-costs collapse, defenders need their unit-costs to follow, and that requires architectural change, not more widgets.

The barrier to launching sophisticated attacks is really lower than the barrier to detecting them

— Damien Lewke


The most useful piece of operating advice in the episode: threat-informed defense

The single most actionable frame Damien laid out came in response to the question of how a security leader actually starts retooling for the AI era. The answer is to invert the typical buying motion. Don't start with which widget to buy next. Start with what the adversary is actually doing today (lateral movement time, dwell time, the techniques showing up in real campaigns) and let those metrics define your control requirements. The CrowdStrike breakout time figure Damien cites is roughly two minutes: the time from the first compromised host to the adversary's first move onto another host. That number is the detection budget for lateral movement, and in practice it has to cover containment as well, because a detection that fires at ninety seconds and lands in a thirty-minute triage queue has not met the requirement. Work backward from the metric.

Once the requirements are clear, ask which of them can be satisfied by tools you already own and aren't using to their full capability. Ask which require orchestration, automation, or just better allow-listing. And only then ask which require an agent. The result is fewer net-new purchases, more value extracted from existing investments, and AI applied where it actually compresses defender work — not as a feature checkbox. The Crossing the Chasm aside Conor added is the right complement: vendors who help customers cross from the first 15% of value into the meat of the use cases see churn collapse, because the platform becomes embedded in operations rather than orphaned in a magic quadrant.
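As an added illustration of "work backward from the metric" (this is example code written for this page, not Nebulock's product or any CrowdStrike tooling), the detector below takes the roughly two-minute breakout time as its detection window and flags a principal that reaches several distinct hosts over network logons inside that window. The log lines are constructed; the field layout (timestamp, user, source host, destination host, logon type), the threshold of three distinct hosts, and the treatment of logon type 3 as a network logon are all assumptions made for the example. The alert records how long after the first hop it fired, so you can see how much of the breakout budget remains for containment.

```python
"""Lateral-movement window detector built around a breakout-time budget.

Added example, not Nebulock's code. SAMPLE_LOG is constructed; the field
layout, the three-host threshold and the logon-type convention are
assumptions for illustration. The 120 s budget is the ~2 minute breakout
time figure cited in the text.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BREAKOUT_BUDGET = timedelta(seconds=120)  # assumption: ~2 min breakout time
MIN_DISTINCT_HOSTS = 3                    # assumption: tuning threshold
NETWORK_LOGON = "3"                       # assumption: "3" marks a network logon

# Constructed sample: timestamp user source_host destination_host logon_type
SAMPLE_LOG = """\
2024-03-01T09:00:00Z svc-backup WS-01 WS-01 2
2024-03-01T09:00:20Z jdoe WS-07 FS-01 3
2024-03-01T09:00:45Z jdoe WS-07 SQL-02 3
2024-03-01T09:01:10Z jdoe WS-07 DC-01 3
2024-03-01T09:01:30Z svc-backup WS-01 FS-01 3
2024-03-01T09:15:00Z jdoe WS-07 PRINT-01 3
2024-03-01T09:40:00Z svc-backup WS-01 SQL-02 3
"""


def parse_events(text):
    """Parse the whitespace-separated sample format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, logon_type = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src": src,
            "dst": dst,
            "logon_type": logon_type,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_lateral_movement(events, budget=BREAKOUT_BUDGET,
                            min_hosts=MIN_DISTINCT_HOSTS):
    """Flag (user, source host) pairs that reach min_hosts distinct
    destinations over network logons within one breakout budget.

    A sliding window per (user, src) holds the recent hops; entries older
    than the budget are evicted before the distinct-host count is taken.
    After an alert the window is cleared so the same burst does not
    re-alert on every further hop.
    """
    windows = defaultdict(deque)  # (user, src) -> deque of (ts, dst)
    alerts = []
    for e in events:
        # Only remote logons that actually cross hosts count as movement.
        if e["logon_type"] != NETWORK_LOGON or e["src"] == e["dst"]:
            continue
        key = (e["user"], e["src"])
        win = windows[key]
        win.append((e["ts"], e["dst"]))
        while win and e["ts"] - win[0][0] > budget:
            win.popleft()
        hosts = sorted({dst for _, dst in win})
        if len(hosts) >= min_hosts:
            first_seen = win[0][0]
            latency = (e["ts"] - first_seen).total_seconds()
            alerts.append({
                "user": e["user"],
                "source": e["src"],
                "hosts": hosts,
                "first_seen": first_seen.isoformat(),
                "detected_at": e["ts"].isoformat(),
                # Seconds from the first hop to the alert firing.
                "latency_seconds": latency,
                # Budget left for containment once the alert fires.
                "response_budget_seconds": budget.total_seconds() - latency,
                "within_budget": latency <= budget.total_seconds(),
            })
            win.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed log, jdoe's three hops from WS-07 inside 50 seconds produce one alert with 70 seconds of the budget left for containment; the later PRINT-01 logon and svc-backup's widely spaced logons fall outside the window and stay quiet. Tuning the threshold and the logon-type filter against your own baselines is where the hunt context the episode talks about earns its keep.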

The quiet war and the hunter's career path

Damien closed with the frame of his Substack essay series, the Quiet War. The thesis is that the front lines of cyber defense will be fought by humans driving agents on both sides of the fence, and what wins is the defender's ability to reason critically, communicate clearly, and act decisively in coordination with the agents under their control. The career advice that follows is consistent with the pattern across all of Zero Signal's recent guests: low barrier to entry, high bar to succeed.

For the threat hunter wondering what their five-year career looks like if Nebulock's vision plays out — Damien's answer was honest. Agents won't replace adversarial hunting, the part of the work that requires an experienced human to outthink another human. They will replace data normalization, enrichment, the Jupyter notebook stochastic analysis nobody loves doing. The advice is to list the ten things you love about the job and the ten things you hate, and start automating the hate side. The hunters who do this become the operators of agent swarms — substantially more effective, substantially more in demand. The hunters who don't are going to be in the bottom half of the talent stratification curve Daniel Miessler has been warning about for the last year.

Show notes

Guests — Damien Lewke (pronounced "Lukey"), Founder and CEO of Nebulock; previously at Northrop Grumman, CrowdStrike, SecureWorks, and Arctic Wolf

Books mentioned — Crossing the Chasm (Geoffrey Moore — referenced by Conor); Jocko Willink's Extreme Ownership (referenced by Conor on Fallujah and overwhelming force)

Frameworks / models / tools named — Vibe Hunting (Nebulock product); "the Quiet War" (Damien's substack series); threat-informed defense; "democratizing threat hunting"; agentic threat hunting; living-off-the-land techniques (84% of successful breaches per Damien); CrowdStrike breakout time (~2 minutes); Anthropic's November disruption report; Google Threat Intelligence Group AI threat tracker (Gemini polymorphic-code report referenced); Rob Joyce's 2016 USENIX talk on nation-state intrusion

Other people / shows / resources referenced — Mike Lyons, CISO at Cribl (referenced as a Nebulock customer and friend of the show); Daniel Miessler (referenced re: organizational context as the missing AI security input); Anthropic (the November threat-actor report); Google Threat Intelligence Group (the AI threat tracker referenced as the November 5 publication); Ruby on Stuart's Hampton North team (mentioned as a B-Sides speaker hopeful); RSA / B-Sides / AWS reInvent (referenced for upcoming events)

Hosted by Conor Sherman and Stuart Mitchell.
