Trellix Fights 'Low-Noise' Threats with AI and Human Hunters

📊 Key Data
  • 84% of major attacks in 2025 involved LOTL binaries
  • SecondSight combines AI and human analysts to detect 'low-noise' threats
  • Trellix's hybrid model aims to reduce alert fatigue and improve proactive threat hunting
🎯 Expert Consensus

Experts agree that combining AI-driven analytics with human intuition is becoming the new standard for effective cyber resilience, as it enhances the ability to detect and neutralize sophisticated, low-noise threats.

Trellix Fights 'Low-Noise' Cyber Threats with AI and Human Hunters

SAN JOSE, CA – February 10, 2026 – As cyber adversaries grow quieter and more sophisticated, cybersecurity firm Trellix today launched Trellix SecondSight, a new threat hunting service that combines artificial intelligence with elite human analysts to detect threats that typically fly under the radar of automated systems. The service aims to combat the growing problem of "alert fatigue" and provide organizations with a proactive defense against subtle, advanced intrusions.

"Threat actors' use of AI has significantly increased alert fatigue for security analysts," said John Fokker, VP of Threat Intelligence Strategy at Trellix, in a statement. "While automated systems flag high-level alerts, they often miss subtle, low-noise signals enabling actions like lateral movement. Trellix SecondSight is a critical component, offering analysts a 'second set of eyes' to actively monitor for these low-noise signals, acting as a force multiplier."

The Rising Tide of 'Low-Noise' Threats

The core challenge SecondSight aims to solve is the proliferation of "low-noise" or "weak signal" attacks. Unlike loud, disruptive malware that is quickly flagged, these advanced threats often use legitimate system tools and processes to infiltrate and persist within a network, a technique known as "Living Off the Land" (LOTL). This approach makes malicious activity incredibly difficult to distinguish from normal administrative behavior.

Recent industry data underscores the severity of this trend. One 2025 analysis of hundreds of thousands of security incidents found that a staggering 84% of major attacks involved LOTL binaries. Attackers frequently abuse trusted utilities like PowerShell, which is present on the vast majority of enterprise endpoints, to execute commands, move laterally across a network, and exfiltrate data without triggering conventional alarms. This shift toward stealth allows adversaries to remain embedded in target environments for extended periods, quietly escalating privileges and preparing for larger attacks.

Furthermore, threat actors are increasingly leveraging AI to enhance their evasion tactics, developing adaptive malware and highly convincing deepfake phishing campaigns. This evolution puts immense pressure on corporate security teams, who are often inundated with thousands of daily alerts, many of which are false positives, making it nearly impossible to spot the subtle indicators of a sophisticated breach.

A Hybrid Defense: Combining AI with Human Intuition

Trellix's answer to this challenge is a hybrid, human-in-the-loop model. SecondSight integrates AI-driven analytics with the intuition and expertise of seasoned threat hunters. The service continuously ingests and analyzes vast streams of telemetry from an organization's security infrastructure, including Trellix's own Endpoint Detection and Response (EDR), Email Security Cloud, and Network Detection and Response (NDR) solutions.

The AI's role is to perform the heavy lifting—correlating events across disparate systems, identifying statistical anomalies, and flagging potential low-confidence signals that automated filters might otherwise dismiss as background noise. However, instead of simply generating another alert, these signals are escalated to human analysts.

It is in this "gray space" of ambiguous data that the human element becomes critical. The Trellix threat hunters apply their knowledge of adversary tactics, current geopolitical events, and campaign patterns to interpret the data with context that an algorithm lacks. They proactively hunt for evidence of intrusion, connect seemingly unrelated weak signals, and determine if an observed anomaly is benign or the precursor to a serious attack. This fusion of machine speed and human judgment is designed to provide early warnings of malicious activity with actionable notifications, enabling security teams to neutralize threats before they escalate into major breaches.
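The correlate-then-escalate step described above, as an added illustration that is not Trellix's code: low-confidence signals from different telemetry sources (email, EDR, NDR) are grouped per user and host inside a time window, and only a corroborated cluster is handed to a human hunter. The event fields, signal names, weights and threshold are constructed assumptions, not a SecondSight schema.

```python
# Added example (not Trellix code): correlate weak signals from disparate
# sources per (user, host) and escalate only corroborated clusters.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry; field names and weights are assumptions.
EVENTS = [
    {"ts": "2026-02-10T09:01:00", "source": "email", "user": "alice", "host": "WS-17",
     "signal": "oauth_consent_new_app", "weight": 2},
    {"ts": "2026-02-10T09:04:30", "source": "edr", "user": "alice", "host": "WS-17",
     "signal": "powershell_encoded_command", "weight": 2},
    {"ts": "2026-02-10T09:06:10", "source": "ndr", "user": "alice", "host": "WS-17",
     "signal": "smb_to_new_internal_host", "weight": 1},
    # a lone PowerShell signal on another host: plausible admin work, stays quiet
    {"ts": "2026-02-10T11:30:00", "source": "edr", "user": "bob", "host": "WS-22",
     "signal": "powershell_encoded_command", "weight": 2},
]

WINDOW = timedelta(minutes=30)
ESCALATE_AT = 4  # combined weight; no single LOTL signal reaches it alone


def correlate(events, window=WINDOW, threshold=ESCALATE_AT):
    """Group weak signals by (user, host) within a window; return escalations."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["user"], e["host"])].append(e)
    escalations = []
    for (user, host), evs in by_key.items():
        for i, first in enumerate(evs):
            start = datetime.fromisoformat(first["ts"])
            cluster = [e for e in evs[i:]
                       if datetime.fromisoformat(e["ts"]) - start <= window]
            sources = {e["source"] for e in cluster}
            score = sum(e["weight"] for e in cluster)
            # require corroboration from at least two telemetry sources
            if score >= threshold and len(sources) >= 2:
                escalations.append({"user": user, "host": host, "score": score,
                                    "sources": sorted(sources),
                                    "signals": [e["signal"] for e in cluster]})
                break  # one escalation per key; the hunter reviews the cluster
    return escalations


if __name__ == "__main__":
    for esc in correlate(EVENTS):
        print(esc)
```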

Navigating a Crowded Field of Proactive Defense

The launch of SecondSight places Trellix firmly within a growing industry trend that moves cybersecurity beyond reactive alert management toward proactive threat hunting. The market for Managed Detection and Response (MDR) services is robust, with major players like CrowdStrike, Mandiant, Palo Alto Networks, and Sophos all offering solutions that blend advanced technology with human expertise.

Industry analysts have noted that this combination is becoming the new standard for effective cyber resilience. The consensus is that while AI and automation are indispensable for handling the sheer volume of security data, human oversight is essential for investigation, analysis, and response. These services effectively augment an organization's internal security operations center (SOC), providing specialized skills and 24/7 monitoring that many companies struggle to resource internally.

Partners see the value in this proactive approach. "Proactive, actionable threat intelligence is no longer a nice-to-have; it's a necessity for keeping pace with advanced actors," noted Niklas Chachalatos, Business Manager Security Services at Advania Sweden, a Trellix partner. "Trellix SecondSight goes a level deeper, proactively hunting for threats for our customers and providing actionable guidance to thwart attacks and build cyber resilience."

Actionable Intelligence from the Front Lines

To coincide with the launch, Trellix released its SecondSight Threat Hunting Report, which highlights critical campaigns and provides defensive recommendations. The report details real-world examples that illustrate the necessity of this advanced hunting capability, such as the UTA0355 spear-phishing campaign. In this case, attackers shifted from traditional methods to abusing OAuth—a common framework for granting application permissions—to bypass perimeter security and gain persistent access to accounts.

This type of attack demonstrates how adversaries exploit trusted infrastructure in ways that automated tools, which are often looking for known malware signatures or network anomalies, can easily miss. Only by cross-referencing public threat intelligence with internal telemetry and recognizing subtle campaign patterns can such a breach be identified. The insights from Trellix's global network and expert hunters underscore why proactive hunting remains one of the most effective defenses against modern threats like targeted espionage, supply chain vulnerabilities, and zero-day exploits. By providing not just detection but also actionable guidance, the service aims to empower organizations to defend with precision and stay ahead of their adversaries.
