UMBC Cyber Defense Lab presents
Agentic Threat Intel: From Unstructured Reports to Coordinated Hunts
Sai Kiran Uppu, Senior Security Researcher, Adobe
12–1pm ET Friday, March 27, 2026, via WebEx
Picture a typical week. A long threat report lands in your inbox. It tells a story: who moved where, what they touched, and why defenders should care. Much of that value is not a single IP or hash. It lives in patterns: sequences of behavior, abuse of trust, and repeatable tactics, techniques, and procedures (TTPs). Yet many workflows still stop at atomic indicators (domains, file hashes, wallet addresses) because those are easy to feed into rules. Someone must sit in the middle, read the prose, and translate both the "what" (indicators of compromise, IOCs) and the "how" (TTPs) into hunts across identity consoles, endpoints, and cloud logs before the moment passes.
That gap becomes sharp when you read public reporting on groups such as Scattered Spider or Shiny Hunters. Their paths often run through people and process (vishing, help-desk resets, multi-factor authentication (MFA) fatigue) more than through one static indicator you can block forever. The evidence is real, but it is split across tickets, identity provider (IdP) sessions, software-as-a-service (SaaS) APIs, and endpoint detection and response (EDR). Playbooks help with fragments. They rarely replay the whole story as one timed, cross-signal hunt.
This talk walks that storyline, then turns the page. A core part of the session is showing why agentic threat intel is not only about scraping atomic IOCs faster. It is about lifting behavioral patterns and TTPs from messy text, pairing them with indicators when they appear, and using that richer picture to orchestrate parallel checks, with limits so you do not drown the security information and event management (SIEM) or the budget. I tell it from the builder's perspective: how the pipeline represents both layers, where LLM-style reasoning helps map prose to TTP-shaped hunts, and where it still misbehaves. Examples stay tied to identity-first patterns you have seen in the news, not to any one product stack.
If you already know the basics of networking, logins, and incident response, you can follow along. You will leave with a simple mental model of how unstructured text turns into both atomic IOC hunts and TTP-level hunts, plus honest limits, and patterns you can reuse in a class project or a future security operations center (SOC) design. We will keep room for questions at the end.
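As an added illustration of the two-layer model described above (this is not code from the talk or from Adobe's pipeline), the Python sketch below pulls atomic IOCs and TTP phrases out of a constructed report, turns each into hunt tasks against the signal sources where it would be visible, and caps the plan with a query budget. The report text, the phrase-to-TTP mapping, the TTP labels and the source names are all assumptions standing in for a real taxonomy and a real SIEM.

```python
import re

# Constructed sample report (not a real advisory). Indicators are defanged the way
# vendors publish them; the hash is SHA-256("test"), a placeholder, not a real IoC.
SAMPLE_REPORT = """The actor called the help desk posing as an employee and requested a
password reset, then bombarded the user with MFA push prompts until one was approved.
Follow-on logins came from login-portal[.]example[.]net and the staged tool hashed to
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08."""

# Atomic layer: simple token patterns for domains and SHA-256 hashes.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)
# Which signal source can answer a query for each indicator type (assumed names).
IOC_SOURCES = {"domain": ["dns", "proxy"], "sha256": ["edr"]}

# Behavioral layer: phrase pattern -> (TTP label, sources where the behavior shows up).
# Labels and sources are assumptions; a real pipeline would map to ATT&CK or similar.
TTP_PATTERNS = {
    r"help.?desk.*?(reset|password)": ("helpdesk-reset-abuse", ["ticketing", "idp"]),
    r"mfa push|push prompts|mfa fatigue": ("mfa-push-fatigue", ["idp"]),
    r"vishing|called .*? posing as": ("voice-phishing", ["ticketing", "phone"]),
}

def extract_iocs(text):
    """Refang common defanging, then collect unique atomic indicators by type."""
    text = text.replace("[.]", ".").replace("hxxp", "http")
    return {"domain": sorted(set(m.lower() for m in DOMAIN_RE.findall(text))),
            "sha256": sorted(set(h.lower() for h in SHA256_RE.findall(text)))}

def extract_ttps(text):
    """Return (label, sources) for every behavioral pattern the prose mentions."""
    return [ttp for pattern, ttp in TTP_PATTERNS.items()
            if re.search(pattern, text, re.I | re.S)]

def build_hunt_plan(text, budget):
    """Turn a report into a capped list of hunt tasks. TTP hunts are queued first:
    they are the durable signal, while atomic IOCs rot quickly."""
    tasks = [{"kind": "ttp", "value": label, "sources": sources}
             for label, sources in extract_ttps(text)]
    for ioc_type, values in extract_iocs(text).items():
        for value in values:
            for source in IOC_SOURCES[ioc_type]:
                tasks.append({"kind": "ioc", "value": value, "sources": [source]})
    # The budget is the back-pressure: everything past it is deferred, not dropped,
    # so the SIEM and the bill survive a long report.
    return {"queued": tasks[:budget], "deferred": tasks[budget:]}

if __name__ == "__main__":
    for task in build_hunt_plan(SAMPLE_REPORT, budget=4)["queued"]:
        print(task)
```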
Sai Kiran Uppu (uppu@adobe.com) is a Senior Security Researcher in Adobe's Cybersecurity Threat Research & Intelligence (CTRI) team, where he focuses on AI-driven threat intelligence and cloud security. He architects large-scale threat intelligence and fleet-sweep capabilities and has built agentic pipelines for IOC extraction and enrichment from unstructured sources. He holds a master's degree in security informatics from Johns Hopkins and is a 2026 Cybersecurity Excellence Awards Gold winner (AI Security Innovator of the Year). He has spoken at IEEE SVCC, The Diana Initiative, BSides SLC, and Penn State, and was an invited panelist for Johns Hopkins Security Metamorphosis 2026.
Support for this event was provided in part by the NSF under SFS grants DGE-1753681 and 2438185. The UMBC Cyber Defense Lab meets biweekly Fridays 12–1pm. All meetings are open to the public. Host: Alan Sherman