SCALING THREAT HUNTING IN AN ENTERPRISE CONTAINER ENVIRONMENT THROUGH A SYSTEM OF SYSTEMS APPROACH WITH KESTREL-AS-A-SERVICE

dc.contributor.author: Peeples, Kenneth, author
dc.contributor.author: Simske, Steve, advisor
dc.contributor.author: Lefrere, Stephane, committee member
dc.contributor.author: Bradley, Tom, committee member
dc.contributor.author: Marzolf, Greg, committee member
dc.contributor.author: Ray, Indrajit, committee member
dc.date.accessioned: 2026-06-08T10:33:01Z
dc.date.issued: 2026
dc.description.abstract: Modern threat hunting is fundamentally limited by manual, siloed, and single-threaded practices that cannot keep pace with the ephemeral nature of cloud-native environments. While automated security tools successfully mitigate common, high-volume threats, sophisticated actors exploit the lack of collaborative infrastructure to remain undetected for months. This visibility gap creates a critical vulnerability as adversaries increasingly leverage Artificial Intelligence (AI) driven automation to conduct high-speed, polymorphic attacks. This research exists to address the scalability crisis in defensive cybersecurity operations by moving beyond isolated human-only analysis toward a persistent, team-based, proactive defensive security posture. The primary objective of this dissertation is to develop and validate "Kestrel as a Service" (KaaS), a collaborative threat hunting platform that shifts the defensive paradigm from individual analysis to a distributed "pack hunting" or "crowd hunting" model. The research investigates whether a standardized, containerized architecture can significantly reduce Mean Time to Detect (MTTD) by enabling real-time collaboration. The thesis posits that by providing a team of hunters with a secure, scalable, and persistent environment, organizations can proactively identify complex threats at an enterprise scale while eliminating the mechanical repetition inherent in traditional workflows. Using a systems engineering approach, KaaS is architected as a Directed System of Systems (SoS) that integrates independent technologies into a cohesive platform. The methodology utilizes the Systems Engineering V-Model to verify and validate the platform across four evolutionary deployment tiers, ranging from local developer testbeds to enterprise-scale self-managed or managed clusters.
The study evaluates the platform's efficacy through scenario-based testing mapped to the MITRE ATT&CK Framework for Containers, simulating advanced adversary tactics to measure performance across realistic network infrastructures. The results demonstrate that the KaaS architecture significantly reduces adversary dwell time by decoupling creative domain logic from mechanical execution. Findings show that collaborative "packs" of hunters identify complex threats faster and more consistently than standalone analysts. Furthermore, the platform ensures the persistence and reuse of sophisticated hunting flows and strategies, preventing the loss of specialized knowledge across organizational silos. By standardizing the way teams search for threats, the platform facilitates the rapid dissemination of intelligence across the broader security ecosystem. This research provides a scalable, open blueprint for autonomous defense and establishes a foundation for a new Threat Hunting Modeling Notation (THMN) with AI and Automation steps, as well as a dashboard for building and monitoring the Hunts. These findings are significant for enterprise deployments as they offer a structured path toward resilient operations that can counter the speed and sophistication of modern AI-driven threats.
dc.format.medium: born digital
dc.format.medium: doctoral dissertations
dc.identifier: Peeples_colostate_0053A_19454.pdf
dc.identifier.uri: https://hdl.handle.net/10217/244858
dc.identifier.uri: https://doi.org/10.25675/3.027218
dc.language: English
dc.language.iso: eng
dc.publisher: Colorado State University. Libraries
dc.relation.ispartof: 2020-
dc.rights: Copyright and other restrictions may apply. User is responsible for compliance with all applicable laws. For information about copyright law, please see https://libguides.colostate.edu/copyright.
dc.title: SCALING THREAT HUNTING IN AN ENTERPRISE CONTAINER ENVIRONMENT THROUGH A SYSTEM OF SYSTEMS APPROACH WITH KESTREL-AS-A-SERVICE
dc.type: Text
dcterms.rights.dpla: This Item is protected by copyright and/or related rights (https://rightsstatements.org/vocab/InC/1.0/). You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s).
thesis.degree.discipline: Systems Engineering
thesis.degree.grantor: Colorado State University
thesis.degree.level: Doctoral
thesis.degree.name: Doctor of Philosophy (Ph.D.)

Files

Original bundle

Name: Peeples_colostate_0053A_19454.pdf
Size: 2.69 MB
Format: Adobe Portable Document Format