Wednesday, April 29, 2026 | 9:00AM–9:45AM PT | California Ballroom B, Second Floor
Session Type:
Breakout Session
Delivery Format:
Presentation/Panel
Quick! An IP address has been confirmed as APT infrastructure: how many services do you need to query to determine its presence? For many SOCs, the answer is “too many.” Faced with this problem, the Operations & Engineering team at Harvard University built Moirai, a unified threat-hunting platform that orchestrates our existing security stack through the Model Context Protocol (MCP). This session shares our journey from tool sprawl and analyst fatigue to unified threat hunting, showing how we created a single interface that combines existing tools without moving data or purchasing another platform. We will describe how we use MCP as a universal integration layer, connecting services via HTTP, and how we incorporated the open-source Agentic Threat Hunting Framework (ATHF) so hunts can be defined once and executed across multiple systems. Attendees will see real screenshots of multi-platform hunts running from a single definition, cross-system investigations launched from one search box, and deterministic AI enrichment that accelerates investigations while keeping analysts in control. Key insights will include how manual 30-minute investigations became 5-minute assisted queries, and how we kept all data within our organization without migrating to a new SIEM or data lake. We will conclude by inviting peer institutions to share threat intelligence and hunt definitions, turning individual institutional knowledge into a more effective collective defense.
Presenters
Louw Smith
Senior Privacy/Security Engineer, Harvard University