From raw data to real-time defense: A conversation with John Hammond

Elastic Security Director of Product Management James Spiteri recently joined cybersecurity researcher, educator, and content creator John Hammond for an in-depth technical demonstration. John spends his days analyzing malware, breaking down attacker techniques, and making hackers earn their access.

In their conversation, James and John explored how SOC teams are detecting threats faster, investigating more efficiently, and responding to incidents in real time. They also take a hands-on look at how Elastic Security transforms security teams’ raw data into actionable intelligence and automation through AI-assisted data ingestion, analysis, automated triage, and streamlined incident response.

This capability dramatically accelerates mean time to detect (MTTD) by providing immediate, actionable summaries for even the most complex, multistage attacks. Analysts retain control over their preferred LLM selection, including open source options while gaining transparency into underlying data and logic.

To further combat alert fatigue, Elastic AI Assistant enables natural language queries on alerts and retrieval of remediation guidance relevant to specific incidents. For advanced hunting, Elastic integrates LLMs directly within Elasticsearch Query Language (ES|QL) queries, allowing analysts to score obfuscated PowerShell scripts and receive plain language descriptions of malicious intent — transforming manual analysis into automated, scalable hunting.

For enterprise teams managing thousands of endpoints, this operational efficiency eliminates administrative overhead that typically consumes significant SOC resources. 

Many security platforms treat detection logic as proprietary, leaving analysts unable to understand why alerts trigger or how to optimize rules for their environment. This opacity reduces confidence in detections and further contributes to alert fatigue.

Elastic Security provides nearly 1,500 detection rules with all logic publicly available in a GitHub repository. This allows analysts to easily inspect rule code, contribute improvements, and learn advanced detection techniques. Elastic's open source foundation delivers complete transparency in security detection logic — no black boxes or hidden algorithms.

Traditional incident response requires switching between different tools for different platforms, slowing response times and increasing the risk of procedural errors during high-stress situations.

Elastic Security provides a unified response console across Windows, macOS, and Linux. In the video, James shows real-time host isolation, process termination, and forensic file retrieval — all from a single interface. These actions extend to third-party endpoints, including endpoints managed by CrowdStrike, SentinelOne, and Microsoft Defender, while maintaining complete audit histories essential for compliance and post-incident analysis.

This unified response eliminates tool switching during active incidents, reducing cognitive load on analysts while ensuring consistent procedures and proper documentation.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use. 

Elastic, Elasticsearch, and associated marks are trademarks, logos or registered trademarks of Elasticsearch N.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.