Technology deep-dive

MLOps tools for threat hunters.

A mature threat hunt is a small data-science experiment in disguise. The hunter forms a hypothesis, queries logs, measures precision and recall, documents what worked, and shares it with the team. That is the scientific method applied to security telemetry. The tooling the rest of the data world uses for this work (notebooks, experiment trackers, data versioning, quality tests, feature stores) has names that sound foreign to most SOC analysts, even though the work underneath the names is work those analysts already do.

Reading time: about 18 minutes. Evidence tier: B overall (SANS Hunting Maturity Model framework, Splunk PEAK framework, vendor documentation for MLflow, Kubeflow, Feast, ClearML, and Weights & Biases). The HMM-to-tool mapping is my synthesis, not a published framework, flagged as such where it matters. I have not independently benchmarked any of these tools on production OCSF data.

MLOps (machine learning operations) is the discipline of running data-science workflows as production systems rather than one-off experiments. The category was built for teams shipping ML models, but the underlying tools solve four problems that any mature hunter recognizes: reproducibility, collaboration, versioning, and quality validation.

Five tool categories cover most of what a HMM2-to-HMM4 program needs:

• Interactive notebooks. Jupyter and JupyterLab. The work surface where the hunt lives.
• Experiment tracking. MLflow, ClearML, Weights & Biases. The system of record for which hunt variant beat which.
• Data versioning. DVC (Data Version Control). The way you reproduce a hunt result six months later against the same data.
• Data quality testing. Great Expectations. The early-warning system for schema drift in the log sources you depend on.
• Feature stores. Feast. Centralized, reusable computations across detection models. An HMM4 concern, not an HMM2 one.

A sixth category, orchestration platforms like Kubeflow, sits adjacent to all of these. Kubeflow runs ML pipelines on Kubernetes; it's the production-deployment piece, not the hunt-development piece. I mention it because security teams already running Kubernetes platforms sometimes ask about it. For HMM2-to-HMM3 work, it's overkill. For HMM4 production detection pipelines, it earns its keep, though the operational complexity is real.

Experiment tracking is the system of record for "I tried ten variants of this detection rule. Which one wins on precision and recall, and what exactly was variant seven?" Spreadsheets are the default tool, and they work for two or three variants but break by variant ten, because no one remembers to update the spreadsheet consistently and the artifacts (the query text, the chart, the dataset snapshot) live somewhere else.

An experiment tracker records three things per run: parameters (what you fed the experiment: dataset, timeframe, threshold, query text), metrics (what came out: precision, recall, true-positive count, false-positive count), and artifacts (the files: the detection rule, the notebook, the chart, the report). The UI lets you compare runs side by side and click through to the exact configuration that produced any given result.

The three credible options in early 2026:

• MLflow. Open source, originally from Databricks. The most widely adopted option. Self-hostable on a small VM with a PostgreSQL backend and S3-compatible artifact storage. The UI is functional rather than polished. This is what I would default to for a security team standing up experiment tracking for the first time, and what most public documentation in the security-data-science space assumes.
• ClearML. Open source, with a hosted SaaS tier. Stronger out-of-the-box experience than MLflow, including a more polished UI and built-in pipeline orchestration. Smaller community, which matters if you're going to lean on Stack Overflow and blog posts to unblock yourself.
• Weights & Biases. Commercial SaaS, with a generous free tier for individual use and paid plans for teams. The UI is the best of the three by a useful margin, and the collaboration features (commenting on runs, sharing reports) are designed for team workflows. The trade-off is that you're sending experiment metadata to a vendor cloud, which matters more in security than in most domains.

For a hunter, the unit of "experiment" is a hunt campaign or a detection-rule variant. The parameters are the dataset window, the threshold values, and the query text. The metrics are precision, recall, alert volume, mean-time-to-investigate. The artifacts are the notebook, the SQL file, and any charts worth keeping. The work to instrument this is a few extra lines per notebook: start a run, log parameters, log metrics, log artifacts, end the run.

The honest caveat: experiment tracking pays off when you have ten or more variants to compare. Below that, a Markdown table in the notebook is sufficient, so I would not adopt MLflow on day one but rather after the first ten-to-twenty Jupyter hunts, when the cost of forgetting which variant you ran starts to bite.

Great Expectations is a Python framework for writing data-quality tests ("expectations") that run automatically against your tables and alert when they fail. An expectation is a declarative assertion: this column must exist, this column must not be null more than 5% of the time, this column's values must fall in this range, this table must have rows from the last hour.

For a hunter, the failure mode this addresses is the silent miss. Your detection rule queries a CloudTrail field called userIdentity.principalId. AWS renames the field, or your pipeline normalizes it differently after an OCSF mapping update, or the source schema rolls over. The query keeps running and returns zero results, and zero results looks identical to "no adversary activity," so the adversary operates undetected for as long as it takes someone to notice the change.

An expectation suite for CloudTrail might assert:

• Required columns are present, including the OCSF-normalized identity fields.
• The event_time column has rows within the last 60 minutes.
• The region column's distinct values stay inside the expected set.
• The eventName column's null rate stays under 1%.

Great Expectations runs the suite on a schedule. When something fails, the failure routes to Slack or PagerDuty before the detection rule misses anything. The framework also generates a data-quality report you can hand to the source owner ("your CloudTrail feed broke at 03:14, and here's the specific assertion that caught it") which tends to shorten the time-to-fix.

The cost is real: writing expectations is its own skill, and a bad expectation suite generates alert noise no more useful than a noisy SIEM. The Great Expectations CLI has a profiler that generates a starting suite from a sample of your data, which is a reasonable way to start, and from there you prune the assertions that don't matter for your actual hunts. Six-to-ten hours to a working first suite is typical.

The SANS Hunting Maturity Model defines five levels. HMM0 is no hunting. HMM1 is alert-driven triage. HMM2 is procedural hunting (applying community playbooks from MITRE ATT&CK and threat reports). HMM3 is innovative hunting (developing novel hunts, applying data-analysis methods, measuring effectiveness). HMM4 is leading with automation: codifying mature hunts into ML-assisted production detection.

The mapping below is my synthesis of where each tool earns its keep against the HMM ladder. It is not a published framework. Treat it as a working hypothesis to test against your own program. The general shape (start light, add tools as the cost of not having them shows up) seems to hold across the teams I've worked with.

HMM2 to HMM3 transition

Goal: turn procedural hunts into a library of documented, reproducible, peer-reviewed playbooks. Add Jupyter first, and document one hunt end-to-end in a notebook, commit it to Git, have a teammate review it, and repeat ten times, because that single workflow change is the highest-leverage move on the list.

Great Expectations follows in the same phase. After your second or third hunt fails because a log source schema changed without anyone noticing, the data-quality framework starts paying for itself.

What to defer at this stage: MLflow, DVC, Feast. You don't have enough variants yet to need experiment tracking, you're not validating against frozen datasets yet, and you have no ML models. Adopting these too early creates infrastructure overhead without proportional benefit.

Timeline I'd plan against: six-to-twelve months at this phase. Success looks like 20-or-more documented hunts in Jupyter, five-or-more reproducible playbooks with precision over 80%, data quality tests on the critical log sources, peer-review as part of the hunt workflow.

HMM3 innovative hunting

Goal: build a library of validated hunts and start identifying automation candidates. Add MLflow (or ClearML, or Weights & Biases; pick one and commit) once you're routinely comparing ten-plus variants of a detection rule. The experiment tracker becomes the system of record for which variant ships.

Add DVC when you start validating detection rules against frozen historical windows. If you're Iceberg-native, the lighter version of this is a tagging convention against Iceberg snapshot IDs and a notebook that pins the snapshot it ran against. Either approach works; the discipline matters more than the tool.

Continue Jupyter and Great Expectations from the previous phase, and keep deferring Feast and Kubeflow.

Timeline: 12-to-18 months. Success looks like 50-or-more hunt campaigns tracked in the experiment tracker, 10-or-more versioned baseline datasets, and five-or-more validated detection rules ready for automation with precision over 90%. The five rules at over 90% precision are the input to the HMM4 transition.

HMM4 leading with automation

Goal: automate the routine investigation work that the validated playbooks now describe. The realistic ceiling for HMM4 automation in a human-in-the-loop SOC is roughly 30-to-40% of routine investigations. I work through why it sits there, and why agent-native claims in the high nineties don't yet hold up, in the agentic-SOC reality piece.

At this phase, the full toolchain comes into play, with Jupyter for prototyping new techniques, MLflow (or equivalent) for tracking model versions in production, DVC for training datasets, Great Expectations for production data-quality gates, Feast for the feature layer once you have multiple ML detectors, and Kubeflow (or an equivalent orchestrator: Airflow, Prefect, Dagster) for running the production detection pipelines on Kubernetes.

What distinguishes HMM4 from earlier phases is the workflow move from "human runs the hunt, tool documents it" to "tool runs the playbook, human reviews exceptions." The toolchain is the same; the operating model changes. That shift takes 12-to-24 months from the start of HMM3 maturity, and the limits on it are organizational (analyst workflows, on-call structure, escalation paths) more than technical.

I want to flag one debate that lives at this maturity level. Some agent-architecture vendors claim higher automation rates (98% or more) via investigation-coordinator agents that orchestrate end-to-end. That model exists as a research direction and as a small number of production deployments. I don't have independent evidence that it generalizes, and the published 30-to-40% MLOps automation number from Expel is the floor I trust. Treat the higher agent-architecture claims as Tier C-to-D until production validation lands.

Six honest limits, none of which I'd hide from a stakeholder evaluating this stack:

• Tooling does not produce hunters. Jupyter does not generate hypotheses, and MLflow does not invent novel detection techniques, because the tools amplify the analytical discipline of a team that already has it, so a team that hasn't formed hunting hypotheses before will not start because they installed JupyterLab.
• The HMM-to-tool mapping is my synthesis. SANS publishes the maturity model; the tool placements against the maturity ladder are an opinion that fits the teams I've worked with. Other practitioners will draw the lines differently and may be right for their context. Treat it as a starting point, not a prescription.
• I have not independently benchmarked these tools on production OCSF data. The descriptions of where each tool earns its keep are drawn from documentation, training workshops, and conversations with practitioners, not from a controlled study. A security-specific benchmark of MLflow tracking overhead against high-volume hunt campaigns is on the lab roadmap and would be Tier B evidence at best when it lands.
• The 30-to-40% HMM4 automation ceiling is Tier B, not Tier A. Expel's published number is a single vendor's reported outcome on a particular managed-detection workload. The structural argument for why it sits at roughly that ceiling (human-centric SOC workflow, MLOps tools designed for human-in-the-loop) is plausible. The number may shift as agent architectures mature.
• The operational cost is real. Running MLflow, DVC, Great Expectations, and Feast as production infrastructure is non-trivial. For an HMM2 team starting here, the message is: do not adopt all five at once. The benefits compound, but so does the maintenance burden. The "start with Jupyter, add the next tool when the cost of not having it bites" sequencing is deliberate.
• The toolchain is itself an attack surface. Every tool here is a service that holds your detection logic, your dataset pointers, and often the credentials a run needs, which makes the MLOps layer a target in its own right rather than neutral plumbing. MLflow's tracking server has a documented record of unauthenticated path-traversal and remote-code-execution flaws, and model artifacts serialized as pickle, joblib, or torch weights run arbitrary code on load, so a poisoned model file is an entry point and not just bad data. The discipline that answers this has a name, SecMLOps: keep these services off the public internet, rotate default credentials, constrain artifact paths, and prefer pickle-free formats like ONNX or Safetensors. I work through the CVEs and the hardening checklist in the Jupyter-to-MLflow piece; the point to carry here is that standing up data-science tooling expands the surface you have to defend, and a service that stores your security logic earns the same patching and network hygiene as anything else in production.

None of these are reasons to dismiss the approach, but they are reasons to size expectations and sequence adoption correctly.