---
title: "Threat Hunting In The Matrix"
description: "Orbie is an AI threat hunting agent built in Claude Code that coordinates 16 data sources to surface novel attacker behavior across 54TB of honeypot data."
pubDatetime: 2026-04-05T05:00:00Z
author: hrbrmstr
tags: ["ai", "agent", "cybersecurity", "threat-intel", "honepots", "detection-engineering", "deception-engineering"]
---
> Original: [Threat Hunting In The Matrix](https://ai.rud.is/posts/2026-04-05-unprompted-orbie)

https://www.youtube.com/watch?v=k19CmI_Ni3M

At our previous employer, the global deception and detection infrastructure generated tons of events that eventually made their way into an ever-growing data lake with (as of February 2026) 22 TB of PCAPs and 32 TB of session protocol data. When trying to find novel and truly dangerous attacker behavior, the bottleneck isn't the data — it's the analyst trying to hold it all in their head while toggling between [Arkime](https://arkime.com/), [Censys](https://censys.com/), [VirusTotal](https://www.virustotal.com/), and five other tabs.

[Glenn Thorpe](https://www.cyberuk.uk/2026/speaker/2134961/glenn-thorpe-iii) and I built Orbie to attack that problem. It's a prompt-engineered analytical system running in Claude Code that coordinates 16 data source integrations, 8 investigation skills, and 2 background enrichment agents across structured, reproducible workflows — with one rule we never bent on: never assume, always query, show your work.

The full architecture, the failure modes, and where it's going are in the talk we gave at the February 2026 installment of [[un]prompted](https://unpromptedcon.org/), above, and you can get some more info and freebies at <https://github.com/GreyNoise-Intelligence/2026-labs-unprompted>.
