Threat hunting has always been a craft built on experience and intuition. The ability to translate ideas and intelligence, map it to your environment, and convert these instincts into outcomes is a skill that takes years to develop and a dedicated team to execute. Most organizations don't have that luxury.
When we built Vibe Hunting, we wanted to make that skill accessible. We gave defenders a way to express what they were looking for in plain language and let our agents do the translation. That was the foundation.
Today, we're announcing Vespyr, Nebulock's autonomous hunting agent, and the next evolution in how organizations operationalize threat intelligence.
Why Vespyr?
Vespyr is rooted in vesper, the Latin word for evening star. In Roman tradition, Vesper marked the threshold between day and night, the last point of visible light before darkness took over. It was the moment when familiar reference points began to fade and the unseen started to move.
That threshold is where Vespyr operates. Not in the open, where threats are visible and defenses are oriented, but in the space just beyond clear sight, where attackers move before they're expected and detections haven't yet been written. Vespyr doesn't wait for the light to return. It hunts in the dark, continuously and autonomously, finding what was meant to stay hidden.
From Agentic to Autonomous
Vibe Hunting introduced agentic reasoning to the hunting workflow. You describe a hypothesis, and Nebulock's agents help you pursue it, running queries, surfacing context, and keeping your reasoning intact across a session. The human still initiates and the agent responds.
Vespyr is the next step. Autonomous hunting means the agent doesn't wait for a user directive. It monitors global intelligence, determines what's relevant to your environment, scopes and executes the hunt, and delivers findings without anyone having to kick it off. The human reviews, validates, and acts. The agent does everything before that.
Agentic was about unlocking new insights and removing friction from a workflow you were already running. Autonomous is about running the workflow whether you had time to or not. We all know there aren’t enough hours in a day to process every signal, every intelligence briefing; Vespyr’s autonomy eliminates the data disparity between intelligence, signal and time.
It's like having another teammate working without impacting our budget.
- Karina Galinskaya, Sr. Security Operations Engineer, Cribl
What Vespyr Does
Vespyr closes the gap between threat intelligence and actionable detection, fully and automatically.
Today, most organizations operate in a cycle that looks something like this: an intelligence report surfaces, someone on the team tries to decipher what it means for their environment, a hunt gets scoped (or not), queries get written, data gets pulled, findings get reviewed, and eventually, maybe, a detection gets built. That cycle takes weeks and assuming you have dedicated threat intelligence, hunting, and detection teams to run it.
Vespyr compresses that cycle to minutes.
When new intelligence surfaces, Vespyr doesn't wait for someone to read it and decide what to do. It captures the intelligence, maps it to your organization's environment and context, identifies the relevant behavioral indicators, and executes the hunt. The result lands in your Nebulock platform as a completed Hunt Report, tied directly to your stack, your data, and your exposure.
This is what threat-informed defense looks like in practice: not a quarterly exercise, but a continuous, automated pipeline from intelligence to coverage.
What that pipeline includes:
- TTP to coverage in near real-time. Vespyr maps threat actor techniques to behavioral indicators and hunts for them across your environment as intelligence emerges, not after your team finds time to act on it.
- Behavior-first detection. IOCs expire. Behaviors don't. Vespyr looks for how attackers act, not just the artifacts they leave behind, which means your coverage holds up even as attackers adapt.
- Personalized hunting context. Vespyr doesn't produce generic reports. It understands your organization's environment and generates findings that are relevant to your specific stack and exposure profile. Customers can also build their own knowledge bases, giving Vespyr the context it needs to hunt with precision that improves over time.
- Intelligence, hunt, and detection in one pipeline. We've automated the full workflow. From ingesting an intelligence report to executing a hunt to producing a deployable detection, Vespyr handles it end-to-end.
The Road to Vespyr
We started with coverage. When we launched, Nebulock came with out-of-the-box hunting across known gaps in common security stacks. That gave customers a baseline from day one, no prior hunting program required.
From there, we expanded into agentic reasoning. The goal was simple: agents that don't just run queries, but think the way experienced hunters think. Vespyr's reasoning reflects decades of real-world hunting experience, embedded into how it evaluates evidence, follows leads, and decides what matters. Our agents are evaluated and improved by hunters, not engineers. The people shaping how Vespyr thinks are the same people who have spent careers doing this work manually, so you get their instincts and experience delivered.
We also built a feedback loop that keeps Vespyr improving. Synthetic data, global intelligence aggregation, and customer-specific context all inform how Vespyr's knowledge graph evolves. The more it operates in your environment, the sharper its output becomes.
Built For Your Team
Vespyr isn't about replacing your security team. It's about freeing them from the most toilsome parts of the intelligence workflow so they can focus on the work that actually requires human judgment.
The hardest part of threat hunting isn't running queries. It's knowing what to look for, why it matters, and whether your environment is exposed. Vespyr handles that layer. Your team gets to focus on investigation, validation, and response, the work where experience and context make a real difference.
For organizations without dedicated threat hunters, Vespyr means you're no longer on the outside of threat-informed defense. You have access to the same quality of hunting that was previously reserved for teams of specialists, at the cost of tokens, not headcount.
Join the Hunt
Nebulock customers can access Vespyr's Hunt Reports directly in the Nebulock platform, alongside all existing Hunt Reports. No additional setup required.
If you're not yet a Nebulock customer and want to see Vespyr in action, reach out.
We built Vespyr because we believe proactive defense should be the default, not the exception. The work we've done to get here, from coverage baselines to agentic reasoning to autonomous, personalized hunting, has been leading to this. And this is still just the beginning.
