
Why Trellix SecondSight Is Like Gaining a Team of Elite Threat Hunters

Security tools generate data. Lots of it. That is a double-edged sword for teams, who then have limited time and resources to sift through all the received telemetry and alerts to prioritize and take action. In an era where attackers increasingly "live off the land" using legitimate tools to hide activity and bypass automated defenses, security teams need to pore through all of the data and alerts they receive to find early indicators of attacker activity.

Trellix recently announced Trellix SecondSight advanced threat hunting to provide customers with an elite "second set of eyes" over their security landscape. In discussions with our customers, I often hear about their struggles to stay on top of the threat landscape and perform threat hunting. These are not unfamiliar concerns for anyone in cybersecurity, and Trellix has taken a crucial step to assist with these longstanding operational problems. SecondSight provides the human intuition, Trellix-native knowledge, and the power of AI necessary to bridge the gap between a weak signal and a confirmed breach, stopping attackers earlier and faster.

What is Trellix SecondSight?

Trellix SecondSight is our native threat-hunting service designed to empower organizations and augment your existing security program. SecondSight was created as a direct response to customer feedback to address resource challenges stemming from a lack of budget and constraints on cybersecurity expertise in the industry. It integrates Trellix technology with research from the Trellix Advanced Research Center (ARC) team, who pore through terabytes of data and thousands of campaigns to determine how attackers operate.

SecondSight brings human-in-the-loop hunting by experts from the ARC Threat Intelligence team to augment your Security Operations Center (SOC) with elite human hunters. Seasoned Trellix threat hunters proactively hunt within low-confidence signals to find what might otherwise go unnoticed. They leverage our massive threat intelligence database, deep expertise in mapping out attacker activities, and specialized knowledge of our products to uncover hidden threats, giving our customers the power of a team that has a proven track record of bringing down major attacker groups.

SecondSight: Advancing threat hunting without additional resources

Leveraging the deep telemetry of Trellix Endpoint Enterprise, Trellix Email Security Cloud, and Trellix NDR, SecondSight hunters don't just wait for high-severity alerts. By augmenting rather than replacing existing SOC efforts, SecondSight ensures that Trellix customers benefit from 24/7 global human oversight, specialized forensic expertise, and a proactive notification model that turns raw product data into decisive defensive action.

Figure 1: SecondSight Mitigation Recommendations

SecondSight is a force multiplier that works in parallel with your existing team. While your analysts focus on monitoring and managing your environment, Trellix hunters work in parallel, giving additional oversight across your Endpoint Enterprise, Email Security, and NDR product telemetry to ensure that subtle, sophisticated movements don't go unnoticed.

Why SecondSight matters

I know from firsthand experience that automated products are excellent at surfacing telemetry and weak signals. However, attackers often hide in the noise of legitimate administrative activity. SecondSight reduces risk through faster discovery of stealthy attacks and provides immediate ROI by activating expert hunting on existing Trellix investments without the cost of additional headcount.

It offers direct augmentation from Trellix experts and provides clear notifications that explain the "why" behind a suspicious signal, helping the analyst separate attacker intent from administrative noise and normal operations. This speeds time to response, minimizing impact, improving security posture, and allowing you to remediate with speed and accuracy.

SecondSight is also being leveraged by Trellix to bring additional value to our customers. We recently published the first iteration of our bi-annual SecondSight report, highlighting the top five critical campaigns that the ARC team has observed, underscoring what threats should be top of mind.

How is SecondSight packaged?

To provide benefits to all of our customers, SecondSight is available as two packages, with the core package included at no cost for certain products.

  • SecondSight Core is included at no additional cost for Endpoint Enterprise, Email Security Cloud, and NDR customers and includes threat hunting and proactive notifications via the Trellix Thrive service portal.

    Trellix hunters specialize in identifying the single "needle"—the subtle, low-confidence signal—that represents a real threat. By sifting through the gray space of your product data, they find the critical evidence of an intruder that automated filters might overlook as background noise.
  • SecondSight Enterprise includes additional features and is currently available as a paid-for add-on for Endpoint Enterprise and Email Security Cloud customers.

    It includes additional prioritized hunting, the ability to submit threat-hunting requests, the ability to request verification hunts (a follow-up hunt to verify that a threat has been remediated), and weekly reports of threat hunting activity. SecondSight Enterprise includes 4 Custom Hunts and 4 Validation Hunts per quarter, so that you can task our hunters to investigate specific concerns within your telemetry or confirm that a remediation effort was 100% successful.

Links to additional information: https://www.trellix.com/products/secondsight/
