Microsoft Patents an LLM-Driven Threat Hunting Tool Built Around a Tree Interface

By Patentlyze Team · Updated May 22, 2026

Security investigations are notoriously nonlinear — you chase a lead, it goes cold, and you have to backtrack. Microsoft's new patent describes an LLM-powered system that treats that backtracking as a first-class feature, not an afterthought.

What Microsoft's LLM threat-hunting tree actually does

Imagine you're a security analyst trying to figure out if your company's network was breached. You start following one trail — maybe a suspicious login — and after an hour realize it was a dead end. Now you have to mentally rewind and try a different angle, which is exhausting and error-prone.

Microsoft's patent describes a tool that lets an AI assistant guide that entire investigation. The LLM doesn't just answer questions — it suggests concrete next steps, runs actual code to query logs or pull threat data, and presents those steps as a visual branching tree. If one branch turns into a dead end, you can switch to an alternative branch and the system rolls back its memory to before you went down that path, so the AI's context stays clean and relevant.

Think of it like a GPS that not only reroutes when you miss a turn but also forgets the wrong turn ever happened, so it's not factoring in that detour when it calculates your next move. The result is a more focused, less cluttered investigation workflow.

How the branching context rollback keeps investigations clean

The patent describes a system where a large language model (LLM) is given two things upfront: an investigation context (what's already known — logs, alerts, affected hosts) and an investigation goal (what you're trying to find out). The LLM responds with a list of suggested next steps, including ready-to-run executable code called skills — think API calls, log queries, or enrichment lookups against threat intelligence feeds.

Critically, the LLM doesn't just suggest one path. It proposes parallel branches — step A and step B as alternatives. The analyst can run step A first; the system executes the associated code, collects the output, and feeds that output back to the LLM as cumulative context (the growing record of everything discovered so far). The LLM then suggests further steps informed by that new evidence.

The clever part is branch switching with context rollback. If the analyst decides to abandon branch A and try branch B instead, the system doesn't just run B — it rewinds the LLM's context to exclude everything learned during branch A. This prevents the model from being confused or biased by a trail that turned out to be irrelevant.

• Tree UI: All branches and steps are displayed visually so analysts can see the full investigation map at a glance.
• Skill execution: The LLM outputs actual runnable code, not just text suggestions.
• Context management: Cumulative context is carefully scoped per branch, preventing cross-contamination between investigation paths.

What this means for security analysts doing threat investigations

For security operations center (SOC) analysts, the bottleneck isn't usually knowledge — it's the sheer volume of leads to chase and the cognitive overhead of keeping track of what's been tried. An LLM that not only suggests steps but runs them and remembers what worked could meaningfully cut investigation time. The branch-rollback mechanism is particularly thoughtful: most LLM-assisted tools today just pile context on top of context, which degrades the model's focus over a long session.

This fits squarely into Microsoft's Security Copilot product direction, where AI assists (but doesn't replace) human analysts. If this capability ships, you'd expect it inside Sentinel or Defender — tools that already have the log access and skill infrastructure the patent describes.

Editorial commentary on a publicly published patent application. Not legal advice.