Guide

Cyber Threat Hunting

Cyber threat hunting is the practice of proactively searching through networks, endpoints, and data to find threats that evade automated detection. This guide covers what threat hunting is and why it matters, how hunting differs from detection and alerting, the hunting loop from hypothesis through investigation and resolution, the primary hunting methodologies, the tools and data sources hunters use, how to build a hunting program, and the metrics that measure hunting effectiveness.

By Nick Shevelyov · 13 min read

What threat hunting is

Cyber threat hunting is the proactive, human-driven search for adversary activity that exists within an environment but has not triggered automated detection. It starts from the assumption that the organization may already be compromised — that threats may be present despite the SIEM alerts showing green, the endpoint protection reporting clean, and the network monitoring detecting nothing unusual.

This assumption is not paranoia. It reflects the reality that sophisticated adversaries specifically design their operations to evade automated detection. They use living-off-the-land techniques that blend with legitimate administrative activity. They operate below detection thresholds. They compromise systems in ways that do not match existing signatures. They move slowly enough that behavioral analytics do not flag the progression. The average dwell time for adversaries who are eventually discovered — the time between initial compromise and detection — still measures in weeks or months for organizations without proactive hunting capabilities.

Threat hunting fills the gap between what automated detection can find and what actually exists in the environment. It is a deliberate, hypothesis-driven practice that requires skilled analysts, rich data, and a methodology for converting human intuition and intelligence into systematic investigation.

Organizations that invest in managed detection and response or operate a SOC-as-a-service model typically receive some level of hunting as part of the engagement. For organizations building internal capability, understanding the hunting discipline is essential for evaluating service providers and for developing the skills and data infrastructure that make hunting effective.

Threat hunting vs detection

Understanding the distinction between hunting and detection prevents organizations from conflating two fundamentally different activities and under-investing in one or the other.

Automated detection

Automated detection systems — SIEM platforms, EDR tools, network detection and response (NDR), and cloud security monitoring — operate on predefined logic. They generate alerts when observed activity matches known indicators of compromise (IoCs), violates behavioral baselines, or triggers correlation rules. Detection is reactive: it responds to patterns it has been programmed to recognize.

Detection works well for:

  • Known malware signatures and indicators
  • Well-documented attack patterns with reliable detection logic
  • Volumetric anomalies (unusual traffic spikes, login volumes, data transfers)
  • Policy violations (access from blocked geographies, use of prohibited protocols)
  • Automated scanning and commodity attacks

Detection struggles with:

  • Novel attack techniques without existing signatures
  • Living-off-the-land attacks using legitimate tools (PowerShell, WMI, RDP)
  • Slow, deliberate adversary operations designed to stay below alerting thresholds
  • Sophisticated evasion techniques (obfuscation, encryption, timestomping)
  • Insider threats that use authorized access for unauthorized purposes

Threat hunting

Hunting is proactive and human-driven. A hunter starts with a hypothesis — “If an adversary compromised an executive’s credentials, I would expect to see unusual access patterns to sensitive file shares during off-hours” — and investigates data to confirm or refute it. The hypothesis comes from threat intelligence, adversary research, knowledge of the environment, or intuition developed through experience.

Hunting works well for:

  • Finding threats that evade automated detection
  • Discovering previously unknown attack techniques in the environment
  • Identifying misconfigured systems or security gaps that create blind spots
  • Validating that detection rules are working as expected
  • Building organizational knowledge about adversary behavior

Hunting is not a replacement for detection. It is a complement. Detection handles the high volume of known threats and alerts that require immediate response. Hunting finds the threats that detection misses. A mature security operation runs both simultaneously — detection provides the continuous monitoring layer, and hunting provides the proactive investigation layer.

The hunting loop

Effective threat hunting follows a structured, iterative process. The hunting loop ensures that hunts are systematic rather than random and that every hunt produces either a finding or an improvement to the organization’s detection capability.

Hypothesis generation

Every hunt begins with a hypothesis — a testable statement about adversary activity that might exist in the environment. Good hypotheses are specific, grounded in evidence or intelligence, and scoped to something that can be investigated with available data.

Sources for hypothesis generation:

  • Threat intelligence. Reports about adversary groups targeting the organization’s industry, newly observed TTPs, or indicators associated with active campaigns. If a threat intelligence report describes a group using DLL side-loading to establish persistence on financial sector targets, that is a hypothesis for a financial services organization to hunt.
  • MITRE ATT&CK framework. Systematic review of ATT&CK techniques reveals gaps in detection coverage. If the organization has no detection for Kerberoasting (T1558.003), a hunt targeting that technique validates whether it has occurred undetected.
  • Environmental knowledge. Understanding of the organization’s architecture, user behavior, and normal patterns enables hypotheses about where anomalies would appear. A hunter who knows that a specific service account should only authenticate from two servers can hypothesize that authentication from any other source indicates compromise.
  • Previous hunt findings. Earlier hunts often reveal leads that warrant follow-up investigation or adjacent hypotheses.
  • Anomalies from detection. Alerts that were investigated and closed as false positives sometimes warrant deeper examination. Patterns of low-confidence alerts may indicate real adversary activity that individually falls below the detection threshold.

Investigation

With a hypothesis defined, the hunter queries and analyzes data to find evidence that supports or refutes it. Investigation is iterative — initial queries may reveal leads that refine the hypothesis or open new lines of inquiry.

Investigation typically involves:

  • Querying SIEM, EDR, and log data for indicators associated with the hypothesis
  • Analyzing patterns across time (frequency analysis, temporal correlation)
  • Examining individual events in detail (process trees, network connections, file modifications)
  • Correlating across data sources (endpoint + network + authentication + DNS)
  • Comparing observed behavior against known adversary techniques documented in ATT&CK

The investigation phase requires both technical skill and analytical reasoning. Hunters must distinguish signal from noise in large datasets, follow investigative threads without losing the original hypothesis, and recognize when data limitations prevent conclusive determination.

Resolution

Every hunt concludes in one of three outcomes:

  • Confirmed threat. The hunt found evidence of actual adversary activity or compromise. Escalate to incident management for containment, eradication, and recovery. Document the finding, including indicators, timeline, scope, and technique classification.
  • Suspicious activity requiring further investigation. The hunt found activity that is unusual but not conclusively malicious. Scope additional data collection, monitoring, or focused investigation to reach a determination.
  • No findings — detection improvement. The hunt did not find evidence of the hypothesized activity. This is not a failure. Convert the hunt’s logic into detection rules, queries, or dashboards that automate future detection of the same technique. Every hunt that does not find a threat should produce a detection improvement.

The resolution phase closes the loop by ensuring that hunting produces lasting value regardless of the outcome. Over time, the accumulation of detection improvements created by resolved hunts systematically closes detection gaps and raises the bar for adversaries.
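The loop above, carried through once on constructed data, as an added example that is not part of the original guide. It takes the environmental-knowledge hypothesis from the hypothesis section (a service account that should only authenticate from two known hosts), investigates a handful of logon events, and then reduces the hunt logic to a per-event predicate that can be handed to detection engineering. The account name, host names, and the JSON-lines field names are hypothetical; the events are loosely modelled on Windows Security event 4624/4625 fields but are not real telemetry.

```python
"""Walk the hunting loop on constructed authentication events.

Hypothesis (environmental knowledge): the service account 'svc_backup'
should only authenticate from BKP-01 and BKP-02. Any successful logon
from another source is a lead. All names are hypothetical.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample of logon events (4624 = success, 4625 = failure).
SAMPLE_EVENTS = """
{"ts":"2024-05-06T02:10:03Z","event_id":4624,"account":"svc_backup","src_host":"BKP-01","logon_type":3}
{"ts":"2024-05-06T02:10:09Z","event_id":4624,"account":"svc_backup","src_host":"BKP-02","logon_type":3}
{"ts":"2024-05-06T09:41:55Z","event_id":4624,"account":"jdoe","src_host":"WS-1042","logon_type":2}
{"ts":"2024-05-06T23:58:14Z","event_id":4624,"account":"svc_backup","src_host":"WS-1042","logon_type":10}
{"ts":"2024-05-07T00:03:42Z","event_id":4624,"account":"svc_backup","src_host":"WS-1042","logon_type":10}
{"ts":"2024-05-07T02:10:04Z","event_id":4624,"account":"svc_backup","src_host":"BKP-01","logon_type":3}
{"ts":"2024-05-07T11:20:00Z","event_id":4625,"account":"svc_backup","src_host":"WS-2201","logon_type":3}
"""

# The hypothesis expressed as data: monitored account -> allowed source hosts.
EXPECTED_SOURCES = {"svc_backup": {"BKP-01", "BKP-02"}}


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_unexpected_sources(events, expected=EXPECTED_SOURCES):
    """Investigation step: successful logons for monitored accounts from
    hosts outside the allowlist, grouped by (account, src_host) so the
    hunter sees each lead once with count, time span and logon types."""
    leads = defaultdict(lambda: {"count": 0, "first": None, "last": None, "logon_types": set()})
    for ev in events:
        if ev["event_id"] != 4624 or ev["account"] not in expected:
            continue
        if ev["src_host"] in expected[ev["account"]]:
            continue
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        lead = leads[(ev["account"], ev["src_host"])]
        lead["count"] += 1
        lead["first"] = ts if lead["first"] is None else min(lead["first"], ts)
        lead["last"] = ts if lead["last"] is None else max(lead["last"], ts)
        lead["logon_types"].add(ev["logon_type"])
    return dict(leads)


def as_detection_rule(event, expected=EXPECTED_SOURCES):
    """Resolution step: the same logic as a per-event predicate that a SIEM
    or stream processor can apply going forward, whether or not the hunt
    found anything this time."""
    return (
        event["event_id"] == 4624
        and event["account"] in expected
        and event["src_host"] not in expected[event["account"]]
    )


if __name__ == "__main__":
    for (acct, host), lead in hunt_unexpected_sources(parse_events(SAMPLE_EVENTS)).items():
        print(f"{acct} from {host}: {lead['count']} logons, "
              f"{lead['first']:%Y-%m-%d %H:%M}Z .. {lead['last']:%Y-%m-%d %H:%M}Z, "
              f"logon types {sorted(lead['logon_types'])}")
```

Run against the sample, the hunt surfaces one lead: two interactive (type 10) logons by the service account from a workstation just before and after midnight, which is exactly the kind of off-hours anomaly the hypothesis predicted. The failed logon from a third host is deliberately excluded by the hypothesis as scoped; widening the predicate to 4625 events would be a follow-up hypothesis, not a change to this one.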

Hunting methodologies

Threat hunting methodologies provide structure for how hunters generate hypotheses, select targets, and prioritize their efforts. Most hunting programs use a combination of approaches rather than committing exclusively to one.

Intel-driven hunting

Hypotheses are generated from threat intelligence — reports about adversary groups, newly observed attack techniques, shared indicators of compromise, or sector-specific advisories. The hunter takes intelligence about what adversaries are doing elsewhere and looks for evidence of the same activity internally.

Strengths: Directly relevant to the threat landscape. Leverages external visibility that the organization does not have on its own. Produces findings that can be immediately contextualized against known adversary operations.

Limitations: Reactive to intelligence availability. Cannot find threats from adversaries not yet documented by intelligence sources. Effectiveness depends on the quality and timeliness of the intelligence feed.

Analytics-driven hunting

Hypotheses are generated from statistical analysis of the organization’s own data. Hunters look for outliers, anomalies, and patterns that deviate from established baselines — rare process executions, unusual network connections, atypical authentication patterns, or data flows that do not match normal business activity.

Strengths: Can discover novel threats not covered by threat intelligence. Leverages the organization’s unique data to find environment-specific anomalies. Not dependent on external intelligence sources.

Limitations: Requires rich, well-structured data and statistical analysis skills. Produces high volumes of leads that require triage. Baselines must be established and maintained, which is resource-intensive. Normal behavior can be misidentified as suspicious, and suspicious behavior can be misidentified as normal.
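The frequency analysis mentioned under the investigation phase and the outlier search that drives analytics-driven hunting are usually the same operation in practice: stack a field (here the parent/child process pair) across the fleet and read the long tail. The following is an added example, not code from the guide, over constructed EDR process-creation events with hypothetical field names rather than any vendor's schema. It also shows the baseline comparison the limitations paragraph warns about, so the cost of maintaining a baseline is visible.

```python
"""Analytics-driven hunting: stack process-creation telemetry by
parent/child pair, report the rarest pairs across the fleet, and flag
pairs absent from a maintained baseline. Constructed data throughout."""
import json
from collections import defaultdict

# Constructed events from a four-host fleet. The last two rows are the
# kind of rare parent/child pairing a hunter would triage first.
SAMPLE_EDR = r"""
{"host":"WS-01","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Office\\WINWORD.EXE"}
{"host":"WS-02","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Office\\WINWORD.EXE"}
{"host":"WS-03","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Office\\WINWORD.EXE"}
{"host":"WS-04","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Office\\WINWORD.EXE"}
{"host":"WS-01","parent":"C:\\Windows\\System32\\services.exe","image":"C:\\Windows\\System32\\svchost.exe"}
{"host":"WS-02","parent":"C:\\Windows\\System32\\services.exe","image":"C:\\Windows\\System32\\svchost.exe"}
{"host":"WS-03","parent":"C:\\Windows\\System32\\services.exe","image":"C:\\Windows\\System32\\svchost.exe"}
{"host":"WS-04","parent":"C:\\Windows\\System32\\services.exe","image":"C:\\Windows\\System32\\svchost.exe"}
{"host":"WS-03","parent":"C:\\Program Files\\Office\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"host":"WS-03","parent":"C:\\Program Files\\Office\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
"""

# Constructed baseline: pairs observed during an earlier, reviewed period.
BASELINE_PAIRS = {("explorer.exe", "winword.exe"), ("services.exe", "svchost.exe")}


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Normalise a Windows or POSIX path to a lower-case file name so the
    same binary installed under different paths stacks together."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def fleet_size(events):
    """Distinct hosts reporting; the denominator for prevalence."""
    return len({ev["host"] for ev in events})


def stack_parent_child(events):
    """Stack by (parent, child) -> hosts that showed it and total count."""
    stacks = defaultdict(lambda: {"hosts": set(), "count": 0})
    for ev in events:
        key = (basename(ev["parent"]), basename(ev["image"]))
        stacks[key]["hosts"].add(ev["host"])
        stacks[key]["count"] += 1
    return dict(stacks)


def long_tail(stacks, n_hosts, max_prevalence=0.25):
    """Pairs seen on at most max_prevalence of the fleet, rarest first.
    Returns (prevalence, count, pair, sorted hosts) tuples for triage."""
    rows = []
    for pair, s in stacks.items():
        prevalence = len(s["hosts"]) / n_hosts
        if prevalence <= max_prevalence:
            rows.append((prevalence, s["count"], pair, sorted(s["hosts"])))
    rows.sort()
    return rows


def new_since_baseline(stacks, baseline_pairs):
    """Pairs that did not appear in the baseline period at all."""
    return sorted(pair for pair in stacks if pair not in baseline_pairs)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EDR)
    stacks = stack_parent_child(evs)
    for prevalence, count, pair, hosts in long_tail(stacks, fleet_size(evs)):
        print(f"{pair[0]} -> {pair[1]}: {count} events on {hosts} ({prevalence:.0%} of fleet)")
    print("new vs baseline:", new_since_baseline(stacks, BASELINE_PAIRS))
```

The prevalence threshold is the knob the limitations paragraph describes: set it too high and legitimate but uncommon software floods the triage queue; set it too low and a rare-but-real pairing seen on a handful of hosts disappears into "normal". Stacking the pair rather than the child alone matters because the child here is a legitimate administrative tool; it is the parent that makes the event worth a look.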

Situational hunting

Hypotheses are generated from the organization’s specific situation — a recent configuration change, a new system deployment, a known vulnerability in a critical application, a departing employee with elevated access, or a change in business operations that alters the threat surface. Situational hunting asks: “Given what just changed, what could an adversary exploit, and would I see evidence of it?”

Strengths: Directly tied to the organization’s current risk context. Addresses the threats most likely to materialize given recent changes. Provides security validation for operational decisions.

Limitations: Episodic rather than systematic. Does not provide comprehensive coverage across the threat landscape. Effectiveness depends on the hunter’s knowledge of the organization’s operations.

Tools and data sources

Threat hunting effectiveness is constrained by the data available and the tools used to query and analyze it. A skilled hunter with poor data produces few findings. A mediocre hunter with rich data and good tools can still contribute meaningful value.

Core data sources

  • Endpoint detection and response (EDR). Process execution, file operations, registry changes, network connections, loaded modules, and parent-child process relationships. EDR telemetry is the richest single data source for most hunts because adversary activity ultimately executes on endpoints.
  • Network telemetry. Network flow data (source, destination, port, protocol, bytes transferred), DNS query logs, proxy logs, and full packet capture for high-value segments. Network data reveals lateral movement, command-and-control communication, and data exfiltration that may not be visible at the endpoint.
  • Authentication and access logs. Active Directory logs, SSO/identity provider logs, VPN authentication, and privileged access management records. Authentication data is critical for hunting credential-based attacks, which remain the most common initial access vector.
  • Cloud platform logs. Cloud audit logs (AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs), resource configuration changes, API calls, and identity federation events. As workloads move to cloud, cloud-native data becomes essential hunting ground.
  • Email gateway logs. Inbound and outbound email metadata, attachment analysis, URL click data, and phishing detection events. Email remains the primary delivery vector for initial access.
  • Threat intelligence feeds. Indicators of compromise (IPs, domains, file hashes), adversary profiles, TTP documentation, and sector-specific advisories. Intelligence provides context for interpreting findings and generating hypotheses.

Tool categories

  • SIEM platforms. Centralized log aggregation and search. Hunters use SIEM for broad queries across data sources, correlation analysis, and historical investigation. Query performance and data retention are critical — hunters regularly search months of historical data.
  • EDR platforms. Endpoint-specific investigation tools. Hunters use EDR for process tree analysis, file and registry forensics, memory inspection, and real-time endpoint queries across the fleet.
  • Network analysis tools. Packet capture and flow analysis. Used for investigating network-based indicators, analyzing communication patterns, and examining protocol-level behavior.
  • Notebook environments. Jupyter notebooks or similar environments for structured analysis workflows that combine queries, visualizations, and documentation in a reproducible format. Mature hunting teams use notebooks to standardize hunt procedures and share analytical techniques.
  • MITRE ATT&CK Navigator. Visual mapping tool that tracks which ATT&CK techniques have detection coverage and which have been hunted. Used for identifying coverage gaps and prioritizing future hunts.

Building a hunting program

Building an effective threat hunting program requires investment in people, data, process, and tooling. The investment scales with the organization’s maturity and risk profile, but even organizations with modest security budgets can establish foundational hunting capabilities.

Start with detection maturity

Threat hunting is most effective when the organization already has solid detection fundamentals — centralized logging, configured alerting, and basic incident response procedures. Hunting on top of a weak detection foundation produces findings that cannot be acted upon because the response capability does not exist. Ensure the security incident management process can receive and act on hunting escalations before investing in hunting capacity.

Define the scope

Not every organization needs a full-time hunting team. Scope the program to the organization’s risk profile:

  • Foundational. One or two security analysts dedicate a portion of their time to structured hunting, conducting one to two hunts per month focused on high-priority ATT&CK techniques. Uses existing SIEM and EDR data.
  • Established. Dedicated part-time or full-time hunters conducting weekly hunts. Expanded data sources, structured hypothesis management, and systematic ATT&CK coverage tracking.
  • Advanced. Full-time hunting team with dedicated data infrastructure, custom tooling, threat intelligence integration, and continuous hunting operations. Produces detection engineering output that continuously improves automated detection.

Build the data foundation

Hunting capability is directly proportional to data availability. Prioritize:

  1. EDR deployment across all endpoints with telemetry collection enabled
  2. Authentication log centralization with at least 90 days retention
  3. Network flow data from critical segments
  4. DNS query logging
  5. Cloud platform audit logs
  6. Extended retention (180+ days) for all data sources

Establish the process

Formalize the hunting workflow:

  • Hypothesis backlog management (how hypotheses are generated, prioritized, and tracked)
  • Hunt documentation standards (what gets recorded during and after each hunt)
  • Escalation procedures (how confirmed findings move to incident response)
  • Detection engineering handoff (how hunt logic becomes automated detection rules)
  • Coverage tracking (which ATT&CK techniques have been hunted and when)

Develop the team

Hunting requires a specific skill set that combines security knowledge, data analysis, and investigative reasoning. Develop hunters through:

  • ATT&CK-based training on adversary techniques
  • Hands-on practice with the organization’s data and tooling
  • Participation in hunting communities and shared exercises
  • Pairing junior analysts with experienced hunters
  • Regular review of published hunt reports from the security community

Metrics

Measuring hunting program effectiveness requires metrics that capture both output (what hunting produces) and impact (what hunting changes about the organization’s security posture). Organizations already tracking cybersecurity KPIs can integrate hunting metrics into their existing measurement framework.

Activity metrics

  • Hunts completed per period. Basic throughput measure. Track monthly and quarterly to ensure consistent cadence.
  • Hypotheses generated vs. investigated. Measures the pipeline efficiency. A large backlog of uninvestigated hypotheses indicates capacity constraints.
  • Data sources queried per hunt. Hunts that use multiple data sources produce richer findings. Single-source hunts have limited visibility.
  • Hours invested per hunt. Tracks resource allocation and helps calibrate hunt scope and complexity.

Outcome metrics

  • Findings per hunt. Count of confirmed threats, suspicious activities, and misconfigurations discovered. Not every hunt produces findings, but a program that never finds anything is either hunting in the wrong places or has insufficient data.
  • Threat severity distribution. Categorize findings by severity to assess whether hunting is finding significant threats or only low-priority anomalies.
  • Mean time to identify (MTTI) for hunt-discovered threats vs. detection-discovered threats. Compares how quickly threats are identified through hunting versus waiting for automated detection. Hunting should identify threats that would have dwelled longer without intervention.
  • Dwell time for hunt-discovered threats. How long the threat was present before the hunt found it. Shorter dwell times over time indicate improving hunting effectiveness.

Impact metrics

  • New detection rules created from hunt findings. The most important long-term metric. Every hunt should produce either a finding or a detection improvement. Track the cumulative number of detection rules created or refined based on hunting activity.
  • ATT&CK technique coverage improvement. Measure the percentage of relevant ATT&CK techniques with validated detection or hunting coverage over time. Hunting should systematically close coverage gaps.
  • False positive reduction. Hunting often reveals that existing detection rules generate false positives for specific environmental patterns. Tuning recommendations from hunting improve detection precision.
  • Recurrence rate. Track whether the same technique or adversary behavior is found in subsequent hunts after detection rules were created. Low recurrence indicates effective detection engineering; high recurrence indicates detection rules are not working.
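The coverage tracking described under tool categories (ATT&CK Navigator), under process (coverage tracking) and under impact metrics (technique coverage improvement) can be kept in a small script rather than a spreadsheet. The following is an added example, not code from the guide or from MITRE: it records a constructed per-technique state, computes the coverage percentage, ranks what to hunt next, and emits a Navigator layer to visualise the gaps. The technique IDs are real ATT&CK identifiers (four of them appear in this guide; T1574.002 is DLL side-loading); the status records and the as-of date are constructed. The layer fields follow the Navigator layer format as I understand it (name, versions, domain, techniques with techniqueID/score/color/comment), and the version numbers in `versions` are an assumption to adjust to the Navigator build in use.

```python
"""Hunt coverage tracking: per-technique state, coverage metric, hunt
prioritisation and an ATT&CK Navigator layer. Status data is constructed."""
import json
from datetime import date

# Constructed program state. detection=True means a validated detection
# rule exists; last_hunted is the date of the most recent hunt, or None.
COVERAGE = {
    "T1003":     {"detection": True,  "last_hunted": "2024-04-12"},
    "T1021":     {"detection": True,  "last_hunted": None},
    "T1074":     {"detection": False, "last_hunted": "2024-02-02"},
    "T1558.003": {"detection": False, "last_hunted": None},
    "T1574.002": {"detection": False, "last_hunted": "2024-05-01"},
}
AS_OF = date(2024, 5, 10)  # constructed reporting date


def classify(entry, today, stale_days=90):
    """detected: rule in place; hunted: hunted within stale_days;
    stale: hunted, but too long ago to count; gap: never covered."""
    if entry["detection"]:
        return "detected"
    if entry["last_hunted"] is None:
        return "gap"
    age = (today - date.fromisoformat(entry["last_hunted"])).days
    return "hunted" if age <= stale_days else "stale"


def coverage_summary(coverage, today, stale_days=90):
    """Counts per state and the coverage fraction (detected + hunted)."""
    counts = {"detected": 0, "hunted": 0, "stale": 0, "gap": 0}
    for entry in coverage.values():
        counts[classify(entry, today, stale_days)] += 1
    covered = counts["detected"] + counts["hunted"]
    return counts, covered / len(coverage)


def next_hunts(coverage, today, stale_days=90):
    """Hunt backlog order: never-covered gaps first, then stale techniques
    with the oldest hunt first."""
    gaps, stale = [], []
    for tid, entry in coverage.items():
        state = classify(entry, today, stale_days)
        if state == "gap":
            gaps.append(tid)
        elif state == "stale":
            stale.append((entry["last_hunted"], tid))
    return sorted(gaps) + [tid for _, tid in sorted(stale)]


def navigator_layer(coverage, today, name="Hunt coverage"):
    """Build a Navigator layer dict; dump with json.dumps and import it."""
    score = {"detected": 3, "hunted": 2, "stale": 1, "gap": 0}
    color = {"detected": "#2e7d32", "hunted": "#9ccc65", "stale": "#ffb300", "gap": "#d32f2f"}
    techniques = []
    for tid, entry in coverage.items():
        state = classify(entry, today)
        techniques.append({
            "techniqueID": tid,
            "score": score[state],
            "color": color[state],
            "comment": f"{state}; last hunted {entry['last_hunted'] or 'never'}",
        })
    return {
        "name": name,
        # Assumption: adjust these to the Navigator / ATT&CK versions you run.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"Hunt coverage as of {today.isoformat()}",
        "techniques": techniques,
    }


if __name__ == "__main__":
    counts, fraction = coverage_summary(COVERAGE, AS_OF)
    print(f"coverage {fraction:.0%} {counts}")
    print("hunt next:", next_hunts(COVERAGE, AS_OF))
    print(json.dumps(navigator_layer(COVERAGE, AS_OF), indent=2))
```

Recomputing the summary each reporting period gives the "coverage improvement over time" number directly, and the stale threshold encodes the guide's point that a hunt with no findings is only an improvement if its logic was converted into detection; a technique that is merely hunted once and then forgotten drops back out of the covered set.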

Building proactive threat hunting into your security operations?

vCSO.ai helps organizations establish threat hunting programs scaled to their risk profile — from foundational hypothesis-driven hunting to continuous operations integrated with detection engineering. Strategic oversight engagements include security operations architecture that positions hunting within the broader detection and response framework.

Request a consultation to scope your hunting capability.

For strategic context on building detection and response capabilities that go beyond reactive security, see Cyber War…and Peace.

Questions & answers

What is cyber threat hunting?

Cyber threat hunting is the proactive, analyst-driven search for threats that exist within an environment but have not been detected by automated security tools. Unlike monitoring and alerting, which react to known indicators, hunting assumes the environment may already be compromised and actively looks for evidence of adversary activity. Hunters formulate hypotheses about where and how threats might be hiding, investigate data to confirm or refute those hypotheses, and either identify real threats or improve detection capabilities based on what they learn.

How is threat hunting different from threat detection?

Threat detection is reactive and automated -- it relies on pre-configured rules, signatures, and behavioral analytics to generate alerts when known indicators or anomalies are observed. Threat hunting is proactive and human-driven -- it starts with a hypothesis about adversary behavior and investigates data to find threats that automated tools missed. Detection finds what it is programmed to find. Hunting finds what detection cannot find because the threat is novel, uses evasion techniques, or falls below detection thresholds.

What skills does a threat hunter need?

Effective threat hunters need a combination of adversary knowledge (understanding attack techniques, tactics, and procedures), data analysis skills (ability to query and analyze large datasets from logs, network traffic, and endpoints), technical depth (understanding operating systems, network protocols, and application behavior at a level that allows them to distinguish normal from suspicious), and investigative reasoning (the ability to form hypotheses, test them against evidence, and follow investigative threads). Experience with the MITRE ATT&CK framework is standard, as it provides the common taxonomy for adversary behavior that drives hunt hypotheses.

How often should threat hunting be conducted?

Threat hunting should be continuous or near-continuous for organizations with mature security operations. For organizations building hunting capability, a minimum cadence of one structured hunt per month focused on a specific hypothesis or adversary technique is a reasonable starting point. Hunts should also be triggered by events -- new threat intelligence about adversary activity targeting the organization's sector, indicators of compromise shared by peers, or anomalies flagged by detection systems that warrant deeper investigation.

Can threat hunting be outsourced?

Yes. Many organizations access threat hunting capabilities through managed detection and response (MDR) providers or specialized hunting-as-a-service engagements. MDR providers typically embed continuous hunting as part of their service, using their visibility across multiple client environments to develop hypotheses and identify threats. Outsourced hunting is effective when the organization lacks the in-house expertise or data infrastructure to support internal hunting. The key evaluation criterion is whether the provider conducts genuine proactive hunting or simply rebrands their automated detection as hunting.

What data sources are needed for threat hunting?

Effective hunting requires visibility across the environment. Core data sources include endpoint detection and response (EDR) telemetry, network flow and packet data, authentication and access logs, DNS query logs, email gateway logs, cloud platform audit logs, and threat intelligence feeds. The richness and retention of data directly affect hunting effectiveness -- hunters need historical data (typically 90 to 180 days) to identify patterns and trace adversary activity backward in time. Organizations with limited logging or short retention windows constrain their hunting capability regardless of hunter skill.

What is the MITRE ATT&CK framework's role in threat hunting?

MITRE ATT&CK provides the structured taxonomy of adversary tactics, techniques, and procedures (TTPs) that threat hunters use to formulate hypotheses. Rather than hunting for generic anomalies, hunters target specific ATT&CK techniques -- credential dumping (T1003), lateral movement via remote services (T1021), or data staging for exfiltration (T1074). ATT&CK maps adversary behavior across the entire attack lifecycle, allowing hunters to focus on techniques commonly used by threat actors targeting their industry or organization. Hunt findings are tagged to ATT&CK techniques, which enables gap analysis of detection coverage.

How do you measure the success of a threat hunting program?

Key metrics include: hunts completed per period, findings per hunt (confirmed threats, suspicious activity, misconfigurations), mean time to identify threats discovered through hunting versus automated detection, new detection rules created from hunt findings, ATT&CK technique coverage improvement over time, false positive reduction in automated detection (hunting often refines noisy rules), and dwell time reduction for threats discovered through hunting. The most meaningful long-term metric is whether hunting is improving the organization's detection capability -- each hunt should produce either a finding or a detection improvement.

Ready to turn this into a working plan?

Nick's team helps growth-stage companies, PE/VC sponsors, and cybersecurity product teams translate security questions into board-ready decisions. First call is strategy, not vendor pitch.
