Tags: method, Security, Observability, Integration, Reliability

Threat Hunting

A proactive, hypothesis-driven process to detect hidden adversaries within environments, reducing dwell time and improving detection through iterative investigation and telemetry analysis.

Threat Hunting is a proactive method to detect hidden adversaries by hypothesis-driven analysis of telemetry and indicators.
Established
High

Classification

  • High
  • Organizational
  • Organizational
  • Intermediate

Technical context

  • SIEM/log management (e.g., Splunk, Elastic)
  • Endpoint Detection & Response (EDR) solutions
  • Threat intelligence feeds and platforms

Principles & goals

  • Hypothesis-driven approach rather than pure alert response
  • Telemetry-first: prioritize data quality and visibility
  • Iterative learning and rule improvement
Run
Enterprise, Domain, Team

Use cases & scenarios

Compromises

  • Wrong prioritization may miss true suspicious cases
  • Excessive automation can create analyst blindness
  • Insufficient documentation jeopardizes traceability

  • Regular hypothesis reviews and retrospectives
  • Close collaboration between hunting and detection engineering
  • Prioritize data quality and retention before efficiency optimizations

I/O & resources

  • Endpoint logs and process data
  • Network traffic and proxy logs
  • Threat intelligence and IOC lists
  • Hunt reports with context and TTP mapping
  • Updated detection rules
  • Recommended containment and eradication actions

Description

Threat Hunting is a proactive method to detect hidden adversaries by hypothesis-driven analysis of telemetry and indicators. It combines skilled analysts, detection engineering, and iterative investigation to identify novel threats and reduce dwell time. The method complements automated alerts with human-led discovery and situational context.

  • Reduced dwell time through earlier detection
  • Discovery of new tactics, techniques and procedures (TTPs)
  • Improved detection quality and fewer false positives

  • High personnel and resource effort
  • Dependence on comprehensive telemetry
  • Findings are probabilistic and context-dependent

  • Dwell time

    Average time between compromise and detection.

  • Detection rate of new TTPs

    Proportion of newly identified tactics and techniques per period.

  • False positive rate for hunting hypotheses

    Share of hunting findings that turn out to be non-malicious.

SOC hunt: compromised service account

Case where the hunting team discovered unusual authentication attempts and prevented lateral movement.

Result of a rule validation

Example of iterative rule improvement based on hunting findings and telemetry tests.

Ad-hoc hunt for new malware indicator

Rapid hypothesis formation and historical log search for new IoCs.

  1. Identify visibility gaps and prioritize telemetry sources
  2. Create hunt playbooks and hypothesis templates
  3. Integrate tooling (SIEM, EDR, search)
  4. Conduct pilot hunts and validate findings
  5. Operationalize: rules, dashboards and escalation paths
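As an added example that is not part of the catalog entry, the Python script below walks the "compromised service account" hunt case through the steps above: it encodes one hypothesis (a service account authenticating from a host or with a logon type outside its baseline), runs it over telemetry, produces a hunt report with TTP mapping, and computes the dwell-time and false-positive-rate metrics defined earlier. The auth log format, the sample events, the baseline cutoff, the analyst verdicts and the detection timestamp are all constructed assumptions; the "T1078 Valid Accounts" label is the ATT&CK technique used for the TTP mapping.

```python
"""Hypothesis-driven hunt over authentication telemetry (added example).

Assumed (not from the catalog entry): an auth log with the columns
timestamp,user,src_host,logon_type,result and a hunt team that triages
each finding as 'malicious' or 'benign'.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample telemetry; not real data. The first days show the
# service account's normal pattern, 2024-03-04 contains the hunt target.
SAMPLE_AUTH_LOG = """\
2024-03-01T08:00:00,svc_backup,bk-srv-01,service,success
2024-03-01T08:05:00,svc_backup,bk-srv-02,service,success
2024-03-02T08:00:00,svc_backup,bk-srv-01,service,success
2024-03-02T08:05:00,svc_backup,bk-srv-02,service,success
2024-03-03T08:00:00,svc_backup,bk-srv-01,service,success
2024-03-04T09:00:00,svc_backup,bk-srv-03,service,success
2024-03-04T22:13:00,svc_backup,ws-finance-07,interactive,failure
2024-03-04T22:13:30,svc_backup,ws-finance-07,interactive,failure
2024-03-04T22:14:10,svc_backup,ws-finance-07,interactive,success
2024-03-04T22:20:00,svc_backup,fs-hr-01,network,success
"""

BASELINE_CUTOFF = datetime(2024, 3, 4)        # events before this form the baseline
DETECTED_AT = datetime(2024, 3, 5, 10, 13)    # constructed time the hunt confirmed it


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_host: str
    logon_type: str
    result: str


@dataclass
class Finding:
    user: str
    src_host: str
    logon_type: str
    first_seen: datetime
    event_count: int
    reason: str
    technique: str = "T1078 Valid Accounts"   # TTP mapping for the hunt report


def parse_auth_log(text: str) -> list[AuthEvent]:
    """Parse the constructed line format into events; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, logon_type, result = line.split(",")
        events.append(AuthEvent(datetime.fromisoformat(ts), user, host, logon_type, result))
    return events


def build_baseline(events, cutoff):
    """Per user: source hosts and logon types seen before the cutoff."""
    baseline = defaultdict(lambda: {"hosts": set(), "logon_types": set()})
    for e in events:
        if e.ts < cutoff:
            baseline[e.user]["hosts"].add(e.src_host)
            baseline[e.user]["logon_types"].add(e.logon_type)
    return baseline


def run_hunt(events, cutoff):
    """Hypothesis: an account authenticating from a host or with a logon type
    outside its baseline is a candidate compromise. One finding is produced per
    (user, host, logon_type), keeping the earliest timestamp and the event count."""
    baseline = build_baseline(events, cutoff)
    grouped = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.ts < cutoff or e.user not in baseline:
            continue
        reasons = []
        if e.src_host not in baseline[e.user]["hosts"]:
            reasons.append("unknown source host")
        if e.logon_type not in baseline[e.user]["logon_types"]:
            reasons.append("unusual logon type")
        if not reasons:
            continue
        key = (e.user, e.src_host, e.logon_type)
        if key in grouped:
            grouped[key].event_count += 1
        else:
            grouped[key] = Finding(e.user, e.src_host, e.logon_type, e.ts, 1, ", ".join(reasons))
    return list(grouped.values())


def hunt_metrics(findings, verdicts, detected_at):
    """False positive rate of the hypothesis and dwell time in hours (first
    malicious event to detection). verdicts: (user, host, logon_type) -> label."""
    def label(f):
        return verdicts.get((f.user, f.src_host, f.logon_type))
    benign = [f for f in findings if label(f) == "benign"]
    malicious = [f for f in findings if label(f) == "malicious"]
    fp_rate = len(benign) / len(findings) if findings else 0.0
    dwell_hours = None
    if malicious:
        first = min(f.first_seen for f in malicious)
        dwell_hours = (detected_at - first).total_seconds() / 3600
    return {"findings": len(findings), "false_positive_rate": fp_rate, "dwell_time_hours": dwell_hours}


def hunt_report(findings, verdicts):
    """Plain-text hunt report with context, TTP mapping and triage verdict per finding."""
    lines = ["HUNT REPORT: service account used outside its baseline"]
    for f in sorted(findings, key=lambda x: x.first_seen):
        verdict = verdicts.get((f.user, f.src_host, f.logon_type), "open")
        lines.append(f"{f.first_seen.isoformat()} {f.user}@{f.src_host} ({f.logon_type}) "
                     f"x{f.event_count} reason={f.reason} ttp={f.technique} verdict={verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    findings = run_hunt(parse_auth_log(SAMPLE_AUTH_LOG), BASELINE_CUTOFF)
    # Constructed analyst verdicts: bk-srv-03 is a newly provisioned backup host.
    verdicts = {("svc_backup", "bk-srv-03", "service"): "benign",
                ("svc_backup", "ws-finance-07", "interactive"): "malicious",
                ("svc_backup", "fs-hr-01", "network"): "malicious"}
    print(hunt_report(findings, verdicts))
    print(hunt_metrics(findings, verdicts, DETECTED_AT))
```

The benign finding on bk-srv-03 is the point of the false-positive metric: a hypothesis keyed only on "new host" fires on legitimate provisioning, which is the feedback a hunt feeds back into detection engineering (for example, adding an asset-inventory check before the rule is operationalized). The repeated interactive failures followed by a success on a workstation are what the hunt report surfaces for containment.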

⚠️ Technical debt & bottlenecks

  • Outdated log sources and missing instrumentation
  • Proliferation of ad-hoc scripts instead of standardized playbooks
  • Lack of test data for rule validation

  • Data volume and retention
  • Analyst capacity
  • Quality of telemetry

  • Hunting activities without metrics or tracking
  • Automatic blocking without human validation
  • Using outdated IoCs as sole basis
  • Too narrow hypotheses prevent discovery of unknown TTPs
  • Insufficient context data leads to misinterpretation
  • Unprioritized findings overload incident response

  • Experienced analysts with forensic background
  • Knowledge of network analysis and log correlation
  • Ability to design hypotheses and tests

  • Comprehensive telemetry (endpoint, network, auth)
  • Centralized log correlation and search
  • Integration of threat intelligence

  • Limited log retention due to compliance
  • Access rights to sensitive systems
  • Budget constraints for tooling