Category: Security Operations

Threat Hunting

Also known as: Cyber Threat Hunting
Simply put

Threat hunting is a proactive cybersecurity practice where security professionals actively search through networks and systems to find hidden threats that have not been detected by automated security tools. Rather than waiting for alerts, threat hunters look for signs of malicious activity that may already be present but unnoticed. This approach helps organizations identify and respond to threats before they cause significant damage.

Formal definition

Threat hunting is a proactive, analyst-driven cybersecurity discipline that involves iteratively searching an organization's network and endpoints for indicators of compromise (IOCs), adversary tactics, techniques, and procedures (TTPs), and other evidence of previously unknown or ongoing threats. It combines elements of digital forensics, incident response, and threat intelligence to identify malicious activity that has evaded existing automated detection mechanisms. The process typically relies on hypothesis-driven investigation, behavioral analysis, and anomaly detection performed by specialized security analysts who leverage telemetry data, logs, and endpoint visibility tools. Threat hunting is inherently a runtime and operational activity, as it depends on access to live or recent network and system data rather than static code analysis. Its effectiveness is bounded by the quality and completeness of available telemetry, the skill of the analysts involved, and the scope of data collection across the environment.

Why it matters

Automated detection tools, including intrusion detection systems, SIEM platforms, and endpoint protection suites, are effective at catching known threat signatures and well-characterized attack patterns. However, sophisticated adversaries frequently employ novel techniques, living-off-the-land tactics, and slow-moving campaigns specifically designed to evade these automated defenses. Threat hunting addresses this critical gap by placing skilled analysts in an active investigative role, searching for evidence of compromise that may have persisted undetected for days, weeks, or even months. Without this proactive discipline, organizations risk prolonged dwell times during which attackers can escalate privileges, move laterally, and exfiltrate sensitive data.

The value of threat hunting is particularly evident in application security and software supply chain contexts, where compromised dependencies, backdoored build artifacts, or tampered deployment pipelines may not trigger conventional alerts. A threat hunter examining anomalous network telemetry, unusual process behavior on build servers, or unexpected outbound connections from production workloads can surface evidence of supply chain compromise that static analysis and automated monitoring would typically miss. By combining threat intelligence with behavioral analysis, threat hunting enables organizations to detect and contain threats before they cause significant operational or reputational damage.

Because threat hunting is fundamentally a human-driven activity, its effectiveness scales with organizational investment in skilled analysts, quality telemetry, and mature processes. Organizations that treat threat hunting as an ongoing discipline, rather than an ad hoc exercise, are better positioned to adapt to evolving adversary tradecraft and to continuously refine their automated detection capabilities based on hunting findings.

Who it's relevant to

Security Operations Center (SOC) Analysts and Threat Hunters
SOC analysts and dedicated threat hunters are the primary practitioners of this discipline. They use hypothesis-driven investigation and behavioral analysis to identify threats that automated alerting mechanisms have missed, and their findings directly improve detection engineering and incident response posture.
CISOs and Security Leaders
Security executives need to understand threat hunting as a strategic capability that complements automated defenses. Building and resourcing a threat hunting program requires investment in skilled personnel, telemetry infrastructure, and threat intelligence, and its outputs can inform risk assessments and security roadmaps.
Application Security Engineers
AppSec professionals benefit from threat hunting insights, particularly when hunts uncover compromised application components, anomalous behavior in production workloads, or evidence of supply chain tampering that static analysis and automated scanning tools cannot detect without runtime context.
DevSecOps and Platform Engineering Teams
Teams responsible for build pipelines, deployment infrastructure, and production environments should collaborate with threat hunters, as anomalies in CI/CD systems, container orchestration platforms, and cloud environments are increasingly targeted by adversaries and may only be surfaced through proactive investigation.
Incident Response Teams
Incident responders work closely with threat hunters, as hunting activities frequently transition into active incident response when genuine compromises are discovered. The intelligence and context gathered during a hunt accelerates containment and remediation efforts.

Inside Threat Hunting

Hypothesis-Driven Investigation
A proactive approach where analysts formulate hypotheses about potential threats or attacker behaviors within their environment and then systematically search for evidence to confirm or refute those hypotheses, rather than waiting for automated alerts.
Indicators of Compromise (IoCs)
Observable artifacts such as file hashes, IP addresses, domain names, or behavioral patterns that suggest a system or network may have been compromised. Hunters use known IoCs as starting points to search for evidence of intrusion across telemetry sources. Atomic indicators such as hashes and IP addresses are cheap for an adversary to rotate, so hunts anchored only on IoCs tend to find reused infrastructure rather than new tradecraft; behavioral indicators age more slowly.
Tactics, Techniques, and Procedures (TTPs)
Descriptions of adversary behavior at decreasing levels of abstraction, from the goal (tactic) through the method (technique) to the specific implementation (procedure), commonly cataloged in frameworks such as MITRE ATT&CK. Threat hunters use TTP knowledge to identify patterns of attacker activity that may evade signature-based detection, since a technique persists across campaigns even when its atomic indicators change.
Telemetry and Log Analysis
The collection and examination of data from endpoints, network traffic, application logs, authentication systems, and other sources to identify anomalous or suspicious activity that may indicate an active or past compromise.
Baseline and Anomaly Detection
Establishing normal behavioral baselines for users, systems, and applications, then identifying deviations from those baselines that may indicate malicious activity. This technique helps surface threats that do not match known signatures.
Threat Intelligence Integration
The incorporation of external and internal threat intelligence feeds, reports, and contextual data to inform hunting hypotheses, prioritize investigation targets, and correlate findings with known adversary campaigns.
Iterative Refinement of Detection Rules
A key output of threat hunting where findings from hunts are used to create or improve automated detection rules, alerting logic, and monitoring coverage, thereby strengthening the organization's overall detection posture over time.
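A worked illustration of the baseline and anomaly technique listed above, applied to the build-server scenario from the "Why it matters" section. This is an added example, not code from the original page: the endpoint-agent record format, hostnames, process names and domains are all constructed for illustration. A baseline window of normal outbound connections from CI hosts is learned first; a later hunt window is then checked for destination domains and process lineages that never appear in the baseline.

```python
"""Baseline-and-anomaly hunt over outbound connection telemetry from CI build hosts.

Added example. All hostnames, process names, domains and records are constructed.
"""
from collections import Counter, defaultdict

# Constructed telemetry, one outbound connection per line as an endpoint agent
# might record it: timestamp, host, parent process, process, destination domain.
BASELINE_EVENTS = """\
2024-05-01T10:00:01Z ci-build-01 jenkins-agent git github.com
2024-05-01T10:00:05Z ci-build-01 jenkins-agent npm registry.npmjs.org
2024-05-01T10:01:10Z ci-build-02 jenkins-agent pip pypi.org
2024-05-01T10:02:44Z ci-build-02 jenkins-agent git github.com
2024-05-02T09:58:20Z ci-build-01 jenkins-agent npm registry.npmjs.org
2024-05-02T10:00:03Z ci-build-01 jenkins-agent git github.com
2024-05-03T10:00:09Z ci-build-02 jenkins-agent pip pypi.org
2024-05-03T10:00:40Z ci-build-02 jenkins-agent docker registry.internal.example
"""

# Hunt window: same hosts, one week later. Lines 3 and 4 model a dependency
# install script spawning node, which spawns curl to an unknown domain.
HUNT_EVENTS = """\
2024-05-10T10:00:02Z ci-build-01 jenkins-agent git github.com
2024-05-10T10:00:07Z ci-build-01 jenkins-agent npm registry.npmjs.org
2024-05-10T10:00:09Z ci-build-01 npm node cdn-metrics.example.net
2024-05-10T10:00:11Z ci-build-01 node curl cdn-metrics.example.net
2024-05-10T10:01:30Z ci-build-02 jenkins-agent pip pypi.org
2024-05-10T10:02:00Z ci-build-02 jenkins-agent pip registry.internal.example
"""


def parse(text):
    """Split the constructed record format into dicts; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, proc, domain = line.split()
        records.append({"ts": ts, "host": host, "parent": parent,
                        "proc": proc, "domain": domain})
    return records


def build_baseline(records):
    """Learn what 'normal' looks like: which (host, process) pairs reach which
    domains, which parent->child lineages occur per host, and every domain seen."""
    conn = defaultdict(set)   # (host, proc) -> {domains}
    spawn = defaultdict(set)  # host -> {(parent, proc)}
    domains = set()
    for r in records:
        conn[(r["host"], r["proc"])].add(r["domain"])
        spawn[r["host"]].add((r["parent"], r["proc"]))
        domains.add(r["domain"])
    return {"conn": conn, "spawn": spawn, "domains": domains}


def hunt(baseline, records):
    """Return hunt-window records that deviate from the baseline, with reasons.
    A domain unseen anywhere is weighted above one merely new to this host/process."""
    findings = []
    for r in records:
        reasons = []
        if r["domain"] not in baseline["domains"]:
            reasons.append("domain never seen on any build host")
        elif r["domain"] not in baseline["conn"].get((r["host"], r["proc"]), set()):
            reasons.append("domain new for this host/process")
        if (r["parent"], r["proc"]) not in baseline["spawn"].get(r["host"], set()):
            reasons.append("process lineage not in baseline")
        if reasons:
            findings.append({**r, "reasons": reasons})
    return findings


def summarize(findings):
    """Count anomalous records per destination to rank hunt leads."""
    return Counter(f["domain"] for f in findings)


def run_hunt():
    return hunt(build_baseline(parse(BASELINE_EVENTS)), parse(HUNT_EVENTS))


if __name__ == "__main__":
    for f in run_hunt():
        print(f["ts"], f["host"], f["parent"], "->", f["proc"], f["domain"], f["reasons"])
    print(summarize(run_hunt()))
```

The two records with both a never-seen domain and an unbaselined lineage (npm spawning node, node spawning curl) are the lead a hunter would pull first; the pip connection to the internal registry is a low-priority deviation that may simply be a new job. Either outcome feeds back into the program: confirmed malicious lineage becomes a detection rule, benign deviations are added to the baseline.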

Common questions

Answers to the questions practitioners most commonly ask about Threat Hunting.

Is threat hunting the same as monitoring alerts from a SIEM or intrusion detection system?
No. Alert-driven monitoring is a reactive process that responds to predefined rules and signatures. Threat hunting is a proactive, hypothesis-driven activity where analysts actively search for threats that may have evaded existing detection mechanisms. While hunters may use SIEM data as one input, the discipline involves formulating hypotheses about attacker behavior and investigating evidence that automated tools have not flagged.
Does threat hunting replace the need for automated detection tools and vulnerability scanning?
It does not. Threat hunting complements automated detection rather than replacing it. Automated tools handle known signatures, rules-based alerting, and high-volume log correlation, which would be impractical to perform manually. Threat hunting addresses the gaps these tools leave, such as novel attack techniques, living-off-the-land tactics, and slow-moving intrusions that do not trigger predefined thresholds. Both capabilities are necessary for a mature security posture.
What data sources are typically needed to support effective threat hunting in application security contexts?
Effective threat hunting typically requires access to application logs, authentication and access control records, API call logs, network flow data, endpoint telemetry, and software supply chain metadata such as dependency manifests and build pipeline audit trails. The richness and retention period of these data sources directly affect the scope of hunts. Organizations should ensure logging is sufficiently detailed and normalized before investing heavily in hunting operations.
How should an organization structure threat hunting hypotheses, particularly for application-layer threats?
Hypotheses should be specific, testable, and grounded in threat intelligence or known attacker tradecraft. For application-layer threats, examples include hypothesizing that an attacker may be exfiltrating data through a specific API endpoint, that a compromised dependency is establishing outbound connections to unusual domains, or that credential stuffing is occurring against authentication services at rates below automated detection thresholds. Each hypothesis should define what evidence would confirm or refute it and which data sources are relevant.
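The third hypothesis above, credential stuffing kept below the automated threshold, carried through as an added example (not code from the original page). The log line format, the IP addresses and usernames, the assumed SIEM rule (ten failures from one source within five minutes) and the hunt thresholds are all assumptions made for the illustration. The block states what evidence would confirm the hypothesis, namely a source that never trips the burst rule yet fails against many distinct usernames, and runs that test over a constructed log.

```python
"""Hypothesis test: credential stuffing kept below the SIEM's burst threshold.

Added example. Log format, addresses, usernames and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed existing SIEM rule: alert when one source IP produces >= 10 failures in 5 minutes.
SIEM_BURST_THRESHOLD = 10
SIEM_WINDOW = timedelta(minutes=5)
# Hunt criteria (assumptions): many distinct usernames, nearly all of them failing.
HUNT_MIN_DISTINCT_USERS = 8
HUNT_MIN_DISTINCT_RATIO = 0.8

LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")


def constructed_auth_log():
    """Constructed sample log (not real data) with three source IPs."""
    lines = []
    # 1) Low-and-slow stuffing: one failure every 10 minutes, a new username each time.
    start = datetime(2024, 5, 10, 1, 0, 0)
    for i in range(12):
        ts = start + timedelta(minutes=10 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} auth FAIL user=user{i:02d} src=198.51.100.7")
    # 2) Legitimate user: two typos, then success, within two minutes.
    start = datetime(2024, 5, 10, 2, 0, 0)
    for i, outcome in enumerate(["FAIL", "FAIL", "OK"]):
        ts = start + timedelta(seconds=40 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} auth {outcome} user=alice src=203.0.113.5")
    # 3) Misconfigured service account retrying one password: trips the burst rule, not stuffing.
    start = datetime(2024, 5, 10, 3, 0, 0)
    for i in range(11):
        ts = start + timedelta(seconds=15 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} auth FAIL user=svc-backup src=203.0.113.9")
    return "\n".join(sorted(lines))


def parse_failures(log_text):
    """Group failed logins by source IP as (timestamp, username) pairs."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are themselves a telemetry-quality finding
        ts, outcome, user, src = m.groups()
        if outcome == "FAIL":
            failures[src].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user))
    return failures


def max_in_window(timestamps, window):
    """Largest number of events inside any sliding window of the given length
    (the quantity a burst-threshold rule effectively measures)."""
    timestamps = sorted(timestamps)
    best, left = 0, 0
    for right, t in enumerate(timestamps):
        while t - timestamps[left] >= window:
            left += 1
        best = max(best, right - left + 1)
    return best


def evaluate(log_text):
    """Per source IP: what the SIEM rule would see versus what the hunt hypothesis asks."""
    results = {}
    for src, events in parse_failures(log_text).items():
        total = len(events)
        distinct = len({user for _, user in events})
        burst = max_in_window([t for t, _ in events], SIEM_WINDOW)
        results[src] = {
            "failures": total,
            "distinct_users": distinct,
            "max_failures_in_5m": burst,
            "siem_rule_fires": burst >= SIEM_BURST_THRESHOLD,
            "stuffing_suspect": (distinct >= HUNT_MIN_DISTINCT_USERS
                                 and distinct / total >= HUNT_MIN_DISTINCT_RATIO),
        }
    return results


if __name__ == "__main__":
    for src, r in evaluate(constructed_auth_log()).items():
        print(src, r)
```

The source at 198.51.100.7 never exceeds one failure in any five-minute window, so the burst rule stays silent, but twelve distinct usernames with a 100% failure ratio confirms the hypothesis. The service account at 203.0.113.9 shows the opposite profile: it trips the burst rule yet is plainly not stuffing. A hunt that ends here has two outputs, a new detection on distinct-username ratio over a long lookback and a tuning note for the existing burst rule.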
What are the key skills and organizational prerequisites for starting a threat hunting program?
At minimum, an organization needs analysts with knowledge of attacker techniques (such as those cataloged in MITRE ATT&CK), familiarity with the organization's application architecture, and proficiency in querying and correlating log data. Organizational prerequisites include mature logging infrastructure, baseline visibility into normal application and network behavior, and management support for dedicating analyst time to hunting rather than purely reactive incident response. Starting with focused, time-boxed hunts is a common approach for teams building this capability incrementally.
How should findings from threat hunts be operationalized to improve ongoing detection?
When a hunt identifies a previously undetected threat pattern or confirms a hypothesis, the findings should be converted into new detection rules, SIEM correlation logic, or automated alerts so that the same technique does not require manual hunting in the future. Additionally, findings may inform updates to application security controls, incident response playbooks, and threat models. Documenting hunt methodologies and outcomes also helps refine future hypotheses and provides evidence of the program's value to stakeholders.

Common misconceptions

Threat hunting is the same as incident response or alert triage.
Threat hunting is a proactive, hypothesis-driven activity that starts from the assumption that a compromise may already be present without any alert having fired, and searches for threats that have evaded existing detection mechanisms. Incident response and alert triage are reactive processes that begin after a detection or alert has already occurred. While the skill sets overlap, the intent and workflow are fundamentally different, and a hunt hands off to incident response only once it finds something.
Automated tools and SIEM queries alone constitute threat hunting.
While threat hunting relies heavily on tooling, telemetry platforms, and query languages, the distinguishing element is the human-driven analytical process of forming hypotheses and creatively exploring data. Pure automation without human-driven investigation is better described as automated detection, not hunting.
Threat hunting is only relevant to network and infrastructure security, not application security.
Threat hunting is increasingly applicable to application security contexts, where hunters may search for evidence of exploitation in application logs, look for signs of supply chain compromise in build pipelines, or investigate anomalous API behavior. Application-layer telemetry is a valuable and often underutilized data source for hunting activities.

Best practices

Define clear, testable hypotheses before beginning each hunt, grounded in threat intelligence, known TTPs, or observed environmental changes, to maintain focus and enable measurable outcomes.
Ensure broad and high-fidelity telemetry collection across endpoints, networks, applications, and identity systems, as gaps in data coverage directly limit the scope and effectiveness of any hunting effort.
Map hunting activities to frameworks such as MITRE ATT&CK to systematically track which adversary techniques have been investigated and identify coverage gaps in both hunting and automated detection.
Document all hunt findings, including negative results, and use them to refine automated detection rules, update baselines, and improve logging and monitoring configurations.
Incorporate application-layer data sources, such as application logs, API access patterns, CI/CD pipeline events, and dependency management records, into the hunting program to extend coverage into the software supply chain.
Conduct regular retrospectives on completed hunts to evaluate hypothesis quality, identify telemetry gaps discovered during the process, and continuously improve the maturity of the hunting program.