On a Tuesday morning in March, a threat hunter at a regional healthcare system noticed something odd. Three different endpoints had queried the same external domain within a four-hour window. None of the queries triggered existing detection rules. The domain was not on any threat intelligence blocklist. The queries used standard DNS over port 53. From the SIEM’s perspective, the activity was unremarkable.
The hunter disagreed. The three endpoints belonged to different departments — radiology, human resources, and facilities management. They had no business reason to contact the same external host. The domain had been registered eleven days earlier. The pattern was consistent with command-and-control beaconing, but the traffic volume was too low and too irregular for any automated detection to flag.
Over the next six hours, the hunter traced the activity to a compromised vendor management portal. An attacker had used stolen credentials to access the portal, planted a web shell, and was using it to enumerate the network and stage data for exfiltration. If the hunter had not pursued the initial anomaly, the exfiltration would likely have completed within 48 hours.
This is threat hunting: the proactive, hypothesis-driven search for threats that automated detection has missed. It is the most intellectually demanding function in a security operations center, and it is becoming the most critical.
What Threat Hunting Actually Is
The SANS Institute defines threat hunting as “a proactive and iterative approach to detecting, isolating, and defeating adversaries operating within an enterprise’s environment.” The key words are proactive and iterative. Threat hunting is not alert triage. It is not incident response. It is not vulnerability scanning. It is a structured process that begins with a hypothesis about adversary behavior and ends with either a confirmed threat, a new detection rule, or documented understanding of benign activity.
NIST Special Publication 800-150 references threat hunting indirectly through its discussion of proactive intelligence utilization. The document describes a maturity model for threat intelligence that moves from reactive consumption of indicators of compromise to proactive hypothesis generation and testing. Threat hunting operates at the highest end of this maturity spectrum.
The MITRE ATT&CK framework has become the organizing structure for threat hunting operations. Because ATT&CK catalogs adversary tactics, techniques, and procedures in a standardized taxonomy, hunters can use it to formulate precise hypotheses. Rather than searching broadly for “suspicious activity,” a hunter might hypothesize that “an adversary is using scheduled tasks for persistence, mapped to ATT&CK T1053.005.” This specificity allows the hunter to query relevant data sources directly — Windows event logs for scheduled task creation, process execution records for unusual task commands — rather than sifting through undifferentiated telemetry.
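As an added example (not code from the article, MITRE or any vendor), the following Python tests the T1053.005 hypothesis above against scheduled-task creation telemetry: the Windows Security Event ID 4698 records, hosts, usernames and task definitions are constructed samples, and the two heuristics (binary in a user-writable path, script host launched with evasion-style arguments) are assumptions about what separates administrative tasks from suspicious ones, not a published rule.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

def task_xml(command, arguments=""):
    """Build the minimal task definition XML a 4698 event carries (constructed sample helper)."""
    args = f"<Arguments>{arguments}</Arguments>" if arguments else ""
    return f'<Task xmlns="{TASK_NS}"><Actions><Exec><Command>{command}</Command>{args}</Exec></Actions></Task>'

# Constructed Windows Security Event ID 4698 ("A scheduled task was created") records, as a
# hypothetical log pipeline would hand them to the hunter. Only the fields the hunt uses are kept.
SAMPLE_4698 = [
    {"host": "RAD-WS-07", "SubjectUserName": "SYSTEM", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "-c -h -o -$")},
    {"host": "HR-WS-12", "SubjectUserName": "jdoe", "TaskName": r"\OneDrive Update",
     "TaskContent": task_xml(r"C:\Users\jdoe\AppData\Local\Temp\svc.exe")},
    {"host": "FAC-WS-03", "SubjectUserName": "jdoe", "TaskName": r"\Sync",
     "TaskContent": task_xml("powershell.exe", "-w hidden -enc QQBCAEMA")},
]

USER_WRITABLE = re.compile(r"\\(Users|AppData|Temp|ProgramData|Public)\\", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
EVASION_ARGS = re.compile(r"(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|bypass|downloadstring|https?://)", re.I)

def extract_action(task_xml_text):
    """Return (command, arguments) from the first <Exec> action; {*} wildcards the task namespace."""
    root = ET.fromstring(task_xml_text)
    cmd = root.find(".//{*}Exec/{*}Command")
    args = root.find(".//{*}Exec/{*}Arguments")
    return ((cmd.text or "").strip() if cmd is not None else "",
            (args.text or "").strip() if args is not None else "")

def hunt_scheduled_tasks(events):
    """Test the T1053.005 hypothesis: which newly created tasks look unlike administrative ones?"""
    findings = []
    for e in events:
        command, arguments = extract_action(e["TaskContent"])
        exe = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if USER_WRITABLE.search(command):
            reasons.append("task binary lives in a user-writable path")
        if exe in SCRIPT_HOSTS and EVASION_ARGS.search(arguments):
            reasons.append(f"{exe} launched with evasion-style arguments")
        if reasons:
            findings.append({"host": e["host"], "task": e["TaskName"], "creator": e["SubjectUserName"],
                             "command": f"{command} {arguments}".strip(), "technique": "T1053.005", "reasons": reasons})
    return findings
```

The built-in defrag task passes untouched while the two user-created tasks surface with the reason that triggered them, which is what the hunter then investigates against process execution records.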
The Hunting Methodology
Effective threat hunting follows a structured methodology. The SANS course SEC530, “Threat Hunting and Incident Response,” teaches a four-phase process: trigger, investigate, resolve, and document.
The trigger is the hypothesis that initiates the hunt. Triggers come from three sources. Intelligence-driven triggers originate from external threat intelligence — a report about a new adversary technique, an advisory from CISA about active exploitation, or an ISAC bulletin about campaigns targeting the organization’s industry. Situational triggers come from internal observations — an anomaly in network traffic, an unusual authentication pattern, or a gap in detection coverage that a hunter identifies during routine work. Analytical triggers come from structured analysis of existing data — statistical modeling that identifies outliers, clustering that reveals unexpected patterns, or anomaly detection that surfaces data points outside normal distributions.
CISA’s “Hunt and Incident Response for Critical Infrastructure” advisory, published in February 2024 as AA24-054A, recommends that organizations establish a regular hunting cadence of at least one structured hunt per week. The advisory notes that “adversaries increasingly employ techniques designed to evade automated detection, making proactive hunting essential for identifying persistent access that has been established within the environment.”
The investigation phase is where the hunter tests the hypothesis against available data. This phase requires deep familiarity with the organization’s telemetry sources. A hunter investigating a hypothesis about credential dumping needs to know which endpoints log LSASS access events, whether those logs are being forwarded to the SIEM, and what the baseline pattern of LSASS access looks like in the environment. This contextual knowledge is why threat hunting cannot be effectively outsourced or performed by analysts who lack familiarity with the specific environment.
The resolution phase determines whether the hypothesis was confirmed. If a threat is found, the hunter initiates the incident response process. If no threat is found, the hunt produces one of two outcomes: a documented understanding of why the behavior is benign, or a new detection rule that closes the gap the hunt identified. Both outcomes have lasting value. Documented benign baselines prevent future analysts from investigating the same activity. New detection rules extend the automated detection capability, reducing the surface area that future hunters must cover.
The documentation phase ensures that the hunt’s methodology, findings, and outcomes are recorded for institutional reference. This documentation feeds back into the hunting program by identifying patterns across multiple hunts, refining hypotheses, and building a knowledge base that accelerates future investigations.
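As an added example of the investigation and resolution phases (not code from the article, SANS or CISA), the following Python takes the credential-dumping hypothesis above, builds a baseline of which processes open LSASS on which hosts from Sysmon Event ID 10 records, and flags events in the hunt window whose source image is absent or rare in that baseline; the hosts, image paths and access masks are constructed samples, and the "rare on fewer than two hosts" threshold is an assumption.

```python
from collections import defaultdict

LSASS = r"c:\windows\system32\lsass.exe"
def ev(host, source, granted="0x1000", target=LSASS):
    """Constructed Sysmon Event ID 10 (ProcessAccess) record, trimmed to the fields the hunt uses."""
    return {"host": host, "SourceImage": source, "TargetImage": target, "GrantedAccess": granted}

# Constructed baseline window: everything that opened LSASS across the fleet during a quiet week.
AV = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"
WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
BASELINE_WEEK = ([ev(h, AV) for h in ("RAD-WS-07", "HR-WS-12", "FAC-WS-03", "IT-WS-01")]
                 + [ev(h, r"C:\Windows\System32\csrss.exe") for h in ("RAD-WS-07", "HR-WS-12")]
                 + [ev("IT-WS-01", WMI)])

# Constructed hunt window: the day under investigation.
HUNT_DAY = [
    ev("RAD-WS-07", AV),
    ev("HR-WS-12", WMI),
    ev("FAC-WS-03", r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", granted="0x1010"),
]

def build_baseline(events):
    """Stack counting: for each source image that opened LSASS, the set of hosts it did so on."""
    seen = defaultdict(set)
    for e in events:
        if e["TargetImage"].lower() == LSASS:
            seen[e["SourceImage"].lower()].add(e["host"])
    return seen

def reads_memory(granted):
    """True when the access mask includes PROCESS_VM_READ (0x0010), which reading credentials requires."""
    return int(granted, 16) & 0x0010 != 0

def hunt_lsass_access(events, baseline, min_hosts=2):
    """Flag LSASS accesses whose source image is absent from, or rare in, the baseline."""
    findings = []
    for e in events:
        if e["TargetImage"].lower() != LSASS:
            continue
        hosts = baseline.get(e["SourceImage"].lower(), set())
        reasons = []
        if not hosts:
            reasons.append("source image never opened LSASS in the baseline window")
        elif len(hosts) < min_hosts:
            reasons.append(f"source image opened LSASS on only {len(hosts)} baseline host(s)")
        if reasons and reads_memory(e["GrantedAccess"]):
            reasons.append("access mask includes PROCESS_VM_READ")
        if reasons:
            findings.append({"host": e["host"], "source": e["SourceImage"], "granted": e["GrantedAccess"], "reasons": reasons})
    return findings
```

The rare-but-expected WMI provider is the kind of finding that ends as a documented benign baseline entry, while the never-seen binary with read access is the kind that starts an incident and, afterwards, a detection rule.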
Tools and Data Sources
Threat hunting requires access to telemetry that goes beyond what standard SIEM dashboards provide. Endpoint telemetry is the most critical data source. Process execution logs, registry modifications, network connections, file creation events, and memory access patterns provide the granular visibility that hunters need to identify sophisticated adversary behavior. EDR platforms like CrowdStrike Falcon, SentinelOne, and Microsoft Defender for Endpoint collect this data, but the hunter needs the ability to query it flexibly rather than relying on pre-built detection rules.
Network telemetry complements endpoint data. Full packet capture is ideal but impractical for most organizations due to storage costs. NetFlow data, DNS query logs, proxy logs, and TLS certificate information provide sufficient visibility for most hunting hypotheses when correlated with endpoint data. Network detection and response platforms like Vectra AI, ExtraHop, and Darktrace supplement traditional network telemetry with behavioral analytics that can surface anomalous traffic patterns.
Threat intelligence platforms provide the external context that informs hunting hypotheses. Recorded Future, CrowdStrike Falcon Intelligence, Mandiant Advantage, and open-source platforms like MISP and OpenCTI give hunters access to adversary profiles, indicators of compromise, and tactical reports that can be mapped to the organization’s environment.
Elastic Security has gained significant adoption as a hunting platform because its query language, KQL, provides flexible access to indexed telemetry without requiring analysts to write complex SQL or learn proprietary query syntax. The Elastic Common Schema normalizes data from diverse sources into a unified format, enabling cross-source correlation that would be difficult in a traditional SIEM.
The People Problem
Threat hunters are the most difficult SOC role to recruit and retain. The position requires a combination of skills that is rare: deep technical knowledge of operating systems, networking, and adversary tradecraft; analytical thinking capable of generating and testing hypotheses; and the patience to pursue leads that may not yield results.
The SANS 2024 SOC Survey found that only 12 percent of organizations surveyed had a dedicated threat hunting team. Most organizations that hunt at all assign the function to their most senior analysts as a periodic activity alongside other responsibilities. This part-time approach limits the volume and sophistication of hunting operations.
The GIAC Certified Threat Hunter certification, offered by SANS, has become the standard credential for validating hunting skills. The certification requires demonstrated ability to formulate hypotheses, select appropriate data sources, execute structured investigations, and document findings. As of 2024, approximately 2,800 professionals held the certification globally — a small fraction of the estimated need.
The Return on Investment
Measuring the value of threat hunting is difficult because the most important outcomes are negative — threats that were detected and neutralized before they caused damage. But several metrics provide useful indicators.
Mean time to detect for hunting-detected incidents is typically longer than for alert-detected incidents because hunting identifies threats that have already evaded automated detection and are operating within the environment. This sounds counterintuitive, but it reflects the nature of the threats hunting addresses: advanced adversaries who have established persistent access and are operating slowly and carefully. Without hunting, these threats remain undetected indefinitely.
The number of new detection rules generated by hunting operations is a forward-looking metric. Each new rule extends the automated detection capability, reducing the burden on future hunters and improving the organization’s baseline security posture. Organizations with mature hunting programs typically generate five to fifteen new detection rules per month from hunting activities.
The MITRE Engage framework, published as a complement to ATT&CK, provides a structure for measuring the impact of proactive defense activities including threat hunting. The framework categorizes defensive actions into three groups: deny, disrupt, and degrade. Hunting contributes primarily to the deny category — identifying and eliminating adversary access before it can be used for offensive purposes.
Hunting in 2026 and Beyond
The threat landscape continues to evolve in ways that make hunting more necessary. Living-off-the-land techniques — where adversaries use legitimate administrative tools rather than custom malware — generate telemetry that blends with normal activity. Automated detection struggles to distinguish a legitimate PowerShell script from a malicious one when both use the same interpreter, the same commands, and the same network paths.
CISA’s “Top Routinely Exploited Vulnerabilities” advisory, updated annually, consistently shows that adversaries exploit known vulnerabilities for months or years after patches are available. This persistence means that even organizations with strong patch management programs face adversaries who have established footholds through previously unpatched systems. Hunting is the mechanism for finding those footholds.
The organizations that invest in structured, resourced threat hunting programs are not wasting money on speculative activity. They are building the detection capability that will identify the next intrusion that their automated systems miss. The question is not whether their environment contains undetected threats. The question is whether they will find them before the adversary finishes the job.
