Threat Hunter
What is Threat Hunter?
Threat Hunter: A senior defender who proactively searches enterprise telemetry for adversary activity that has bypassed existing detections, using hypothesis-driven queries, threat intelligence, and behavioral analytics.
A Threat Hunter is a senior defender who proactively searches for malicious activity that has eluded automated detections. The work is hypothesis-driven: starting from MITRE ATT&CK techniques, threat-intelligence reporting, or anomalies in baselines, the hunter pivots through EDR, SIEM, identity, cloud, and network telemetry to confirm or rule out adversary presence. Hunters partner closely with detection engineers to convert successful hunts into durable detections and with incident responders when a hunt becomes an investigation. The role typically sits inside the SOC or a dedicated cyber-defense group, reporting to a SOC manager or head of detection. Common qualifications include several years of Tier 2/3 SOC or DFIR experience and certifications such as GCFA, GCDA, GCIH, or CRTO.
● Examples
- 01
Hunt for living-off-the-land binaries abused by ransomware affiliates across the EDR fleet.
- 02
Search cloud audit logs for unusual cross-account assume-role chains tied to recent Cozy Bear TTPs.
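To make the hunting loop behind Example 01 concrete (hypothesis, baseline, pivot, triage-ready lead), the following Python script is an added illustration, not code from the original page. It assumes a constructed newline-delimited JSON export of EDR process-creation events with `host`, `parent`, `image`, `cmdline` and `user` fields; the event records, the small list of living-off-the-land binaries and the list of user-facing parent applications are all assumptions chosen for illustration. A hunt like this produces leads for triage, not verdicts: the baseline is what separates routine system use of the same binaries from activity worth a closer look.

```python
"""Hypothesis-driven hunt over EDR process-creation telemetry (added example).

Hypothesis: living-off-the-land binaries (LOLBins) that are routinely spawned
by system services will, during abuse, show up under parents they rarely or
never have in the fleet baseline, for example user-facing Office applications.

Every record below is constructed sample data, not real telemetry.
"""
from collections import Counter
from dataclasses import dataclass
import json

# Signed Windows binaries frequently listed as LOLBins (assumed short list for illustration).
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wmic.exe", "bitsadmin.exe"}
# Parents with no routine business reason to launch those binaries (assumption).
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str
    image: str
    cmdline: str
    user: str


def parse_events(lines):
    """Parse NDJSON process events into ProcEvent records (constructed schema)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        d = json.loads(line)
        # Normalise image names so WINWORD.EXE and winword.exe count as the same parent.
        events.append(ProcEvent(d["host"], d["parent"].lower(),
                                d["image"].lower(), d["cmdline"], d["user"]))
    return events


def build_baseline(events):
    """Fleet-wide count of each (parent, child) pair seen during the baseline window."""
    return Counter((e.parent, e.image) for e in events)


def hunt(events, baseline, rare_threshold=2):
    """Return a triage lead for each LOLBin launch whose parent/child pair is
    rare in the baseline or whose parent is a user-facing application."""
    leads = []
    for e in events:
        if e.image not in LOLBINS:
            continue
        seen = baseline.get((e.parent, e.image), 0)
        reasons = []
        if seen < rare_threshold:
            reasons.append(f"rare pair (seen {seen}x in baseline)")
        if e.parent in USER_FACING_PARENTS:
            reasons.append("spawned by user-facing app")
        if reasons:
            leads.append({"host": e.host, "user": e.user, "parent": e.parent,
                          "image": e.image, "cmdline": e.cmdline, "reasons": reasons})
    # Leads with more independent reasons go to the top of the triage queue.
    leads.sort(key=lambda lead: len(lead["reasons"]), reverse=True)
    return leads


# Constructed baseline window: routine service-driven rundll32 use plus normal Office launches.
BASELINE_LINES = [
    r'{"host":"ws01","parent":"svchost.exe","image":"rundll32.exe","cmdline":"rundll32.exe shell32.dll,Control_RunDLL","user":"SYSTEM"}',
    r'{"host":"ws02","parent":"svchost.exe","image":"rundll32.exe","cmdline":"rundll32.exe shell32.dll,Control_RunDLL","user":"SYSTEM"}',
    r'{"host":"ws03","parent":"svchost.exe","image":"rundll32.exe","cmdline":"rundll32.exe shell32.dll,Control_RunDLL","user":"SYSTEM"}',
    r'{"host":"ws01","parent":"explorer.exe","image":"winword.exe","cmdline":"WINWORD.EXE /n","user":"alice"}',
    r'{"host":"ws02","parent":"explorer.exe","image":"outlook.exe","cmdline":"OUTLOOK.EXE","user":"bob"}',
]

# Constructed hunt window: one routine event, one Office-spawned LOLBin, one rare-but-plausibly-benign use.
HUNT_LINES = [
    r'{"host":"ws03","parent":"svchost.exe","image":"rundll32.exe","cmdline":"rundll32.exe shell32.dll,Control_RunDLL","user":"SYSTEM"}',
    r'{"host":"ws07","parent":"WINWORD.EXE","image":"mshta.exe","cmdline":"mshta.exe C:\\Users\\carol\\Downloads\\invoice.hta","user":"carol"}',
    r'{"host":"ws09","parent":"cmd.exe","image":"certutil.exe","cmdline":"certutil.exe -hashfile setup.msi SHA256","user":"dave"}',
    r'{"host":"ws09","parent":"explorer.exe","image":"chrome.exe","cmdline":"chrome.exe","user":"dave"}',
]


def run_hunt():
    """Run the hunt on the embedded sample windows and return the ordered leads."""
    baseline = build_baseline(parse_events(BASELINE_LINES))
    return hunt(parse_events(HUNT_LINES), baseline)


if __name__ == "__main__":
    for lead in run_hunt():
        print(f"{lead['host']} {lead['user']}: {lead['parent']} -> {lead['image']} "
              f"[{'; '.join(lead['reasons'])}]")
```

On the sample data the routine `svchost.exe -> rundll32.exe` launch is suppressed by the baseline, the Office-spawned `mshta.exe` surfaces with two reasons, and the `cmd.exe -> certutil.exe` hash check surfaces with one; the last lead is exactly the kind of benign-but-rare activity a hunter expects to close quickly during triage, and a hunt that produces a stable rule for the first case is what the detection-engineering hand-off described above turns into a durable detection.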
● Frequently asked questions
What is Threat Hunter?
A senior defender who proactively searches enterprise telemetry for adversary activity that has bypassed existing detections, using hypothesis-driven queries, threat intelligence, and behavioral analytics. It belongs to the Roles & Careers category of cybersecurity.
What are other names for Threat Hunter?
Common alternative names include: Cyber threat hunter, Adversary hunter.
● Related terms
- defense-ops № 1147
Threat Hunting
Proactive, hypothesis-driven search through telemetry to uncover threats that have evaded existing detections.
- roles № 989
Security Analyst (Tier 1/2/3 SOC)
A Security Operations Center professional who monitors alerts, investigates incidents, and escalates threats, with seniority commonly tiered from Tier 1 triage to Tier 3 advanced investigation.
- roles № 523
Incident Responder
A specialist who leads or supports the technical response to confirmed security incidents, performing containment, eradication, forensic analysis, and recovery while coordinating with legal, communications, and executives.
- defense-ops № 1039
SIEM
A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
- defense-ops № 371
EDR (Endpoint Detection and Response)
An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
- defense-ops № 057
APT Group
A named, tracked threat actor (usually state-sponsored) that conducts targeted, long-term, well-resourced intrusion campaigns against specific organisations or sectors.