Threat Hunting
What is Threat Hunting?
Threat Hunting: Proactive, hypothesis-driven search through telemetry to uncover threats that have evaded existing detections.
Threat hunting is the discipline of assuming compromise and going looking for it. Analysts form hypotheses based on TTPs, threat intelligence, or known weaknesses, then query EDR, SIEM, network, and cloud telemetry to confirm or refute them. Unlike triage, which is reactive and alert-driven, hunting is iterative and exploratory; its goal is to discover both active intrusions and detection gaps that should become new automated rules. Mature programs follow methodologies such as the PEAK framework or hypothesis-driven hunts aligned to MITRE ATT&CK. Outputs include hunt reports, new detections, and improvements to logging and visibility.
● Examples
- 01: Hunting for impossible-travel logons against Microsoft 365 over the past 30 days.
- 02: Hunting hosts where a benign signed binary is unusually loading an unsigned DLL (DLL sideloading).
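An added example of the first hunt above, written for this entry and not part of the glossary's own material: it applies the impossible-travel hypothesis to a handful of constructed sign-in records (not real Microsoft 365 logs), orders each account's successful sign-ins, and flags consecutive logons whose implied ground speed no flight could reach. The record layout, thresholds and sample data are assumptions; the hunt logic is the same one you would express in KQL against the tenant's sign-in table.

```python
"""Impossible-travel hunt over constructed Microsoft 365 sign-in records.

Hypothesis: one account that signs in successfully from two locations farther
apart than any aircraft could cover in the elapsed time is shared, proxied,
or compromised. Sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Iterable

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed: faster than this is not physical travel
MIN_DISTANCE_KM = 100.0           # assumed: ignore geo-IP jitter inside one metro area


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float
    result: str  # "Success" or "Failure", as in the sign-in log's result field


@dataclass(frozen=True)
class Finding:
    user: str
    first: SignIn
    second: SignIn
    distance_km: float
    speed_kmh: float  # float("inf") when both sign-ins share a timestamp


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def hunt_impossible_travel(events: Iterable[SignIn],
                           max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH,
                           min_distance_km: float = MIN_DISTANCE_KM) -> list[Finding]:
    """Return every consecutive pair of successful sign-ins that implies impossible travel."""
    by_user: dict[str, list[SignIn]] = {}
    for e in events:
        if e.result != "Success":
            continue  # a failed attempt does not establish the user's presence anywhere
        by_user.setdefault(e.user, []).append(e)

    findings: list[Finding] = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)  # stable sort keeps log order for equal timestamps
        for a, b in zip(evs, evs[1:]):
            if a.ip == b.ip:
                continue  # same egress address: nothing moved
            dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if dist < min_distance_km:
                continue
            hours = (b.when - a.when).total_seconds() / 3600.0
            # Equal timestamps give zero elapsed time; treat the hop as infinitely fast
            # rather than dividing by zero, since it is still impossible travel.
            speed = float("inf") if hours <= 0 else dist / hours
            if speed > max_speed_kmh:
                findings.append(Finding(user, a, b, dist, speed))
    return findings


def _t(hhmm: str) -> datetime:
    h, m = hhmm.split(":")
    return datetime(2024, 5, 1, int(h), int(m), tzinfo=timezone.utc)


# Constructed sample sign-ins (cities chosen for their coordinates only).
SAMPLE_SIGNINS = [
    SignIn("alice", _t("09:00"), "203.0.113.10", 51.5074, -0.1278, "Success"),  # London
    SignIn("alice", _t("10:30"), "198.51.100.7", 1.3521, 103.8198, "Success"),  # Singapore 90 min later
    SignIn("bob", _t("08:00"), "192.0.2.44", 47.6062, -122.3321, "Success"),     # Seattle
    SignIn("bob", _t("12:00"), "192.0.2.91", 45.5152, -122.6784, "Success"),     # Portland, a drive away
    SignIn("carol", _t("09:00"), "203.0.113.55", 40.7128, -74.0060, "Success"),  # New York
    SignIn("carol", _t("09:05"), "198.51.100.200", 55.7558, 37.6173, "Failure"), # Moscow, failed: ignored
    SignIn("carol", _t("09:10"), "203.0.113.56", 40.7178, -74.0431, "Success"),  # Jersey City, <100 km
    SignIn("dave", _t("11:00"), "192.0.2.12", 51.5074, -0.1278, "Success"),      # London
    SignIn("dave", _t("11:00"), "198.51.100.3", 40.7128, -74.0060, "Success"),   # New York, same second
]


def main() -> None:
    for f in hunt_impossible_travel(SAMPLE_SIGNINS):
        print(f"{f.user}: {f.first.ip} -> {f.second.ip} "
              f"{f.distance_km:.0f} km at {f.speed_kmh:.0f} km/h")


if __name__ == "__main__":
    main()
```

Each finding is a lead, not a verdict: the follow-up is to check the two IPs against corporate VPN and cloud egress ranges, then either close the hypothesis or turn the surviving logic into a scheduled detection, which is the hunt-to-rule loop the paragraph above describes.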
● Frequently asked questions
What is Threat Hunting?
Proactive, hypothesis-driven search through telemetry to uncover threats that have evaded existing detections. It belongs to the Defense & Operations category of cybersecurity.