What Is Threat Hunting? A Practical Guide
Threat hunting assumes attackers are already inside and goes looking for them. Learn the core methodologies, a repeatable process, example hypotheses, and how to start.
Threat hunting is the proactive, human-driven practice of searching through networks and systems to detect threats that have evaded automated security tools. Instead of waiting for an alert, threat hunters assume the adversary is already inside and go looking for them. It's one of the most effective ways to catch sophisticated attackers — especially advanced persistent threats — who are specifically designed to slip past signature-based defenses.
The core philosophy is simple but powerful: prevention eventually fails, and detection has gaps, so assume compromise and hunt for it. This "assume breach" mindset shifts a security team from reactive to proactive.
Why threat hunting matters
Automated tools — antivirus, EDR, SIEM rules — are excellent at catching known threats, but they have blind spots. A determined adversary using novel TTPs, legitimate credentials and "living off the land" techniques can operate for months without tripping a single alert. Industry research consistently shows attackers dwell in networks for weeks before discovery. Threat hunting attacks that dwell time directly, finding intruders that tools missed and turning each discovery into new automated detections.
The three main hunting methodologies
1. Hypothesis-driven hunting
The most common and structured approach. The hunter forms a testable hypothesis — usually informed by threat intelligence about a new technique or active campaign — and then searches the environment to prove or disprove it. Example: "If an actor targeting our sector uses scheduled tasks for persistence, are there any anomalous scheduled tasks across our endpoints?"
2. Indicator- or intelligence-based hunting
The hunter takes fresh indicators of compromise or known-bad TTPs from threat intelligence and searches historical and current data for matches. When new IOCs from a campaign are published, hunting retroactively can reveal that the attacker was already present.
3. Anomaly- and baseline-driven hunting
The hunter establishes what "normal" looks like — typical processes, network flows, login patterns — and then investigates statistical outliers. This can surface novel attacks with no known indicators at all, though it requires good baseline data and generates more leads to triage.
A repeatable threat-hunting process
Effective hunts follow a loop, not a one-off scramble:
- Trigger / hypothesis. Start with a question, usually driven by intelligence, a new ATT&CK technique, or an anomaly.
- Scope the hunt. Decide which data sources, time ranges and assets are relevant.
- Collect & investigate. Query logs, endpoint data and network telemetry to test the hypothesis.
- Analyze findings. Determine whether the activity is benign, suspicious or malicious — and pivot on what you find.
- Respond. If you find a real threat, hand off to incident response to contain and eradicate it.
- Operationalize. Turn what you learned into a permanent automated detection so the same threat never requires a manual hunt again.
That final step is what makes hunting compounding: every hunt either finds a threat or improves your automated coverage.
Example hunting hypotheses
Good hypotheses are specific and testable. A few examples:
- "Are any user accounts authenticating from two distant geographic locations within an impossible travel window?"
- "Is any host beaconing to an external IP at a fixed interval, suggesting command-and-control?"
- "Are common system tools (PowerShell, wmic, certutil) being used in unusual ways indicative of living-off-the-land techniques?"
- "Following a published campaign, do any of these TTPs appear in our environment over the last 90 days?"
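To show what "testable" means in practice, here is an added Python example (not from the original article) that runs the beaconing hypothesis above over constructed flow records: it groups connections by source host and destination IP and flags pairs whose inter-connection gaps are unusually regular. The flow format, host names and documentation-range IPs are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample telemetry in "ISO-timestamp,src_host,dst_ip" form (not
# real logs). hostA contacts 203.0.113.10 about every 60 s with small jitter;
# hostB contacts 198.51.100.7 at irregular, browsing-like intervals.
SAMPLE_FLOWS = """\
2024-05-01T10:00:00Z,hostA,203.0.113.10
2024-05-01T10:00:05Z,hostB,198.51.100.7
2024-05-01T10:00:09Z,hostB,198.51.100.7
2024-05-01T10:01:00Z,hostA,203.0.113.10
2024-05-01T10:02:01Z,hostA,203.0.113.10
2024-05-01T10:02:30Z,hostB,198.51.100.7
2024-05-01T10:02:31Z,hostB,198.51.100.7
2024-05-01T10:03:00Z,hostA,203.0.113.10
2024-05-01T10:04:00Z,hostA,203.0.113.10
2024-05-01T10:05:02Z,hostA,203.0.113.10
2024-05-01T10:05:59Z,hostA,203.0.113.10
2024-05-01T10:10:00Z,hostB,198.51.100.7
2024-05-01T10:10:45Z,hostB,198.51.100.7
"""

def parse_flows(text):
    """Parse flow lines into (datetime, src_host, dst_ip) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst = line.split(",")
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst))
    return flows

def find_beacons(flows, min_events=6, max_cv=0.1):
    """Return {(src, dst): mean_gap_seconds} for pairs whose connection gaps are
    regular (stdev / mean <= max_cv); pairs with too few events are skipped."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < max(min_events, 2):
            continue  # not enough connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[pair] = round(avg, 1)
    return hits
```

The coefficient-of-variation threshold tolerates the small jitter real implants add, while the minimum-event count keeps a handful of coincidental connections from producing a lead; tune both against your own baseline before triaging results.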
What you need to hunt
Successful hunting rests on three pillars:
- Data. Rich, centralized telemetry — endpoint (EDR), network, authentication and cloud logs — with enough retention to look back.
- Tools. A way to query that data at scale: a SIEM, EDR with hunting capabilities, or a data platform.
- People and intelligence. Skilled analysts who understand attacker behavior, fed by current threat intelligence to know what to hunt for.
That last ingredient is decisive. Hunting without intelligence is hunting blind; you need to know which techniques and campaigns are active to form sharp hypotheses.
Threat hunting vs incident response vs monitoring
- Monitoring is automated and reactive — tools generate alerts.
- Threat hunting is human and proactive — analysts search for what alerts missed.
- Incident response kicks in once a threat is confirmed — containing and eradicating it.
Hunting sits between monitoring and response, continuously testing the assumption that your automated defenses are sufficient.
The threat-hunting maturity model
Hunting capability develops in stages, and it helps to know where you sit. A widely referenced model (originated by David Bianco) describes increasing levels of maturity:
- Level 0 — Initial: the team relies almost entirely on automated alerts, with little or no proactive hunting and minimal data collection.
- Level 1 — Minimal: the team collects some data and incorporates threat-intelligence indicators into searches, but hunting is mostly indicator-driven.
- Level 2 — Procedural: the team follows hunting procedures created by others and routinely collects substantial data.
- Level 3 — Innovative: hunters create their own new hunting techniques and analytics rather than only following procedures.
- Level 4 — Leading: the majority of successful hunting procedures are automated, freeing analysts to focus on novel threats.
The progression makes an important point: the goal of hunting isn't to hunt forever by hand. As you mature, you continuously automate what you've learned, pushing repeatable hunts down into your detection stack so analysts can keep climbing toward the newest, hardest threats. Most teams should aim to move steadily from indicator-driven hunting toward hypothesis- and analytics-driven hunting as their data and skills grow.
How to get started
- Centralize your data. You can't hunt for what you can't see — start by collecting endpoint and authentication logs.
- Adopt ATT&CK. Use it to structure hypotheses and track which techniques you've hunted for.
- Feed your hunts with intelligence. Let current threat reporting drive what you look for this week.
- Start small and document. Run one focused hunt, record the process and outcome, and build a library of repeatable hunts.
- Automate the wins. Convert every successful hunt into a detection.
The bottom line
Threat hunting flips security from waiting for alerts to actively pursuing hidden adversaries — the most reliable way to catch the sophisticated attackers that automated tools miss. The fuel for great hunts is timely intelligence: knowing which techniques and campaigns are active right now so you can form precise hypotheses. Our live threat intelligence feed aggregates breaking research from dozens of authoritative sources and ranks it by priority, giving hunters a constant stream of fresh, high-signal leads to turn into hunts.
Frequently asked questions
What is threat hunting in cybersecurity?
Threat hunting is the proactive, human-driven practice of searching through systems and networks to find threats that have evaded automated security tools. Hunters assume an adversary is already inside and look for evidence of them, rather than waiting for an alert.
What are the main threat-hunting methodologies?
The three main approaches are hypothesis-driven hunting (testing an intelligence-informed theory), indicator/intelligence-based hunting (searching for known IOCs or TTPs), and anomaly-based hunting (investigating deviations from a normal baseline).
What is the difference between threat hunting and threat detection?
Threat detection is largely automated and reactive — tools generate alerts on known patterns. Threat hunting is proactive and human-led — analysts search for malicious activity that automated detection missed, then turn discoveries into new automated detections.
What do you need to start threat hunting?
Three things: rich centralized telemetry (endpoint, network, authentication and cloud logs with sufficient retention), tools to query that data at scale (a SIEM or EDR), and skilled analysts fed by current threat intelligence to know what to hunt for.