Threat Hunting: Intelligence & Resources

Threat hunting is the proactive, human-driven search for threats that have evaded automated detection. Rather than waiting for an alert, hunters assume an adversary may already be inside and go looking for them. This page brings together current reporting that informs hunts, with analysis of how to hunt effectively.

Why hunt

Automated tools are excellent at catching known threats but have blind spots. A determined adversary using novel techniques, legitimate credentials and living-off-the-land methods can operate for weeks without tripping an alert. Threat hunting attacks that dwell time directly, finding intruders that tools missed and turning each discovery into a new automated detection.

Methodologies

The most structured approach is hypothesis-driven hunting, where a hunter forms a testable theory — usually informed by threat intelligence about a new technique or campaign — and searches the environment to prove or disprove it. Indicator-based hunting searches for known-bad artifacts and TTPs, and anomaly-based hunting investigates deviations from a normal baseline. The fuel for all three is timely intelligence: hunting without intelligence is hunting blind.

What to watch

• Fresh TTP reporting — new techniques become hunting hypotheses.
• Newly published indicators — search historical logs retroactively to find earlier intrusions.
• Campaigns targeting your sector — the highest-value hunts.

Maturing your hunting

Hunting capability develops from relying on automated alerts, to indicator-driven hunting, to hypothesis- and analytics-driven hunting — continuously automating successful hunts into detections so analysts can focus on the newest threats. Our guides cover threat hunting, threat intelligence vs threat hunting, and indicators of compromise.

The live feed below surfaces breaking research that makes strong hunting leads.