Threat Hunting

Proactive, hypothesis-driven search through telemetry for adversary activity that automated detections did not catch.

Why it matters

Automated detections only catch what someone already wrote a rule for. Hunting proactively searches for the adversary activity that slipped past — and every successful hunt becomes a new detection so the discovery is repeatable.

How it's tested & exploited

Hypothesis-driven, following PEAK or TaHiTI: pick a prioritised technique, state precisely what its telemetry footprint would look like ("DCSync would show Kerberos replication requests from non-DC hosts"), query the telemetry, and document an incident, a new detection, or a coverage finding. Requires comprehensive telemetry, a fast query environment, and hunters with attacker knowledge.

In depth

Threat hunting is the proactive practice of searching through security telemetry for evidence of adversary activity that did not trigger an automated alert. Where the SOC analyst's day is reactive — wait for an alert, triage it, escalate or close — the threat hunter's day is hypothesis-driven: pick an adversary technique or a tactic, hypothesise what its telemetry footprint would look like in your environment, write the search, and see if anything matches. The output is either (a) an incident, (b) a new detection that codifies the hunt, or (c) a documented "no findings" result that updates the team's coverage map.

The dominant hunting models are the PEAK framework (Prepare, Execute, Act, Knowledge, published by Splunk's SURGe team) and the older TaHiTI methodology. Both share the same structure: select a hunt based on prioritised threat intelligence, formulate the hypothesis precisely ("if an adversary is using DCSync against our domain, we would see Kerberos service ticket requests with replication GUIDs from non-DC hosts"), write the query against the relevant telemetry, analyse the results, and document whether the hunt produced incidents, new detections, or coverage findings.

Good hunts are bounded and specific. "Look for malicious activity" is not a hunt; "look for processes spawned by Excel that subsequently make outbound network connections to never-before-seen domains" is. The MITRE ATT&CK matrix is the structuring vocabulary — hunts are typically organised by sub-technique so that coverage can be tracked against the matrix the same way Purple Team coverage is. Threat-intelligence feeds (especially industry-specific ISAC feeds) drive hunt prioritisation: if an APT is reported using a specific TTP against the target's vertical, that TTP becomes next week's hunt.
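The bounded hunt just described, carried through the hypothesise, query, analyse and document loop, as an added example that is not part of this page or of any vendor's product. The telemetry, the hypothetical EDR-style field names (host, pid, ppid, image, dest) and the 30-day domain baseline are all constructed for illustration; a real hunt would run the same join against the SIEM or EDR data lake.

```python
"""Worked hunt: processes spawned by Excel that then make an outbound
connection to a domain this estate has never contacted before.
All telemetry is constructed sample data in a hypothetical EDR-like schema."""
from collections import defaultdict

HYPOTHESIS = ("If an adversary is delivering malicious Office documents, we would see "
              "a process spawned by Excel that makes an outbound connection to a "
              "never-before-seen domain.")

# Constructed process-creation telemetry: one record per process start.
# Timestamps are ISO-8601 strings of equal format, so they compare lexically.
PROCESS_EVENTS = [
    {"ts": "2024-05-01T09:00:01", "host": "ws-17", "pid": 4101, "ppid": 900,  "image": "EXCEL.EXE"},
    {"ts": "2024-05-01T09:00:40", "host": "ws-17", "pid": 4188, "ppid": 4101, "image": "powershell.exe"},
    {"ts": "2024-05-01T09:01:05", "host": "ws-17", "pid": 4190, "ppid": 4101, "image": "splwow64.exe"},
    {"ts": "2024-05-01T10:12:00", "host": "ws-22", "pid": 2001, "ppid": 880,  "image": "EXCEL.EXE"},
    {"ts": "2024-05-01T10:12:30", "host": "ws-22", "pid": 2050, "ppid": 2001, "image": "cmd.exe"},
    {"ts": "2024-05-01T11:00:00", "host": "ws-22", "pid": 2100, "ppid": 880,  "image": "chrome.exe"},
]

# Constructed network telemetry: outbound connections attributed to a process.
NETWORK_EVENTS = [
    {"ts": "2024-05-01T09:00:42", "host": "ws-17", "pid": 4188, "dest": "cdn.update-host.example"},
    {"ts": "2024-05-01T09:01:10", "host": "ws-17", "pid": 4190, "dest": "print.corp.example"},
    {"ts": "2024-05-01T10:12:35", "host": "ws-22", "pid": 2050, "dest": "files.corp.example"},
    {"ts": "2024-05-01T11:00:05", "host": "ws-22", "pid": 2100, "dest": "never-seen-before.example"},
]

# Constructed baseline: domains the estate contacted in the trailing 30 days.
BASELINE_DOMAINS = {"print.corp.example", "files.corp.example", "mail.corp.example"}

OFFICE_PARENTS = {"excel.exe"}


def children_of_office(process_events, office_images=OFFICE_PARENTS):
    """Return the process records whose parent image is an Office application.
    Parents are resolved per host, since pids are only unique within a host."""
    by_key = {(e["host"], e["pid"]): e for e in process_events}
    children = []
    for e in process_events:
        parent = by_key.get((e["host"], e["ppid"]))
        if parent and parent["image"].lower() in office_images:
            children.append(e)
    return children


def hunt_office_child_to_new_domain(process_events, network_events, baseline):
    """Execute the hunt: join Office-spawned processes to outbound connections
    made after they started, and keep only destinations absent from the baseline.
    A never-seen domain contacted by a non-Office process (chrome.exe above) is
    deliberately out of scope: that is what makes the hunt bounded."""
    net_by_proc = defaultdict(list)
    for n in network_events:
        net_by_proc[(n["host"], n["pid"])].append(n)
    findings = []
    for child in children_of_office(process_events):
        for conn in net_by_proc[(child["host"], child["pid"])]:
            if conn["ts"] >= child["ts"] and conn["dest"] not in baseline:
                findings.append({
                    "host": child["host"],
                    "child_image": child["image"],
                    "child_pid": child["pid"],
                    "dest": conn["dest"],
                    "ts": conn["ts"],
                })
    return findings


def document_hunt(hypothesis, findings):
    """Record the outcome in the shape PEAK/TaHiTI expect: an incident to hand
    to IR, or an explicit 'no findings' entry for the coverage map. In both
    cases the hunt function is named so it can be scheduled as a detection."""
    return {
        "hypothesis": hypothesis,
        "outcome": "incident" if findings else "no findings",
        "findings": findings,
        "detection_candidate": hunt_office_child_to_new_domain.__name__,
    }


if __name__ == "__main__":
    result = document_hunt(
        HYPOTHESIS,
        hunt_office_child_to_new_domain(PROCESS_EVENTS, NETWORK_EVENTS, BASELINE_DOMAINS),
    )
    print(result["outcome"])
    for f in result["findings"]:
        print(f)
```

On the constructed data the hunt returns one finding (powershell.exe under Excel on ws-17 reaching cdn.update-host.example) and ignores both the Office child that contacted a baselined print server and the browser that contacted a new domain without an Office parent. The same function, pointed at live telemetry on a schedule, is the "new detection" output the PEAK loop asks for.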

Threat hunting requires three preconditions: comprehensive telemetry (EDR, DNS, proxy, identity, cloud control plane), a query environment fast enough to interactively explore that telemetry, and hunters with both attacker knowledge and analyst chops. See EDR, SIEM and red team services.

Apply Threat Hunting to your programme

AxVeil scopes engagements against the standard you need to satisfy. Send the asset list, the target framework and the audit deadline — we respond with a fixed-fee proposal and a sample report from a comparable engagement.