Threat Hunting
Detections catch what you have already thought to look for; threat hunting is the proactive search for what got through them. It starts from a hypothesis — "if an attacker were living off the land here, what would I see?" — and digs through the data to prove or disprove it, assuming the automated detections have gaps because they always do.
This topic teaches hunting as a discipline: hypothesis-driven, ATT&CK-guided, and a feedback loop that turns every hunt into new detections — so the same thing is never hunted manually twice.
Why Hunt
Automated detection has blind spots — novel techniques, living-off-the-land, insider activity — and dwell time is long. Hunting assumes a breach that detection missed and goes looking, closing the gap between "no alerts" and "actually clean." The absence of an alert is not evidence of safety; it is exactly the condition under which a hunt has value.
Hypothesis-Driven Hunting
A good hunt starts from a specific, testable idea grounded in ATT&CK or threat intel — "an adversary using this technique would leave this trace" — not aimless log-staring. The hypothesis focuses the search and defines what success looks like, so the hunt either finds the trace or meaningfully rules it out, rather than wandering until the analyst gives up.
The Data and the Baseline
Hunting needs rich data (the endpoint telemetry and logs of this chapter) and a sense of normal. Much of hunting is separating the anomalous from the merely unusual, which is why baselining and knowing the environment matter as much as the tools — you cannot spot the abnormal process on a host if you have no idea what that host normally runs.
From Hunt to Detection
A hunt that finds something becomes an incident (Chapter 11); a hunt that finds a technique's trace becomes a new automated detection (this chapter), so you never hunt that same thing manually again. This is the hunting flywheel: each hunt permanently expands automated coverage, so the human effort compounds instead of repeating. A hunt for the intruder's living-off-the-land lateral movement that the rules missed becomes a new Sigma rule that catches it next time.
Detection — automated, known patterns, always-on; catches what you have anticipated.
Hunting — human-driven, hypothesis-based, periodic; finds what detection missed and what you did not know to look for. They feed each other: hunts become detections, and detection gaps motivate hunts. Neither replaces the other.
- "Hunting" by staring at dashboards with no hypothesis, which finds nothing repeatably and burns analyst time.
- Hunting without the data or baseline to support it, so anomalies cannot be separated from normal.
- Finding a technique in a hunt and not converting it into an automated detection, so you re-hunt the same thing forever.
- Treating clean automated alerts as proof of safety, ignoring that hunting exists precisely because detection has gaps.
- Running hunts only as a reaction to incidents rather than as a scheduled discipline.
- Hunt from specific, testable hypotheses grounded in ATT&CK and current threat intel.
- Invest in the rich telemetry and environmental baseline that make anomalies distinguishable.
- Close the loop: turn hunt findings into automated detections so each hunt permanently expands coverage.
- Schedule hunting as a regular discipline, not a reaction, since dwell time and detection gaps are constant.
- Escalate a hunt that finds an active intrusion straight into incident response (Chapter 11).
Knowledge Check
Why hunt at all if automated detections are in place?
- Automated detection has blind spots, so hunting finds what it missed
- Hunting replaces the need for any automated detection at all
- Automated detection catches everything, so hunting is purely ceremonial
- Hunting is only ever for organizations without a SIEM
What makes a hunt hypothesis-driven rather than aimless?
- It starts from a testable idea of what a technique leaves
- It examines every single log line in strict chronological order
- It only ever runs after an alert has already fired somewhere
- It relies entirely on a single machine-learning model
What is the "hunting flywheel"?
- A hunt's findings become automated detections
- Hunts must be repeated identically every single week forever
- Every hunt always produces one confirmed security incident
- Automated detections get fully replaced by hunting over time
You got correct