Threat Hunting


What Is Threat Hunting?

Threat hunting is the proactive practice of searching through networks, systems, and datasets to find malicious activity that has evaded existing automated detection controls. Unlike alerting systems that wait for rules or signatures to trigger, threat hunting starts with a hypothesis and works backward through available data to confirm or disprove it.

Threat hunting operates on the assumption that adversaries are already in the environment. Traditional detection tools catch known attack patterns, but sophisticated attackers use novel techniques, living-off-the-land tactics (abusing legitimate administrative tools already present on the host), and slow, deliberate movements designed to stay below alerting thresholds.

Threat hunting fills that gap by applying human analysis and investigative reasoning to identify threats that automated systems miss.

Reactive vs. Proactive Security: Where Threat Hunting Fits

Most security operations are reactive. A SIEM generates an alert, an analyst triages it, and the incident response process begins. This model works for known attack patterns but fails against adversaries who deliberately operate below detection thresholds.

Proactive threat hunting inverts this model. Instead of waiting for alerts, hunters form hypotheses about potential attacker behavior based on threat intelligence feeds, industry reports, or knowledge of the environment’s attack surface. They then search the available data to find evidence that supports or refutes the hypothesis.

For example, a hunter might hypothesize that an attacker has established persistence via a scheduled task on a database server. The hunt involves querying endpoint telemetry for newly created scheduled tasks on servers that match that profile, analyzing the task parameters, and correlating with network traffic to identify command-and-control communications.
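The scheduled-task hunt described above, written out as an added example (not code from the original page or from Apiiro). It runs over a constructed, hypothetical slice of endpoint telemetry: task-creation events of the kind Windows logs as Security event 4698 and process network connections of the kind Sysmon logs as event 3. The host inventory, hostnames, task names and addresses are all invented for the example; the checks on task parameters are the ones a hunter would typically start with, not an exhaustive list.

```python
"""Hypothesis-driven hunt: persistence via scheduled task on database servers.

Hypothesis: an attacker created a scheduled task on a database server that
launches a payload which then talks to external command-and-control.
"""
import re
from datetime import datetime, timedelta

# Constructed host inventory (hypothetical names); the hunt scopes to one role.
HOSTS = {"db-prod-01": "database", "db-prod-02": "database", "web-01": "web"}

# Constructed endpoint telemetry, loosely modelled on Windows 4698 (task created)
# and Sysmon 3 (network connection) records. Not real data.
EVENTS = [
    {"ts": "2024-05-02T01:13:04", "host": "db-prod-01", "type": "task_create",
     "task": "\\Microsoft\\Windows\\UpdateOrchestrator\\Svc",
     "user": "NT AUTHORITY\\SYSTEM",
     "command": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ts": "2024-05-02T01:13:09", "host": "db-prod-01", "type": "net_conn",
     "image": "powershell.exe", "dst": "203.0.113.45", "dport": 443},
    {"ts": "2024-05-02T02:00:00", "host": "db-prod-02", "type": "task_create",
     "task": "\\Backup\\NightlyDump", "user": "CORP\\svc_backup",
     "command": "C:\\Program Files\\Backup\\dump.exe --full"},
    {"ts": "2024-05-02T02:00:03", "host": "db-prod-02", "type": "net_conn",
     "image": "dump.exe", "dst": "10.0.5.20", "dport": 445},
    {"ts": "2024-05-02T03:30:00", "host": "web-01", "type": "task_create",
     "task": "\\Cleanup", "user": "CORP\\admin",
     "command": "C:\\Users\\Public\\c.bat"},
]

# Task-parameter checks: hidden/encoded interpreter launches, binaries in
# user-writable paths, and remote content fetches.
SUSPICIOUS = [
    ("encoded-command", re.compile(r"-enc(odedcommand)?\s", re.I)),
    ("hidden-window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("user-writable-path", re.compile(r"\\(Users\\Public|ProgramData|AppData|Temp)\\", re.I)),
    ("remote-fetch", re.compile(r"(DownloadString|Invoke-WebRequest|certutil.*-urlcache|mshta)", re.I)),
]
# RFC 1918 ranges; anything else counts as external for correlation purposes.
INTERNAL = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def _parse(ts):
    return datetime.fromisoformat(ts)


def _image_name(command):
    """Executable name from a task command line (unquoted paths only)."""
    return command.split("\\")[-1].split(" ")[0].lower()


def hunt(events, hosts, role="database", window=timedelta(minutes=10)):
    """Return task-creation events on hosts of `role` that either carry a
    suspicious parameter or are followed, within `window`, by an external
    connection from the image the task launches."""
    findings = []
    tasks = [e for e in events
             if e["type"] == "task_create" and hosts.get(e["host"]) == role]
    for t in tasks:
        reasons = [name for name, pat in SUSPICIOUS if pat.search(t["command"])]
        image = _image_name(t["command"])
        t0 = _parse(t["ts"])
        external = [c for c in events
                    if c["type"] == "net_conn" and c["host"] == t["host"]
                    and c["image"].lower() == image
                    and t0 <= _parse(c["ts"]) <= t0 + window
                    and not INTERNAL.match(c["dst"])]
        if reasons or external:
            findings.append({"host": t["host"], "task": t["task"],
                             "user": t["user"], "reasons": reasons,
                             "external_conns": [(c["dst"], c["dport"]) for c in external]})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS, HOSTS):
        print(f)
```

On the sample data only the task on db-prod-01 is returned: it is encoded and hidden, and the PowerShell it launches connects to a non-RFC 1918 address seconds later. The backup task on db-prod-02 is ignored because it has no suspicious parameters and only talks to an internal host, and the web-01 task falls outside the hunt's scope. In a real hunt the inventory and events would come from the CMDB and EDR queries, and the "external" test would be an allowlist of known egress rather than a private-range check.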

This proactive approach discovers threats earlier in the attack lifecycle, often before the attacker achieves their objective. It also produces byproducts that improve the reactive layer: new detection rules, tuned alert thresholds, and validated response playbooks.

Common Threat Hunting Methodologies

Threat hunting techniques can be categorized into three primary methodologies, each suited to different scenarios and data availability. These include:

  • Hypothesis-driven hunting: The hunter starts with a specific hypothesis about attacker behavior, often informed by threat intelligence or the MITRE ATT&CK framework. The hypothesis guides which data sources to query and what patterns to search for. This is the most structured and repeatable methodology.
  • Indicator-based hunting: The hunter searches for known indicators of compromise (IOCs): file hashes, IP addresses, domain names, or registry keys associated with known threat actors. This approach is useful when new threat intelligence is published and the team needs to determine whether they have been affected. Its limitation is that hashes, addresses, and domains are cheap for an attacker to change, so an IOC sweep confirms exposure to a specific campaign rather than to the actor's technique.
  • Anomaly-based hunting: The hunter establishes baselines of normal behavior and searches for deviations. Unusual login times, unexpected process executions, abnormal data transfer volumes, or atypical network connections can all indicate compromise. This methodology is less structured but can surface novel threats that signature-based approaches miss.

Mature hunting programs combine all three. Hypotheses provide focus, indicators provide concrete search targets, and anomaly detection catches what neither of the first two covers.
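An anomaly-based hunt of the kind described in the list above, written as an added example (not code from the original page or from Apiiro). It builds a per-user baseline of login hours and source systems from a constructed, hypothetical authentication log, then scores logins in the hunt window by how far they deviate from that baseline. The users, hostnames and cutoff date are invented; the scoring is deliberately simple so the baseline logic is visible.

```python
"""Anomaly-based hunt: baseline per-user login behaviour, then flag deviations."""
from collections import defaultdict
from datetime import datetime

# Constructed authentication log (hypothetical users and sources).
# Logins before BASELINE_CUTOFF build the baseline; the rest are hunted.
BASELINE_CUTOFF = datetime(2024, 5, 15)
LOGINS = [
    # alice: interactive logins during working hours from her workstation
    *[{"ts": f"2024-05-{d:02d}T{h:02d}:05:00", "user": "alice", "src": "ws-alice", "ok": True}
      for d in range(1, 15) for h in (8, 12, 17)],
    # bob: one morning VPN login per day
    *[{"ts": f"2024-05-{d:02d}T09:30:00", "user": "bob", "src": "vpn-pool", "ok": True}
      for d in range(1, 15)],
    # hunt window
    {"ts": "2024-05-16T09:00:00", "user": "alice", "src": "ws-alice", "ok": True},  # normal
    {"ts": "2024-05-17T03:12:00", "user": "alice", "src": "vpn-pool", "ok": True},  # 03:00 via VPN
    {"ts": "2024-05-17T09:40:00", "user": "bob", "src": "ws-alice", "ok": True},    # bob from alice's box
    {"ts": "2024-05-18T10:00:00", "user": "bob", "src": "vpn-pool", "ok": False},   # failed, not scored
]


def build_baseline(logins, cutoff):
    """Per user: hours of day and source systems seen in successful logins before cutoff."""
    base = defaultdict(lambda: {"hours": set(), "srcs": set(), "n": 0})
    for e in logins:
        t = datetime.fromisoformat(e["ts"])
        if t < cutoff and e["ok"]:
            b = base[e["user"]]
            b["hours"].add(t.hour)
            b["srcs"].add(e["src"])
            b["n"] += 1
    return base


def _hour_distance(a, b):
    """Circular distance between two hours so 23:00 and 00:00 are one hour apart."""
    d = abs(a - b)
    return min(d, 24 - d)


def hunt(logins, cutoff, min_samples=10):
    """Score successful logins after cutoff against the per-user baseline.
    Users with too few baseline samples are flagged rather than silently passed."""
    base = build_baseline(logins, cutoff)
    findings = []
    for e in logins:
        t = datetime.fromisoformat(e["ts"])
        if t < cutoff or not e["ok"]:
            continue
        b = base.get(e["user"])
        if b is None or b["n"] < min_samples:
            findings.append({**e, "score": 1, "why": ["no usable baseline"]})
            continue
        why = []
        # tolerate one hour of drift around any hour seen in the baseline
        if all(_hour_distance(t.hour, h) > 1 for h in b["hours"]):
            why.append("hour outside baseline")
        if e["src"] not in b["srcs"]:
            why.append("source never seen for user")
        if why:
            findings.append({**e, "score": len(why), "why": why})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in hunt(LOGINS, BASELINE_CUTOFF):
        print(f["score"], f["user"], f["ts"], f["src"], f["why"])
```

On the sample data alice's 03:12 VPN login scores highest (unusual hour and unseen source), bob's login from alice's workstation scores on source only, and the normal and failed logins produce nothing. The baseline deliberately excludes failed logins so that an attacker's own guessing does not become "normal", and the `min_samples` guard stops a new or rarely seen account from being judged against an empty baseline. Real baselines would also be rebuilt on a rolling window so that they track legitimate changes in behaviour.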

Key Data Sources Used in Threat Hunting

The effectiveness of a threat hunting process depends directly on the quality and breadth of available data. Hunters need access to data that captures attacker behavior across the kill chain.

Common data sources include:

  • Endpoint telemetry: Process creation, file modifications, registry changes, and network connections from endpoint detection tools. This is the single most valuable data source for most hunts.
  • Network traffic logs: DNS queries, NetFlow records, proxy logs, and full packet captures provide visibility into lateral movement, data exfiltration, and command-and-control activity.
  • Authentication logs: Active Directory logs, VPN logs, and cloud identity provider logs reveal credential abuse, privilege escalation, and anomalous access patterns.
  • Application logs: Web server logs, API access logs, and application-level audit trails capture attacker interactions with business applications.
  • Cloud and container telemetry: Cloud provider audit logs (AWS CloudTrail, Azure Activity Log), Kubernetes audit logs, and runtime telemetry from container security tooling cover control-plane and infrastructure-layer activity in cloud native environments.

Data retention matters. Many intrusions involve long dwell times, and hunters need historical data spanning weeks or months to trace an attacker's full activity chain. Organizations with short retention windows may discover that the evidence they need has already aged out before the hunt begins.

How Threat Hunting Connects to Application Security

Threat hunting traditionally focuses on network and infrastructure threats, but its principles apply directly to application security as well.

Application-layer threat hunting involves searching for signs of exploitation in application logs, API access patterns, and runtime behavior. A hunt might look for SQL injection patterns in web application logs, anomalous API call sequences that indicate business logic abuse, or signs of credential stuffing against authentication endpoints.
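Two of the application-layer hunts named above, SQL injection attempts and credential stuffing, run over a constructed sample of web server access logs. This is an added example, not code from the original page or from Apiiro; the log lines, addresses (from documentation ranges) and the `/login` path are invented for it, and the injection patterns are a starting set rather than a complete detector.

```python
"""Application-layer hunt over web server access logs (constructed sample)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus, urlsplit

# Constructed lines in the Apache/nginx "combined" format. Not real traffic.
LOG = """\
198.51.100.7 - - [02/May/2024:10:01:01 +0000] "GET /products?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [02/May/2024:10:01:03 +0000] "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.7 - - [02/May/2024:10:01:05 +0000] "GET /products?id=42%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
203.0.113.9 - - [02/May/2024:10:02:00 +0000] "POST /login HTTP/1.1" 401 87 "-" "python-requests/2.31"
203.0.113.9 - - [02/May/2024:10:02:01 +0000] "POST /login HTTP/1.1" 401 87 "-" "python-requests/2.31"
203.0.113.9 - - [02/May/2024:10:02:02 +0000] "POST /login HTTP/1.1" 401 87 "-" "python-requests/2.31"
203.0.113.9 - - [02/May/2024:10:02:03 +0000] "POST /login HTTP/1.1" 401 87 "-" "python-requests/2.31"
203.0.113.9 - - [02/May/2024:10:02:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.5 - - [02/May/2024:10:03:00 +0000] "POST /login HTTP/1.1" 401 87 "-" "Mozilla/5.0"
192.0.2.5 - - [02/May/2024:10:03:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                  r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Injection tells, matched against the URL-decoded query string (encoding is
# the first thing an attacker uses to slip past a raw-line grep).
SQLI = [
    ("quote-then-boolean", re.compile(r"'\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)\s*$")),
    ("union-select", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I)),
]


def parse(log):
    """Yield one dict per parseable combined-format line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        yield e


def hunt_sqli(events):
    """(ip, path, matched pattern names) for requests whose decoded query matches."""
    hits = []
    for e in events:
        query = unquote_plus(urlsplit(e["path"]).query)
        names = [name for name, pat in SQLI if pat.search(query)]
        if names:
            hits.append((e["ip"], e["path"], names))
    return hits


def hunt_credential_stuffing(events, login_path="/login", threshold=4, window_s=60):
    """Source IPs with >= threshold failed logins inside a sliding window.
    Records whether a success followed, which is the case worth escalating."""
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and urlsplit(e["path"]).path == login_path:
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["status"] == 401]
        for i, start in enumerate(fails):
            j = i
            while j < len(fails) and (fails[j] - start).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                success_after = any(e["status"] in (200, 302) and e["ts"] > start for e in evs)
                findings[ip] = {"failures": j - i, "success_after": success_after}
                break
    return findings


if __name__ == "__main__":
    events = list(parse(LOG))
    print(hunt_sqli(events))
    print(hunt_credential_stuffing(events))
```

On the sample, the two tampered `/products` requests are flagged (the second one returned 200 with a much larger body than the baseline request, which is the detail a hunter would chase next), and 203.0.113.9 is reported for four failures followed by a redirect, while the single failure from 192.0.2.5 stays below the threshold. The thresholds are illustrative; in practice they are tuned against the application's own baseline of legitimate failed logins.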

Runtime threat detection tools provide the data layer for application-focused hunts. They capture request-level telemetry, function execution patterns, and data access events that reveal attacker activity within the application itself.

The connection between threat hunting and AppSec also flows in the other direction. Findings from infrastructure-level hunts often implicate applications: a compromised server may reveal that the initial access came through an unpatched application vulnerability, or a lateral movement path may traverse an internal API with weak authentication. These findings feed back into the application security program as evidence of real-world exploitability.

For security teams building mature programs, threat hunting is the feedback loop that validates whether detection, prevention, and response controls are working as intended.

FAQs

What skills does a threat hunter need compared to a SOC analyst?

A SOC analyst primarily triages alerts that existing rules have already produced. A threat hunter starts without an alert, so the role additionally demands hypothesis formation, strong analytical reasoning, familiarity with attacker tactics (MITRE ATT&CK), and the ability to write complex queries across diverse data sources.

Can threat hunting be automated, or does it always require human analysis?

Portions of the threat hunting process can be automated, such as IOC searches and anomaly detection. Hypothesis formation and investigative reasoning still require human judgment.

How is threat hunting different from penetration testing?

Penetration testing simulates attacks to find vulnerabilities. Threat hunting searches for evidence of actual adversary activity already present in the environment.

What is a hypothesis-driven threat hunt, and how does it work?

A hunter forms a hypothesis about likely attacker behavior, selects relevant data sources, queries for supporting evidence, and then either confirms the threat, disproves it, or refines the hypothesis and repeats. Both confirmed and disproved hunts are documented, and a confirmed finding is typically turned into a detection rule so the next occurrence is caught automatically.

How do application security tools support the threat hunting workflow?

Application logs, API telemetry, and runtime detection data provide evidence of application-layer attacks that complement network and endpoint data sources used in traditional hunts.
