Glossary
Threat Hunting
The proactive search for signs of compromise, known threat actor techniques, and other malicious activity that automated detection might have missed.
Definition
Threat Hunting is the proactive, human-led process of searching through network and security logs for evidence of:
- Threat actors who evaded automated detection
- Reconnaissance activity before attacks
- Known threat actor TTPs (Tactics, Techniques, Procedures)
- Anomalous behavior not covered by detection rules
Unlike detection engineering, which produces automated rules, threat hunting is a manual process driven by human intuition and knowledge of MITRE ATT&CK.
Threat Hunting Approach
Hypothesis-Driven Hunting
“We suspect APT28 is targeting our sector with supply chain attacks. Let’s search for indicators of their typical lateral movement techniques (T1021).”
Data-Driven Hunting
“This IP made 1,000 requests to our API in one hour. What was it looking for?”
Technology-Assisted Hunting
Using SIEM queries to search logs systematically for evidence of specific techniques.
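As an added worked example (not part of the original glossary entry), the data-driven question above turned into a small Python hunt over a constructed access log: it buckets requests by source IP and clock hour, flags any source over a threshold, and summarises which endpoint patterns and status codes that source produced, so the hunter can see what it was looking for. The log line format, the 1,000-requests-per-hour threshold and the IP addresses are assumptions constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Access-log line format assumed here (constructed for this example, not from any real product):
#   <client_ip> [<ISO-8601 timestamp>] <method> <path> <status>
LINE_RE = re.compile(r"^(\S+) \[([^\]]+)\] (\S+) (\S+) (\d{3})$")
# Hunt parameter (assumption): more than this many requests from one IP in a clock hour deserves a look.
REQUESTS_PER_HOUR_THRESHOLD = 1000

def parse_line(line):
    """Return (ip, hour_bucket, method, path, status) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H")
    return ip, hour, method, path, int(status)

def hunt_high_volume_sources(lines, threshold=REQUESTS_PER_HOUR_THRESHOLD):
    """Data-driven hunt: which IPs exceeded the per-hour threshold, and what did they request?"""
    counts, paths, statuses = Counter(), defaultdict(Counter), defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the hunt
        ip, hour, _method, path, status = rec
        counts[(ip, hour)] += 1
        # Collapse numeric path segments so /api/users/1 and /api/users/2 read as one pattern
        paths[(ip, hour)][re.sub(r"/\d+", "/{id}", path)] += 1
        statuses[(ip, hour)][status] += 1
    findings = [{"ip": ip, "hour": hour, "requests": n,
                 "top_paths": paths[(ip, hour)].most_common(3),
                 "statuses": dict(statuses[(ip, hour)])}
                for (ip, hour), n in counts.items() if n > threshold]
    return sorted(findings, key=lambda f: -f["requests"])

def constructed_sample():
    """Constructed log: one source enumerates /api/users/<n> 1,200 times in an hour; the rest is benign."""
    lines = [f"203.0.113.7 [2024-05-01T10:{m:02d}:{s:02d}Z] GET /api/users/{i} {200 if i % 4 else 404}"
             for i in range(1200) for m, s in [divmod(i, 60)]]
    lines += [f"198.51.100.20 [2024-05-01T10:{i:02d}:00Z] GET /api/login 200" for i in range(5)]
    lines.append("198.51.100.21 [2024-05-01T11:30:00Z] POST /api/orders 201")
    lines.append("not a log line")  # malformed input the parser must tolerate
    return lines

if __name__ == "__main__":
    for f in hunt_high_volume_sources(constructed_sample()):
        print(f["ip"], f["hour"], f["requests"], f["top_paths"], f["statuses"])
```

The mix of 200s and 404s against a single collapsed path pattern is the kind of signal that turns a raw count into a hypothesis (here, enumeration of user IDs) for the hunter to follow up.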
Effectiveness
Threat hunting is effective because:
- Human judgment – Humans can recognize subtle patterns
- Creativity – Experienced hunters imagine attack scenarios
- Context – Hunters understand business context (which assets matter)
- Continuous improvement – Hunts that find threats feed back into detection engineering