What is Threat Hunting?
Threat Hunting is the proactive, targeted search for signs of cyber threats in systems, networks or endpoints, started before any automated control has flagged them and before they have caused damage.
It is a human, analytical activity that uses log data, behavioural analysis and Threat Intelligence to find attackers or anomalous behaviour at an early stage of an intrusion.
🧠 Why is Threat Hunting important?
- Detects advanced attacks that traditional tools miss
- Prevents long-term presence of an attacker (e.g. APT)
- Improves the effectiveness of SIEM, EDR, XDR and SOC
- Supports continuous improvement of Detection & Response
- Maps findings to MITRE ATT&CK techniques and supports Zero Trust principles (assume breach, verify continuously)
🔍 Typical use cases
| Hunt objective | Example |
|---|---|
| Unknown malware | Look for unusual processes, or file hashes that no antivirus engine flags |
| Lateral movement | Analyse internal RDP or SMB connections between workstations |
| Credential misuse | Detect privilege escalation or logons that use leaked or reused credentials |
| Persistence | Search for hidden scheduled tasks, services or registry modifications |
| C2 communication | Analyse DNS tunnelling or unusual outbound traffic |
⚙️ How does Threat Hunting work?
- Formulate a hypothesis: e.g. "Persistence may have been achieved via new scheduled tasks"
- Collect data: use logs from SIEM, EDR, Firewall, DNS, Windows Event Logs, etc.
- Carry out analysis: manually or via queries, scripts, threat intelligence and MITRE ATT&CK mapping
- Validate findings: correlate with other sources, behaviour or context
- Improve detection rules: convert findings into new SIEM rules or SOAR playbooks
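The five steps above, run end to end on the page's own hypothesis ("persistence via new scheduled tasks"), as an added example that is not part of the original page. The events are constructed to resemble Windows Security event 4698 (scheduled task created) and Sysmon event 1 (process create) after a SIEM has normalised them to JSON lines; the field names, the indicator thresholds and the Sigma field names in the generated rule are assumptions for illustration, not any vendor's schema.

```python
"""Hypothesis-driven hunt: 'persistence was achieved via newly created scheduled tasks'.

Added example, not code from the original page. Records are constructed to look like
Windows Security 4698 and Sysmon EventID 1 events normalised to JSON; the field names
(ts, host, event_id, user, task, exec, args, run_as, image, cmdline) are an assumption.
"""
import json
import re
from datetime import datetime, timedelta

# Step 2, collect data: constructed sample telemetry (JSON lines), not real logs.
SAMPLE_EVENTS = r"""
{"ts":"2024-05-01T08:02:10Z","host":"ws01","event_id":4698,"user":"CORP\\jdoe","task":"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","exec":"%windir%\\system32\\defrag.exe","args":"-c -h -o -$","run_as":"SYSTEM"}
{"ts":"2024-05-01T09:15:42Z","host":"ws07","event_id":1,"user":"CORP\\asmith","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks.exe /create /tn Updater /sc minute /mo 5 /tr \"powershell -w hidden -enc SQBFAFgA\" /ru SYSTEM"}
{"ts":"2024-05-01T09:15:43Z","host":"ws07","event_id":4698,"user":"CORP\\asmith","task":"\\Updater","exec":"powershell","args":"-w hidden -enc SQBFAFgA","run_as":"SYSTEM"}
{"ts":"2024-05-01T11:40:05Z","host":"ws03","event_id":4698,"user":"CORP\\svc_backup","task":"\\Backup\\Nightly","exec":"C:\\Program Files\\Backup\\bkp.exe","args":"--full","run_as":"CORP\\svc_backup"}
{"ts":"2024-05-01T13:22:19Z","host":"ws11","event_id":4698,"user":"CORP\\mlee","task":"\\OneDriveSync","exec":"C:\\Users\\mlee\\AppData\\Local\\Temp\\od.exe","args":"","run_as":"CORP\\mlee"}
"""

# Step 3, analysis: behavioural indicators that make a new task worth a closer look.
TRUSTED_DIRS = re.compile(r"^(?:%windir%|%systemroot%|c:\\windows|c:\\program files(?: \(x86\))?)\\", re.I)
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|programdata|users\\public)\\", re.I)
ENCODED_PS = re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand)?\b", re.I)   # -e / -enc / -EncodedCommand
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def load_events(jsonl: str) -> list:
    """Parse JSON lines and turn the timestamp into a datetime for correlation."""
    events = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def indicators_for(task: dict) -> set:
    """Return the set of indicator names that fire for one 4698 (task created) event."""
    hits = set()
    exec_path = task.get("exec", "")
    cmd = f"{exec_path} {task.get('args', '')}"
    if USER_WRITABLE.search(exec_path):
        hits.add("user_writable_path")
    if "powershell" in cmd.lower() and ENCODED_PS.search(cmd):
        hits.add("encoded_powershell")
    if HIDDEN_WINDOW.search(cmd):
        hits.add("hidden_window")
    # Runs as SYSTEM, but the binary is not in a trusted directory (or is a bare
    # name resolved via PATH, as "powershell" is here): classic persistence shape.
    if task.get("run_as", "").upper() == "SYSTEM" and not TRUSTED_DIRS.match(exec_path):
        hits.add("system_from_untrusted_path")
    return hits


def corroborated(task_ev: dict, events: list, window: timedelta = timedelta(seconds=60)) -> bool:
    """Step 4, validate: is there a schtasks.exe /create on the same host around the same
    time? Absence is not exoneration: tasks can also be registered through the Task
    Scheduler API without schtasks.exe ever running, so it only raises the score."""
    for ev in events:
        if ev["event_id"] != 1 or ev["host"] != task_ev["host"]:
            continue
        if not ev.get("image", "").lower().endswith("\\schtasks.exe"):
            continue
        if "/create" not in ev.get("cmdline", "").lower():
            continue
        if abs(ev["ts"] - task_ev["ts"]) <= window:
            return True
    return False


def hunt(jsonl: str) -> list:
    """Run the hunt: every 4698 event with at least one indicator becomes a finding."""
    events = load_events(jsonl)
    findings = []
    for ev in events:
        if ev["event_id"] != 4698:
            continue
        hits = indicators_for(ev)
        if not hits:
            continue  # nothing anomalous; this task stays part of the baseline
        conf = corroborated(ev, events)
        findings.append({
            "host": ev["host"], "task": ev["task"], "creator": ev["user"],
            "indicators": sorted(hits), "corroborated": conf,
            "score": len(hits) + (1 if conf else 0),
        })
    return sorted(findings, key=lambda f: -f["score"])


# Step 5, improve detection: turn the indicators that fired into a Sigma-style rule.
# Substring terms per indicator; the EventID/TaskContent field names are an assumption
# about the target SIEM's schema. "system_from_untrusted_path" needs an allowlist rather
# than a substring match, so it is deliberately left out of the generated rule.
RULE_TERMS = {
    "user_writable_path": ["\\AppData\\", "\\Temp\\", "\\ProgramData\\", "\\Users\\Public\\"],
    "encoded_powershell": ["-enc ", "-EncodedCommand "],
    "hidden_window": ["-w hidden", "-WindowStyle hidden"],
}


def to_sigma(indicators) -> str:
    terms = sorted({t for i in indicators for t in RULE_TERMS.get(i, [])})
    quoted = ", ".join(json.dumps(t) for t in terms)
    return "\n".join([
        "title: Suspicious scheduled task created (derived from hunt findings)",
        "logsource: {product: windows, service: security}",
        "detection:",
        "  selection:",
        "    EventID: 4698",
        f"    TaskContent|contains: [{quoted}]",
        "  condition: selection",
        "level: medium",
    ])


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"score={f['score']} {f['host']} {f['task']} {f['indicators']} corroborated={f['corroborated']}")
    print(to_sigma({i for f in results for i in f["indicators"]}))
```

On the constructed data the hunt surfaces two of the four new tasks: `\Updater` (encoded, hidden PowerShell running as SYSTEM, corroborated by a `schtasks /create` one second earlier) and `\OneDriveSync` (binary in a user's Temp directory, no matching process event, so it needs manual validation before it is treated as a true positive). The defrag and backup tasks stay in the baseline. The generated rule encodes only the substring indicators; anything that depends on local knowledge (which accounts may create SYSTEM tasks, which directories are trusted) belongs in an allowlist maintained alongside the rule, otherwise the converted hunt becomes a noisy alert rather than a better detection.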
🛠 Examples of tools
- SIEM (Splunk, Microsoft Sentinel, QRadar)
- EDR (CrowdStrike, SentinelOne, Defender for Endpoint)
- YARA rules
- Sysmon / Winlogbeat / Zeek
- MITRE ATT&CK Navigator
- Velociraptor, Osquery
🎯 Proactive vs. reactive
| Threat Hunting | Incident Response |
|---|---|
| Proactive, before detection | Reactive, after a detection or incident |
| Focused on unknown threats | Focused on known attack traces |
| Data-driven and hypothesis-driven | Process-driven and aimed at recovery |
📌 In summary
Threat Hunting is the active search for hidden cyber threats, based on hypotheses, behaviour and data analysis — and forms an essential part of a mature SOC or cybersecurity strategy.
