Threat Hunting
Definition
Threat hunting is the proactive search for signs of attackers or abnormal activity in an environment, even when no alert has fired. Instead of waiting for security tools to raise alarms, threat hunters assume that something could already be wrong and go looking for evidence in logs, endpoints, and network data.

Threat hunting usually starts with a question or hypothesis. For example:

* Could an attacker be using valid accounts to move between systems?
* Are any hosts reaching out to suspicious domains at odd times?
* Is anyone running tools like PowerShell or Rclone in unusual ways?

The hunter then:

* Chooses relevant data sources, such as authentication logs, process events, file creation events, DNS, or web traffic
* Writes queries to search for patterns, outliers, or behaviors linked to known attacker techniques
* Reviews the results, filters out normal activity, and focuses on what looks suspicious
* Refines the hypothesis and repeats the process until they can explain what they see

Threat hunting often uses frameworks such as MITRE ATT&CK to guide ideas. For example, a hunter might focus on a specific tactic such as Initial Access, Lateral Movement, or Command and Control and ask “How would this show up in our data?”

Threat hunting is different from regular alert handling. Alert handling is reactive: you respond to what your tools tell you. Threat hunting is proactive: you lead the investigation by asking questions and using data to look for hidden threats.

When hunting is done well, it can:

* Find attackers that are avoiding or bypassing existing detections
* Reveal gaps in logging, monitoring, or controls
* Inspire new detection rules based on what was discovered

The outcome of a hunt is not always a confirmed incident. Sometimes the value is an improved understanding of normal behavior and better tuned detections. Over time, threat hunting strengthens both the defender’s skills and the organization’s overall security posture.
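The hunt loop described above, carried out in code, as an added example that is not part of the glossary entry. It takes the first hypothesis (an attacker using valid accounts to move between systems), picks authentication logs as the data source, queries for one account reaching an unusual number of distinct hosts over the network in a short window, and filters out a known-normal service account before reporting. The records are constructed, the field layout is loosely modelled on Windows Security event 4624, and every hostname, account name, window and threshold is a hypothetical value an analyst would tune for their own environment.

```python
"""
Hypothesis-driven hunt over constructed logon events (added example).

Hypothesis: an attacker holding valid credentials is moving laterally, so a
single account will authenticate over the network to an unusual number of
distinct hosts within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. Field layout is loosely
# modelled on Windows Security event 4624 (time, account, source host,
# target host, logon type); every hostname and account name is hypothetical.
# Logon type 3 = network, 10 = RemoteInteractive (RDP), 2 = local console.
SAMPLE_EVENTS = [
    "2024-03-04T02:00:00Z,svc_backup,BACKUP01,FS01,3",
    "2024-03-04T02:03:00Z,svc_backup,BACKUP01,FS02,3",
    "2024-03-04T02:06:00Z,svc_backup,BACKUP01,DB01,3",
    "2024-03-04T02:09:00Z,svc_backup,BACKUP01,WEB01,3",
    "2024-03-04T02:12:00Z,svc_backup,BACKUP01,HR01,3",
    "2024-03-04T09:01:10Z,alice,WS-ALICE,FS01,3",
    "2024-03-04T09:15:42Z,alice,WS-ALICE,PRINT01,3",
    "2024-03-04T14:02:11Z,jdoe,WS-JDOE,FS01,3",
    "2024-03-04T14:05:33Z,jdoe,WS-JDOE,DB01,3",
    "2024-03-04T14:07:02Z,jdoe,WS-JDOE,HR01,3",
    "2024-03-04T14:11:45Z,jdoe,WS-JDOE,WEB01,10",
    "2024-03-04T14:19:20Z,jdoe,WS-JDOE,DC01,3",
    "2024-03-04T14:20:00Z,bob,WS-BOB,WS-BOB,2",
    "2024-03-04T16:40:00Z,jdoe,WS-JDOE,FS01,3",
]

# Hypothetical "known normal": a backup service account that legitimately
# touches many hosts every night. Excluding it is the "filter out normal
# activity" step of the hunt; in practice this list comes from your own baseline.
BASELINE_ACCOUNTS = frozenset({"svc_backup"})

NETWORK_LOGON_TYPES = {3, 10}


def parse_events(lines):
    """Turn the CSV-style records into dicts with a timezone-aware datetime."""
    events = []
    for line in lines:
        ts, account, source, target, logon_type = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "account": account,
            "source": source,
            "target": target,
            "logon_type": int(logon_type),
        })
    return events


def hunt_lateral_movement(events, window=timedelta(hours=1), threshold=4,
                          baseline=BASELINE_ACCOUNTS):
    """Return {account: [distinct targets]} for every non-baseline account that
    reached at least `threshold` distinct hosts over the network inside any
    span of length `window`. Window and threshold are hunt parameters the
    analyst tunes against their environment, not fixed detection logic."""
    by_account = defaultdict(list)
    for e in events:
        if e["logon_type"] in NETWORK_LOGON_TYPES and e["account"] not in baseline:
            by_account[e["account"]].append(e)

    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        # Slide a window anchored at each event; the first window holding
        # enough distinct targets is sufficient to surface the account.
        for i, first in enumerate(evs):
            targets = {e["target"] for e in evs[i:]
                       if e["time"] - first["time"] <= window}
            if len(targets) >= threshold:
                findings[account] = sorted(targets)
                break
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for account, hosts in hunt_lateral_movement(events).items():
        print(f"{account}: {len(hosts)} distinct hosts within 1h -> {hosts}")
    # Re-run without the baseline to see what the filter hid; a hunter does
    # this to confirm the exclusion is still justified rather than a blind spot.
    print("unfiltered:", hunt_lateral_movement(events, baseline=frozenset()))
```

Only `jdoe` surfaces: five distinct servers from one workstation in under twenty minutes, including a domain controller, which is the kind of result that turns into either an incident or a new detection rule. Dropping the baseline shows `svc_backup` doing the same thing at 02:00, which is why the "filter out normal activity" step needs its own periodic review: an attacker who compromises that service account would be hidden by the very exclusion that keeps the hunt quiet.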