100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

Threat Hunting

AdvancedTechnique9.5K learners

Threat hunting is the proactive, human-led practice of searching through an organization's systems and networks for signs of malicious activity that automated detection tools may have missed.

Definition

Threat hunting is the proactive, human-led practice of searching through an organization's systems and networks for signs of malicious activity that automated detection tools may have missed.

Overview

Most security detection is reactive by design: a SIEM rule fires, an Endpoint Detection and Response (EDR) agent flags a process, and an analyst investigates the alert. Threat hunting flips this model — instead of waiting for an alert, a skilled analyst forms a hypothesis ("an attacker may be using a specific legitimate admin tool to move laterally") and actively searches through logs, endpoint telemetry, and network data to prove or disprove it, regardless of whether any automated tool has raised an alarm. This proactive approach exists because sophisticated attackers, particularly those behind advanced persistent threats, are specifically skilled at evading signature-based and even behavior-based automated detection — often using legitimate administrative tools already present on a system ("living off the land") rather than obviously malicious malware. Threat hunters draw on Threat Intelligence about known attacker tactics, techniques, and procedures to inform which hypotheses are worth investigating, and rely heavily on the rich telemetry produced by EDR and SIEM platforms as their raw material for investigation. When a hunt uncovers a genuine, previously undetected technique, the finding is typically converted into a new automated detection rule, so that future occurrences of the same technique are caught without requiring another manual hunt — a feedback loop conceptually similar to what happens during Purple Team exercises. Because it requires deep expertise and significant time investment, threat hunting is typically a capability found in more mature security programs — larger organizations with dedicated Security Operations Center staff, or purchased as a managed service — rather than something every organization performs regularly in-house.

Key Concepts

  • Proactive, hypothesis-driven search for threats rather than reactive alert response
  • Targets sophisticated attackers who evade automated signature and behavior detection
  • Relies heavily on EDR and SIEM telemetry as raw investigative material
  • Informed by threat intelligence about known attacker tactics and techniques
  • Successful hunts are converted into new automated detection rules
  • Requires significant analyst expertise and time investment
  • Typically found in more mature security programs or delivered as a managed service

Use Cases

Searching for attackers using legitimate admin tools to move laterally undetected
Investigating a hypothesis formed from newly published threat intelligence
Uncovering long-dwelling, previously undetected compromises
Converting manual hunt findings into new, automated detection rules
Validating that automated detection tools are catching known attacker techniques
Supplementing reactive SOC operations with proactive investigation

Frequently Asked Questions