What Is Threat Hunting?

Threat hunting is the proactive process of searching for threats that evade existing security tools. It involves analysing data, developing hypotheses, and investigating patterns to identify suspicious activity before it causes harm.

What Is Threat Hunting?

Threat hunting is a proactive cybersecurity practice focused on identifying threats that evade automated detection tools. Instead of waiting for alerts, threat hunting involves actively searching for suspicious behaviours, weak signals, or anomalies that may indicate an attacker is already present in the environment.

Threat hunting assumes that breaches can and do occur, even in well-defended environments. Hunters analyse telemetry across endpoints, networks, identities, and cloud services to uncover malicious activity that blends into normal operations. This often includes detecting credential abuse, living-off-the-land techniques, lateral movement, and persistence mechanisms that do not trigger traditional alerts.

Unlike automated detection, threat hunting relies on human-led reasoning supported by data, analytics, and threat intelligence. Over time, effective threat hunting reduces attacker dwell time, improves detection logic, and strengthens overall security posture by feeding insights back into SOC operations and detection engineering.

Why Threat Hunting Matters in Cybersecurity

Attackers are getting better at avoiding detection. They use techniques like fileless malware, remote access tools, and credential abuse to blend in with legitimate activity. These methods often bypass traditional security systems.

Relying on alerts alone can leave gaps. Threat hunting addresses this by identifying threats early, often before clear indicators emerge. Unlike reactive methods that rely on alerts, threat hunting focuses on stealthy, persistent techniques that may not trigger automated defences.

As a result, threat hunting reduces dwell time, limits impact, and helps organisations respond faster. This benefit is reflected in the fact that the number of organisations employing formal threat hunting methodologies grew to 64% in 2024, according to the SANS threat hunting survey.

Cyber Threat Hunting Loop

Threat Hunting vs. Incident Response

Threat hunting and incident response serve different purposes:

  • Threat hunting is proactive. It involves actively looking for signs of potential compromise based on assumptions or weak signals.

  • Incident response is reactive. It begins after a breach is detected and focuses on containment, investigation, and recovery.

The two can work together, but they follow different timelines. Hunting may uncover incidents before they trigger alerts, allowing earlier intervention; when a threat that hunting missed later surfaces as a breach, incident response frameworks step in.

Threat Hunting vs. Threat Intelligence

Threat intelligence provides context to security. It includes data on known threats—such as ransomware or malware strains. 

Threat hunting, on the other hand, applies this information to live environments. It looks for signs that similar behaviours are unfolding inside an organisation.

While separate, the two disciplines reinforce each other. Mature SOC teams use threat intelligence to guide hunts, and in turn, threat hunting can identify new threats to feed back into intelligence platforms.

Threat Hunting Methodologies

Threat hunting usually follows a structured approach.

Hypothesis-Driven Hunting

In hypothesis-driven hunting, analysts start with an assumption about potential malicious activity. For example, “An attacker may be using stolen credentials to move laterally within finance systems.” The hunter then queries relevant data sources to prove or disprove the hypothesis. This approach is structured, repeatable, and well suited to organisations with strong telemetry and experienced analysts.

Intelligence-Driven Hunting 

Intelligence-driven hunting is guided by external or internal threat intelligence. Hunters use reports on active adversaries, malware campaigns, or attack techniques to search for related behaviours in their own environment. This methodology helps organisations focus on relevant threats and aligns hunting efforts with real-world attacker activity.

Analytics-Driven Hunting

Analytics-driven hunting relies on statistical analysis, baselining, and behavioural analytics to surface anomalies. Instead of starting with a specific hypothesis, hunters examine deviations from normal activity such as unusual login times, abnormal data transfers, or rare process executions. This approach is effective for uncovering unknown or novel threats.

Situational or Reactive Hunting 

Situational hunting is triggered by events such as new vulnerabilities, public breach disclosures, or changes in the threat landscape. For example, hunters may proactively search for exploitation activity after a critical vulnerability is announced. While reactive in nature, this approach is still proactive compared to traditional alert-based response.

Indicators of Attack vs. Indicators of Compromise

Threat hunting often focuses on behavioural evidence rather than static indicators.

  • Indicators of Compromise (IOCs) are artefacts linked to known attacks, such as malicious file hashes, IP addresses, or domain names. While useful for detection, IOCs are often short-lived and easy for attackers to change.
  • Indicators of Attack (IOAs) focus on attacker behaviour and techniques. Examples include suspicious PowerShell usage, abnormal privilege escalation, or unusual authentication patterns. IOAs are particularly valuable in threat hunting because they identify how attackers operate rather than the specific tools they use.

Effective threat hunting prioritises IOAs, as they are more resilient against evasion and better aligned with modern attack techniques.

Threat Hunting Techniques

Threat hunting techniques describe how analysts investigate data to uncover threats.

  • TTP analysis
    Hunters analyse adversary tactics, techniques, and procedures using frameworks like MITRE ATT&CK. This allows teams to systematically search for known attack behaviours across the environment.
  • Outlier detection
    This technique focuses on identifying activity that deviates from established baselines. Examples include rare command executions, abnormal data access, or unusual login patterns for a specific user or system.
  • Time-based correlation
    Attackers often perform actions over time to avoid detection. Time-based correlation connects related events across endpoints, identities, and networks to reveal attack chains that would otherwise appear benign in isolation.
  • Domain and business context analysis
    Hunters apply knowledge of business operations to distinguish between legitimate activity and suspicious behaviour. Understanding how systems and users normally operate is critical to accurate threat hunting.
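The hypothesis given earlier ("an attacker may be using stolen credentials to move laterally within finance systems") worked through as time-based correlation with business context applied. This is an added example, not code from the page or from Trend Micro; the logon events, host names and the allowlisted service account are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of network logon events in the style of Windows event
# 4624 / logon type 3 (not real telemetry): (time, account, source, target).
EVENTS = [
    ("2024-05-01T09:02:10", "j.doe", "WS-041", "FIN-FS01"),
    ("2024-05-01T09:05:42", "j.doe", "WS-041", "FIN-SQL02"),
    ("2024-05-01T09:07:03", "j.doe", "WS-041", "FIN-APP03"),
    ("2024-05-01T09:08:55", "j.doe", "WS-041", "FIN-DC01"),
    ("2024-05-01T10:15:00", "svc-backup", "BK-01", "FIN-FS01"),
    ("2024-05-01T10:16:00", "svc-backup", "BK-01", "FIN-SQL02"),
    ("2024-05-01T10:17:00", "svc-backup", "BK-01", "FIN-APP03"),
    ("2024-05-01T13:00:00", "a.smith", "WS-017", "FIN-FS01"),
    ("2024-05-01T16:30:00", "a.smith", "WS-017", "FIN-SQL02"),
]

# Business context: accounts that are expected to fan out across finance hosts.
EXPECTED_FAN_OUT = frozenset({"svc-backup"})


def find_fan_out(events, window=timedelta(minutes=10), min_hosts=3,
                 segment="FIN-", expected=frozenset()):
    """Return accounts that reached >= min_hosts distinct hosts in the segment
    within `window`. Each logon alone looks benign; the chain does not."""
    by_account = defaultdict(list)
    for ts, acct, src, dst in events:
        if dst.startswith(segment) and acct not in expected:
            by_account[acct].append((datetime.fromisoformat(ts), src, dst))
    findings = []
    for acct, evs in by_account.items():
        evs.sort()
        for i, (t0, src, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            hosts = sorted({dst for _, _, dst in in_window})
            if len(hosts) >= min_hosts:
                findings.append({"account": acct, "source": src,
                                 "start": t0.isoformat(),
                                 "end": in_window[-1][0].isoformat(),
                                 "hosts": hosts})
                break  # one finding per account; analysts pivot from here
    return findings


if __name__ == "__main__":
    for finding in find_fan_out(EVENTS, expected=EXPECTED_FAN_OUT):
        print(finding)
```

Running it without the allowlist shows why the business-context step matters: the backup service account produces the same fan-out pattern as the suspicious user.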

Threat Hunting Tools

Threat hunting tools provide the visibility and analytical capabilities needed to support investigations.

SIEM platforms

SIEMs centralise logs from across the environment and enable querying, correlation, and timeline analysis. They are often the starting point for threat hunting activities.

XDR platforms

XDR solutions correlate telemetry from endpoints, email, cloud, identity, and network layers. This cross-domain visibility helps surface complex attack patterns and reduces investigative blind spots.

Threat intelligence platforms

These tools provide context on adversaries, malware, and campaigns. Hunters use intelligence to guide hypotheses and prioritise investigations.

Scripting and detection engineering tools

Tools such as YARA and Sigma allow hunters to create custom detection logic and reusable queries tailored to their environment.

Threat hunting data sources

Effective hunting depends on access to high-quality data, including endpoint telemetry, network traffic, identity logs, and cloud audit trails. The depth and retention of this data directly impact hunting effectiveness.

Platforms like Trend Vision One provide integrated access to these data sources, enabling analysts to pivot quickly and investigate threats across multiple layers.

Effective Threat Hunting Tools

Real-World Threat Hunting Examples & Case Studies

Credential Abuse in Microsoft 365

A global logistics firm noticed unusual login patterns in Microsoft 365. Threat hunters used location-based filtering and audit logs to trace back to a compromised partner account. The account had been used to send phishing emails internally.
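The location-based filtering described in this case, combined with the analytics-driven approach from the methodology section: build a per-account baseline of sign-in countries, flag sign-ins outside it, then correlate with mail sent by that account shortly afterwards. This is an added example, not code from the page or from Trend Micro; the audit records, account names and thresholds are constructed and the record layout is a simplification, not the real Microsoft 365 audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Microsoft 365 style audit records (not real logs):
# (timestamp, operation, account, detail). For UserLoggedIn the detail is
# the source country; for SendMail it is the number of recipients.
RECORDS = [
    ("2024-04-02T08:10:00", "UserLoggedIn", "partner@vendor.example", "DE"),
    ("2024-04-09T09:30:00", "UserLoggedIn", "partner@vendor.example", "DE"),
    ("2024-04-03T07:45:00", "UserLoggedIn", "alice@corp.example", "GB"),
    ("2024-04-17T08:00:00", "UserLoggedIn", "alice@corp.example", "FR"),
    ("2024-04-05T08:00:00", "UserLoggedIn", "bob@corp.example", "GB"),
    ("2024-05-01T03:12:00", "UserLoggedIn", "partner@vendor.example", "NG"),
    ("2024-05-01T03:20:00", "SendMail", "partner@vendor.example", "40"),
    ("2024-05-01T03:41:00", "SendMail", "partner@vendor.example", "55"),
    ("2024-05-01T08:05:00", "UserLoggedIn", "alice@corp.example", "GB"),
    ("2024-05-01T09:00:00", "SendMail", "alice@corp.example", "3"),
    ("2024-05-01T10:00:00", "UserLoggedIn", "bob@corp.example", "ES"),
    ("2024-05-01T11:00:00", "UserLoggedIn", "alice@corp.example", "FR"),
]
HUNT_START = datetime.fromisoformat("2024-05-01T00:00:00")


def baseline_countries(records, before):
    """Countries each account signed in from during the baseline period."""
    seen = defaultdict(set)
    for ts, op, acct, detail in records:
        if op == "UserLoggedIn" and datetime.fromisoformat(ts) < before:
            seen[acct].add(detail)
    return seen


def hunt_new_location_then_mail(records, hunt_start, window=timedelta(hours=2),
                                min_recipients=20):
    """Flag sign-ins from a country outside the account's baseline, then
    correlate with mail sent by that account within `window`."""
    baseline = baseline_countries(records, hunt_start)
    recent = [(datetime.fromisoformat(ts), op, acct, d)
              for ts, op, acct, d in records
              if datetime.fromisoformat(ts) >= hunt_start]
    findings = []
    for t, op, acct, country in recent:
        if op != "UserLoggedIn" or country in baseline.get(acct, set()):
            continue
        sent = sum(int(d) for t2, op2, a2, d in recent
                   if op2 == "SendMail" and a2 == acct and t <= t2 <= t + window)
        findings.append({"account": acct, "country": country,
                         "signin": t.isoformat(), "recipients_in_window": sent,
                         "escalate": sent >= min_recipients})
    return findings


if __name__ == "__main__":
    for finding in hunt_new_location_then_mail(RECORDS, HUNT_START):
        print(finding)
```

The new-location sign-in alone is a weak signal (a travelling user produces the same one); the mail burst that follows it is what turns the partner account into an escalation.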

Living-Off-the-Land Techniques in Enterprise Environments

In a recent Trend Micro threat-hunting research case, reported in a news article, threat hunters investigated persistent command-line activity across several high-privilege endpoints. Analysis revealed abuse of legitimate tools such as PowerShell and WMI to establish backdoors without dropping files.

This technique, known as "living off the land," is designed to avoid detection by security software. It remains one of the most common challenges in enterprise threat detection.

Supply Chain Compromise

A Trend Micro Vision One customer identified anomalous DNS requests tied to a trusted third-party vendor. Deeper inspection showed the vendor’s environment had been compromised and was being used for lateral movement.

How to Build a Threat Hunting Framework

A threat hunting framework provides a structured approach for proactively identifying threats that evade automated detection. Rather than relying on ad hoc investigations, a defined threat hunting process ensures hunts are repeatable, measurable, and aligned with organisational risk.

The following threat hunting lifecycle outlines how security teams can build and operationalise an effective threat hunting framework.

Step 1: Define a Threat Hunting Hypothesis

Every threat hunt starts with a clear hypothesis. This is a testable assumption about potential malicious activity based on threat intelligence, known attacker techniques, environmental risk, or recent incidents.

For example, a hypothesis might focus on credential abuse in cloud environments or lateral movement using built-in administrative tools. Effective hypotheses are specific, actionable, and mapped to adversary behaviour frameworks such as MITRE ATT&CK.

Step 2: Scope and Prepare Relevant Data

Once a hypothesis is defined, analysts identify the data sources required to validate it. Threat hunting data may include endpoint telemetry, authentication logs, network traffic, DNS activity, or cloud audit trails.

Scoping ensures that investigations focus on relevant systems and timeframes. Analysts also verify data quality, coverage, and retention to avoid gaps that could weaken conclusions.

Step 3: Investigate and Pivot Across Telemetry 

During the investigation phase, hunters analyse data using queries, behavioural filters, and correlation techniques. When suspicious activity is identified, analysts pivot to related signals such as associated accounts, processes, or network connections.

Threat hunting is inherently iterative. Initial findings often lead to new questions, expanded scope, or refined hypotheses as patterns emerge.

Step 4: Validate Findings and Assess Impact 

Hunters determine whether the evidence supports or disproves the original hypothesis. If malicious activity is confirmed, analysts assess the scope of the threat, identify affected assets, and evaluate attacker persistence and movement.

If no supporting evidence is found, the hypothesis may be refined or documented as a negative result, which still contributes to organisational understanding and detection maturity.

Step 5: Escalate and Respond to Confirmed Threats

Confirmed threats are escalated to incident response teams with full context. This includes timelines, affected systems, attacker techniques, and recommended containment actions.

Clear escalation paths ensure that threat hunting findings transition quickly into remediation, reducing dwell time and limiting potential impact.

Step 6: Feed Insights into Detection and Telemetry

One of the most critical steps in a threat hunting framework is feedback. Behaviours identified during hunts are translated into new detection logic, analytics, or alerting rules within SIEM, XDR, or EDR platforms.

Hunts also highlight visibility gaps, prompting improvements in logging, telemetry collection, or sensor deployment.

Step 7: Document Outcomes and Refine the Process 

Each hunt should be documented, including the hypothesis, data sources, investigation steps, findings, and lessons learned. Retrospective analysis allows teams to apply new detection logic to historical data, uncovering missed activity or extended dwell time.

Over time, this continuous improvement loop strengthens the threat hunting framework, improves detection coverage, and aligns proactive threat hunting more closely with evolving attacker techniques.
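Steps 6 and 7 of the lifecycle in code: a behaviour-based rule produced by a hunt is replayed over historical process telemetry to surface missed activity, measure dwell time from the earliest match, and record the hunt (including a negative result) for later review. This is an added example, not code from the page or from Trend Micro; the events, host names and the HuntRecord structure are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed historical process-creation telemetry (not real data):
# (timestamp, host, parent image, child image).
HISTORY = [
    ("2024-03-12T11:04:00", "WS-021", "outlook.exe", "winword.exe"),
    ("2024-03-12T11:04:30", "WS-021", "winword.exe", "powershell.exe"),
    ("2024-03-28T15:40:00", "WS-033", "explorer.exe", "powershell.exe"),
    ("2024-04-15T09:12:00", "WS-021", "winword.exe", "cmd.exe"),
    ("2024-05-02T10:00:00", "WS-050", "excel.exe", "powershell.exe"),
]
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def office_spawns_script_host(event):
    """Behaviour-based rule (an IOA) derived from the hunt in Step 6."""
    _, _, parent, child = event
    return parent in OFFICE_APPS and child in SCRIPT_HOSTS


@dataclass
class HuntRecord:
    hypothesis: str
    data_sources: list
    confirmed_at: str           # when the hunt validated the behaviour (Step 4)
    findings: list = field(default_factory=list)
    outcome: str = "negative result"
    dwell_days: int = 0


def replay(rule, history, hypothesis, data_sources, confirmed_at):
    """Step 7: run the new rule over historical data to surface missed
    activity and measure dwell time from the earliest match."""
    record = HuntRecord(hypothesis, data_sources, confirmed_at)
    matches = sorted((datetime.fromisoformat(t), h, p, c)
                     for t, h, p, c in history if rule((t, h, p, c)))
    if matches:
        record.findings = [f"{t.isoformat()} {h}: {p} -> {c}" for t, h, p, c in matches]
        record.outcome = "confirmed"
        first_seen = matches[0][0]
        record.dwell_days = (datetime.fromisoformat(confirmed_at) - first_seen).days
    return record


if __name__ == "__main__":
    print(replay(office_spawns_script_host, HISTORY,
                 "Office documents are being used to launch script hosts",
                 ["endpoint process telemetry"], "2024-05-02T12:00:00"))
```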

How to Get Started with Cyber Threat Hunting

When getting started, focus on visibility first:

  • Identify priority assets (e.g. finance, executive, critical infrastructure)
  • Ensure logging is enabled across endpoints, identity, and cloud
  • Begin with one hypothesis per week
  • Use ATT&CK to guide technique-based searches
  • Record findings and refine queries over time

Trend Micro’s Proactive Threat Hunting Software

Trend Vision One provides advanced capabilities for threat hunting:

  • Cross-layer telemetry from endpoints, email, cloud, and network
  • Automatic mapping to MITRE techniques
  • Risk-based scoring to prioritise threats
  • Integrated threat intelligence for context
  • Search and pivot tools for proactive investigations

It supports security teams in detecting stealthy attacks, reducing dwell time, and uncovering threats before they escalate.

Frequently Asked Questions (FAQs)

What is threat hunting in cybersecurity?

Threat hunting is the proactive process of searching for threats that evade automated security tools using manual investigation and hypothesis testing.

What does a threat hunter do?

A threat hunter proactively detects, investigates, and mitigates cyber threats within networks, preventing breaches and enhancing organizational security.

How does threat hunting differ from incident response?

Threat hunting is proactive and happens before an incident is confirmed; incident response is reactive and begins after detection.

How is threat hunting different from threat intelligence?

Threat intelligence provides known threat data; threat hunting applies this intelligence to identify suspicious activity in live environments.

What is a hypothesis in threat hunting?

A hypothesis is an educated assumption used to guide the investigation, such as detecting lateral movement in a specific network segment.

What are Indicators of Attack (IOAs) vs. Indicators of Compromise (IOCs)?

IOAs focus on behaviours and tactics; IOCs are forensic evidence of past attacks like file hashes or IP addresses.

What tools are used in threat hunting?

Tools include SIEMs, XDR platforms, threat intelligence feeds, and scripting utilities like YARA or Sigma.

What data sources support effective threat hunting?

Useful data includes endpoint telemetry, network logs, identity records, and cloud audit trails.

Can you provide real-world examples of threat hunting?

Examples include detecting compromised Microsoft 365 accounts, PowerShell abuse for persistence, and vendor-related supply chain attacks.

How can organisations build a threat hunting framework?

Establish roles, define repeatable workflows, and align with frameworks like MITRE ATT&CK and NIST.

What is Trend Micro Vision One’s role in threat hunting?

It offers cross-layer telemetry, automated detection, MITRE mapping, and context-rich investigations to support threat hunters.