Threat hunting
Definition
A proactive, human-led process that searches for evidence of adversary activity in an environment under the assumption that automated controls have been evaded. Distinct from alert triage, which responds to events already flagged by detection systems.
Related terms
- Dwell time
- The period between an attacker gaining initial access and their detection. Reducing dwell time is a primary goal of threat hunting. The...
- Escalation Path
- The predefined chain of notification and decision-making authority that an incident follows as its severity increases. Documented in the IR plan before...
- Hunting hypothesis
- A testable statement specifying what adversary behaviour might be present, which data source would show it, and what analytic would surface it....
- Indicator of Compromise (IoC)
- An observable artefact that suggests a system has been involved in a malicious event. Static analysis produces file-based IoCs: cryptographic hashes, embedded...
- Managed Security Service Provider (MSSP)
- A third-party organisation that delivers security monitoring, tooling, and analyst coverage as a contracted service. Used in fully outsourced and co-managed SOC...
- MITRE ATT&CK
- A publicly available knowledge base of adversary tactics, techniques, and procedures derived from real-world intrusion observations. Maintained by the MITRE Corporation. Techniques...
- Playbook
- A documented step-by-step procedure for responding to a specific type of security event. Playbooks standardise analyst behaviour, reduce response time, and ensure...
- Security Operations Centre (SOC)
- The dedicated team and technology platform responsible for continuous monitoring, detection, analysis, and coordinated response to security events. May be in-house, co-managed,...
- SIEM (Security Information and Event Management)
- A platform that aggregates log and event data from systems, networks, and applications across an environment, correlates events against detection rules, generates...
- Tactics, Techniques, and Procedures (TTPs)
- A three-level description of adversary behaviour. Tactics are the high-level goals (initial access, persistence, exfiltration). Techniques are the specific methods (spear-phishing, pass-the-hash)....
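A hunting hypothesis of the kind defined above, written out as the three parts the definition names (behaviour, data source, analytic) and then run over sample events, with the resulting dwell time computed. This is an added example, not text or code from the original page: the hypothesis targets the pass-the-hash technique named under TTPs, the event fields are a simplified stand-in for Windows Security event 4624 rather than the real EVTX schema, the sample events are constructed, and the threshold (an account authenticating over NTLM network logons to three or more distinct hosts within ten minutes from one source) is an assumed heuristic, not a definitive detection.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class HuntingHypothesis:
    behaviour: str    # what adversary behaviour might be present
    data_source: str  # which data source would show it
    analytic: str     # what analytic would surface it


PTH_HYPOTHESIS = HuntingHypothesis(
    behaviour="An attacker is moving laterally with pass-the-hash",
    data_source="Windows Security event 4624 (successful logon) from every host",
    analytic="One account + one source IP reaching >=3 hosts via NTLM network "
             "logons (logon type 3) inside a 10-minute window",
)

# Constructed sample events. Field names are an assumed, simplified schema.
FIELDS = ("time", "event_id", "logon_type", "auth_package", "account", "src_ip", "host")
EVENTS = [
    ("2024-05-01T08:00:05", 4624, 2, "Kerberos", "alice", "-", "WS01"),        # console logon
    ("2024-05-01T08:03:10", 4624, 3, "Kerberos", "alice", "10.0.0.21", "FS01"),  # normal share access
    ("2024-05-01T08:10:00", 4624, 3, "NTLM", "bob", "10.0.0.22", "FS01"),      # NTLM, single host
    ("2024-05-01T08:11:00", 4624, 3, "NTLM", "bob", "10.0.0.22", "FS01"),
    # suspicious: one account, one source, NTLM network logons fanning out fast at 02:14
    ("2024-05-01T02:14:03", 4624, 3, "NTLM", "svc_backup", "10.0.0.55", "WS01"),
    ("2024-05-01T02:14:40", 4624, 3, "NTLM", "svc_backup", "10.0.0.55", "WS02"),
    ("2024-05-01T02:15:12", 4624, 3, "NTLM", "svc_backup", "10.0.0.55", "FS01"),
    ("2024-05-01T02:16:50", 4624, 3, "NTLM", "svc_backup", "10.0.0.55", "DC01"),
    # admin touching several hosts, but spread over hours: outside the window
    ("2024-05-01T09:00:00", 4624, 3, "NTLM", "carol", "10.0.0.30", "WS03"),
    ("2024-05-01T12:00:00", 4624, 3, "NTLM", "carol", "10.0.0.30", "WS04"),
    ("2024-05-01T15:00:00", 4624, 3, "NTLM", "carol", "10.0.0.30", "WS05"),
]


@dataclass(frozen=True)
class Finding:
    account: str
    src_ip: str
    hosts: tuple
    first_seen: datetime


def parse_events(rows):
    """Turn the flat tuples into dicts with parsed timestamps, oldest first."""
    events = []
    for row in rows:
        e = dict(zip(FIELDS, row))
        e["time"] = datetime.fromisoformat(e["time"])
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def hunt_ntlm_lateral_movement(events, window=timedelta(minutes=10), min_hosts=3):
    """Analytic for PTH_HYPOTHESIS. Heuristic only: admin scripts and
    vulnerability scanners produce the same shape and must be tuned out."""
    by_key = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3 and e["auth_package"] == "NTLM":
            by_key[(e["account"], e["src_ip"])].append(e)

    findings = []
    for (account, src_ip), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        # sliding window: count distinct target hosts reachable from each start event
        for i, start in enumerate(evs):
            hosts = []
            for e in evs[i:]:
                if e["time"] - start["time"] > window:
                    break
                if e["host"] not in hosts:
                    hosts.append(e["host"])
            if len(hosts) >= min_hosts:
                findings.append(Finding(account, src_ip, tuple(hosts), start["time"]))
                break  # one finding per account/source pair is enough for triage
    return findings


def dwell_time(findings, detected_at_iso):
    """Dwell time as defined above: earliest evidence of the behaviour up to the
    moment the hunt surfaced it. Returns None when the hunt found nothing."""
    if not findings:
        return None
    return datetime.fromisoformat(detected_at_iso) - min(f.first_seen for f in findings)


if __name__ == "__main__":
    found = hunt_ntlm_lateral_movement(parse_events(EVENTS))
    for f in found:
        print(f"{f.account} from {f.src_ip} -> {', '.join(f.hosts)} starting {f.first_seen}")
    print("dwell time:", dwell_time(found, "2024-05-01T09:00:00"))
```

Note that `bob` and `carol` both use NTLM network logons and are not surfaced: `bob` reaches only one host and `carol` reaches three hosts but hours apart, so the window term in the hypothesis is what separates the lead from background noise. A real hunt would then pivot on `svc_backup` and `10.0.0.55` in other data sources before declaring an incident.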
Explained in these topics
- Proactive Threat Hunting Methodology: A proactive, human-led process that searches for evidence of adversary activity in an environment under the assumption that automated controls have been evaded...
- SOC Structure and the Tier Model: A proactive activity in which analysts search for indicators of compromise or attacker behaviour that automated detection has not yet flagged. Typically perfor...