Threat Hunting
Definition
Threat hunting is the proactive search for hidden threats and attackers already present in a network, but not yet picked up by automated detection systems.
Threat hunting is the proactive search for cyber threats that existing automated security systems have failed to detect. According to the SANS Institute 2024 Threat Hunting Survey, 73% of organisations with a threat hunting programme report discovering threats that would otherwise have gone unnoticed.
How does threat hunting work?
Unlike traditional security monitoring that waits for alerts, threat hunting begins with a hypothesis: what if an attacker is already present in the network? The threat hunter formulates a hypothesis based on threat intelligence, known TTPs of threat actors or anomalies in network data. The hunter then systematically searches logs, endpoint telemetry, network traffic and other data sources for evidence supporting or refuting the hypothesis. This requires deep knowledge of attack techniques, the organisation's IT landscape and the tools to analyse large volumes of data.
Types of threat hunting
Hypothesis-driven hunting starts with an assumption based on new threat intelligence or an identified risk. IOC-driven hunting searches for known indicators of compromise in the environment. Anomaly-driven hunting uses machine learning and statistical analysis to identify abnormal behaviour that may indicate a breach. TTP-driven hunting specifically looks for known attack techniques from the MITRE ATT&CK framework.
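As an added illustration (not code from the original page or from DEFION) of the hypothesis-driven process described above and the IOC-, TTP- and anomaly-driven approaches just listed, the following Python runs all three over a small set of constructed endpoint process-creation events; the host names, hashes and the single IOC are constructed sample values, and the rarity threshold is an assumption.

```python
# Added example, not from the original page: a hypothesis-driven hunt over
# constructed endpoint telemetry; hosts, hashes and the IOC are sample data.
FIELDS = ("id", "host", "parent", "image", "sha256")
_RAW = [  # constructed process-creation events
    (1, "ws01", "explorer.exe", "outlook.exe", "aaaa"),
    (2, "ws01", "outlook.exe", "winword.exe", "bbbb"),
    (3, "ws01", "winword.exe", "powershell.exe", "cccc"),
    (4, "ws02", "explorer.exe", "outlook.exe", "aaaa"),
    (5, "ws02", "outlook.exe", "winword.exe", "bbbb"),
    (6, "ws02", "explorer.exe", "chrome.exe", "dddd"),
    (7, "ws02", "services.exe", "svchost.exe", "eeee"),
    (8, "ws03", "explorer.exe", "chrome.exe", "dddd"),
    (9, "ws03", "services.exe", "svchost.exe", "eeee"),
    (10, "ws03", "explorer.exe", "updater.exe", "ffff"),
    (11, "ws04", "explorer.exe", "outlook.exe", "aaaa"),
    (12, "ws04", "services.exe", "svchost.exe", "eeee"),
]
EVENTS = [dict(zip(FIELDS, r)) for r in _RAW]
KNOWN_BAD_SHA256 = {"ffff"}  # constructed placeholder IOC, not a real hash
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def ioc_hunt(events, iocs=KNOWN_BAD_SHA256):
    """IOC-driven: match observed file hashes against known indicators."""
    return [e["id"] for e in events if e["sha256"] in iocs]

def ttp_hunt(events):
    """TTP-driven (ATT&CK T1059): an Office app spawning a script/command
    interpreter, flagged on the process tree rather than the command line."""
    return [e["id"] for e in events
            if e["parent"] in OFFICE_APPS and e["image"] in INTERPRETERS]

def anomaly_hunt(events, max_hosts=1):
    """Anomaly-driven: a parent/child pair seen on at most max_hosts hosts is
    rare against the fleet baseline and worth a hunter's attention."""
    hosts_per_pair = {}
    for e in events:
        hosts_per_pair.setdefault((e["parent"], e["image"]), set()).add(e["host"])
    rare = {p for p, h in hosts_per_pair.items() if len(h) <= max_hosts}
    return [e["id"] for e in events if (e["parent"], e["image"]) in rare]

def run_hunt(events):
    """Test the hypothesis 'an attacker is already present' with all three
    approaches; events flagged by more than one approach are triaged first."""
    hits = {"ioc": ioc_hunt(events), "ttp": ttp_hunt(events),
            "anomaly": anomaly_hunt(events)}
    flagged = [i for ids in hits.values() for i in ids]
    hits["prioritised"] = sorted({i for i in flagged if flagged.count(i) > 1})
    return hits
```

On this sample, event 3 (Word spawning PowerShell) is caught by the TTP and anomaly hunts and event 10 by the IOC and anomaly hunts, so both land on the prioritised list; in practice each confirmed finding would then be turned into a detection rule, as the Protection section below describes.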
Impact on organisations
Organisations relying solely on automated detection miss on average 20-30% of advanced attacks that penetrate their environment. APT groups and sophisticated ransomware operators use techniques specifically designed to evade detection rules. Threat hunting fills this gap by adding human intelligence and creativity to automated systems. NIS2 requires organisations in critical sectors to implement adequate detection capabilities. Organisations with an active threat hunting programme detect breaches on average 50% faster, according to the Mandiant M-Trends 2024 report.
Protection
Effective threat hunting requires access to high-quality telemetry data from endpoints, network and cloud. EDR and XDR platforms form the technical foundation. Threat intelligence feeds provide context on current threats and TTPs. The MITRE ATT&CK framework structures the search strategy. A dedicated threat hunting team combines technical expertise with threat landscape knowledge. Findings are translated into new detection rules that strengthen automated systems.
How DEFION helps
DEFION provides Managed Threat Hunting as part of its MDR services. Experienced threat hunters proactively search the IT environment for indicators of advanced threats. Findings are translated into concrete detection improvements and recommendations.