Detection waits for a rule to fire; hunting goes looking. Form a hypothesis about how an attacker would operate, search for evidence, and turn what you find into new detections.
Why: rules only catch what you already thought to write, so threat hunting proactively searches for attacker activity that slipped past detections — starting from the assumption that a breach may already have happened. When: hunt regularly, not just after an alert. Where: hunting finds both active intrusions and detection gaps, which you then close with new rules.
DETECTION reactive — waits for a known-bad pattern to fire an alert
HUNTING proactive — assumes breach and goes searching for the unknown
Every hunt has two possible wins:
1. you FIND something -> incident response
2. you find NOTHING but discover a blind spot -> write a new detectionWhy: effective hunting is hypothesis-driven — you pose a specific, testable idea about how an attacker would behave, then search the data for evidence — rather than aimlessly browsing logs. When: base hypotheses on ATT&CK techniques and threat intel ("if they used technique X, we would see Y"). Where: a good hypothesis names the data you need and what would confirm or refute it.
HYPOTHESIS "An attacker using stolen credentials would log in outside
normal hours from an unusual location, then run discovery
commands (whoami, net group) shortly after."
DATA NEEDED auth logs (time + geo) + process logs (command lines)
SEARCH joins on user+host+time; look for the pattern
RESULT confirm -> investigate as an incident
refute -> refine, or turn the search into a scheduled ruleWhy: a hunt’s value is durable only if its findings become automated — a successful manual hunt should be turned into a scheduled detection so you never have to hunt for that same thing again. When: after any productive hunt, convert the query into a Sigma rule and add it to the ruleset. Where: this feedback loop steadily raises the floor of automated coverage.
The hunting feedback loop:
hunt (manual) ─► find a technique / gap ─► write a detection (Sigma) ─►
automate it ─► free up analysts to hunt the NEXT unknown ─► repeat
Manual effort should never be spent twice on the same pattern.
Yesterday's hunt is today's scheduled alert.