Hypothesis-driven hunting

Assume breach; hunt what alerts miss.

Advanced30 min · lesson 7 of 15

Automated detection catches the threats you anticipated; threat hunting finds the ones you did not. It is proactive, hypothesis-driven investigation that assumes a breach has already happened and goes looking for it in the telemetry, rather than waiting for an alert.

Hypothesis-driven, assume-breach

A hunt starts from a testable hypothesis, usually derived from adversary behavior: "an attacker is using valid accounts for lateral movement", "there is persistence via a scheduled task", "someone is staging data for exfiltration". You then search your telemetry to prove or disprove it — examining process trees, authentication patterns, network flows, or cloud API activity for evidence. This is fundamentally different from alert monitoring: you are not reacting to a rule that fired, you are actively probing where an attacker would be if they were already inside. The assume-breach mindset is what drives the effort.

a hunt is a hypothesis plus a query
# Hypothesis: an attacker is using a valid service account from a NEW location
# to access secrets it has never touched before.
#
# Search (conceptual): join auth + secret-access telemetry
# secret_access
# | where principal_type == "service_account"
# | join baseline on principal
# | where source_asn not in baseline.usual_asns
# or secret not in baseline.usual_secrets
# ⇒ investigate the outliers — are they legitimate, or an intruder?
#
# A "no results" hunt still has value: it validates the hypothesis or reveals
# you lack the telemetry to answer it (a visibility gap to close).

Hunts become detections

The point of hunting is not just to catch the current intruder — it is to turn each finding into durable, automated coverage. When a hunt uncovers a technique, you write a tested detection for it so it is caught automatically next time; when a hunt finds nothing but reveals you could not answer the hypothesis, you have discovered a visibility gap to close. This is the loop that makes detection engineering mature: humans hunt for the unknown, and the pipeline automates what they find. Document hunts so they are repeatable and coverage is tracked over time, converting a series of one-off investigations into a growing program.

The hunting loop
1hypothesis
assume-breach, ATT&CK-derived
2search telemetry
prove or disprove
3finding or gap
intruder found, or visibility gap
4codify
new tested detection / new telemetry
Hunting finds the undetected; codifying the findings turns each hunt into permanent, automated coverage.
A hunt with no output is a missed opportunity
Hunting that ends at "we looked and found nothing" wastes the effort. Every hunt should produce something durable — a new detection, a tuning, or a documented visibility gap to fix — otherwise you rediscover the same blind spots repeatedly instead of building coverage.