Hypothesis-driven hunting
Assume breach; hunt what alerts miss.
Automated detection catches the threats you anticipated; threat hunting finds the ones you did not. It is proactive, hypothesis-driven investigation that assumes a breach has already happened and goes looking for it in the telemetry, rather than waiting for an alert.
Hypothesis-driven, assume-breach
A hunt starts from a testable hypothesis, usually derived from adversary behavior: "an attacker is using valid accounts for lateral movement", "there is persistence via a scheduled task", "someone is staging data for exfiltration". You then search your telemetry to prove or disprove it — examining process trees, authentication patterns, network flows, or cloud API activity for evidence. This is fundamentally different from alert monitoring: you are not reacting to a rule that fired, you are actively probing where an attacker would be if they were already inside. The assume-breach mindset is what drives the effort.
# Hypothesis: an attacker is using a valid service account from a NEW location# to access secrets it has never touched before.## Search (conceptual): join auth + secret-access telemetry# secret_access# | where principal_type == "service_account"# | join baseline on principal# | where source_asn not in baseline.usual_asns# or secret not in baseline.usual_secrets# ⇒ investigate the outliers — are they legitimate, or an intruder?## A "no results" hunt still has value: it validates the hypothesis or reveals# you lack the telemetry to answer it (a visibility gap to close).
Hunts become detections
The point of hunting is not just to catch the current intruder — it is to turn each finding into durable, automated coverage. When a hunt uncovers a technique, you write a tested detection for it so it is caught automatically next time; when a hunt finds nothing but reveals you could not answer the hypothesis, you have discovered a visibility gap to close. This is the loop that makes detection engineering mature: humans hunt for the unknown, and the pipeline automates what they find. Document hunts so they are repeatable and coverage is tracked over time, converting a series of one-off investigations into a growing program.