Skip to content

What is threat hunting, and how does it differ from waiting for alerts?

Short answer

Threat hunting is the proactive, hypothesis-driven practice of searching telemetry for adversary activity that existing detections missed. Unlike alert triage — which is reactive and waits for a tool to fire — hunting starts from a question ('if an attacker did X, what evidence would I see?'), tests it against data, and either finds something or produces a new detection. It assumes prevention and alerting are imperfect and that a determined adversary may already be inside.

Threat hunting starts from an uncomfortable assumption: your preventive controls and your alerts are not perfect, and a capable adversary may already be operating inside the environment without tripping anything. Hunting is the deliberate effort to find that adversary before they finish their objective.

Proactive vs reactive

Alert triage is reactive: a tool decides something is suspicious, an alert fires, and an analyst responds. It only catches what someone already wrote a rule for. Threat hunting is proactive: the hunter goes looking for activity that no rule describes yet, working through data the SOC already collects.

Hypothesis-driven

A good hunt is not aimless log-staring. It begins with a testable hypothesis, often phrased as: "If an attacker were doing X in our environment, what artifacts would that leave, and where?" For example, "if an adversary is using a LOLBin for download, I should see certutil or bitsadmin making outbound connections to non-corporate hosts." The hunter then queries telemetry to confirm or refute it.

What success looks like

A hunt that finds no compromise is still valuable if it produces something durable: a new detection rule, a documented coverage gap, an improved baseline, or confidence that a technique is not present. The worst outcome is a hunt that leaves no reusable artifact.

Why this matters

Interviewers want to hear that you understand hunting as a discipline — assume breach, form a hypothesis, test it against real data, and feed results back into detection. Candidates who conflate hunting with "reading alerts harder" or "running a scanner" reveal they have not done it.

Likely follow-ups

  • Where do you get the hypotheses you hunt on?
  • What is a good output of a hunt that finds nothing malicious?
  • How do you measure whether a hunting program is working?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.