Glossary

What Is Threat Hunting?

Threat hunting is the proactive, hypothesis-driven search for adversaries inside an environment — under the assumption that prevention will fail and that automated detection has missed something. Hunters start with a hypothesis ("if X actor were here, we would see Y"), gather evidence, and either confirm an intrusion or sharpen detection for next time.

How Hunting Differs from Alerting

Alerting reacts to predefined signatures. Hunting starts from a hypothesis about adversary behavior — usually informed by threat intelligence, the MITRE ATT&CK matrix, or the hunter's read of recent incidents. The point is to find what the alerts missed.

A Typical Hunting Loop

  1. Form a hypothesis ("an actor with this TTP would touch DNS records that look like this").
  2. Translate the hypothesis into queries against logs, EDR data, network telemetry, or external infrastructure data.
  3. Investigate hits — separate true positives from noise.
  4. If something is found, hand off to incident response. If nothing is found, refine the hypothesis and codify the queries as new detections so the next pass is automated.

The Data Hunters Need

  • Endpoint telemetry — process trees, command lines, file writes, registry changes.
  • Network telemetry — flows, DNS, TLS metadata, proxy logs.
  • Authentication logs — sign-ins, lateral movement, anomalous credential use.
  • External infrastructure data — passive DNS, BGP, WHOIS, certificate transparency, threat feeds.

The last category is often missing. Internal logs tell you what happened on your network. External infrastructure data tells you what the attacker is using outside it.

Pyramid of Pain Implications

The Pyramid of Pain ranks indicators by how costly they are for the adversary to change: hashes and IPs sit at the bottom, tools and TTPs at the top. Hunters who chase only IOCs (hashes, IPs) are always one rotation behind. Hunters who chase TTPs (the way an actor stages and rotates infrastructure) catch attacks that survive IOC churn.
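The following is an added example, not code from the page or from Whisper, that runs one pass of the hunting loop above over constructed endpoint and DNS telemetry and contrasts an IOC-level query with a TTP-level one to make the Pyramid of Pain point concrete. Every host, IP, domain, command line and allowlist entry in it is an invented sample value.

```python
"""Added example, not code from the original page: one pass of the hunting loop
over constructed telemetry. An IOC query (exact IP match) is contrasted with a
TTP query (behaviour pattern); all hosts, IPs, domains and commands are invented."""
from dataclasses import dataclass

@dataclass
class Event:
    host: str
    parent: str       # parent process image name
    process: str      # child process image name
    cmdline: str
    dns_query: str    # domain the child process resolved ("" if none)
    resolved_ip: str  # answer returned for that query ("" if none)

# Constructed telemetry: ws01 and ws02 show the same behaviour with rotated
# infrastructure; ws03/ws04 are benign noise; ws05 is a vetted corporate add-in.
TELEMETRY = [
    Event("ws01", "winword.exe", "powershell.exe", "powershell -f a.ps1", "cdn-update.example", "203.0.113.10"),
    Event("ws02", "winword.exe", "powershell.exe", "powershell -f b.ps1", "files-sync.example", "198.51.100.7"),
    Event("ws03", "explorer.exe", "powershell.exe", "powershell Get-Process", "", ""),
    Event("ws04", "services.exe", "svchost.exe", "svchost -k netsvcs", "wpad.corp.example", "10.0.0.5"),
    Event("ws05", "winword.exe", "powershell.exe", r"powershell -f C:\corp\signed-addin.ps1", "addin.corp.example", "10.0.0.9"),
]

KNOWN_BAD_IPS = {"203.0.113.10"}                     # step 1, IOC form: one feed entry (constructed)
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "wscript.exe", "cmd.exe"}
ALLOWLIST = {r"C:\corp\signed-addin.ps1"}            # step 3: command lines already vetted as benign

def ioc_hunt(events, bad_ips):
    """Step 2, bottom of the pyramid: 'the actor's last-known IP shows up in our DNS answers'."""
    return [e for e in events if e.resolved_ip in bad_ips]

def ttp_hunt(events):
    """Step 2, top of the pyramid: 'an Office app spawns a scripting interpreter
    that then resolves a domain'. The query does not change when the IP or domain does."""
    return [e for e in events
            if e.parent in OFFICE_APPS and e.process in INTERPRETERS and e.dns_query]

def triage(hits, allowlist=ALLOWLIST):
    """Step 3: separate true positives from noise by dropping vetted command lines."""
    return [e for e in hits if not any(ok in e.cmdline for ok in allowlist)]

if __name__ == "__main__":
    # Step 4: the triaged TTP query is the one worth codifying as a standing detection.
    print("IOC hunt:", [e.host for e in ioc_hunt(TELEMETRY, KNOWN_BAD_IPS)])  # -> ['ws01']
    print("TTP hunt:", [e.host for e in triage(ttp_hunt(TELEMETRY))])        # -> ['ws01', 'ws02']
```

The IOC query stops matching as soon as the actor moves to the second IP, while the behaviour query still returns both hosts after triage.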

Hunting with Whisper

Whisper gives hunters a single graph for external infrastructure context. Pivot from a SIEM alert's domain to its full footprint — co-hosted domains, ASN history, registrant overlap — without leaving the investigation. Read more about use cases or browse the Cypher cookbook.