close banner

Threat Hunting


    What is Threat Hunting?

    Threat hunting is the practice of an organization’s security operations center (SOC) to proactively search for cyber threats that are lurking undetected in an organization’s network. Also known as “cyberthreat” hunting, a SOC process proactively searches for malicious actors, previously unknown or ongoing non-remediated threats, in an enterprise’s environment that might have slipped past its initial endpoint security defenses.

    What are the benefits of Threat Hunting?

    • Effective threat hunting reduces the time an attacker spends in an organization’s network (i.e., weeks, or even months) and the amount of damage done by the attacker.
    • Threat hunters may use network detection and response (NDR) tools with artificial intelligence (AI) and/ or machine learning (ML) to correlate multiple actions and recognizes various indicators of compromise (IOC). Hunters can receive automated alerts that are risk-scored and MITRE ATT&CK labeled for easy categorization of suspicious activity.
    • Threat hunters comb through security data and search for hidden malware or attackers. They search for patterns of suspicious activity that a computer might have missed or judged to be resolved but isn’t. They also help patch an enterprise’s security system to prevent that type of cyberattack from recurring.

    What is an example of a threat hunting exercise?

    One example is an unstructured hunt. It is initiated based on a trigger, one of many indicators of compromise. This trigger often causes a hunter to look for pre- and post-detection patterns. For example, a hunter observes a user accessing a domain in the network that is not commonly used. Guiding their approach, the hunter can research as far back as the data retention, and previously associated offenses allow.

    Related Products


    Network Performance
    Management Software


    Extend Network


    Packet Capture
    and Analysis

    Related Glossary Terms

    Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network.

    Flow monitoring aims to give IT teams information about the traffic that crosses through their network as well as how their network is performing on a daily basis.

    Network detection and response (NDR) platforms use technology that continuously monitors and detects anomalies and malicious activity on corporate networks using machine learning (ML) and data analytics. NDR platforms enables enterprises to monitor all network traffic, allowing them to react and respond to all threats.

    IEEE 802.3 is a combination of standards and protocols defined by the Institute of Electrical and Electronics Engineers (IEEE).

    IPFIX was developed by the Internet Engineering Task Force (IETF) in 2013.