Threat Hunting Program Guide: Structure, Cadence, and Evidence

What Threat Hunting Is, and What It Is Not

Threat hunting is the proactive, hypothesis-driven search through telemetry for adversary activity the deployed detection library did not surface. It assumes the environment is already compromised somewhere and works to find the evidence rather than waiting for the detection content to alert. The mindset is investigative rather than reactive: the analyst poses a question that the existing rules cannot answer, runs queries to test it, and classifies the outcome. The discipline is not new (it traces to the Sqrrl team that published the original hunt loop in 2015), but the operating practice has matured significantly across the past decade as detection-library coverage stopped scaling with environment complexity.

Threat hunting is not security monitoring. Monitoring reacts to alerts the deployed content raised. Threat hunting is not incident response. IR confirms, contains, and recovers from already-detected compromises. Threat hunting is not detection engineering, although the two are tightly coupled: detection engineering writes and maintains the rule library, and hunting tests where the library does not yet cover. Threat hunting is not penetration testing. Pentests probe whether a control would block an attacker; hunting probes whether an attacker is already past the controls. The four disciplines share the asset map, the telemetry, and the platform, but they run on different cadences, against different inputs, and produce different evidence. A programme that conflates them tends to over-rotate on one at the expense of the others.

A working hunting programme produces three classes of outcome on every cycle: confirmed incidents handed to enterprise incident response with the hunt evidence attached, new or tuned detections handed to detection engineering with the rule logic and test cases, and recorded negative results that bound the coverage claim. A programme without those three outcomes is exploratory analysis, not a programme. The structural difference is the artefact: the hunt has a hypothesis, a scope, a query record, a finding classification, a routing decision, and a closure stamp. The artefact is what the audit reads.

Where Hunting Sits Inside the Wider Operating Model

The most common conceptual confusion in early hunting builds is the boundary with the security operations centre, the managed detection and response (MDR) provider, and the incident response function. Hunting sits upstream of all three. The SOC reacts to the validated alerts the deployed content raised on the customer telemetry stack. MDR is the outsourced packaging of monitoring, triage, and active response. IR confirms, contains, and recovers when a compromise is in scope. Hunting forms a hypothesis about activity that the SOC and MDR would not currently catch, tests it against the telemetry those units rely on, and flows confirmed findings into IR while flowing the rest back into detection engineering as new or tuned content.

The same boundary applies to extended detection and response (XDR), endpoint detection and response (EDR), and network detection and response (NDR): each is a technology category that surfaces alerts on a specific surface. Hunting works across the surfaces with hypotheses the surface-specific detection library was not designed to answer. The relationship with the security information and event management (SIEM) platform is the most operationally important: hunting runs against the long-term searchable record the SIEM maintains, so hunting capacity is directly limited by SIEM retention, parser fidelity, and query performance. Programmes that try to hunt without addressing the data layer first tend to rediscover that detection content is not the bottleneck; telemetry quality is.

Hunting also has a deliberate relationship with threat intelligence platforms (TIPs) and the broader intelligence function. Intelligence-led hunting starts from a CTI report and forms an operational hypothesis from it; the hunt outcome is fed back to the intelligence team as a coverage answer to the intelligence requirement. The relationship also extends to breach and attack simulation (BAS): BAS validates whether detection content fires on a known technique; hunting tests whether an undetected technique is in the environment. The two are complementary, not redundant.

The Hunt Loop: Four Phases on Every Hunt

Every chartered hunt runs through a four-phase loop. The loop has roots in the Sqrrl team's 2015 hunt cycle (Hypothesis, Investigation, Uncovering, Inform and Enrich) and has been extended by PEAK and TaHiTI. The phases run sequentially per hunt but the loop iterates continuously at the programme level. Hunts that skip a phase tend to leak knowledge and stop producing operational change.

The loop is the structural answer to the most common hunting failure mode: hunts that produce stories but no operational change. Each phase exists to remove a specific failure: the hypothesis phase prevents fishing expeditions, the investigation phase prevents lost analyst knowledge, the uncovering phase prevents inconclusive endings, and the inform and enrich phase prevents one-shot value from being lost on the next cycle. Programmes that enforce the four phases on the artefact tend to keep producing operational change across staffing changes; programmes that skip phases tend to need re-founding every two years.

Methodology Choice: PEAK, TaHiTI, or a Documented In-House Variant

Adopting a named methodology is one of the highest-leverage decisions in the foundation phase. The methodology gives the team a shared vocabulary, a shared artefact shape, and a shared expectation for the handoff to detection engineering and IR. Two methodologies dominate the practical literature: PEAK from SURGe (the Splunk threat research team, published 2023) and TaHiTI from a Dutch financial-sector group (published 2018). Programmes that adopt one rather than improvising tend to sustain the cadence across staff changes more reliably.

The methodology choice is reversible but not cheap to reverse. Programmes that change methodology more than once a year tend to lose three to six months of operating momentum each time. The pragmatic recommendation is to pick PEAK if the programme is being founded without a heavy CTI function in place, pick TaHiTI if the programme is being founded inside or adjacent to a working CTI function, and only pick an in-house variant once the programme has run a year of disciplined cycles on one of the published methods and has evidence-backed reasons for the divergence.

Four Hypothesis Types a Balanced Programme Runs

Hypothesis sourcing is the activity that limits the programme's ceiling. Programmes that over-index on one hypothesis source tend to plateau quickly: pure intelligence-led programmes miss in-environment anomalies the CTI feed never names; pure baseline-anomaly programmes miss adversary techniques that hide in normal-looking traffic; pure TTP-led programmes miss the asset-specific weaknesses that do not map cleanly onto ATT&CK. A balanced programme runs the four types across a quarter and tracks the source mix.

Tracking the source mix is itself a programme-level metric. A practical target is roughly balanced thirds across intelligence-led, TTP-based, and the anomaly-or-crown-jewel pair, with deliberate skew in response to a named driver (a sector incident triggering more intelligence-led work for a quarter, an audit driving more TTP-based work, a major release driving more crown-jewel work). The source mix conversation is the conversation the monthly programme review has rather than the "how many hunts did we run" conversation that tends to drive vanity volume.

Staffing Model: Four Role Families That Make the Programme Run

A working hunting programme has four named role families. Headcount depends on scale, the telemetry footprint, and the cadence target. Smaller programmes consolidate roles onto a single analyst; larger programmes split each role across a small team. The roles can sit inside an existing SOC, detection engineering, or threat intelligence team provided the programme has a named lead and a written charter rather than an unnamed shared responsibility.

A practical sizing rule of thumb: an organisation with one SIEM, one EDR, and a small asset footprint runs the programme with a hunting lead plus one hunt analyst, with the detection engineering liaison sitting with an existing detection engineer; an organisation with multiple telemetry sources, a medium asset footprint, and one or two regulatory regimes runs the programme with a lead, two to three analysts, and a named liaison; an organisation with broad telemetry, a large asset footprint, and multiple regulatory regimes runs the programme as a four-to-eight-person unit. The role mapping is usually captured on the existing security RACI template so the operating model is auditable on paper before it is auditable in the record.

The Four-Layer Operating Cadence

The cadence turns the methodology from a document into evidence. Without it, hunting is a project that runs three times a year and is never compared against itself. With it, hunting is a unit that operates against a record with timestamped state changes, recorded outcomes, and reproducible reporting. The four layers are calibrated against operational volume, not against meeting tradition.

Each cadence layer runs against the same record. The daily backlog hygiene works the backlog on the workspace. The weekly hunt cycle closes hunt artefacts on the same workspace. The monthly programme review reads metrics derived from the same workspace. The quarterly methodology review reads the methodology artefacts attached to the same workspace. The activity log captures the timestamped state changes from every cycle so the audit reads the cadence as one continuous record rather than as four separate meeting trails.

Metrics: Five Families the Programme Operates Against

Hunt-volume metrics on their own are vanity. A working programme operates against five metric families. Reporting in each family is anchored to the record so the leadership read is reproducible from the live workspace rather than from an assembled dashboard rebuilt every quarter.

The metrics live on the same record the programme operates on. The monthly programme review reads them from the workspace rather than from a parallel spreadsheet that has to be rebuilt each cycle. Programmes that maintain metric dashboards detached from the record tend to find that the dashboard and the record disagree by month three and the review becomes a reconciliation conversation rather than a decision conversation.

Routing Hunt Findings into the Wider Operating Model

A hunt finding flows into exactly one of four downstream destinations and the destination is recorded on the artefact. Recording the routing decision is the structural answer to the most common hunting failure mode: hunts that produce outcomes that nobody acts on because there is no named recipient.

The routing record is what makes hunting auditable. The audit question is not how many hunts ran; the audit question is what happened as a result of the hunts that ran. A programme that can answer the second question from the record without reconstruction is a programme the audit committee can defend.

Framework Crosswalk and Audit Evidence

A well-operated hunting programme produces evidence read by multiple compliance regimes from one source of truth. The same artefact (hypothesis, scope, queries, outcome, routing) answers each framework rather than each framework forcing a separate evidence assembly.

The framework crosswalk is one artefact maintained on the workspace by programme governance, not seven separate evidence assemblies rebuilt for each audit. The crosswalk also reads alongside the broader security compliance automation workstream so the hunt evidence sits naturally inside the wider audit calendar.

When to Charter a Programme Rather Than Run Ad Hoc Hunts

Not every organisation needs a chartered hunting programme. Six signals indicate that ad hoc hunting has reached its limit and a chartered unit is the right next step. The signals are observable from the existing record without needing to commission an assessment.

• The same hypothesis has been hunted three or more times without a recorded outcome that the next analyst can find.
• Detection coverage of the named ATT&CK technique set cannot be answered from the existing record without analyst recall.
• CTI reading is happening on a cadence but does not produce operational change downstream.
• Hunt outcomes are kept in analyst notebooks and not reliably handed to detection engineering.
• An audit has asked for evidence of proactive threat detection effort and the answer was improvised rather than read from a record.
• The board or audit committee has asked about coverage and the answer was a tool count rather than a coverage claim.

Organisations showing one or two of these signals can run a structured weekly hunting slot inside the existing SOC or detection engineering team without a separate programme charter. Organisations showing four or more typically need a named programme owner, a written charter, an operating cadence, and a record substrate the cadence runs on. Organisations with all six are usually already paying coordination cost without coordination structure: chartering the programme converts that cost into capacity.

Common Failure Modes and How to Avoid Them

Seven failure modes recur across hunting programmes regardless of vertical or scale. Naming them in the charter and reading them at the quarterly methodology review tends to prevent the silent versions from accumulating into a programme stall.

Build Phases: Foundation, Operating, Maturity

A practical build runs across three phases over six to twelve months. Each phase has a named deliverable rather than a generic milestone. Programmes that compress the foundation phase tend to rebuild it after the first quarter when the cadence breaks.

Where SecPortal Fits Inside a Hunting Programme

SecPortal is not a SIEM, not an EDR, not an XDR, not an MDR provider, does not ingest live telemetry, does not run hunting queries against telemetry, does not execute response actions, does not maintain a detection library, and does not ship integrations into Splunk, Microsoft Sentinel, Google Chronicle, IBM QRadar, Sumo Logic, Elastic Security, CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender XDR, Palo Alto Cortex XDR, Jira, ServiceNow, Slack, PagerDuty, Opsgenie, or any SOAR. The programme runs on the SIEM, EDR, XDR, or data lake the organisation already operates. What SecPortal supplies is the record substrate the cadence and the audit reads operate against.

On the operating side, engagement management runs each hunt cycle as a scoped engagement with a named owner, start and end dates, and the cadence record; findings management captures hunt-derived findings with CVSS 3.1 severity, CWE category, asset binding, and the hunt artefact attached; bulk finding import accepts hunt-side outputs from outside tooling in CSV, Nessus, and Burp formats so the programme does not need to re-key results that already exist; retesting workflows pair each hunt-identified weakness to a verified close. The finding overrides mechanism records false positive, accepted risk, and severity adjustment decisions on the same record so the hunt outcome stays auditable across closure.

On the governance side, team management with RBAC scopes access across the hunting lead, hunt analysts, detection engineering liaison, and programme governance roles; MFA enforcement protects the workspace against account compromise; the activity log captures every hunt artefact state change with timestamp and actor for the audit trail and exports as CSV for the audit fieldwork response; document management holds the charter, the methodology document, and the framework crosswalk on the same workspace the cadence runs against.

On the reporting side, AI report generation drafts the per-cycle hunt narrative, the monthly programme review pack, and the leadership summary from the workspace record; compliance tracking maps hunt evidence against ISO 27001, SOC 2, PCI DSS, NIST 800-53, and NIST CSF 2.0 templates; continuous monitoring supports the recurring detection-baseline scans the programme pairs with hunts; and the white-labeled client portal on tenant subdomains supports cross-organisation programme reviews without forcing reviewers onto the main workspace. The platform is the operating record for the programme; the methodology, the cadence, and the hypotheses are decisions the organisation makes.

Putting It Together

A threat hunting programme is a structural answer to a coverage problem. The deployed detection library catches the techniques it was written for; the hunting programme catches the techniques it was not. Done well, the programme produces a coverage answer the audit committee can read, a detection content pipeline the SOC benefits from, and an incident-discovery channel that catches activity the surface-specific tools missed. Done badly, it produces quarterly slides naming intelligence sources the team read.

The build is six to twelve months at a sensible pace. The signal the build is working is not the hunt count, not the meeting volume, and not the tooling investment. It is the outcome mix on the monthly review, the conversion rate at the detection engineering handoff, and the coverage matrix readable from the live record. Programmes that do the structural work and let the cadence drive the record produce hunting capability that survives leadership change and audit fieldwork. Programmes that skip the structural work tend to rebuild after the first material incident or the first audit finding they cannot answer.

The next step is concrete. Name the lead. Pick the methodology. Draft the charter. Land the hunt backlog on a single workspace. Run the first two hunts end to end. The programme starts the moment the record starts.