
What is cyber threat hunting?

Cyber threat hunting is the process of proactively searching for unknown or undetected threats across an organization’s network, endpoints, and data.

How cyber threat hunting works

Cyber threat hunting utilizes threat hunters to preemptively search for potential threats and attacks within a system or network. Doing so allows for agile, efficient responses to increasingly complex, human-operated cyberattacks. While traditional cybersecurity methods identify security breaches after the fact, cyber threat hunting operates under the assumption that a breach has occurred, and can identify, adapt, and respond to potential threats immediately upon detection.

Sophisticated attackers can breach an organization and remain undetected for extended periods of time—days, weeks, or even longer. Adding cyber threat hunting to your existing profile of security tools, like endpoint detection and response (EDR) and security information and event management (SIEM), can help you prevent and remediate attacks that might otherwise go undetected by automated security tools.

Automated threat hunting

Cyber threat hunters can automate certain aspects of the process by using machine learning, automation, and AI. Taking advantage of solutions like SIEM and EDR can help threat hunters streamline hunting procedures by monitoring, detecting, and responding to potential threats. Threat hunters can create and automate different playbooks to respond to different threats, thereby easing the burden on IT teams whenever similar attacks arise.

Tools and techniques for cyber threat hunting

Threat hunters have numerous tools at their disposal, including solutions like SIEM and XDR, which are designed to work together.

  • SIEM: A solution that collects data from multiple sources with real-time analysis, SIEM can provide threat hunters with clues about potential threats.
  • Extended detection and response (XDR): Threat hunters can use XDR, which provides threat intelligence and automated attack disruption, to achieve greater visibility into threats.
  • EDR: EDR, which monitors end-user devices, also provides threat hunters with a powerful tool, giving them insight into potential threats across all of an organization’s endpoints.

Three types of cyber threat hunting

Cyber threat hunting typically takes one of the following three forms:

Structured: In a structured hunt, threat hunters look for suspicious tactics, techniques, and procedures (TTPs) that suggest potential threats. Rather than approaching the data or system and looking for breachers, the threat hunter creates a hypothesis about a potential attacker’s method and methodically works to identify symptoms of that attack. Because structured hunting is a more proactive approach, IT professionals who employ this tactic can often intercept or stop attackers quickly.

Unstructured: In an unstructured hunt, the cyber threat hunter searches for an indicator of compromise (IoC) and conducts the search from this starting point. Because the threat hunter can go back and search historical data for patterns and clues, unstructured hunts can sometimes identify previously undetected threats that may still place the organization at risk.

Situational: Situational threat hunting prioritizes specific resources or data within the digital ecosystem. If an organization assesses that particular employees or assets are the highest risks, it can direct cyber threat hunters to concentrate efforts on preventing or remediating attacks against these vulnerable people, datasets, or endpoints.

Threat hunting steps and implementation

Cyber threat hunters often follow these basic steps when investigating and remediating threats and attacks:

  1. Create a theory or hypothesis about a potential threat. Threat hunters might start by identifying an attacker’s common TTPs.
  2. Conduct research. Threat hunters investigate the organization’s data, systems, and activities (a SIEM solution can be a useful tool) and collect and process relevant information.
  3. Identify the trigger. Research findings and other security tools can help threat hunters distinguish a starting point for their investigation.
  4. Investigate the threat. Threat hunters use their research and security tools to determine if the threat is malicious.
  5. Respond and remediate. Threat hunters take action to resolve the threat.
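
The five steps above, worked through as a small structured hunt. This is an added example, not code from the original page or from any Microsoft product; the hypothesis, the event field names, and the sample events are constructed assumptions for illustration.

```python
from collections import Counter

# Step 1 - hypothesis (assumed for this example): a document application
# starting a script interpreter suggests a malicious attachment was opened.
DOC_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Step 2 - research: constructed process-creation events, shaped like what
# an EDR or SIEM export might contain (field names are hypothetical).
EVENTS = [
    {"host": "ws-014", "user": "alice", "parent": "explorer.exe", "child": "winword.exe"},
    {"host": "ws-014", "user": "alice", "parent": "winword.exe", "child": "powershell.exe"},
    {"host": "ws-022", "user": "bob", "parent": "explorer.exe", "child": "cmd.exe"},
    {"host": "fin-03", "user": "carol", "parent": "excel.exe", "child": "cmd.exe"},
    {"host": "fin-04", "user": "dave", "parent": "excel.exe", "child": "cmd.exe"},
    {"host": "fin-05", "user": "erin", "parent": "excel.exe", "child": "cmd.exe"},
    {"host": "ws-031", "user": "frank", "parent": "services.exe", "child": "svchost.exe"},
]

def find_triggers(events):
    """Step 3 - trigger: events that match the hypothesis."""
    return [e for e in events
            if e["parent"].lower() in DOC_APPS and e["child"].lower() in INTERPRETERS]

def investigate(triggers, rare_max_hosts=1):
    """Step 4 - investigate: rank matches by how many hosts show the same pair.
    A pair seen on many hosts may be a business macro (assumed heuristic);
    a rare pair is reviewed first."""
    hosts_per_pair = Counter()
    for pair, host in {((e["parent"], e["child"]), e["host"]) for e in triggers}:
        hosts_per_pair[pair] += 1
    findings = []
    for e in triggers:
        n = hosts_per_pair[(e["parent"], e["child"])]
        findings.append({**e, "hosts_with_pair": n,
                         "priority": "high" if n <= rare_max_hosts else "review"})
    return sorted(findings, key=lambda f: f["hosts_with_pair"])

def respond(findings):
    """Step 5 - respond: hosts to hand to incident response for containment."""
    return sorted({f["host"] for f in findings if f["priority"] == "high"})

if __name__ == "__main__":
    results = investigate(find_triggers(EVENTS))
    for f in results:
        print(f["priority"], f["host"], f["parent"], "->", f["child"])
    print("escalate:", respond(results))
```

The prevalence ranking in step 4 only orders the review queue; the "review" matches still need an analyst to confirm they are expected activity.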

Types of threats hunters can detect

Cyber threat hunting has the capacity to identify a wide range of different threats, including the following:

  • Malware and viruses: Malware impedes the use of normal devices by gaining unauthorized access to endpoint devices. Phishing attacks, spyware, adware, trojans, worms, and ransomware are all examples of malware. Viruses, some of the more common forms of malware, are designed to interfere with a device’s normal operation by recording, corrupting, or deleting its data before spreading to other devices on a network.
  • Insider threats: Insider threats stem from individuals with authorized access to an organization’s network. Whether through malicious actions or inadvertent or negligent behaviors, these insiders misuse or cause harm to the organization’s networks, data, systems, or facilities.
  • Advanced persistent threats: Sophisticated actors who breach an organization’s network and remain undetected for a period of time represent advanced persistent threats. These attackers are skilled and often well-resourced.
  • Social engineering attacks: Cyberattackers can use manipulation and deception to mislead an organization’s employees into giving away access or sensitive information. Common social engineering attacks include phishing, baiting, and scareware.

Cyber threat hunting best practices

When implementing a cyber threat hunting protocol at your organization, keep the following best practices in mind:

  • Give threat hunters full visibility into your organization. Threat hunters are most successful when they understand the big picture.
  • Maintain complementary security tools like SIEM, XDR, and EDR. Cyber threat hunters rely on automations and data provided by these tools to identify threats more quickly and with greater context for faster resolution.
  • Stay informed on the latest emerging threats and tactics. Attackers and their tactics are constantly evolving—make sure your threat hunters have the most up-to-date resources on current trends.
  • Train employees to identify and report suspicious behaviors. Reduce the possibility of insider threats by keeping your people informed.
  • Implement vulnerability management to reduce your organization’s overall risk exposure.

Why threat hunting is important for organizations

As malicious actors become increasingly sophisticated in their methods of attack, it is vital for organizations to invest in proactive cyber threat hunting. Complementary to more passive forms of threat protection, cyber threat hunting closes security gaps, allowing organizations to remediate threats that would otherwise go undetected. Intensifying threats from complex attackers mean that organizations must bolster their defenses to maintain trust in their ability to handle sensitive data and reduce costs associated with security breaches.

Products like Microsoft Sentinel can help you stay ahead of threats by collecting, storing, and accessing historical data at cloud scale, streamlining investigations, and automating common tasks. These solutions can provide cyber threat hunters with powerful tools to help keep your organization protected.

Frequently asked questions

  • An example of cyber threat hunting is a hypothesis-based hunt in which the threat hunter identifies suspected tactics, techniques, and procedures an attacker might use, then searches for evidence of them within an organization’s network.

  • Threat detection is an active, often automated, approach to cybersecurity, while threat hunting is a proactive, non-automated approach.

  • A security operations center (SOC) is a centralized function or team, either onsite or outsourced, responsible for improving an organization’s cybersecurity posture and preventing, detecting, and responding to threats. Cyber threat hunting is one of the tactics SOCs use to identify and remediate threats.

  • Cyber threat hunting tools are software resources available to IT teams and threat hunters to help detect and remediate threats. Examples of threat hunting tools include things like antivirus and firewall protections, EDR software, SIEM tools, and data analytics.

  • The main purpose of cyber threat hunting is to proactively detect and remediate sophisticated threats and attacks before they harm the organization.

  • Cyber threat intelligence is the information and data cybersecurity software collects, often automatically, as part of its security protocols to better protect against cyberattacks. Threat hunting involves taking information gathered from threat intelligence and using it to inform hypotheses and actions to search for and remediate threats.
