Threat Hunting
What is Threat Hunting?
Threat hunting is the proactive process of searching an environment for signs of malicious activity even though no alert has fired and no incident has been confirmed.
Examples
- A security analyst searches endpoint data for signs of credential dumping after learning that a threat actor is targeting similar organizations.
- A SOC team reviews unusual PowerShell use across employee devices to see whether an attacker is abusing legitimate tools to stay hidden.
Discover 🔎
Most security teams spend a lot of time responding to alerts. A tool detects something unusual, an analyst reviews it, and the team decides whether it is harmless or dangerous. Threat hunting is different. Instead of waiting for an alarm, the team goes looking for danger on purpose.
That matters because attackers do not always trigger obvious alerts. Some move carefully, use legitimate tools, blend into normal activity, or exploit gaps in monitoring. If defenders rely only on what security tools flag automatically, such activity can remain hidden for far too long. Threat hunting exists to close that gap.
Summary 📝
Threat hunting is the proactive search for malicious activity that may be present even when no clear alert has been raised. It helps defenders find hidden threats, improve visibility, and strengthen future detections. Its value comes from structured investigation, good telemetry, and the willingness to look beyond what automated tools already report.