Writing detections to catch known threats is straightforward, but novel threats that slip past your existing rules require a different approach. That's where proactive threat hunting comes in. When adversaries are discovered through external notification (such as law enforcement, fraud detection, or breach disclosure), they could have had weeks of undetected access to your environment.
Rather than waiting for alerts, threat hunting assumes adversaries have already bypassed your automated controls and actively searches for evidence of their presence. This article shows you how to build that threat hunting capability, even with a small team.
Key Takeaways
Threat hunting is a proactive security approach that assumes compromise and searches for threats before alerts are triggered, fundamentally different from reactive monitoring.
The hunting process follows the scientific method: develop hypotheses from threat intelligence, collect data across multiple sources, investigate patterns, and feed findings back into automated detections.
Small teams should optimize alert triage first, then build hunting capabilities progressively through hypothesis-driven investigations that improve automated detection.
Panther supports the full threat hunting cycle by combining detection-as-code workflows, a security data lake for flexible querying, and AI-assisted triage that compresses investigation time.
What Is Threat Hunting?
Threat hunting is a proactive security practice in which security analysts actively search for threats that have evaded your existing defenses.
To understand why this proactive approach matters, consider how traditional security operations work: an alert fires, you investigate, you respond. This reactive workflow handles known threats effectively, but it fails against sophisticated adversaries who study your detection logic and design their techniques to evade it. Threat hunting flips this model by assuming compromise has already occurred and actively searching for evidence through hypothesis-driven investigation.
The core problem that threat hunting addresses is dwell time: the period adversaries operate undetected in your environment. In 2024, the global median dwell time was 11 days. When the internal security team didn’t detect the intrusion, the dwell time climbed to 26 days before discovery by external entities. Proactive threat hunting is the only rational defense against giving adversaries ample time to escalate privileges, exfiltrate data, and establish persistence in your organization.
Threat hunting is essentially the difference between discovering a breach on your terms versus learning about it after the threat has been active. Organizations that proactively hunt for adversaries have a better chance of finding them before breaches lead to business losses. Every successful hunt either neutralizes an active threat or validates that your defenses are working, turning uncertainty into actionable intelligence that strengthens your security posture over time.
The Differences Between Threat Hunting and Other Security Practices
People often mistake threat hunting for other security practices because they share overlapping goals: finding and stopping threats. The difference lies in timing, methodology, and what triggers the activity. Understanding these distinctions helps you position threat hunting within your broader security operations and avoid duplicating efforts.
Threat Hunting vs. Incident Response
Threat hunting happens before you confirm an incident. You're testing hypotheses about potential compromises based on threat intelligence or environmental observations. Incident response begins after you detect something confirmed through an alert or investigation.
The two practices feed each other in a continuous loop. Hunt findings often trigger incident response when you discover active compromises. Meanwhile, incident response investigations can reveal detection gaps that inform future hunting hypotheses. A well-run security program uses this feedback loop to improve both capabilities continuously.
Threat Hunting vs. Threat Monitoring
Threat monitoring excels at scale, processing millions of events and surfacing patterns that humans can't match. But it operates on known signatures and alert rules. Threat hunting uses hypothesis-driven investigation, applying new intelligence to previously collected data to identify signs of compromise that automated systems may have missed.
The key distinction comes down to the question each approach answers. Traditional monitoring asks, "What matches our rules?" Threat hunting asks, "What's happening that we don't have rules for yet?" Both are necessary, and effective threat hunting actually strengthens monitoring by generating new detection rules from hunt findings.
Threat Hunting vs. Vulnerability Management
Vulnerability management identifies weaknesses such as unpatched software, misconfigurations, and exposed services before attackers exploit them. Threat hunting assumes exploitation has already occurred and searches for evidence of adversary presence.
The two practices complement each other: vulnerability management reduces your attack surface, while threat hunting catches adversaries who found a way in despite those defenses. When threat hunters discover a breach, root cause analysis often reveals vulnerabilities that need remediation, creating another feedback loop that strengthens your overall security posture.
How Threat Hunting Actually Works
Threat hunting is an intelligence-driven process. External threat intelligence tells you what adversaries are doing in the wild, and you systematically check whether those techniques are present in your environment. Each hunt follows a cycle: consume intelligence, form a hypothesis, investigate your data, and turn findings into automated detections.
1. Start with External Intelligence
Every hunt begins with a trigger from outside your environment. A threat intelligence report describes a new campaign targeting your industry. Security researchers publish details about a novel cloud attack technique. A vendor discloses a vulnerability that's being actively exploited. MITRE ATT&CK documents a TTP you haven't tested for.
These external inputs drive your hypothesis. For example, after reading about a campaign targeting developer credentials in your industry, you might hypothesize: "Compromised developer credentials may enable lateral movement through unusual cross-account AssumeRole operations outside normal deployment patterns."
Strong hypotheses are specific and testable. Weak hypotheses are too broad ("look for suspicious activity") or describe threats you already have automated detection coverage for.
2. Map Intelligence to Your Data
Once you have a hypothesis, identify which data sources in your environment can confirm or refute it. For cross-account lateral movement, you need CloudTrail logs (STS AssumeRole calls), AWS Config (role trust relationships), VPC Flow Logs (network paths), and IAM policies (effective permissions).
Essential data sources for cloud threat hunting include:
Identity and API activity: CloudTrail captures who did what and when, supplemented by identity provider logs from Okta or Azure AD
Network telemetry: VPC Flow Logs show traffic patterns and data transfer volumes
Configuration state: AWS Config tracks security group changes and IAM policy modifications
Endpoint behavior: GuardDuty Runtime Monitoring or Endpoint Detection and Response (EDR) solutions provide process execution and network connections
The more data sources you can correlate, the richer the context for each investigation. A single CloudTrail event showing an AssumeRole call tells you little on its own, but combined with VPC Flow Logs showing unusual network paths and AWS Config showing recent trust policy changes, that same event becomes part of a clear attack narrative.
3. Investigate and Validate
For the lateral movement hypothesis, you'd query CloudTrail for AssumeRole events, filter for cross-account operations, baseline normal deployment patterns, and identify outliers. You might discover a service account assuming roles in accounts it's never accessed before, from IP addresses outside your known infrastructure.
A systematic investigation process includes these steps:
Query CloudTrail for AssumeRole events, filtering for cross-account operations where the requesting account differs from the target role's account
Establish a baseline of normal deployment patterns from historical data
Identify outliers such as service accounts assuming roles in accounts they've never accessed before
Flag requests originating from IP addresses outside your known infrastructure
Correlate findings across CloudTrail (API activity), VPC Flow Logs (network paths), AWS Config (trust policy changes), and GuardDuty (threat indicators)
This approach surfaces every cross-account role assumption, which you then filter against known deployment patterns so that only the outliers remain for review.
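The investigation steps above, carried through as an added example that is not code from the article or from Panther: a Python hunt over CloudTrail AssumeRole records that builds a baseline of (principal, target account) pairs from historical data and flags recent cross-account calls that break the baseline or originate outside known address ranges. The account IDs, ARNs, CIDR ranges and events are all constructed for the example.

```python
import ipaddress

# Constructed ranges standing in for "known infrastructure": the VPC CIDR and an office egress range.
KNOWN_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "203.0.113.0/24")]

def account_from_arn(arn):
    """ARNs look like arn:partition:service:region:account-id:resource; field 4 is the account."""
    return arn.split(":")[4]

def is_cross_account(event):
    """True for AssumeRole calls where the caller's account differs from the target role's account."""
    if event["eventName"] != "AssumeRole":
        return False
    target = account_from_arn(event["requestParameters"]["roleArn"])
    return event["userIdentity"]["accountId"] != target

def ip_is_known(source):
    """sourceIPAddress may be an AWS service hostname (e.g. lambda.amazonaws.com) rather than an IP;
    service-initiated calls count as known, any other unparsable value does not."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return source.endswith(".amazonaws.com")
    return any(addr in net for net in KNOWN_CIDRS)

def build_baseline(history):
    """Baseline: the (caller ARN, target account) pairs seen in historical cross-account calls."""
    return {(e["userIdentity"]["arn"], account_from_arn(e["requestParameters"]["roleArn"]))
            for e in history if is_cross_account(e)}

def hunt(recent, baseline):
    """Return the cross-account AssumeRole events that are outliers, with the reason each was flagged."""
    findings = []
    for e in recent:
        if not is_cross_account(e):
            continue
        principal = e["userIdentity"]["arn"]
        target = account_from_arn(e["requestParameters"]["roleArn"])
        reasons = []
        if (principal, target) not in baseline:
            reasons.append("principal has never assumed a role in target account")
        if not ip_is_known(e["sourceIPAddress"]):
            reasons.append("source outside known infrastructure")
        if reasons:
            findings.append({"eventID": e["eventID"], "principal": principal, "target": target,
                             "sourceIP": e["sourceIPAddress"], "reasons": reasons})
    return findings

def ct(event_id, caller_account, caller_name, target_account, role, source):
    """Build a minimal constructed CloudTrail AssumeRole record with only the fields the hunt reads."""
    return {"eventID": event_id, "eventName": "AssumeRole",
            "userIdentity": {"accountId": caller_account,
                             "arn": f"arn:aws:iam::{caller_account}:user/{caller_name}"},
            "requestParameters": {"roleArn": f"arn:aws:iam::{target_account}:role/{role}"},
            "sourceIPAddress": source}

# Constructed history: the CI deployer routinely assumes DeployRole in the prod account from the VPC.
HISTORY = [ct(f"h{i}", "111111111111", "ci-deployer", "222222222222", "DeployRole", "10.0.1.15")
           for i in range(5)]
# Constructed recent window: a routine call, a same-account call, a pivot into a new account from an
# unknown address, and a human reusing the deployer's path from inside the VPC.
RECENT = [
    ct("r1", "111111111111", "ci-deployer", "222222222222", "DeployRole", "10.0.1.15"),
    ct("r2", "111111111111", "ci-deployer", "111111111111", "ReadOnly", "10.0.1.15"),
    ct("r3", "111111111111", "ci-deployer", "333333333333", "AdminRole", "198.51.100.7"),
    ct("r4", "111111111111", "alice", "222222222222", "DeployRole", "10.0.2.9"),
]

if __name__ == "__main__":
    for f in hunt(RECENT, build_baseline(HISTORY)):
        print(f["eventID"], f["principal"], "->", f["target"], f["reasons"])
```

Against real data the baseline window should be long enough to cover infrequent but legitimate paths (quarterly disaster-recovery drills, for instance), otherwise those show up as outliers on every hunt.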
Sometimes your hypothesis proves incorrect. You find nothing, or you discover the activity has a legitimate explanation. That's valuable—you've validated that this particular attack path isn't currently active in your environment. Other times, you uncover actual threats: compromised credentials, misconfigured resources, or adversary infrastructure you hadn't detected through automated means.
4. Document Findings and Create Detections
Every hunt should produce new detection rules, improved visibility, or validated confirmation that specific threat vectors are adequately covered. When you discover a technique adversaries are using, write a detection rule so you catch it automatically next time.
Traditional SIEM platforms often require proprietary query languages or complex rule syntax that slows down this feedback loop. Writing a detection rule might mean learning a vendor-specific language, navigating a clunky UI, and waiting for someone with admin access to deploy changes.
Modern SIEM solutions like Panther simplify this process. With Panther, you can write detection rules in Python, SQL, or YAML, depending on your preference and complexity needs. For teams without coding expertise, the AI Detection Builder lets you describe what you want to detect in plain language, and Panther AI writes the detection for you. This lowers the barrier between discovering a technique during a hunt and turning it into a production detection.
Panther also follows a detection-as-code approach, where you manage rules the same way developers manage application code. Store detections in version control, write unit tests to validate logic, review changes through pull requests, and deploy via CI/CD pipelines. This workflow means your one-time hunt finding becomes a tested, version-controlled detection that permanently improves your automated coverage.
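As an added example (not Panther's own code or a rule from its repository), the hunt finding above expressed in the shape Panther documents for Python rules: a rule(event) function that returns True to alert and a title(event) function. The event is a plain dict here (dict-style .get access is the only assumption made about Panther's event object), and the allowlist, account IDs and test cases are constructed.

```python
# Constructed allowlist of expected deployment paths as (caller ARN, target account) pairs.
# The hunt's validated baseline populates this; any other cross-account assumption alerts.
EXPECTED_DEPLOY_PATHS = {
    ("arn:aws:iam::111111111111:user/ci-deployer", "222222222222"),
}

def _account_from_arn(arn):
    """ARN field 4 is the owning account."""
    return arn.split(":")[4]

def rule(event):
    """Alert on cross-account AssumeRole calls that are not an expected deployment path."""
    if event.get("eventName") != "AssumeRole":
        return False
    role_arn = event.get("requestParameters", {}).get("roleArn")
    if not role_arn:
        return False  # nothing to compare against; leave malformed records to a separate visibility rule
    target = _account_from_arn(role_arn)
    identity = event.get("userIdentity", {})
    if identity.get("accountId") == target:
        return False  # same-account role assumption is out of scope for this rule
    return (identity.get("arn"), target) not in EXPECTED_DEPLOY_PATHS

def title(event):
    """Name the principal and the target account so the alert reads as a finding, not a pattern."""
    return (f"Unexpected cross-account AssumeRole by {event['userIdentity'].get('arn', 'unknown')} "
            f"into account {_account_from_arn(event['requestParameters']['roleArn'])}")

def _event(caller_account, caller_name, target_account, role, name="AssumeRole"):
    """Constructed CloudTrail-shaped test event with only the fields the rule reads."""
    return {"eventName": name,
            "userIdentity": {"accountId": caller_account,
                             "arn": f"arn:aws:iam::{caller_account}:user/{caller_name}"},
            "requestParameters": {"roleArn": f"arn:aws:iam::{target_account}:role/{role}"}}

# Unit tests kept beside the rule: each case states the expected verdict so a regression fails CI.
TEST_CASES = [
    ("expected deploy path", _event("111111111111", "ci-deployer", "222222222222", "DeployRole"), False),
    ("same-account assumption", _event("111111111111", "ci-deployer", "111111111111", "ReadOnly"), False),
    ("pivot into unknown account", _event("111111111111", "ci-deployer", "333333333333", "AdminRole"), True),
    ("unrelated API call", _event("111111111111", "alice", "222222222222", "X", name="GetCallerIdentity"), False),
]

def run_tests():
    """Return {case name: passed} so a CI step can fail the build on any False."""
    return {name: rule(ev) is expected for name, ev, expected in TEST_CASES}

if __name__ == "__main__":
    for name, passed in run_tests().items():
        print("PASS" if passed else "FAIL", name)
```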
4 Essential Tools for Threat Hunting
Effective threat hunting requires four categories of tooling: threat intelligence to drive hypotheses, centralized data storage to support investigation, endpoint visibility for host-level activity, and network analysis to detect traffic patterns.
1. Threat Intelligence Platforms
Threat intelligence informs hypothesis generation. When threat actors targeting your industry use specific TTPs, proactively hunt for those indicators. Open-source platforms like MISP and OpenCTI aggregate IOCs, MITRE ATT&CK TTPs, and campaign intelligence.
2. SIEM and Security Data Lakes
A SIEM or security data lake provides the centralized data foundation for threat hunting. Without it, you're logging into six different consoles, downloading JSON files, and manually piecing together timelines.
SIEMs with security data lakes offer an alternative: store logs in S3 or Snowflake at predictable costs and query directly without moving data. Normalize logs into consistent schemas so you can write queries that work across AWS CloudTrail, Okta, and your application logs without complex parsing logic.
Panther is built on this security data lake architecture, combining centralized storage with flexible querying and detection-as-code workflows. This architecture enables teams to ingest high volumes of data without proportional cost increases, maintain extended retention for historical analysis, and query across all sources without moving data between tools.
Cockroach Labs demonstrates what this looks like in practice. With Panther's security data lake, they gained 365 days of hot storage (up from 30 days with their legacy tool), ingested 5X more logs, and saved over $200K in SecOps costs. That extended retention is critical for threat hunting, which often requires analyzing historical patterns to establish baselines and identify anomalies that span weeks or months.
3. Endpoint Detection and Response (EDR)
EDR tools reveal what's happening inside your EC2 instances and containers by providing visibility for detecting credential dumping, privilege escalation, and host-level persistence mechanisms. Modern EDR captures process execution with command-line arguments, file system changes, network connections from endpoints, and memory access patterns.
For AWS environments, GuardDuty Runtime Monitoring provides agent-based collection for EKS clusters and EC2 instances. Commercial EDR platforms offer deeper forensic capabilities and cross-platform support if you're hunting across cloud, on-premises, and SaaS environments. Integrate endpoint telemetry with centralized data sources to avoid context-switching.
4. Network Traffic Analysis
VPC Flow Logs provide network-layer visibility, including source/destination IPs, ports, and byte counts. This data supports hunting for reconnaissance, data exfiltration, and lateral movement. Route 53 Resolver DNS logs help identify domain generation algorithms and DNS tunneling.
Core Threat Hunting Techniques and Methodologies
Threat hunting encompasses three primary approaches: behavioral analysis, indicator-based hunting, and TTP-based pattern hunting. Each serves distinct purposes, and mature teams employ all three based on available intelligence, data maturity, and environmental context.
1. Behavioral Analysis and Anomaly Detection
This approach excels at detecting abnormal behavior patterns that may indicate account compromise or unauthorized access. It's particularly effective for detecting advanced threats that use living-off-the-land techniques (attacks that use legitimate system tools and credentials rather than custom malware).
To detect anomalies, you first need to know what "normal" looks like, which means establishing baselines for users, service accounts, and systems. The challenge is that building accurate baselines requires mature data collection and sufficient historical context. Start with environment mapping and visibility establishment, then move to behavioral baseline development as data collection matures.
2. Indicator-Based Hunting
Indicator of compromise (IOC)-based hunting searches for specific artifacts, including file hashes, IP addresses, domain names, and malware signatures. In AWS, this extends to CloudTrail event patterns representing specific API call sequences. When threat intelligence reports a new campaign, you search your CloudTrail logs for the documented API call sequences they used.
The limitation is that adversaries easily change IOCs. File hashes and domains are trivial to modify. Mature threat hunting focuses on TTPs rather than low-level indicators. Still, when a supply chain compromise or a zero-day exploit becomes public, IOC-based hunting lets you quickly assess whether you're affected.
3. TTP-Based Pattern Hunting
Tactics, techniques, and procedures (TTP)-based hunting focuses on adversary behaviors and patterns rather than specific indicators, providing more resilient detection. Instead of searching for a specific malicious domain, you hunt for patterns: new domains contacted shortly after suspicious authentication attempts, or unusual API call sequences indicating privilege escalation.
MITRE ATT&CK provides the framework. Focus on cloud-specific techniques: log manipulation, exploitation of the Instance Metadata Service, and cross-account role assumption.
Scaling These Techniques with AI
AI-assisted threat hunting extends your team's capacity across all three approaches without expanding headcount. Instead of manually triaging every alert or writing detections from scratch, AI can surface similar past incidents, recommend detection logic based on TTPs, and prioritize investigations by contextual risk.
For behavioral analysis specifically, AI-powered detection platforms accelerate baseline establishment and anomaly identification. Instead of manually reviewing CloudTrail logs to establish baselines, AI can identify normal patterns across identity providers, API usage, and network flows—compressing the baseline development phase from months to weeks.
Panther AI integrates these capabilities directly into the hunting workflow. AI-powered alert triage and summarization provide analysts with full-context explanations rather than black-box verdicts, helping them understand why an alert matters and act faster. The AI Detection Builder lets hunters describe what they want to detect in natural language and generates the complete detection, including code, test cases, and metadata, ready for review and deployment.
Cresta's security team demonstrates this in practice. By implementing Panther AI for alert triage and investigation recommendations, they achieved a 50% reduction in triage times while maintaining thoroughness in investigations. This time compression creates capacity for hypothesis-driven hunting that would otherwise be consumed by managing the alert backlog.
For threat hunters specifically, AI assistance prevents burnout through three mechanisms: automated context gathering across multiple log sources, suggested detection logic based on MITRE ATT&CK mappings, and prioritized investigation queues based on environmental risk. You spend less time on repetitive triage tasks and more time on creative hypothesis development and novel threat pattern discovery.
Getting Started: Building Your Threat Hunting Practice
Threat hunting programs for small teams start with an honest readiness assessment. If you're drowning in alert triage, you won't have capacity for proactive hunting—optimize your alert triage workflows to reduce alert fatigue first.
Start Small with High-Value Targets
Begin by prioritizing based on business impact and gaps in detection capability. Effective hypothesis development requires three inputs: threat intelligence to understand which techniques adversaries are using, business impact analysis to identify which attacks would cause the most damage, and a telemetry assessment to determine what you can actually detect with current tools.
Focus early hunts on attack paths with high business impact—hunt for compromised privileged accounts before hunting for reconnaissance activity. Search for data exfiltration patterns from databases containing customer PII before investigating routine policy violations.
Time-box early hunts. Allocate two to four hours, focus on a specific hypothesis, and document findings regardless of outcome. This promotes sustainable practices rather than open-ended investigations that drag on for days without clear results.
Measure What Matters
Traditional SOC metrics primarily measure reactive operations. Threat hunting requires supplementary metrics that demonstrate both program activity and security outcomes.
Key metrics to track for your threat hunting program include:
Dwell time reduction: Internal discovery consistently reduces dwell time by more than half compared to external notification
Hunt-generated detections: New detection rules created from hunt findings, separate from automated alerts
Prevented incidents: Threats discovered before business impact occurred
Coverage progression: Which MITRE ATT&CK techniques you hunted for over time
Cost per incident reduction: Savings achieved through faster response
For leadership reporting, translate technical findings into business risk language. Don't report "discovered anomalous AssumeRole pattern." Report "identified compromised service account attempting to access production databases containing customer PII, prevented before data access occurred."
Build for Sustainability
Threat hunting transforms reactive security teams into proactive defenders, but for small teams it's a maturity milestone—not a day-one requirement. Start by optimizing alert triage to create capacity. Build comprehensive logging and establish environmental baselines. Then progressively develop hunting capabilities through focused, time-boxed investigations that feed findings back into detection engineering.
The most effective approach combines automated detection with human-driven investigation. Let your SIEM and EDR handle known patterns at scale while preserving human expertise for hypothesis-driven hunts that discover unknown threats. Feed findings back into automated detection through detection-as-code workflows, so each hunt permanently improves your coverage.
Building this capability requires the right foundation: unified security data lakes that enable multi-source correlation without moving data between tools, detection-as-code workflows that turn hunt findings into automated rules, and AI-assisted triage that reduces investigation time so your team can focus on hypothesis-driven discovery rather than alert fatigue.
The goal is to catch threats earlier with each iteration—and that starts with a platform designed to support the full cycle from hypothesis to detection.