Building a Proactive Threat Hunting Program

July 9, 2025

A practical guide for mid-sized organisations to design, staff and run a threat hunting program that adds real value to SOC operations.

Threat hunting has moved from “nice to have” to an expected capability in mature security operations. SANS’ recent Threat Hunting Survey notes that more organisations are investing in proactive hunting to find anomalous behaviour that traditional tooling misses. CrowdStrike’s 2025 Threat Hunting Report similarly highlights that 81 percent of hands-on-keyboard intrusions they observed were malware-free, relying on stolen credentials and living-off-the-land techniques.

If your organisation relies entirely on signatures, alerts and scheduled scans, those findings should be a concern. The question is not whether to hunt, but how to do so in a structured, sustainable way.

This article outlines a practical model for building a proactive threat hunting program, tailored to mid-sized enterprises that cannot simply copy a large bank’s blueprint.

What threat hunting is (and is not)

Threat hunting is the hypothesis-driven search for signs of malicious activity that have not yet triggered an alert. It is:

  • Proactive rather than reactive.
  • Centred on adversary behaviours, not specific IOCs.
  • A continuous learning process where each hunt improves data, tooling and playbooks.

It is not:

  • A replacement for detection engineering or incident response.
  • A one-off “sweep” you perform after a major breach.
  • A purely manual, artisanal exercise disconnected from your SOC.

Frameworks such as MITRE ATT&CK provide a common language for describing those behaviours and mapping them to telemetry sources. ENISA’s threat landscape work reinforces the need to monitor tactics like discovery, lateral movement and credential access, not just initial payloads.

Step 1: Define the scope and objectives

Before hiring specialist hunters or buying new tools, clarify what success looks like. Typical objectives for a mid-sized organisation include:

  • Reducing dwell time for stealthy intrusions.
  • Identifying gaps in logging, EDR coverage and identity telemetry.
  • Validating that controls detect key adversary techniques relevant to your sector.

Choose a narrow initial scope, for example:

  • Identity-focused hunting in Microsoft 365 and Entra ID.
  • Endpoint-centric hunting on high-value servers.
  • Cloud-focused hunting in one or two critical SaaS platforms.

Link those objectives to measurable outcomes, such as:

  • Number of hunts completed per quarter.
  • Gaps identified and closed (e.g., missing logs, unmonitored admin accounts).
  • Detections or rules improved as a result of hunts.

DACTA Global often works with clients to set this initial scope as part of a broader Cyber Risk Assessment, ensuring that hunting supports business risk reduction rather than becoming a standalone experiment.

Step 2: Build on existing SOC capabilities

Most mid-sized organisations cannot stand up a separate threat hunting team overnight. Instead:

  • Assign hunting responsibilities to senior analysts or detection engineers for part of their time.
  • Use your existing SIEM, EDR and log management platforms as the primary hunting environment.
  • Improve data quality before you attempt advanced hunts. The SANS survey repeatedly highlights poor data quality as a major barrier to effective hunting.

At minimum, ensure you have:

  • Centralised logs for authentication, endpoint activity, DNS, proxy and key SaaS platforms.
  • Time synchronisation across systems.
  • Basic normalisation of events to make querying feasible.

If you use platforms like Elastic Security or similar, vendor hunting guides and pre-built queries can serve as starting points for your own hypotheses.

Step 3: Adopt a structured hunting loop

Unstructured “digging around” in logs rarely scales. Adopting a simple hunting loop helps turn intuition into repeatable process. One practical model breaks hunts into five stages:

  1. Hypothesis: Formulate a specific question based on threat intel, recent incidents or ATT&CK techniques.
    • Example: “An attacker is using OAuth-based consent phishing to gain persistent access to Microsoft 365 mailboxes.”
  2. Data collection and analysis: Identify which logs and tools can answer the question, and extract a candidate dataset.
  3. Deep dive: Pivot into interesting leads, join datasets and enrich with context (asset criticality, user role, geo information).
  4. Documentation and reporting: Capture what you did, what you found and recommended improvements.
  5. Feedback and iteration: Convert findings into new detections, logging requirements or follow-up hunts.

Over time, this loop becomes a core component of how your SOC improves, not an ad hoc activity.
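The consent-phishing hypothesis above, carried through stages 2 and 5 of the loop as an added example (not code from the article or from DACTA): a small hunt over constructed, simplified Entra ID consent events that scores each grant, flags the risky ones, and nominates apps consented by multiple users as detection-rule candidates. Field names, scoring weights and the threshold are assumptions for illustration, not the real audit-log schema.

```python
# Constructed sample of "Consent to application" audit records (simplified field
# names, NOT the real Entra ID export schema) for the hypothesis "an attacker is
# using OAuth consent phishing to gain persistent access to M365 mailboxes".
SAMPLE_EVENTS = [
    {"time": "2025-07-01T08:12:03Z", "user": "alice@example.com",
     "app": "Contoso HR Portal", "publisher_verified": True,
     "scopes": ["User.Read"]},
    {"time": "2025-07-01T09:40:17Z", "user": "bob@example.com",
     "app": "Mail Sync Helper", "publisher_verified": False,
     "scopes": ["Mail.Read", "Mail.ReadWrite", "offline_access"]},
    {"time": "2025-07-01T09:41:55Z", "user": "carol@example.com",
     "app": "Mail Sync Helper", "publisher_verified": False,
     "scopes": ["Mail.Read", "offline_access"]},
    {"time": "2025-07-02T14:03:21Z", "user": "dave@example.com",
     "app": "Teams Notes", "publisher_verified": True,
     "scopes": ["User.Read", "offline_access"]},
]

# Delegated Graph scopes that hand an app mailbox access; consent-phishing lures
# typically request these together with offline_access (a refresh token).
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}

def score_consent(event):
    """Risk score for one consent event. Weights are assumptions for this example:
    each mailbox scope +2, offline_access (persistence) +3, unverified publisher +3."""
    scopes = set(event["scopes"])
    score = 2 * len(scopes & MAILBOX_SCOPES)
    if "offline_access" in scopes:
        score += 3
    if not event["publisher_verified"]:
        score += 3
    return score

def hunt_consent_grants(events, threshold=5):
    """Stage 2: return (score, event) pairs at or above the threshold, highest first."""
    flagged = [(score_consent(e), e) for e in events if score_consent(e) >= threshold]
    return sorted(flagged, key=lambda pair: pair[0], reverse=True)

def apps_for_detection(flagged):
    """Stage 5: apps with risky consents from more than one user become
    candidates for a standing detection rule and a tenant-wide consent review."""
    counts = {}
    for _, e in flagged:
        counts[e["app"]] = counts.get(e["app"], 0) + 1
    return sorted(app for app, n in counts.items() if n > 1)

if __name__ == "__main__":
    hits = hunt_consent_grants(SAMPLE_EVENTS)
    for score, e in hits:
        print(f"{e['time']} {e['user']:<18} {e['app']:<18} score={score}")
    print("Detection candidates:", apps_for_detection(hits))
```

In a real tenant the same logic would run as a SIEM query over the audit log rather than a script; the point is that the hypothesis, the scoring rationale and the resulting detection candidate are all written down and reusable.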

Step 4: Prioritise use cases based on risk

Not all hunts are equally valuable. To get the most from limited time:

  • Align hunting topics with your threat model. Use ENISA, sectoral regulators and vendor reports to understand which threats are most relevant to your industry.
  • Start with high-impact scenarios such as:
    • Abuse of privileged accounts.
    • Lateral movement from a single compromised endpoint.
    • Suspicious use of OAuth applications or service principals in cloud environments.
  • Map each scenario to relevant ATT&CK tactics and techniques, then ensure you have the telemetry to observe them.

DACTA’s Managed Detection and Response service follows a similar threat-led approach, where hunts are directly derived from current adversary behaviours rather than generic checklists.

Step 5: Integrate hunting with detection engineering

The real ROI of threat hunting comes when findings feed back into detections. For each hunt:

  • Turn recurring patterns into new correlation rules, EDR detections or UEBA models.
  • Update allowlists and baselines based on benign anomalies you discover.
  • Document new queries and techniques in an internal hunting playbook for future reuse.

Over time, this builds a virtuous cycle:

  • Threat intel and incidents inspire hunts.
  • Hunts reveal detection gaps.
  • New detections reduce blind spots and provide better data for further hunting.

Step 6: Measure and communicate value

CISOs need to demonstrate that threat hunting is more than an interesting technical exercise. Useful metrics include:

  • Number of high-quality hypotheses tested per quarter.
  • Number of previously unknown issues found (misconfigurations, risky accounts, undetected malware).
  • Mean time from discovery to remediation of those issues.
  • Number of new or improved detection rules derived from hunts.

Complement quantitative metrics with short narratives that explain how specific hunts helped avoid incidents or reduce risk. That language resonates with boards and executive teams.

Where to start

For mid-sized organisations, a realistic starting point might be:

  • One or two senior analysts dedicating half a day per week to structured hunts.
  • A small initial focus area (for example identity or cloud).
  • A basic hunting playbook, with three to five well-defined hypotheses.

From there, you can grow frequency, automate more of the data collection and gradually formalise the function.

If your team lacks capacity or experience, partnering with a provider like DACTA Global for a Threat Hunting Readiness Assessment or co-managed hunts can accelerate the journey while keeping control in your hands.
