loading
Loading content
loading
Threat hunting assumes an attacker may already be inside and goes looking for them, rather than waiting for an alert to fire. A hunter forms a hypothesis, for example that an adversary is using a scheduled task for persistence, then queries logs, endpoint data, and network telemetry to confirm or rule it out. The work is iterative: each finding sharpens the next question.
Hunting matters because detection coverage is never complete. Attackers use living-off-the-land techniques and valid credentials precisely to slip past signatures, so an environment can hold an intrusion that triggers nothing. Hunting closes that gap by testing for behavior, not just for a known bad hash or domain.
Good hypotheses come from structured knowledge. Hunters map techniques against MITRE ATT&CK to decide what to look for, lean on threat intelligence about active campaigns, and pivot on any indicator of compromise they surface. A hunt that finds a gap also feeds detection engineering, turning a manual catch into a durable automated rule.
In a Trickest workflow, you automate the repetitive collection and enrichment, pulling telemetry, resolving indicators, and correlating sources, so the hunter spends their time on judgment instead of data plumbing.
Related terms