What is threat hunting?

Last updated: May 19, 2026

Threat hunting is a proactive security discipline in which analysts search their own environment for threats that have already evaded existing controls, instead of waiting for alerts to fire. Hunts are hypothesis-driven: the hunter proposes how an adversary might be operating, then interrogates organizational telemetry to confirm or refute that hypothesis. The discipline combines threat intelligence, forensic analysis, and investigative tradecraft, and its measurable goal is to reduce dwell time, the period an attacker operates in your environment undetected.

Modern threat hunting operates at the intersection of security and data engineering. It requires high-fidelity telemetry across logs, metrics, traces, cloud audit events, and security findings. Hunters analyze this data for tactics, techniques, and procedures (TTPs) mapped to frameworks such as MITRE ATT&CK®, focusing on adversary behaviors, which are costly for an attacker to change, rather than only on indicators of compromise such as IP addresses and file hashes, which are cheap to rotate.

Traditional perimeter defenses and signature-based detection miss threats that do not match a known pattern. Threat hunting fills this gap by applying human judgment and domain expertise to anomalous patterns in data that automated systems overlook. The challenge lies in building the data foundation and analytical capabilities to make hunting effective at scale.

Why threat hunting drives security outcomes

Threat hunting addresses critical blind spots in modern security architectures. Advanced persistent threats often use living-off-the-land techniques, leveraging legitimate administrative tools and processes so that their activity blends into normal operations and there is no malicious binary for signature-based tools to find. Such intrusions can persist undetected for months, which makes proactive hunting essential for early detection and response.

Hunting in cloud-native environments

Cloud and Kubernetes environments present unique hunting opportunities and challenges. Attackers frequently target identity systems, exploit excessive permissions, and abuse control plane access for lateral movement.

Effective cloud hunting requires comprehensive telemetry from cloud audit logs, VPC flow logs, DNS queries, and Kubernetes audit events. For example, hunters might investigate unusual identity federation activity, anomalous cross-account role assumptions, or suspicious kubectl activity in the Kubernetes audit log, such as pod exec or cluster-wide secret enumeration, that suggests control plane compromise.
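The identity and control-plane hunt described above, as an added Python example that is not code from the original page or from Dynatrace. It runs over constructed CloudTrail-style AssumeRole events and Kubernetes audit events (field names follow those two formats; every account ID, ARN, username and IP address is made up), builds a per-principal baseline of target accounts from the earlier events, flags first-seen cross-account role assumptions in the hunt window, flags sensitive control-plane actions (pod exec, secret enumeration), and pivots between the two by source IP and time. The hunt-window cutoff and the 30-minute correlation window are assumptions to tune for your environment.

```python
"""Hypothesis-driven hunt over cloud audit data (added example, not from the page).

Hypothesis: a compromised principal assumes a role in an account it has never
touched before, then uses that access against the Kubernetes control plane.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style events (JSON lines). Accounts, ARNs and IPs are made up.
CLOUDTRAIL_LINES = [
    '{"eventTime":"2026-05-01T09:00:00Z","eventName":"AssumeRole","userIdentity":{"arn":"arn:aws:iam::111111111111:user/ci-deployer"},"requestParameters":{"roleArn":"arn:aws:iam::222222222222:role/deploy"},"sourceIPAddress":"10.0.0.5"}',
    '{"eventTime":"2026-05-02T09:05:00Z","eventName":"AssumeRole","userIdentity":{"arn":"arn:aws:iam::111111111111:user/ci-deployer"},"requestParameters":{"roleArn":"arn:aws:iam::222222222222:role/deploy"},"sourceIPAddress":"10.0.0.5"}',
    '{"eventTime":"2026-05-18T02:13:00Z","eventName":"AssumeRole","userIdentity":{"arn":"arn:aws:iam::111111111111:user/ci-deployer"},"requestParameters":{"roleArn":"arn:aws:iam::333333333333:role/eks-admin"},"sourceIPAddress":"203.0.113.77"}',
]

# Constructed Kubernetes audit events for the EKS cluster in account 333333333333.
K8S_AUDIT_LINES = [
    '{"stageTimestamp":"2026-05-18T02:15:30Z","verb":"create","user":{"username":"eks-admin"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"kube-system","name":"aws-node-7k2lp"},"sourceIPs":["203.0.113.77"],"userAgent":"kubectl/v1.30.1"}',
    '{"stageTimestamp":"2026-05-18T02:16:00Z","verb":"list","user":{"username":"eks-admin"},"objectRef":{"resource":"secrets"},"sourceIPs":["203.0.113.77"],"userAgent":"kubectl/v1.30.1"}',
    '{"stageTimestamp":"2026-05-18T08:00:00Z","verb":"get","user":{"username":"system:serviceaccount:default:web"},"objectRef":{"resource":"configmaps","namespace":"default","name":"web-config"},"sourceIPs":["10.0.1.9"],"userAgent":"Go-http-client/2.0"}',
]

# Assumption: events before this timestamp form the baseline, later ones are hunted.
HUNT_START = datetime(2026, 5, 17)

# Control-plane actions worth a look, as (verb, resource, subresource).
SENSITIVE_K8S = {("create", "pods", "exec"), ("list", "secrets", "")}


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def account_of(arn):
    return arn.split(":")[4]  # arn:partition:service:region:account:resource


def hunt_new_cross_account_assumptions(lines, hunt_start=HUNT_START):
    """AssumeRole events in the hunt window whose (principal, target account)
    pair never appeared in the baseline and which cross an account boundary."""
    baseline, candidates = defaultdict(set), []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventName") != "AssumeRole":
            continue
        principal = ev["userIdentity"]["arn"]
        target = account_of(ev["requestParameters"]["roleArn"])
        when = parse_time(ev["eventTime"])
        if when < hunt_start:
            baseline[principal].add(target)
        else:
            candidates.append((when, principal, target, ev))
    return [
        {"time": when, "principal": principal, "target_account": target,
         "role": ev["requestParameters"]["roleArn"], "source_ip": ev["sourceIPAddress"]}
        for when, principal, target, ev in candidates
        if target != account_of(principal) and target not in baseline[principal]
    ]


def hunt_control_plane_actions(lines):
    """Kubernetes audit events whose verb/resource/subresource is in SENSITIVE_K8S."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        key = (ev["verb"], ref.get("resource"), ref.get("subresource", ""))
        if key in SENSITIVE_K8S:
            findings.append({
                "time": parse_time(ev["stageTimestamp"]), "user": ev["user"]["username"],
                "action": "/".join(part for part in key if part),
                "namespace": ref.get("namespace", "<cluster>"), "source_ip": ev["sourceIPs"][0],
            })
    return findings


def correlate(assume_findings, k8s_findings, window=timedelta(minutes=30)):
    """Pivot from a suspicious role assumption to control-plane actions from the same
    source IP within `window`. A shared IP is a lead to investigate, not proof."""
    chains = []
    for a in assume_findings:
        related = [k for k in k8s_findings
                   if k["source_ip"] == a["source_ip"] and a["time"] <= k["time"] <= a["time"] + window]
        if related:
            chains.append({"assume_role": a, "control_plane": related})
    return chains


if __name__ == "__main__":
    assumptions = hunt_new_cross_account_assumptions(CLOUDTRAIL_LINES)
    actions = hunt_control_plane_actions(K8S_AUDIT_LINES)
    for chain in correlate(assumptions, actions):
        a = chain["assume_role"]
        print(f"{a['time']} {a['principal']} -> {a['role']} from {a['source_ip']}")
        for k in chain["control_plane"]:
            print(f"  {k['time']} {k['user']} {k['action']} in {k['namespace']}")
```

On the constructed data the ci-deployer principal's jump into account 333333333333 is flagged because that account is absent from its baseline, and the pod exec and secret listing from the same external IP two minutes later turn a single odd STS call into an investigable chain. The same baseline-then-compare structure applies to federation events (for example first-seen identity providers per user) once the event parsing is swapped.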

Sector-specific hunting priorities

Different industries face distinct threat landscapes that shape hunting strategies: the techniques worth hunting for, the assets that matter most, and the consequences of a missed intrusion all vary by sector.

Across sectors, though, the common need is to hunt for identity abuse, lateral movement, and data exfiltration, behavioral patterns that are difficult to assess at scale. Signals like unusual authentication, privilege escalation, or after-hours data access are well understood, but distinguishing a legitimate administrator from an attacker requires context that is hard to automate reliably. Machine learning tools have made meaningful inroads here, but they carry their own burdens: high false positive rates, significant tuning requirements, and a dependence on clean baseline data that many organizations struggle to maintain. Human hunters bring the contextual judgment that fills the remaining gap.

Common hurdles in threat hunting implementation

Technical complexity at scale

Modern threat hunting programs face significant technical challenges managing the volume, variety, and velocity of telemetry from hybrid and multicloud environments. Schema drift and normalization across diverse data sources create friction for analysts who need to correlate evidence quickly during investigations.

Ephemeral infrastructure makes it harder to connect related signals. When containers spin up and down rapidly, the identifiers in one log source may no longer resolve by the time a hunter pivots to another, so hunters need systems that preserve the relationships between distributed traces, container and host identities, and the events they produced, in order to reconstruct attack timelines after the workload itself is gone.

Data quality and false positive challenges

Poor data quality and excessive false positives create alert fatigue that impedes analysis and increases the risk of missing true threats. Hunters spend significant time validating and enriching low-fidelity alerts instead of pursuing high-value investigations.

Traditional index-centric analytics tools add latency and cost when hunting at scale, forcing organizations into hot/cold storage architectures that require time-consuming data rehydration for historical analysis.

Operational and staffing constraints

Threat hunting teams are rarely large enough, and the required skill set spanning data analysis, cloud security, and investigative technique is difficult to hire for. Demonstrating program value compounds the challenge, as teams must build the measurement frameworks to justify continued investment.

Tool fragmentation and context loss

IT environment complexity creates tool sprawl that forces analysts to manually reassemble context across multiple systems during investigations. This fragmentation slows hunts and increases the risk of missing connections between related events.

Getting started with effective threat hunting

Building the data foundation

Successful hunting programs start with comprehensive telemetry collection and normalization. Regardless of how data is collected, adopting semantic conventions such as those defined by OpenTelemetry helps unify signals and ensures consistent interpretation across the observability stack, reducing the normalization work that slows analysis.

Organizations should prioritize ingesting cloud audit logs, DNS queries, network flows, and application monitoring traces alongside traditional security events. Through the OpenPipeline® solution, users can ingest, process, and persist observability, security, and business data from any source, in any format, and at any scale. This enables real-time filtering, enrichment, and transformation of the data at massive scale while preserving the context relationships that hunters need for effective investigations.

Implementing analytical capabilities

The Grail® index-free data lakehouse enables real-time analytics across any data type without predefined schemas, allowing hunters to perform iterative queries across large historical datasets using Dynatrace Query Language (DQL).

Security Analytics and Investigations workflows provide structured threat hunting capabilities with branch-based analysis, evidence capture, and rapid pivots across logs, security events, and topology data.

Structured hunting methodologies

Begin with TTP-based hunting approaches aligned to ATT&CK techniques relevant to your environment. Focus on high-impact scenarios like identity abuse, lateral movement, and data exfiltration.

Dynatrace's threat hunting use cases demonstrate investigating cloud control plane abuse through step-by-step DQL analysis across EKS audit logs, VPC flow logs, and DNS data, including identifying exfiltration via DNS tunneling.
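The DNS tunneling hunt mentioned above, as an added Python example rather than the page's DQL walkthrough or any Dynatrace code. It profiles a constructed resolver log per registered domain (unique subdomains, average subdomain length, character entropy, share of TXT queries) and flags domains that behave like a covert channel: many distinct, long, high-entropy labels. The log, the domain names, and the thresholds are assumptions; a real hunt would tune the thresholds against its own baseline and use the public suffix list instead of the two-label shortcut used here.

```python
"""Hunting DNS tunneling from resolver logs (added example, not from the page)."""
import hashlib
import math
from collections import defaultdict


def constructed_dns_log():
    """Constructed resolver log as (source_ip, qtype, qname) tuples; not real traffic.
    The tunnel domain carries hex-encoded chunks in long subdomain labels, which is
    how many DNS tunneling tools encode payload into queries."""
    log = []
    for i in range(50):
        log.append(("10.0.2.15", "A", ["www.example.com", "api.example.com", "cdn.example.com"][i % 3]))
    for i in range(40):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        log.append(("10.0.2.15", "TXT", f"{chunk[:24]}.{chunk[24:]}.tunnel.example.net"))
    return log


def registered_domain(qname):
    """Split a query name into (registered domain, subdomain part).
    Assumption: the last two labels are the registrable domain. Real hunts should
    use the public suffix list so that names under e.g. co.uk are handled correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(text):
    """Bits per character; hex is at most 4.0, English-like labels sit well below."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_domains(log):
    """Per-registered-domain statistics that separate tunnels from normal lookups."""
    subs, queries, txt = defaultdict(set), defaultdict(int), defaultdict(int)
    for _src, qtype, qname in log:
        dom, sub = registered_domain(qname)
        queries[dom] += 1
        if sub:
            subs[dom].add(sub)
        if qtype == "TXT":
            txt[dom] += 1
    stats = {}
    for dom in queries:
        uniq = subs[dom]
        chars = "".join(s.replace(".", "") for s in uniq)
        stats[dom] = {
            "queries": queries[dom],
            "unique_subdomains": len(uniq),
            "avg_subdomain_len": (sum(len(s) for s in uniq) / len(uniq)) if uniq else 0.0,
            "entropy": shannon_entropy(chars),
            "txt_ratio": txt[dom] / queries[dom],
            "label_bytes": sum(len(s) for s in uniq),  # upper bound on encoded payload
        }
    return stats


def hunt_dns_tunneling(stats, min_unique=20, min_len=30, min_entropy=3.5):
    """Flag domains with many distinct, long, high-entropy subdomains.
    Thresholds are assumptions; tune them against your own baseline."""
    return sorted(d for d, s in stats.items()
                  if s["unique_subdomains"] >= min_unique
                  and s["avg_subdomain_len"] >= min_len
                  and s["entropy"] >= min_entropy)


if __name__ == "__main__":
    stats = profile_domains(constructed_dns_log())
    for dom in hunt_dns_tunneling(stats):
        s = stats[dom]
        print(f"{dom}: {s['unique_subdomains']} unique subdomains, avg len {s['avg_subdomain_len']:.0f}, "
              f"entropy {s['entropy']:.2f}, TXT ratio {s['txt_ratio']:.2f}, ~{s['label_bytes']} bytes of labels")
```

On the constructed log example.com shows three short, repeated subdomains and is ignored, while example.net shows forty unique 50-plus character labels of near-maximal hex entropy carried in TXT queries and is flagged. The label_bytes figure is the pivot into VPC flow logs: if the resolver sent that much outbound DNS to a single domain, the flow records should show it.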

Automation and response integration

Convert successful hunts into repeatable detections using automated workflows. Schedule DQL queries to run continuously, generate security events from results, and trigger notifications or remediation actions based on findings.

Integration with solutions such as those offered by ServiceNow enables seamless incident creation and response orchestration when hunts uncover threats requiring immediate action.

Governance and compliance considerations

Implement attribute-based access control to enforce least-privilege access to sensitive hunting data. Grail permissions enable fine-grained control at bucket, table, record, and field levels.

Enable comprehensive audit logging to track threat hunting activities and maintain compliance. Configure data masking at capture and ingest to protect sensitive information while preserving analytical value.
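Masking that hides identities yet keeps hunting data joinable, as an added Python example rather than the page's or Dynatrace's own masking configuration. Identity fields receive a keyed-HMAC pseudonym, so a hunter can still pivot on "same user, same source IP" across datasets without seeing the raw value, while strings matching a bearer-token or AWS access-key shape are dropped outright because nothing analytical is lost by removing them. The field names, masking key, record lines and regular expressions are constructed for the example.

```python
"""Masking at ingest that keeps hunting data joinable (added example, not from the page)."""
import hashlib
import hmac
import json
import re

# Assumption: a per-environment secret kept out of the analytics store. Every ingest
# path must use the same key, or pseudonyms stop matching across datasets.
MASKING_KEY = b"constructed-demo-key-replace-me"

PSEUDONYMIZE_FIELDS = {"user", "source_ip"}   # identity fields: hide value, keep equality
REDACT_PATTERNS = [                            # secrets: drop entirely
    re.compile(r"(?i)(bearer\s+)[a-z0-9._-]+"),
    re.compile(r"AKIA[0-9A-Z]{16}"),           # AWS access key ID shape
]

# Constructed log records; AKIAIOSFODNN7EXAMPLE is the AWS documentation example key.
SAMPLE_LINES = [
    '{"ts":"2026-05-18T02:13:00Z","user":"jdoe","source_ip":"203.0.113.77","message":"GET /api/export Authorization: Bearer abc123.def456.ghi789"}',
    '{"ts":"2026-05-18T02:16:00Z","user":"jdoe","source_ip":"203.0.113.77","message":"env dump: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"}',
    '{"ts":"2026-05-18T08:00:00Z","user":"svc-backup","source_ip":"10.0.1.9","message":"backup complete"}',
]


def pseudonym(value, key=MASKING_KEY):
    """Keyed HMAC: equal inputs give equal outputs, but without the key the value
    cannot be recovered or confirmed by guessing (unlike a plain hash)."""
    return "pseud:" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def redact(text):
    """Replace secret-shaped substrings, keeping any captured prefix for readability."""
    for pattern in REDACT_PATTERNS:
        text = pattern.sub(lambda m: (m.group(1) if m.lastindex else "") + "[REDACTED]", text)
    return text


def mask_record(record):
    masked = {}
    for field, value in record.items():
        if field in PSEUDONYMIZE_FIELDS and isinstance(value, str):
            masked[field] = pseudonym(value)
        elif isinstance(value, str):
            masked[field] = redact(value)
        else:
            masked[field] = value
    return masked


def mask_lines(lines):
    return [mask_record(json.loads(line)) for line in lines]


if __name__ == "__main__":
    for rec in mask_lines(SAMPLE_LINES):
        print(json.dumps(rec))
```

After masking, the two jdoe records still share one pseudonym and one source-IP pseudonym, so the pivot from the export request to the credential dump survives, while the bearer token and access key never reach storage. Rotating the key is a deliberate decision: it breaks correlation across the rotation boundary.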

Modern threat hunting requires more than security expertise. It demands robust data engineering, scalable analytics platforms, and AI for IT operations that enable hunters to focus on investigation rather than data wrangling. Organizations that invest in observability platform capabilities create sustainable competitive advantages in detecting and responding to sophisticated threats. DevSecOps integration ensures security is embedded throughout the development lifecycle, while digital experience monitoring provides visibility into how security events impact user experience. The difference between end-to-end observability and traditional monitoring becomes crucial when implementing comprehensive threat hunting programs that require deep context and analytical capabilities.