The Threat Hunting Hypothesis Defined?

Human intelligence gives us the liberty of interpreting things according to our own will and understanding. This is the drawback of free thinking: truth becomes relative rather than absolute. The same goes for the term "hypothesis-based hunting". Many people, organizations, and hunters use it according to their own understanding.

Things get complicated when two different ideas or interpretations collide. Threat hunting is a relatively new discipline with no defined standards. In this article, we will try to normalize the definition of hypothesis-based hunting.

What is a Hypothesis?

The first thing we need to understand is that the threat hunting hypothesis is a scientific hypothesis. As per Britannica:

“scientific hypothesis, an idea that proposes a tentative explanation about a phenomenon or a narrow set of phenomena observed in the natural world.”

Let’s break down this definition in the realm of cyber security, with some additional characteristics of threat hunting hypotheses based on the comments of other experts.

1. A hypothesis is an idea

It is quite trivial to understand this statement in the real world, but in the cyber security world the idea needs the grounding of valid observations and sound explanations, as explained by Robert M. Lee and David Bianco in the SANS white paper Generating Hypotheses for Successful Threat Hunting.

The idea needs to be driven by the hunter's own valid observations, or by predictions based on in-depth analysis of APT threats and assessment of internal alerts.

2. A hypothesis must be testable

This is a key characteristic of a hypothesis. The hunter must be able to test his or her hypothesis in the network. For example, consider the following case.

“A new zero-day is released for PHP which only affects version 8.x, and the news reaches Bob, a new joiner in the threat hunting team. Bob decides to hunt for this zero-day. For the rest of the day Bob gathers all kinds of data required to hunt for the CVE in the network. At the end of the day, when Bob reaches the senior hunter, he learns that all applications in Bob’s network are running on PHP version 9.x or above. Even though Bob had a good hypothesis, it cannot be tested in the current organization.”

A good hunter must be aware of what kind of data is available for the hunt, and must decide on the hypothesis based on it.

3. A hypothesis should be flexible enough to modify or enhance

Since threat hunting involves human analysis, we should not ignore human psychology while creating and hunting for a hypothesis. Hunters may introduce a natural bias when they hunt for the adversary.

Although a hypothesis guides hunters to look for specific threats at a time, it also gives them tunnel vision. This tunneled view can be dangerous if the hunter ignores critical information that is not related to the current hypothesis. Consider the example below to understand it better.

“Alice decides to hunt for the abuse of regsvr32.exe in the network. She builds a hypothesis around it to check for signs of abuse of this binary by an adversary. While hunting, she runs a query on the EDR to check for network connections made by all binaries, and while analyzing the results she notices that notepad.exe is also connecting to the DC on port 389. She completely ignores this behavior since it wasn’t in the scope of the hypothesis.”

I also believe that a hypothesis should be neither too specific nor too generic. It should cover the major part of the attack or kill chain the hunter is hunting for, but should not go beyond that limit.
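As an added illustration of Alice's scenario (example code, not from the original article), the hunt below runs the same kind of "which binaries make network connections" query over constructed EDR events. It tests the regsvr32.exe hypothesis but also keeps a separate list of out-of-scope leads, so the notepad.exe connection to the DC on port 389 is recorded for follow-up rather than discarded; the DC address and the list of processes expected to talk LDAP are assumptions to be tuned per environment.

```python
"""Hunt over constructed EDR network-connection events without dropping out-of-scope findings."""

# Constructed sample telemetry (fields simplified; not real EDR output).
EVENTS = [
    {"host": "ws01", "process": "regsvr32.exe", "dest": "203.0.113.10", "port": 443},
    {"host": "ws02", "process": "chrome.exe", "dest": "198.51.100.5", "port": 443},
    {"host": "ws03", "process": "notepad.exe", "dest": "10.0.0.5", "port": 389},
    {"host": "ws04", "process": "outlook.exe", "dest": "10.0.0.5", "port": 389},
    {"host": "ws05", "process": "regsvr32.exe", "dest": "10.0.0.5", "port": 389},
]

# Assumed environment facts: the domain controller address and the processes
# normally expected to talk LDAP (389) to it. Both are placeholders.
DOMAIN_CONTROLLERS = {"10.0.0.5"}
EXPECTED_LDAP_CLIENTS = {"lsass.exe", "svchost.exe", "outlook.exe"}


def hunt(events, scope_process, dcs=DOMAIN_CONTROLLERS, expected=EXPECTED_LDAP_CLIENTS):
    """Return (in_scope, out_of_scope) lists of events.

    in_scope     : events that test the hypothesis (scope_process making any
                   network connection).
    out_of_scope : events the hypothesis does not cover but that still deserve
                   a follow-up, here an unexpected process talking LDAP to a
                   domain controller. Keeping this second list is what stops
                   Alice's notepad.exe observation from being lost.
    """
    in_scope, out_of_scope = [], []
    for ev in events:
        proc = ev["process"].lower()
        if proc == scope_process.lower():
            in_scope.append(ev)
        elif ev["dest"] in dcs and ev["port"] == 389 and proc not in expected:
            out_of_scope.append(ev)
    return in_scope, out_of_scope


def hosts(findings):
    """Hosts named in a list of findings, in order, for a quick report."""
    return [ev["host"] for ev in findings]


if __name__ == "__main__":
    scoped, leads = hunt(EVENTS, "regsvr32.exe")
    print("hypothesis hits:", hosts(scoped))    # ['ws01', 'ws05']
    print("out-of-scope leads:", hosts(leads))  # ['ws03']
```

The out-of-scope list is not a verdict; it is the queue of observations that should become their own hypotheses once the current hunt is closed.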


We tried to generalize the term threat hunting hypothesis by giving it some characteristics. In conclusion, we can say that a threat hunting hypothesis is an idea based on observed events, or a complex prediction of the future based on threat intelligence, which must be testable and flexible to modification throughout its life cycle.

This could be just another definition of the threat hunting hypothesis, but the main idea behind the term is not what it means but what it does, and that is to kill before getting killed.




Self Learned security professional, mainly focused on windows exploitation, reverse engineering and malware analysis
