I’m not a Threat Hunter, but I’ve worked with some brilliant ones and have a solid understanding of how the process works and how much value Threat Hunters bring. This article isn’t about telling you how to do your job. It’s a set of suggestions from me, a journeyman Red Teamer, on a few things I’d like to see Threat Hunters try.
Hopefully, one of these ideas ignites your fire.
1.) Threat Hunt Your LLMs
This only works if you have private LLMs, or applications that act as intermediaries, but there are two primary scenarios to look at:
Scenario 1: The internal threat
Like many people, I now use LLMs for a lot of tasks I once turned to search engines for: the kind of tasks you know how to do, or know are possible, but cannot remember the details of. Individually, a lot of these prompts are not explicitly malicious, but as a composite they sit on the edge of malicious. A Threat Hunter should be able to spot a malicious insider by analyzing the composite behavior of prompts. Examples might include:
“How do I use this AZ connection string?”
“List all domain controllers with PowerShell”
“Create a regex to extract AccountKey from files”
“How do I check the msdsKeyCredential value”
Scenario 2: The external threat
As part of a Red Team engagement, we once phished a Cloud Architect out of their tokens (thanks evilginx). This gave us access to their Copilot session, and I realized what a beautiful assistant Copilot would be to an attacker. Prompts like:
“Who do I email the most?”
“What attachments have I made on emails recently?”
“Have I had any conversations about credentials, sensitive materials or objectives recently?”
These are probably not questions your Cloud Architect should be asking their Copilot.
Bonus thought: This kind of hunting doesn't have to sacrifice user privacy. You can resubmit prompts to an internal LLM to get a malicious likelihood score without exposing them to another person, or design the system prompt to request scoring inline and extract it before it is returned to the user. It won't be free, but it is feasible.
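One way to turn the composite idea into a hunt query, as an added example that is not the author's tooling: it scores each prompt from a gateway log against a few hypothetical intent categories and flags a user only when their prompts inside one time window span several categories, which covers both scenarios above. The categories, patterns, window and threshold are all assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Hypothetical intent categories and example patterns; tune them to your environment.
CATEGORIES = {
    "recon": [r"\blist all\b", r"\bdomain controllers?\b", r"\bwho do i email\b"],
    "credential_access": [r"\bconnection string\b", r"\baccountkey\b", r"\bcredentials?\b"],
    "persistence": [r"\bmsds-?keycredential(link)?\b"],
    "collection": [r"\battachments?\b", r"\bsensitive materials?\b"],
}
def score_prompt(text):
    """Return the set of intent categories a single prompt touches."""
    return {cat for cat, pats in CATEGORIES.items()
            if any(re.search(p, text.lower()) for p in pats)}

def composite_hunt(events, window=timedelta(hours=24), min_categories=3):
    """events: iterable of (iso_timestamp, user, prompt) from the LLM gateway log.
    Flags users whose scored prompts inside any `window` span at least `min_categories`
    distinct categories. Only the user and category mix are surfaced, never prompt text."""
    per_user = defaultdict(list)
    for ts, user, prompt in events:
        cats = score_prompt(prompt)
        if cats:
            per_user[user].append((datetime.fromisoformat(ts), cats))
    findings = {}
    for user, hits in per_user.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):
            covered = set()
            for t, cats in hits[i:]:
                if t - t0 > window:
                    break
                covered |= cats
            if len(covered) >= min_categories:
                findings[user] = sorted(covered)
                break
    return findings
# Constructed sample gateway log; the prompts are the article's own examples.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "How do I use this AZ connection string?"),
    ("2024-05-01T09:20:00", "alice", "List all domain controllers with PowerShell"),
    ("2024-05-01T10:05:00", "alice", "Create a regex to extract AccountKey from files"),
    ("2024-05-01T11:30:00", "alice", "How do I check the msdsKeyCredential value"),
    ("2024-05-01T09:00:00", "bob", "List all domain controllers with PowerShell"),
    ("2024-05-03T09:00:00", "bob", "How do I use this AZ connection string?"),
    ("2024-05-02T08:00:00", "carol", "Who do I email the most?"),
    ("2024-05-02T08:05:00", "carol", "What attachments have I made on emails recently?"),
    ("2024-05-02T08:10:00", "carol", "Have I had any conversations about credentials, sensitive materials or objectives recently?"),
]
```

Bob touches the same categories as Alice but two days apart, so he falls outside the window and is not flagged; the scoring step is where an internal LLM likelihood score could replace the regex lists.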
2.) Tabletop the Perfect Storm, Then Hunt It
The Red Team, your penetration testers, your incident responders, and even your security architects know where the weaknesses and blind spots are in your organization. If I were a Threat Hunter, I would gather those insights, combine them into a “Very Bad Day” scenario, map it onto the MITRE ATT&CK framework, and then hunt that scenario to completion. This would let you tell the stories of how a Perfect Storm hasn’t happened yet (hopefully), possibly was caught in the act, and how you’ve built detections to prevent that particular Perfect Storm from happening.
This probably isn’t something you can do every quarter, or maybe even every year, but it should be good for at least one large, high-impact hunt. It also has the added benefits of building stronger relationships with other teams and positioning the Threat Hunter as a kind of shadow Enterprise Architect. If there are weaknesses or systemic issues you want to highlight but can’t get traction on, this might be the opportunity you’ve been waiting for.
3.) Use Your Red Team as a Hypothesis Engine
Red Teams are often asked whether a given set of TTPs is possible or detectable in the current organization. Learn to use your Red Team by reframing that question as: can you make this technique undetectable?
When given that framing, the Red Team will often discover which variations of a technique are detected and, more importantly, how to bypass those detections. This naturally produces valuable insight for Threat Hunters. Instead of just validating detections, you’ve shifted to building hypotheses based on real, tested evasions.
Your Red Team may already be interpreting your requests this way. For example, if you ask them to emulate an APT group, a good Red Team will be attempting to level-up those TTPs so that they are undetectable. But this article isn’t about how Red Teams think — it’s about how you, the Threat Hunter, can think about them.
It’s said that the Supreme Court doesn’t decide cases, it answers questions. I’m suggesting you use your Red Team the same way. Think of them as question-answering infrastructure. Ask them targeted questions that generate real-world, high-quality hypotheses. Then go hunt them.
4.) Metric Madness
A Threat Hunt relevant metric that’s been on my mind lately is the non-security telemetry detection rate. Let me explain.
What percentage of your malicious detections come from outside your security infrastructure or tooling? I’m talking about logs that aren’t generated by your EDR, SIEM, WAF or “firewalls”. Things like Active Directory and Azure AD logs, DNS records, proxy traffic, and cloud platform logs.
I can’t think of a better way to measure the effectiveness of a Threat Hunter than to quantify, over time, what percentage of threat detections originate from sources outside the security stack. This metric could be used to show that you’re really hunting and not babysitting the alert queue. A rise in this percentage tells the story of how increasingly effective the Threat Hunters are, maintaining the same percentage shows the continued relevance of the Threat Hunters, and a decrease means... it was never a good metric anyway.
Catching malicious activity against AD that Defender for Identity or CrowdStrike Identity cannot detect will be the feather in your cap, so you might as well build an easy-to-automate metric around it.
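An added example, not the author's code, of computing this metric from detection records. It assumes each record carries an incident id, a timestamp, the log source that produced it and a true-positive flag, and it credits an incident to whichever source detected it first, so a later EDR alert on the same incident does not erase a hunt that started in DNS or proxy data.

```python
from collections import defaultdict

# Hypothetical source buckets; adjust to your own tooling inventory.
SECURITY_STACK = {"edr", "siem", "waf", "firewall", "ndr"}
NON_SECURITY = {"active_directory", "entra_id", "dns", "proxy", "cloud_platform"}

def classify(source):
    """Bucket a log source as security stack or not; unknown sources fail loudly."""
    s = source.lower()
    if s in SECURITY_STACK:
        return "security"
    if s in NON_SECURITY:
        return "non_security"
    raise ValueError(f"unclassified source: {source}")

def first_detection_per_incident(detections):
    """detections: iterable of (incident_id, iso_timestamp, source, true_positive).
    Returns {incident_id: (timestamp, source)} for the earliest true-positive detection."""
    first = {}
    for inc, ts, source, tp in detections:
        if tp and (inc not in first or ts < first[inc][0]):
            first[inc] = (ts, source)
    return first

def non_security_rate(detections):
    """Return {YYYY-MM: percent of incidents first caught outside the security stack}."""
    counts = defaultdict(lambda: [0, 0])  # period -> [non_security, total]
    for ts, source in first_detection_per_incident(detections).values():
        period = ts[:7]
        counts[period][1] += 1
        if classify(source) == "non_security":
            counts[period][0] += 1
    return {p: round(100 * n / t, 1) for p, (n, t) in sorted(counts.items())}

# Constructed sample detection records, not real incident data.
SAMPLE_DETECTIONS = [
    ("INC-1", "2024-01-03T08:00", "dns", True),
    ("INC-1", "2024-01-03T09:30", "edr", True),   # EDR fired later on the same incident
    ("INC-2", "2024-01-10T12:00", "edr", True),
    ("INC-3", "2024-01-15T14:00", "waf", False),  # false positive, excluded
    ("INC-4", "2024-02-02T10:00", "active_directory", True),
    ("INC-5", "2024-02-05T10:00", "proxy", True),
    ("INC-6", "2024-02-06T10:00", "siem", True),
]
```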
Sincere apologies to all the Threat Hunters who already track this metric, I am an outsider after all.
5.) Threat Hunt the Retired Detection Rules
The last and weakest idea I will propose to you is that every disabled, trimmed, or too-noisy rule was once written for a reason, quite possibly by people who no longer work there, who never wrote down why they created it, or who turned it down but left it readable. Turning the underlying behavior into a threat hunt is a can’t-lose hypothesis.
If you find something, the rule was prematurely disabled.
If you don’t find something, you validated the SIEM or SOAR rule management (or NDR or WAF, or whatever it was).
It’s entirely possible that threats are hiding in the silence that was created.
Thanks to the THOR Collective for giving me a wall and community to throw ideas at.