bianco-pyramid-of-pain
David Bianco — Threat Hunting Frameworks
Overview
David Bianco is a SANS instructor with 20+ years in information security, primarily in detection and response. He created two foundational frameworks: the Pyramid of Pain (2013), which prioritizes indicators by adversary impact, and the Threat Hunting Maturity Model, which guides organizations in building hunting capability.
References
- Pyramid of Pain: Original 2013 blog post, SANS documentation
- Threat Hunting Maturity Model: SANS whitepaper
- Profile: https://www.sans.org/profiles/david-bianco
Core Philosophy
"The more pain you cause adversaries, the more effective your detection."
"Hunting is not about finding evil—it's about finding evil that your automated defenses missed."
Bianco's insight: not all indicators are equal. Detecting hash values is trivial for adversaries to evade; detecting their tactics, techniques, and procedures (TTPs) forces them to fundamentally change how they operate.
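As an added illustration of that point (example code written for this page, not Bianco's or SANS's), the following Python contrasts a hash-tier indicator with a TTP-tier rule over constructed process telemetry: a one-byte repack of the sample kills the hash match, while the behavioural rule keeps firing. The payload bytes, process names, command lines and the encoded-command regex are all constructed assumptions.

```python
import hashlib
import re

# Constructed sample "malware" bytes and the hash indicator derived from them.
SAMPLE_BINARY = b"MZ\x90\x00 constructed sample payload v1"
HASH_IOC = hashlib.sha256(SAMPLE_BINARY).hexdigest()

# Constructed process-creation telemetry. The TTP-level rule below inspects
# behaviour (an Office app spawning a shell with an encoded command), not bytes.
TELEMETRY = [
    {"parent": "outlook.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc ZQBjAGgAbwA="},   # constructed blob
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def hash_match(binary: bytes, ioc: str = HASH_IOC) -> bool:
    """Hash-tier detection: fires only on the exact bytes seen before."""
    return hashlib.sha256(binary).hexdigest() == ioc


def ttp_match(event: dict) -> bool:
    """TTP-tier detection: Office parent spawns a shell with an encoded command."""
    encoded = re.search(r"\s-(e|ec|enc|encodedcommand)\s", event["cmdline"], re.I)
    return (event["parent"].lower() in OFFICE_APPS
            and event["image"].lower() in SHELLS
            and encoded is not None)


def evasion_demo() -> dict:
    """Repack the sample by changing one trailing byte: the hash IOC no longer
    matches, but the behavioural rule still fires on the same telemetry."""
    repacked = SAMPLE_BINARY[:-1] + b"2"
    return {
        "hash_hits_original": hash_match(SAMPLE_BINARY),
        "hash_hits_repacked": hash_match(repacked),
        "ttp_hits": [ttp_match(e) for e in TELEMETRY],
    }


if __name__ == "__main__":
    print(evasion_demo())
```

Swapping the hash for a behavioural rule is exactly the move up the pyramid the text describes: the adversary must change how they launch, not just what they launch.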