During a weekly threat-management meeting, a SOC analyst notes that the SIEM has produced no critical alerts in the last 24 hours, yet external reports indicate new nation-state tactics targeting similar organizations. The analyst formulates a hypothesis, gathers host telemetry, and iteratively queries EDR data to uncover activity that has not triggered existing detection logic. Which security operation is the analyst performing?
The analyst is engaging in threat hunting, a proactive and hypothesis-driven search through network, endpoint, and log data to discover malicious activity that existing controls have not detected. Unlike threat-intelligence analysis, which focuses on collecting and contextualizing information about adversaries, threat hunting actively probes local data for hidden compromise before an incident is confirmed. Incident-response containment is reactive (it occurs after a threat has already been detected), and continuous vulnerability scanning is preventive (it focuses on weaknesses rather than on attackers); neither is aimed at finding undetected intruders.