# How to Start Threat Hunting

By [Mark Brozek](https://www.paloaltonetworks.com/blog/author/mark-brozek/?ts=markdown "Posts by Mark Brozek"), Jun 29, 2020, 5 minutes

Categories and tags: [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Secure the Future](https://www.paloaltonetworks.com/blog/category/secure-the-future/?ts=markdown), [managed threat hunting](https://www.paloaltonetworks.com/blog/tag/managed-threat-hunting/?ts=markdown), [SOC](https://www.paloaltonetworks.com/blog/tag/soc/?ts=markdown), [Threat Hunting](https://www.paloaltonetworks.com/blog/tag/threat-hunting/?ts=markdown)

We've just wrapped up our first ever **Inside the Hunt Virtual Threat Hunting Summit** and were blown away by the fantastic engagement from everyone who attended ([here's the replay](https://start.paloaltonetworks.com/inside-the-hunt-virtual-summit.html?utm_source=blog) if you missed it).
Of the many great questions submitted by the audience, one stood out most prominently:

![Learning to start threat hunting can be fun, and this image shows threat hunters illustrated in the style of a video game to make the point.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/06/XDRgame.png)

## "How do I start threat hunting?"

We've seen time and time again that building a threat hunting program is a challenge for companies of all sizes, both because of the relentless demands already placed on security teams and because of the range of skills and expertise required to be effective. We caught up with our threat hunting panelists (and consulted our [go-to security operations manual](https://start.paloaltonetworks.com/elements-of-security-operations.html)) and came up with the following tips to help you get started.

#### Assemble Your Team

Our panelists agreed: the perfect threat hunter rarely exists. Threat hunting requires skills that range across threat intelligence analysis, malware analysis, penetration testing, data science, machine learning and business analysis, plus knowledge of all the systems and data in place at the organization. Threat hunters must also be great communicators who can share their findings and help support the business case for continued threat hunting resources. Rather than trying to create (or hire) individual rockstar threat hunters who can do all of this, you are better served assembling a team of curious, analytical problem solvers who possess these skills collectively and are interested in developing them further.

Another important trait of successful threat hunters is a desire to keep learning. Threats constantly evolve, so threat hunters must commit to keeping their knowledge up to date by following researchers, engaging in online communities and attending industry forums, which lets them learn about new tactics and vulnerabilities.

*Our panelists discuss their strategies for sharpening their threat hunting skills.*

Once you've identified your team members, you must put the process and structure in place for them to be able to hunt. Most organizations cannot afford dedicated hunting staff but still need to allot committed time for threat hunting. This can be allocated as a few hours per day or week, or people on the team can be tasked with threat hunting for specific time periods on a rotating schedule.

Does your team lack the skills or the time to dedicate to threat hunting? You may be a candidate for a [managed threat hunting service](https://www.paloaltonetworks.com/blog/2020/05/cortex-xdr-managed-threat-hunting/).

#### Get Your Data In Order

Per panelist Andre Ludwig, Chief Product Officer of Bricata, "No data, no hunt." Having the right logging infrastructure -- including detection capabilities [across endpoint, network and cloud](https://www.paloaltonetworks.com/cortex/cortex-xdr) -- is a foundational step that enables threat hunting. Any gap in your visibility is a place where your threat hunters have no way to find what is there.

These logging tools generally aggregate data in a [data lake](https://www.paloaltonetworks.com/blog/2019/09/cortex-data-lake/), which is where threat hunting is most often performed. Your threat hunters will be more efficient if the data is consistent, structured and flexible for all the ways they want to use it -- much of which is driven by auto-tagging using security tools such as an NGFW. Threat hunters typically require query access to a data lake, APIs and visualization tools to perform their hunts.

#### Develop a Hypothesis, Then Test It

Structured hunting tends to be the most useful approach for organizations. It takes the form of goal-oriented sprints that last no longer than two weeks. Each hunt should start with a piece of intelligence and a hypothesis. That could be a new vulnerability or threat to be investigated for its impact on the organization, or an unusual behavior. It could also be as simple as following up on a malware outbreak to make sure it has been fully remediated. Then, threat hunters conduct some form of pen testing, simulation or red team exercise to see what they can discover. Teams may uncover misconfigurations, vulnerabilities and malicious activity through these exercises.

Structured hunting should be process-driven but follow an agile methodology. Hunters should understand what automated processes, alerts and behavior analysis have already been run on the data so as not to duplicate efforts. Threat hunting can lead down many rabbit holes, which requires agility -- but there should be a formal process in place to guide the hunt and pull back from the rabbit holes as needed. If the two weeks are exhausted without progress, then you must move on.

#### Remediate and Document

At the end of the hunt, documentation should be shared with the SOC (and with relevant business stakeholders) about what was done in the hunt and what was learned. If a conclusion was reached, then updated prevention should be fed back into the controls to automatically detect or block the threat. The hunt may also end when the two-week hunt period has been exhausted without a conclusion, which still requires documentation of what was done.

*Our panelists offer additional advice for organizations that want to start threat hunting.*

## Learn More About Threat Hunting

This is just one of the many topics our panelists shared their insights on. [Watch the replay of our Inside the Hunt Virtual Threat Hunting Summit today](https://start.paloaltonetworks.com/inside-the-hunt-virtual-summit.html?utm_source=blog) for more useful information and tips that will help level up your organization's threat hunting capabilities.
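The hypothesis-test-remediate-document loop described above, carried through in code as an added example (this is not code from the post or from any Palo Alto Networks product). It runs one structured hunt over a handful of constructed process-creation events in the normalized shape a data lake might return: the hypothesis is that no Office application on a workstation should spawn a shell, the query tests it, events the SOC's existing automation already alerted on are skipped so effort is not duplicated, the two-week sprint window is enforced, and the hunt record is written up for the SOC whether it concluded or timed out. All field names, process lists and sample values are assumptions made for the example.

```python
"""Hypothesis-driven hunt over structured logs (added example, not from the post)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample process-creation events in a consistent, structured shape.
# Field names are assumptions for this example, not any product's schema.
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2020-06-01T09:00:00", "host": "ws01", "user": "alice",
     "process": "winword.exe", "parent": "explorer.exe"},
    {"id": 2, "ts": "2020-06-01T09:01:10", "host": "ws01", "user": "alice",
     "process": "powershell.exe", "parent": "winword.exe"},
    {"id": 3, "ts": "2020-06-01T10:15:00", "host": "ws02", "user": "bob",
     "process": "powershell.exe", "parent": "explorer.exe"},
    {"id": 4, "ts": "2020-06-02T11:00:00", "host": "ws03", "user": "carol",
     "process": "cmd.exe", "parent": "excel.exe"},
]

# Constructed: ids the SOC's existing automated rules already alerted on, so the
# hunt does not repeat analysis that has already been performed on the data.
ALREADY_ALERTED = {4}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}   # assumed list
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}         # assumed list

HUNT_WINDOW = timedelta(days=14)   # the two-week sprint from the post


@dataclass
class HuntRecord:
    """One structured hunt: its intelligence, hypothesis, timebox and findings,
    in a form that can be handed to the SOC and business stakeholders."""
    intel: str
    hypothesis: str
    started: date
    findings: list = field(default_factory=list)
    status: str = "open"            # open | concluded | timed_out
    control_update: str = ""        # prevention fed back into controls, if any

    @property
    def deadline(self) -> date:
        return self.started + HUNT_WINDOW

    def document(self) -> dict:
        """The write-up shared with the SOC whether or not a conclusion was reached."""
        return {
            "intel": self.intel,
            "hypothesis": self.hypothesis,
            "window": f"{self.started} to {self.deadline}",
            "status": self.status,
            "findings": [e["id"] for e in self.findings],
            "control_update": self.control_update,
        }


def office_spawning_shell(events, already_alerted):
    """The query that tests the hypothesis: an Office application launching a
    shell. Events already covered by existing automation are left out."""
    return [e for e in events
            if e["parent"].lower() in OFFICE_APPS
            and e["process"].lower() in SHELLS
            and e["id"] not in already_alerted]


def run_hunt(events, already_alerted, started: str, today: str) -> HuntRecord:
    """Run one hypothesis-driven hunt and close it out: concluded when the query
    produced findings, timed out when the window passed without any, otherwise
    still open. Dates are ISO strings such as '2020-06-01'."""
    hunt = HuntRecord(
        intel="Constructed: reports of macro-laden documents launching shells",
        hypothesis="No Office application on a workstation should spawn a shell",
        started=date.fromisoformat(started),
    )
    hunt.findings = office_spawning_shell(events, already_alerted)
    if hunt.findings:
        hunt.status = "concluded"
        # The tested query becomes the control update fed back to the SOC.
        hunt.control_update = "alert when parent in OFFICE_APPS and process in SHELLS"
    elif date.fromisoformat(today) > hunt.deadline:
        hunt.status = "timed_out"   # still documented, then the team moves on
    return hunt


if __name__ == "__main__":
    record = run_hunt(SAMPLE_EVENTS, ALREADY_ALERTED, "2020-06-01", "2020-06-03")
    print(record.document())
```

Against the constructed events the hunt returns a single finding (event 2, `winword.exe` spawning `powershell.exe` on ws01); event 4 matches the same pattern but is skipped because an existing rule already alerted on it. Run the same function against an empty result set past the deadline and the record closes as `timed_out` with an empty findings list, which is the documented-but-inconclusive outcome the post says still has to be written up.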