# Prowling the Wilds --- Upgrade Your SOC and Hunt Down Threats

By [Unit 42](https://www.paloaltonetworks.com/blog/author/unit-42/?ts=markdown "Posts by Unit 42"), May 21, 2024

It would be nice to imagine our SOC analysts as the apex predators of the IT jungle, stalking the network perimeter and
tracking the scent of trespassing attackers. But, for most SOCs and their analysts, that's far from the reality of their operations. Most are overwhelmed by data points and ill-equipped to correlate and analyze them. Analysts, who wish they could proactively hunt down threats and remediate vulnerabilities, are too busy churning through alerts and documenting false positives. According to our [2024 Unit 42 Incident Response Report](https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report), 90% of SOCs say they rely on manual processes.

It's not just a haystack that SOC analysts are combing through; it's a hay mountain. They are sniffing for even a trace of compromise. Forget finding a needle. Most don't even know how many needles there are.

SOC leaders need to outfit their analysts with the right gear and training. [Upgrade your SOC](https://start.paloaltonetworks.com/modernize-your-soc-playbook.html) and analysts, so they can hunt down the threats lurking in your network.

## SOC Analysts Are Burnt Out

Everyone knows there is still a shortage of cybersecurity professionals. Federal initiatives, like [NICE](https://www.nist.gov/itl/applied-cybersecurity/nice), seek and promote "an integrated ecosystem of cybersecurity education, training, and workforce development," but the demand for qualified professionals continues to outpace the supply. No one feels the strain more than SOC leaders, who struggle to keep their SOC staffed 24/7 with experienced personnel.

Analysts are fleeing SOCs in droves, and [industry reports](https://www.infosecurity-magazine.com/news/60-soc-analysts-planning-quit-next/) provide some answers as to why:

* 71% say they're burnt out by SOC work.
* 69% claim their SOC is understaffed.
* 60% say the workload is increasing.
* 64% spend more than half of their time performing manual tasks.
* 66% indicate that the majority of work could be automated.
* 60% said they plan to quit their jobs.
SOC analysts say they spend too much time investigating and reporting false positives. They're overwhelmed by disparate data points and forced to triage alerts. They also claim that reporting is one of their least favorite tasks and consumes most of their time, especially when the majority of reports say "Nothing to see here." Threat hunting appeals to budding and enthusiastic cybersecurity professionals, but the reality of SOC life sends them searching for new opportunities.

## Why SOC Analysts Are Walking Away

Infosec professionals are typically excited about SOC work, at least in theory. They know that automated processes and smart tools could empower them to make high-level decisions about potential threats. Most discover, however, that manual processes and poorly tuned tools make the SOC a miserable place to work. Instead of proactively hunting for vulnerabilities and advanced persistent threats on the network, they spend all their time just trying to catch up.

The majority of SOC work revolves around investigating alerts generated by dozens of tools. Consider the extraordinary number of devices in an enterprise organization. Each generates its own logs and produces a data trail that may contain indicators of attack and/or compromise (IOAs and IOCs):

* Firewalls
  * A large number of connection attempts are made from a single IP address in a short period (a potential denial-of-service attack).
  * A user attempts to access a restricted resource from an unauthorized location (a potentially compromised account).
* Intrusion Detection System (IDS)
  * A known malware signature is detected on a system (a potential malware infection).
  * A user attempts to exploit a known system vulnerability (potential privilege escalation).
* Security Information and Event Management (SIEM)
  * Multiple failed login attempts occur for a critical system account (a potential brute-force attack).
  * A user account with high privileges accesses sensitive data outside of regular working hours (a potential insider threat).
* Endpoint Detection and Response (EDR)
  * A program attempts to access unauthorized files or folders (potential ransomware encryption).
  * A user's device connects to a known malicious domain (a potential phishing attempt).

The average SOC receives tens of thousands of alerts each day. Without tools that can automatically aggregate and categorize relevant telemetry, SOC analysts are burned out chasing ghosts across treacherous, unmapped terrain.

## Hunting the Wilds

Analysts would prefer to be prowling the wilds and [proactively hunting for threats](https://www.youtube.com/watch?v=yHwDTXt8Vjo). Threat hunting is the systematic pursuit of hidden threats within your network. It's a multipronged approach that involves fortifying defenses against attackers and flushing out advanced persistent threats (APTs). Hunters employ various tactics:

**Indicators of Attack and Tactics, Techniques and Procedures (TTPs)**

Hunters search for patterns associated with known attacker behavior, such as unusual data exfiltration attempts (large file transfers at odd hours) or reconnaissance activities (probing for vulnerabilities). This often involves analyzing network traffic logs and endpoint activity for suspicious patterns.

**Indicators of Compromise**

These are specific signatures of malware or malicious activity, such as a known command and control (C2) server address or a specific malware hash. Hunters can leverage threat intelligence feeds and internal security data to identify potential IOCs.

**Hypothesis-Driven Hunting**

This involves developing hypotheses about potential threats based on industry trends, intelligence reports or internal security incidents. Hunters then test these hypotheses by searching for specific indicators or patterns within network data.
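As an added example (not code from the post or from Palo Alto Networks), here is a small hypothesis-driven hunt in Python over constructed telemetry from three of the sources listed above. It tests the brute-force, off-hours sensitive-access and connection-burst hypotheses, then correlates the findings per entity so the account that trips two of them is surfaced first, which is the "connect the dots across disparate data sources" step the post describes. The account watchlist, sensitive paths, business hours and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed hunt parameters (illustrative, not from the post).
CRITICAL_ACCOUNTS = {"svc-backup", "admin-dba"}
SENSITIVE_PATHS = ("/finance/", "/hr/")
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 UTC

def events(ts, src, n=1, step_s=0, **fields):
    """n events of one shape starting at ts, step_s apart (constructed data)."""
    t0 = datetime.fromisoformat(ts)
    return [{"ts": t0 + timedelta(seconds=i * step_s), "src": src, **fields}
            for i in range(n)]

# Constructed sample telemetry (not real logs) from firewall, SIEM and EDR.
EVENTS = (
    events("2024-05-20T02:00:00", "siem", 6, 5, type="auth_fail",
           user="svc-backup", ip="203.0.113.9")
    + events("2024-05-20T02:03:00", "edr", type="file_read",
             user="svc-backup", path="/finance/q2-forecast.xlsx")
    + events("2024-05-20T10:15:00", "edr", type="file_read",
             user="admin-dba", path="/hr/payroll.csv")  # in hours: benign
    + events("2024-05-20T11:00:00", "fw", 25, 0.2, type="conn",
             ip="198.51.100.7", dport=443)
)

def peak_in_window(events, key, window):
    """Per key, the largest number of events whose timestamps fit in window."""
    times_by_key = defaultdict(list)
    for e in events:
        times_by_key[key(e)].append(e["ts"])
    peaks = {}
    for k, times in times_by_key.items():
        times.sort()
        lo = best = 0
        for hi in range(len(times)):  # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[k] = best
    return peaks

def hunt(events):
    """Test three hypotheses drawn from the post's alert list; return findings."""
    findings = []
    # H1: brute force -- >= 5 failed logins for a critical account within 60 s
    fails = [e for e in events if e["src"] == "siem" and e["type"] == "auth_fail"
             and e["user"] in CRITICAL_ACCOUNTS]
    for user, n in peak_in_window(fails, lambda e: e["user"], timedelta(seconds=60)).items():
        if n >= 5:
            findings.append(("H1_brute_force", user, f"{n} failures/60s"))
    # H2: privileged account reads sensitive data outside business hours
    for e in events:
        if (e["src"] == "edr" and e["type"] == "file_read"
                and e["path"].startswith(SENSITIVE_PATHS)
                and e["ts"].hour not in BUSINESS_HOURS):
            findings.append(("H2_offhours_sensitive", e["user"], e["path"]))
    # H3: connection burst -- >= 20 connections from one source IP within 10 s
    conns = [e for e in events if e["src"] == "fw" and e["type"] == "conn"]
    for ip, n in peak_in_window(conns, lambda e: e["ip"], timedelta(seconds=10)).items():
        if n >= 20:
            findings.append(("H3_conn_burst", ip, f"{n} conns/10s"))
    return findings

def prioritize(findings):
    """Group findings by entity; entities tripping more hypotheses rank first."""
    by_entity = defaultdict(list)
    for hyp, entity, detail in findings:
        by_entity[entity].append((hyp, detail))
    return sorted(by_entity.items(), key=lambda kv: -len(kv[1]))
```

Running `prioritize(hunt(EVENTS))` ranks svc-backup (brute force followed by off-hours access to finance data) above the single connection-burst lead; the in-hours HR read by admin-dba produces nothing.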
**Specialized Techniques**

There are various techniques used in threat hunting, such as network traffic analysis, memory forensics and endpoint analysis. The specific techniques used will depend on the nature of the hunt and the available data.

The right tools are crucial for threat hunting. Well-tuned solutions can connect the dots across disparate data sources, helping analysts prioritize legitimate threats for investigation. For example, security platforms that offer threat-hunting capabilities can automate some tasks, like log analysis and threat correlation, and provide context for analyst investigations with threat intelligence feeds.

## Upgrading SOC Operations

There's just too much data to correlate and analyze --- activity from every device on the network, including nodes that facilitate inbound and outbound traffic from anywhere in the world. Automation is inevitable.

Many SOCs get buried by their tools, triaging alerts that are almost always false positives. SOCs need smart, calibrated tools that can connect thousands of inputs and analyze activity from a multitude of perspectives.

Most SOCs struggle to reconcile insights generated by their tools --- XDR, SOAR, ASM, SIEM, etc. Solutions like [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam) combine these components and connect all the data points to generate legitimate leads. Cortex XSIAM leverages AI models for advanced analysis that streamlines the decision-making process, which enables analysts to spend less time investigating and documenting dead-end leads, and more time hunting for large game.

## Make the Proactive Shift

A successful threat-hunting program offers several benefits beyond simply identifying and mitigating threats:

* Reduced Dwell Time -- Threat hunting helps identify threats earlier in the attack lifecycle before they can cause significant damage.
* Improved Security Posture -- Threat hunting identifies weaknesses in your security posture.
  By proactively searching for threats, you can identify and address vulnerabilities before attackers can exploit them.
* Enhanced Threat Intelligence -- Threat hunting can help you develop a deeper understanding of the threats targeting your organization. Leverage the knowledge gained from investigations to improve your security strategy and inform future hunts.
* Boosted Analyst Morale -- Threat hunting empowers analysts by giving them the opportunity to proactively use their skills and knowledge. This can help to reduce burnout and improve overall job satisfaction.

Attackers have evolved, leveraging automation and AI to launch more sophisticated campaigns. The modern SOC needs to meet this challenge head-on with superior firepower. SOC analysts should command fleets, not paddle around in a rowboat. Take a machine-led, human-powered approach to threat hunting. Fight fire with fire -- upgrade your SOC and your analysts with AI-powered tools that give them the advantage.

Want to learn more? Find out how [Unit 42 Managed Threat Hunting Services](https://www.paloaltonetworks.com/unit42/respond/managed-threat-hunting) can help you proactively hunt down threats in your environment. You can also [register for our upcoming workshop](https://www.paloaltonetworks.com/resources/webcasts/investigation-and-threat-hunting-virtual-hands-on-workshop) to sharpen your investigation and threat hunting skills.