Hypothesis-Driven Hunting
Start from a theory.
Starting From a Theory
Hypothesis-driven hunting begins with a specific, testable theory about how an attacker might be operating in your environment.
A clear hypothesis turns an open-ended search into a focused investigation.
What Makes a Good Hypothesis
A good hypothesis is specific, testable, and grounded in data you can actually collect.
- Bad: attackers might be in our network.
- Good: an attacker is using scheduled tasks for persistence on workstations.
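As an added example (not part of the course), here is how the good hypothesis above could be turned into a concrete check against scheduled-task creation telemetry (Windows Security Event ID 4698); the events, hosts, accounts, task names and paths below are all constructed, and the two heuristics (user-writable action path, task name seen on only one host) are assumptions chosen to make the hypothesis testable:

```python
"""Testing one hunt hypothesis against telemetry (added example, not course material).

Hypothesis: an attacker is using scheduled tasks for persistence on workstations.
Testable form: a scheduled-task creation event (Windows Security Event ID 4698)
is worth a closer look if its action runs from a user-writable directory, or if
the task name appears on only one workstation and is not a built-in Windows task.
"""

# Constructed sample events, not real telemetry; the fields mirror what a
# 4698 record carries: host, creating account, task name and the action command.
EVENTS = [
    {"host": "WS-01", "user": "svc_patch", "task": "\\Vendor\\PatchCheck",
     "command": "C:\\Program Files\\Vendor\\patch.exe"},
    {"host": "WS-02", "user": "svc_patch", "task": "\\Vendor\\PatchCheck",
     "command": "C:\\Program Files\\Vendor\\patch.exe"},
    {"host": "WS-03", "user": "svc_patch", "task": "\\Vendor\\PatchCheck",
     "command": "C:\\Program Files\\Vendor\\patch.exe"},
    {"host": "WS-02", "user": "jdoe", "task": "\\OneDrive Sync",
     "command": "C:\\Users\\jdoe\\AppData\\Roaming\\sync.exe"},
    {"host": "WS-03", "user": "SYSTEM", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "C:\\Windows\\System32\\defrag.exe"},
]

# Path fragments an ordinary user can write to; a persistence binary often lives here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Rarity alone is noisy: a built-in task may legitimately exist on one host only.
BUILTIN_PREFIX = "\\microsoft\\windows\\"

def hunt_scheduled_task_persistence(events, rare_threshold=1):
    """Return the events matching the hypothesis, each tagged with why it matched."""
    hosts_per_task = {}
    for e in events:
        hosts_per_task.setdefault(e["task"], set()).add(e["host"])
    findings = []
    for e in events:
        reasons = []
        if any(frag in e["command"].lower() for frag in USER_WRITABLE):
            reasons.append("action runs from a user-writable path")
        seen_on = len(hosts_per_task[e["task"]])
        if seen_on <= rare_threshold and not e["task"].lower().startswith(BUILTIN_PREFIX):
            reasons.append("task name seen on only %d host(s)" % seen_on)
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in hunt_scheduled_task_persistence(EVENTS):
        print(f["host"], f["task"], "->", "; ".join(f["reasons"]))
```

Only the jdoe task on WS-02 matches; the vendor task is on every host and the single-host Defrag task is a known built-in, which is the kind of negative result a focused hypothesis lets you record and move on from.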