Latest SANS Threat Hunting Report: shows threat hunters still disagree on what constitutes threat hunting and few dedicated teams exist


SANS Institute, the global leader in cyber security training and certifications, has released the SANS 2019 Threat Hunting Report, which shows that threat hunting is still in its infancy with few dedicated teams in existence and differing views on what constitutes threat hunting and how to hunt.

“Many organisations use an alert-driven approach to threat hunting or use indicators of compromise [IoCs] to guide their hunts,” says Mathias Fuchs, a SANS instructor and co-author of the survey. “It seems that fewer organisations are using hypothesis-driven hunting—and that could leave them vulnerable to dangerous visibility gaps.”

Most respondents report using a variety of reactive approaches to threat hunting, including alerts (40%) or IoCs via a SIEM or other alerting system to find adversary tools or artefacts (57%). Such approaches are excellent supplements, but should not take the place of using proactive hunting techniques. Surprisingly, only 35% of respondents create hypotheses to guide their hunting activities.

Organisations continue to require threat hunters to work in multiple roles. Hunters report having major responsibilities for managing SOC alerts (34%) or incident response and forensics of breaches (26%). Very few organisations have moved to a dedicated hunt team over the past three surveys, indicating that threat hunting—and threat hunting teams—are still in their infancy.

“One reason we aren’t seeing more growth in dedicated threat hunting teams may be that organisations have difficulty measuring the benefits or organisational impact of threat hunting,” posits Josh Lemon, survey co-author and SANS instructor. “Being able to measure and show the performance abilities of a threat hunting team is critical to the life of a team and its engagement by the rest of the business; it’s a metric that can make or break a team, its funding or its objectives.”

While 24% of respondents were unable to determine whether they had measurable improvements as a result of threat hunting, 61% reported having at least an 11% improvement in their overall security posture. Organisations have seen a marked improvement in more robust detections and better coverage across the environment, with 36% claiming significant improvement and another 53% realising some improvement. Other key improvements are attack surface exposure/hardened networks and endpoints, with 35% seeing significant improvement and 58% seeing some improvement, and more accurate detections and fewer false positives, at 32% significant improvement and 51% some improvement.


About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner’s qualifications via over 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master’s degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet’s early warning system—the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (



Comments are closed.

Do NOT follow this link or you will be banned from the site!