Threat hunting — the threats already inside and hiding
Most organisations wait to be alerted. They install sensors, set thresholds, and respond when an alarm sounds. But by then, attackers have often already been inside for months. Threat hunters operate differently: they go looking. Here is what they find, why traditional alerts fail to catch it, and why your board should care about dwell time.
By Xartrix Security Team | 9 min read
204 days
average dwell time before a breach is detected: almost 7 months of undetected presence
Mandiant M-Trends 2024
73%
of breaches took months or longer to discover; many organisations never detected them at all
Verizon DBIR 2024
40%
of threat hunting engagements find activity that automated tools and alerts completely missed
Crowdstrike Threat Hunting Services Data
The problem: 204 days is too long (the dwell time liability)
An attacker breaks into your network in January. By May, they have moved laterally to critical systems, established persistence through a backdoor, and begun staging data for exfiltration. It is not until September, 8 months later, that your security operations centre receives an alert. A hunter, by contrast, would have found them in weeks or days.
This scenario is not hypothetical. The average dwell time (the time between initial compromise and detection) is 204 days across all organisations, and much longer in some sectors. For 7 months of that period, attackers have unrestricted access to your systems, your data, and your intellectual property. During this window, they can:
• Move laterally from compromised endpoints to domain controllers, databases, and critical servers
• Harvest credentials from multiple systems for privilege escalation
• Copy sensitive data without triggering alerts
• Install backdoors and web shells for persistent access
• Modify logs and cover their tracks
By the time detection occurs, the breach is often far advanced. The cost is staggering: data has already been stolen, systems are already compromised, and the attacker already has multiple escape routes built in.
The approach: what threat hunting is, proactive search instead of passive detection
Threat hunting inverts the traditional security model. Instead of waiting for alerts, hunters actively search for signs of compromise. They assume attackers are already inside and hunt for evidence of their presence. Three approaches:
Hypothesis-Driven Hunting
Hunters develop a hypothesis based on threat intelligence. “Advanced persistent threats targeting our industry use lateral movement via PsExec. Let me search our logs for any unusual PsExec activity.” They query logs, network traffic, and endpoint data to confirm or rule out the hypothesis.
Intelligence-Driven Hunting
Hunters use real-time threat intelligence from industry reports, vendor feeds, and underground forums. When a new attack technique emerges, hunters immediately search for indicators in their environment. They do not wait for their tools to be updated with signatures.
Anomaly-Based Hunting
Hunters search for deviations from normal behaviour. “This user account typically logs in from the London office between 9am and 5pm. Why is it now logging in at 3am from a different country?” Anomalies do not always indicate compromise, but they warrant investigation.
The gap: why your SIEM and EDR alerts miss 40% of threats
Most organisations rely on automated detection: SIEM rules, EDR alerts, and intrusion detection systems. These tools are valuable, but they have a fundamental limitation: they can only detect what they are configured to detect.
Visualization: Detection gap between alerts and threat hunting
Automated tools excel at detecting known patterns. Threat hunters excel at finding novel techniques, behavioural anomalies, and sophisticated attackers who deliberately evade detection rules.
Alert fatigue is the first problem. A typical SOC receives 10,000+ alerts per day. Security analysts investigate the most critical ones; the rest are ignored. Sophisticated attackers know this and design their attacks to hide in that noise rather than stand out. They blend in with normal traffic, use legitimate tools (Living off the Land), and avoid setting off known signatures.
Zero-days and novel techniques are the second problem. Your SIEM has no signature for an attack that was discovered yesterday. Your EDR cannot detect a privilege escalation technique that was just published. Threat hunters, by contrast, are not bound by signatures. They search for unusual patterns and behaviours, regardless of whether a tool recognises them.
Attacker sophistication is the third problem. Nation-state and advanced cyber-crime groups specifically design their operations to evade automated detection. They study your environment, move slowly and deliberately, disable logging, and cover their tracks. An alert-only strategy is essentially betting that your attackers are not very good.
Real findings: what threat hunters discover that alerts miss
Threat hunting engagements consistently uncover threats that automated systems completely missed. Here are the categories most commonly found:
Lateral Movement Patterns
Attackers jump from a compromised endpoint to high-value systems using legitimate tools and credentials. Hunters search for unusual patterns: a normal user account accessing systems it has never touched before, connections from unusual times of day, or access patterns that deviate from baseline behaviour.
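The anomaly-based hunt described above and the lateral movement pattern in this section share one mechanism: learn what an account normally does, then flag logons that break that baseline. The following is an added illustration, not Xartrix code or a page example; the logon records are constructed, and the account, host and country values are placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon telemetry: (timestamp, account, source country, target host).
# The first five rows are the learning period; the last two are the hunt window.
LOGONS = [
    ("2024-03-04T09:12:00", "jsmith", "GB", "FILESRV01"),
    ("2024-03-04T13:40:00", "jsmith", "GB", "FILESRV01"),
    ("2024-03-05T10:05:00", "jsmith", "GB", "MAILSRV01"),
    ("2024-03-06T16:30:00", "jsmith", "GB", "FILESRV01"),
    ("2024-03-07T08:55:00", "jsmith", "GB", "MAILSRV01"),
    ("2024-03-11T03:02:00", "jsmith", "RO", "DC01"),       # 3am, new country, host never touched
    ("2024-03-11T11:15:00", "jsmith", "GB", "FILESRV01"),  # ordinary daytime logon
]

def build_baseline(records):
    """Per account: hosts and countries seen, plus the set of logon hours observed."""
    base = defaultdict(lambda: {"hosts": set(), "countries": set(), "hours": set()})
    for ts, acct, country, host in records:
        base[acct]["hosts"].add(host)
        base[acct]["countries"].add(country)
        base[acct]["hours"].add(datetime.fromisoformat(ts).hour)
    return base

def hunt(records, baseline):
    """Return (record, reasons) for each logon deviating from its account's baseline; leads, not verdicts."""
    findings = []
    for rec in records:
        ts, acct, country, host = rec
        profile = baseline.get(acct)
        reasons = []
        if profile is None:
            reasons.append("account has no baseline")
        else:
            hour = datetime.fromisoformat(ts).hour
            if host not in profile["hosts"]:
                reasons.append(f"first observed access to {host}")
            if country not in profile["countries"]:
                reasons.append(f"logon from new country {country}")
            if not (min(profile["hours"]) <= hour <= max(profile["hours"])):
                reasons.append(f"outside usual hours ({hour:02d}:00)")
        if reasons:
            findings.append((rec, reasons))
    return findings

BASELINE = build_baseline(LOGONS[:5])
FINDINGS = hunt(LOGONS[5:], BASELINE)

if __name__ == "__main__":
    for rec, reasons in FINDINGS:
        print(rec[1], rec[0], "->", "; ".join(reasons))
```

Each finding carries every reason it tripped, so an analyst can tell a single new host (often benign) from the combined off-hours, new-country, new-host pattern that merits an investigation.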
Credential Misuse and Privilege Escalation
Stolen or compromised credentials give attackers a path to sensitive data. Hunters correlate logon events, group membership changes, and privilege escalations to find accounts that have been compromised and leveraged for lateral movement.
Data Staging and Exfiltration Prep
Before stealing data, attackers copy it to a staging location, compress it, and prepare it for exfiltration. Hunters search for unusual file access patterns, mass data movements, and archive files created in unexpected locations.
Persistent Backdoors and Web Shells
Attackers install backdoors to maintain access even after the initial vulnerability is patched. Hunters search for suspicious files in web directories, unusual registry entries, scheduled tasks, and persistence mechanisms that automated tools often overlook.
Supply Chain Compromises
Attackers compromise third-party software or vendors to gain access to multiple organisations. Hunters correlate unusual behaviour across supplier tools and monitor for indicators of compromise associated with supply chain attacks.
Insider Threats
Disgruntled employees or contractors may access sensitive systems and data with the intention of theft or sabotage. Hunters search for unusual access patterns, off-hours activity, bulk downloads by non-technical staff, and access to systems outside their job function.
The ROI: threat hunting reduces dwell time and breach costs dramatically
The financial impact is clear. Organisations with active threat hunting programmes reduce dwell time by 90%: from 204 days down to 20 days or less. The consequences are enormous.
Visualization: Financial impact of threat hunting on breach cost
Organisations with threat hunting programmes reduce breach detection time from 204 days to 20 days, reducing average breach cost from $4.2M to $1.3M per incident. The ROI pays for the entire hunting programme within a single prevented breach.
The maths is compelling. An average breach costs $4.45 million (Ponemon Institute 2024). With threat hunting, dwell time reduces by 90%, and breach cost drops proportionally to approximately $1.3 million. A single prevented breach saves $2.9 million. Even if threat hunting costs £150,000 to £300,000 per year, the ROI from preventing one breach is immediate and substantial.
Maturity levels: where your organisation stands, and where it needs to go
Threat hunting capability progresses through levels of maturity. Most organisations are at Level 0 or 1. Board-level security requires at least Level 2.
Xartrix automates the hunting process using AI-driven threat simulation and continuous log analysis. Your security team transitions from waiting for quarterly reports to monitoring a live hunting dashboard that runs 24/7. The platform identifies anomalies, correlates suspicious behaviour across systems, and surfaces the highest-confidence findings for analyst investigation. You get Level 3 maturity without needing to hire a team of expert hunters.
Implementation: four phases to establish proactive threat hunting
Building a threat hunting capability does not require a massive investment upfront. Move through these phases:
Phase 1: Establish Baseline Visibility
You cannot hunt for threats if you cannot see your environment. Ensure comprehensive log collection: Windows event logs, DNS queries, network traffic, application logs, and endpoint telemetry. Deploy endpoint detection and response (EDR) across critical systems. This is foundational.
Phase 2: Develop Hunting Hypotheses from Threat Intelligence
Subscribe to threat intelligence feeds relevant to your industry. If you operate in financial services, monitor for threats targeting banks. Extract indicators of compromise (IoCs) and attack techniques. Develop hunting hypotheses: “Advanced persistent threat APT28 uses these tools and techniques. Are they present in our environment?”
Phase 3: Build Repeatable Hunting Playbooks
Document your hunting processes. For each threat hypothesis, create a playbook that defines: (1) the attack technique, (2) where to look for evidence, (3) what normal vs suspicious looks like, and (4) escalation procedures. This turns ad-hoc hunting into a repeatable, scalable process.
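A playbook with the four parts listed above can be written as data that a runner applies to logs, which is what Phase 4's automation needs. This added example (not Xartrix code) encodes the PsExec hypothesis from the hypothesis-driven hunting section; the event records, host names and the approved-account list are constructed assumptions about one environment.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed Windows System-log style records, not real telemetry.
# Event ID 7045 ("a service was installed") is logged when PsExec drops its PSEXESVC service on a target.
EVENTS = [
    {"event_id": 7045, "host": "WS-ACCT-07", "service": "PSEXESVC", "account": "j.doe"},
    {"event_id": 7045, "host": "SRV-BUILD01", "service": "PSEXESVC", "account": "svc-deploy"},
    {"event_id": 7045, "host": "WS-HR-02", "service": "EdgeUpdate", "account": "SYSTEM"},
    {"event_id": 4624, "host": "DC01", "service": "", "account": "j.doe"},
]

@dataclass
class Playbook:
    technique: str                      # (1) the attack technique being hunted
    in_scope: Callable[[dict], bool]    # (2) where to look: which records to examine
    suspicious: Callable[[dict], bool]  # (3) what separates suspicious from normal
    escalation: str                     # (4) what the analyst does with a hit

def run_playbook(pb, events):
    """Apply one playbook to a batch of events; returns one hit per suspicious record."""
    hits = [e for e in events if pb.in_scope(e) and pb.suspicious(e)]
    return [{"technique": pb.technique, "host": e["host"], "account": e["account"],
             "action": pb.escalation} for e in hits]

# Assumed baseline for this environment: only the deployment service account is expected to use PsExec.
APPROVED_PSEXEC_ACCOUNTS = {"svc-deploy"}

PSEXEC_HUNT = Playbook(
    technique="Lateral movement via PsExec (remote service installation)",
    in_scope=lambda e: e["event_id"] == 7045,
    # A renamed PsExec service would not match on name; a companion playbook keyed on the image path is needed for that.
    suspicious=lambda e: e["service"].upper() == "PSEXESVC" and e["account"] not in APPROVED_PSEXEC_ACCOUNTS,
    escalation="Raise incident: isolate host, identify the source system, review the account for credential misuse",
)

RESULTS = run_playbook(PSEXEC_HUNT, EVENTS)
```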
Phase 4: Automate and Scale with AI
Once your playbooks are mature, automate them. Deploy automation tools that run your playbooks continuously against your logs. Use AI to detect anomalies and surface the highest-confidence findings for analyst review. Your team moves from conducting manual hunts to managing an automated hunting engine.
For the boardroom: five critical questions about threat hunting
If you are a CEO, CFO, or board member evaluating your security posture, ask your security team these questions:
Question 1
What is our average dwell time, and how do we know? If the answer is “we don’t know” or “over 100 days,” you are operating with significant risk. The industry average is 204 days. You should be below 30 days.
Question 2
Are we hunting for threats proactively, or waiting for alerts? If your security strategy is purely reactive (alerts only), you are betting that attackers are not patient or sophisticated. Threat actors in your sector are both. You need active hunting.
Question 3
How much of our SOC's time is spent chasing alerts vs conducting actual hunts? If the answer is "90% investigating false positives and 10% on real hunting," your team is inefficient. Consolidate your alerting. Invest in hunting.
Question 4
Could an attacker hide in our network for 204 days without being detected? Honest answer: yes, probably. That is a board-level risk. Threat hunting is the control that reduces that risk to weeks or days.
Question 5
Are we hunting for threats that our tools cannot detect? If your hunting relies solely on your SIEM and EDR, you are hunting for only known attack patterns. True threat hunting includes hypothesis-driven searches, anomaly detection, and intelligence-driven investigations that go beyond tool capabilities.
Next steps: three ways to launch threat hunting immediately
You do not need to hire a full hunting team or wait for the perfect platform. Start now:
Option 1: Managed Threat Hunting Service
Engage an external threat hunting provider. They bring expertise, tools, and bandwidth. A typical engagement costs £15,000 to £30,000 per month but delivers immediate capability. Best for organisations with limited in-house security expertise.
Option 2: Build Internal Capability
Hire or train a threat hunter and implement a hunting platform. Total cost: £80,000 to £200,000 per year (salary + tools). This builds internal expertise and scales as your organisation grows. Best for mature security teams.
Option 3: AI-Augmented Hunting Platform
Deploy a continuous threat hunting platform powered by AI. Xartrix and similar platforms automate the bulk of hunting work, making it accessible to smaller teams. Your 2 to 3 analysts oversee AI-driven hunts instead of conducting them manually. Cost: £30,000 to £80,000 annually, depending on scale.
Action item: Schedule a threat hunting assessment within the next 30 days. Whether you conduct it internally or engage an external provider, a baseline assessment reveals what your tools are missing. The findings will inform your investment decisions.
Stop waiting to be breached. Start hunting threats proactively.
Xartrix provides continuous threat hunting powered by AI-driven anomaly detection and hypothesis-driven investigation. Reduce dwell time from months to weeks. Find threats before attackers can cause damage. Move from reactive to proactive security.