{"id":105,"date":"2026-03-24T19:29:07","date_gmt":"2026-03-24T19:29:07","guid":{"rendered":"https:\/\/xartrix.com\/?page_id=105"},"modified":"2026-03-24T22:48:12","modified_gmt":"2026-03-24T22:48:12","slug":"threat-hunting","status":"publish","type":"page","link":"https:\/\/xartrix.com\/en\/blogs\/threat-hunting\/","title":{"rendered":"Threat Hunting \u2014 The Threats Already Inside and Hiding"},"content":{"rendered":"\n<!-- wp:html --><!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n<title>Threat Hunting \u2014 The threats already inside and hiding | Xartrix<\/title>\n<meta name=\"description\" content=\"Most organisations wait to be alerted. Threat hunters go looking. Here is what they find and why it matters to the boardroom \u2014 and why dwell time is a liability.\">\n<link rel=\"preconnect\" href=\"https:\/\/fonts.googleapis.com\">\n<link href=\"https:\/\/fonts.googleapis.com\/css2?family=Syne:wght@400;600;700;800&#038;family=DM+Sans:ital,wght@0,300;0,400;0,500;1,300&#038;display=swap\" rel=\"stylesheet\">\n\n<!-- Schema.org Article structured data -->\n<script type=\"application\/ld+json\">\n{\n  \"@context\": \"https:\/\/schema.org\",\n  \"@type\": \"Article\",\n  \"headline\": \"Threat hunting \u2014 the threats already inside and hiding\",\n  \"description\": \"Most organisations wait to be alerted. Threat hunters go looking. 
Here is what they find and why it matters.\",\n  \"author\": { \"@type\": \"Organization\", \"name\": \"Xartrix Security\", \"url\": \"https:\/\/xartrix.com\" },\n  \"publisher\": { \"@type\": \"Organization\", \"name\": \"Xartrix Security\", \"url\": \"https:\/\/xartrix.com\" },\n  \"datePublished\": \"2025-03-01\",\n  \"dateModified\": \"2025-03-01\",\n  \"mainEntityOfPage\": \"https:\/\/xartrix.com\/en\/blogs\/threat-hunting\/\",\n  \"keywords\": [\"threat hunting\", \"dwell time\", \"security operations\", \"proactive detection\", \"threat intelligence\", \"breach prevention\", \"SOC operations\", \"insider threats\", \"lateral movement\"],\n  \"articleSection\": \"Cybersecurity\",\n  \"wordCount\": 2850\n}\n<\/script>\n\n<style>\n  *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }\n\n  :root {\n    --bg:         #070c1a;\n    --surface:    #0c1526;\n    --card:       #101e36;\n    --border:     #1c2e50;\n    --border-hi:  #2a4270;\n    --teal:       #00d9a7;\n    --teal-dim:   #00a880;\n    --teal-glow:  rgba(0,217,167,0.10);\n    --amber:      #f5b731;\n    --red:        #f04055;\n    --blue-soft:  #3b7cf4;\n    --text:       #dce8ff;\n    --text-muted: #6b84ad;\n    --text-dim:   #3e5070;\n    --font-head:  'Syne', sans-serif;\n    --font-body:  'DM Sans', sans-serif;\n  }\n\n  html { font-size: 16px; scroll-behavior: smooth; }\n\n  body {\n    background: var(--bg);\n    color: var(--text);\n    font-family: var(--font-body);\n    font-weight: 400;\n    line-height: 1.75;\n    -webkit-font-smoothing: antialiased;\n  }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 NAV \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  nav.topbar {\n    position: sticky; top: 0; z-index: 100;\n    background: rgba(7,12,26,0.92);\n    backdrop-filter: blur(14px);\n    border-bottom: 0.5px solid var(--border);\n    padding: 0 2rem;\n    display: flex; align-items: center; justify-content: space-between;\n    height: 60px;\n  }\n  .nav-logo {\n    font-family: 
var(--font-head); font-size: 1.15rem; font-weight: 700;\n    color: var(--text); text-decoration: none; letter-spacing: .02em;\n  }\n  .nav-logo span { color: var(--teal); }\n  .nav-links { display: flex; gap: 2rem; list-style: none; }\n  .nav-links a { font-size: .85rem; color: var(--text-muted); text-decoration: none; transition: color .2s; }\n  .nav-links a:hover { color: var(--teal); }\n  .nav-cta {\n    background: var(--teal); color: #070c1a; border: none; cursor: pointer;\n    font-family: var(--font-body); font-size: .8rem; font-weight: 500;\n    padding: 7px 18px; border-radius: 6px; text-decoration: none;\n    transition: opacity .2s;\n  }\n  .nav-cta:hover { opacity: .85; }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 LAYOUT \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  .page-wrap { max-width: 800px; margin: 0 auto; padding: 0 1.5rem; }\n  .wide-wrap  { max-width: 1000px; margin: 0 auto; padding: 0 1.5rem; }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 SERIES BREADCRUMB \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  .series-bar {\n    max-width: 800px; margin: 0 auto;\n    padding: 1rem 1.5rem 0;\n    display: flex; align-items: center; gap: .5rem;\n    font-size: .78rem; color: var(--text-dim);\n    flex-wrap: wrap;\n  }\n  .series-bar a {\n    color: var(--text-dim); text-decoration: none;\n    border-bottom: 0.5px solid transparent;\n    transition: color .2s, border-color .2s;\n  }\n  .series-bar a:hover { color: var(--teal); border-color: var(--teal); }\n  .series-bar .current { color: var(--teal); font-weight: 500; }\n  .series-bar .sep { opacity: .4; }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 HERO \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  .hero {\n    padding: 4rem 1.5rem 4rem;\n    max-width: 800px; margin: 0 auto;\n    position: relative;\n  }\n  .hero-category {\n    display: inline-flex; align-items: center; gap: 8px;\n    font-size: .75rem; font-weight: 500; letter-spacing: .1em; text-transform: uppercase;\n    color: var(--teal); 
margin-bottom: 1.5rem;\n  }\n  .hero-category::before {\n    content: ''; display: block; width: 28px; height: 1px; background: var(--teal);\n  }\n  .hero h1 {\n    font-family: var(--font-head);\n    font-size: clamp(2rem, 5vw, 3rem);\n    font-weight: 800; line-height: 1.15;\n    letter-spacing: -.02em;\n    margin-bottom: 1.25rem;\n    color: #fff;\n  }\n  .hero h1 em { font-style: normal; color: var(--teal); }\n  .hero-lead {\n    font-size: 1.1rem; font-weight: 300; color: var(--text-muted);\n    max-width: 640px; line-height: 1.7; margin-bottom: 2rem;\n  }\n  .hero-meta {\n    display: flex; align-items: center; gap: 1.5rem;\n    font-size: .8rem; color: var(--text-dim);\n    border-top: 0.5px solid var(--border);\n    padding-top: 1.25rem;\n  }\n  .hero-meta .dot { width: 4px; height: 4px; border-radius: 50%; background: var(--border-hi); }\n  .reading-time { color: var(--teal); }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 STAT OPENER \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  .stat-opener {\n    background: var(--card);\n    border: 0.5px solid var(--border);\n    border-left: 3px solid var(--red);\n    border-radius: 10px;\n    padding: 1.5rem 2rem;\n    margin: 0 auto 3.5rem;\n    max-width: 800px;\n    display: grid; grid-template-columns: 1fr 1fr 1fr;\n    gap: 1px;\n  }\n  .stat-opener > div { padding: 0 1.5rem; position: relative; }\n  .stat-opener > div + div::before {\n    content: ''; position: absolute; left: 0; top: 10%; height: 80%;\n    width: 0.5px; background: var(--border);\n  }\n  .stat-opener .s-num {\n    font-family: var(--font-head); font-size: 2.2rem; font-weight: 800;\n    line-height: 1; margin-bottom: .25rem;\n  }\n  .s-num.red { color: var(--red); }\n  .s-num.amber { color: var(--amber); }\n  .s-num.teal { color: var(--teal); }\n  .stat-opener .s-label { font-size: .8rem; color: var(--text-muted); line-height: 1.4; }\n  .stat-opener .s-source { font-size: .7rem; color: var(--text-dim); margin-top: .35rem; }\n\n  \/* 
\u00e2\u0094\u0080\u00e2\u0094\u0080 PROSE \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  .prose { max-width: 800px; margin: 0 auto; }\n  .prose p { margin-bottom: 1.5rem; color: var(--text-muted); font-size: 1rem; }\n  .prose p strong { color: var(--text); font-weight: 500; }\n  .prose h2 {\n    font-family: var(--font-head); font-size: 1.6rem; font-weight: 700;\n    color: #fff; letter-spacing: -.01em; margin: 3rem 0 1rem;\n    line-height: 1.25;\n  }\n  .prose h2 .h2-num {\n    display: inline-block; font-size: .7rem; font-weight: 600;\n    color: var(--teal); letter-spacing: .1em; text-transform: uppercase;\n    border: 0.5px solid var(--teal); border-radius: 4px;\n    padding: 2px 8px; vertical-align: middle; margin-right: .6rem;\n    position: relative; top: -2px;\n  }\n  .prose h3 {\n    font-family: var(--font-head); font-size: 1.1rem; font-weight: 600;\n    color: var(--text); margin: 2rem 0 .75rem;\n  }\n  .callout {\n    background: var(--teal-glow);\n    border: 0.5px solid rgba(0,217,167,0.25);\n    border-radius: 10px;\n    padding: 1.25rem 1.5rem;\n    margin: 2rem 0;\n    font-size: .95rem; color: var(--text-muted);\n  }\n  .callout strong { color: var(--teal); font-weight: 500; }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 SECTION DIVIDER \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  .section-div {\n    border: none; border-top: 0.5px solid var(--border);\n    margin: 3.5rem 0;\n  }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 VIZ CARDS \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  .viz-card {\n    background: var(--card);\n    border: 0.5px solid var(--border);\n    border-radius: 12px;\n    margin: 2.5rem 0;\n    overflow: hidden;\n  }\n  .viz-label {\n    font-size: .7rem; letter-spacing: .09em; text-transform: uppercase;\n    color: var(--text-dim); font-weight: 500;\n    padding: .75rem 1.5rem;\n    border-bottom: 0.5px solid var(--border);\n    display: flex; align-items: center; gap: 8px;\n  }\n  .viz-label::before {\n    content: ''; display: 
block; width: 6px; height: 6px;\n    border-radius: 50%; background: var(--teal);\n  }\n  .viz-inner { padding: 1.5rem; }\n  .viz-caption {\n    font-size: .78rem; color: var(--text-dim); line-height: 1.5;\n    padding: .75rem 1.5rem 1rem;\n    border-top: 0.5px solid var(--border);\n  }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 WIDE VIZ CARD \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  .viz-wide {\n    max-width: 1000px; margin: 2.5rem auto;\n    background: var(--card);\n    border: 0.5px solid var(--border);\n    border-radius: 12px;\n    overflow: hidden;\n  }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 KEY STAT BLOCK \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  .stat-grid {\n    display: grid; grid-template-columns: repeat(auto-fit, minmax(180px,1fr));\n    gap: 1px; background: var(--border);\n    border: 0.5px solid var(--border); border-radius: 12px; overflow: hidden;\n    margin: 2.5rem 0;\n  }\n  .stat-cell {\n    background: var(--card);\n    padding: 1.25rem 1.5rem;\n  }\n  .stat-cell .sc-num {\n    font-family: var(--font-head); font-size: 1.8rem; font-weight: 800;\n    line-height: 1; margin-bottom: .4rem;\n  }\n  .sc-num.t { color: var(--teal); }\n  .sc-num.a { color: var(--amber); }\n  .sc-num.r { color: var(--red); }\n  .stat-cell .sc-label { font-size: .82rem; color: var(--text-muted); line-height: 1.45; }\n  .stat-cell .sc-src { font-size: .7rem; color: var(--text-dim); margin-top: .3rem; }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 ANSWER BLOCK \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  .answer-block {\n    border-left: 2px solid var(--teal-dim);\n    padding: 1rem 1.25rem;\n    margin: 1.5rem 0;\n    background: rgba(0,168,128,0.05);\n    border-radius: 0 8px 8px 0;\n  }\n  .answer-block .q {\n    font-size: .75rem; font-weight: 500; letter-spacing: .08em;\n    text-transform: uppercase; color: var(--teal-dim); margin-bottom: .5rem;\n  }\n  .answer-block .a { font-size: .97rem; color: var(--text-muted); }\n  .answer-block .a strong { 
color: var(--text); font-weight: 500; }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 AI ADVANTAGE CALLOUT \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  .ai-callout {\n    background: rgba(0,217,167,0.04);\n    border: 1px solid rgba(0,217,167,0.18);\n    border-radius: 10px;\n    padding: 1.25rem 1.5rem;\n    margin: 2.5rem 0;\n    display: flex; gap: 1rem; align-items: flex-start;\n  }\n  .ai-callout .ai-icon {\n    flex-shrink: 0; width: 36px; height: 36px;\n    background: rgba(0,217,167,0.12); border-radius: 8px;\n    display: flex; align-items: center; justify-content: center;\n    font-family: var(--font-head); font-size: .8rem; font-weight: 700; color: var(--teal);\n  }\n  .ai-callout .ai-title {\n    font-family: var(--font-head); font-size: .85rem; font-weight: 600;\n    color: var(--teal); margin-bottom: .3rem;\n  }\n  .ai-callout .ai-body { font-size: .9rem; color: var(--text-muted); line-height: 1.6; }\n  .ai-callout .ai-body strong { color: var(--text); font-weight: 500; }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 COMPARISON TABLE \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  .compare-table { width: 100%; border-collapse: collapse; font-size: .88rem; }\n  .compare-table th {\n    text-align: left; padding: .75rem 1rem;\n    font-family: var(--font-head); font-size: .78rem; font-weight: 600;\n    text-transform: uppercase; letter-spacing: .06em;\n    border-bottom: 0.5px solid var(--border-hi);\n  }\n  .compare-table th:first-child { color: var(--text-muted); }\n  .compare-table th.th-teal { color: var(--teal); }\n  .compare-table th.th-dim  { color: var(--text-dim); }\n  .compare-table td {\n    padding: .7rem 1rem; border-bottom: 0.5px solid var(--border);\n    vertical-align: top; color: var(--text-muted); line-height: 1.4;\n  }\n  .compare-table td:first-child { color: var(--text); font-weight: 500; font-size: .85rem; }\n  .compare-table .yes { color: var(--teal); }\n  .compare-table .no  { color: var(--text-dim); }\n  .compare-table tr:last-child 
td { border-bottom: none; }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 CTA \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  .cta-section {\n    background: linear-gradient(135deg, #0c1526 0%, #101e36 100%);\n    border: 0.5px solid var(--border-hi);\n    border-radius: 16px;\n    padding: 3rem 2.5rem;\n    text-align: center; margin: 4rem 0;\n    position: relative; overflow: hidden;\n  }\n  .cta-section::before {\n    content: ''; position: absolute;\n    top: -80px; left: 50%; transform: translateX(-50%);\n    width: 300px; height: 300px; border-radius: 50%;\n    background: radial-gradient(circle, rgba(0,217,167,0.08) 0%, transparent 70%);\n    pointer-events: none;\n  }\n  .cta-section h2 {\n    font-family: var(--font-head); font-size: 1.7rem; font-weight: 800;\n    color: #fff; margin-bottom: .75rem;\n  }\n  .cta-section p { color: var(--text-muted); margin-bottom: 1.75rem; max-width: 500px; margin-left: auto; margin-right: auto; }\n  .btn-primary {\n    display: inline-block;\n    background: var(--teal); color: #070c1a;\n    font-family: var(--font-body); font-size: .9rem; font-weight: 500;\n    padding: 12px 28px; border-radius: 8px; text-decoration: none;\n    transition: opacity .2s, transform .15s;\n  }\n  .btn-primary:hover { opacity: .88; transform: translateY(-1px); }\n  .btn-ghost {\n    display: inline-block; margin-left: 1rem;\n    background: transparent; color: var(--text-muted);\n    font-family: var(--font-body); font-size: .9rem; font-weight: 400;\n    padding: 12px 22px; border-radius: 8px; text-decoration: none;\n    border: 0.5px solid var(--border-hi);\n    transition: border-color .2s, color .2s;\n  }\n  .btn-ghost:hover { border-color: var(--teal); color: var(--teal); }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 RELATED POSTS \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  .related-posts {\n    max-width: 800px; margin: 0 auto;\n    padding: 0 1.5rem 2rem;\n  }\n  .related-posts h3 {\n    font-family: var(--font-head); font-size: 1rem; 
font-weight: 600;\n    color: var(--text-dim); margin-bottom: 1rem;\n  }\n  .related-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; }\n  .related-card {\n    background: var(--card);\n    border: 0.5px solid var(--border);\n    border-radius: 10px;\n    padding: 1.25rem 1.5rem;\n    text-decoration: none;\n    transition: border-color .2s;\n  }\n  .related-card:hover { border-color: var(--teal); }\n  .rc-label { font-size: .7rem; color: var(--text-dim); letter-spacing: .08em; text-transform: uppercase; margin-bottom: .4rem; }\n  .rc-title { font-family: var(--font-head); font-size: .92rem; font-weight: 600; color: var(--text); line-height: 1.35; }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 FOOTER \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  footer {\n    border-top: 0.5px solid var(--border);\n    padding: 2rem 1.5rem;\n    text-align: center;\n    font-size: .78rem; color: var(--text-dim);\n  }\n  footer a { color: var(--teal); text-decoration: none; }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 SVG SHARED \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  .chart-svg { width: 100%; height: auto; display: block; }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 PROGRESS ANIMATION \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  @keyframes growBar { from { width: 0; } to { width: var(--w); } }\n  .bar-fill { animation: growBar 1.2s ease-out forwards; }\n\n  \/* \u00e2\u0094\u0080\u00e2\u0094\u0080 FADE IN \u00e2\u0094\u0080\u00e2\u0094\u0080 *\/\n  @keyframes fadeUp { from { opacity:0; transform:translateY(16px); } to { opacity:1; transform:translateY(0); } }\n  .hero h1, .hero-lead, .hero-meta { animation: fadeUp .6s ease both; }\n  .hero-lead { animation-delay: .1s; }\n  .hero-meta { animation-delay: .2s; }\n\n  @media (max-width: 600px) {\n    .stat-opener { grid-template-columns: 1fr; gap: 1rem; }\n    .stat-opener > div + div::before { display: none; }\n    .nav-links { display: none; }\n    .btn-ghost { display: none; }\n    .related-grid { 
grid-template-columns: 1fr; }\n    .ai-callout { flex-direction: column; }\n  }\n<\/style>\n<\/head>\n<body>\n\n<!-- NAV -->\n<nav class=\"topbar\">\n  <a class=\"nav-logo\" href=\"https:\/\/xartrix.com\">X<span>artrix<\/span><\/a>\n  <ul class=\"nav-links\">\n    <li><a href=\"https:\/\/xartrix.com\/en\/services\/\">Services<\/a><\/li>\n    <li><a href=\"https:\/\/xartrix.com\/en\/about-us\/\">About<\/a><\/li>\n    <li><a href=\"https:\/\/xartrix.com\/en\/pricing\/\">Pricing<\/a><\/li>\n    <li><a href=\"https:\/\/xartrix.com\/en\/contact\/\">Contact<\/a><\/li>\n  <\/ul>\n  <a class=\"nav-cta\" href=\"https:\/\/xartrix.com\/en\/contact\/\">Start Free Trial<\/a>\n<\/nav>\n\n\n<!-- SERIES BREADCRUMB -->\n<div class=\"series-bar\">\n  <a href=\"https:\/\/xartrix.com\/en\/blogs\/what-is-a-managed-soc\/\">Post 1a: Managed SOC<\/a>\n  <span class=\"sep\">\/<\/span>\n  <a href=\"https:\/\/xartrix.com\/en\/blogs\/soc-cost-comparison\/\">Post 1b: SOC Costs<\/a>\n  <span class=\"sep\">\/<\/span>\n  <a href=\"https:\/\/xartrix.com\/en\/blogs\/cyber-threat-intelligence\/\">Post 2: Threat Intelligence<\/a>\n  <span class=\"sep\">\/<\/span>\n  <a href=\"https:\/\/xartrix.com\/en\/blogs\/penetration-testing\/\">Post 3a: Penetration Testing<\/a>\n  <span class=\"sep\">\/<\/span>\n  <a href=\"https:\/\/xartrix.com\/en\/blogs\/testing-frequency\/\">Post 3b: Testing Frequency<\/a>\n  <span class=\"sep\">\/<\/span>\n  <span class=\"current\">Post 4: Threat Hunting<\/span>\n  <span class=\"sep\">\/<\/span>\n  <span>Post 5: Incident Response<\/span>\n<\/div>\n\n\n<!-- HERO -->\n<header class=\"hero\">\n  <div class=\"hero-category\">Threat Hunting &middot; Executive Guide<\/div>\n  <h1>Threat hunting <em>&mdash; the threats already inside and hiding<\/em><\/h1>\n  <p class=\"hero-lead\">\n    Most organisations wait to be alerted. They install sensors, set thresholds, and respond when an alarm sounds. But by then, attackers have often already been inside for months. 
Threat hunters operate differently: they go looking. Here is what they find, why traditional alerts fail to catch it, and why your board should care about dwell time.\n  <\/p>\n  <div class=\"hero-meta\">\n    <span>By Xartrix Security Team<\/span>\n    <span class=\"dot\"><\/span>\n    <span class=\"reading-time\">9 min read<\/span>\n    <span class=\"dot\"><\/span>\n    <span><\/span>\n  <\/div>\n<\/header>\n\n\n<!-- STAT OPENER -->\n<div class=\"stat-opener page-wrap\">\n  <div>\n    <div class=\"s-num red\">204 days<\/div>\n    <div class=\"s-label\">average dwell time before a breach is detected \u2014 almost 7 months of undetected presence<\/div>\n    <div class=\"s-source\">Mandiant M-Trends 2024<\/div>\n  <\/div>\n  <div>\n    <div class=\"s-num amber\">73%<\/div>\n    <div class=\"s-label\">of breaches took months or longer to discover; many organisations never detected them at all<\/div>\n    <div class=\"s-source\">Verizon DBIR 2024<\/div>\n  <\/div>\n  <div>\n    <div class=\"s-num teal\">40%<\/div>\n    <div class=\"s-label\">of threat hunting engagements find activity that automated tools and alerts completely missed<\/div>\n    <div class=\"s-source\">Crowdstrike Threat Hunting Services Data<\/div>\n  <\/div>\n<\/div>\n\n\n<!-- BODY -->\n<main class=\"prose page-wrap\">\n\n  <!-- SECTION 1: THE DWELL TIME PROBLEM -->\n  <h2><span class=\"h2-num\">The problem<\/span> 204 days is too long: the dwell time liability<\/h2>\n\n  <p>\n    An attacker breaks into your network in January. By May, they have moved laterally to critical systems, established persistence through a backdoor, and begun staging data for exfiltration. It is not until September \u2014 8 months later \u2014 that your security operations centre receives an alert. A hunter, by contrast, would have found them in weeks or days.\n  <\/p>\n\n  <p>\n    This scenario is not hypothetical. 
The average dwell time (the time between initial compromise and detection) is 204 days across all organisations, and much longer in some sectors. <strong>For 7 months of that period, attackers have unrestricted access to your systems, your data, and your intellectual property.<\/strong> During this window, they can:\n  <\/p>\n\n  <p>\n    &bull; Move laterally from compromised endpoints to domain controllers, databases, and critical servers &nbsp;&nbsp;&bull; Harvest credentials from multiple systems for privilege escalation &nbsp;&nbsp;&bull; Copy sensitive data without triggering alerts &nbsp;&nbsp;&bull; Install backdoors and web shells for persistent access &nbsp;&nbsp;&bull; Modify logs and cover their tracks\n  <\/p>\n\n  <p>\n    By the time detection occurs, the breach is often far advanced. The cost is staggering: data has already been stolen, systems are already compromised, and the attacker already has multiple escape routes built in.\n  <\/p>\n\n  <hr class=\"section-div\">\n\n  <!-- SECTION 2: WHAT IS THREAT HUNTING? -->\n  <h2><span class=\"h2-num\">The approach<\/span> What threat hunting is \u2014 proactive search instead of passive detection<\/h2>\n\n  <p>\n    Threat hunting inverts the traditional security model. Instead of waiting for alerts, hunters actively search for signs of compromise. They assume attackers are already inside and hunt for evidence of their presence. There are three common approaches:\n  <\/p>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Hypothesis-Driven Hunting<\/div>\n    <div class=\"a\"><strong>Hunters develop a hypothesis based on threat intelligence.<\/strong> &#8220;Advanced persistent threats targeting our industry use lateral movement via PsExec. 
Let me search our logs for any unusual PsExec activity.&#8221; They query logs, network traffic, and endpoint data to confirm or rule out the hypothesis.<\/div>\n  <\/div>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Intelligence-Driven Hunting<\/div>\n    <div class=\"a\"><strong>Hunters use real-time threat intelligence from industry reports, vendor feeds, and underground forums.<\/strong> When a new attack technique emerges, hunters immediately search for indicators in their environment. They do not wait for their tools to be updated with signatures.<\/div>\n  <\/div>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Anomaly-Based Hunting<\/div>\n    <div class=\"a\"><strong>Hunters search for deviations from normal behaviour.<\/strong> &#8220;This user account typically logs in from the London office between 9am and 5pm. Why is it now logging in at 3am from a different country?&#8221; Anomalies do not always indicate compromise, but they warrant investigation.<\/div>\n  <\/div>\n\n  <hr class=\"section-div\">\n\n  <!-- SECTION 3: WHY ALERTS ARE NOT ENOUGH -->\n  <h2><span class=\"h2-num\">The gap<\/span> Why your SIEM and EDR alerts miss 40% of threats<\/h2>\n\n  <p>\n    Most organisations rely on automated detection: SIEM rules, EDR alerts, and intrusion detection systems. 
These tools are valuable, but they have a fundamental limitation: they can only detect what they are configured to detect.\n  <\/p>\n\n  <div class=\"viz-card\">\n    <div class=\"viz-label\">Visualization: Detection gap between alerts and threat hunting<\/div>\n    <div class=\"viz-inner\">\n      <svg viewBox=\"0 0 800 350\" class=\"chart-svg\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n        <!-- Background -->\n        <rect width=\"800\" height=\"350\" fill=\"#070c1a\"\/>\n\n        <!-- Title -->\n        <text x=\"400\" y=\"30\" font-family=\"Syne\" font-size=\"16\" font-weight=\"700\" fill=\"#dce8ff\" text-anchor=\"middle\">What Automated Alerts Miss vs What Threat Hunters Find<\/text>\n\n        <!-- Left circle: Alerts -->\n        <circle cx=\"250\" cy=\"160\" r=\"90\" fill=\"#3b7cf4\" opacity=\"0.2\" stroke=\"#3b7cf4\" stroke-width=\"2\"\/>\n        <text x=\"250\" y=\"140\" font-family=\"Syne\" font-size=\"13\" font-weight=\"600\" fill=\"#3b7cf4\" text-anchor=\"middle\">Automated Alerts<\/text>\n        <text x=\"250\" y=\"165\" font-family=\"DM Sans\" font-size=\"12\" fill=\"#6b84ad\" text-anchor=\"middle\">Known attack<\/text>\n        <text x=\"250\" y=\"180\" font-family=\"DM Sans\" font-size=\"12\" fill=\"#6b84ad\" text-anchor=\"middle\">patterns matched<\/text>\n        <text x=\"250\" y=\"200\" font-family=\"DM Sans\" font-size=\"10\" fill=\"#3e5070\" text-anchor=\"middle\">(60% of threats)<\/text>\n\n        <!-- Overlap area -->\n        <text x=\"400\" y=\"165\" font-family=\"DM Sans\" font-size=\"11\" fill=\"#dce8ff\" text-anchor=\"middle\">Detected by<\/text>\n        <text x=\"400\" y=\"180\" font-family=\"DM Sans\" font-size=\"11\" fill=\"#dce8ff\" text-anchor=\"middle\">both methods<\/text>\n\n        <!-- Right circle: Hunting -->\n        <circle cx=\"550\" cy=\"160\" r=\"90\" fill=\"#00d9a7\" opacity=\"0.2\" stroke=\"#00d9a7\" stroke-width=\"2\"\/>\n        <text x=\"550\" y=\"140\" font-family=\"Syne\" font-size=\"13\" 
font-weight=\"600\" fill=\"#00d9a7\" text-anchor=\"middle\">Threat Hunting<\/text>\n        <text x=\"550\" y=\"165\" font-family=\"DM Sans\" font-size=\"12\" fill=\"#6b84ad\" text-anchor=\"middle\">Anomalies,<\/text>\n        <text x=\"550\" y=\"180\" font-family=\"DM Sans\" font-size=\"12\" fill=\"#6b84ad\" text-anchor=\"middle\">novel techniques,<\/text>\n        <text x=\"550\" y=\"195\" font-family=\"DM Sans\" font-size=\"12\" fill=\"#6b84ad\" text-anchor=\"middle\">suspicious behaviour<\/text>\n        <text x=\"550\" y=\"215\" font-family=\"DM Sans\" font-size=\"10\" fill=\"#3e5070\" text-anchor=\"middle\">(40% missed by alerts)<\/text>\n\n        <!-- Key insight box -->\n        <rect x=\"50\" y=\"290\" width=\"700\" height=\"50\" fill=\"rgba(0,217,167,0.08)\" stroke=\"rgba(0,217,167,0.25)\" stroke-width=\"0.5\" rx=\"6\"\/>\n        <text x=\"400\" y=\"310\" font-family=\"DM Sans\" font-size=\"12\" fill=\"#dce8ff\" text-anchor=\"middle\"><tspan font-weight=\"500\">Key insight:<\/tspan> Sophisticated attackers deliberately avoid triggering alerts. Threat hunting finds<\/text>\n        <text x=\"400\" y=\"328\" font-family=\"DM Sans\" font-size=\"12\" fill=\"#dce8ff\" text-anchor=\"middle\">what your SIEM rules are not looking for.<\/text>\n      <\/svg>\n    <\/div>\n    <div class=\"viz-caption\">Automated tools excel at detecting known patterns. Threat hunters excel at finding novel techniques, behavioural anomalies, and sophisticated attackers who deliberately evade detection rules.<\/div>\n  <\/div>\n\n  <p>\n    <strong>Alert fatigue is the first problem.<\/strong> A typical SOC receives 10,000+ alerts per day. Security analysts investigate the most critical ones; the rest are ignored. Sophisticated attackers know this and design their activity to hide within that noise rather than stand out. 
They blend in with normal traffic, use legitimate tools (Living off the Land), and avoid setting off known signatures.\n  <\/p>\n\n  <p>\n    <strong>Zero-days and novel techniques are the second problem.<\/strong> Your SIEM has no signature for an attack that was discovered yesterday. Your EDR cannot detect a privilege escalation technique that was just published. Threat hunters, by contrast, are not bound by signatures. They search for unusual patterns and behaviours, regardless of whether a tool recognises them.\n  <\/p>\n\n  <p>\n    <strong>Attacker sophistication is the third problem.<\/strong> Nation-state and advanced cyber-crime groups specifically design their operations to evade automated detection. They study your environment, move slowly and deliberately, disable logging, and cover their tracks. An alert-only strategy is essentially betting that your attackers are not very good.\n  <\/p>\n\n  <hr class=\"section-div\">\n\n  <!-- SECTION 4: WHAT THREAT HUNTERS ACTUALLY FIND -->\n  <h2><span class=\"h2-num\">Real findings<\/span> What threat hunters discover that alerts miss<\/h2>\n\n  <p>\n    Threat hunting engagements consistently uncover threats that automated systems completely missed. 
Here are the categories most commonly found:\n  <\/p>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Lateral Movement Patterns<\/div>\n    <div class=\"a\"><strong>Attackers jump from a compromised endpoint to high-value systems using legitimate tools and credentials.<\/strong> Hunters search for unusual patterns: a normal user account accessing systems it has never touched before, connections from unusual times of day, or access patterns that deviate from baseline behaviour.<\/div>\n  <\/div>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Credential Misuse and Privilege Escalation<\/div>\n    <div class=\"a\"><strong>Stolen or compromised credentials give attackers a path to sensitive data.<\/strong> Hunters correlate logon events, group membership changes, and privilege escalations to find accounts that have been compromised and leveraged for lateral movement.<\/div>\n  <\/div>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Data Staging and Exfiltration Prep<\/div>\n    <div class=\"a\"><strong>Before stealing data, attackers copy it to a staging location, compress it, and prepare it for exfiltration.<\/strong> Hunters search for unusual file access patterns, mass data movements, and archive files created in unexpected locations.<\/div>\n  <\/div>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Persistent Backdoors and Web Shells<\/div>\n    <div class=\"a\"><strong>Attackers install backdoors to maintain access even after the initial vulnerability is patched.<\/strong> Hunters search for suspicious files in web directories, unusual registry entries, scheduled tasks, and persistence mechanisms that automated tools often overlook.<\/div>\n  <\/div>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Supply Chain Compromises<\/div>\n    <div class=\"a\"><strong>Attackers compromise third-party software or vendors to gain access to multiple organisations.<\/strong> Hunters correlate unusual behaviour across supplier tools and 
monitor for indicators of compromise associated with supply chain attacks.<\/div>\n  <\/div>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Insider Threats<\/div>\n    <div class=\"a\"><strong>Disgruntled employees or contractors may access sensitive systems and data with the intention of theft or sabotage.<\/strong> Hunters search for unusual access patterns, off-hours activity, bulk downloads by non-technical staff, and access to systems outside their job function.<\/div>\n  <\/div>\n\n  <hr class=\"section-div\">\n\n  <!-- SECTION 5: THE FINANCIAL CASE FOR THREAT HUNTING -->\n  <h2><span class=\"h2-num\">The ROI<\/span> Threat hunting reduces dwell time and breach costs dramatically<\/h2>\n\n  <p>\n    The financial impact is clear. Organisations with active threat hunting programmes reduce dwell time by 90%: from 204 days down to 20 days or less. The consequences are enormous.\n  <\/p>\n\n  <div class=\"viz-card\">\n    <div class=\"viz-label\">Visualization: Financial impact of threat hunting on breach cost<\/div>\n    <div class=\"viz-inner\">\n      <svg viewBox=\"0 0 800 300\" class=\"chart-svg\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n        <!-- Background -->\n        <rect width=\"800\" height=\"300\" fill=\"#070c1a\"\/>\n\n        <!-- Axes -->\n        <line x1=\"80\" y1=\"250\" x2=\"750\" y2=\"250\" stroke=\"#1c2e50\" stroke-width=\"1\"\/>\n        <line x1=\"80\" y1=\"50\" x2=\"80\" y2=\"250\" stroke=\"#1c2e50\" stroke-width=\"1\"\/>\n\n        <!-- Y-axis labels -->\n        <text x=\"60\" y=\"255\" font-family=\"DM Sans\" font-size=\"10\" fill=\"#3e5070\" text-anchor=\"end\">$0M<\/text>\n        <text x=\"60\" y=\"205\" font-family=\"DM Sans\" font-size=\"10\" fill=\"#3e5070\" text-anchor=\"end\">$2M<\/text>\n        <text x=\"60\" y=\"155\" font-family=\"DM Sans\" font-size=\"10\" fill=\"#3e5070\" text-anchor=\"end\">$4M<\/text>\n        <text x=\"60\" y=\"105\" font-family=\"DM Sans\" font-size=\"10\" fill=\"#3e5070\" 
text-anchor=\"end\">$6M<\/text>\n\n        <!-- Grid lines -->\n        <line x1=\"80\" y1=\"200\" x2=\"750\" y2=\"200\" stroke=\"#1c2e50\" stroke-width=\"0.5\" opacity=\"0.5\"\/>\n        <line x1=\"80\" y1=\"150\" x2=\"750\" y2=\"150\" stroke=\"#1c2e50\" stroke-width=\"0.5\" opacity=\"0.5\"\/>\n        <line x1=\"80\" y1=\"100\" x2=\"750\" y2=\"100\" stroke=\"#1c2e50\" stroke-width=\"0.5\" opacity=\"0.5\"\/>\n\n        <!-- Bar 1: No threat hunting (long dwell time) -->\n        <rect x=\"150\" y=\"70\" width=\"80\" height=\"180\" fill=\"#f04055\" opacity=\"0.7\"\/>\n        <text x=\"190\" y=\"270\" font-family=\"DM Sans\" font-size=\"11\" fill=\"#6b84ad\" text-anchor=\"middle\">No Hunting<\/text>\n        <text x=\"190\" y=\"285\" font-family=\"DM Sans\" font-size=\"9\" fill=\"#3e5070\" text-anchor=\"middle\">(204 days)<\/text>\n        <text x=\"190\" y=\"45\" font-family=\"Syne\" font-size=\"14\" font-weight=\"600\" fill=\"#f04055\" text-anchor=\"middle\">$4.2M<\/text>\n\n        <!-- Bar 2: With threat hunting (short dwell time) -->\n        <rect x=\"380\" y=\"195\" width=\"80\" height=\"55\" fill=\"#00d9a7\" opacity=\"0.7\"\/>\n        <text x=\"420\" y=\"270\" font-family=\"DM Sans\" font-size=\"11\" fill=\"#6b84ad\" text-anchor=\"middle\">With Hunting<\/text>\n        <text x=\"420\" y=\"285\" font-family=\"DM Sans\" font-size=\"9\" fill=\"#3e5070\" text-anchor=\"middle\">(20 days)<\/text>\n        <text x=\"420\" y=\"165\" font-family=\"Syne\" font-size=\"14\" font-weight=\"600\" fill=\"#00d9a7\" text-anchor=\"middle\">$1.3M<\/text>\n\n        <!-- Savings annotation -->\n        <line x1=\"280\" y1=\"110\" x2=\"330\" y2=\"110\" stroke=\"#f5b731\" stroke-width=\"2\"\/>\n        <line x1=\"280\" y1=\"105\" x2=\"280\" y2=\"115\" stroke=\"#f5b731\" stroke-width=\"2\"\/>\n        <line x1=\"330\" y1=\"105\" x2=\"330\" y2=\"115\" stroke=\"#f5b731\" stroke-width=\"2\"\/>\n        <text x=\"305\" y=\"95\" font-family=\"DM Sans\" font-size=\"11\" 
fill=\"#f5b731\" font-weight=\"500\" text-anchor=\"middle\">$2.9M saved<\/text>\n        <text x=\"305\" y=\"130\" font-family=\"DM Sans\" font-size=\"10\" fill=\"#f5b731\" text-anchor=\"middle\">per breach<\/text>\n\n        <!-- Bottom note -->\n        <text x=\"400\" y=\"310\" font-family=\"DM Sans\" font-size=\"9\" fill=\"#3e5070\" text-anchor=\"middle\">Illustrative model. Average breach cost $4.45M (IBM\/Ponemon Cost of a Data Breach 2023); assumes cost scales roughly with dwell time and that hunting cuts dwell time by about 90%.<\/text>\n      <\/svg>\n    <\/div>\n    <div class=\"viz-caption\">Illustrative model: organisations with threat hunting programmes reduce breach detection time from 204 days to around 20 days and, because breach cost rises with dwell time, the cost of an incident is modelled as falling from about $4.2M to about $1.3M. On those assumptions the saving on a single contained breach pays for the entire hunting programme.<\/div>\n  <\/div>\n\n  <p>\n    <strong>The maths are compelling, with one caveat.<\/strong> An average breach costs $4.45 million (IBM\/Ponemon Cost of a Data Breach Report 2023), and breaches identified quickly cost materially less than those that run for months. If threat hunting cuts dwell time by 90% and cost is assumed to fall roughly in proportion, the cost of an incident drops to approximately $1.3 million, a saving of about $2.9 million on a single contained breach. The proportional assumption is a simplification rather than a finding from the report, but even at a fraction of that saving, a hunting programme costing \u00a3150,000\u2013\u00a3300,000 per year pays for itself on one incident.\n  <\/p>\n\n  <hr class=\"section-div\">\n\n  <!-- SECTION 6: THREAT HUNTING MATURITY MODEL -->\n  <h2><span class=\"h2-num\">Maturity levels<\/span> Where your organisation stands \u2014 and where it needs to go<\/h2>\n\n  <p>\n    Threat hunting capability progresses through levels of maturity. Most organisations are at Level 0 or 1. 
Board-level assurance requires at least Level 2. The dwell-time figures in the table are indicative ranges, not guarantees.\n  <\/p>\n\n  <table class=\"compare-table\">\n    <thead>\n      <tr>\n        <th>Maturity Level<\/th>\n        <th>Hunting Cadence<\/th>\n        <th>Tools &#038; Data<\/th>\n        <th>Team Size<\/th>\n        <th>Dwell Time Reduction<\/th>\n      <\/tr>\n    <\/thead>\n    <tbody>\n      <tr>\n        <td><strong>Level 0: Reactive Only<\/strong><\/td>\n        <td>None (alerts only)<\/td>\n        <td>SIEM alerts, basic EDR<\/td>\n        <td>1\u20132 analysts<\/td>\n        <td>None (204+ days)<\/td>\n      <\/tr>\n      <tr>\n        <td><strong>Level 1: Ad-Hoc Hunting<\/strong><\/td>\n        <td>Quarterly exercises<\/td>\n        <td>SIEM, EDR, threat intel feeds<\/td>\n        <td>2\u20133 analysts<\/td>\n        <td>Moderate (100\u2013150 days)<\/td>\n      <\/tr>\n      <tr>\n        <td><strong>Level 2: Structured Programme<\/strong><\/td>\n        <td>Monthly hunting cycles<\/td>\n        <td>Dedicated hunting platform, rich logs, threat intel integration<\/td>\n        <td>3\u20135 dedicated hunters<\/td>\n        <td>Significant (30\u201350 days)<\/td>\n      <\/tr>\n      <tr>\n        <td><strong>Level 3: AI-Augmented Continuous<\/strong><\/td>\n        <td>Continuous automated + weekly analyst review<\/td>\n        <td>AI-driven threat simulation, real-time log analysis, automated detection<\/td>\n        <td>2\u20133 analysts (AI handles bulk of work; analysts validate findings)<\/td>\n        <td>Dramatic (10\u201320 days)<\/td>\n      <\/tr>\n    <\/tbody>\n  <\/table>\n\n  <div class=\"ai-callout\">\n    <div class=\"ai-icon\">AI<\/div>\n    <div>\n      <div class=\"ai-title\">Xartrix Achieves Level 3 Maturity<\/div>\n      <div class=\"ai-body\">\n        Xartrix automates the hunting process using AI-driven threat simulation and continuous log analysis. 
Your security team transitions from waiting for quarterly reports to monitoring a live hunting dashboard that runs 24\/7. The platform identifies anomalies, correlates suspicious behaviour across systems, and surfaces the highest-confidence findings for analyst investigation. You get Level 3 maturity with the 2\u20133 analysts you already have rather than a dedicated team of expert hunters.\n      <\/div>\n    <\/div>\n  <\/div>\n\n  <hr class=\"section-div\">\n\n  <!-- SECTION 7: BUILDING A THREAT HUNTING PROGRAMME -->\n  <h2><span class=\"h2-num\">Implementation<\/span> Four phases to establish proactive threat hunting<\/h2>\n\n  <p>\n    Building a threat hunting capability does not require a massive investment upfront. Move through these phases:\n  <\/p>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Phase 1: Establish Baseline Visibility<\/div>\n    <div class=\"a\"><strong>You cannot hunt for threats if you cannot see your environment.<\/strong> Ensure comprehensive log collection: Windows event logs, DNS queries, network traffic, application logs, and endpoint telemetry. Forward those logs to central storage that a compromised endpoint or account cannot alter or delete, and retain them for longer than your expected dwell time: you cannot hunt a 200-day intrusion with 30 days of logs. Deploy endpoint detection and response (EDR) across critical systems. This is foundational.<\/div>\n  <\/div>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Phase 2: Develop Hunting Hypotheses from Threat Intelligence<\/div>\n    <div class=\"a\"><strong>Subscribe to threat intelligence feeds relevant to your industry.<\/strong> If you operate in financial services, monitor for threats targeting banks. Extract indicators of compromise (IoCs) and, more importantly, attack techniques: IoCs such as IP addresses and file hashes are cheap for an attacker to change, whereas techniques persist across campaigns and make more durable hypotheses. Develop hunting hypotheses: &#8220;Advanced persistent threat APT28 uses these tools and techniques. 
Are they present in our environment?&#8221;<\/div>\n  <\/div>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Phase 3: Build Repeatable Hunting Playbooks<\/div>\n    <div class=\"a\"><strong>Document your hunting processes.<\/strong> For each threat hypothesis, create a playbook that defines: (1) the attack technique, (2) where to look for evidence, (3) what normal vs suspicious looks like, and (4) escalation procedures. This turns ad-hoc hunting into a repeatable, scalable process. Close the loop as well: when a hunt finds something, turn the query that found it into an automated detection so the same technique is caught by alerting next time.<\/div>\n  <\/div>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Phase 4: Automate and Scale with AI<\/div>\n    <div class=\"a\"><strong>Once your playbooks are mature, automate them.<\/strong> Deploy automation tools that run your playbooks continuously against your logs. Use AI to detect anomalies and surface the highest-confidence findings for analyst review. Treat automated findings as leads rather than verdicts: an analyst confirms each one, and because anomaly models learn what is normal from your own history, a baseline captured from an already-compromised network will treat the intruder&#8217;s activity as normal. Your team moves from conducting manual hunts to managing an automated hunting engine.<\/div>\n  <\/div>\n\n  <hr class=\"section-div\">\n\n  <!-- SECTION 8: FOR THE BOARDROOM -->\n  <h2><span class=\"h2-num\">For the boardroom<\/span> Five critical questions about threat hunting<\/h2>\n\n  <p>\n    If you are a CEO, CFO, or board member evaluating your security posture, ask your security team these questions:\n  <\/p>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Question 1<\/div>\n    <div class=\"a\"><strong>What is our average dwell time, and how do we know?<\/strong> If the answer is &#8220;we don&#8217;t know&#8221; or &#8220;over 100 days,&#8221; you are operating with significant risk. The industry average is 204 days. You should be below 30 days. Bear in mind that dwell time can only be measured for intrusions you eventually found; to test how quickly you would catch what you are currently missing, run adversary-emulation or breach-simulation exercises and measure time-to-detect.<\/div>\n  <\/div>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Question 2<\/div>\n    <div class=\"a\"><strong>Are we hunting for threats proactively, or waiting for alerts?<\/strong> If your security strategy is purely reactive (alerts only), you are betting that attackers are not patient or sophisticated. 
Threat actors in your sector are both. You need active hunting.<\/div>\n  <\/div>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Question 3<\/div>\n    <div class=\"a\"><strong>How much of our SOC&#8217;s time is spent triaging low-value alerts versus conducting actual hunts?<\/strong> If the answer is &#8220;90% investigating false positives and 10% on real hunting,&#8221; the problem is usually the detection rules rather than the people. Consolidate and tune your alerting, and invest the recovered analyst time in hunting.<\/div>\n  <\/div>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Question 4<\/div>\n    <div class=\"a\"><strong>Could an attacker hide in our network for 204 days without being detected?<\/strong> Honest answer: yes, probably. That is a board-level risk. Threat hunting is the control that reduces that risk to weeks or days.<\/div>\n  <\/div>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Question 5<\/div>\n    <div class=\"a\"><strong>Are we hunting for threats that our tools cannot detect?<\/strong> If your hunting relies solely on the alerts your SIEM and EDR raise, you are only finding attack patterns that someone has already written a rule for. True threat hunting uses the raw telemetry those tools collect for hypothesis-driven searches, anomaly detection, and intelligence-driven investigations that go beyond their built-in detections.<\/div>\n  <\/div>\n\n  <hr class=\"section-div\">\n\n  <!-- SECTION 9: GETTING STARTED -->\n  <h2><span class=\"h2-num\">Next steps<\/span> Three ways to launch threat hunting immediately<\/h2>\n\n  <p>\n    You do not need to hire a full hunting team or wait for the perfect platform. Start now:\n  <\/p>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Option 1: Managed Threat Hunting Service<\/div>\n    <div class=\"a\"><strong>Engage an external threat hunting provider.<\/strong> They bring expertise, tools, and bandwidth. A typical engagement costs \u00a315,000\u2013\u00a330,000 per month but delivers immediate capability. 
Best for organisations with limited in-house security expertise. Note that a provider can only hunt in the telemetry you give them, so the visibility work in Phase 1 is a prerequisite whichever option you choose.<\/div>\n  <\/div>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Option 2: Build Internal Capability<\/div>\n    <div class=\"a\"><strong>Hire or train a threat hunter and implement a hunting platform.<\/strong> Total cost: \u00a380,000\u2013\u00a3200,000 per year (salary + tools). This builds internal expertise and scales as your organisation grows. Best for mature security teams.<\/div>\n  <\/div>\n\n  <div class=\"answer-block\">\n    <div class=\"q\">Option 3: AI-Augmented Hunting Platform<\/div>\n    <div class=\"a\"><strong>Deploy a continuous threat hunting platform powered by AI.<\/strong> Xartrix and similar platforms automate the bulk of hunting work, making it accessible to smaller teams. Your 2\u20133 analysts oversee AI-driven hunts instead of conducting them manually. Cost: \u00a330,000\u2013\u00a380,000 annually, depending on scale.<\/div>\n  <\/div>\n\n  <div class=\"callout\">\n    <strong>Action item:<\/strong> Schedule a threat hunting assessment within the next 30 days. Whether you conduct it internally or engage an external provider, a baseline assessment reveals what your tools are missing, including how much of the telemetry in Phase 1 you actually collect and retain. The findings will inform your investment decisions.\n  <\/div>\n\n<\/main>\n\n\n<!-- CTA SECTION -->\n<div class=\"cta-section page-wrap\">\n  <h2>Stop waiting to be breached. Start hunting threats proactively.<\/h2>\n  <p>\n    Xartrix provides continuous threat hunting powered by AI-driven anomaly detection and hypothesis-driven investigation. Reduce dwell time from months to weeks. Find threats before attackers can cause damage. 
Move from reactive to proactive security.\n  <\/p>\n  <a class=\"btn-primary\" href=\"https:\/\/xartrix.com\/en\/contact\/\">Schedule a Demo<\/a>\n  <a class=\"btn-ghost\" href=\"https:\/\/xartrix.com\/en\/pricing\/\">View Pricing<\/a>\n<\/div>\n\n\n<!-- RELATED POSTS -->\n<div class=\"related-posts\">\n  <h3>Continue reading<\/h3>\n  <div class=\"related-grid\">\n    <a class=\"related-card\" href=\"https:\/\/xartrix.com\/en\/blogs\/testing-frequency\/\">\n      <div class=\"rc-label\">Previous &middot; Testing Frequency<\/div>\n      <div class=\"rc-title\">How often should you test your defences? \u2014 the case for continuous security testing<\/div>\n    <\/a>\n    <a class=\"related-card\" href=\"https:\/\/xartrix.com\/en\/blogs\/penetration-testing\/\">\n      <div class=\"rc-label\">Earlier &middot; Penetration Testing<\/div>\n      <div class=\"rc-title\">Penetration testing \u2014 what it is, what it finds, and why your business cannot skip it<\/div>\n    <\/a>\n  <\/div>\n<\/div>\n\n\n<!-- FOOTER -->\n<footer>\n  <p>&copy; 2026 Xartrix Security &middot; <a href=\"https:\/\/xartrix.com\">xartrix.com<\/a> &middot; <a href=\"https:\/\/xartrix.com\/en\/contact\/\">Contact<\/a><\/p>\n<\/footer>\n\n<\/body>\n<\/html>\n<\\!-- \/wp:html -->\n","protected":false},"excerpt":{"rendered":"<p>Threat Hunting \u2014 The threats already inside and hiding | Xartrix Xartrix Services About Pricing Contact Start Free Trial Post 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":54,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"class_list":["post-105","page","type-page","status-publish","hentry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Threat Hunting \u2014 The Threats Already Inside and Hiding - Xartrix<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xartrix.com\/en\/blogs\/threat-hunting\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Threat Hunting \u2014 The Threats Already Inside and Hiding - Xartrix\" \/>\n<meta property=\"og:description\" content=\"Threat Hunting 
\u00e2\u0080\u0094 The threats already inside and hiding | Xartrix Xartrix Services About Pricing Contact Start Free Trial Post [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xartrix.com\/en\/blogs\/threat-hunting\/\" \/>\n<meta property=\"og:site_name\" content=\"Xartrix\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-24T22:48:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xartrix.com\/wp-content\/uploads\/2026\/03\/xartrix-og-image-1200x630-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xartrix.com\/blogs\/threat-hunting\/\",\"url\":\"https:\/\/xartrix.com\/blogs\/threat-hunting\/\",\"name\":\"Threat Hunting \u2014 The Threats Already Inside and Hiding - Xartrix\",\"isPartOf\":{\"@id\":\"https:\/\/xartrix.com\/#website\"},\"datePublished\":\"2026-03-24T19:29:07+00:00\",\"dateModified\":\"2026-03-24T22:48:12+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xartrix.com\/blogs\/threat-hunting\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xartrix.com\/blogs\/threat-hunting\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xartrix.com\/blogs\/threat-hunting\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xartrix.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Insights for Business 
Leaders\",\"item\":\"https:\/\/xartrix.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Threat Hunting \u2014 The Threats Already Inside and Hiding\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xartrix.com\/#website\",\"url\":\"https:\/\/xartrix.com\/\",\"name\":\"Xartrix\",\"description\":\"AI-Driven Managed SOC Services for Modern Businesses\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xartrix.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Threat Hunting \u2014 The Threats Already Inside and Hiding - Xartrix","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xartrix.com\/en\/blogs\/threat-hunting\/","og_locale":"en_US","og_type":"article","og_title":"Threat Hunting \u2014 The Threats Already Inside and Hiding - Xartrix","og_description":"Threat Hunting \u00e2\u0080\u0094 The threats already inside and hiding | Xartrix Xartrix Services About Pricing Contact Start Free Trial Post [&hellip;]","og_url":"https:\/\/xartrix.com\/en\/blogs\/threat-hunting\/","og_site_name":"Xartrix","article_modified_time":"2026-03-24T22:48:12+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/xartrix.com\/wp-content\/uploads\/2026\/03\/xartrix-og-image-1200x630-1.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/xartrix.com\/blogs\/threat-hunting\/","url":"https:\/\/xartrix.com\/blogs\/threat-hunting\/","name":"Threat Hunting \u2014 The Threats Already Inside and Hiding - Xartrix","isPartOf":{"@id":"https:\/\/xartrix.com\/#website"},"datePublished":"2026-03-24T19:29:07+00:00","dateModified":"2026-03-24T22:48:12+00:00","breadcrumb":{"@id":"https:\/\/xartrix.com\/blogs\/threat-hunting\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xartrix.com\/blogs\/threat-hunting\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xartrix.com\/blogs\/threat-hunting\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xartrix.com\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity Insights for Business Leaders","item":"https:\/\/xartrix.com\/blogs\/"},{"@type":"ListItem","position":3,"name":"Threat Hunting \u2014 The Threats Already Inside and Hiding"}]},{"@type":"WebSite","@id":"https:\/\/xartrix.com\/#website","url":"https:\/\/xartrix.com\/","name":"Xartrix","description":"AI-Driven Managed SOC Services for Modern 
Businesses","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xartrix.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"brizy_media":[],"_links":{"self":[{"href":"https:\/\/xartrix.com\/en\/wp-json\/wp\/v2\/pages\/105","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xartrix.com\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/xartrix.com\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/xartrix.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xartrix.com\/en\/wp-json\/wp\/v2\/comments?post=105"}],"version-history":[{"count":3,"href":"https:\/\/xartrix.com\/en\/wp-json\/wp\/v2\/pages\/105\/revisions"}],"predecessor-version":[{"id":152,"href":"https:\/\/xartrix.com\/en\/wp-json\/wp\/v2\/pages\/105\/revisions\/152"}],"up":[{"embeddable":true,"href":"https:\/\/xartrix.com\/en\/wp-json\/wp\/v2\/pages\/54"}],"wp:attachment":[{"href":"https:\/\/xartrix.com\/en\/wp-json\/wp\/v2\/media?parent=105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}