Module 0: The Detection Gap — Why Mature SOCs Still Need Hunting
Your analytics rules are running. Your detection engineering team ships new rules every sprint. Defender XDR generates incidents automatically. Sentinel fires scheduled alerts around the clock. The dashboard is green. The SOC is staffed. The detections are deployed.
And somewhere in your environment, an attacker has been present for eleven days.
That is the detection gap — the space between what your rules are designed to catch and what is actually happening in your environment. Every organization has one. The size of the gap determines how long an attacker operates undetected, how much data they exfiltrate before you notice, and whether you discover the compromise through your own capability or through a notification from law enforcement, a customer, or the attacker themselves.
This module quantifies the gap, explains why detection engineering alone cannot close it, and builds the operational case for proactive threat hunting as the discipline that addresses what rules structurally cannot.
What this module covers
This module is not an introduction to threat hunting. You already know what hunting is. This module gives you the evidence, the framework, and the organizational language to justify dedicated hunting hours, to explain to leadership why a SOC with mature detection engineering still needs proactive hunting, and to position hunting as a capability that makes your entire security operation permanently better.
By the end of this module you will be able to:
- Quantify your organization’s detection coverage gap against the MITRE ATT&CK techniques relevant to your M365 environment
- Articulate the dwell time problem with industry data specific to your sector
- Explain the structural limitations of detection engineering that hunting addresses
- Map where hunting sits relative to incident response and detection engineering in a mature security operation
- Present the ROI argument for hunting in business terms: detection gap closure, mean-time-to-detect improvement, and incidents discovered through proactive operations
- Assess your organization’s readiness for a hunting program and identify prerequisites that must be in place first
- Adapt the hunt program business case template for your own leadership audience
Who this module is for
This module is written for the SOC analyst, detection engineer, or security lead who operates in a Microsoft 365 environment and wants to move beyond reactive operations. You should be comfortable with Defender XDR, Sentinel, and KQL before proceeding — this course does not teach those foundations.
If you need to build KQL proficiency, start with Mastering KQL on this platform. If you need to understand the M365 security ecosystem, start with M365 Security Operations.
Course structure
Practical Threat Hunting in Microsoft 365 is organized in three phases:
Phase 1 — Hunt Methodology and Advanced Toolcraft (TH0–TH3): The strategic and technical foundation. Why hunting matters organizationally, the structured methodology every subsequent module follows, and advanced KQL patterns that experienced analysts rarely employ. You are here.
Phase 2 — Hunt Campaigns (TH4–TH13): Ten self-contained campaigns, each targeting a specific threat domain in M365. Each module follows the Hunt Cycle methodology from TH1. Every exercise runs against your own environment. Your findings are real.
Phase 3 — Hunt Operations (TH14–TH16): Building and sustaining a hunt program. Cadence, prioritization, documentation, leadership reporting, automation, and continuous hunting. The content that transforms individual hunting skill into organizational capability.
Prerequisites
- Working KQL proficiency (you can write `summarize`, `join`, `let`, `extend`, and `make-series` without reference documentation)
- Familiarity with Defender XDR Advanced Hunting and Sentinel
- Access to an M365 environment (production or developer tenant)
- SOC analyst experience or equivalent operational background
This is an intermediate-to-advanced course. If the prerequisites above describe your current capability, you are in the right place.