Sign In
In this section

TH0.7 The ROI of Hunting

3-4 hours · Module 0 · Free
Operational Objective
Hunting requires analyst hours. Analyst hours cost money. Leadership will ask "what is the return?" — and "we might find bad things" is not a budget justification. This subsection builds the ROI argument in terms leadership understands: the hunt-to-detection pipeline as a self-funding mechanism, measurable metrics that demonstrate value, and the cost comparison between finding a compromise through hunting versus discovering it through external notification.
Deliverable: A quantified ROI framework for hunting that connects proactive hunt hours to detection gap closure, dwell time compression, and incident cost avoidance — with a business case template adapted for your organization.
⏱ Estimated completion: 25 minutes

The question you will be asked

You present the detection gap. Leadership understands. You present the dwell time data. Leadership is concerned. You propose dedicated hunting hours. Leadership asks: "How do we measure whether it is working?"

This is the right question. An operational activity without measurable outcomes is an expense. An operational activity with measurable outcomes is an investment. Hunting must be the latter.

The hunt-to-detection pipeline: the self-funding mechanism

// Hunt discovery rate — what percentage of incidents came from hunting?
SecurityIncident
| where TimeGenerated > ago(180d)
| where Status == "Closed"
| extend DiscoverySource = iff(
    Title has "HUNT-" or tostring(Labels) has "hunt-discovered",
    "Proactive Hunting",
    "Automated Detection")
// Tag hunt-discovered incidents with "HUNT-" prefix or "hunt-discovered" label
// This requires consistent naming when escalating hunt findings to IR
| summarize IncidentCount = count() by DiscoverySource
| extend Percentage = round(100.0 * IncidentCount / toscalar(
    SecurityIncident
    | where TimeGenerated > ago(180d)
    | where Status == "Closed"
    | count), 1)
// Even 5% hunt discovery rate means 5% of incidents would have
// gone undetected without hunting — including potentially the
// highest-impact intrusions with the longest dwell times
Expand for Deeper Context

Every validated hunt produces at least one detection rule. This is not optional — it is the Convert step in the Hunt Cycle (TH1). The detection rule automates the detection going forward: what you hunted for manually this month, a rule detects automatically every hour from now on.

This means hunting has a compounding return. Each hunt campaign:

1. Searches for a specific threat in historical data (immediate value — find compromise or confirm absence) 2. Produces a tested, tuned detection rule (permanent value — the technique is now automatically detected) 3. Reduces the known-unknown layer by one technique (structural value — the detection gap shrinks)

After 12 months of monthly hunting campaigns, the organization has: - 12 completed hunt campaigns with documented findings - 12+ new detection rules deployed, each covering a technique that previously had no automated detection - A measurable reduction in the detection coverage gap (from TH0.1's ratio) - Evidence of any compromises discovered through hunting (which would not have been found otherwise)

The detection rules do not expire. They continue to fire indefinitely. Year 2 of hunting does not re-hunt the same techniques — it hunts the next 12 techniques on the backlog while the first 12 are now automated. The coverage gap closes progressively.

Metrics that demonstrate value

Four metrics matter. Each is directly measurable from your Sentinel workspace.

1. Detection coverage gap closure rate. Baseline your detection coverage ratio (TH0.1) before the hunting program starts. Re-measure quarterly. The ratio should increase as hunts produce new detection rules. If you start at 25% and add 12 rules covering 12 new techniques in a year, and your relevant technique set is 100, your coverage moves from 25% to 37%. That is a 48% improvement in detection coverage directly attributable to hunting.

2. Hunt discovery rate. Of all incidents in the measurement period, what percentage were discovered through proactive hunting rather than automated alerting?

3. Dwell time compression. Compare the median dwell time for incidents discovered through hunting versus incidents discovered through automated detection. If hunting discovers compromises at a median of 3 days while rules discover at a median of 12 days, hunting is compressing dwell time by 9 days per incident. Each compressed day represents avoided attacker activity — data not exfiltrated, persistence not established, lateral movement not completed.

4. Mean time to detect (MTTD) trend. Track MTTD over time. As hunting produces new detection rules, techniques that previously required hunting to discover become automatically detected. MTTD for those techniques drops from "whenever the next hunt runs" to "within the rule's query frequency (typically 5–60 minutes)." MTTD should trend downward as the detection layer expands through hunting outputs.

The cost comparison leadership understands

The most effective ROI argument is not the metrics. It is the cost comparison.

Cost of finding a compromise through hunting: A hunt campaign takes one analyst 4–8 hours. At a fully loaded analyst cost of $60–$80/hour (mid-market), that is $240–$640 per campaign. If the hunt discovers a compromise, the incident response begins at day 3 (when the hunt found it) instead of day 30 (when a rule might eventually have caught it) or day 90 (when external notification might have arrived). The remediation at day 3 is contained — password resets, session revocation, persistence removal. A few hours of focused work.

Cost of finding a compromise through external notification: The average cost of a data breach in 2023 (IBM Cost of a Data Breach Report) was $4.45 million globally, $9.48 million in the United States. Breaches discovered by the organization's own security team cost significantly less than breaches reported by third parties or discovered by the attacker themselves (through a ransom note). The difference — the cost avoided by internal detection versus external notification — is measured in millions.

The arithmetic: 12 hunt campaigns per year at $640 each = $7,680 in analyst time. One compromise discovered through hunting instead of external notification avoids remediation costs, regulatory penalties, legal fees, and reputational damage that dwarf the hunting investment by orders of magnitude. Hunting does not need to find a compromise every month to be worth the investment. It needs to find one compromise per year that would otherwise have gone undetected — and the probability of that increases with every campaign.

What hunting does not cost

A common objection: "We cannot afford to take analysts off the alert queue for hunting." The implicit assumption is that hunting hours come at the expense of alert triage.

This framing is wrong.

Hunting produces detection rules. Detection rules that are well-tuned (because they were built from validated hunt data, not theoretical analysis) produce fewer false positives than rules built without environmental context. Fewer false positives mean fewer wasted analyst hours on the alert queue. The hours "spent" on hunting return as hours saved on alert triage — plus the detection rule itself, which provides permanent coverage.

The calculation: one 8-hour hunt campaign that produces one detection rule. That rule fires 3 times per month with a 90% true positive rate (achievable because it was built from real data). Three high-quality alerts per month replace the zero alerts that existed before (the technique had no rule). The false positives the rule does generate (0.3 per month at 90% precision) are minimal. The analyst time consumed by the new rule is negligible.

Now compare: 8 hours of hunting produced permanent automated coverage of a technique that was previously invisible. The alternative — not hunting, not building the rule — means the technique remains undetected indefinitely. The 8 hours are not a cost. They are an investment that compounds.

HUNT-TO-DETECTION PIPELINE — THE COMPOUNDING RETURN HUNT CAMPAIGN 4-8 analyst hours $240-640 cost FINDINGS DETECTION RULE PERMANENT COVERAGE Automated, 24/7, ongoing $0 marginal cost per detection GAP CLOSES Coverage ratio ↑ Dwell time ↓ COMPOUNDING: 12 campaigns/year → 12+ new rules → permanent gap closure Year 2 hunts different techniques because Year 1 techniques are now automated 12 hunts/year = ~$7,680 analyst time 1 breach discovered internally vs externally = $millions in avoided cost

Figure TH0.7 — The hunt-to-detection pipeline. Each hunt costs hours. Each rule it produces provides permanent coverage at zero marginal cost. The return compounds annually.

The negative finding has value

Not every hunt finds a compromise. Most will not. This is frequently cited as evidence that hunting is not productive: "We hunted for six months and found nothing."

The finding "nothing" is not "nothing." It is documentation that a specific threat technique was searched for across a specific data set over a specific time window and no evidence of compromise was found. That documentation:

Reduces organizational uncertainty. Before the hunt, you did not know whether OAuth consent abuse had occurred in the last 90 days. After the hunt, you know it has not (or at least, you know it has not left evidence in the available telemetry). That reduction in uncertainty has compliance value — it demonstrates proactive security measures — and operational value — it allows you to focus hunting resources on other techniques.

Establishes baselines. A hunt that finds no compromise still produces data about what normal looks like. The authentication pattern hunt that reveals no anomalies also reveals the baseline: normal sign-in volume per user, normal geographic distribution, normal device diversity. That baseline becomes the reference point for future hunts and for anomaly detection.

Validates detection rules. A hunt that examines a technique already covered by a detection rule and finds no evidence that the rule missed validates the rule's effectiveness. The rule is working as intended. That validation is a finding — it confirms that your detection engineering for that technique is sound.

Satisfies audit requirements. Regulatory frameworks and security maturity models increasingly expect evidence of proactive threat monitoring. A hunt log that documents hypotheses tested, data examined, and conclusions reached — even when the conclusion is "no evidence found" — satisfies the requirement in a way that an empty incident queue does not.

Try it yourself

Exercise: Build your hunting ROI model

Estimate the following for your organization:

Hunt cost: Fully loaded hourly cost of an analyst × 6 hours average per hunt campaign × 12 campaigns per year = annual hunting cost: $___

Detection rule value: If each hunt produces 1 detection rule, and each rule provides automated coverage of 1 technique previously unmonitored, then 12 hunts produce 12 techniques of new automated coverage per year. Against a relevant technique set of 100, that is a 12 percentage point improvement in detection coverage annually.

Incident avoidance: If your organization's average incident cost (from your insurance carrier, your CFO, or the IBM Cost of a Data Breach Report for your industry) is $______, then one incident discovered through hunting instead of external notification avoids the cost differential between internal and external discovery. IBM reports that internally detected breaches cost an average of $1 million less than externally notified breaches.

The payback equation: Annual hunting cost ÷ incident cost differential = the fraction of one incident your hunting program needs to prevent or detect early to pay for itself.

For most organizations, the payback is a fraction of a single incident. The hunting program pays for itself the first time it compresses dwell time on one intrusion.

⚠ Compliance Myth: "If threat hunting does not find anything, it was a waste of time"

The myth: Hunting is only productive when it discovers a compromise. If the hunt finds no threats, the hours were wasted.

The reality: A hunt that finds no compromise produces: a negative finding that reduces uncertainty, baseline data for future comparison, detection rule validation, audit documentation, and environmental understanding that improves detection engineering. Every compliance framework that evaluates security maturity — ISO 27001, NIST CSF, SOC 2 — gives credit for proactive monitoring activities regardless of whether they find threats. The absence of findings is a positive indicator, not a failure. It becomes a failure only if you stop hunting because "nothing was found" — because the threats in the known-unknown layer are still there, and the next hunt may find them.

Extend this model

If your organization has a cyber insurance policy, the hunting ROI model has an additional dimension. Many cyber insurance carriers offer premium reductions or improved coverage terms for organizations that demonstrate proactive threat monitoring. A documented hunting program — with a defined cadence, hunt logs, and metrics — may qualify for better terms. Check with your broker. The premium reduction alone may offset the hunting program's analyst cost, making the detection improvement and incident avoidance value pure upside.

📋 Operational Artifact — Hunting ROI Calculator

Annual Hunting Program Cost

Analyst hourly rate (fully loaded): $_____ × 6 hours per campaign × 12 campaigns/year = $_____ /year

Annual Hunting Program Output

Detection rules produced: ~12+ new rules covering 12+ previously unmonitored techniques

Detection coverage improvement: +_____ percentage points (from baseline ratio)

Hunts documented: 12 with full hypothesis, data, findings, and conclusions

Incident Cost Avoidance (per incident discovered through hunting)

Average breach cost (your industry, IBM/Ponemon data): $_____

Internal vs external discovery cost differential: ~$1M (IBM benchmark)

Incidents needed to justify program: Annual cost ÷ cost differential = _____ (typically <1)

Bottom line for leadership: The hunting program costs [annual cost]. It produces permanent detection improvements worth [12 rules × technique value]. It pays for itself the first time it discovers or compresses dwell time on one intrusion that rules would have missed. Every subsequent discovery is pure return.

References Used in This Subsection

  • IBM Security. "Cost of a Data Breach Report 2023." https://www.ibm.com/reports/data-breach — verify URL for 2023 edition
  • Ponemon Institute / IBM. Internal vs external breach discovery cost differential data.
  • ISO/IEC 27001:2022 — Annex A Control A.12.6 (Technical Vulnerability Management), A.5.25 (Assessment and Decision on Information Security Events)
  • NIST Cybersecurity Framework 2.0 — DE.CM (Security Continuous Monitoring), DE.AE (Anomalies and Events)
Decision point

You have time for one hunt this quarter. Do you hunt for the threat in the latest advisory or for the gap in your ATT&CK coverage matrix?

Hunt the coverage gap. Advisories describe threats that are CURRENT but may not target NE. Coverage gaps describe techniques that COULD target NE and would succeed undetected. The coverage gap hunt produces a detection rule (closing the gap permanently). The advisory-driven hunt produces a point-in-time assessment (confirming the specific threat is not present today). Both are valuable — but the coverage gap hunt has a longer-lasting impact because it produces a permanent detection improvement.

A hunt query returns 200 results. You have 4 hours remaining in the hunt window. You can investigate 20 results thoroughly or review all 200 superficially. Which approach produces better hunt outcomes?
Review all 200 — you might miss a critical finding in the 180 you skip.
Investigate 20 thoroughly. A superficial review of 200 results produces 200 'looked at it, seemed okay' assessments that provide no investigative value and no documentation for future reference. A thorough investigation of 20 results produces: confirmed findings (true positives requiring remediation), confirmed benign patterns (documented baselines for future comparison), and inconclusive results (flagged for monitoring). Prioritise the 20 by: highest anomaly score, highest-value assets involved, and highest-risk users involved. Document why the remaining 180 were not investigated and recommend a follow-up hunt with refined query criteria to reduce the result set.
Investigate 20 — but only if they are from the most recent 24 hours.
Neither — refine the query first to reduce the result set below 50.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You understand the detection gap and the hunt cycle.

TH0 showed you what detection rules fundamentally cannot catch. TH1 gave you the hypothesis-driven methodology that closes that gap. Now you run the hunts.

  • 10 complete hunt campaigns — from hypothesis through KQL execution through finding disposition, each campaign based on a real TTP
  • 70 production hunt queries — every one mapped to MITRE ATT&CK and tested against realistic telemetry
  • Advanced KQL for hunting — UEBA composite risk scoring, retroactive IOC sweeps, and hunt management metrics
  • Hypothesis-Driven Hunt Toolkit lab pack — 30 days of realistic M365 and endpoint telemetry with multiple attack patterns seeded in
  • TH16 — Scaling hunts across a team — the operating model for a production hunt program
Unlock the full course with Premium See Full Syllabus
← Previous Next →