TH0.12 Hunting Maturity Models

3-4 hours · Module 0 · Free
Operational Objective
Organizations need to know where they are before they can plan where to go. The SANS Hunting Maturity Model (HMM) provides a five-level framework for assessing hunting capability — from organizations that do no hunting at all to organizations with fully automated, intelligence-driven continuous hunting. This subsection teaches you to assess your organization's current maturity level honestly and identify the specific actions that move you to the next level.
Deliverable: Your organization's current HMM level and a concrete list of actions required to advance one level.
⏱ Estimated completion: 20 minutes

Where you are determines what you do next

The Hunting Maturity Model, originally defined by David Bianco at Sqrrl (now Amazon) and widely adopted by the SANS community, defines five levels. Most organizations are at HMM0 or HMM1. That is not a criticism — it is the statistical reality. Knowing your level prevents you from attempting Level 3 activities when Level 1 prerequisites are missing.

HMM0 — Initial: no routine data collection or analysis

The organization relies entirely on automated alerting. When an alert fires, someone investigates. When no alert fires, no one looks. There is no proactive component. No analyst time is dedicated to examining data that has not already triggered a rule.

Most organizations that have deployed Defender XDR and Sentinel but have not formalized proactive operations are at HMM0. The tooling exists. The intent to detect threats exists. The proactive capability does not.

What moves you to HMM1: Ingest the minimum data sources from TH0.10 into a centralized platform (Sentinel or Defender XDR Advanced Hunting). Ensure an analyst can query the data interactively — not just through automated rules.

HMM1 — Minimal: data is searchable, hunting is ad hoc

The data is in Sentinel. An analyst can open Advanced Hunting and run queries. But hunting happens reactively — someone reads a threat report and runs a one-off query, or an incident investigation prompts a wider search. There is no scheduled cadence, no hypothesis backlog, no documentation standard, and no detection rule output from hunts.

This is where many organizations live after deploying a SIEM. The capability to hunt exists. The discipline to hunt does not.

What moves you to HMM2: Establish a structured hunting process. This means: a documented hypothesis generation method (TH1.1), a defined scope standard (TH1.2), an iterative query methodology (TH1.3), a hunt documentation template (TH1.7), and protected analyst time (TH0.8 prerequisite 5). This course provides all of these. Completing TH0 through TH3 and executing your first campaign moves you from HMM1 to HMM2.

HMM2 — Procedural: structured, repeatable hunting process

Hunting follows a documented methodology. Hypotheses are generated from defined sources. Hunts are scoped, executed, analyzed, documented, and — critically — produce detection rules. There is a hunt backlog. There is a cadence (even if modest). Hunt records exist and can be reviewed.

HMM2 is the target for this course. An organization that completes the Hunt Cycle methodology (TH1) and executes campaign modules (TH4–TH13) with documented outputs is operating at HMM2.

What moves you to HMM3: Integrate threat intelligence systematically into hypothesis generation. Automate frequently-run hunts as scheduled queries. Build UEBA baselines that generate hypotheses automatically. Track program metrics (TH0.7) and report to leadership. TH14 and TH16 cover the operational and automation content for this transition.

HMM3 — Innovative: TI-driven hunting with automation

Threat intelligence drives hypothesis generation systematically — not ad hoc reading of blogs, but structured TI consumption that produces backlog items within 48 hours of relevant reports. Frequently-executed hunts are automated as scheduled queries (not full analytics rules — they require analyst review but run without manual initiation). Behavioral baselines are deployed and anomalies feed the hunting pipeline. Program metrics are tracked and reported.

Few organizations reach HMM3 without dedicated hunting resources or a mature security operations function.

What moves you to HMM4: Full automation of the hunting pipeline. New hypotheses are generated from TI feeds automatically. Hunt queries are deployed as continuous monitoring. The hunt-to-detection pipeline operates without manual intervention for well-understood technique categories. Human analysts focus on novel hypotheses and edge cases that automation cannot address.

HMM4 — Leading: continuous, automated hunting

The organization has automated the routine hunting activities and focuses human effort on novel, creative hypothesis generation and investigation of the most complex threats. This level is rare — it requires mature automation, rich data, and a team that has been hunting long enough to have automated the repeatable patterns.

Most organizations should not target HMM4 immediately. It is the long-term outcome of a program that starts at HMM1–HMM2 and matures over years.

// Quick maturity indicator: do you have evidence of proactive hunting?
// Hunt-derived detection rules are the clearest indicator
SecurityAlert
| where TimeGenerated > ago(365d)
| where ProviderName == "ASI Scheduled Alerts"
| where AlertName startswith "HUNT-"
| summarize
    HuntDerivedRules = dcount(AlertName),
    EarliestRule = min(TimeGenerated),
    LatestRule = max(TimeGenerated)
// HuntDerivedRules = 0 → HMM0 or HMM1 (no hunt-to-detection output)
// HuntDerivedRules = 1-5 → HMM1-HMM2 (some structured hunting)
// HuntDerivedRules = 6+ and spread over months → HMM2+ (sustained program)
// This is a proxy; the actual maturity assessment uses all criteria above
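The comment above says "spread over months" but the query does not measure it. The following KQL is an added example, not part of the course text, that extends the proxy by counting the distinct months in which hunt-derived rules fired and mapping the result to an indicative level; it assumes the same "HUNT-" naming convention for hunt-derived analytics rules.

```kql
// Added example: proxy maturity indicator with month spread.
// Assumes hunt-derived analytics rules are named with a "HUNT-" prefix
// and surface in SecurityAlert with ProviderName "ASI Scheduled Alerts".
let lookback = 365d;
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProviderName == "ASI Scheduled Alerts"
| where AlertName startswith "HUNT-"
| summarize
    HuntDerivedRules = dcount(AlertName),
    // distinct calendar months with at least one hunt-derived alert
    ActiveMonths = dcount(startofmonth(TimeGenerated)),
    EarliestRule = min(TimeGenerated),
    LatestRule = max(TimeGenerated)
// Map the counts to the thresholds used in the comments above.
// case() evaluates top to bottom; the last argument is the default.
| extend IndicativeLevel = case(
    HuntDerivedRules == 0, "HMM0-HMM1: no hunt-to-detection output",
    HuntDerivedRules <= 5, "HMM1-HMM2: some structured hunting",
    ActiveMonths >= 3,     "HMM2+: sustained program",
    "HMM2 (emerging): 6+ rules but not yet spread over months")
| project HuntDerivedRules, ActiveMonths, EarliestRule, LatestRule, IndicativeLevel
```

A summarize with no grouping key returns one row even when nothing matches (HuntDerivedRules = 0), so the query always yields a level; treat it as a prompt for the full assessment in the exercise below, not as the assessment itself.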
[Figure: Hunting Maturity Model, five levels. HMM0: Initial (no proactive hunting). HMM1: Minimal (ad hoc, reactive queries). HMM2: Procedural (structured + documented; this course's target). HMM3: Innovative (TI-driven + automation). HMM4: Leading (continuous + automated).]

Figure TH0.12 — Hunting Maturity Model. Most organizations are at HMM0–HMM1. This course targets HMM2 (structured, documented, producing detection rules). HMM3–HMM4 are covered in TH14–TH16.

Try it yourself

Exercise: Assess your organization's hunting maturity

Answer yes or no to each:

Is hunting data searchable by analysts interactively (not just through automated rules)? If no → HMM0.

Have analysts run hunt queries in the last 90 days? If yes but without a documented methodology, backlog, or cadence → HMM1.

Does hunting follow a documented methodology with hypothesis generation, scoping, collection, analysis, conclusion, and detection rule conversion? Are hunt records produced for every campaign? → HMM2.

Is threat intelligence systematically integrated into hypothesis generation? Are frequently-run hunts automated? Are program metrics tracked? → HMM3.

Is the hunting pipeline continuous and automated, with human effort focused on novel hypotheses? → HMM4.

Your current level determines which modules in this course to prioritize. HMM0→HMM1: focus on TH0.8 prerequisites and TH0.10 data sources. HMM1→HMM2: focus on TH1 (methodology) and TH3 (backlog). HMM2→HMM3: focus on TH14–TH16 (operations and automation).

⚠ Compliance Myth: "We need to reach HMM3 to demonstrate compliance with threat monitoring requirements"

The myth: Regulatory frameworks require advanced, TI-driven, automated hunting. HMM2 is not sufficient for compliance.

The reality: No mainstream regulatory framework specifies a hunting maturity level. What frameworks require is evidence of proactive threat monitoring — which HMM2 satisfies. A documented hunting methodology, a backlog of hypotheses, completed hunt records with findings, and detection rules produced from hunts constitute strong evidence for ISO 27001 (A.5.25), NIST CSF 2.0 (DE.CM, DE.AE), SOC 2 (CC7.2), and PCI DSS 4.0 (Requirement 11). HMM3 and HMM4 are operational maturity goals, not compliance requirements. Reach HMM2 first. Demonstrate value. Advance further when the program justifies it.

Extend this model

The HMM is one of several maturity models used in the hunting community. The MITRE Threat-Informed Defense model focuses on ATT&CK integration. The SOC-CMM (SOC Capability Maturity Model) includes hunting as one of several SOC capability domains. If your organization uses a formal maturity framework for SOC assessment, map the HMM levels to the corresponding capability areas in that framework. The mapping is usually straightforward because the underlying concepts — ad hoc → structured → automated → continuous — apply across models.


References Used in This Subsection

  • Bianco, David. “A Simple Hunting Maturity Model.” Sqrrl / SANS. — original HMM framework
  • SANS Institute. “Threat Hunting Maturity Model.” — verify URL for current version
  • Course cross-references: TH0.8 (prerequisites), TH0.10 (data sources), TH1 (methodology), TH14–TH16 (operations and automation)
