TH0.12 Hunting Maturity Models

3-4 hours · Module 0 · Free
Operational Objective
Organizations need to know where they are before they can plan where to go. The Hunting Maturity Model (HMM), developed at Sqrrl and popularized through SANS threat hunting material, provides a five-level framework for assessing hunting capability, from organizations that do no hunting at all to organizations with fully automated, intelligence-driven continuous hunting. This subsection teaches you to assess your organization's current maturity level honestly and identify the specific actions that move you to the next level.
Deliverable: Your organization's current HMM level and a concrete list of actions required to advance one level.
⏱ Estimated completion: 20 minutes

Where you are determines what you do next

The Hunting Maturity Model, originally defined by David Bianco at Sqrrl (now Amazon) and widely adopted by the SANS community, defines five levels. Most organizations are at HMM0 or HMM1. That is not a criticism — it is the statistical reality. Knowing your level prevents you from attempting Level 3 activities when Level 1 prerequisites are missing.

HMM0 — Initial: no routine data collection or analysis

The organization relies entirely on automated alerting. When an alert fires, someone investigates. When no alert fires, no one looks. There is no proactive component. No analyst time is dedicated to examining data that has not already triggered a rule.

// Quick maturity indicator: do you have evidence of proactive hunting?
// Hunt-derived detection rules are the clearest indicator.
// Assumes hunt-derived analytics rules carry the "HUNT-" name prefix used in
// this course; adjust the filter to your own naming convention.
// Caveat: SecurityAlert only records rules that have fired at least once, so a
// hunt-derived rule that exists but has never alerted is invisible to this query.
SecurityAlert
| where TimeGenerated > ago(365d)
| where ProviderName == "ASI Scheduled Alerts"   // Sentinel scheduled analytics rules
| where AlertName startswith "HUNT-"
| summarize
    HuntDerivedRules   = dcount(AlertName),
    EarliestRule       = min(TimeGenerated),
    LatestRule         = max(TimeGenerated),
    MonthsWithActivity = dcount(startofmonth(TimeGenerated))   // makes "spread over months" measurable
| extend SpanDays = datetime_diff('day', LatestRule, EarliestRule)
// HuntDerivedRules = 0 → HMM0 or HMM1 (no hunt-to-detection output)
// HuntDerivedRules = 1-5 → HMM1-HMM2 (some structured hunting)
// HuntDerivedRules = 6+ with MonthsWithActivity of 3 or more → HMM2+ (sustained program)
// This is a proxy: the full assessment uses the level descriptions and the exercise below

Most organizations that have deployed Defender XDR and Sentinel but have not formalized proactive operations are at HMM0. The tooling exists. The intent to detect threats exists. The proactive capability does not.

What moves you to HMM1: Ingest the minimum data sources from TH0.10 into a centralized platform (Sentinel or Defender XDR Advanced Hunting). Ensure an analyst can query the data interactively — not just through automated rules.

HMM1 — Minimal: data is searchable, hunting is ad hoc

The data is in Sentinel. An analyst can open Advanced Hunting and run queries. But hunting happens reactively — someone reads a threat report and runs a one-off query, or an incident investigation prompts a wider search. There is no scheduled cadence, no hypothesis backlog, no documentation standard, and no detection rule output from hunts.

This is where many organizations live after deploying a SIEM. The capability to hunt exists. The discipline to hunt does not.

What moves you to HMM2: Establish a structured hunting process. This means: a documented hypothesis generation method (TH1.1), a defined scope standard (TH1.2), an iterative query methodology (TH1.3), a hunt documentation template (TH1.7), and protected analyst time (TH0.8 prerequisite 5). This course provides all of these. Completing TH0 through TH3 and executing your first campaign moves you from HMM1 to HMM2.

HMM2 — Procedural: structured, repeatable hunting process

Hunting follows a documented methodology. Hypotheses are generated from defined sources. Hunts are scoped, executed, analyzed, documented, and — critically — produce detection rules. There is a hunt backlog. There is a cadence (even if modest). Hunt records exist and can be reviewed.

HMM2 is the target for this course. An organization that completes the Hunt Cycle methodology (TH1) and executes campaign modules (TH4 through TH13) with documented outputs is operating at HMM2.

What moves you to HMM3: Integrate threat intelligence systematically into hypothesis generation. Automate frequently-run hunts as scheduled queries. Build UEBA baselines that generate hypotheses automatically. Track program metrics (TH0.7) and report to leadership. TH14 and TH16 cover the operational and automation content for this transition.

HMM3 — Innovative: TI-driven hunting with automation

Threat intelligence drives hypothesis generation systematically — not ad hoc reading of blogs, but structured TI consumption that produces backlog items within 48 hours of relevant reports. Frequently-executed hunts are automated as scheduled queries (not full analytics rules — they require analyst review but run without manual initiation). Behavioral baselines are deployed and anomalies feed the hunting pipeline. Program metrics are tracked and reported.

Few organizations reach HMM3 without dedicated hunting resources or a mature security operations function.

What moves you to HMM4: Full automation of the hunting pipeline. New hypotheses are generated from TI feeds automatically. Hunt queries are deployed as continuous monitoring. The hunt-to-detection pipeline operates without manual intervention for well-understood technique categories. Human analysts focus on novel hypotheses and edge cases that automation cannot address.

HMM4 — Leading: continuous, automated hunting

The organization has automated the routine hunting activities and focuses human effort on novel, creative hypothesis generation and investigation of the most complex threats. This level is rare — it requires mature automation, rich data, and a team that has been hunting long enough to have automated the repeatable patterns.

Most organizations should not target HMM4 immediately. It is the long-term outcome of a program that starts at HMM1–HMM2 and matures over years.

Hunting Maturity Model, five levels:
  • HMM0: Initial. No proactive hunting
  • HMM1: Minimal. Ad hoc, reactive queries
  • HMM2: Procedural. Structured and documented (this course's target)
  • HMM3: Innovative. TI-driven with automation
  • HMM4: Leading. Continuous and automated

Figure TH0.12 — Hunting Maturity Model. Most organizations are at HMM0–HMM1. This course targets HMM2 (structured, documented, producing detection rules). HMM3–HMM4 are covered in TH14 through TH16.

Try it yourself

Exercise: Assess your organization's hunting maturity

Answer yes or no to each:

Is hunting data searchable by analysts interactively (not just through automated rules)? If no → HMM0.

Have analysts run hunt queries in the last 90 days? If yes but without a documented methodology, backlog, or cadence → HMM1.

Does hunting follow a documented methodology with hypothesis generation, scoping, collection, analysis, conclusion, and detection rule conversion? Are hunt records produced for every campaign? → HMM2.

Is threat intelligence systematically integrated into hypothesis generation? Are frequently-run hunts automated? Are program metrics tracked? → HMM3.

Is the hunting pipeline continuous and automated, with human effort focused on novel hypotheses? → HMM4.

Your current level determines which modules in this course to prioritize. HMM0→HMM1: focus on TH0.8 prerequisites and TH0.10 data sources. HMM1→HMM2: focus on TH1 (methodology) and TH3 (backlog). HMM2→HMM3: focus on TH14 through TH16 (operations and automation).

Applying the model honestly

The most common misuse of hunting maturity models is aspirational self-assessment. A team that runs scheduled KQL queries from a shared library is at HMM1 (minimal hunting) — not HMM3 (innovative), regardless of what the team believes. The test is simple: when was the last time a hunt produced a finding that no existing detection rule would have caught? If the answer is "never" or "months ago," the team is executing queries, not hunting. Genuine hunting requires a hypothesis that the current detection library does not cover, a data source that existing rules do not query, and an analytical approach that goes beyond threshold comparison. The maturity model measures capability, not aspiration.

The model also helps set realistic expectations with leadership. A team at HMM1 will not produce original threat intelligence findings. Promising HMM4 capabilities from an HMM1 team creates expectations that cannot be met, eroding leadership confidence in the program. Instead, present the current maturity level honestly and define the investment (training, tooling, time allocation) required to advance one level per quarter. Four quarters of measurable progress builds more leadership confidence than one quarter of overpromised results.

⚠ Compliance Myth: "We need to reach HMM3 to demonstrate compliance with threat monitoring requirements"

The myth: Regulatory frameworks require advanced, TI-driven, automated hunting. HMM2 is not sufficient for compliance.

The reality: No mainstream regulatory framework specifies a hunting maturity level. What frameworks require is evidence of proactive threat monitoring, which HMM2 satisfies. A documented hunting methodology, a backlog of hypotheses, completed hunt records with findings, and detection rules produced from hunts constitute strong evidence for ISO 27001:2022 (A.8.16 Monitoring activities, A.5.25 Assessment and decision on information security events), NIST CSF 2.0 (DE.CM, DE.AE), SOC 2 (CC7.2), and PCI DSS 4.0 (Requirement 11). HMM3 and HMM4 are operational maturity goals, not compliance requirements. Reach HMM2 first. Demonstrate value. Advance further when the program justifies it.

Extend this model

The HMM is one of several maturity models used in the hunting community. The MITRE Center for Threat-Informed Defense approach focuses on ATT&CK integration. The SOC-CMM (SOC Capability Maturity Model) includes hunting as one of several SOC capability domains. If your organization uses a formal maturity framework for SOC assessment, map the HMM levels to the corresponding capability areas in that framework. The mapping is usually straightforward because the underlying progression (ad hoc, then structured, then automated, then continuous) applies across models.


References Used in This Subsection


  • Bianco, David. "A Simple Hunting Maturity Model." Sqrrl / SANS. Original HMM framework.
  • SANS Institute. "Threat Hunting Maturity Model."
  • Course cross-references: TH0.8 (prerequisites), TH0.10 (data sources), TH1 (methodology), TH14 through TH16 (operations and automation).

NE environmental considerations

NE's detection environment includes specific factors that influence how hunts, and the detection rules they produce, operate:

Device diversity: 768 corporate workstations on Defender for Endpoint Plan 2 (P2) with full EDR telemetry, 58 manufacturing workstations on Plan 1 (P1) with basic cloud-delivered protection only, and 3 RHEL rendering servers with Syslog-only coverage. Rules targeting DeviceProcessEvents operate with full fidelity on P2 devices, but P1 devices do not report DeviceProcessEvents at all, because Plan 1 does not include EDR. Manufacturing workstations in Sheffield and Sunderland therefore represent a detection gap for endpoint-level detections.


Network topology: 11 offices connected via Palo Alto SD-WAN with full-mesh connectivity. The SD-WAN firewall logs feed CommonSecurityLog in Sentinel. Cross-site lateral movement generates firewall allow events that correlate with DeviceLogonEvents — enabling multi-source detection that single-table rules cannot achieve.
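The multi-source correlation described above, written out as an added KQL example (not part of the course material): Palo Alto SD-WAN "allow" events for common lateral-movement ports are joined to endpoint logons that arrive from the same source address shortly afterwards, and only flows that cross a site boundary are kept. The firewall and logon rows are constructed inline so the query runs in any KQL engine; in Sentinel the two datatables would be replaced by CommonSecurityLog and DeviceLogonEvents. The site-to-subnet mapping, the two-minute correlation window, and the port list are assumptions for the example.

```kql
// Added example, not from the course: correlate Palo Alto SD-WAN "allow" events
// (CommonSecurityLog) with endpoint logons (DeviceLogonEvents) to surface
// cross-site lateral movement. Sample rows are constructed; in Sentinel replace
// the two datatables with the real tables.
// Assumed site-to-subnet mapping; in production this belongs in a watchlist.
let SiteOf = (ip:string) {
    case(ipv4_is_in_range(ip, "10.10.0.0/16"), "Sheffield",
         ipv4_is_in_range(ip, "10.20.0.0/16"), "Sunderland",
         ipv4_is_in_range(ip, "10.30.0.0/16"), "Leeds",
         "unknown")
};
// Constructed stand-in for CommonSecurityLog (Palo Alto CEF traffic logs)
let FirewallEvents = datatable(TimeGenerated:datetime, DeviceVendor:string, DeviceAction:string,
                               SourceIP:string, DestinationIP:string, DestinationPort:int) [
    datetime(2025-03-04 09:15:02), "Palo Alto Networks", "allow", "10.10.5.21", "10.20.7.40", 445,
    datetime(2025-03-04 09:15:05), "Palo Alto Networks", "allow", "10.10.5.21", "10.20.7.40", 3389,
    datetime(2025-03-04 09:16:10), "Palo Alto Networks", "allow", "10.30.2.15", "10.30.2.99", 445,
    datetime(2025-03-04 09:20:00), "Palo Alto Networks", "deny",  "10.10.5.21", "10.20.7.41", 445
];
// Constructed stand-in for DeviceLogonEvents (Defender for Endpoint)
let LogonEvents = datatable(TimeGenerated:datetime, DeviceName:string, AccountName:string,
                            LogonType:string, ActionType:string, RemoteIP:string) [
    datetime(2025-03-04 09:15:06), "sund-fs01", "svc_backup", "Network",           "LogonSuccess", "10.10.5.21",
    datetime(2025-03-04 09:15:09), "sund-fs01", "svc_backup", "RemoteInteractive", "LogonSuccess", "10.10.5.21",
    datetime(2025-03-04 11:00:00), "sund-fs01", "jsmith",     "Interactive",       "LogonSuccess", "10.20.7.40"
];
let CorrelationWindow = 2m;   // a logon should follow the firewall allow within this window
FirewallEvents
| where DeviceVendor == "Palo Alto Networks" and DeviceAction =~ "allow"
| where DestinationPort in (445, 3389, 5985, 5986)   // SMB, RDP, WinRM: common lateral-movement ports
| extend SourceSite = SiteOf(SourceIP), DestinationSite = SiteOf(DestinationIP)
| where SourceSite != DestinationSite                // cross-site flows only; intra-site traffic is out of scope
| join kind=inner (
    LogonEvents
    | where ActionType == "LogonSuccess"
    | project LogonTime = TimeGenerated, DeviceName, AccountName, LogonType, RemoteIP
  ) on $left.SourceIP == $right.RemoteIP
| where LogonTime between (TimeGenerated .. (TimeGenerated + CorrelationWindow))
| summarize
    FirewallAllows = dcount(TimeGenerated),
    Ports          = make_set(DestinationPort),
    LogonTypes     = make_set(LogonType),
    FirstAllow     = min(TimeGenerated),
    LastLogon      = max(LogonTime)
    by SourceSite, SourceIP, DestinationSite, DestinationIP, DeviceName, AccountName
| order by FirstAllow asc
```

On the sample rows only the Sheffield-to-Sunderland flow survives: the Leeds flow is dropped as intra-site and the denied flow never reaches the join. One caveat for production use: the join ties the logon to the source address only; DeviceLogonEvents carries no local IP, so confirming that DestinationIP really is the device named in DeviceName requires a further join against DeviceNetworkInfo.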

User population: 810 users with distinct behavioral profiles — office workers (predictable hours, consistent applications), field engineers (variable hours, travel patterns), IT administrators (elevated privilege, broad access patterns), and manufacturing operators (fixed shifts, limited application access). Each user population has different detection baselines.

Decision point

You have time for one hunt this quarter. Do you hunt for the threat in the latest advisory or for the gap in your ATT&CK coverage matrix?

Hunt the coverage gap. Advisories describe threats that are CURRENT but may not target NE. Coverage gaps describe techniques that COULD target NE and would succeed undetected. The coverage gap hunt produces a detection rule (closing the gap permanently). The advisory-driven hunt produces a point-in-time assessment (confirming the specific threat is not present today). Both are valuable — but the coverage gap hunt has a longer-lasting impact because it produces a permanent detection improvement.

A hunt query returns 200 results. You have 4 hours remaining in the hunt window. You can investigate 20 results thoroughly or review all 200 superficially. Which approach produces better hunt outcomes?

  • Review all 200 — you might miss a critical finding in the 180 you skip.
  • Investigate 20 thoroughly. (Correct.) A superficial review of 200 results produces 200 "looked at it, seemed okay" assessments that provide no investigative value and no documentation for future reference. A thorough investigation of 20 results produces confirmed findings (true positives requiring remediation), confirmed benign patterns (documented baselines for future comparison), and inconclusive results (flagged for monitoring). Prioritize the 20 by highest anomaly score, highest-value assets involved, and highest-risk users involved. Document why the remaining 180 were not investigated and recommend a follow-up hunt with refined query criteria to reduce the result set.
  • Investigate 20 — but only if they are from the most recent 24 hours.
  • Neither — refine the query first to reduce the result set below 50.
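The prioritization rule from the correct answer (anomaly score, asset value, user risk), as an added KQL example that is not part of the course: a 200-row result set is scored, ranked, and cut to the 20 rows that get a thorough workup. The 200 hunt rows and both reference lists are constructed inline so the query runs anywhere. In Sentinel the rows would come from your own hunt query, the asset list from a watchlist such as `_GetWatchlist('HighValueAssets')` (an assumed name), and the user weight from UEBA (BehaviorAnalytics InvestigationPriority or IdentityInfo BlastRadius); the 0.5 / 0.3 / 0.2 weights are a starting assumption to tune per hunt.

```kql
// Added example, not from the course: rank a large hunt result set so the rows
// chosen for thorough investigation are the highest-priority ones.
// All inputs are constructed; see the lead-in for what replaces them in Sentinel.
let InvestigateN = 20;
// 200 constructed hunt results with a deterministic pseudo-random anomaly score
let HuntResults =
    range i from 1 to 200 step 1
    | extend TimeGenerated = datetime(2025-03-04) + (i * 7m),
             DeviceName    = strcat("ws-", tostring(i % 37)),
             AccountName   = strcat("user", tostring(i % 23)),
             AnomalyScore  = todouble(hash(i, 100)) / 100.0,     // 0.00 .. 0.99
             Observation   = "scheduled task created from user-writable path"
    | project-away i;
// Constructed stand-ins for the high-value-asset watchlist and UEBA user risk
let HighValueAssets = datatable(DeviceName:string, AssetWeight:real) [
    "ws-3", 1.0, "ws-17", 1.0, "sund-dc01", 1.0
];
let HighRiskUsers = datatable(AccountName:string, UserWeight:real) [
    "user5", 1.0, "user11", 0.7
];
let Ranked =
    HuntResults
    | join kind=leftouter HighValueAssets on DeviceName
    | join kind=leftouter HighRiskUsers on AccountName
    // unmatched rows carry nulls from the leftouter joins; treat them as zero weight
    | extend AssetWeight = coalesce(AssetWeight, 0.0),
             UserWeight  = coalesce(UserWeight, 0.0)
    // assumed weights: anomaly 0.5, asset value 0.3, user risk 0.2
    | extend PriorityScore = round(0.5 * AnomalyScore + 0.3 * AssetWeight + 0.2 * UserWeight, 3)
    | project-away DeviceName1, AccountName1
    | order by PriorityScore desc, TimeGenerated asc
    | extend Rank = row_number();
// The investigation queue: the rows that get a thorough workup in this hunt window
Ranked
| where Rank <= InvestigateN
| project Rank, PriorityScore, TimeGenerated, DeviceName, AccountName,
          AnomalyScore, AssetWeight, UserWeight, Observation
// For the hunt record, the deferred remainder is Ranked | where Rank > InvestigateN;
// summarize its count and score range there so the follow-up hunt can be scoped from it.
```

Ties are broken by time so the ranking is stable between runs, and the deferred rows stay in the same table under a different Rank filter, which is what the hunt record needs: a documented statement of what was not investigated and why.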

You understand the detection gap and the hunt cycle.

TH0 showed you what detection rules fundamentally cannot catch. TH1 gave you the hypothesis-driven methodology that closes that gap. Now you run the hunts.

  • 10 complete hunt campaigns — from hypothesis through KQL execution through finding disposition, each campaign based on a real TTP
  • 70 production hunt queries — every one mapped to MITRE ATT&CK and tested against realistic telemetry
  • Advanced KQL for hunting — UEBA composite risk scoring, retroactive IOC sweeps, and hunt management metrics
  • Hypothesis-Driven Hunt Toolkit lab pack — 30 days of realistic M365 and endpoint telemetry with multiple attack patterns seeded in
  • TH16 — Scaling hunts across a team — the operating model for a production hunt program