TH0.13 Building the Leadership Case
The audience determines the argument
Technical stakeholders (CISO, security architects) respond to the detection gap data from TH0.1 and the structural limitation arguments from TH0.4. They understand coverage ratios, ATT&CK mappings, and dwell time.
Business stakeholders (CFO, CTO, CEO, board) do not. They respond to risk in financial terms — what does the gap cost us if exploited, what does closing the gap cost, and what is the return on that investment? TH0.7 provides the numbers. This subsection provides the framing.
The mistake most security practitioners make is presenting the technical case to a business audience. A slide showing ATT&CK coverage heatmaps makes the CISO nod. It makes the CFO check their phone.
Format 1: The 60-second elevator pitch
For informal conversations — hallway, executive lunch, Slack message from leadership asking “what should we be doing about threat hunting?”
“Our detection rules cover about [X]% of the attack techniques relevant to our M365 environment. The other [100-X]% is unmonitored — an attacker using those techniques generates no alert. We’re proposing [N] hours per week of structured hunting to address that gap. Each hunt produces a new detection rule, so the coverage improves permanently. Cost is about $[annual cost] per year in analyst time. Payback is the first time hunting finds a compromise before our rules do — which avoids the cost differential between internal discovery and external notification, typically around a million dollars per incident.”
Three elements: the problem (detection gap, quantified), the solution (structured hunting hours), and the return (self-funding through detection rules, with incident avoidance as the financial case).
Format 2: The 15-minute leadership brief
For scheduled meetings — monthly security review, quarterly business review, annual budget planning.
Slide 1 — The gap (2 minutes). “Our analytics rules cover [X]% of the techniques attackers use against M365 environments. [100-X]% of techniques generate no alert. This is not a staffing problem — it is a structural limitation of how detection rules work. Rules catch what we anticipated. The rest requires someone to look.”
Slide 2 — The risk (3 minutes). “The industry median dwell time is 10 days. Our measured median is [Y] days. In those days, an attacker establishes persistence, maps our environment, and executes their objective. At day 1, remediation costs hours. At day 10, it costs weeks. At day 30+, it involves forensics, legal, regulatory notification, and potentially external incident response.”
Slide 3 — The solution (3 minutes). “[N] hours per week of protected analyst time for structured threat hunting. No new tools needed — we use the same Sentinel workspace and KQL queries. Each hunt follows a documented methodology and produces a new detection rule that runs permanently.”
Slide 4 — The numbers (3 minutes). “Annual cost: $[total] in analyst time. Each hunt produces a detection rule worth [technique coverage] in permanent gap closure. 12 hunts per year moves our coverage from [X]% to approximately [X+12]%. The program pays for itself the first time it discovers a compromise before our rules do — one incident of internal vs external discovery avoidance.”
Slide 5 — The ask (2 minutes). “Approve [N] hours per week of protected hunting time starting [date]. First 90 days: readiness assessment, coverage analysis, and three initial campaigns. We report results quarterly.”
Q&A (2 minutes). Common questions and prepared responses from TH0.9 (hunting myths).
Format 3: The one-page business case
For formal approval — budget requests, program proposals, security strategy documents.
The complete template is in the module summary artifact (TH0.16). This subsection provides the framing principles.
Lead with risk, not technology. The first paragraph is about the business risk of undetected intrusions — not about MITRE ATT&CK or detection coverage ratios. Those are supporting evidence, not the headline.
Quantify everything. Coverage ratio: [X]%. Dwell time baseline: [Y] days. Annual program cost: $[Z]. Expected output: [N] detection rules per year. Break-even: [fraction] of one incident.
Name the alternative. The alternative to hunting is not “nothing changes.” The alternative is “the [100-X]% coverage gap remains unmonitored indefinitely, and intrusions in that gap are discovered through external notification (law enforcement, customer complaint, ransom note) rather than internal detection.” That alternative has a cost — the IBM breach cost differential between internal and external discovery. Name it.
Make the ask specific. Not “we should do threat hunting.” Instead: “[N] hours per week of analyst time, protected from the alert queue, starting [date], with quarterly reporting on coverage improvement, hunts completed, and incidents discovered.”
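The figures the one-page business case asks for (and the ones on Slide 4 of the leadership brief) can be derived from the rule-to-technique mapping instead of estimated by hand. The Python below is an added example, not part of the course material: it computes the coverage ratio, lists the uncovered gap, totals annual cost, projects coverage after a year of hunts using the course's one-rule-per-hunt model, computes the break-even fraction of one incident, and fills the elevator-pitch template with the results. Every input is a constructed sample value (the 30-technique relevant set, the 16 covered techniques, 8 hours per week, $100 per hour, and the $1,000,000 discovery-cost differential quoted in the pitch), not a measurement from any real environment.

```python
"""Worked leadership-case numbers: coverage ratio, gap, annual cost, projected
coverage, break-even, rendered into the elevator-pitch template.
Added example; all input values are constructed, not measured."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProgramInputs:
    relevant: frozenset[str]          # ATT&CK techniques relevant to the M365 environment
    covered: frozenset[str]           # techniques with at least one analytics rule mapped
    hours_per_week: float             # protected hunting time being requested
    hourly_cost: float                # fully loaded analyst cost per hour
    hunts_per_year: int               # each completed hunt ships one new detection rule
    incident_cost_differential: float  # external-notification cost minus internal-discovery cost
    weeks_per_year: int = 52


def coverage_ratio(p: ProgramInputs) -> float:
    """Percentage of relevant techniques that at least one rule alerts on."""
    return 100.0 * len(p.relevant & p.covered) / len(p.relevant)


def uncovered(p: ProgramInputs) -> list[str]:
    """The gap: relevant techniques that generate no alert today."""
    return sorted(p.relevant - p.covered)


def annual_cost(p: ProgramInputs) -> float:
    """Analyst time cost of the protected hunting hours over a year."""
    return p.hours_per_week * p.weeks_per_year * p.hourly_cost


def projected_coverage(p: ProgramInputs) -> float:
    """Coverage after one year if each hunt closes one uncovered technique
    (the course's 'each hunt produces a detection rule' model), capped at 100%."""
    closed = min(p.hunts_per_year, len(uncovered(p)))
    return 100.0 * (len(p.relevant & p.covered) + closed) / len(p.relevant)


def break_even_fraction(p: ProgramInputs) -> float:
    """Fraction of one incident's discovery-cost differential that funds the program."""
    return annual_cost(p) / p.incident_cost_differential


def elevator_pitch(p: ProgramInputs) -> str:
    """Fill the 60-second pitch template with the computed figures."""
    x = coverage_ratio(p)
    return (
        f"Our detection rules cover about {x:.0f}% of the attack techniques relevant to "
        f"our M365 environment. The other {100 - x:.0f}% is unmonitored. We're proposing "
        f"{p.hours_per_week:g} hours per week of structured hunting; {p.hunts_per_year} hunts "
        f"per year move coverage to about {projected_coverage(p):.0f}%. Cost is about "
        f"${annual_cost(p):,.0f} per year in analyst time, which is "
        f"{break_even_fraction(p):.0%} of the ${p.incident_cost_differential:,.0f} cost "
        f"difference between internal discovery and external notification."
    )


# Constructed sample: 30 ATT&CK technique IDs treated as the relevant set for a
# hypothetical M365 tenant, 16 of which have a mapped analytics rule.
SAMPLE_RELEVANT = frozenset("""
T1078.004 T1098.001 T1098.002 T1098.003 T1110.001 T1110.003 T1114.002 T1114.003
T1136.003 T1528 T1550.001 T1556.006 T1566.001 T1566.002 T1595.001 T1621
T1534 T1530 T1213.002 T1087.004 T1069.003 T1538 T1526 T1580
T1567.002 T1048.002 T1486 T1531 T1199 T1562.008
""".split())
SAMPLE_COVERED = frozenset("""
T1078.004 T1098.001 T1098.003 T1110.001 T1110.003 T1114.003 T1136.003 T1528
T1566.001 T1566.002 T1621 T1534 T1530 T1087.004 T1486 T1562.008
""".split())

SAMPLE = ProgramInputs(
    relevant=SAMPLE_RELEVANT,
    covered=SAMPLE_COVERED,
    hours_per_week=8,                   # constructed ask
    hourly_cost=100.0,                  # constructed loaded rate
    hunts_per_year=12,                  # one hunt per month, as in the brief
    incident_cost_differential=1_000_000.0,  # "around a million dollars per incident"
)

if __name__ == "__main__":
    print(f"Coverage: {coverage_ratio(SAMPLE):.1f}%  gap: {len(uncovered(SAMPLE))} techniques")
    print(f"Annual cost: ${annual_cost(SAMPLE):,.0f}  break-even: {break_even_fraction(SAMPLE):.1%} of one incident")
    print(f"Projected coverage after {SAMPLE.hunts_per_year} hunts: {projected_coverage(SAMPLE):.1f}%")
    print()
    print(elevator_pitch(SAMPLE))
```

Swap the two frozensets for the output of your own coverage query and the cost fields for your real rate and hours, and the same functions produce the figures for Slide 4 and the one-pager; the projection deliberately caps at 100% so a small relevant set with many hunts does not report impossible coverage.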
Figure TH0.13 — Three communication formats matched to audience and context. Each uses the same underlying data (coverage ratio, dwell time, program cost) but frames it differently.
Try it yourself
Exercise: Draft your elevator pitch
Using the numbers from the KQL queries above (or estimates if you have not run them yet), write your 60-second elevator pitch. Fill in the blanks from the template in this subsection with your actual data.
Then read it aloud. If it takes more than 60 seconds, cut. If it uses technical terms the CFO would not understand (ATT&CK, KQL, Sentinel, analytics rules), replace them with business language (detection system, attack techniques, coverage gap, security monitoring).
Save the pitch. You will use it.
The myth: The ATT&CK coverage heatmap — red squares for uncovered techniques, green for covered — is a compelling visual that will persuade leadership to fund hunting.
The reality: The heatmap persuades technical stakeholders who understand ATT&CK. Business stakeholders see colored squares without operational context. They do not know that T1098.003 matters more than T1595.001 for their environment, or that a red square represents a specific business risk. The heatmap is supporting evidence for the CISO. The financial case — program cost vs incident cost avoidance — is the argument for the CFO. Use the right evidence for the right audience.
Extend this approach
If your organization has experienced a significant security incident in the past 12–24 months, the leadership case has an additional lever: "If we had been hunting at the time of [incident reference], we would have discovered the attacker [N days] earlier — during the persistence phase rather than the execution phase. The remediation cost, regulatory exposure, and business disruption would have been significantly lower." This is not hypothetical — use the incident's actual dwell time and actual remediation cost to make it concrete. Recent incidents create organizational memory that makes the hunting argument tangible in a way that industry statistics alone cannot.
References Used in This Subsection
- IBM Security. “Cost of a Data Breach Report 2023.” — internal vs external discovery cost differential
- Course cross-references: TH0.1 (coverage ratio), TH0.2 (dwell time), TH0.7 (ROI model), TH0.9 (myth responses for Q&A)