TH0.13 Building the Leadership Case

3-4 hours · Module 0 · Free
Operational Objective
The technical case for hunting is made in TH0.1 through TH0.7. This subsection translates that technical case into the language leadership speaks — risk reduction, cost avoidance, regulatory posture, and measurable outcomes. Three formats for three audiences: a 60-second elevator pitch for informal conversations, a 15-minute leadership brief for scheduled meetings, and a one-page written business case for formal approval.
Deliverable: Three communication formats — elevator pitch, leadership brief, written business case — ready to adapt with your organization's specific data from the exercises in this module.
⏱ Estimated completion: 25 minutes

The audience determines the argument

Technical stakeholders (CISO, security architects) respond to the detection gap data from TH0.1 and the structural limitation arguments from TH0.4. They understand coverage ratios, ATT&CK mappings, and dwell time.

Business stakeholders (CFO, CTO, CEO, board) do not. They respond to risk in financial terms — what does the gap cost us if exploited, what does closing the gap cost, and what is the return on that investment? TH0.7 provides the numbers. This subsection provides the framing.

```kql
// Generate your specific numbers for the leadership case
// Run each of the three queries separately and record the outputs

// Query 1: Your detection coverage ratio
// Techniques is a JSON-encoded array inside ExtendedProperties, so it is
// parsed twice and expanded so that each technique is counted once.
SecurityAlert
| where TimeGenerated > ago(90d)
| where ProviderName == "ASI Scheduled Alerts"
| extend Techniques = parse_json(tostring(parse_json(ExtendedProperties)["Techniques"]))
| where isnotempty(Techniques)
| mv-expand Technique = Techniques
| summarize CoveredTechniques = dcount(tostring(Technique))
// Your numerator: ____ techniques covered
// Your denominator (from ATT&CK Navigator): ____ techniques relevant
// Your ratio: ____%

// Query 2: Your dwell time baseline
// SecurityIncident holds one row per incident update; keep the latest row
// per incident so each incident contributes a single dwell-time value.
SecurityIncident
| where TimeGenerated > ago(180d)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status == "Closed"
| extend EarliestEvidence = coalesce(FirstActivityTime,
    todatetime(parse_json(tostring(AdditionalData)).firstActivityTimeUtc))
| where isnotempty(EarliestEvidence)
| extend DwellDays = datetime_diff('day', CreatedTime, EarliestEvidence)
| where DwellDays >= 0 and DwellDays < 365
| summarize Median = percentile(DwellDays, 50),
    P90 = percentile(DwellDays, 90),
    Count = count()
// Your median: ____ days | P90: ____ days

// Query 3: Your incident volume (for break-even calculation)
// Deduplicate update rows the same way so incidents are counted once.
SecurityIncident
| where TimeGenerated > ago(365d)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| summarize TotalIncidents = count(),
    HighSeverity = countif(Severity == "High")
// Annual incidents: ____ | High severity: ____
```

The mistake most security practitioners make is presenting the technical case to a business audience. A slide showing ATT&CK coverage heatmaps makes the CISO nod. It makes the CFO check their phone.

Format 1: The 60-second elevator pitch

For informal conversations — hallway, executive lunch, Slack message from leadership asking "what should we be doing about threat hunting?"

"Our detection rules cover about [X]% of the attack techniques relevant to our M365 environment. The other [100-X]% is unmonitored — an attacker using those techniques generates no alert. We're proposing [N] hours per week of structured hunting to address that gap. Each hunt produces a new detection rule, so the coverage improves permanently. Cost is about $[annual cost] per year in analyst time. Payback is the first time hunting finds a compromise before our rules do — which avoids the cost differential between internal discovery and external notification, typically around a million dollars per incident."

Three elements: the problem (detection gap, quantified), the solution (structured hunting hours), and the return (self-funding through detection rules, with incident avoidance as the financial case).

Format 2: The 15-minute leadership brief

For scheduled meetings — monthly security review, quarterly business review, annual budget planning.

Slide 1 — The gap (2 minutes). "Our analytics rules cover [X]% of the techniques attackers use against M365 environments. [100-X]% of techniques generate no alert. This is not a staffing problem — it is a structural limitation of how detection rules work. Rules catch what we anticipated. The rest requires someone to look."

Slide 2 — The risk (3 minutes). "The industry median dwell time is 10 days. Our measured median is [Y] days. In those days, an attacker establishes persistence, maps our environment, and executes their objective. At day 1, remediation costs hours. At day 10, it costs weeks. At day 30+, it involves forensics, legal, regulatory notification, and potentially external incident response."

Slide 3 — The solution (3 minutes). "[N] hours per week of protected analyst time for structured threat hunting. No new tools needed — we use the same Sentinel workspace and KQL queries. Each hunt follows a documented methodology and produces a new detection rule that runs permanently."

Slide 4 — The numbers (3 minutes). "Annual cost: $[total] in analyst time. Each hunt produces a detection rule worth [technique coverage] in permanent gap closure. 12 hunts per year moves our coverage from [X]% to approximately [X+12]%. The program pays for itself the first time it discovers a compromise before our rules do — one incident of internal vs external discovery avoidance."

Slide 5 — The ask (2 minutes). "Approve [N] hours per week of protected hunting time starting [date]. First 90 days: readiness assessment, coverage analysis, and three initial campaigns. We report results quarterly."

Q&A (2 minutes). Common questions and prepared responses from TH0.9 (hunting myths).

Format 3: The one-page business case

For formal approval — budget requests, program proposals, security strategy documents.

The complete template is in the module summary artifact (TH0.16). This subsection provides the framing principles.

Lead with risk, not technology. The first paragraph is about the business risk of undetected intrusions — not about MITRE ATT&CK or detection coverage ratios. Those are supporting evidence, not the headline.

Quantify everything. Coverage ratio: [X]%. Dwell time baseline: [Y] days. Annual program cost: $[Z]. Expected output: [N] detection rules per year. Break-even: [fraction] of one incident.

Name the alternative. The alternative to hunting is not "nothing changes." The alternative is "the [100-X]% coverage gap remains unmonitored indefinitely, and intrusions in that gap are discovered through external notification (law enforcement, customer complaint, ransom note) rather than internal detection." That alternative has a cost — the IBM breach cost differential between internal and external discovery. Name it.

Make the ask specific. Not "we should do threat hunting." Instead: "[N] hours per week of analyst time, protected from the alert queue, starting [date], with quarterly reporting on coverage improvement, hunts completed, and incidents discovered."

Figure TH0.13 (text): Three communication formats for three audiences
  • 60-second pitch: hallway, Slack, informal. Problem → Solution → Return. Any stakeholder, any context.
  • 15-minute brief: security review, budget meeting. 5 slides: Gap → Risk → Solution → Numbers → Ask. CISO, CTO, leadership team.
  • One-page business case: formal budget approval. Risk → Quantification → Ask. CFO, executive committee.
  Principles: lead with risk, not technology. Quantify everything. Name the alternative. Make the ask specific.

Figure TH0.13 — Three communication formats matched to audience and context. Each uses the same underlying data (coverage ratio, dwell time, program cost) but frames it differently.

Try it yourself

Exercise: Draft your elevator pitch

Using the numbers from the KQL queries above (or estimates if you have not run them yet), write your 60-second elevator pitch. Fill in the blanks from the template in this subsection with your actual data.

Then read it aloud. If it takes more than 60 seconds, cut. If it uses technical terms the CFO would not understand (ATT&CK, KQL, Sentinel, analytics rules), replace them with business language (detection system, attack techniques, coverage gap, security monitoring).

Save the pitch. You will use it.

The language translation problem

Security teams speak in TTPs, MITRE techniques, and detection coverage percentages. Leadership speaks in business risk, financial impact, and competitive advantage. The leadership case must translate: "We have 0% detection coverage for T1021.001 (RDP lateral movement)" becomes "An attacker who compromises one workstation can reach our financial systems undetected because we have no monitoring for the specific technique they use to move between systems. The CHAIN-MESH attack at NE demonstrated this gap — the attacker traversed from Edinburgh to Sheffield manufacturing in 12 minutes without triggering a single alert." The MITRE reference goes in the appendix. The business impact goes in the executive summary.

The queries developed during this exercise become reusable templates in your personal hunting library. Parameterise the hardcoded values (user names, IP addresses, time windows) and add a header comment explaining the hypothesis each query tests. A mature hunting program maintains 50-100 parameterised query templates that any team member can execute — reducing the per-hunt preparation time from hours to minutes and ensuring consistent methodology across analysts.

The most compelling leadership cases include a cost comparison: the cost of the hunting program (analyst time, tooling) versus the cost of a single undetected breach. At NE, the CHAIN-MESH ransomware encrypted 200 engineering files on the manufacturing server. The recovery cost — not including reputational damage — exceeded $225,000. The annual hunting program budget is $57,000. One successful hunt that detects a ransomware precursor before encryption pays for the entire program four times over. Frame the investment in these terms.
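As an added example (not course material), the arithmetic behind the blanks in all three formats: coverage ratio, projected coverage after a year of hunts, annual cost, the break-even fraction of one avoided incident, and the payback multiple used in the NE comparison above. The cost differential constant and the sample inputs are constructed assumptions.

```python
from dataclasses import dataclass

# Assumption (constructed): the discovery cost differential the pitch rounds to "around a million dollars".
DISCOVERY_COST_DIFFERENTIAL_USD = 1_000_000

@dataclass
class HuntingInputs:
    covered_techniques: int        # Query 1 numerator
    relevant_techniques: int       # denominator from ATT&CK Navigator
    median_dwell_days: float       # Query 2 median
    hunt_hours_per_week: float     # the ask
    loaded_hourly_cost_usd: float  # fully loaded analyst cost
    hunts_per_year: int = 12       # one detection rule per hunt, as in the brief

def coverage_pct(covered: int, relevant: int) -> float:
    """Coverage ratio as a percentage (Query 1 numerator over denominator)."""
    if relevant <= 0:
        raise ValueError("relevant_techniques must be positive")
    return round(100.0 * covered / relevant, 1)

def annual_cost_usd(hours_per_week: float, hourly_cost: float) -> float:
    """Annual programme cost in analyst time (52 weeks)."""
    return round(hours_per_week * 52 * hourly_cost, 2)

def payback_multiple(incident_cost_usd: float, program_cost_usd: float) -> float:
    """How many times one avoided incident pays for the programme."""
    return round(incident_cost_usd / program_cost_usd, 1)

def leadership_numbers(i: HuntingInputs,
                       incident_cost: float = DISCOVERY_COST_DIFFERENTIAL_USD) -> dict:
    """Every blank in the pitch, brief and business-case templates."""
    cost = annual_cost_usd(i.hunt_hours_per_week, i.loaded_hourly_cost_usd)
    now = coverage_pct(i.covered_techniques, i.relevant_techniques)
    # Each hunt closes one technique; coverage cannot exceed the denominator.
    closed = min(i.covered_techniques + i.hunts_per_year, i.relevant_techniques)
    return {
        "coverage_pct": now,
        "gap_pct": round(100.0 - now, 1),
        "projected_coverage_pct": coverage_pct(closed, i.relevant_techniques),
        "median_dwell_days": i.median_dwell_days,
        "annual_cost_usd": cost,
        # Break-even: the fraction of one avoided incident that funds a year.
        "break_even_incidents": round(cost / incident_cost, 3),
        "payback_multiple": payback_multiple(incident_cost, cost),
    }

if __name__ == "__main__":
    # Constructed sample: 42 of 120 relevant techniques covered, 8 h/week at $75/h.
    print(leadership_numbers(HuntingInputs(42, 120, 14, 8, 75)))
```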

⚠ Compliance Myth: "Leadership will fund hunting once we show them the ATT&CK heatmap"

The myth: The ATT&CK coverage heatmap — red squares for uncovered techniques, green for covered — is a compelling visual that will persuade leadership to fund hunting.

The reality: The heatmap persuades technical stakeholders who understand ATT&CK. Business stakeholders see colored squares without operational context. They do not know that T1098.003 matters more than T1595.001 for their environment, or that a red square represents a specific business risk. The heatmap is supporting evidence for the CISO. The financial case — program cost vs incident cost avoidance — is the argument for the CFO. Use the right evidence for the right audience.

Extend this approach

If your organization has experienced a significant security incident in the past 12–24 months, the leadership case has an additional lever: "If we had been hunting at the time of [incident reference], we would have discovered the attacker [N days] earlier — during the persistence phase rather than the execution phase. The remediation cost, regulatory exposure, and business disruption would have been significantly lower." This is not hypothetical — use the incident's actual dwell time and actual remediation cost to make it concrete. Recent incidents create organizational memory that makes the hunting argument tangible in a way that industry statistics alone cannot.


References Used in This Subsection

  • IBM Security. "Cost of a Data Breach Report 2023." — internal vs external discovery cost differential
  • Course cross-references: TH0.1 (coverage ratio), TH0.2 (dwell time), TH0.7 (ROI model), TH0.9 (myth responses for Q&A)

Decision point

You have time for one hunt this quarter. Do you hunt for the threat in the latest advisory or for the gap in your ATT&CK coverage matrix?

Hunt the coverage gap. Advisories describe threats that are CURRENT but may not target NE. Coverage gaps describe techniques that COULD target NE and would succeed undetected. The coverage gap hunt produces a detection rule (closing the gap permanently). The advisory-driven hunt produces a point-in-time assessment (confirming the specific threat is not present today). Both are valuable — but the coverage gap hunt has a longer-lasting impact because it produces a permanent detection improvement.

A hunt query returns 200 results. You have 4 hours remaining in the hunt window. You can investigate 20 results thoroughly or review all 200 superficially. Which approach produces better hunt outcomes?
  • Review all 200 — you might miss a critical finding in the 180 you skip.
  • Investigate 20 thoroughly. A superficial review of 200 results produces 200 'looked at it, seemed okay' assessments that provide no investigative value and no documentation for future reference. A thorough investigation of 20 results produces: confirmed findings (true positives requiring remediation), confirmed benign patterns (documented baselines for future comparison), and inconclusive results (flagged for monitoring). Prioritise the 20 by: highest anomaly score, highest-value assets involved, and highest-risk users involved. Document why the remaining 180 were not investigated and recommend a follow-up hunt with refined query criteria to reduce the result set.
  • Investigate 20 — but only if they are from the most recent 24 hours.
  • Neither — refine the query first to reduce the result set below 50.

You understand the detection gap and the hunt cycle.

TH0 showed you what detection rules fundamentally cannot catch. TH1 gave you the hypothesis-driven methodology that closes that gap. Now you run the hunts.

  • 10 complete hunt campaigns — from hypothesis through KQL execution through finding disposition, each campaign based on a real TTP
  • 70 production hunt queries — every one mapped to MITRE ATT&CK and tested against realistic telemetry
  • Advanced KQL for hunting — UEBA composite risk scoring, retroactive IOC sweeps, and hunt management metrics
  • Hypothesis-Driven Hunt Toolkit lab pack — 30 days of realistic M365 and endpoint telemetry with multiple attack patterns seeded in
  • TH16 — Scaling hunts across a team — the operating model for a production hunt program