TH0.15 Your First 90 Days: From Zero to Operating
90 days to an operating program
The roadmap assumes you are at HMM0 or HMM1 (TH0.12). You have Sentinel deployed. You have analysts who can write KQL. You have leadership support (TH0.13) or at least implicit approval to dedicate 4+ hours per week. If any of these are missing, address them first — this roadmap starts after the prerequisites from TH0.8 are met.
Weeks 1–2: Foundation
Goal: Confirm readiness and establish baseline metrics.
Week 1:
- Run the readiness assessment from TH0.8. Score all five prerequisites. Document gaps.
- Run the data source audit from TH0.10. Confirm which tables are ingested. File requests to enable any missing critical tables (AADNonInteractiveUserSignInLogs is the most commonly missing and most impactful).
- Run the detection coverage ratio query from TH0.1. Record the numerator, denominator, and ratio. This is your coverage baseline.
- Run the dwell time baseline query from TH0.2. Record median, P75, P90. This is your dwell time baseline.
Week 2:
- Complete the HMM assessment from TH0.12. Document current level.
- Set up the metrics queries from TH0.14 — either as a Sentinel workbook or saved queries. Record baseline values (most will be zero if this is a new program).
- Define your hunting cadence: how many hours per week, which analyst(s), which day(s). Block the calendar. Protect the time from the alert queue.
- Read TH1 (Hunt Cycle methodology). Internalize the six steps. Print the hunt record template from TH1.7.
Weeks 3–4: ATT&CK Coverage Analysis
Goal: Build your hunt backlog.
- Complete TH3 (ATT&CK Coverage Analysis) as your first dedicated hunting activity. This exercise maps your detection rules to ATT&CK, identifies coverage gaps, and produces a prioritized hunt backlog.
- The backlog should contain at least 10 hypotheses, each scored by threat relevance × data availability × detection gap severity.
- Select the top 3 hypotheses for your first three campaigns. These should be from different technique domains — do not start with three authentication hunts if your gap includes OAuth, email, and privilege escalation.
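A worked example of the backlog scoring and campaign selection described above, added here and not part of the course material. The hypotheses, domains and 0–5 scores are constructed; the scoring keeps the course's product form (threat relevance × data availability × detection gap severity), which means a hypothesis whose data source is not ingested scores zero regardless of relevance, and the selection enforces the "different technique domains" rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Hypothesis:
    technique: str           # ATT&CK technique ID the hypothesis targets
    domain: str              # technique domain used to enforce campaign diversity
    threat_relevance: int    # 0-5: how relevant the technique is to your threat model
    data_availability: int   # 0-5: 0 means the required table is not ingested at all
    gap_severity: int        # 0-5: how large the detection gap for this technique is

    @property
    def priority(self) -> int:
        # Product scoring: any factor at 0 zeroes the hypothesis, so a missing
        # table pushes it to the bottom until the data source request is filled.
        return self.threat_relevance * self.data_availability * self.gap_severity


def rank_backlog(backlog):
    """Highest priority first; ties broken by technique ID for a stable order."""
    return sorted(backlog, key=lambda h: (-h.priority, h.technique))


def select_campaigns(backlog, count=3):
    """Pick the top `count` hypotheses, skipping any whose domain is already chosen."""
    chosen, seen_domains = [], set()
    for h in rank_backlog(backlog):
        if h.domain in seen_domains:
            continue  # a second authentication hunt waits for a later quarter
        chosen.append(h)
        seen_domains.add(h.domain)
        if len(chosen) == count:
            break
    return chosen


def blocked_on_data(backlog):
    """Hypotheses that cannot be hunted until a table is enabled (data audit follow-up)."""
    return [h for h in backlog if h.data_availability == 0]


# Constructed sample backlog (scores are illustrative, not from any real assessment).
BACKLOG = [
    Hypothesis("T1110", "authentication", 5, 5, 4),
    Hypothesis("T1078", "authentication", 5, 4, 4),
    Hypothesis("T1528", "oauth", 4, 5, 5),
    Hypothesis("T1566", "email", 4, 4, 4),
    Hypothesis("T1098", "privilege-escalation", 3, 5, 5),
    Hypothesis("T1136", "persistence", 3, 0, 5),
]

if __name__ == "__main__":
    for h in rank_backlog(BACKLOG):
        print(f"{h.technique:6} {h.domain:21} priority={h.priority}")
    print("campaigns:", [h.technique for h in select_campaigns(BACKLOG)])
    print("blocked on data:", [h.technique for h in blocked_on_data(BACKLOG)])
```

With these scores T1078 outranks T1098 but is skipped because T1110 already occupies the authentication domain, so the first three campaigns are T1110, T1528 and T1098.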
Weeks 5–8: First Three Campaigns
Goal: Execute three complete hunt campaigns with full documentation and detection rule output.
Week 5–6: Campaign 1.
- Execute the full Hunt Cycle from TH1 against your top-priority hypothesis.
- Complete the hunt record using the template from TH1.7.
- Convert the hunt query to a detection rule (TH1.6). Deploy in report-only mode.
- Expected time: 4–6 hours for the hunt, 30 minutes for documentation, 30 minutes for rule conversion.
Week 7: Campaign 2.
- Second hypothesis from the backlog. Same process.
- The second hunt will be faster — the methodology is now familiar and the analyst has environmental context from Campaign 1.
Week 8: Campaign 3.
- Third hypothesis. Same process.
- After three campaigns, you have: 3 hunt records (documented), 3 detection rules (deployed in report-only), measurable data for metrics reporting.
Weeks 9–12: Stabilization and First Report
Goal: Validate detection rules, measure program output, and deliver the first quarterly report.
Week 9–10:
- Review the three detection rules deployed in report-only mode. Check false positive rates. Tune thresholds and exclusions based on the 14-day validation window. Promote validated rules to production (creating incidents).
- Re-run the detection coverage ratio query. The numerator should have increased by 3 (three new techniques now covered). Calculate the new ratio and the improvement.
Week 11–12:
- Compile the first quarterly hunting program report using the template from TH0.14.
- Report to leadership: coverage improvement, hunts completed, rules produced, any incidents discovered.
- Update the backlog: add new hypotheses from any incidents investigated during the 90 days, from threat intelligence consumed, and from environmental changes observed.
- Plan the next quarter: select the next 3 campaign hypotheses from the prioritized backlog.
Figure TH0.15 — 90-day hunting program implementation roadmap. Four phases, each with specific deliverables. Total analyst time investment: approximately 30–40 hours over 12 weeks.
The Day 90 checkpoint
After 90 days, you should have:
- A readiness assessment with all prerequisites confirmed (or gaps documented and addressed)
- Baseline metrics recorded (coverage ratio, dwell time, HMM level)
- A prioritized hunt backlog with 10+ hypotheses
- 3 completed hunt records with full documentation
- 3 detection rules deployed (or in validation), each covering a technique that previously had no automated detection
- Updated coverage ratio showing measurable improvement
- A quarterly report delivered to leadership
- A plan for the next quarter with the next 3 campaign hypotheses selected
If you have all of these, you are operating at HMM2 (TH0.12). You have a structured, documented, measurable hunting program that produces permanent detection improvement. Scale from here.
Try it yourself
Exercise: Build your 90-day calendar
Open your calendar (or a planning document) and block the following:
Week 1: 4 hours — readiness assessment, data source audit, baseline metrics.
Week 2: 4 hours — HMM assessment, metrics setup, cadence definition, TH1 methodology review.
Weeks 3–4: 6 hours — TH3 ATT&CK coverage analysis (when available), backlog creation.
Weeks 5–8: 6 hours per campaign × 3 = 18 hours — three hunt campaigns with full documentation and rule conversion.
Weeks 9–12: 4 hours — rule validation, re-measurement, quarterly report compilation.
Total: ~36 hours over 12 weeks. That is 3 hours per week on average. Achievable alongside a full-time SOC role with protected time.
The myth: Hunting programs are long-term investments that do not produce measurable results for 6–12 months. Leadership should expect a long ramp-up before seeing value.
The reality: The first hunt campaign — which can be completed in week 5 of this roadmap — produces a documented finding (positive or negative) and a detection rule. That is measurable output from week 5. By day 90, the program has produced 3 hunt records, 3 detection rules, and a quantified coverage improvement. The results are immediate and compounding. The “6–12 month” timeline describes organizational culture change and full maturity (HMM3+), not the time to first measurable output. The first output comes in weeks, not months.
Extend this roadmap
The 90-day plan covers the first quarter. Quarters 2–4 follow the same cadence: 3 campaigns per quarter from the prioritized backlog, 3 detection rules produced per quarter, quarterly metrics and report. After four quarters, you have 12 hunt records, 12+ detection rules, and a full year of metrics data showing the coverage trend. That annual dataset is the evidence for expanding the program — more hours, more analysts, or more ambitious campaigns. The first year builds the case. The second year scales it.
References Used in This Subsection
- Course cross-references: TH0.1 (coverage), TH0.2 (dwell time), TH0.8 (readiness), TH0.10 (data sources), TH0.12 (HMM), TH0.14 (metrics), TH1 (methodology), TH3 (coverage analysis)