The Hunt Cycle — A Structured Methodology

3-4 hours · Module 1 · Free
Stage 1 of 5 — Hypothesis Generation
Every hunt starts with a testable question about attacker behavior.
A hypothesis is a specific, testable statement about adversary activity in your environment. Good hypotheses come from threat intelligence, ATT&CK techniques, and organizational risk. Bad hypotheses come from vague concerns and gut feelings.

Stage 2 of 5 — Scoping and Data Identification
Which tables contain the evidence your hypothesis predicts.
Scoping determines which data sources to query, what time window to search, and what entity types to examine. A poorly scoped hunt wastes time querying irrelevant tables. A well-scoped hunt reaches its conclusion efficiently.

Stage 3 of 5 — Iterative Collection and Analysis
Query · refine · query · refine — the analysis loop.
Hunting is iterative. The first query produces initial results. The analyst examines, refines, pivots, and queries again. Each iteration narrows toward a finding or exhausts the hypothesis. The hunt cycle is not linear — it loops until conclusive.

Stage 4 of 5 — Conclusion Documentation
Positive finding or validated absence — both are results.
Every hunt produces a conclusion. A positive finding triggers incident response. A validated absence confirms the technique is not currently present — and produces a query that can run again next cycle. Undocumented hunts produce zero institutional value.

Stage 5 of 5 — Detection Conversion
Successful hunts become detection rules — the hunting-to-detection pipeline.
The query that found a threat becomes the detection rule that catches it automatically next time. The hunting-to-detection pipeline is how hunting programs compound their value over time — each hunt either finds a threat or improves future detection.

The Hunt Cycle: A Structured Methodology

Most analysts who hunt do it ad hoc. They open Advanced Hunting, write a query based on something they read in a threat report that morning, scan the results, and move on. If the query returns nothing interesting, the hunt is "done." If it returns something suspicious, they investigate — but without a framework for determining whether the suspicious result is actually a finding or noise they do not yet understand.

Ad hoc hunting is better than no hunting. But it has three problems that prevent it from producing consistent, measurable value. It is not documented, so the organization cannot learn from it. It is not structured, so the analyst cannot distinguish between "no threat present" and "wrong query." And it does not produce detection rules, so the same technique must be hunted again next month because no automated coverage was created.

The Hunt Cycle replaces ad hoc querying with a structured, repeatable, documented process. Six steps. Every campaign module in this course follows them. Every hunt you run after completing this course follows them. The structure is what makes hunting an organizational capability rather than an individual skill.

The six steps

1. Hypothesize — Formulate a specific, testable prediction about attacker behavior in your environment. Not a question ("are there threats?") but a prediction ("compromised accounts will show authentication from IPs not in the user's 30-day baseline").

2. Scope — Define what you are searching, where, and when. Data sources, time window, target population. Boundaries set before the first query runs.

3. Collect — Execute KQL queries. Iterative — start broad, narrow based on results. Document every query, not just the ones that produced findings.

4. Analyze — Separate legitimate activity from suspicious activity using contextual enrichment. This is where hunting judgment lives.

5. Conclude — Confirm or refute the hypothesis. Document the finding — positive or negative. Escalate to IR if compromise is found.

6. Convert — Turn validated hunt queries into detection rules. What you hunted today, you detect automatically tomorrow.
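The six steps above, and the five stage cards at the top of the page, can be walked through on the hypothesis given in step 1 ("compromised accounts will show authentication from IPs not in the user's 30-day baseline"). The query below is an added illustration written for this page, not part of the course material or any Microsoft-provided content. It runs on a constructed `datatable` of sign-ins so it can be pasted into any KQL environment offline; the column names (`Timestamp`, `AccountUpn`, `IPAddress`, `Result`), the account names, the IP addresses (all from documentation ranges) and the fixed `HuntEnd` date are assumptions made for the example. Against a live tenant you would point `SignIns` at your sign-in table and replace the fixed dates with `now()`.

```kql
// Constructed sample telemetry (not from any real tenant). The rows mimic the
// shape of a sign-in table: three users, successful sign-ins only.
let SignIns = datatable(Timestamp:datetime, AccountUpn:string, IPAddress:string, Result:string)
[
    datetime(2024-05-01T08:00:00Z), "alice@contoso.test", "203.0.113.10", "Success",
    datetime(2024-05-10T09:15:00Z), "alice@contoso.test", "203.0.113.10", "Success",
    datetime(2024-05-20T17:40:00Z), "alice@contoso.test", "203.0.113.11", "Success",
    datetime(2024-05-03T07:55:00Z), "bob@contoso.test",   "198.51.100.7", "Success",
    datetime(2024-05-25T12:30:00Z), "bob@contoso.test",   "198.51.100.7", "Success",
    datetime(2024-06-02T03:12:00Z), "alice@contoso.test", "192.0.2.44",   "Success",
    datetime(2024-06-02T08:05:00Z), "bob@contoso.test",   "198.51.100.7", "Success",
    datetime(2024-06-03T10:00:00Z), "carol@contoso.test", "203.0.113.99", "Success"
];
// Step 2 (Scope): boundaries fixed before the first query runs. A fixed HuntEnd
// keeps the example reproducible; in production use now().
let HuntEnd = datetime(2024-06-04T00:00:00Z);
let HuntStart = HuntEnd - 3d;           // the window being hunted
let BaselineStart = HuntStart - 30d;    // the 30-day baseline that precedes it
// Baseline: every IP each user successfully signed in from during the 30 days
// before the hunt window, plus how many sign-ins that baseline rests on.
let Baseline = SignIns
    | where Result == "Success"
    | where Timestamp between (BaselineStart .. HuntStart)
    | summarize BaselineIPs = make_set(IPAddress), BaselineSignIns = count() by AccountUpn;
// Step 3 (Collect): successful sign-ins inside the hunt window, joined to the baseline.
SignIns
| where Result == "Success"
| where Timestamp between (HuntStart .. HuntEnd)
| join kind=leftouter Baseline on AccountUpn
// Step 4 (Analyze): keep only sign-ins whose source IP is absent from the user's
// baseline. A user with no baseline at all is surfaced separately, because
// "never seen before" and "new account" need different enrichment.
| where isnull(BaselineIPs) or set_has_element(BaselineIPs, IPAddress) == false
| extend Disposition = iff(isnull(BaselineIPs),
                           "no baseline: new or dormant account",
                           "IP not in 30-day baseline")
| project Timestamp, AccountUpn, IPAddress, Disposition, BaselineSignIns, BaselineIPs
| order by Timestamp asc
```

On the constructed rows this returns two results: alice's 03:12 sign-in from 192.0.2.44 (her baseline is 203.0.113.10 and 203.0.113.11) and carol's sign-in, which has no baseline to compare against; bob's sign-in from his baseline address is filtered out. Step 5 is the disposition you record for each row, positive or negative. Step 6 is mechanical once the hunt is documented: set `HuntEnd` to `now()`, `HuntStart` to `now() - 1d`, and schedule the same query as a detection rule, so the hypothesis you tested by hand today is evaluated automatically every day from tomorrow.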

Start with TH1.1 to learn how to formulate hypotheses that produce results.

You understand the detection gap and the hunt cycle.

TH0 showed you what detection rules fundamentally cannot catch. TH1 gave you the hypothesis-driven methodology that closes that gap. Now you run the hunts.

  • 10 complete hunt campaigns — from hypothesis through KQL execution through finding disposition, each campaign based on a real TTP
  • 70 production hunt queries — every one mapped to MITRE ATT&CK and tested against realistic telemetry
  • Advanced KQL for hunting — UEBA composite risk scoring, retroactive IOC sweeps, and hunt management metrics
  • Hypothesis-Driven Hunt Toolkit lab pack — 30 days of realistic M365 and endpoint telemetry with multiple attack patterns seeded in
  • TH16 — Scaling hunts across a team — the operating model for a production hunt program