TH1.14 Hunt Cadence and Scheduling Models

3-4 hours · Module 1 · Free

Operational Objective

Hunting without a cadence is ad hoc. Ad hoc hunting produces inconsistent results, unmeasurable output, and eventual abandonment when alert queue pressure consumes the unprotected hours. This subsection defines three cadence models — weekly, biweekly, and monthly — and provides the scheduling mechanics that protect hunting time from the operational demands that will try to consume it.

Deliverable: A cadence model matched to your team size and SOC workload, with calendar integration and escalation protocols for when hunting time is threatened.

⏱ Estimated completion: 20 minutes

If it is not on the calendar, it does not happen

Hunting competes with alert triage for the same analyst hours. Alert triage always wins the competition because alerts are immediate and visible — an unresolved alert feels like a failure. An unexecuted hunt is invisible — nobody notices it did not happen.

The only defense is a calendar block that is treated with the same seriousness as an on-call shift. The analyst doing the hunting is not available for alert triage during those hours. If an alert fires, someone else handles it. If the team is too short-staffed to spare anyone, the hunting session is rescheduled to a specific date within the same week — not “we will do it when things calm down.” Things do not calm down.

Three cadence models

Weekly cadence (4 hours/week). Best for teams of 5+ analysts where one analyst can rotate to hunting duty each week without understaffing the alert queue. Produces the fastest coverage improvement — one campaign can be completed in 1–2 weeks, yielding 24–48 campaigns per year.

Biweekly cadence (4–6 hours every two weeks). Best for teams of 3–5 analysts. The analyst does hunting every other week, with the alternating week fully dedicated to alert triage. Produces 12–24 campaigns per year — sufficient for meaningful coverage improvement.

Monthly cadence (6–8 hours/month). Best for teams of 2–3 analysts or solo practitioners. One dedicated hunting day per month, blocked in advance, protected from the queue. Produces 12 campaigns per year — the minimum viable program from TH0.7.

All three models work. The choice depends on team size, alert volume, and how much time can be reliably protected. A monthly cadence executed consistently is better than a weekly cadence that is interrupted every other week by alert surges.

Rotational versus dedicated

Rotational: Different analysts hunt on different weeks. The hunting backlog and documentation provide continuity — each analyst picks up where the last left off, guided by the backlog priority and prior hunt records.

Advantages: Develops hunting skills across the team. No single point of failure. Distributes the environmental knowledge that hunting builds.

Disadvantages: Each analyst hunts less frequently, so skill development is slower. Context switching between alert triage and hunting introduces startup cost each rotation.

Dedicated: One analyst (or a small team) is permanently assigned to hunting. They do not rotate through alert triage.

Advantages: Deepest skill development. No context switching. Fastest program maturity. The dedicated hunter builds the strongest environmental knowledge because they examine the data every day.

Disadvantages: Requires staffing that most teams cannot afford. Creates a single point of failure. The rest of the team does not develop hunting skills.

Recommendation for most organizations: Start rotational. Build hunting into every senior analyst’s skill set. If the program produces enough value to justify dedicated headcount (TH0.14 metrics provide the evidence), hire or assign a dedicated hunter after 12 months of demonstrated ROI.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
// How much alert volume does your team handle?
// This informs whether you can protect hunting hours
SecurityAlert
| where TimeGenerated > ago(30d)
| summarize
    DailyAlerts = count() / 30.0,
    HighSeverity = countif(AlertSeverity == "High") / 30.0,
    MediumSeverity = countif(AlertSeverity == "Medium") / 30.0
// If DailyAlerts > 50 with a 3-person team, protecting 4 hours
// weekly is difficult — consider biweekly or monthly cadence
// If DailyAlerts < 20, weekly cadence is easily achievable

Figure TH1.14 — Three cadence models. All produce meaningful output. Choose based on team size and alert volume, not ambition.

Try it yourself

Exercise: Select and implement your cadence

Run the alert volume query above. Based on your team size and daily alert volume, select a cadence model.

Block the first hunting session on your calendar — a specific date, a specific 4-hour block, with a specific analyst assigned. Share the calendar block with your SOC lead. If someone tries to reassign the analyst during the hunting block, the calendar entry is the evidence that hunting was scheduled and should not be interrupted without explicit rescheduling.

If the first session gets interrupted, reschedule it within the same week. If it gets interrupted three times, the issue is not hunting — it is alert workload. Address the workload (better tuning, automation, or headcount) before re-establishing the hunting cadence.

⚠ Compliance Myth: "Daily hunting is the gold standard — anything less is insufficient"

The myth: Organizations should hunt every day. Daily hunting is the target that demonstrates mature threat operations.

The reality: Daily hunting is only viable with dedicated hunting teams that do not share alert triage responsibility. For the vast majority of organizations, daily hunting is neither achievable nor necessary. A monthly cadence that produces 12 documented campaigns, 12+ detection rules, and measurable coverage improvement per year is a high-performing hunting program. The metric that matters is not how often you hunt — it is whether hunts are completed, documented, and producing detection rules. A team that hunts monthly and completes every campaign outperforms a team that attempts daily hunting but cancels 80% of sessions due to alert pressure.

Extend this model

TH14 (the Phase 3 operations module) covers cadence management in organizational context — integrating hunting with sprint cycles, aligning hunt campaigns with threat intelligence briefing schedules, and building hunting into SOC team performance metrics. This subsection provides the practical starting point. The operations module provides the scaling framework.

📋 Operational Artifact — Hunting Calendar Template

Cadence: [Weekly / Biweekly / Monthly] Hours per session: [4 / 6 / 8] Day and time: [e.g., “Every other Thursday, 09:00–13:00”] Assigned analyst: [name or rotation schedule] Backup if interrupted: Reschedule to [specific fallback day] in the same period. Escalation if repeatedly interrupted: Raise with SOC lead — the issue is alert workload, not hunting.
Next 3 scheduled sessions:
[Date] — Hypothesis: [ID from backlog] — Analyst: [name]
[Date] — Hypothesis: [ID from backlog] — Analyst: [name]
[Date] — Hypothesis: [ID from backlog] — Analyst: [name]

References Used in This Subsection

Course cross-references: TH0.7 (minimum viable program metrics), TH0.8 (prerequisite 5: protected time), TH0.14 (program metrics), TH14 (Phase 3 operations)

You're reading the free modules of this course

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus

← TH1.13 The Hunt-to-Detection Pipeline: Worked End-to-End TH1.15 Quality Assurance: Peer Review and Hunt Validation →