The traditional security model operates on a fundamental assumption: organizations can patch vulnerabilities before attackers exploit them. This assumption collapses when confronted with the operational reality of enterprise IT environments, where patch cycles typically span 30 to 90 days for critical systems. During this window, attackers operate freely within exposed infrastructure. (Source: Csoonline)
The mathematics of exposure reveal the scale of this problem. According to Sandra Joyce at this year's RSA Conference, the median time between initial access and handoff to secondary threat groups has plummeted from eight hours in 2022 to just 22 seconds in 2025. This compression means attackers achieve their objectives before most organizations even detect the initial compromise, let alone deploy patches.
Consider how this timeline mismatch plays out in practice. A critical vulnerability gets disclosed on a Tuesday. Attackers begin scanning for exposed systems within hours. By Wednesday, automated exploitation campaigns are active. Meanwhile, enterprise change management processes require testing in development environments, approval from change advisory boards, and scheduled maintenance windows that might not arrive for weeks. The gap between attacker speed and defender process has become a chasm.
The structural barriers to rapid patching run deeper than process delays. Production systems cannot tolerate the downtime risk of untested patches. Healthcare organizations cannot take critical patient monitoring systems offline without extensive planning. Financial institutions must coordinate patches across interconnected trading platforms where a single misconfiguration could halt billions in transactions. Manufacturing facilities operate on continuous production schedules where unplanned downtime costs thousands per minute.
Even when organizations achieve rapid patching, the model assumes defenders know what needs patching. Zero-day vulnerabilities operate outside this framework entirely. Attackers exploit unknown vulnerabilities for months or years before disclosure. During this period, no amount of patch management discipline provides protection because no patch exists.
The evolution of attack ecosystems compounds these timing challenges. As Joyce noted, cyber operations now function as parallel ecosystems where access brokers, operators, and monetization specialists work simultaneously rather than sequentially. An access broker might sell initial entry while the purchasing group already positions ransomware and data exfiltration tools. Traditional patch cycles assume linear attack progression that no longer reflects operational reality.
Artificial intelligence accelerates this already compressed timeline. Joyce warned that "agentic approaches for exploit development will allow adversaries to outpace human-driven controls." AI-powered tools can identify vulnerable systems, craft exploits, and execute attacks faster than human defenders can analyze alerts, much less deploy patches.
This timing mismatch explains why purely reactive defense strategies fail against modern threats. Glenn Gerstell, former NSA general counsel, stated bluntly: "What we've been doing for the past 20 years hasn't been working. We have been inherently playing catch-up on defense... and the gap is getting wider." The gap he describes isn't a failure of execution but a structural limitation of the reactive model itself.
The solution isn't abandoning patch management but recognizing its limitations as a standalone strategy. Patches remain essential for closing known vulnerabilities and reducing attack surface. However, they cannot address the operational window where attackers exploit unpatched systems or the extended period where zero-days operate undetected. This reality drives the shift toward proactive cyber operations that seek to disrupt attackers before they reach vulnerable systems rather than racing to patch after exploitation begins.
The Threat Hunting Mindset: From Detection to Disruption
The fundamental assumption underlying traditional security operations centers needs revision. While SOC teams excel at responding to alerts and investigating incidents, they operate from a reactive premise: waiting for security tools to detect malicious activity. Threat hunting inverts this model entirely, starting from the assumption that adversaries have already breached perimeter defenses and are operating undetected within the network.
This shift in mindset transforms how security teams allocate resources and structure operations. Rather than waiting for alerts from security information and event management (SIEM) systems or endpoint detection platforms, threat hunters actively search for indicators that existing tools miss. The approach acknowledges a harsh reality articulated by Glenn Gerstell, former NSA general counsel: "We have been inherently playing catch-up on defense... and the gap is getting wider."
Modern threat hunting employs three distinct methodologies, each addressing different aspects of the detection challenge. Hypothesis-driven hunting begins with specific assumptions about adversary behavior, often mapped to MITRE ATT&CK framework techniques. Hunters might hypothesize that attackers are using PowerShell for persistence, then systematically examine PowerShell execution logs across the environment for anomalous patterns. This approach leverages threat intelligence about known tactics, techniques, and procedures (TTPs) to guide focused investigations.
Analytics-driven hunting takes a different path, using statistical analysis and machine learning to identify deviations from established baselines. Security teams build behavioral profiles of normal network traffic, user activity, and system processes, then hunt for outliers that traditional signature-based tools would miss. A sudden spike in DNS queries from a workstation, unusual data transfers between segments, or processes spawning at irregular intervals all become hunting grounds for potential compromise.
Intelligence-driven hunting incorporates external threat feeds and industry-specific indicators to focus efforts on the most relevant threats. When threat intelligence reveals that a particular adversary group is targeting organizations in your sector using specific infrastructure or malware families, hunters proactively search for those indicators within their environment. This approach transforms threat intelligence from a passive feed into an active detection capability.
The technical requirements for effective threat hunting extend far beyond traditional SOC capabilities. Hunters need comprehensive log aggregation that captures not just security events but granular system telemetry: process creation chains, registry modifications, network connections at the socket level, and file system activity. They require platforms that can correlate events across disparate data sources and maintain historical context for months or years, not just the typical 30-90 day retention of many SIEM deployments.
Equally important are the analytical skills that distinguish threat hunters from incident responders. While responders react to confirmed incidents, hunters must recognize subtle patterns that suggest compromise without triggering false positives. They need deep understanding of operating system internals, network protocols, and adversary tradecraft. They must differentiate between legitimate administrative tools being used maliciously and actual administrative activity.
John Hultquist from Google's Threat Intelligence Group captures this proactive stance: "Active defense is looking for opportunities outside of the castle walls, before the actor shows up inside or starts hitting the castle walls." For organizations building threat hunting capabilities, this means accepting that prevention has already failed somewhere and detection must evolve from passive alerting to active pursuit.
Building a Threat Hunting Program: Immediate vs. Long-Term Actions
The operational reality of threat hunting demands a structured progression from basic visibility to advanced detection capabilities. Organizations cannot leap directly to sophisticated hunting operations without first establishing fundamental data collection and analysis infrastructure.
Immediate Actions (Weeks 1-4): Establishing Hunting Prerequisites
Your first priority centers on log centralization and retention policies. Without comprehensive visibility across endpoints, network traffic, and authentication systems, hunting becomes impossible. Audit your current logging infrastructure to ensure collection from domain controllers, proxy servers, email gateways, and critical applications. Verify that logs retain data for at least 90 days—the average dwell time for advanced persistent threats.
Develop a hunting hypothesis backlog based on your specific threat model and industry vertical. Rather than generic scenarios, craft hypotheses targeting techniques relevant to your environment: "Attackers are using PowerShell to download second-stage payloads from compromised WordPress sites" or "Threat actors are creating scheduled tasks for persistence after business hours." Document these hypotheses with expected indicators, data sources required, and potential business impact.
Assign clear hunting responsibilities within your existing team structure. This doesn't require dedicated hunters initially—designate specific team members to conduct weekly four-hour hunting sessions using documented hypotheses. Rotate responsibilities to build institutional knowledge across the team.
Short-Term Implementation (Months 2-3): First Operational Hunts
Deploy behavioral analytics tools that complement your existing security information and event management (SIEM) platform. User and entity behavior analytics (UEBA) solutions identify deviations from baseline activity patterns, while network detection and response (NDR) platforms reveal anomalous traffic flows between internal systems. These tools surface hunting leads that manual analysis would miss.
Conduct your first hypothesis-driven hunt targeting specific tactics, techniques, and procedures (TTPs). Focus on lateral movement detection by searching for: unusual Remote Desktop Protocol connections between workstations, service creation events on multiple systems within short timeframes, or Windows Management Instrumentation (WMI) commands executed remotely. Query your endpoint detection and response (EDR) platform for PowerShell commands containing base64-encoded strings longer than 100 characters—a common obfuscation technique.
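The base64 check above, written out as an added example (not code from the original article): it scans constructed EDR process-creation records for PowerShell command lines carrying a base64 run longer than 100 characters and attempts a best-effort decode so the hunter can see what the blob contains. The record layout, host and user names, and the encoded sample are constructed for this illustration.

```python
"""Hunt for PowerShell command lines carrying long base64 blobs."""
import base64
import binascii
import re
from typing import Dict, List, Optional

MIN_B64_LEN = 100  # threshold from the hunting hypothesis: runs longer than 100 chars
# Coarse filter: a long run of base64 alphabet characters plus optional padding.
# Hex strings and long tokens also match, so every hit still needs a look.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)


def _constructed_encoded_command() -> str:
    # PowerShell's -EncodedCommand expects base64 of UTF-16LE text.
    script = "Write-Output 'constructed sample: a second-stage download would appear here'"
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed EDR process-creation records (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS-0101", "user": "jdoe",
     "cmd": "powershell.exe -NoProfile -Command Get-Process"},
    {"host": "WS-0102", "user": "svc-backup",
     "cmd": "powershell.exe -nop -w hidden -enc " + _constructed_encoded_command()},
    {"host": "WS-0103", "user": "admin-ops",  # short blob: below the threshold
     "cmd": "powershell.exe -Command \"$t = [Convert]::FromBase64String('"
            + base64.b64encode(b"short config blob").decode("ascii") + "')\""},
]


def decode_preview(blob: str, limit: int = 60) -> Optional[str]:
    """Best-effort decode: UTF-16LE first (EncodedCommand), then UTF-8.
    Returns None when the run is not valid base64 or decodes to non-text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-16le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            return text[:limit]
    return None


def hunt_encoded_powershell(events: List[Dict[str, str]]) -> List[dict]:
    """Return one finding per long base64 run seen in a PowerShell command line."""
    findings = []
    for ev in events:
        if "powershell" not in ev["cmd"].lower():
            continue
        for match in B64_RUN.finditer(ev["cmd"]):
            blob = match.group(0)
            findings.append({
                "host": ev["host"],
                "user": ev["user"],
                "b64_length": len(blob),
                "preview": decode_preview(blob),
            })
    return findings


if __name__ == "__main__":
    for f in hunt_encoded_powershell(SAMPLE_EVENTS):
        print(f)
```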
Document every finding systematically, including false positives. Create detection rules for confirmed malicious patterns and update your security controls to prevent recurrence. Track metrics from each hunt: number of systems analyzed, suspicious activities identified, confirmed compromises discovered, and time from hypothesis to conclusion.
Long-Term Capability Development (6+ Months): Institutional Hunting Maturity
Build institutional hunting capability through formal training, tool investment, and process refinement. Establish a threat intelligence integration pipeline that automatically generates hunting hypotheses from indicators of compromise and adversary techniques. Commercial threat intelligence platforms provide structured data feeds compatible with SIEM and EDR query languages.
Measure hunting program effectiveness through specific metrics: reduction in median dwell time from initial compromise to detection, number of previously undetected threats discovered per quarter, and percentage of hunts yielding actionable security improvements. Track the ratio of proactive discoveries through hunting versus reactive detection through alerts—mature programs achieve 30-40% proactive discovery rates.
Develop automated hunting playbooks that execute recurring searches for high-value indicators. Script regular queries for suspicious registry modifications, unusual network connections from system processes, or privilege escalation attempts. This automation frees hunters to pursue complex, multi-stage attack scenarios that require human analysis and correlation across disparate data sources.
Integrating Threat Hunting with Your Patch Management Workflow
The convergence of threat hunting and patch management creates operational intelligence that neither discipline achieves independently. When hunters discover active exploitation patterns within your environment, that intelligence transforms patch prioritization from a vulnerability scoring exercise into a threat-informed defense strategy.
Consider how threat hunting data reshapes traditional patching workflows. Your hunting team identifies suspicious PowerShell activity consistent with credential harvesting techniques. This discovery immediately elevates patches for Windows Credential Guard and LSASS protection mechanisms, regardless of their Common Vulnerability Scoring System (CVSS) ratings. The hunting evidence proves adversaries are actively targeting authentication systems in your specific environment.
Sandra Joyce's revelation at this year's RSA Conference that initial access to secondary threat group handoff now occurs in just 22 seconds fundamentally changes how organizations must approach vulnerability management. Traditional monthly patch cycles become inadequate when adversaries operate at machine speed. Threat hunting provides the contextual intelligence to identify which vulnerabilities adversaries are actually exploiting versus those that remain theoretical risks.
The operational workflow begins with threat intelligence feeding hunting hypotheses. Your team receives indicators that access brokers are selling credentials for organizations in your sector. This intelligence drives targeted hunts for abnormal authentication patterns, particularly focusing on service accounts and privileged users. When hunters detect anomalous Kerberos ticket requests suggesting Kerberoasting activity, this finding immediately triggers several parallel actions.
First, the hunting team develops detection logic to identify similar attack patterns across the environment. They search for service principal names (SPNs) associated with user accounts, unusual ticket-granting service (TGS) request volumes, and accounts with weak encryption types. These hunting queries become permanent detection rules in your security information and event management platform.
Second, the patch management team receives this hunting intelligence and reprioritizes their deployment schedule. Patches addressing Kerberos delegation vulnerabilities move to emergency deployment status. Configuration changes to enforce AES encryption for Kerberos become mandatory rather than recommended. The hunting evidence transforms abstract vulnerability scores into concrete exploitation risk.
Post-patch validation represents the critical feedback loop between these disciplines. After deploying Kerberos hardening measures, hunters conduct focused searches for evidence of pre-patch exploitation. They examine authentication logs from before the patch deployment, looking for indicators that adversaries successfully extracted service tickets. This retrospective hunting identifies potential compromise that occurred during the vulnerability window.
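The three Kerberoasting hunting queries from the workflow above (SPNs on user accounts, unusual TGS request volumes, weak encryption types), correlated into one finding, as an added example rather than the article's own code. The directory excerpt and event 4769 records are constructed; the field names are simplified from the Windows event, and the four-service threshold is an assumption to tune against your own baseline.

```python
"""Kerberoasting hunt over constructed Windows event 4769 (TGS request) records."""
from collections import defaultdict
from typing import Dict, List, Set

RC4_HMAC = 0x17             # ticket encryption type crackable offline; AES types are 0x11 / 0x12
MASS_REQUEST_THRESHOLD = 4  # assumption: distinct SPN accounts one requester pulls before we look

# Constructed Active Directory excerpt (not a real domain).
DIRECTORY: List[dict] = [
    {"sam": "svc-sql", "is_user": True, "spns": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sam": "svc-web", "is_user": True, "spns": ["HTTP/web01.corp.example"]},
    {"sam": "svc-legacy", "is_user": True, "spns": ["ldap/old01.corp.example"]},
    {"sam": "DB01$", "is_user": False, "spns": ["HOST/db01.corp.example"]},
    {"sam": "alice", "is_user": True, "spns": []},
]

# Constructed 4769 records: requester, SPN account requested, ticket encryption type.
EVENTS: List[dict] = [
    {"ts": "2025-06-03 09:02:10", "requester": "alice", "service": "svc-web", "enc": 0x12},
    {"ts": "2025-06-03 23:41:00", "requester": "jdoe", "service": "svc-sql", "enc": 0x17},
    {"ts": "2025-06-03 23:41:02", "requester": "jdoe", "service": "svc-web", "enc": 0x17},
    {"ts": "2025-06-03 23:41:03", "requester": "jdoe", "service": "svc-legacy", "enc": 0x17},
    {"ts": "2025-06-03 23:41:05", "requester": "jdoe", "service": "svc-backup", "enc": 0x17},
    {"ts": "2025-06-03 14:10:00", "requester": "bob", "service": "svc-legacy", "enc": 0x17},
]


def spn_user_accounts(directory: List[dict]) -> List[str]:
    """Query 1: user (not computer) accounts carrying an SPN, i.e. roastable targets."""
    return sorted(a["sam"] for a in directory if a["is_user"] and a["spns"])


def weak_encryption_requests(events: List[dict]) -> List[dict]:
    """Query 2: service tickets issued with RC4-HMAC."""
    return [e for e in events if e["enc"] == RC4_HMAC]


def tgs_mass_requests(events: List[dict], threshold: int = MASS_REQUEST_THRESHOLD) -> List[dict]:
    """Query 3: one requester pulling tickets for many distinct service accounts."""
    services: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        services[e["requester"]].add(e["service"])
    return [{"requester": r, "services": sorted(s)}
            for r, s in services.items() if len(s) >= threshold]


def kerberoast_findings(events: List[dict], directory: List[dict]) -> List[dict]:
    """Correlate the three queries: a mass request of RC4 tickets for
    SPN-bearing user accounts is the highest-fidelity signal."""
    targets = set(spn_user_accounts(directory))
    weak = {(e["requester"], e["service"]) for e in weak_encryption_requests(events)}
    findings = []
    for bulk in tgs_mass_requests(events):
        hits = [s for s in bulk["services"]
                if s in targets and (bulk["requester"], s) in weak]
        findings.append({**bulk, "rc4_spn_user_hits": hits,
                         "severity": "high" if len(hits) >= 2 else "medium"})
    return findings


if __name__ == "__main__":
    for f in kerberoast_findings(EVENTS, DIRECTORY):
        print(f)
```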
Glenn Gerstell's observation that "the bad guys have the advantage" underscores why this integrated approach matters. Adversaries know which vulnerabilities they're actively exploiting. Without threat hunting intelligence, defenders patch blindly based on theoretical risk scores that may not reflect actual threat activity in their environment.
The integration extends beyond individual vulnerabilities to systemic weaknesses. When hunters consistently find evidence of lateral movement through specific protocols or services, this pattern data informs architectural decisions about network segmentation and access controls. Hunting outcomes become inputs for strategic security investments, not just tactical patching decisions.
This unified approach addresses what Adam Maruyama identifies as the coordination challenge in proactive cyber operations. While large platform providers like Google and Microsoft can disrupt adversary infrastructure, enterprises must focus on denying adversaries the exploitation opportunities they seek. Threat hunting identifies what adversaries want; patch management denies them that access.
Figure: Threat Hunting to Patch Management Workflow
Detection Indicators and Hunting Queries for Proactive Defense
The operational shift toward proactive cyber defense demands detection capabilities that identify adversary preparation activities before they execute their primary objectives. While traditional security monitoring waits for malicious payloads or data exfiltration attempts, proactive detection focuses on the reconnaissance and staging behaviors that precede actual attacks.
Glenn Gerstell's observation that defenders are "inherently playing catch-up" becomes actionable when you instrument your environment to detect pre-attack behaviors. These patterns emerge consistently across threat actors because certain reconnaissance activities remain necessary regardless of the adversary's sophistication level.
Access Broker Reconnaissance Patterns
The ecosystem model described by Sandra Joyce, where access brokers operate in parallel with exploitation specialists, creates distinctive authentication anomalies. Monitor for service accounts authenticating from new source IP addresses outside normal business hours. These accounts typically show dormant periods followed by sudden bursts of activity across multiple systems.
Configure detection logic to flag service accounts that suddenly query Active Directory groups they've never accessed before. Access brokers probe for high-value targets by enumerating group memberships, particularly focusing on Domain Admins, Enterprise Admins, and custom privileged groups unique to your environment.
Pre-Exploitation Directory Mapping
Before adversaries can execute the compressed attack chains Joyce described—where handoffs occur in just 22 seconds—they must understand your network topology. This reconnaissance generates measurable patterns in LDAP query volumes and SMB traffic.
Track baseline LDAP query rates per user account over 30-day windows. Legitimate administrative tools generate predictable query patterns, while reconnaissance tools create statistical anomalies. When a single account generates LDAP queries exceeding three standard deviations from their baseline, investigate immediately.
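The per-account LDAP baseline and three-standard-deviation rule described above, as an added example that is not part of the original article. The 30-day daily query counts are constructed; population standard deviation and the floor of 1.0 applied to perfectly flat baselines (which would otherwise divide by zero) are my assumptions.

```python
"""Analytics-driven hunt: per-account LDAP query baselines and 3-sigma outliers."""
from statistics import mean, pstdev
from typing import Dict, List

SIGMA_THRESHOLD = 3.0  # flag when today's count exceeds the baseline by more than 3 sigma
STDEV_FLOOR = 1.0      # assumption: avoids division by zero on perfectly flat baselines

# Constructed 30-day daily LDAP query counts per account (not real data).
# jsmith: low, steady workstation use; helpdesk-tool: busy but regular;
# monitor-svc: identical count every day.
BASELINES: Dict[str, List[int]] = {
    "jsmith": [12 + (i * 5) % 7 - 3 for i in range(30)],
    "helpdesk-tool": [200 + (i * 7) % 21 - 10 for i in range(30)],
    "monitor-svc": [50] * 30,
}
# Constructed counts for the day under review.
TODAY: Dict[str, int] = {"jsmith": 4800, "helpdesk-tool": 210, "monitor-svc": 50}


def zscore(baseline: List[int], today: int) -> float:
    """How many baseline standard deviations today's count sits above the mean."""
    mu = mean(baseline)
    sd = max(pstdev(baseline), STDEV_FLOOR)
    return (today - mu) / sd


def ldap_outliers(baselines: Dict[str, List[int]], today: Dict[str, int],
                  threshold: float = SIGMA_THRESHOLD) -> List[dict]:
    """Accounts whose query volume today is a statistical outlier against their own history."""
    out = []
    for account, history in baselines.items():
        if account not in today:
            continue  # no activity today: nothing to score
        z = zscore(history, today[account])
        if z > threshold:
            out.append({"account": account, "today": today[account],
                        "baseline_mean": round(mean(history), 1), "z": round(z, 1)})
    return out


if __name__ == "__main__":
    for finding in ldap_outliers(BASELINES, TODAY):
        print(finding)
```

Note that a busy account such as the help-desk tool is not flagged: the rule measures deviation from each account's own history, not absolute volume.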
Monitor SMB connections attempting to access SYSVOL and NETLOGON shares from workstations that don't typically require domain controller access. These connections often precede credential harvesting attempts, as attackers search for Group Policy Preferences containing embedded passwords.
Credential Access Detection Logic
The shift toward proactive defense requires detecting credential theft attempts before attackers achieve lateral movement. Focus detection efforts on processes attempting to access LSASS memory space from unusual parent processes.
Implement detection for processes spawned by Word, Excel, or Outlook that subsequently access LSASS. Legitimate business applications rarely require this access pattern, making it a high-fidelity indicator of exploitation attempts. Similarly, monitor for unsigned processes reading from LSASS memory, as most legitimate administrative tools are digitally signed.
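The two LSASS access rules above (Office descendants and unsigned images) as an added example, not code from the article. It walks the full parent chain rather than checking only the direct parent, so a macro that launches cmd.exe which launches a dumper is still attributed to the Office process. The process table and handle-open events are constructed; the access-mask values are illustrative.

```python
"""Credential-access hunt: LSASS handle opens from Office descendants or unsigned images."""
from typing import Dict, List, Optional

OFFICE_IMAGES = {"winword.exe", "excel.exe", "outlook.exe"}
LSASS = "lsass.exe"

# Constructed process-creation table (pid -> record), not real EDR data.
# pid 900 is deliberately absent to show the walk stopping at an unknown parent.
PROCESSES: Dict[int, dict] = {
    600:  {"ppid": 4,    "image": "lsass.exe",    "signed": True},
    1200: {"ppid": 900,  "image": "explorer.exe", "signed": True},
    2400: {"ppid": 1200, "image": "winword.exe",  "signed": True},
    2500: {"ppid": 2400, "image": "cmd.exe",      "signed": True},
    2600: {"ppid": 2500, "image": "updater.exe",  "signed": False},
    3100: {"ppid": 1200, "image": "mmc.exe",      "signed": True},
    3300: {"ppid": 1200, "image": "dumper.exe",   "signed": False},
    3400: {"ppid": 900,  "image": "MsMpEng.exe",  "signed": True},  # AV engine: benign reader
}
# Constructed handle-open events against LSASS (Sysmon event 10 style fields).
LSASS_ACCESS: List[dict] = [
    {"source_pid": 2600, "target": LSASS, "granted": "0x1010"},
    {"source_pid": 3100, "target": LSASS, "granted": "0x1000"},
    {"source_pid": 3300, "target": LSASS, "granted": "0x1fffff"},
    {"source_pid": 3400, "target": LSASS, "granted": "0x1010"},
]


def ancestry(pid: int, procs: Dict[int, dict], max_depth: int = 32) -> List[str]:
    """Image names from pid up to the root, stopping at unknown pids or pid reuse loops."""
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain


def office_ancestor(pid: int, procs: Dict[int, dict]) -> Optional[str]:
    """First Office image found among the process's ancestors, if any."""
    for image in ancestry(pid, procs)[1:]:
        if image in OFFICE_IMAGES:
            return image
    return None


def hunt_lsass_access(access_events: List[dict], procs: Dict[int, dict]) -> List[dict]:
    findings = []
    for ev in access_events:
        if ev["target"].lower() != LSASS:
            continue
        proc = procs.get(ev["source_pid"])
        if proc is None:
            findings.append({"pid": ev["source_pid"], "reasons": ["unknown source process"]})
            continue
        reasons = []
        office = office_ancestor(ev["source_pid"], procs)
        if office:
            reasons.append(f"descends from {office}")
        if not proc["signed"]:
            reasons.append("unsigned image")
        if reasons:
            findings.append({"pid": ev["source_pid"], "image": proc["image"],
                             "chain": " <- ".join(ancestry(ev["source_pid"], procs)),
                             "reasons": reasons})
    return findings
```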
Lateral Movement Precursors
Adam Maruyama's emphasis on jurisdictional complexity becomes relevant when detecting lateral movement preparation. Attackers test authentication paths before executing their primary objectives, creating detectable patterns in Windows authentication logs.
Configure alerts for accounts generating Type 3 (network) logons to more than 10 unique systems within a 5-minute window. This pattern indicates automated lateral movement tools probing for accessible systems. Combine this with detection for accounts that fail authentication to multiple systems before succeeding, suggesting password spraying or credential testing.
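Both alert conditions above (Type 3 logons to more than 10 unique systems within 5 minutes, and failures against several systems before a success) as an added example that is not the article's own code. The logon records are constructed; the 10-system and 5-minute values come from the text, while the three-failed-hosts minimum is my assumption.

```python
"""Lateral-movement precursor hunt over constructed Windows logon events."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

NETWORK_LOGON = 3               # Windows logon type 3 (network)
FANOUT_WINDOW = timedelta(minutes=5)
FANOUT_THRESHOLD = 10           # distinct target systems inside the window
MIN_FAILED_HOSTS = 3            # assumption: distinct hosts failed before a success


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed 4624 (success) / 4625 (failure) records, not real logs.
EVENTS: List[dict] = [
    # svc-deploy reaches 12 servers in under two minutes: scripted fan-out
    *[{"ts": f"2025-06-03 02:10:{i * 10:02d}", "account": "svc-deploy", "type": 3,
       "host": f"SRV-{i + 1:02d}", "ok": True} for i in range(6)],
    *[{"ts": f"2025-06-03 02:11:{i * 10:02d}", "account": "svc-deploy", "type": 3,
       "host": f"SRV-{i + 7:02d}", "ok": True} for i in range(6)],
    # jdoe fails on three hosts, then succeeds on a fourth: credential testing
    {"ts": "2025-06-03 08:00:01", "account": "jdoe", "type": 3, "host": "WS-0101", "ok": False},
    {"ts": "2025-06-03 08:00:02", "account": "jdoe", "type": 3, "host": "WS-0102", "ok": False},
    {"ts": "2025-06-03 08:00:03", "account": "jdoe", "type": 3, "host": "WS-0103", "ok": False},
    {"ts": "2025-06-03 08:00:05", "account": "jdoe", "type": 3, "host": "WS-0104", "ok": True},
    # alice: ordinary file and print server use
    {"ts": "2025-06-03 08:30:00", "account": "alice", "type": 3, "host": "FS-01", "ok": True},
    {"ts": "2025-06-03 08:31:00", "account": "alice", "type": 3, "host": "PRINT-01", "ok": True},
]


def _by_account(events: List[dict]) -> Dict[str, List[dict]]:
    grouped: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        grouped[e["account"]].append(e)
    for evs in grouped.values():
        evs.sort(key=lambda e: _ts(e["ts"]))
    return grouped


def network_logon_fanout(events: List[dict], window: timedelta = FANOUT_WINDOW,
                         threshold: int = FANOUT_THRESHOLD) -> List[dict]:
    """Accounts with successful Type 3 logons to >= threshold unique hosts in one window."""
    findings = []
    for account, evs in _by_account(events).items():
        net_ok = [e for e in evs if e["type"] == NETWORK_LOGON and e["ok"]]
        for i, start in enumerate(net_ok):
            t0 = _ts(start["ts"])
            hosts = {e["host"] for e in net_ok[i:] if _ts(e["ts"]) - t0 <= window}
            if len(hosts) >= threshold:
                findings.append({"account": account, "start": start["ts"],
                                 "unique_hosts": len(hosts)})
                break  # one finding per account is enough for triage
    return findings


def fail_then_success(events: List[dict], min_failed_hosts: int = MIN_FAILED_HOSTS) -> List[dict]:
    """Accounts that failed against several distinct hosts before a success."""
    findings = []
    for account, evs in _by_account(events).items():
        failed_hosts = set()
        for e in evs:
            if not e["ok"]:
                failed_hosts.add(e["host"])
            elif len(failed_hosts) >= min_failed_hosts:
                findings.append({"account": account, "failed_hosts": sorted(failed_hosts),
                                 "success_host": e["host"], "ts": e["ts"]})
                break
    return findings
```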
The proactive cyber model Joyce outlined requires detecting WMI execution attempts from non-administrative accounts. While WMI provides legitimate remote administration capabilities, attackers leverage it for stealthy code execution. Alert on WMI processes spawned by accounts without documented administrative responsibilities, particularly when those processes create new services or scheduled tasks.
Measuring Hunting Success: Metrics That Matter
The operational value of threat hunting emerges only when organizations measure concrete security improvements rather than activity metrics. While traditional security operations focus on incident counts and response times, proactive hunting requires fundamentally different success indicators that demonstrate actual risk reduction.
John Hultquist from Google's Threat Intelligence Group emphasizes that effective disruption requires "operations that will have a longer-lasting effect on adversaries." This principle applies equally to measuring hunting effectiveness—success means creating lasting improvements in your defensive posture, not generating more alerts.
Mean Time to Detect: The Speed Advantage
Your primary hunting metric should track how quickly you identify adversary activity compared to automated detection systems. Establish a baseline by documenting current detection times for confirmed incidents, then measure improvement as hunting operations mature. When hunters discover threats that automated tools missed, calculate the time differential between initial compromise indicators and hunting discovery.
Effective programs typically achieve detection within 72 hours of initial access for hunted behaviors, compared to industry averages exceeding 200 days for unguided detection. Track this metric by threat category—credential harvesting, persistence mechanisms, lateral movement—to identify where hunting provides maximum value.
Adversary Dwell Time Reduction
Dwell time measurement requires correlating hunting discoveries with forensic timelines to determine how long attackers operated before detection. As Sandra Joyce noted, the compression of attack timelines means "the median time between initial access and the handoff to the secondary threat group has dropped from eight hours in 2022 to just 22 seconds in 2025."
This acceleration demands equally rapid detection. Mature hunting programs should target sub-30-day dwell times for sophisticated threats, with stretch goals approaching single-digit days for known attack patterns. Calculate dwell time from the earliest forensic artifact to hunting discovery, not from when automated tools eventually alert.
Hunt Hypothesis Validation Rate
Not every hunting expedition discovers active threats—and that's acceptable. What matters is the percentage of hypothesis-driven hunts that uncover evidence of attempted or successful adversary techniques. A healthy validation rate falls between 15-25%, indicating hypotheses are neither too broad (finding nothing) nor too narrow (only confirming known compromises).
Track validation rates by hypothesis category. Environmental anomaly hunts might yield 30-40% findings, while advanced persistent threat hunts might produce 5-10% positive results. Both provide value when properly scoped.
Time to Remediation After Discovery
Hunting success extends beyond detection to include how quickly you eliminate discovered threats. Measure the elapsed time from threat confirmation to complete remediation, including root cause elimination and verification of no remaining adversary presence.
Target remediation within 24-48 hours for active threats, extending to 5-7 days for complex multi-system compromises. Compare these timelines against incidents discovered through traditional alerting to demonstrate hunting's contribution to faster containment.
Realistic Performance Targets
A mature hunting program with dedicated resources should generate 1-2 significant findings monthly per full-time hunter. "Significant" means discovering previously unknown adversary activity, identifying gaps in existing detection coverage, or uncovering policy violations that create exploitable vulnerabilities.
Avoid measuring success through volume metrics like alerts generated, logs analyzed, or hours spent hunting. These activity indicators reveal effort, not effectiveness. Similarly, counting false positives or benign anomalies inflates metrics without improving security outcomes.