What is SOC threat hunting?

Wiz Experts Team

Key takeaways:
  • SOC threat hunting is the proactive, human-driven process of searching for hidden threats that evade automated security tools

  • It differs from reactive incident response by actively seeking threats before alerts trigger

  • Effective threat hunting combines human expertise with telemetry, analytics, and detection engineering to turn hypotheses into durable, automated detections that improve your security posture

  • The shift from alert-driven to hypothesis-driven security operations reduces noise and improves focus

What is SOC threat hunting?

SOC threat hunting is a proactive cybersecurity practice where analysts actively search for signs of malicious activity that bypass traditional security controls. This means security teams don't wait for alerts—they go looking for threats that might be hiding in your environment.

Unlike automated detection systems that rely on known signatures and rules, threat hunting uses human intuition and investigative skills to find sophisticated attackers. These attackers often use legitimate tools and blend in with normal network activity.

The process happens within your Security Operations Center and focuses on finding advanced persistent threats that could remain undetected for months. Threat hunters analyze patterns, investigate anomalies, and follow their instincts to uncover threats that automated systems miss.


How SOC threat hunting works

The threat hunting process starts with a trigger that initiates the investigation. This could be an unusual network pattern, new threat intelligence about attacker techniques, or simply a hypothesis that an analyst wants to test.

During the investigation phase, hunters collect and analyze data from multiple sources including logs, endpoint tools, and network traffic. They look for indicators of attack and behavioral patterns that match known adversary tactics. This phase requires deep technical knowledge and the ability to connect seemingly unrelated events.

The resolution phase covers containment, eradication, and recovery following NIST incident response guidelines. Hunters work with incident response teams to isolate affected systems, remove attacker access, and restore normal operations. They also feed findings back into the SOC by creating new detection rules and recommending hardening steps like configuration changes, identity permission adjustments, or network segmentation.

Key phases include:

  • Trigger identification: Anomalies, threat intelligence, or analyst hypotheses spark investigations

  • Data collection: Gathering evidence from logs, endpoints, and network sources

  • Pattern analysis: Connecting events to identify potential attack sequences

  • Threat validation: Confirming whether suspicious activity represents a real threat

  • Response coordination: Working with incident response teams to contain and remediate

Agentless visibility accelerates hunts: Modern threat hunting requires pivoting quickly across cloud logs, identity permissions, runtime telemetry, and asset relationships. Agentless platforms that collect this data without deploying agents to every workload enable faster hypothesis testing—hunters can query across your entire cloud environment in seconds rather than waiting for agent deployment or dealing with coverage gaps in ephemeral resources.

SOC threat hunting methodologies and techniques

Threat hunters use several proven methodologies to uncover hidden threats. Each approach provides a different way to analyze your environment and search for malicious activity.

Hypothesis-driven hunting

This method involves creating specific theories about potential threats based on your knowledge of attackers and your environment. You might hypothesize that an attacker is using PowerShell for lateral movement, then search for unusual PowerShell activity across your network.

IOC/IOA-based hunting

Hunters search for known indicators of compromise (IOCs) like malicious IP addresses or file hashes, and indicators of attack (IOAs) that represent behavioral patterns. Because adversary behaviors often overlap across threat groups, effective hunts emphasize tactics, techniques, and procedures (TTPs) rather than relying solely on static IOCs.

Analytics-driven hunting

This technique uses machine learning and statistical analysis to find anomalies in large datasets. By establishing normal behavior baselines, you can flag deviations that might indicate security threats.


MITRE ATT&CK framework hunting

The MITRE ATT&CK framework provides a knowledge base of adversary tactics and techniques. Hunters systematically search for evidence of specific ATT&CK techniques (e.g., T1078 Valid Accounts for credential access, T1098 Account Manipulation for persistence) and map coverage to the MITRE ATT&CK for Cloud Matrix, which includes cloud-specific techniques like T1552.005 Cloud Instance Metadata API abuse.

Additional hunting techniques:

  • Data querying: Deep analysis of security logs using powerful query languages

  • Cluster analysis: Grouping similar events to identify unusual patterns

  • Stack counting: Finding statistical outliers through frequency analysis

Cloud-native hunting scenarios

Cloud environments require hunting techniques tailored to cloud-specific attack patterns and telemetry sources.

Anomalous federated role assumptions: Hunt for unusual AWS STS AssumeRole API calls in CloudTrail where external accounts assume roles in your environment, especially from unexpected IP addresses or at unusual times.

Risky service principal usage: Search Azure Sign-in Logs for service principals accessing resources outside their normal pattern, such as a CI/CD service principal suddenly accessing production databases.

Suspicious service account key creation: Query GCP Audit Logs for service account key creation events, especially for high-privilege accounts, as attackers often create keys for persistence.

Kubernetes privilege escalation: Analyze Kubernetes audit logs for ClusterRoleBinding or RoleBinding changes that grant cluster-admin or elevated permissions to suspicious service accounts.

Metadata service abuse: Hunt for unusual access patterns to cloud metadata services (169.254.169.254) from compute instances, which attackers use to steal credentials.

Public storage exposure with access anomalies: Correlate publicly accessible S3 buckets or Azure Blob containers with unusual access patterns in CloudTrail or Azure Storage Logs, indicating potential data exfiltration.
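The first scenario above, expressed as a runnable hunt over constructed CloudTrail records (an added example, not code from the page or from Wiz); the home account id, the partner allowlist, the expected source CIDR and the business-hours window are assumptions:

```python
# Added example (constructed data): hunt for anomalous cross-account AssumeRole
# calls in CloudTrail. Account ids, partner allowlist, CIDRs and hours are assumptions.
import ipaddress
from datetime import datetime

HOME_ACCOUNT = "999988887777"                               # assumption: our account
KNOWN_PARTNERS = {"111122223333"}                           # assumption: trusted external accounts
EXPECTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]  # assumption: partner egress range
BUSINESS_HOURS = range(8, 18)                               # assumption: UTC working hours

# Constructed CloudTrail records, trimmed to the fields this hunt reads.
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "eventTime": "2024-05-06T10:15:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AWSAccount", "accountId": "111122223333"},
     "requestParameters": {"roleArn": "arn:aws:iam::999988887777:role/deploy"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "eventTime": "2024-05-07T03:42:00Z", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AWSAccount", "accountId": "444455556666"},
     "requestParameters": {"roleArn": "arn:aws:iam::999988887777:role/admin"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "eventTime": "2024-05-07T11:00:00Z", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole", "accountId": "999988887777"},
     "requestParameters": {"roleArn": "arn:aws:iam::999988887777:role/reader"}},
]

def _expected_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_CIDRS)

def hunt_cross_account_assume_role(events):
    """One finding per AssumeRole from an external account into HOME_ACCOUNT that
    breaks an expectation; each finding lists every reason so the hunter can triage."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        caller = ev["userIdentity"].get("accountId")
        role_arn = ev["requestParameters"]["roleArn"]
        # Same-account assumptions (e.g. a workload assuming its own role) are out of scope.
        if caller == HOME_ACCOUNT or f":{HOME_ACCOUNT}:" not in role_arn:
            continue
        reasons = []
        if caller not in KNOWN_PARTNERS:
            reasons.append("unknown external account")
        if not _expected_source(ev["sourceIPAddress"]):
            reasons.append("source IP outside expected ranges")
        hour = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour
        if hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append({"account": caller, "role": role_arn,
                             "ip": ev["sourceIPAddress"], "reasons": reasons})
    return findings
```

Run against the sample, only the 03:42 assumption from the unknown account 444455556666 is returned; the partner's daytime call from its expected range and the same-account call are filtered out. The same reasons list becomes the starting point for a durable detection rule once the hunt is validated.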

Why SOC threat hunting matters for modern security operations

Traditional security tools struggle with sophisticated attackers who can remain hidden in networks for extended periods. These threats use advanced techniques like zero-day exploits and living-off-the-land tactics that blend with normal administrative activity, making them difficult to detect through automated means alone.

Cloud environments create additional challenges with their dynamic infrastructure and ephemeral workloads. Attackers exploit this complexity to hide their activities and avoid detection by signature-based security controls.

Threat hunting addresses these gaps by proactively searching for threats before they cause significant damage. This approach reduces the time attackers spend in your environment and minimizes the potential impact of successful breaches.

Modern security challenges addressed:

  • Advanced persistent threats: Long-term, stealthy attacks that evade automated detection

  • Cloud-native attacks: Threats designed specifically for cloud environments

  • Living-off-the-land techniques: Using legitimate tools for malicious purposes

  • Zero-day exploits: Previously unknown vulnerabilities with no existing signatures

Threat hunting and compliance requirements

Threat hunting helps organizations meet monitoring and detection requirements across major compliance frameworks:

ISO 27001 requires continuous monitoring and anomaly detection (Controls A.8.16 and A.5.24). Threat hunting provides evidence of proactive monitoring beyond automated tools.

SOC 2 Trust Services Criteria CC7.2 and CC7.3 mandate monitoring for security events and anomalies. Documented hunt activities and findings demonstrate compliance with these criteria.

NIST Cybersecurity Framework and NIST SP 800-53 include continuous monitoring (DE.CM family) and incident analysis (IR family) controls. Threat hunting satisfies these requirements by actively searching for indicators of compromise.

PCI DSS 4.0 Requirement 10 mandates log monitoring and anomaly detection. Threat hunting provides additional assurance beyond automated log analysis.

Zero Trust Architecture (NIST SP 800-207) requires continuous monitoring and validation. Threat hunting operationalizes the "never trust, always verify" principle by actively searching for threats that bypass perimeter controls.

Document hunt activities, findings, and remediation actions to provide auditors with evidence of proactive security monitoring.

SOC threat hunting tools and platforms

Effective threat hunting requires powerful tools that provide deep visibility and analytical capabilities. You'll need an integrated stack of technologies rather than relying on a single solution.

SIEM platforms

Security Information and Event Management systems aggregate log data from across your enterprise. They provide centralized platforms for analysis and querying, which forms the foundation of most hunting activities.

EDR solutions

Endpoint Detection and Response tools give you detailed visibility into individual endpoints. They record process execution, network connections, and file modifications, providing the granular data needed to trace attacker activity.

Network traffic analysis tools

These tools monitor network communications to identify suspicious patterns and data exfiltration attempts. They help you understand how attackers move across your network infrastructure.

Threat intelligence platforms

Threat intelligence platforms aggregate intelligence from many sources, providing current information on new vulnerabilities and attacker techniques. This intelligence often serves as the starting point for developing hunting hypotheses.

Cloud-native detection tools

Purpose-built cloud security tools analyze cloud provider logs—including AWS CloudTrail and VPC Flow Logs, Azure Activity Logs and Sign-in Logs, GCP Audit Logs, and Kubernetes audit logs—plus runtime signals to detect cloud-specific threats like unauthorized API calls, privilege escalation, and lateral movement.

Security orchestration platforms

SOAR platforms automate repetitive investigation tasks, allowing analysts to focus on complex analysis. They can automatically enrich data, run queries, and initiate response actions when threats are confirmed.

Graph-based context reduces investigation time: Platforms that model relationships between vulnerabilities, identities, network exposure, data sensitivity, and runtime behavior accelerate hypothesis validation. Instead of manually correlating data from separate tools, hunters see how a compromised service account connects to sensitive databases through specific network paths and permissions—the complete attack path in a single view. This contextual approach reduces investigation time from hours to minutes and eliminates false leads.

Implementing threat hunting in your SOC

Building a successful threat hunting program requires more than purchasing tools, even though analysts project strong market growth for threat hunting platforms. Focus on developing processes, building skills, and creating repeatable methodologies that scale with your team.

Start by establishing clear objectives that align with your organization's specific risks. Focus on scenarios that would have the biggest impact, such as protecting critical data or essential infrastructure components.

Build a skilled team with diverse backgrounds including security analysis, cloud architecture, and forensic investigation experience. The best threat hunters combine technical skills with curiosity and deep understanding of attacker mindsets.

Develop standardized hunting playbooks that outline steps for specific types of investigations. These playbooks ensure consistency and make your program scalable as you add new team members.

Implementation best practices:

  • Blast radius prioritization: Focus hunts on threats that could materially impact the business by incorporating identity exposure, external reachability, and data sensitivity. For example, prioritize investigating a compromised service account with admin rights to production databases over a developer workstation with no access to sensitive data. Calculate blast radius by mapping what an attacker could access if they fully compromised each asset—this shows which hunts deserve immediate attention versus which can wait.

  • Skill development: Invest in training that covers both technical skills and threat landscape knowledge

  • Process documentation: Create repeatable methodologies that new team members can follow

  • Metrics tracking: Measure program effectiveness through threat discovery rates and detection improvements

  • Code-to-cloud traceability for permanent fixes: When hunts confirm security issues, trace them back to their source—whether that's infrastructure-as-code templates, CI/CD pipeline configurations, or container base images. For example, if you discover overly permissive IAM roles during a hunt, trace back to the Terraform module that created them and fix the template so future deployments don't recreate the risk. This approach fixes root causes, not just symptoms, and prevents the same issues from recurring.
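The blast radius prioritization described above, worked through as an added example (not Wiz code): a breadth-first walk over a constructed access graph scores each asset by the data an attacker could reach after fully compromising it, weighted up when the asset is externally reachable. The graph, sensitivity scores and weighting are assumptions chosen for illustration:

```python
# Added example: rank hunt candidates by blast radius over a constructed access graph.
# Graph edges, sensitivity scores and the external-exposure multiplier are assumptions.
from collections import deque

# Constructed access graph: node -> nodes an attacker holding it could reach next.
ACCESS = {
    "dev-workstation": {"dev-git-repo"},
    "svc-deploy": {"prod-db", "prod-app"},      # service account with prod rights
    "prod-app": {"prod-db"},
    "internet-lb": {"prod-app"},
    "dev-git-repo": set(),
    "prod-db": set(),
}
DATA_SENSITIVITY = {"prod-db": 10, "dev-git-repo": 3}   # assumption: higher = more sensitive
EXTERNALLY_REACHABLE = {"internet-lb"}                  # assumption: internet-facing assets
EXPOSURE_MULTIPLIER = 2                                 # assumption: weight for external reach

def reachable_from(start, graph=ACCESS):
    """BFS: everything an attacker could touch after fully compromising `start`."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def blast_radius(asset):
    """Sum of sensitivity over reachable data, scaled up if the asset is internet-facing."""
    score = sum(DATA_SENSITIVITY.get(n, 0) for n in reachable_from(asset))
    if asset in EXTERNALLY_REACHABLE:
        score *= EXPOSURE_MULTIPLIER
    return score

def prioritize_hunts(assets):
    """Return (asset, score) pairs, highest blast radius first, ties broken by name."""
    return sorted(((a, blast_radius(a)) for a in assets), key=lambda t: (-t[1], t[0]))
```

On the sample graph the service account with production-database rights outranks the developer workstation, matching the priority the text describes, and the internet-facing load balancer ranks above both because its path also ends at the same database.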

Measuring threat hunting program effectiveness

Track metrics across four categories to demonstrate value and drive continuous improvement:

Discovery metrics:

  • Threats discovered that evaded automated detection

  • Hypotheses validated vs. total hypotheses tested

  • Mean time from threat entry to hunter discovery

Detection improvement metrics:

  • New detection rules created from hunt findings

  • False positive rate of hunt-derived detections

  • Percentage of MITRE ATT&CK for Cloud techniques covered

Operational impact metrics:

  • Reduction in attacker dwell time (baseline vs. current)

  • Mean time to detect (MTTD) for critical asset compromises

  • Mean time to respond (MTTR) improvement from better detections

Coverage metrics:

  • Percentage of critical assets included in regular hunts

  • Percentage of high-risk attack paths investigated

  • Hunt frequency by asset tier (crown jewels vs. general infrastructure)

Report these metrics monthly to security leadership, showing trends over time and correlating hunt activities with security posture improvements.

How Wiz Defend transforms SOC threat hunting capabilities

Traditional threat hunting often involves manually piecing together clues from dozens of different security tools. Wiz changes this by providing a unified platform that understands the complex relationships in your cloud environment.

The Wiz Security Graph maps your cloud infrastructure by connecting vulnerabilities, permissions, network exposure, sensitive data, and runtime signals into a unified view. This means hunts start with real attack paths—like seeing how an internet-exposed container with a critical vulnerability connects to a database containing customer PII through specific IAM roles—rather than investigating isolated alerts without context.

Wiz lets you see emerging threats in real time, at a glance

Wiz Defend's lightweight eBPF sensor delivers real-time runtime visibility with minimal performance impact (typically under 2% CPU overhead), allowing you to monitor production workloads without degrading application performance. You can detect suspicious behaviors like lateral movement and privilege escalation as they happen, rather than discovering them days or weeks later.

The Automated Investigation Graph correlates cloud events and runtime telemetry into a single investigation timeline with blast radius visualization. When you investigate suspicious activity, you immediately see the complete sequence of events—API calls, process executions, network connections—plus what the attacker could access if they fully compromised the affected resources. This reduces investigation time from hours to minutes.

Wiz capabilities that enhance threat hunting:

  • Behavioral detection: Identifies living-off-the-cloud techniques that bypass traditional security controls

  • Cloud-to-code traceability: Traces threats back to source code for permanent fixes

  • Threat intelligence integration: Provides intelligence-driven starting points for targeted hunts

  • Attack path visualization: Shows how attackers could move through your environment

Ready to shift from reactive alerts to proactive hunting? See how unified cloud context, automated investigations, and code-to-cloud traceability accelerate threat discovery and enable permanent fixes—get a demo.

FAQs about SOC threat hunting