What is cloud threat hunting?

Cloud threat hunting is the proactive search for malicious activity across cloud infrastructure, workloads, and identities before automated tools detect it. Unlike traditional threat hunting focused on endpoints, cloud threat hunting targets the control plane, IAM configurations, and ephemeral resources like containers and serverless functions. This approach complements automated detection from EDR, WAF, and CWPP by applying human expertise to uncover threats that signature-based tools miss.

Detect active cloud threats

Learn how Wiz Defend detects active threats using runtime signals and cloud context—so you can respond faster and with precision.

For more information on how Wiz processes your personal data, please see our Privacy Policy.

How has threat hunting changed in the cloud?

Traditional threat hunting skills don't translate directly to cloud environments. Attackers exploit the cloud control plane using legitimate APIs and stolen credentials rather than deploying malware to endpoints, a tactic observed during the SolarWinds incidents where actors used cloud APIs to move laterally while evading conventional web console logs. Evidence disappears when containers terminate or serverless functions complete execution. Identity becomes the primary attack vector since a compromised IAM role can access resources across regions without ever touching a workload.

These differences require hunters to work with new telemetry sources: cloud audit logs, identity provider events, and runtime signals from ephemeral workloads. The speed matters too. Attackers can move from initial access to data exfiltration in minutes through the control plane, making real-time detection essential.

Key attributes of a cloud threat hunting solution

Proper tooling is key to enabling threat hunters to work effectively in this new environment. Below, we cover the primary components any such tool should have.

Real-time monitoring and threat detection

Cloud threat hunting requires visibility across multiple telemetry streams simultaneously. This includes cloud provider audit logs like CloudTrail (including CloudTrail network activity events) and Activity Log, identity provider events from Okta or Entra ID, network flow logs, PaaS service logs, and runtime signals from containers and VMs. Correlating these sources reveals attack patterns that no single log stream can expose.

Speed is non-negotiable. Cloud attackers move through the control plane faster than traditional lateral movement across network segments. A compromised identity can access sensitive data stores within minutes of initial access. Hunters need real-time correlation and immediate response capabilities to match attacker velocity.

Cloud-native user and entity behavioral analysis (UEBA)

Behavioral analysis in cloud environments must account for entities that don't exist in traditional infrastructure. Cloud-native UEBA establishes baselines for IAM roles, service principals, storage buckets, serverless functions, and API access patterns alongside user and machine behavior.

When a developer who normally accesses S3 from a single region suddenly queries a sensitive bucket from an unfamiliar IP at 3 AM, that deviation signals potential credential compromise. Hunters use these behavioral anomalies to identify threats that bypass signature-based detection, especially identity-based attacks where no malware is ever deployed.
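The S3 scenario above, worked through as an added example (this is not code from the original page or from Wiz): it builds a per-principal baseline from CloudTrail-shaped records (region, source /24, hours of activity, buckets touched) and then scores new events by how many attributes depart from that baseline. The ARNs, IP addresses, bucket names and timestamps are constructed samples, and SENSITIVE_BUCKETS is an assumed label the hunt uses to decide which first-time access is worth flagging.

```python
"""Cloud-native UEBA check: baseline a principal's normal S3 access pattern,
then flag access to a sensitive bucket that deviates from it (new region,
new source network, off-hours). Records follow CloudTrail field names;
all values are constructed samples, not real log data."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed label: buckets the hunt treats as sensitive (hypothetical names).
SENSITIVE_BUCKETS = {"customer-pii-exports"}


def _ct_event(event_id, arn, region, ip, when, bucket, name="GetObject"):
    """Build a minimal CloudTrail-shaped record (constructed sample)."""
    return {
        "eventID": event_id,
        "eventTime": when,
        "eventName": name,
        "awsRegion": region,
        "sourceIPAddress": ip,
        "userIdentity": {"arn": arn},
        "requestParameters": {"bucketName": bucket},
    }


ALICE = "arn:aws:iam::111122223333:user/dev-alice"  # hypothetical developer

# A month of "normal" activity: one region, one corporate /24, working hours.
BASELINE_EVENTS = [
    _ct_event("b1", ALICE, "us-east-1", "203.0.113.10", "2024-04-02T09:15:00Z", "app-build-artifacts"),
    _ct_event("b2", ALICE, "us-east-1", "203.0.113.11", "2024-04-09T14:40:00Z", "app-build-artifacts"),
    _ct_event("b3", ALICE, "us-east-1", "203.0.113.12", "2024-04-23T16:05:00Z", "app-build-artifacts"),
]

# New events to hunt over: one routine, one matching the 3 AM scenario, one unknown principal.
CANDIDATE_EVENTS = [
    _ct_event("ev-1", ALICE, "us-east-1", "203.0.113.15", "2024-05-01T10:02:00Z", "app-build-artifacts"),
    _ct_event("ev-2", ALICE, "eu-west-1", "198.51.100.77", "2024-05-02T03:12:41Z", "customer-pii-exports"),
    _ct_event("ev-3", "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42",
              "us-east-1", "203.0.113.20", "2024-05-02T11:00:00Z", "app-build-artifacts"),
]


def _hour_utc(event_time):
    """CloudTrail timestamps are ISO-8601 UTC with a trailing Z."""
    return datetime.fromisoformat(event_time.replace("Z", "+00:00")).hour


def _source_network(ip):
    """Generalize a source address to its /24 so address churn inside one office isn't 'new'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def _off_hours(hour, baseline_hours):
    """Outside the principal's observed working window, with one hour of slack either side."""
    return not (min(baseline_hours) - 1 <= hour <= max(baseline_hours) + 1)


def build_baseline(events):
    """Per-principal profile of regions, source networks, hours of day and buckets seen."""
    profiles = defaultdict(lambda: {"regions": set(), "networks": set(), "hours": set(), "buckets": set()})
    for e in events:
        p = profiles[e["userIdentity"]["arn"]]
        p["regions"].add(e["awsRegion"])
        p["networks"].add(_source_network(e["sourceIPAddress"]))
        p["hours"].add(_hour_utc(e["eventTime"]))
        p["buckets"].add(e["requestParameters"]["bucketName"])
    return profiles


def score_event(event, profiles):
    """Return the list of ways this event departs from the principal's baseline."""
    profile = profiles.get(event["userIdentity"]["arn"])
    if profile is None:
        return ["unknown_principal"]  # no history at all: worth a look, but not scored further
    deviations = []
    if event["awsRegion"] not in profile["regions"]:
        deviations.append("new_region")
    if _source_network(event["sourceIPAddress"]) not in profile["networks"]:
        deviations.append("new_source_network")
    if _off_hours(_hour_utc(event["eventTime"]), profile["hours"]):
        deviations.append("off_hours")
    bucket = event["requestParameters"]["bucketName"]
    if bucket in SENSITIVE_BUCKETS and bucket not in profile["buckets"]:
        deviations.append("first_access_to_sensitive_bucket")
    return deviations


def hunt(baseline_events, candidate_events, min_deviations=2):
    """Surface events with at least min_deviations anomalies; a single anomaly is usually noise."""
    profiles = build_baseline(baseline_events)
    findings = []
    for e in candidate_events:
        deviations = score_event(e, profiles)
        if len(deviations) >= min_deviations:
            findings.append((e["eventID"], e["userIdentity"]["arn"], deviations))
    return findings


if __name__ == "__main__":
    for event_id, arn, deviations in hunt(BASELINE_EVENTS, CANDIDATE_EVENTS):
        print(f"{event_id} {arn}: {', '.join(deviations)}")
```

Running it reports only ev-2, with all four deviations stacked on one event; ev-1 scores zero and ev-3, a principal with no baseline, is returned as unknown_principal so it can feed a separate "new identity" hunt rather than be silently dropped. Requiring two or more deviations is the knob that keeps a developer travelling for a week from paging the on-call hunter.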

Incident response and remediation

Incident response in cloud environments requires actions that don't exist in traditional infrastructure. Hunters may need to revoke IAM credentials, modify security group rules, or isolate workloads through network policy changes rather than unplugging cables or reimaging servers.

The ephemeral nature of cloud resources creates forensic challenges. Containers may terminate before evidence can be collected, and serverless execution logs have limited retention. Effective cloud threat hunting integrates response automation that captures forensic data at the moment of detection rather than after manual triage.

Threat intelligence integration

Cloud-specific threat intelligence differs fundamentally from traditional feeds focused on malware hashes and IP blocklists. Cloud attackers use TTPs mapped to the MITRE ATT&CK Cloud Matrix—which recently refactored cloud platforms to better reflect real-world adversary activity—covering techniques like IMDS credential theft, cross-account role assumption abuse, and data exfiltration through legitimate cloud APIs.

Hunters need intelligence that covers these cloud-native techniques. This includes indicators like unusual AssumeRole patterns, suspicious S3 bucket access from unfamiliar principals, and anomalous API call sequences that suggest reconnaissance. External threat feeds should provide cloud-specific IOCs and behavioral indicators rather than just traditional network-based signatures.

How to Prepare for a Cloud Cyberattack: An Actionable Incident Response Plan Template

A quickstart guide to creating a robust incident response plan - designed specifically for companies with cloud-based deployments.

Benefits of cloud threat hunting

Done properly, cloud threat hunting results in several key advantages that enhance your overall cybersecurity resilience.

  • Early threat detection: Attackers move through cloud control planes in minutes, not hours. Cloud threat hunting matches this speed by validating alerts in real time and detecting indicators of compromise before automated tools catch them. This reduces dwell time and limits blast radius when incidents occur.

  • Enhanced situational awareness: By giving you more insight into your multicloud settings, cloud threat hunting helps you spot new threats, weak points, and security gaps. Organizations can obtain actionable insights into their security posture and prioritize resource allocation. This, in turn, lets them address key security concerns by continuously monitoring and analyzing security telemetry data throughout their cloud infrastructure.

  • Continuous improvement: Cloud threat hunting encourages innovation and constant improvement. Organizations today must adjust to changing threat environments, evolving attack methods, and shifting business needs. Threat hunting equips organizations to handle these demands by giving an accurate view of potential attack vectors in the face of changing technologies, procedures, and tools. Over time, enterprises can also increase the efficacy of their cloud threat hunting skills by implementing enhancement initiatives.

Challenges to adopting cloud threat hunting

Despite its clear benefits, cloud threat hunting presents several hurdles that organizations must overcome.

  • Multicloud complexity: Handling security on several cloud platforms can get complicated, since every platform may have different security features, setups, and logging systems. Ensuring uniform security rules and visibility across many cloud environments can also be difficult.

  • Data visibility and integration: Security teams may find it challenging to obtain a cohesive understanding of their security posture because telemetry data is dispersed across several platforms.

  • Skills shortage: Hunting for cloud threats requires specific knowledge and abilities, such as familiarity with cloud security best practices, threat analysis, incident response, and cloud native security platforms and tools. Unfortunately, a lack of qualified cybersecurity experts with the necessary training and expertise makes it difficult for businesses to create and sustain an efficient cloud threat hunting practice, and the staff they do have must continuously upgrade and upskill.

  • Threat actor sophistication: The sophisticated TTPs employed by malicious actors today involve complex tools and strategies to circumvent detection in multicloud systems. Threat actors in the cloud use stealthy strategies to avoid detection by automated systems. Often, cloud threat actors do not even deploy malware, instead leveraging compromised identities to move laterally through the control plane. These kinds of tactics can often fly under the radar of threat hunters looking for traditional indicators of compromise (IOCs).

The cloud threat hunting process

Cloud threat hunting follows a structured methodology adapted for dynamic infrastructure. Effective cloud threat hunting requires clear ownership across process steps and collaboration between security operations, cloud engineering, and development teams. Designate specific individuals for monitoring, analysis, and remediation, and establish communication channels that enable rapid context sharing during active investigations.

  • Data collection: Aggregate telemetry from cloud audit logs, identity provider events, network flow logs, and runtime signals. In multi-cloud environments, a reality for the 63% of organizations using more than one provider, you must normalize data across AWS CloudTrail, Azure Activity Log, and GCP Cloud Audit Logs into a unified schema.

  • Hypothesis formation: Develop hunting hypotheses based on known cloud TTPs. For example: "Are any service accounts assuming roles outside their normal cross-account patterns?" or "Have any IAM users accessed sensitive S3 buckets from new geographic locations?"

  • Analysis and triage: Correlate findings across identity, network, and workload context to validate hypotheses. Prioritize based on blast radius: a compromised identity with admin access to production databases requires immediate attention.

  • Response and remediation: Execute cloud-native containment actions like credential revocation, security group modifications, or workload isolation. Capture forensic evidence from ephemeral resources before they terminate.

  • Continuous improvement: Review hunting outcomes to refine detection rules and close coverage gaps. Feed validated threats back into automated detection to prevent recurrence.
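The data-collection, hypothesis and triage steps above, carried through end to end as an added example (not code from the original page or from Wiz). It normalizes CloudTrail, Azure Activity Log and GCP Cloud Audit Log records into one schema, runs the first hypothesis from the list ("are any service accounts assuming roles outside their normal cross-account patterns?") across all three providers at once, and ranks the hits by blast radius. Every record, account id, service-account address and IP is a constructed sample; PRIVILEGE_TIERS is an assumed stand-in for the posture inventory that would normally say what a role can reach, and the Azure record assumes the exported Activity Log shape in which operationName and callerIpAddress are plain strings.

```python
"""Multi-cloud hunt: normalize AWS CloudTrail, Azure Activity Log and GCP Cloud
Audit Log records into one schema, then test one hypothesis across all of them:
is any principal taking on another account's privileges outside its baseline?
Every record, identifier and address below is a constructed sample."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    provider: str
    time: str
    principal: str        # caller identity, with per-run session names stripped
    action: str           # provider-native operation name
    target: str           # role, service account or scope acted on
    target_account: str   # AWS account, Azure subscription or GCP project owning the target
    source_ip: str


def _aws_principal(arn):
    """arn:aws:sts::ACCT:assumed-role/ROLE/SESSION -> drop SESSION so one role has one baseline."""
    if ":assumed-role/" in arn:
        prefix, rest = arn.split(":assumed-role/", 1)
        return f"{prefix}:assumed-role/{rest.split('/', 1)[0]}"
    return arn


def from_cloudtrail(rec):
    role_arn = rec.get("requestParameters", {}).get("roleArn", "")
    account = role_arn.split(":")[4] if role_arn else rec["recipientAccountId"]  # ARN field 4 is the account
    return AuditEvent("aws", rec["eventTime"], _aws_principal(rec["userIdentity"]["arn"]),
                      rec["eventName"], role_arn, account, rec["sourceIPAddress"])


def from_azure_activity(rec):
    # Assumes the exported Activity Log shape where operationName is a plain string.
    return AuditEvent("azure", rec["eventTimestamp"], rec["caller"], rec["operationName"],
                      rec["resourceId"], rec["subscriptionId"], rec.get("callerIpAddress", ""))


def from_gcp_audit(rec):
    p = rec["protoPayload"]
    target = p["resourceName"]  # e.g. projects/-/serviceAccounts/NAME@PROJECT.iam.gserviceaccount.com
    sa = target.rsplit("/", 1)[-1]
    project = sa.split("@", 1)[1].split(".", 1)[0] if "@" in sa else rec["resource"]["labels"]["project_id"]
    return AuditEvent("gcp", rec["timestamp"], p["authenticationInfo"]["principalEmail"],
                      p["methodName"], target, project, p["requestMetadata"]["callerIp"])


NORMALIZERS = {"aws": from_cloudtrail, "azure": from_azure_activity, "gcp": from_gcp_audit}

# AWS AssumeRole and GCP token minting let one identity act with another's permissions;
# an Azure role-assignment write grants them outright. All three are control-plane lateral movement.
PRIVILEGE_HANDOFF_ACTIONS = {
    "AssumeRole",
    "google.iam.credentials.v1.IAMCredentials.GenerateAccessToken",
    "Microsoft.Authorization/roleAssignments/write",
}
PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2}
# Constructed stand-in for posture data: what the target identity can reach.
PRIVILEGE_TIERS = {"arn:aws:iam::999900001111:role/prod-db-admin": "critical"}


def _aws_assume(ts, session, role_arn, ip):
    """CloudTrail-shaped AssumeRole record from the ci-deploy role (constructed)."""
    return {"eventTime": ts, "eventName": "AssumeRole", "sourceIPAddress": ip,
            "userIdentity": {"arn": f"arn:aws:sts::111122223333:assumed-role/ci-deploy/{session}"},
            "requestParameters": {"roleArn": role_arn}, "recipientAccountId": "111122223333"}


def _gcp_impersonate(ts, caller, target_sa, ip):
    """Cloud Audit Log-shaped GenerateAccessToken record (constructed)."""
    return {"timestamp": ts, "resource": {"labels": {"project_id": "proj-ci-123"}},
            "protoPayload": {"authenticationInfo": {"principalEmail": caller},
                             "methodName": "google.iam.credentials.v1.IAMCredentials.GenerateAccessToken",
                             "resourceName": f"projects/-/serviceAccounts/{target_sa}",
                             "requestMetadata": {"callerIp": ip}}}


CI_SA = "deploy@proj-ci-123.iam.gserviceaccount.com"
HISTORY_RAW = [  # the baseline window: where each principal normally reaches
    ("aws", _aws_assume("2024-04-03T08:00:00Z", "build-12", "arn:aws:iam::444455556666:role/deploy-staging", "203.0.113.40")),
    ("gcp", _gcp_impersonate("2024-04-05T08:00:00Z", CI_SA, "build@proj-app-456.iam.gserviceaccount.com", "203.0.113.41")),
]
RECENT_RAW = [  # the hunt window
    ("aws", _aws_assume("2024-05-02T03:10:00Z", "build-77", "arn:aws:iam::999900001111:role/prod-db-admin", "198.51.100.9")),
    ("gcp", _gcp_impersonate("2024-05-02T08:00:00Z", CI_SA, "build@proj-app-456.iam.gserviceaccount.com", "203.0.113.41")),
    ("azure", {"eventTimestamp": "2024-05-02T09:30:00Z", "caller": "svc-pipeline@example.com",
               "operationName": "Microsoft.Authorization/roleAssignments/write",
               "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/a1",
               "subscriptionId": "00000000-0000-0000-0000-000000000000", "callerIpAddress": "198.51.100.10"}),
]
HISTORY = [NORMALIZERS[p](r) for p, r in HISTORY_RAW]
RECENT = [NORMALIZERS[p](r) for p, r in RECENT_RAW]


def baseline_targets(events):
    """Which accounts, projects or subscriptions each principal has historically reached into."""
    known = defaultdict(set)
    for e in events:
        if e.action in PRIVILEGE_HANDOFF_ACTIONS:
            known[e.principal].add(e.target_account)
    return known


def hunt_cross_account(history, recent, privilege_tiers):
    """Flag privilege hand-offs into an account the principal has never touched, ranked by blast radius."""
    known = baseline_targets(history)
    findings = []
    for e in recent:
        if e.action not in PRIVILEGE_HANDOFF_ACTIONS or e.target_account in known.get(e.principal, set()):
            continue
        findings.append({"provider": e.provider, "principal": e.principal, "target": e.target,
                         "target_account": e.target_account, "source_ip": e.source_ip,
                         "priority": privilege_tiers.get(e.target, "medium")})
    return sorted(findings, key=lambda f: PRIORITY_ORDER[f["priority"]])
```

Calling hunt_cross_account(HISTORY, RECENT, PRIVILEGE_TIERS) returns two findings: the ci-deploy role reaching into account 999900001111 for the first time lands on top as critical because the inventory says the target is a production database admin role, and the Azure role assignment by a caller with no history at all follows at medium. The GCP impersonation is suppressed because proj-app-456 is already in that service account's baseline. Stripping the AssumeRole session name is the detail that makes the baseline work at all: CI systems mint a new session name per run, so keying on the full ARN would make every build look like a new principal.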

Tools required for cloud threat hunting 

Several solutions can help you with your cloud threat hunting efforts. By leveraging these together, organizations can enhance their ability to proactively identify and mitigate security threats, bolstering their cybersecurity posture in the face of evolving threats.

Features and capabilities

Cloud threat hunting tools must handle challenges that traditional security platforms weren't designed for:

  • Multi-cloud telemetry at scale: Process and correlate events across AWS, Azure, GCP, and other providers without requiring separate tooling for each environment.

  • Ephemeral resource coverage: Detect and investigate threats in containers, serverless functions, and other short-lived workloads before evidence disappears.

  • Identity-centric correlation: Connect control plane activity to specific identities, permissions, and data access to understand attack paths through IAM rather than just network flows.

  • Automated context enrichment: Surface relevant cloud context automatically so analysts don't spend investigation time querying multiple consoles to understand what a workload does or who owns it.

Cloud detection and response (CDR)

These tools offer the ability to detect and respond to security problems in real time by combining security telemetry data from several sources and automating the analysis and correlation.

Cloud native application protection platforms (CNAPPs)

CNAPPs include a variety of instruments designed specifically for cloud settings, including:

  • Cloud security posture management (CSPM): Security configuration management tools that guarantee compliance with best practices

  • Vulnerability management: Practices for locating and ranking cloud infrastructure vulnerabilities

Threat hunters in cloud environments can use these instruments to provide vital context about the environment as they investigate.

Cloud infrastructure entitlement management (CIEM)

CIEM solutions assist enterprises in upholding the least privilege principle and reducing identity-related risks such as insecure identities and risky permissions, which 59% of organizations report, by controlling access rights and permissions within cloud environments.

Security information and event management (SIEM)

SIEM tools provide centralized logging and analysis capabilities for threat identification and investigation. They do this by gathering and correlating security events throughout your infrastructure.

Threat intelligence platforms (TIPs)

By offering insights into threats and mitigation strategies from external threat intelligence feeds, TIPs help businesses improve their threat hunting efforts.

Cloud access security broker (CASB)

CASB solutions guarantee a uniform security posture and adherence to legal regulations. They achieve this by enforcing security guidelines and regulations across cloud environments.

How Wiz enables cloud threat hunting

Wiz Defend addresses the core challenges of cloud threat hunting by unifying detection, context, and response in a single platform.

Figure 1: Event monitoring with Wiz’s cloud threat hunting solution

For real-time detection, Wiz correlates cloud audit logs, runtime signals, and network telemetry to identify threats as they unfold. When a suspicious AssumeRole pattern appears in CloudTrail, Wiz automatically enriches it with identity context: What permissions does this role have? What sensitive data can it access? Is the source workload internet-exposed?

This context comes from Wiz's continuous cloud posture analysis. Rather than investigating alerts in isolation, hunters see the full attack path from initial access through potential blast radius. A compromised container becomes a critical finding when Wiz shows it has IAM credentials with access to production databases.

For identity-based threats, Wiz surfaces excessive permissions and unusual access patterns that indicate credential compromise or insider risk. Hunters can trace suspicious API activity back to specific identities and understand exactly what damage is possible before it occurs.

The result is investigation time measured in minutes rather than hours. Wiz automatically generates attack timelines that would otherwise require manual correlation across multiple cloud consoles and security tools.

Get a demo to see how Wiz enables cloud threat hunting across your environment.
