What is threat hunting?
Threat hunting is the active search for cyber threats that are hiding in your network. This means security experts assume attackers have already broken in and are looking for signs of their presence before they cause damage.
Unlike traditional security that waits for alerts, threat hunting starts with a hypothesis. You might think, "An attacker could be using PowerShell to move between our systems." Then you dig through logs, network traffic, and system data to prove or disprove that theory.
The goal is simple: find and contain attackers before they reach valuable data. This is especially critical in cloud environments where, according to a Check Point report, 65% of organizations experienced a cloud-related security incident in the past year, yet only 9% detected it within the first hour. Threat hunters look for subtle signs that automated tools miss, like unusual login patterns or strange file movements. They want to cut down dwell time—how long attackers stay hidden in your systems.
Cyber threat hunting needs deep technical knowledge and the right threat hunting tools. You'll use platforms like SIEM systems, threat detection and response (TDR) tooling, and specialized hunting software to sift through massive amounts of data. The best threat hunting methodology combines human intuition with powerful technology to spot threats that slip past other defenses.
What is threat intelligence?
Threat intelligence is information about current and potential cyber threats that helps you make better security decisions. This means collecting data from outside sources to understand who might attack you and how they'll do it.
Intelligence analysts gather information from many places: dark web forums, malware reports, vulnerability databases, and threat feeds. They turn this raw data into useful insights about threat actors, their methods, and their targets.
What is threat intelligence used for? It helps you prepare for attacks before they happen. Instead of just reacting to threats, you can set up defenses based on what attackers are actually doing in the wild.
Cyber security threat intelligence comes in three levels:
Strategic intelligence: High-level business risks and trends
Operational intelligence: Details about specific attack campaigns
Tactical intelligence: Specific indicators like malicious IP addresses or file signatures
This structured approach lets security teams move from reactive to proactive defense. You're not just waiting for something bad to happen—you're preparing for what's likely to come.
Core differences between threat hunting and threat intelligence
The main difference is focus and timing. Threat hunting looks inside your network for active threats, while threat intelligence looks outside for potential future threats.
Here's how they differ across key areas:
Dimension | Threat Hunting | Threat Intelligence |
---|---|---|
Primary Focus | Internal network and systems for active threats | External threat landscape and adversary behavior |
Timing | Proactive search for existing compromises | Proactive gathering of future threat indicators |
Data Sources | SIEM logs, EDR telemetry, network traffic, cloud audit logs (CloudTrail, Azure Activity, GCP Audit) | Threat feeds, dark web forums, OSINT, vulnerability databases, ISAC reports |
Typical Outputs | Confirmed incidents, IOCs, attack timelines, remediation actions | Threat reports, adversary profiles, TTPs, strategic risk assessments |
Core Tools | SIEM (Splunk, Elastic), EDR (CrowdStrike, SentinelOne), network analysis (Zeek, Wireshark) | TIPs (MISP, ThreatConnect), OSINT tools, malware sandboxes |
Team Skills | Deep technical expertise in forensics, systems, networks, and attacker TTPs | Analytical thinking, research, geopolitical context, business risk assessment |
Cloud-Specific Logs | CloudTrail, VPC Flow Logs, Kubernetes audit logs, container runtime events | Cloud security bulletins, CSP threat reports, cloud-focused threat feeds |
MITRE ATT&CK Usage | Validates TTPs found in environment; maps detections to techniques | Curates TTPs by adversary group; informs detection engineering priorities |
Methodology and approach: Threat hunting uses active investigation techniques within your infrastructure. Intelligence uses passive collection and analysis of external data sources.
Scope and focus: Hunters concentrate on internal networks, endpoints, and cloud workloads searching for anomalies. Intelligence teams monitor external threat landscapes, adversary groups, and emerging attack patterns.
Timing and nature: Hunting responds to suspected compromises that may already exist, but the search itself is proactive. Intelligence is proactive in gathering information but doesn't directly engage with active threats.
Required skills: Threat hunters need deep technical expertise in systems, networks, and attacker methods. Intelligence analysts require strong analytical capabilities and understanding of business contexts.
Tools and platforms: Hunters rely on SIEM systems, EDR tools, and network analysis platforms. Intelligence teams use threat intelligence platforms, research tools, and vulnerability databases.
How threat hunting and threat intelligence complement each other
The real power comes when threat hunting and intelligence work together. Intelligence provides the context and direction for hunting activities, while hunting validates intelligence and discovers new threat patterns.
Intelligence-driven hunting works like this: threat intelligence reports about specific adversary tactics give hunters concrete ideas to investigate. If intelligence shows a new ransomware group uses certain lateral movement techniques, hunters can search for those exact behaviors in their environment.
Hunting enriches intelligence by feeding discoveries back into the intelligence cycle. When hunters find a previously unknown attack method or indicator, this information improves future threat assessments and helps other organizations prepare for similar attacks.
Shared context improves prioritization because intelligence about which threat actors target your industry helps hunters focus on the most relevant attack scenarios. When findings are visualized on a security graph, teams can see exposure paths, data sensitivity, and identity blast radius in one place. For example, intelligence about ransomware groups targeting exposed databases becomes immediately actionable when hunters can query for internet-exposed resources with database access and sensitive data labels—all in a single view. You don't waste time on every theoretical possibility—you focus on what's actually happening to companies like yours.
Collaborative workflows emerge when intelligence teams provide threat briefings that help hunters understand adversary motivations. Meanwhile, hunters share discoveries that intelligence teams can correlate with external observations. This creates a continuous feedback loop that strengthens your entire security program.
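The exposed-database scenario above is a hypothesis that can be run as a reachability query over a security graph. This is an added example with a small, constructed graph (nodes, edges and the `PII` label are made up for illustration) and is not any product's data model or code:

```python
"""Hypothesis query over a constructed security graph (example, not a product's model)."""
from collections import deque

# Constructed inventory: node -> attributes. Edges mean "can reach / has access to".
NODES = {
    "internet":     {"type": "internet"},
    "lb-public":    {"type": "load_balancer"},
    "ctr-web":      {"type": "container"},
    "ctr-batch":    {"type": "container"},
    "role-web":     {"type": "iam_role"},
    "role-batch":   {"type": "iam_role"},
    "db-customers": {"type": "database", "labels": {"PII"}},
    "db-metrics":   {"type": "database", "labels": set()},
}
EDGES = {
    "internet": ["lb-public"], "lb-public": ["ctr-web"],
    "ctr-web": ["role-web"], "ctr-batch": ["role-batch"],
    "role-web": ["db-customers"], "role-batch": ["db-metrics", "db-customers"],
}

def reachable(start, edges):
    """BFS from start; returns {node: path from start} for every reachable node."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        n = queue.popleft()
        for m in edges.get(n, []):
            if m not in paths:
                paths[m] = paths[n] + [m]
                queue.append(m)
    return paths

def exposed_containers_with_sensitive_db(nodes, edges, label="PII"):
    """Hypothesis: internet-exposed containers that can reach a database carrying `label`.
    Returns the exposure path and the data-access path so the finding is explainable."""
    from_internet = reachable("internet", edges)
    hits = []
    for ctr, attrs in nodes.items():
        if attrs["type"] != "container" or ctr not in from_internet:
            continue  # reachable from the internet is the first filter
        for db, path in reachable(ctr, edges).items():
            if nodes[db]["type"] == "database" and label in nodes[db].get("labels", set()):
                hits.append({"container": ctr, "exposure": from_internet[ctr], "data_path": path})
    return hits

def identity_blast_radius(role, nodes, edges):
    """Databases a role can reach: the identity blast radius of that principal."""
    return sorted(n for n in reachable(role, edges) if nodes[n]["type"] == "database")
```

Note that `ctr-batch` also reaches the PII database but is not returned, because it is not internet-exposed; that is the prioritization the text describes.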
Implementation challenges and best practices
Organizations face several obstacles when implementing both threat hunting and intelligence programs. Understanding these challenges helps you build more effective security operations.
Common challenges include:
Resource constraints: Both disciplines require specialized skills that are scarce in the security industry, with a 2025 SANS Threat Hunting Survey finding that 61% of organizations cite staffing shortages as a primary challenge to effective threat hunting
Tool proliferation: Managing separate platforms for hunting and intelligence creates operational complexity, with a 2025 Thales Cloud Security Study noting an average of 85 SaaS applications per organization, contributing to tool sprawl
Alert fatigue: Without proper context and prioritization, teams become overwhelmed by the volume of potential threats
Measurement difficulties: Quantifying the value of proactive security activities challenges many organizations
Best practices for integration:
Start with intelligence-led priorities: Use threat intelligence to identify which adversaries and techniques pose the greatest risk to your organization
Establish clear workflows: Define how intelligence findings trigger hunting activities and how hunting discoveries update intelligence assessments
Invest in unified platforms: Look for platforms that model relationships across code, pipeline, cloud resources, and runtime to cut tool sprawl and speed investigations. Solutions that provide a single graph of your entire cloud environment—from source code to running workloads—eliminate context switching and enable analysts to pivot from an alert to root cause, ownership, and remediation guidance in one workflow.
Build cross-functional teams: Encourage collaboration between hunters, intelligence analysts, and incident responders
Choosing the right approach for your business
The optimal balance between threat hunting and intelligence depends on your organization's maturity, resources, and risk profile. There's no universal answer—you need a strategy that fits your specific situation.
For organizations starting their journey: Begin with threat intelligence to understand your threat landscape. Focus on automated detection before manual hunting, and consider managed detection and response services if internal expertise is limited.
For mature security programs: Develop dedicated hunting and intelligence teams. Implement advanced hunting methodologies using frameworks like MITRE ATT&CK, and create custom intelligence requirements based on your specific environment.
Cloud-specific considerations matter because the dynamic nature and distinct attack surfaces of cloud environments require adapted approaches for both threat hunting and intelligence. Ensure collection and retention of cloud-native logs to support hypothesis-driven hunts and intelligence validation:
AWS: CloudTrail (API activity), VPC Flow Logs (network traffic), GuardDuty findings, EKS audit logs
Azure: Activity Logs (control plane), NSG Flow Logs (network), Defender for Cloud alerts, AKS diagnostics
GCP: Cloud Audit Logs (admin/data access), VPC Flow Logs, Security Command Center findings, GKE audit logs
Kubernetes: Audit logs (API server activity), Falco runtime alerts, admission controller events
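The intelligence-driven hunt described earlier, run over the kind of control-plane log listed above, looks like this in practice. This is an added example, not code from the page's author; the CloudTrail-style records, the indicator set `FEED_IOCS` (RFC 5737 documentation addresses) and the account id are all constructed:

```python
"""Hypothesis-driven hunt over CloudTrail-style records (constructed sample data)."""
from collections import defaultdict

# Constructed tactical intelligence: indicator IPs as a threat feed would supply them.
FEED_IOCS = {"203.0.113.42"}

# Constructed CloudTrail-like records carrying only the fields the hunt needs.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2025-03-01T10:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-03-01T11:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2025-03-01T11:00:20Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2025-03-01T11:00:40Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2025-03-01T11:01:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2025-03-01T11:04:00Z", "eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "bob"}, "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/db-admin"}},
    {"eventTime": "2025-03-01T12:00:00Z", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.42",
     "userIdentity": {"userName": "carol"}},
]

def hunt(records, iocs, failure_threshold=3):
    """Test two hypotheses over the records, in time order:
    1. a tactical indicator from the feed appears as a source IP;
    2. an unusual login pattern: N failed console logins followed by a success."""
    findings = []
    failures = defaultdict(int)  # (user, ip) -> consecutive failed ConsoleLogins
    for r in sorted(records, key=lambda e: e["eventTime"]):
        ip, user = r.get("sourceIPAddress", ""), r.get("userIdentity", {}).get("userName", "unknown")
        if ip in iocs:
            findings.append({"hypothesis": "ioc_match", "user": user, "ip": ip,
                             "event": r["eventName"], "time": r["eventTime"]})
        if r["eventName"] != "ConsoleLogin":
            continue
        outcome = r.get("responseElements", {}).get("ConsoleLogin")
        if outcome == "Failure":
            failures[(user, ip)] += 1
        elif outcome == "Success":
            if failures[(user, ip)] >= failure_threshold:
                findings.append({"hypothesis": "failures_then_success", "user": user, "ip": ip,
                                 "failures": failures[(user, ip)], "time": r["eventTime"]})
            failures[(user, ip)] = 0
    return findings

def timeline(records, user):
    """Attack timeline for one principal: what they did around the suspicious event."""
    return [(r["eventTime"], r["eventName"], r["sourceIPAddress"])
            for r in sorted(records, key=lambda e: e["eventTime"])
            if r.get("userIdentity", {}).get("userName") == user]
```

The `timeline` step is the pivot a hunter makes once a hypothesis hits: here it surfaces the `AssumeRole` call that followed the suspicious login, which the indicator feed alone would never have flagged.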
The ephemeral nature of cloud resources (containers that live minutes, serverless functions that execute and disappear) means traditional endpoint detection often falls short. You need cloud-native detection and response capabilities that understand serverless functions, container orchestration, and complex identity configurations across IAM roles, service accounts, and federated access.
Agentless collection paired with a unified security graph helps correlate cloud control-plane events, runtime signals, and identity context, so hunts start with richer hypotheses and intelligence is automatically mapped to real exposure. Seeing exposure paths, data sensitivity, and identity blast radius in one place tightens the prioritization loop between hunting and intelligence functions.
Key decision factors include:
Industry and threat profile: High-value targets need robust hunting capabilities
Available resources: Intelligence programs typically require fewer technical resources than hunting
Existing security maturity: Build intelligence capabilities first, then add hunting as detection improves
Compliance requirements: Specific frameworks mandate or encourage these activities:
ISO/IEC 27001:2022 Annex A.5.7 (Threat Intelligence) requires organizations to collect and analyze threat intelligence relevant to information security
NIST SP 800-53 Rev. 5 includes RA-10 (Threat Hunting) and SI-5 (Security Alerts and Threat Intelligence)
SOC 2 CC7.2 and CC7.3 require monitoring for security events and analyzing threats
PCI DSS v4.0 Requirement 11.5 mandates detection and response to security incidents, supported by threat intelligence
How Wiz Defend enables both threat hunting and intelligence operations
Wiz Defend brings threat hunting and intelligence together in one platform designed for cloud environments. Instead of juggling separate tools, you get unified visibility and context across your entire cloud infrastructure.
The platform operationalizes threat intelligence through the Threat Center, which automatically flags your exposure to the latest vulnerabilities from Wiz Research and third-party feeds. This real-time intelligence integration ensures teams stay informed about emerging threats relevant to their environment.
For threat hunters, Wiz's Investigation Graph transforms thousands of cloud events into unified attack timelines. This eliminates manual investigation work and lets hunters visualize attack paths and understand the full scope of potential compromises without switching between multiple tools. Because investigations live alongside intelligence and posture data, analysts can pivot from an alert to root cause, ownership, and remediation guidance in a single workflow—validating intelligence hypotheses and enriching future threat assessments in one platform.
The Wiz Security Graph enables hypothesis-driven hunting by mapping every cloud resource and relationship. Hunters can test scenarios like "show me exposed containers with database access" to reveal hidden connections that traditional tools miss.
The lightweight eBPF Runtime Sensor provides essential hunting data—including process execution, file integrity monitoring, and network connections—across Linux hosts and containers. For serverless workloads, Wiz Defend correlates cloud audit logs (such as AWS CloudTrail, Azure Activity Logs, GCP Audit Logs) and platform telemetry to deliver runtime-relevant visibility.
Wiz's cloud-to-code traceability maps discovered threats from runtime back to source code, enabling permanent remediation and preventing recurrence. Teams can fix the root cause rather than just addressing symptoms.
The unified platform eliminates tool sprawl by combining cloud detection, investigation workflows, and threat intelligence in a single console. This consolidation reduces complexity and improves collaboration between security functions.
Get a demo to see how unified cloud detection, graph-powered investigations, and code-to-cloud traceability accelerate threat hunting and operationalize threat intelligence in one platform—eliminating tool sprawl while reducing MTTD and dwell time.