Threat hunting used to be a luxury — something only well-resourced security teams could justify, and even then only quarterly. In 2026, that economics has changed. Tools like Dropzone AI Threat Hunter compress what used to be 40-hour cross-tool hunts into 60-to-90-minute federated runs. The 250+ hunt packs mapped to MITRE ATT&CK that ship with such platforms have made systematic, continuous hunting feasible for mid-market organisations, not just enterprises.
The shift is real. The methodology, however, has not changed — it has only become accessible. This article is the working hunting methodology our team applies with regulated Malaysian clients in 2026.
What threat hunting is (and is not)
Threat hunting is the proactive search for adversary activity that has not generated alerts. The premise is that sophisticated attackers specifically design their tradecraft to avoid alerts — so a defence posture that only responds to alerts has a structural blind spot.
Threat hunting is not alert triage, incident response, or red teaming. It is a separate discipline with its own cadence, methodology, and success criteria. Mature security organisations run all four functions in parallel.
The hypothesis-driven model
Effective hunting starts with a specific hypothesis grounded in adversary tradecraft, not in available data. The difference matters. A hunt that starts with "let's look at our logs and see what's interesting" produces noise. A hunt that starts with "Volt Typhoon-style actors would persist through scheduled tasks (T1053.005) on inactive infrastructure accounts; let's confirm we have no such persistence" produces signal.
Good hypotheses share four characteristics:
- Specific. Tied to a concrete technique, ideally with a MITRE ATT&CK ID.
- Testable. The data needed to confirm or refute the hypothesis exists somewhere in your telemetry.
- Falsifiable. A clear answer of "no, we found no evidence of this" is possible and valuable.
- Actionable. If the hypothesis is confirmed, you know what incident response steps follow.
The five-phase hunt
The 5-phase threat hunt
Phase 1: Hypothesis selection
Choose hypotheses based on threat intelligence (recent CISA advisories, sector-specific reports), known coverage gaps in your detection stack, and high-impact attack paths in your environment. Maintain a rotating hypothesis library — quarterly hunts should not repeat the same questions.
Phase 2: Data scoping
Identify which data sources contain evidence relevant to the hypothesis. Confirm the data exists, is accessible, and covers the time window of interest. Many hunts fail at this phase because the necessary telemetry was not retained.
Phase 3: Investigation
Query the relevant data sources. Filter aggressively for the specific technique pattern. Distinguish between expected administrative activity and the narrower set of activity that does not match any documented business process. This phase is where AI-augmented tooling provides the most leverage — agents can query across multiple data sources simultaneously and surface anomalies for human review.
Phase 4: Validation
Investigate findings in context. Most positives are benign. Confirm true positives by correlating with additional data sources — if you find suspected malicious scheduled task activity, also check authentication, process execution, and network connectivity for the same time window.
Phase 5: Output and detection engineering
Every hunt produces three outputs: an answer to the hypothesis (positive or negative), at least one new continuous detection rule, and at least one identified visibility gap with a remediation owner. A hunt that does not produce these three outputs has not been completed.
MITRE ATT&CK as the hunting backbone
Every hunt should explicitly cite the ATT&CK techniques it covers, both before the hunt (in the hypothesis) and after (in the detection rules produced). Over a year of hunting, this builds a coverage map showing exactly which adversary techniques your detection stack reliably catches and which it does not.
Most organisations starting this discipline discover the same pattern of gaps. Initial Access and Execution tactics are typically well-covered. Defense Evasion (TA0005), Credential Access (TA0006), and Discovery (TA0007) are typically thin. Lateral Movement (TA0008) and Collection (TA0009) often have substantial gaps. Exfiltration (TA0010) is frequently invisible. These gaps are exactly where APT and nation-state actors spend the majority of their time.
The AI augmentation layer
The most material shift in 2025–2026 is AI agents that perform federated hunts across multiple data sources. The pattern: an LLM-based agent reads a hypothesis, queries the relevant log sources (SIEM, EDR, identity, cloud, network), correlates findings, and presents a ranked list of suspicious patterns for human review. Where a manual cross-tool hunt previously took 30–40 hours, a federated agent hunt takes 60–90 minutes for the same hypothesis depth.
This is not "AI replaces hunters." It is "hunters direct strategy and judge findings; agents handle the data correlation work that previously consumed most of the hunting time." The economics of continuous hunting now make sense at organisational scales where it previously did not.
Where to start if you have no hunting programme
- Pick three hypotheses from recent CISA advisories that are relevant to your sector.
- Confirm the data needed to test them exists in your telemetry. If it does not, the first output of your hunting programme is the visibility gap.
- Run a manual hunt on one hypothesis. Document the methodology, the time taken, and the gaps surfaced.
- Schedule a recurring quarterly cadence. Maintain a rotating hypothesis library so coverage builds over time.
- Consider AI-augmented hunting tools once the manual methodology is established — the tools amplify good methodology and break ineffective methodology.
For Malaysian teams building this capability formally, our AI Agentic Security programme covers the methodology, the MITRE ATT&CK alignment, and the AI-augmented tooling end-to-end. HRDC SBL-KHAS claimable for eligible employers.
