Hunt Cadence and Scheduling

4-5 hours · Module 1 · Free
What you already know
Section 1.8 demonstrated the complete Hunt Cycle in a single continuous example. You can execute the full pipeline from hypothesis through detection rule deployment. This section addresses how often to hunt and how to protect hunting time from the operational demands that consume it.

Scenario

NE's SOC planned weekly 4-hour hunt blocks starting in January. By March, only 3 of 12 planned sessions had been completed. Each cancellation followed the same pattern: a severity-high alert fired during the first hour of the hunt block, the analyst switched to triage, and the remaining hunt time evaporated. No one rescheduled the missed sessions. Rachel Okafor reviews the quarterly report and finds that the hunting program produced 3 hunt records instead of 12. Technique coverage gained is one-quarter of what the plan projected. The program failed not because the analysts lacked skill, but because hunting time was never protected from the operational demands that consume it.

If hunting time is not protected, it does not happen

Hunting competes with alert triage for the same analyst hours. Alert triage always wins that competition because alerts are immediate and visible. An unresolved alert generates notifications, appears on dashboards, and triggers escalation timers. An unexecuted hunt is invisible. Nobody notices it did not happen until the quarterly review reveals the gap.

Calendar blocks are the only defense. A hunting session must be treated with the same seriousness as an on-call shift. The analyst assigned to hunt is not available for alert triage during those hours. If a severity-high alert fires, another analyst handles it. If the team is too short-staffed to spare anyone for four hours, the hunting session is rescheduled to a specific date within the same week, not deferred to "when things calm down." Alert volume does not calm down. It fluctuates within a range, and hunting must be scheduled within that range.

NE's fix was structural. Rachel designated hunting blocks as "protected time" in the SOC schedule, identical in priority to on-call rotations. She assigned a backup analyst for alert coverage during each hunting session. When the hunting analyst is pulled for a genuine P1 incident (not a medium-severity alert that could wait), the session reschedules within the same period. Three consecutive cancellations trigger a workload review, not a hunting program cancellation.

THREE CADENCE MODELS MATCHED TO TEAM SIZE

Weekly: 4 hours per week. Team: 5+ analysts. Output: 24-48 campaigns per year. Fastest coverage improvement; best if alert volume allows.

Biweekly: 4-6 hours every 2 weeks. Team: 3-5 analysts. Output: 12-24 campaigns per year. Good balance for most teams; recommended starting point.

Monthly: 6-8 hours per month. Team: 2-3 analysts or solo. Output: 12 campaigns per year. Viable for any team size; minimum for coverage growth.

All models produce detection rules. Cadence determines how fast coverage grows. Choose based on team size and alert volume, not ambition.

Figure TH1.9a — Three cadence models. Choose based on team size and alert volume. All produce detection rules; cadence determines the speed of coverage improvement.

Sizing the right cadence

Alert volume determines which cadence your team can sustain. Before committing to a model, measure your current operational load. Run a query that counts the incidents created each day over the past 30 days and reports the average, peak, and minimum. In Microsoft Sentinel the SecurityIncident table stores one row per incident update, so deduplicate on IncidentNumber first; otherwise the numbers track analyst activity on incidents rather than incident volume.

KQL
// Daily incident volume over 30 days: size your hunt cadence
SecurityIncident
| where CreatedTime > ago(30d)
// One row per incident, keeping the latest severity (the table logs every update as a new row)
| summarize arg_max(LastModifiedTime, Severity, CreatedTime) by IncidentNumber
| summarize DailyCount = count(),
            HighSevDaily = countif(Severity == "High")   // the alerts that pull hunters into triage
    by bin(CreatedTime, 1d)
| summarize
    AvgDaily = round(avg(DailyCount), 1),
    PeakDaily = max(DailyCount),
    MinDaily = min(DailyCount),
    PeakHighSev = max(HighSevDaily)

If your 3-person SOC handles 10-15 incidents per day, pulling one analyst for 4 hours weekly leaves two analysts handling the full queue. If that queue regularly exceeds their capacity, the weekly model will fail within the first month. Biweekly gives the same analyst 10 working days between hunt sessions, which most 3-person teams can absorb.

NE's query returned an average of 11 incidents per day with a peak of 18. At that volume, Tom and Priya can cover alert triage while one analyst hunts for a 4-hour block, but not every week. Rachel chose biweekly: four to six hours every two weeks. Twelve to twenty-four campaigns per year. Enough to produce measurable coverage improvement without creating chronic understaffing in alert triage. After six months, the hunt metrics demonstrated enough value that Rachel approved a fourth SOC analyst, which made weekly cadence sustainable.

Start conservative. A biweekly cadence sustained for 12 months produces more coverage improvement than a weekly cadence abandoned after 3 months. Consistency matters more than frequency. Upgrade to weekly only when you have evidence that the team can sustain it without cancellations.

Structuring the hunt block

A 4-hour hunt block is not 4 hours of writing KQL. Effective hunt sessions follow a deliberate structure that allocates time across preparation, execution, and documentation.

First 30 minutes: preparation. Review the hypothesis from the backlog. Confirm the scope dimensions (data sources, time window, entity boundary). Check with a peer if one is available (review point 1 from Section 1.10). Verify that the required data tables are populated and the retention covers the planned time window. Open your hunt record template and fill in the hypothesis, source, and scope sections before running any queries.

Middle 2.5-3 hours: execution. Run the iterative query funnel from Section 1.3. Start with the orientation query. Work through indicator, refinement, enrichment, and pivot queries. Document each query and its results in the hunt record as you go, not after the session. If you find a confirmed compromise, prepare the escalation package from Section 1.5 and hand off to IR. If you reach the end of the funnel with no findings, proceed to conclusion documentation.

Time management during execution matters. A common failure is spending 90 minutes refining a single query that returns ambiguous results when the analyst should have moved to the next funnel step after 30 minutes. Set a mental checkpoint at each hour. At the one-hour mark, you should have completed orientation and indicator queries. At the two-hour mark, you should be in enrichment or pivot. If you are still debugging the orientation query at hour two, the data source may not contain the telemetry your hypothesis requires, and the hunt should be documented as inconclusive with a recommendation to address the data gap before retrying.

Final 30-60 minutes: documentation and conversion. Write the hunt conclusion. If refuted, begin the detection rule conversion from Section 1.6. If confirmed, ensure the escalation package is complete. Submit the hunt record for peer review (review point 2 from Section 1.10). Update the hypothesis backlog to reflect the completed hunt and any new hypotheses generated during the session.

Skipping the preparation and documentation phases is the most common time management failure. Analysts who jump straight into queries at minute one produce undocumented hunts that cannot be reviewed, reproduced, or converted into detection rules. Analysts who stop querying at minute 240 without documenting their conclusions produce findings that exist only in their memory. Both failures waste the time investment.
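The preparation step above says to verify that the required tables are populated and that retention covers the planned window. The query below is an added pre-flight check, not part of the course material, written for the device code flow hunt that appears later in this section. It assumes the hunt's scope is SigninLogs over 30 days and that the hypothesis depends on the AuthenticationProtocol field; the required_days value and the 90 percent field-population threshold are assumptions to adjust for your own scope.

```kql
// Added pre-flight check (not from the course): is the planned table populated across the
// planned window, and is the field the hypothesis needs actually present?
// Assumptions: SigninLogs is the scoped table, 30 days is the window, AuthenticationProtocol
// is the field the hypothesis depends on.
let lookback = 30d;
let required_days = 30;        // assumption: a 30-day window should yield at least 30 daily bins
SigninLogs
| where TimeGenerated > ago(lookback)
| summarize Rows = count(),
            WithProtocol = countif(isnotempty(AuthenticationProtocol)),
            DeviceCodeRows = countif(AuthenticationProtocol == "deviceCode")
    by Day = bin(TimeGenerated, 1d)
| summarize DaysWithData = count(),
            FirstDay = min(Day),
            TotalRows = sum(Rows),
            ProtocolPct = round(100.0 * sum(WithProtocol) / sum(Rows), 1),
            DeviceCodeRows = sum(DeviceCodeRows)
| extend Verdict = case(
      DaysWithData < required_days,
          "retention gap: shorten the window or document the hunt as inconclusive",
      ProtocolPct < 90,   // assumption: threshold for calling the field usable
          "field gap: AuthenticationProtocol mostly empty, hypothesis cannot be tested here",
      "proceed: data covers the planned window")
```

Run it inside the first 30 minutes. A retention or field gap verdict means the session is documented as inconclusive with a data-gap recommendation, as the hour-two checkpoint above describes, instead of being spent debugging an orientation query against data that is not there.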

Rotational versus dedicated hunting

Rotational means every senior analyst takes a turn as the designated hunter. Tom hunts this cycle, Priya hunts next cycle, and so on. Rotational hunting builds hunting skills across the team, prevents single-point-of-failure dependency, and ensures multiple analysts develop environmental knowledge from the hunting perspective. It also provides continuity when someone leaves or is unavailable.

Rotational programs require one additional discipline: knowledge transfer between rotations. When Tom completes a hunt cycle and Priya takes over for the next one, Priya needs to know which hypotheses Tom explored, which data sources showed unexpected gaps, and which environmental baselines Tom observed. Without this handoff, each rotation starts from zero context. NE handles this with a 15-minute handoff at the start of each rotation where the outgoing hunter walks the incoming hunter through the current state of the hypothesis backlog, any incomplete investigations, and observations about data quality or coverage gaps discovered during the last cycle. Shared hunt records (Section 1.7) make most of this information self-documenting, but the verbal handoff captures tacit knowledge that records miss.

Dedicated means one analyst (or a small team) hunts full-time without rotating through alert triage. Dedicated hunters build the deepest environmental knowledge and the fastest query fluency. They recognize normal patterns from memory because they examine the same data daily. The cost is that it requires staffing most teams cannot afford, creates a single point of failure, and leaves the rest of the team without hunting experience.

For most organizations, start rotational. Build hunting into every senior analyst's expected skill set. If the program produces enough value to justify dedicated headcount, the hunt metrics from Section 1.10 provide the evidence for that hiring decision. NE started rotational. After 12 months of documented results (18 hunts completed, 11 detection rules deployed, 2 confirmed compromises found), Rachel used the metrics to justify requesting a dedicated threat hunter in the next budget cycle.

Aligning cadence to threat intelligence

Hunt scheduling should respond to threat intelligence, not follow an arbitrary calendar. When a credible threat report describes a technique targeting your sector, schedule a hunt for that technique within the next cycle. Do not wait for the next quarterly planning window.

NE runs a hybrid cadence: biweekly scheduled hunts drawn from the prioritized backlog, plus ad hoc intelligence-driven hunts triggered by threat reports, vendor advisories, or peer organization breach notifications. Scheduled hunts provide consistent coverage improvement. Ad hoc hunts provide responsiveness. Both produce detection rules through the same Section 1.6 conversion workflow.

A program that responds exclusively to advisories hunts whatever is in the news rather than what matters for the organization's specific environment. A program that follows only the backlog misses emerging threats that intelligence would have flagged. Biweekly scheduled hunts from the backlog, with one ad hoc slot per month reserved for intelligence-driven work, gives NE both consistency and agility.

Consider a concrete example. In February 2026, Microsoft published an advisory describing EvilTokens, a phishing-as-a-service platform that commoditized device code flow attacks. Rachel reads the advisory on a Tuesday morning. NE's next scheduled backlog hunt is on Thursday. She checks the backlog: the Thursday hunt targets T1059 (command-line execution anomalies), which scores 18 on the priority model. Device code flow abuse scores 24 (high relevance because NE has no detection rule, high severity because the technique persists through password resets, high data availability because SigninLogs captures the AuthenticationProtocol field). Rachel replaces the Thursday backlog hunt with the higher-priority intelligence-driven hunt. T1059 moves to the next cycle, not to the bottom of the list.

Analyst Decision

Trigger: Microsoft advisory on EvilTokens PhaaS (device code flow attacks), February 2026.

Current backlog priority: T1059 Command and Scripting Interpreter (score: 18).

TI-driven priority: T1528 Steal Application Access Token, via device code flow / OAuth abuse (score: 24). No existing detection coverage. Technique persists through password resets. Data sources confirmed ingested.

Decision: Replace Thursday backlog hunt with intelligence-driven device code flow hunt. Reschedule T1059 to next biweekly cycle.

Justification: Advisory describes active campaigns against engineering sector organizations. Technique has zero NE coverage. Priority score 6 points higher than scheduled hunt. Response within 48 hours of advisory.

Notice that Rachel did not cancel the backlog hunt entirely. She replaced one hunt with a higher-priority alternative and rescheduled the displaced hunt. Intelligence-driven hunts should preempt, not consume, the scheduled cadence. If every cycle is consumed by reactive advisory-driven hunting, the backlog never advances and systematic coverage improvement stalls. Reserving one ad hoc slot per month while protecting the remaining scheduled hunts gives NE the balance between responsiveness and systematic coverage growth.

Track the ratio over time. If more than half of your completed hunts in a quarter are ad hoc, the backlog is stagnating. If fewer than one in four is intelligence-driven, the program may be missing emerging threats. NE's target ratio is roughly 70% backlog-driven and 30% intelligence-driven, adjusted each quarter based on the volume and relevance of incoming threat reports.
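The ratio check above, the completion-rate comparison from NE's Q1 scenario, and the three-consecutive-cancellations rule from the protected-time policy are all one query over the hunt records. The query below is an added example, not NE's workbook or course material. It assumes hunt records are kept as one row per planned session with Quarter, Session, Source and Status columns, and builds a constructed sample inline: the Q1 rows reproduce the 3-of-12 pattern from the scenario, while Q2 and Q3 are invented to exercise each verdict. The 25 and 50 percent thresholds come from the text above; the 3-cancellation trigger comes from NE's policy.

```kql
// Added example (constructed records, not NE's data). One row per planned session.
// Assumed schema for a hunt-record table: Quarter, Session (order within the quarter),
// Source ("backlog" or "intelligence"), Status ("completed" or "cancelled").
let Q1 = range Session from 1 to 12 step 1
    | extend Quarter = "2026-Q1", Source = "backlog",
             Status = iff(Session in (2, 6, 10), "completed", "cancelled");   // 3 of 12 completed
let Later = datatable(Quarter:string, Session:long, Source:string, Status:string) [
    "2026-Q2", 1, "backlog",      "completed",
    "2026-Q2", 2, "intelligence", "completed",
    "2026-Q2", 3, "backlog",      "completed",
    "2026-Q2", 4, "backlog",      "completed",
    "2026-Q2", 5, "intelligence", "completed",
    "2026-Q2", 6, "backlog",      "completed",
    "2026-Q2", 7, "backlog",      "completed",
    "2026-Q2", 8, "intelligence", "completed",
    "2026-Q2", 9, "backlog",      "completed",
    "2026-Q3", 1, "intelligence", "completed",
    "2026-Q3", 2, "intelligence", "completed",
    "2026-Q3", 3, "backlog",      "completed",
    "2026-Q3", 4, "intelligence", "completed",
    "2026-Q3", 5, "intelligence", "completed",
    "2026-Q3", 6, "backlog",      "completed",
    "2026-Q3", 7, "intelligence", "completed",
    "2026-Q3", 8, "backlog",      "completed",
];
union Q1, Later
| order by Quarter asc, Session asc
// Running count of consecutive cancellations; restarts at each completed session and at quarter start
| extend CancelRun = row_cumsum(iff(Status == "cancelled", 1, 0),
                                Status == "completed" or Session == 1)
| summarize Planned = count(),
            Completed = countif(Status == "completed"),
            IntelDriven = countif(Status == "completed" and Source == "intelligence"),
            LongestCancelRun = max(CancelRun)
    by Quarter
| extend CompletionPct = round(100.0 * Completed / Planned, 1),
         IntelPct = iff(Completed == 0, 0.0, round(100.0 * IntelDriven / Completed, 1))
| extend CadenceVerdict = iff(LongestCancelRun >= 3,
                              "workload review: 3+ consecutive cancellations",
                              "cadence sustained"),
         MixVerdict = case(IntelPct > 50, "backlog stagnating: too many ad hoc hunts",
                           IntelPct < 25, "may be missing emerging threats",
                           "within the 70/30 target band")
| project Quarter, Planned, Completed, CompletionPct, IntelPct, LongestCancelRun, CadenceVerdict, MixVerdict
```

With the constructed sample, Q1 reports 25 percent completion, a longest cancellation run of 3 and zero intelligence-driven hunts, which triggers both the workload review and the missing-threats warning; Q2 lands at 33 percent intelligence-driven, inside the target band; Q3 at 62.5 percent shows a backlog that has stopped advancing. Pointing the same query at a real hunt-record table gives the quarterly ratio the text asks you to track.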

Abandoning the cadence after cancellations

NE's Q1 failure (3 of 12 planned sessions completed) is the standard failure mode. Most programs respond by concluding that "we don't have time to hunt" and canceling the program. Rachel's response was different: she fixed the scheduling problem, not the hunting program. Protected time, backup analyst coverage, and a reschedule policy turned a 25% completion rate into 100% within one quarter. Cancellations are a scheduling problem, not evidence that hunting does not work.

Threat Hunting Principle

Cadence sustained is better than cadence ambitious. A biweekly program that completes every session and produces 12 detection rules per year outperforms a weekly program that cancels half its sessions and produces 6. Choose the cadence your team can protect, not the cadence that sounds impressive.

Next
Section 1.10 addresses quality assurance: the peer review checkpoints that prevent methodology errors, solo hunter adaptations, and the metrics that demonstrate hunting value to leadership.