In this section
The Business Case for Hunting
Section 0.4 positioned hunting relative to incident response and detection engineering, established the six handoffs that connect them, and countered the common objections. You can explain what hunting is, where it fits, and why it matters. This section converts that explanation into a financial argument that leadership funds. ROI model, cost comparison, and three communication formats give you the specific tools to secure budget approval.
Scenario
Rachel Okafor has 15 minutes on Phil Greaves's calendar to pitch the hunting program. Phil controls the budget. He thinks in cost-benefit terms, not ATT&CK technique IDs. Rachel has the coverage gap data (29.5%), the dwell time baseline (14 days median, 47 days P90), and the structural limitations that explain why more rules won't close the gap. She needs to translate all of it into a financial argument that ends with "approved" and a recurring line item on next quarter's budget.
The hunt-to-detection pipeline as compounding investment
Hunting is not an expense. It is a self-funding mechanism that compounds over time. Each hunt campaign costs four to eight analyst hours and produces at minimum one documented finding and one detection rule. Each detection rule converts a known-unknown (a technique you know about but cannot automatically detect) into a known-known (a technique with a firing rule). That conversion is permanent. That technique is now covered automatically, for as long as the rule is maintained, at no additional analyst cost per detection beyond ordinary rule tuning.
Twelve campaigns per year at an average of six hours each equals 72 analyst hours. At an average fully loaded analyst cost of $80 per hour ($160,000 annual salary with benefits and overhead), the annual program cost is approximately $5,760. In return, the program produces 12 or more detection rules, measurable coverage improvement, documented findings for compliance evidence, and behavioral baselines that improve the entire SOC's environmental knowledge.
IBM's 2025 Cost of a Data Breach Report found the global average breach cost at $4.44 million ($10.22 million in the US), with organizations using AI-powered security tools saving approximately $1.9 million per incident compared to those without. The cost differential between a breach detected internally and one the organization learns about from an external party is approximately $1 million. A hunting program that discovers one intrusion before external notification pays for itself immediately and operates at a surplus for the rest of the year.
Compounding is what makes the investment case. In Year 1, hunting produces 12 detection rules covering 12 previously unmonitored techniques. In Year 2, those 12 rules fire automatically while hunting produces 12 more rules covering 12 additional techniques. By Year 3, the organization has 36 hunt-derived detection rules operating automatically, coverage has improved by 30 or more percentage points (the arithmetic assumes each rule covers one previously unmonitored technique, so check it against the number of techniques in your own coverage scope), and the program has produced three years of documented findings for audit evidence. The investment from Year 1 continues to generate detection value in Year 3 at zero marginal cost.
Each year's hunt-derived rules continue operating automatically. The cost stays flat while the cumulative detection coverage grows.
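The compounding model described above, as an added worked example that is not part of the course material: a small Python model that turns the section's figures into a year-by-year projection and a payback check, so the numbers can be re-run with your own rate, hours, and coverage data before they go in front of leadership. The $80 fully loaded rate, 12 campaigns of 6 hours, the 29.5% starting coverage, the $1 million internal-versus-external detection differential, the four-hours-a-week protected block, and the 865 endpoints at $15 to $30 per seat are the section's own numbers. `techniques_in_scope = 120` is an assumption: the section never states the denominator its coverage ratio is measured against, and the model carries through the section's simplification that one rule covers one technique.

```python
"""Hunting program ROI model: flat cost, compounding rule count, coverage, payback.

Dollar figures and the 29.5% starting coverage are the section's numbers.
techniques_in_scope is an ASSUMPTION (the section does not state the denominator
of its coverage ratio); one rule per technique is the section's simplification.
"""
from dataclasses import dataclass


@dataclass
class HuntProgram:
    campaigns_per_year: int = 12
    hours_per_campaign: float = 6.0
    hourly_rate: float = 80.0            # fully loaded analyst cost, $/hour
    rules_per_campaign: int = 1          # the section's minimum: one rule per campaign
    techniques_in_scope: int = 120       # ASSUMPTION: techniques the coverage % is measured against
    starting_coverage: float = 0.295     # 29.5% from the Sentinel coverage query

    def annual_cost(self) -> float:
        """Campaign-based program cost; 12 x 6 x $80 = $5,760 with the defaults."""
        return self.campaigns_per_year * self.hours_per_campaign * self.hourly_rate

    def protected_time_cost(self, hours_per_week: float = 4.0, weeks: int = 52) -> float:
        """Upper-bound cost if the whole protected weekly block is charged to the program."""
        return hours_per_week * weeks * self.hourly_rate

    def projection(self, years: int) -> list[dict]:
        """Year-by-year view: cost stays flat, hunt-derived rules and coverage accumulate."""
        rows = []
        cumulative_rules = 0
        cumulative_cost = 0.0
        for year in range(1, years + 1):
            cumulative_rules += self.campaigns_per_year * self.rules_per_campaign
            cumulative_cost += self.annual_cost()
            # Each new rule covers one previously unmonitored technique; cap at 100%.
            covered = self.starting_coverage * self.techniques_in_scope + cumulative_rules
            coverage = min(1.0, covered / self.techniques_in_scope)
            rows.append({
                "year": year,
                "annual_cost": self.annual_cost(),
                "cumulative_cost": cumulative_cost,
                "cumulative_rules": cumulative_rules,
                "coverage": round(coverage, 3),
                "coverage_gain_pp": round((coverage - self.starting_coverage) * 100, 1),
            })
        return rows

    def years_funded_by_one_internal_detection(self, differential: float = 1_000_000.0) -> float:
        """Years of the program that one internally detected (rather than externally
        notified) breach pays for, using the section's $1M cost differential."""
        return differential / self.annual_cost()


def edr_renewal_range(endpoints: int = 865, low: float = 15.0, high: float = 30.0) -> tuple[float, float]:
    """Annual EDR renewal across the fleet at the per-endpoint price range the section quotes."""
    return endpoints * low, endpoints * high


if __name__ == "__main__":
    program = HuntProgram()
    print(f"Campaign-based cost per year:  ${program.annual_cost():,.0f}")
    print(f"Protected-time cost per year:  ${program.protected_time_cost():,.0f}")
    for row in program.projection(3):
        print(row)
    print(f"Years funded by one $1M differential: {program.years_funded_by_one_internal_detection():.0f}")
    low, high = edr_renewal_range()
    print(f"EDR renewal across 865 endpoints: ${low:,.0f} to ${high:,.0f}")
```

With the assumed 120 techniques in scope, Year 3 lands on the section's 30-point gain (36 rules over 120 techniques); change `techniques_in_scope` to the count your own coverage query uses and the projected gain moves with it, which is the one number to confirm before it appears in a budget request. The model also shows both cost bases the section uses: $5,760 for twelve campaigns and $16,640 for a four-hour weekly block charged in full.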
What hunting does not cost
The cost model is favorable because hunting uses infrastructure that already exists. The Sentinel workspace is deployed. The KQL engine is available. The data is ingested and retained. The analyst is on payroll. Hunting adds no licensing cost, no additional data ingestion cost, no tooling procurement, and no infrastructure build.
Compare this to the other security investments Phil evaluates every quarter. A new EDR platform costs $15 to $30 per endpoint per year. A managed detection and response service costs $40,000 to $200,000 annually. A penetration test costs $15,000 to $50,000 per engagement. A hunting program costs the analyst's hourly rate multiplied by the hours allocated. For NE at 4 hours per week, that totals $16,640 per year (4 hours times 52 weeks times $80 fully loaded hourly rate). Even at that higher estimate, hunting costs about the same as, or less than, a single annual EDR renewal across NE's 865 endpoints, which runs $12,975 to $25,950 at the per-endpoint price range above.
When hunting finds nothing
A hunt that produces no evidence of the hypothesized activity is not a failed hunt. The negative finding has four documented values that justify the time investment.
Uncertainty reduction: before the hunt, you did not know whether OAuth consent phishing was active in your environment. After the hunt, you have a documented answer. That answer reduces uncertainty from "unknown" to "tested and not found in the lookback window." Uncertainty reduction has direct risk management value: it narrows the set of threats you need to worry about and lets you allocate resources to the gaps you have not yet tested.
Audit evidence: the documented hunt record demonstrates proactive monitoring. ISO 27001 auditors, Cyber Essentials assessors, and insurance underwriters value evidence of proactive testing over evidence of reactive alerting. A documented hunt record that says "we tested for OAuth consent phishing and found no evidence in the past 90 days" is stronger audit evidence than a policy document that says "we monitor for application-based threats."
Behavioral baseline: the hunting query that returned 500 legitimate OAuth consent events now defines what normal looks like. The next time the query runs, any deviation from that baseline stands out and is worth investigating. The baseline improves with each execution.
Detection rule production: the hunting query converts to an analytics rule. Whether the hunt found malicious activity or not, the query that tested for it can now run automatically. The technique is permanently monitored at zero additional cost. This is the hunt-to-detection pipeline operating on negative findings.
Three communication formats
The technical argument convinces security practitioners. Leadership requires translation. Three formats address three audiences and three decision points.
A 60-second elevator pitch works in hallway conversations, Slack threads, and the opening of a longer presentation. Structure: problem, solution, cost, timeline. Rachel's version for NE: "Our detection rules cover 29% of the attack techniques relevant to our M365 environment. The remaining 71% produces no alert when used against us. A hunting program with one analyst spending four protected hours per week will close that gap by investigating the uncovered techniques and converting each finding into a permanent detection rule. Cost: $16,640 per year in analyst time at most, under $6,000 for the twelve campaigns themselves. No additional tooling. First quarterly report in 90 days." Every element Phil needs to make a decision is in that pitch: a quantified problem, a specific solution, a concrete cost, and a verifiable timeline. Practice it until you can deliver it without notes, because the best opportunities to propose hunting happen without warning.
A 15-minute leadership brief works for budget meetings, quarterly security reviews, and CISO-to-board summaries. Structure it in four sections. Open with the coverage gap because it is a number Phil can compare to industry benchmarks. "Our detection rules cover 29.5% of attack techniques. Industry average is 21%. We're ahead, but 70% of the attack surface produces no alert." This establishes the problem as measurable, not hypothetical.
Follow with what lives in the gap using two specific M365 techniques from Section 0.3. Choose techniques Phil can visualize: an attacker stealing a session token and owning the account permanently, or an attacker reading every email in a mailbox through an OAuth application that survives password resets. Name the business consequence: "If this happens to our CFO's account during a fundraising round, the exposure is measured in millions." Present the cost model with the IBM breach cost differential to establish the payback threshold. IBM's $4.44 million average breach cost makes $5,760 to $16,640 in annual hunting investment look like a rounding error. Close with what the program produces: quarterly reports showing coverage improvement, detection rules deployed, and findings documented. Quarterly reports prove the investment is working.
A one-page business case works for formal budget requests, investment committee submissions, and audit trail documentation. Seven sections, each two to three sentences. Problem: coverage gap quantified with the actual ratio from your Sentinel query. Solution: structured hunting program with a defined methodology and quarterly deliverables. Resource requirement: which analyst, how many hours, which days. Annual cost: calculated from your organization's fully loaded analyst rate. Expected output: campaigns per quarter, detection rules per quarter, projected coverage improvement. ROI: program cost versus the IBM breach cost differential, framed as "the program pays for itself with one compressed intrusion." Recommendation: approve specific hours starting a specific date, with Day 90 as the first checkpoint.
The language translation problem
The common failure in hunting proposals is speaking in security language to a business audience. Phil does not know what ATT&CK is. He does not care about T1098.003. He cares about business risk, cost, and measurable outcomes.
Translate every technical concept into a business consequence. "Coverage gap" becomes "blind spots in our security monitoring where an attacker could operate without us knowing." "Dwell time" becomes "how many days an attacker has access to our data before we detect them." "Hunt-to-detection pipeline" becomes "each investigation produces a permanent improvement to our automated monitoring." "Negative finding" becomes "confirmed that we're not currently compromised by this specific attack method, documented for the auditor."
Name the alternative. When Phil asks "what happens if we don't do this?", the answer is specific: "The 70% of our attack surface with no automated detection stays unmonitored. If an attacker uses one of those techniques, we find out when a customer, regulator, or law enforcement tells us. The average cost difference between internal detection and external notification is $1 million per incident. Doing nothing is not cost-free. It means accepting the risk of external notification and the cost difference that comes with it." Framing the decision as active risk acceptance rather than passive continuation of the status quo changes the conversation. Phil is no longer deciding whether to spend money on hunting. He is deciding whether to formally accept the risk of operating with 70% of the attack surface unmonitored and put that acceptance on the record.
If NE recently experienced an incident, leverage it. "Last quarter's BEC incident cost us $340,000 in wire transfer fraud and investigation fees. The attacker was in the environment for 23 days. A hunting program running the hypothesis our first campaign tests would have found the persistence mechanisms on Day 3, limiting the exposure to three days instead of 23. The cost of 90 days of hunting is less than 2% of what that single incident cost us."
Open with technique IDs instead and Phil sees a list of alphanumeric codes he does not understand and concludes the proposal is a solution looking for a problem. The business case must open with a number Phil already cares about (the coverage gap, the recent incident cost, the audit finding) and close with a deliverable he can verify (the quarterly report). The technical details belong in the appendix.
Threat Hunting Principle
The business case for hunting is financial, not technical. Each campaign costs four to eight analyst hours and produces a permanent detection rule. Twelve campaigns per year cost less than $6,000 and produce compounding coverage improvement. The program pays for itself the first time it discovers or compresses dwell time on one intrusion that automated detection would have missed.