TH0.7 The ROI of Hunting
Section 0.6 defined the operational boundaries between hunting, IR, and detection engineering — three disciplines with different triggers, methods, and outputs connected by handoffs that form a continuous cycle. You understand that hunting produces findings, detection rules, and environmental understanding. This section converts those outputs into the financial case. Hunting requires analyst hours. Analyst hours cost money. Leadership will ask "what is the return?" — and "we might find bad things" is not a budget justification.
Scenario
Rachel Okafor presents the hunting program proposal to Phil Greaves. The request: 8 hours per week of dedicated analyst time, protected from the alert queue, for structured hunting campaigns. Phil's response is immediate. "I understand the gap. But how do I know this is working? What does success look like in six months? Because right now I can point to incident count, mean time to respond, and alert closure rate. What number does hunting give me?" Rachel needs four metrics, a cost comparison, and a compounding return model. Philosophical arguments about proactive security will not survive the budget conversation.
The hunt-to-detection pipeline as compounding investment
Every validated hunt produces at least one detection rule. This is the Convert step in the Hunt Cycle that TH1 teaches in detail — the mechanism that turns a one-time search into permanent automated coverage. What you hunted for manually this month, a rule detects automatically every hour going forward.
The compounding effect is what separates hunting from every other security investment Phil can make. A penetration test produces a point-in-time report. A red team exercise produces findings that age. A vulnerability scan produces a list that needs re-scanning next quarter. Hunting produces detection rules that fire indefinitely. Each campaign adds a rule. Each rule covers a technique that previously had no automated detection. After 12 months of monthly campaigns, the organization has 12 new rules deployed, 12 documented campaigns with findings, and a measurable reduction in the detection coverage gap from Section 0.1's calculation.
Year 2 does not re-hunt the same techniques. The first 12 are automated now. Year 2 hunts the next 12 techniques on the backlog while the first 12 rules run continuously. By year 3, the organization has produced 36 detection rules covering 36 techniques previously in the known-unknown layer. The investment curve is additive — each year's output builds on the previous year's output without replacement cost.
Figure TH0.7a — Hunt-to-detection pipeline compounding return. Each campaign produces a permanent detection rule. After three years of monthly campaigns, the organization has 36 rules covering techniques that previously had no automated detection.
Four metrics that demonstrate value
Phil needs numbers. These four are directly measurable from any Sentinel workspace, and each one answers a question leadership will ask.
Detection coverage gap closure rate. Baseline your detection coverage ratio (Section 0.1) before the hunting program starts. Re-measure quarterly. If you start at 21% ATT&CK technique coverage — the industry average from the CardinalOps 2025 State of SIEM Detection Risk report — and add 12 rules covering 12 new techniques against a relevant technique set of 100, coverage moves from 21% to 33%. Report it as both the absolute change (12 percentage points) and the relative improvement (57%), because leadership responds to relative improvement more than absolute numbers.
Hunt discovery rate. Of all incidents closed in the measurement period, what percentage were discovered through proactive hunting rather than automated alerting or external notification? An organization with no hunting discovers 100% of incidents through rules or third-party notification. An active hunting program discovers some percentage through hunts — compromises that no existing rule would have caught. Tag hunt-discovered incidents with a "HUNT-" prefix or "hunt-discovered" label when escalating to IR. Even a 5% hunt discovery rate means 5% of the organization's incidents would have gone undetected without hunting.
This query splits your closed incidents over six months into two buckets: incidents discovered through proactive hunting versus incidents caught by automated detection. The percentage in each bucket is your hunt discovery rate. Run it quarterly. Track the trend. If the hunting bucket stays at zero, your tagging convention is not working — not your hunting program.
Dwell time compression. Compare the median dwell time for incidents discovered through hunting versus incidents discovered through automated detection. M-Trends 2026, drawn from over 500,000 hours of incident response investigations, found global median dwell time rose to 14 days in 2025 — up from 11 days the year before. Organizations that detected intrusions internally did so in about 9 days. External notification cases averaged 25 days, pulled up by long-dwell espionage campaigns that averaged 122 days of undetected presence. If hunting discovers compromises at a median of 3 days while automated rules discover at a median of 14, hunting is compressing dwell time by 11 days per incident. Each compressed day represents attacker activity that didn't happen — data not exfiltrated, persistence not established, lateral movement not completed.
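The hunt discovery rate query described above and the dwell-time comparison can come from a single KQL query against the Sentinel SecurityIncident table. This is an added example, not the course's own query; it assumes the tagging convention the text recommends (a "HUNT-" title prefix or a "hunt-discovered" label) and uses FirstActivityTime-to-CreatedTime as the dwell proxy.

```kql
// Hunt discovery rate and median dwell time by discovery source, last 180 days.
// Assumes hunt-discovered incidents carry a "HUNT-" title prefix or a
// "hunt-discovered" label, applied when the hunt is escalated to IR.
let lookback = 180d;
let closedIncidents = SecurityIncident
    | where TimeGenerated > ago(lookback)
    | where Status == "Closed"
    // SecurityIncident writes one row per update; keep only each incident's final state
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | extend DiscoverySource = iff(
        Title startswith "HUNT-" or tostring(Labels) has "hunt-discovered",
        "Hunting", "Automated")
    // Dwell proxy: earliest observed attacker activity to incident creation
    | extend DwellDays = datetime_diff("day", CreatedTime, FirstActivityTime);
let totalClosed = toscalar(closedIncidents | count);
closedIncidents
| summarize Incidents = count(),
            MedianDwellDays = percentile(DwellDays, 50)
    by DiscoverySource
| extend PctOfClosedIncidents = round(100.0 * Incidents / totalClosed, 1)
| order by DiscoverySource asc
```

The "Hunting" row's PctOfClosedIncidents is the hunt discovery rate and the difference between the two MedianDwellDays values is the dwell-time compression; if only an "Automated" row comes back, the tagging convention is not being applied at escalation.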
Detection rule production rate. Track the number of detection rules produced per hunt campaign. The target is at least one per campaign. Then track how many of those rules fire within 90 days of deployment. A rule that fires validates the hunt's hypothesis — the technique is occurring in the environment and is now caught automatically. A rule that doesn't fire within 90 days still covers a technique that may occur in the future. But the firing rate gives Phil a visceral measure: "Of the 12 rules produced by hunting this year, 7 have already detected activity that would have been missed."
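The 90-day firing rate for hunt-derived rules can be measured from the SecurityAlert table. This is an added example, not the course's own query; the rule names and deployment dates in the datatable are constructed placeholders, and it assumes Sentinel scheduled analytics rules appear with ProviderName "ASI Scheduled Alerts" and the rule display name in AlertName.

```kql
// Detection rule production and 90-day firing rate for hunt-derived rules.
// Rule names and deployment dates are constructed placeholders; replace them
// with the rules your campaigns actually shipped and the date each went live.
let huntRules = datatable(RuleName:string, DeployedOn:datetime) [
    "HUNT-OAuth consent grant anomaly",   datetime(2025-01-15),
    "HUNT-Impossible travel sign-in",     datetime(2025-02-12),
    "HUNT-New inbox forwarding rule",     datetime(2025-03-10)
];
let firings = SecurityAlert
    | where TimeGenerated > ago(365d)
    | where ProviderName == "ASI Scheduled Alerts"   // Sentinel scheduled analytics rules
    | project RuleName = AlertName, FiredAt = TimeGenerated;
huntRules
// leftouter keeps rules that never fired (FiredAt is null for them)
| join kind=leftouter firings on RuleName
// Count only alerts inside the 90-day validation window after deployment
| extend InWindow = isnotnull(FiredAt) and FiredAt between (DeployedOn .. DeployedOn + 90d)
| summarize FiringsIn90d = countif(InWindow) by RuleName, DeployedOn
| extend FiredWithin90d = FiringsIn90d > 0
| summarize RulesProduced = count(),
            RulesFired = countif(FiredWithin90d),
            RulesSilent = countif(not(FiredWithin90d))
| extend FiringRatePct = round(100.0 * RulesFired / RulesProduced, 1)
```

Drop the final summarize and extend to see the per-rule table, which is the evidence behind a statement such as "of the 12 rules produced by hunting this year, 7 have already fired".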
The cost comparison leadership understands
The metrics build the operational case. The cost comparison builds the financial case.
Cost of finding a compromise through hunting. A hunt campaign takes one analyst 4–8 hours. At a fully loaded analyst cost of $65–85/hour (mid-market US), a single campaign costs $260–680. If the hunt discovers a compromise, incident response begins at day 3 instead of day 14 (the 2025 global median from M-Trends 2026) or day 25 (the median for breaches found through external notification). Remediation at day 3 is contained — password resets, session revocation, persistence removal. A few hours of focused work. Remediation at day 25 involves forensic investigation, breach notification assessment, legal review, regulatory reporting, and customer communication. Weeks of cross-functional effort.
Cost of finding a compromise through external notification. The IBM Cost of a Data Breach Report 2025 found the global average breach cost was $4.44 million, with US organizations averaging $10.22 million. The mean time to identify and contain a breach was 241 days globally. Organizations that deployed AI and automation extensively saved nearly $1.9 million per breach and cut their breach lifecycle by 80 days. Breaches discovered internally cost substantially less than those discovered through third-party notification.
The arithmetic. Twelve hunt campaigns per year at $680 each equals $8,160 in analyst time. Dedicating 8 hours per week to a sustained program costs approximately $33,000–$35,000 annually. One compromise discovered through hunting instead of external notification avoids remediation costs, regulatory penalties, legal fees, notification expenses, and reputational damage that dwarf the hunting investment. Hunting doesn't need to find a compromise every month to justify itself. It needs to find one per year that would otherwise have gone undetected. The probability of that finding increases with every campaign, because each hunt explores a different part of the known-unknown layer.
What hunting does not cost
A common objection: "We can't afford to take analysts off the alert queue for hunting." The implicit assumption is that hunting hours come at the expense of alert triage — a zero-sum allocation. This framing is wrong in two ways.
Hunting produces detection rules. Rules built from validated hunt data — tested against real production telemetry, tuned for the environment's actual noise level — produce fewer false positives than rules written speculatively from threat reports. Fewer false positives mean fewer wasted analyst hours on the alert queue. The hours "spent" on hunting return as hours saved on alert triage, plus the detection rule itself, which provides permanent coverage. The CardinalOps 2025 report found that 13% of existing SIEM rules in production environments are completely broken and will never fire. Hunt-derived rules avoid this problem because they're tested against real data before deployment.
Hunting produces environmental understanding. The analyst who has spent a week examining OAuth consent patterns across the tenant can triage an OAuth-related alert in minutes because they already know what normal looks like. The analyst who has never examined the baseline must build that understanding during every investigation — a process that takes hours per alert. Hunting front-loads the environmental knowledge that makes all other security operations faster. The time investment doesn't disappear when the hunt ends. It persists as institutional knowledge that reduces investigation time across every future alert in that domain.
When hunting finds nothing
Not every hunt finds a compromise. Most won't. This is frequently cited as evidence that hunting is not productive: "We hunted for six months and found nothing." The problem with that statement is that "nothing" is itself a finding.
A negative finding reduces organizational uncertainty. Before the hunt, you didn't know whether OAuth consent abuse had occurred in the last 90 days. After the hunt, you know it hasn't — or at least, you know it hasn't left evidence in the available telemetry. That reduction in uncertainty has compliance value (documented proactive monitoring) and operational value (you can prioritize other techniques with confidence that this one has been examined).
A negative finding establishes baselines. The authentication pattern hunt that reveals no anomalies also reveals what normal looks like: sign-in volume per user, geographic distribution, device diversity, time-of-day patterns. That baseline becomes the reference point for future hunts and for anomaly detection rules. The baseline is a deliverable. It has operational value independent of whether the hunt found a compromise.
A negative finding validates detection rules. A hunt that examines a technique already covered by a detection rule, and finds no activity the rule failed to catch, validates the rule's effectiveness. That validation is a finding — it confirms that detection engineering for that technique is sound. It also tests whether the rule's scope is too narrow, catching some variants but missing others.
A negative finding satisfies audit requirements. ISO 27001, NIST CSF 2.0, SOC 2, and PCI DSS all expect evidence of proactive threat monitoring. A hunt log that documents hypotheses tested, data sources examined, query logic used, and conclusions reached satisfies that requirement with evidence. An empty incident queue does not.
A hunting program that runs for 12 months and finds no compromises has produced 12 detection rules, 12 documented campaigns, baseline knowledge, rule validation, and evidence-backed uncertainty reduction across 12 threat techniques. The absence of compromise findings is a positive indicator — either the detection gap is smaller than feared for the techniques hunted, or those techniques aren't active in this environment during the measurement period. The program fails only if you stop. The techniques in the known-unknown layer are still there. The next campaign may discover the compromise that has been present for months while you were debating whether to continue funding. The argument is not "we checked and found nothing, so checking is pointless." The argument is "we checked and the environment is clean for these techniques. Now we check the next 12."
Threat Hunting Principle
Hunting is a compounding investment, not a recurring expense. Each campaign produces permanent detection rules, documented findings, environmental baselines, and audit evidence. The program pays for itself the first time it compresses dwell time on one intrusion that rules would have missed. Negative findings are not wasted effort — they reduce uncertainty, validate existing rules, establish baselines, and satisfy compliance requirements with evidence. The ROI is structural: hunt, find, convert to rule, hunt the next technique. Coverage grows. The gap shrinks. Every year builds on the last.