The Hunter's Skillset and Maturity

3-4 hours · Module 0 · Free
What you already know

Section 0.6 confirmed the organizational prerequisites and data sources. Infrastructure is ready. This section addresses the human side: the five cognitive skills that distinguish effective hunting from ad-hoc querying, and the maturity model that measures where your program sits on the progression from reactive to optimized. Understanding both lets you assess your current capability honestly and plan the development path.

Scenario

Rachel needs to choose who runs NE's first hunting campaigns. Priya Sharma has 18 months of SOC experience, solid KQL skills, and an instinct for following anomalies. A certified SANS GIAC holder has applied for a contract role with five years of threat hunting experience at a Fortune 500. Phil asks whether NE needs to hire externally. Rachel's answer depends on understanding which skills actually matter for hunting effectiveness and whether Priya can develop them on the job.

The gap between running queries and hunting

KQL proficiency is prerequisite 3 from Section 0.6. It is necessary but not sufficient. An analyst who can write a complex multi-table join is not automatically an effective hunter. What separates running queries from hunting is cognitive, not technical.

Consider two analysts investigating the same hypothesis: "Service principals with newly added credentials authenticated from IPs not previously associated with the application." Both write identical KQL. Both receive the same 47-row result set. Analyst A scans the results, sees no obvious malware indicators, marks the hunt as negative, and moves on. Analyst B notices that three of the service principals authenticated from the same IP range, that the range belongs to a residential VPN provider, and that the credential additions occurred within a 90-minute window on a Saturday. That technique matches a documented pattern for Azure AD backdoor persistence. Analyst B escalates. KQL skill is not the differentiator. It is the five cognitive skills described below.

Five cognitive skills for effective hunting

Environmental knowledge. The hunter must know what normal looks like before they can recognize abnormal. Which service principals authenticate regularly and to which resources. Which users access SharePoint at 3 AM because they work in different time zones. Which automation accounts generate bulk AuditLogs entries every Sunday during the backup window. Which conditional access policies create expected sign-in failures for users in specific locations. This knowledge is acquired through months of working in the environment, reviewing alert triage notes, studying the architecture documentation, and building mental models of legitimate behavior. There is no shortcut. Each hunting campaign deepens this knowledge: the baseline data from a negative finding teaches the hunter what normal looks like for that specific activity. By the sixth campaign, the hunter has six behavioral baselines that compound into environmental fluency. This is why in-house hunters like Priya have an advantage that external contractors cannot replicate in the first 90 days: they know the environment's behavioral patterns because they have been triaging its alerts.

Lateral thinking. The attacker does not follow the ATT&CK matrix in order. A finding in one table suggests a hypothesis about a different table. A hunter who discovers a suspicious OAuth consent in AuditLogs should immediately think: "What did this application access after consent? Check MicrosoftGraphActivityLogs. Did the same user receive a phishing email? Check EmailEvents. Was the consent preceded by an anomalous sign-in? Check SigninLogs." Each question generates a new query against a different data source. Generating these lateral hypotheses in real time, pivoting from one finding to the next, is the cognitive skill that transforms a single observation into a multi-stage investigation.

Ambiguity tolerance. Hunting produces ambiguous results. A result set of 200 rows contains 195 legitimate events and 5 suspicious ones, but which five? There is no label, no severity score, no playbook that says "row 47 is the attacker." The analyst must sit with the ambiguity, resist the urge to close the investigation prematurely, and work through the data methodically until the pattern emerges or until the data confirms that no pattern exists. SOC analysts trained on alert triage expect binary outcomes: true positive or false positive, escalate or close. Hunting requires tolerance for "this might be something, I need more data" as a stable working state that persists for hours across multiple sessions. The ability to function productively in uncertainty is the cognitive skill that most predicts hunting effectiveness.

Investigative patience. A hunting campaign that spans four weekly sessions does not produce its most important finding in the first hour. The first session establishes the baseline. The second session refines the query based on environmental noise. The third session identifies the anomalous pattern. The fourth session confirms the finding and produces the detection rule. Analysts who expect results from every session burn out or abandon campaigns before the finding emerges. Investigative patience is the discipline to continue a campaign when the first two sessions produced only baseline data. The hunter who abandons a campaign after one session because "nothing came up" has confused the absence of an immediate finding with the absence of value. The baseline from Session 1 is the foundation that makes Session 3's finding recognizable. Patience is a skill that improves with practice and deteriorates with constant interruption, which is why protected time matters.

Documentation discipline. Every hunt must be documented regardless of outcome. The hypothesis, the data sources queried, the KQL used, the results, the analysis, the finding (positive or negative), and the detection rule produced. This documentation serves four purposes: audit evidence, methodology improvement, knowledge transfer, and pipeline tracking. The most undervalued output of hunting is negative documentation: the record that a specific technique was investigated, that no evidence was found, and that a detection rule was deployed to monitor permanently. Without documentation, the hunting program cannot demonstrate value, cannot improve methodology, and cannot prove to leadership that the investment is working. The quarterly report that Section 0.8 describes depends entirely on the cumulative documentation from each campaign. Every undocumented hunt is a hunt that never happened from leadership's perspective.

[Figure: Hunting Maturity Model (HMM)]
HMM0 Initial: No hunting. Rules only.
HMM1 Minimal: IOC sweeps from external intel.
HMM2 Procedural: Hypothesis-driven. Documented output.
HMM3 Innovative: Original hypotheses from internal data.
HMM4 Leading: Automated and continuous.
HMM1 → HMM2: where programs succeed or stall. Requires: documented backlog + Hunt Cycle methodology + protected time + rule conversion pipeline.
This course takes you to HMM2 within 90 days.

David Bianco's Hunting Maturity Model. HMM2 (Procedural) is the first level where genuine hypothesis-driven hunting occurs. The HMM1-to-HMM2 transition is where most programs either succeed or stall.

The Hunting Maturity Model

David Bianco (then at Sqrrl, now part of the broader hunting community) developed the Hunting Maturity Model (HMM) as a five-level framework for assessing organizational hunting capability. It remains the most widely referenced maturity model for threat hunting programs.

HMM0 (Initial): The organization relies entirely on automated detection. Sentinel analytics rules fire alerts, the SOC triages them, and IR investigates confirmed incidents. No proactive hunting occurs. If a rule does not fire, the threat goes undetected. The 70% of ATT&CK techniques without detection rules operate with complete impunity. Most organizations start here, and many stay here for years without recognizing the gap.

HMM1 (Minimal): The organization can search for indicators of compromise when provided by external threat intelligence. A Microsoft threat advisory identifies a specific IP range associated with Storm-2949. The SOC analyst searches SigninLogs for that IP range. This is reactive searching: the trigger is external, the scope is predefined, and the methodology is "search for this specific value." Many organizations that claim to hunt are at HMM1. They run IOC sweeps when a vendor advisory arrives and call it hunting.

HMM2 (Procedural): The organization follows documented hunting procedures. A hypothesis is formulated from the backlog: "Service principals with newly added credentials may be authenticating from attacker-controlled infrastructure." The hunter identifies the data sources (AADServicePrincipalSignInLogs, AuditLogs), writes the query, analyzes the results against the behavioral baseline, documents the finding, and converts the query to a detection rule. The methodology is repeatable. The output is structured. This is the first level where the organization is genuinely hunting, and it is where this course takes you.
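The "analyze the results against the behavioral baseline" step of the HMM2 procedure, and the pattern Analyst B spotted in the 47-row result set earlier, as an added Python example (not code from the course): it takes rows of the shape the hunt query returns, drops sign-ins from IPs already in each service principal's 30-day baseline, and flags IP ranges where several principals had credentials added inside a short weekend window. All rows, service principal names and the 203.0.113.0/24 range are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample rows shaped like the hunt's result set: one row per
# service principal sign-in that followed a credential addition. All values
# are made up; 203.0.113.0/24 (TEST-NET-3) stands in for the residential VPN
# range described in the text.
ROWS = [
    # (service_principal, source_ip, credential_added_at)
    ("sp-backup-job",    "10.40.2.15",    datetime(2024, 6, 3, 9, 12)),   # Monday, corp IP
    ("sp-billing-sync",  "10.40.2.15",    datetime(2024, 6, 4, 14, 5)),   # Tuesday, corp IP
    ("sp-crm-connector", "203.0.113.21",  datetime(2024, 6, 8, 22, 10)),  # Saturday
    ("sp-hr-export",     "203.0.113.77",  datetime(2024, 6, 8, 22, 48)),  # Saturday
    ("sp-teams-bot",     "203.0.113.140", datetime(2024, 6, 8, 23, 25)),  # Saturday
    ("sp-log-shipper",   "198.51.100.9",  datetime(2024, 6, 8, 23, 30)),  # Saturday, other range
]

# Constructed 30-day baseline: the IPs each service principal normally signs in from.
BASELINE = {
    "sp-backup-job": {"10.40.2.15"},   "sp-billing-sync": {"10.40.2.15"},
    "sp-crm-connector": {"10.40.2.30"}, "sp-hr-export": {"10.40.2.30"},
    "sp-teams-bot": {"10.40.2.30"},     "sp-log-shipper": {"10.40.2.30"},
}


def new_ip_rows(rows, baseline):
    """Keep only sign-ins from an IP the service principal has not used before."""
    return [r for r in rows if r[1] not in baseline.get(r[0], set())]


def group_by_range(rows, prefix=24):
    """Bucket rows by /prefix network so 'same IP range' becomes visible."""
    groups = defaultdict(list)
    for sp, ip, added in rows:
        net = ip_network(f"{ip}/{prefix}", strict=False)
        groups[str(net)].append((sp, ip, added))
    return groups


def suspicious_clusters(rows, baseline, min_sps=3, window=timedelta(minutes=90)):
    """Flag ranges where at least min_sps distinct service principals had
    credentials added within `window` of each other, all on a weekend."""
    hits = {}
    for net, members in group_by_range(new_ip_rows(rows, baseline)).items():
        times = sorted(m[2] for m in members)
        sps = sorted({m[0] for m in members})
        span = times[-1] - times[0]
        if len(sps) >= min_sps and span <= window and all(t.weekday() >= 5 for t in times):
            hits[net] = {"service_principals": sps,
                         "span_minutes": int(span.total_seconds() // 60)}
    return hits
```

Rows that pass the baseline filter but form no cluster (the single sign-in from 198.51.100.0/24 here) are exactly the residue a hunter still has to work through by hand; the function narrows the set, it does not close the hunt.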

HMM3 (Innovative): The organization generates original hypotheses from internal data analysis. The hunter notices that a cluster of service principals have credential additions during European business hours but authenticate during US evening hours. No external intelligence suggested this pattern. The hunter recognized it by analyzing the organization's own AuditLogs over six months and identifying a temporal anomaly that standard IOC matching would never surface.

HMM4 (Leading): Hunting is automated and continuous. The organization has built systems that execute hunting workflows on a schedule, generate hypotheses from machine learning models trained on environmental data, and integrate hunting findings into the detection pipeline automatically. Few organizations reach HMM4, and it is not a realistic target for most. For a new program, the practical goal is reaching HMM2 within 90 days and sustaining it.

The two-axis assessment

Maturity depends on two axes: data capability and analyst skill. An organization with comprehensive data ingestion but no hunting methodology is HMM1 at best: they can run IOC sweeps but cannot formulate original hypotheses. An organization with skilled analysts but incomplete data ingestion is also capped: the analyst cannot hunt what the data does not record.

Assess your position honestly by answering two questions. First, can your organization collect and search data from all three clusters (identity, collaboration, endpoint) within a defined time window? If not, data gaps cap your maturity regardless of analyst skill. Second, can your analysts formulate a hypothesis, write the query, analyze ambiguous results, and document the finding without following a step-by-step playbook? If not, analyst capability caps your maturity regardless of data availability.

The HMM1-to-HMM2 transition

This is where programs succeed or stall. The difference between HMM1 and HMM2 is the difference between reactive IOC searching and proactive hypothesis-driven investigation. Four things drive the transition: a documented hypothesis backlog (not just a list of IOCs), a structured Hunt Cycle methodology (Module 1 teaches this), protected time for campaign execution (prerequisite 5), and a rule conversion pipeline that turns findings into detection rules.

This transition is measurable. At HMM1, the SOC runs IOC sweeps when advisories arrive. At HMM2, the hunter formulates an original hypothesis on Monday, executes the campaign across two sessions during the week, documents the finding on Friday, and submits the detection rule for deployment the following Monday. The difference is visible in the quarterly report: HMM1 programs produce a list of IOC sweeps performed. HMM2 programs produce a list of hypotheses tested, findings documented, and detection rules deployed. Leadership can see the difference without understanding the methodology.

Rachel's assessment of NE: data capability is moderate (identity and endpoint clusters ingested, collaboration cluster partially ingested); analyst skill is developing (Priya has the KQL and the environmental knowledge but has not yet executed a full Hunt Cycle). NE is at HMM1 with the infrastructure to reach HMM2 within the first 90 days. The external contractor with five years of experience would start at HMM2 capability but would lack environmental knowledge for 90 days. Priya, equipped with the Hunt Cycle methodology, starts at HMM1 with environmental knowledge already in place. Rachel chooses Priya and budgets the contract role for Quarter 2 if the program scales.

Hiring a senior threat hunter before establishing the methodology, the backlog, and the data sources

The contractor arrives with advanced skills and no environment to apply them to. Three tables are not ingested. No hypothesis backlog exists. No Hunt Cycle documentation guides the methodology. The contractor spends Week 1 building infrastructure that should have been in place on Day 1, and leadership asks why the expensive hire is "just setting things up" instead of finding threats. Build the infrastructure first. Hire the expertise when it has something to operate on.

Threat Hunting Principle

KQL proficiency is necessary but not sufficient. Environmental knowledge, lateral thinking, ambiguity tolerance, investigative patience, and documentation discipline are the cognitive skills that separate effective hunting from ad-hoc querying. The HMM1-to-HMM2 transition requires all five, a documented methodology, and a hypothesis backlog. Maturity is measured on two axes: data capability and analyst skill. A gap on either axis caps the program.

Next

Section 0.8 brings everything together into an executable 90-day plan: the metrics that measure program value, the four-phase roadmap from Foundation through Stabilization, and the Day 90 checkpoint that proves the investment is working.
