Module Summary
Module 0: The Detection Gap
Section 0.1 — The Detection Gap. The detection gap is measurable from two angles. Coverage ratio quantifies which ATT&CK techniques have detection rules and which do not. Dwell time quantifies the operational cost of the gap: days an attacker operates before discovery. NE's coverage ratio is 29.5%, with a 14-day median dwell time matching the Mandiant M-Trends 2026 global median. Both metrics establish the baseline that the hunting program will improve.
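As an added illustration of the two metrics in Section 0.1 (this is example code written for this summary, not the course's own material, and the technique list, rules and incident dates are constructed, not NE's data), the following computes a coverage ratio over a set of in-scope ATT&CK techniques and a median dwell time over incident records, and shows how deploying one hunt-derived rule moves the ratio. Only enabled rules count toward coverage, so a rule that has silently decayed does not inflate the number.

```python
from datetime import date
from statistics import median

# Constructed sample data, not the course's NE environment: ATT&CK technique IDs
# judged in scope for an M365 tenant (the denominator of the coverage ratio).
TECHNIQUES_IN_SCOPE = {
    "T1078", "T1110", "T1111", "T1114", "T1136", "T1528", "T1550", "T1556",
    "T1566", "T1098", "T1534", "T1213", "T1087", "T1621", "T1586", "T1199",
    "T1530", "T1048", "T1564", "T1071",
}

# Constructed detection rules, each tagged with the techniques it claims to detect.
# A rule only counts toward coverage while it is enabled.
DETECTION_RULES = [
    {"name": "Impossible travel sign-in", "techniques": {"T1078"}},
    {"name": "Password spray burst", "techniques": {"T1110"}},
    {"name": "Inbox rule forwarding externally", "techniques": {"T1114"}},
    {"name": "New MFA method after risky sign-in", "techniques": {"T1556", "T1078"}},
    {"name": "Consent granted to unverified OAuth app", "techniques": {"T1528"}},
    {"name": "Phishing URL match (disabled, feed expired)", "techniques": {"T1566"}, "enabled": False},
]

# Constructed incident records: first attacker activity and the day it was discovered.
INCIDENTS = [
    {"first_activity": date(2025, 1, 3), "discovered": date(2025, 1, 20)},
    {"first_activity": date(2025, 2, 10), "discovered": date(2025, 2, 14)},
    {"first_activity": date(2025, 3, 1), "discovered": date(2025, 3, 15)},
    {"first_activity": date(2025, 4, 5), "discovered": date(2025, 5, 2)},
    {"first_activity": date(2025, 6, 9), "discovered": date(2025, 6, 10)},
]


def covered_techniques(rules):
    """Union of technique IDs claimed by enabled rules."""
    covered = set()
    for rule in rules:
        if rule.get("enabled", True):
            covered |= rule["techniques"]
    return covered


def coverage_ratio(techniques_in_scope, rules):
    """Fraction of in-scope techniques that at least one enabled rule detects."""
    if not techniques_in_scope:
        return 0.0
    covered = covered_techniques(rules) & techniques_in_scope
    return len(covered) / len(techniques_in_scope)


def uncovered_techniques(techniques_in_scope, rules):
    """The detection gap itself: in-scope techniques with no enabled rule (sorted for stable reports)."""
    return sorted(techniques_in_scope - covered_techniques(rules))


def dwell_days(incident):
    """Days between first attacker activity and discovery for one incident."""
    return (incident["discovered"] - incident["first_activity"]).days


def median_dwell_days(incidents):
    """Median dwell time across incidents; None when there is nothing to measure."""
    if not incidents:
        return None
    return median(dwell_days(i) for i in incidents)


def gap_report(techniques_in_scope, rules, incidents):
    """Both baseline metrics plus the hunt backlog candidates in one structure."""
    return {
        "coverage_ratio": coverage_ratio(techniques_in_scope, rules),
        "uncovered": uncovered_techniques(techniques_in_scope, rules),
        "median_dwell_days": median_dwell_days(incidents),
    }


if __name__ == "__main__":
    report = gap_report(TECHNIQUES_IN_SCOPE, DETECTION_RULES, INCIDENTS)
    print(f"Coverage ratio: {report['coverage_ratio']:.1%}")
    print(f"Median dwell time: {report['median_dwell_days']} days")
    print("Uncovered techniques (hunt backlog candidates):", ", ".join(report["uncovered"]))
    # One hunt campaign that yields a deployed rule for an uncovered technique moves the ratio.
    hunt_rule = {"name": "AiTM session token replay (hunt-derived)", "techniques": {"T1550"}}
    after = coverage_ratio(TECHNIQUES_IN_SCOPE, DETECTION_RULES + [hunt_rule])
    print(f"After deploying one hunt-derived rule: {after:.1%}")
```

The uncovered list is the natural seed for the hunt backlog built in the 90-day roadmap; re-running the report after each campaign gives the measurable coverage improvement the quarterly report needs.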
Section 0.2 — Why Detection Engineering Cannot Close the Gap. Five structural limitations prevent detection rules from covering the full threat surface: rules encode anticipation, require ingested telemetry, trade sensitivity for specificity, decay without self-evaluation, and generate alerts without investigation context. These limitations are architectural, not operational. Hunting addresses each one through a structurally different approach, and the hunt-to-detection pipeline connects the two disciplines.
Section 0.3 — The M365 Threat Landscape. Four technique categories dominate the current M365 threat landscape: AiTM session hijacking, living-off-the-cloud, OAuth persistence, and hybrid identity exploitation. All operate inside the detection gap using legitimate credentials and standard operations. The distinguishing signal is behavioral context, which is what hunting evaluates.
Section 0.4 — Where Hunting Fits. Hunting, incident response, and detection engineering are complementary disciplines connected by six handoffs. Hunting finds what rules miss and produces new rules. Detection engineering automates what hunting discovers. IR investigates what rules and hunts surface. The section also counters the common objections that prevent organizations from starting.
Section 0.5 — The Business Case for Hunting. The hunt-to-detection pipeline is a compounding investment: 72 analyst hours per year producing 12 or more detection rules at approximately $5,760 in annual cost. Three communication formats translate technical capability into leadership approval: the 60-second elevator pitch, the 15-minute leadership brief, and the one-page business case.
Section 0.6 — Organizational Readiness and Data Sources. Five prerequisites must be confirmed before Day 1: data ingestion, baseline detection rules, KQL proficiency, an IR process, and protected time. Three data clusters (identity, collaboration, endpoint) map to specific hunt campaigns across the course.
Section 0.7 — The Hunter's Skillset and Maturity. Five cognitive skills separate effective hunters from analysts running queries: environmental knowledge, lateral thinking, ambiguity tolerance, investigative patience, and documentation discipline. The Hunting Maturity Model measures program progression from HMM0 (Initial) through HMM4 (Leading). The practical target is reaching HMM2 (Procedural) within 90 days.
Section 0.8 — Your First 90 Days. Seven metrics (four value, three health) measure program effectiveness. The four-phase 90-day roadmap (Foundation, Backlog, Campaigns, Stabilization) produces four campaigns, three or more detection rules, measurable coverage improvement, and a quarterly report that proves the investment is working.
What's next
Module 1 teaches the Hunt Cycle: the six-step methodology that transforms a hypothesis into a documented finding and a deployed detection rule. You have the context, the business case, and the 90-day plan. Module 1 gives you the method. Modules 2 through 13 apply that method to specific M365 threat categories, building the campaigns that fill the detection gap you measured in Section 0.1.