Threat hunting frameworks provide structured approaches for conducting hunts, turning “look for threats” into a systematic, repeatable methodology with defined processes and measurable coverage. The major frameworks each emphasize different aspects of hunting: MITRE ATT&CK maps attacker behaviors, TaHiTI structures intelligence-driven hunting, the Sqrrl loop formalizes the hypothesis cycle, and the Pyramid of Pain prioritizes hunting by how much it costs attackers to evade. Most mature hunting programs combine elements of multiple frameworks rather than adhering rigidly to one.
MITRE ATT&CK for threat hunting
MITRE ATT&CK is the most widely used framework in threat hunting because it provides a comprehensive, community-maintained taxonomy of attacker behaviors organized in a way that maps directly to hunting activities.
The framework organizes adversary behavior into tactics (what the attacker is trying to accomplish—initial access, persistence, lateral movement, etc.) and techniques (how they accomplish it). For hunters, ATT&CK serves two key functions: first, as a library of hunting hypotheses—each technique is a potential behavior to search for in your environment. Second, as a coverage map—by tracking which techniques you have active detections or hunting coverage for, you can systematically identify and close gaps.
ATT&CK-based hunting is particularly powerful because attacker techniques are more durable than indicators. Infrastructure rotates; techniques persist. Hunting for behaviors rather than artifacts produces more lasting defensive value.
The TaHiTI framework
Targeted Hunting integrating Threat Intelligence (TaHiTI) is a structured framework for intelligence-driven threat hunting developed by the financial sector security community. It provides a formal methodology for translating threat intelligence into hunting activities, with defined stages for intelligence intake, hunt planning, execution, and documentation.
TaHiTI’s core contribution is making the intelligence-to-hunt connection explicit and auditable. Rather than informal processes where a threat analyst reads an intelligence report and a hunter independently decides whether to act on it, TaHiTI defines how intelligence flows into hunt planning, what gets hunted and why, and how findings are documented and fed back into the intelligence cycle.
Organizations in regulated industries (particularly financial services) find TaHiTI valuable because it produces an auditable record of how threat intelligence is operationalized.
The Sqrrl hunting loop
The Sqrrl hunting loop (developed by the company that pioneered much of modern threat hunting methodology before being acquired by AWS) formalizes the iterative hypothesis-driven hunting cycle into four stages: Create hypothesis → investigate via tools and techniques → uncover new patterns and TTPs → inform and enrich analytics.
The loop’s key insight is that hunting isn’t linear; it’s cyclical. Each hunt produces findings that improve automated detection (the final stage feeds back into the beginning), and each improvement to detection generates new hypotheses about what still isn’t being caught. The Sqrrl loop makes this continuous improvement relationship explicit.
The Pyramid of Pain
The Pyramid of Pain, developed by security researcher David Bianco, categorizes indicators of compromise by how difficult they are for attackers to change. At the bottom: hash values (trivially changed). Moving up: IP addresses, domain names, network/host artifacts. At the top: tools and TTPs (expensive for attackers to change).
For hunters, the Pyramid of Pain provides a prioritization framework. Hunting for and detecting attacker TTPs (behaviors at the top of the pyramid) forces attackers to fundamentally change how they operate, which is costly and difficult. Hunting for file hashes forces them to recompile malware, which takes five minutes.
Building a hunting program that focuses on the top of the pyramid produces far more lasting defensive value than one focused on indicator-based hunting.
Kill chain-based hunting
The cyber kill chain (originally developed by Lockheed Martin) models attacker intrusions as a sequential set of stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Kill chain-based hunting focuses on detecting and disrupting attacker activity at specific stages in this sequence.
The strategic insight of kill chain-based hunting is that earlier disruption is more valuable. Stopping an attacker at the delivery or exploitation stage prevents all subsequent damage. Hunting for initial access and early-stage activity, even though it’s harder to detect, has higher ROI than focusing hunting exclusively on post-exploitation stages.
In practice, most organizations combine kill chain and ATT&CK frameworks: the kill chain provides strategic prioritization (focus earlier stages), ATT&CK provides the specific technique inventory for each stage.
Choosing and combining frameworks
No single framework is complete on its own. ATT&CK provides the best technique inventory but doesn’t dictate process. TaHiTI provides excellent process structure but is most valuable in intelligence-heavy environments. The Sqrrl loop provides the right mental model for continuous improvement but is light on specific methodology. The Pyramid of Pain provides excellent prioritization guidance but isn’t a hunting methodology on its own.
Most mature hunting programs use ATT&CK as their primary technique library and coverage map, incorporate the Sqrrl loop’s continuous improvement philosophy into their program design, apply Pyramid of Pain thinking to prioritize where to invest hunting effort, and use TaHiTI-style documentation when operationalizing specific intelligence.
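As an added example (not code from this article or from any of the named frameworks), the script below shows what combining ATT&CK as a coverage map with Pyramid of Pain prioritization looks like in practice: each detection or hunt is tagged with the ATT&CK technique it covers and the indicator level it relies on, and a technique covered only by low-pain indicators (a hash blocklist, for instance) is still reported as a gap. The ATT&CK slice is a handful of real technique IDs, while the detection names and their mappings are constructed for illustration.

```python
"""ATT&CK coverage map weighted by the Pyramid of Pain (added example;
technique slice and detection names are constructed, not a real inventory)."""
from collections import defaultdict

# Pyramid of Pain levels, bottom (cheap to evade) to top (costly to evade).
PAIN = {"hash": 0, "ip": 1, "domain": 2, "artifact": 3, "tool": 4, "ttp": 5}

# Constructed ATT&CK slice: technique ID -> (name, tactic).
TECHNIQUES = {
    "T1566.001": ("Spearphishing Attachment", "initial-access"),
    "T1059.001": ("PowerShell", "execution"),
    "T1547.001": ("Registry Run Keys / Startup Folder", "persistence"),
    "T1003.001": ("LSASS Memory", "credential-access"),
    "T1021.001": ("Remote Desktop Protocol", "lateral-movement"),
    "T1071.001": ("Web Protocols", "command-and-control"),
}

# Hypothetical detections/hunts: (name, technique covered, indicator level).
DETECTIONS = [
    ("av-hash-blocklist", "T1003.001", "hash"),
    ("lsass-handle-access", "T1003.001", "ttp"),
    ("c2-domain-feed", "T1071.001", "domain"),
    ("run-key-baseline-diff", "T1547.001", "ttp"),
]

def coverage_map(techniques=TECHNIQUES, detections=DETECTIONS):
    """Return {technique_id: highest pain level covered, -1 if uncovered}."""
    best = {tid: -1 for tid in techniques}
    for _, tid, level in detections:
        if tid in best:
            best[tid] = max(best[tid], PAIN[level])
    return best

def prioritized_gaps(techniques=TECHNIQUES, detections=DETECTIONS,
                     min_level=PAIN["tool"]):
    """Techniques uncovered or covered only below min_level, weakest first.
    A technique "covered" only by a hash rule still counts as a gap."""
    cov = coverage_map(techniques, detections)
    gaps = [(lvl, tid) for tid, lvl in cov.items() if lvl < min_level]
    return [tid for lvl, tid in sorted(gaps)]

def tactic_summary(techniques=TECHNIQUES, detections=DETECTIONS):
    """Per tactic: (techniques with any coverage, total techniques)."""
    cov = coverage_map(techniques, detections)
    out = defaultdict(lambda: [0, 0])
    for tid, (_, tactic) in techniques.items():
        out[tactic][1] += 1
        out[tactic][0] += cov[tid] >= 0
    return {t: tuple(v) for t, v in out.items()}
```

With the constructed data, `prioritized_gaps()` lists the three uncovered techniques first and then T1071.001, whose only coverage is a domain feed, while T1003.001 drops out of the gap list because the LSASS handle-access hunt covers it at the TTP level.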
Frequently asked questions
Which threat hunting framework should beginners start with?
Start with MITRE ATT&CK. It provides a concrete, actionable inventory of things to hunt for, a community of practitioners sharing hunting content built around it, and a coverage mapping approach that immediately shows where your gaps are. The Pyramid of Pain is a useful conceptual companion, as it helps prioritize where within ATT&CK to focus first.
Is MITRE ATT&CK a threat hunting framework or a detection framework?
Both. ATT&CK is equally useful for hunting (as a library of behaviors to search for) and for detection engineering (as a taxonomy for mapping your rule coverage). In threat hunting specifically, ATT&CK is used to generate hypotheses, structure hunt planning, and track coverage over time. Its versatility across both proactive and reactive security is a major reason for its widespread adoption.
Do MDR providers use these frameworks?
Yes. Most mature MDR providers structure their hunting programs around MITRE ATT&CK and use it as both a technique library and a coverage reporting tool. Sharing ATT&CK-mapped hunt coverage with customers is an increasingly common way for MDR providers to demonstrate what their hunting program actually covers.
How do frameworks help with hunt documentation?
Frameworks provide shared vocabulary that makes documentation consistent and searchable. Documenting a hunt as “investigated ATT&CK T1003.001 (LSASS Memory) across endpoint population” is far more useful than “looked for credential dumping” because it maps to a specific, queryable reference that future hunters can immediately understand and build on.
