Episode 2: Modernizing the threat hunting process | The Job Security Podcast


Podcasts · Ben Baker · TAGS: Hunting

Inside the minds of the THOR Collective founders as they unpack how the threat hunting process is changing, how AI is reshaping the work, and what it takes to build a program that actually delivers value.

Date: October 16, 2025
Duration: 39 minutes
Format: Podcast interview

Featuring:

  • Dave Johnson, Host, The Job Security Podcast
  • Tyler Zito, Co-host, The Job Security Podcast
  • Sydney Marrone, Co-founder, THOR Collective + Head of Threat Hunting, Nebulock, Inc. 
  • Lauren Proehl, Co-founder, THOR Collective + Global Head of Detection and Response (DART), Marsh McLennan


Introduction

It’s a running joke in security that if you ask three people what threat hunting is, you’ll get three different answers. For years, the threat hunting process has relied on individual style, intuition, and a lot of “run some queries and see what happens.”

The THOR Collective is trying to change that.

In this episode of The Job Security Podcast, host Dave Johnson and co-host Tyler Zito sit down with Sydney Marrone and Lauren Proehl, co-founders of the THOR Collective, to explore how modern teams can turn threat hunting from a solo act into a repeatable, documented, and collaborative threat hunting process.

They dig into:

  • How threat hunting evolved from loose, hypothesis-only work to structured frameworks and shared community practices
  • Where artificial intelligence helps (and hurts) the threat hunting process
  • How to start a threat hunting program without overcomplicating it
  • Why documentation, storytelling, and metrics are just as important as queries and detections
  • The role of community and collaboration in “thrunting” (threat + hunting)

If your team is trying to turn “we should do more threat hunting” into a real, sustainable threat hunting process, this conversation is a roadmap — complete with scrapes, bruises, and lessons learned.


What is the THOR Collective?

A community built to normalize and share the threat hunting process

Dave Johnson: It’s commonly said that if you ask three people what threat hunting is, you’ll get three different answers. The people at the keel of the THOR Collective are trying to change that. Threat hunting has long been a solo act of raw intention, mixed methods, and unpredictable results. The THOR Collective is here to build community and establish better practices — and yes, even to make “thrunting” more efficient.

Sydney Marrone: THOR Collective was founded last year. Lauren brought an idea to me and to our other co-founder, John Gregator. The seed was a project we now call Hearth — a way to share threat hunting knowledge and artifacts with the community.

Back when we worked together at CenturyLink, our team was called THOR: Threat Hunting, Operations, and Research. When we regrouped, it felt natural to bring that name back, but this time as a collective instead of a single internal team.

We started by building Hearth under the THOR Collective umbrella, then expanded into other projects — Dispatch (our blog), a podcast, community resources, and even a small merch store. Over time, Dispatch became our main focus because we were having so much fun sharing ideas and seeing them resonate with other hunters.

Dave Johnson: So the THOR Collective is less “we have the one true threat hunting process” and more “here are the patterns that worked for us — and might work for you too.”

Lauren Proehl: Exactly. We’re not trying to be the be-all, end-all of threat hunting. We’re saying, “Here are the scrapes and bruises we’ve picked up building threat hunting programs. Here’s what we wish we’d known earlier.” If those lessons make your threat hunting process more efficient or effective, that’s a win.

We all work in different parts of the industry now — red teaming, hands-on threat hunting, leadership — and we’re seeing the face of threat hunting change minute by minute. THOR Collective is our way of going on that journey with the community instead of alone.


The evolution of the threat hunting process

From “run some queries and hope” to structured approaches

Dave Johnson: When you look back at how you started in threat hunting versus how you work today, what’s changed in the threat hunting process?

Sydney Marrone: Early on, it was almost entirely hypothesis-driven — but in a pretty loose way. The scope was almost non-existent. We’d say, “Let’s hunt for X,” then just start running queries and hope for the best.

We had a lifecycle on paper, but we were still figuring it out as we went. As threat hunting has matured, we’ve realized there are many ways to hunt, not just narrow, hypothesis-driven runs:

  • Classic techniques like sorting and stacking
  • Applying advanced statistics
  • Leveraging machine learning
  • Incorporating cyber threat intelligence instead of focusing only on internal telemetry

All of that has expanded what “threat hunting” actually means.

Lauren Proehl: I still reference the PEAK threat hunting framework as a gold standard for structuring the threat hunting process. It closely mirrors how I was hunting years ago, but PEAK is more mature and battle-tested.

Historically, you saw a lot of baselining and hypothesis-driven hunts from the late 2000s through roughly 2019–2020. Now, there’s this additional layer where:

  • AI and machine learning are part of the toolset
  • Threat hunting can happen in internal environments and across external data sets, like large malware sample collections or global telemetry from a vendor’s customer base

So the definition of threat hunting has widened — and the process has become more structured.


How AI is reshaping the threat hunting process

Threat side vs. defense side

Tyler Zito: We’ve all seen AI ramp up fast. How has that affected your threat hunting approach and the threat hunting process overall?

Lauren Proehl: I joke that I’m a “certified AI hater,” which isn’t totally fair — I just don’t think AI is replacing people’s jobs tomorrow. I see it more as augmentation over the next few years.

There are two different conversations:

  1. Threats using AI

  2. Defenders using AI in the threat hunting process

On the threat side, AI is reducing a lot of the old red flags:

  • Phishing emails suddenly have perfect grammar
  • Attackers use AI to write malware
  • Social engineering content looks more polished and believable

But I haven’t seen evidence of fully autonomous, AI-driven attacks happening in the wild. Instead, AI is another tool in the attacker’s toolbox — just like it’s another tool in ours.

On the defense side, AI is significantly lowering the barrier to entry for threat hunting:

  • It helps translate query languages across different platforms
  • It summarizes long threat intel reports we don’t have time to read end-to-end
  • It can help newer hunters understand complex data faster

Sydney Marrone: I’ve used a lot of AI tools, including code-focused models, in personal projects and side experiments. It’s honestly scary good at some of this.

For the threat hunting process, I see AI helping with:

  • Summarization of hunts, tickets, and investigation notes
  • Suggesting queries or filters as you explore data
  • Helping newer hunters get unstuck when they don’t yet know a platform’s language

The key is balance. AI can make the threat hunting process much faster and more accessible, as long as people don’t rely on it entirely and still develop their own judgment.


How to start a threat hunting program (without overcomplicating it)

Start small, pick a framework, and fix the basics first

Dave Johnson: If someone has never built a threat hunting program before, where should they start?

Sydney Marrone: My biggest advice is: start small and don’t overcomplicate it.

A good starting point for your threat hunting process:

  1. Adopt a framework
    • PEAK
    • Sqrrl
    • TaHiTI
    • Or a homegrown framework that borrows from these

    When Lauren and I started, she built out the lifecycle we used for hunting. Having that lifecycle written down is a huge step.

  2. Begin with hypothesis-driven hunts
    It’s one of the simplest and most approachable ways to learn the process.

  3. Make sure you’ve nailed the basics first
    Look at the Pyramid of Pain. The bottom layers — hashes, IPs, domains — are things your SOC or IR team should already be automating and detecting via your SIEM or other tooling.

    If you’re still manually chasing commodity IOCs, you’re going to struggle to make time for higher-value, behavior-based hunting.

Your threat hunters should be spending time on the top half of the Pyramid of Pain — behaviors, TTPs, and more durable indicators that actually push your detection coverage forward.

Dedicated time or it never happens

Lauren Proehl: The other huge piece is dedicated time. If you tell incident responders to “hunt in their downtime,” they’ll never hunt. There’s always another fire.

If you’re serious about a threat hunting program:

  • Give teams dedicated days or blocks of hours to hunt
  • Be realistic about what your current staff can handle
  • If you’re a very small team (doing engineering, GRC, SOC, everything), consider services or partners to augment some areas so you can protect time for hunting

Threat hunting is one of those capabilities that I think is worth doing in-house as much as possible because no one knows your environment like you do. But services can help with IOCs, automation, and scaling hunts across multiple customers, which can inform what you do internally.

Use the tools you already have

Sydney Marrone: In a perfect world, you’d have:

  • A well-tuned SIEM
  • Strong EDR coverage
  • Broad, well-parsed log sources

That’s the dream.

But a lot of organizations don’t have that fully in place yet. So part of your threat hunting process is to use what you have:

  • Many tools — even AV consoles — have basic search capabilities
  • EDR platforms offer hunt-style queries across endpoint telemetry
  • You can evaluate each tool for hunt value and build hunts around their strengths

You can still do meaningful threat hunting without a full SIEM, as long as you understand what data you do have and what gaps you’re working around.


Storytelling and proving the value of your threat hunting process

Every hunt should have an output

Tyler Zito: One challenge we see a lot: it’s hard to explain the value of threat hunting to leadership and get real investment. How do you communicate what you’re doing?

Lauren Proehl: I think about it in two parts:

  1. Don’t hunt in a bubble

  2. Treat yourself like a marketer for your threat hunting program

I have a mantra: every single hunt should have an output.

That output isn’t always, “We found an active attacker.” In fact, most outputs are things like:

  • Misconfigurations
  • Missing logs from key systems
  • Undocumented or risky processes
  • Visibility gaps you wouldn’t have noticed otherwise

Those are real findings that move your security posture forward. Your job — and your manager’s job — is to package those findings so your org can see the impact.

We use:

  • Metrics and dashboards
  • Readouts and presentations for leadership
  • Short, focused reports that highlight what changed as a result of a hunt

And we frame them around risk and business value, not just technical detail.

Sydney Marrone: Share everything. If you’re not talking about what you found, people will assume nothing is happening. The threat hunting process only proves its value if others can see the results.


Documenting the threat hunting process so it can be repeated

“If it isn’t documented, it didn’t happen.”

Dave Johnson: There’s an analogy in this episode about mountain rescue teams, search areas, and documenting where you’ve already looked. How does that apply to threat hunting?

Tyler Zito: In search and rescue, we:

  • Track where each team searched
  • Capture how thoroughly an area was covered
  • Log any clues, even if we didn’t find the person

Over time, that creates a map of coverage. You know where you’ve looked, what you’ve ruled out, and where to go next.

Sydney Marrone: That’s exactly how we think about documentation in threat hunting. First you identify the areas of your environment you want to baseline and explore. Then you document:

  • What parts of the environment you hunted
  • What techniques you used
  • What you found, even if it’s “no malicious activity observed”
  • What still needs to be covered

You can map this back to something like the MITRE ATT&CK framework to see which tactics and techniques you’ve hunted for — and which areas are still blind spots in your threat hunting process.

Lauren Proehl: My rule is: if it isn’t documented, it didn’t happen.

Ideally, your hunts live in tickets or a structured system, not random Word docs. Once a hunt is complete, you should be able to hand your internal notes to another threat hunter and have them:

  • Recreate your environment scope
  • Re-run your queries
  • Follow your reasoning
  • Replicate your findings

If they can’t do that, your documentation probably isn’t strong enough.


Threat hunting utopia: What a mature threat hunting process looks like

Dave Johnson: If you could wave a magic wand and give organizations the perfect threat hunting process, what would that look like?

Sydney Marrone: You’d have:

  • A dedicated, proactive threat hunting team
  • Clear separation from alert triage and incident response
  • A steady flow of intelligence-driven hypotheses about what to hunt for
  • Time to go deep instead of reactionary alert chasing

And your biggest “finding” wouldn’t always be malware. It would often be knowledge — insights about how your environment behaves, where your logs fall short, and how your detection coverage maps to real attacker techniques.

Lauren Proehl: I’d add:

  • Unlimited, well-parsed data
  • A powerful, flexible SIEM (yes, I’m biased toward platforms that make hunting easier)
  • Threat hunters who stay current on community research (including THOR Collective)
  • Strong collaboration across teams and even across organizations

We’re not going to get perfect data or four extra hours a day. But we can move closer to that ideal by investing in:

  • Good logging
  • Solid documentation
  • A repeatable threat hunting process
  • And a community that shares what works and what doesn’t


Getting involved in the threat hunting community

Where to plug in and keep learning

Dave Johnson: For listeners who want to get more involved in threat hunting and the broader community, where should they start?

Lauren Proehl: Obviously we’re biased, but we’d love people to check out THOR Collective — especially our Dispatch blog and the projects around Hearth.

Beyond that:

  • Blue Team Village at DEF CON is a fantastic place to learn, volunteer, and connect
  • You can volunteer at conferences, even on registration or logistics, and still absorb a ton of knowledge just by being around other defenders
  • Local and regional conferences (like CactusCon and others) are great places to start if DEF CON isn’t accessible

Our paid THOR Collective members get access to a members-only Discord where there’s a lot of ongoing discussion and collaboration, including previews of some of the AI tools Sydney is experimenting with. But you don’t have to pay to be part of the community. Start by reading, sharing, and contributing where you can.

Sydney Marrone: I’ll echo that: network and participate. It doesn’t have to be a big Vegas conference — local cons and small events are just as valuable.

The only way we really improve the threat hunting process across the industry is by doing this together — sharing what we learn, being honest about what didn’t work, and helping new hunters get up to speed faster than we did.


Frequently asked questions about building a threat hunting process

What is the threat hunting process?

The threat hunting process is a structured, proactive approach to searching for threats that haven’t triggered alerts or been detected by automated tools. It usually follows a repeatable lifecycle: form a hypothesis, gather and analyze data, investigate anomalies, document findings, and use those insights to strengthen detections and improve visibility.
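The lifecycle above, carried through end to end as an added example (this is not code from the podcast, the speakers, or THOR Collective): a hypothesis-driven hunt that uses stack counting, the classic technique Sydney mentions earlier, over constructed process-creation events, and finishes with a structured hunt record rather than a loose note. Every input is made up for the example: the events, the host inventory, the hunt ID, the ATT&CK technique IDs chosen for the hypothesis, and the "seen on at most one host" threshold that defines the long tail of the stack.

```python
"""Added example: a small hypothesis-driven hunt with stack counting and a
structured write-up. Not code from THOR Collective or the podcast speakers;
every event and host below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field, asdict
from datetime import date

# Constructed endpoint telemetry: one process-creation event per tuple
# (host, parent image, child image). A real hunt would pull this from EDR or a SIEM.
EVENTS = [
    ("ws01", "explorer.exe", "outlook.exe"),
    ("ws01", "outlook.exe", "winword.exe"),
    ("ws02", "explorer.exe", "outlook.exe"),
    ("ws02", "outlook.exe", "winword.exe"),
    ("ws03", "explorer.exe", "outlook.exe"),
    ("ws03", "outlook.exe", "winword.exe"),
    ("ws03", "winword.exe", "powershell.exe"),   # the odd one out
    ("ws04", "explorer.exe", "chrome.exe"),
    ("ws04", "services.exe", "svchost.exe"),
]
# Hosts in scope per a (constructed) asset inventory. ws05 never reports in.
IN_SCOPE_HOSTS = {"ws01", "ws02", "ws03", "ws04", "ws05"}


@dataclass
class HuntRecord:
    """The documentation a second hunter needs to re-run and replicate the hunt."""
    hunt_id: str
    hypothesis: str
    attack_technique: str
    scope: list
    queries: list
    findings: list = field(default_factory=list)
    visibility_gaps: list = field(default_factory=list)
    hunt_date: str = field(default_factory=lambda: date.today().isoformat())


def stack_parent_child(events):
    """Stack counting: for each parent->child pair, count the distinct hosts it appears on."""
    hosts_per_pair = defaultdict(set)
    for host, parent, child in events:
        hosts_per_pair[(parent, child)].add(host)
    return {pair: len(hosts) for pair, hosts in hosts_per_pair.items()}


def long_tail(stack, max_hosts=1):
    """Pairs seen on at most `max_hosts` hosts: the rare end of the stack that merits review."""
    return sorted(pair for pair, n in stack.items() if n <= max_hosts)


def reporting_gaps(events, in_scope):
    """In-scope hosts with zero events are a visibility finding, not a clean result."""
    seen = {host for host, _, _ in events}
    return sorted(in_scope - seen)


def run_hunt(events=EVENTS, in_scope=IN_SCOPE_HOSTS):
    """Hypothesis -> analysis -> findings -> documented record, in one pass."""
    record = HuntRecord(
        hunt_id="HUNT-0001",  # hypothetical identifier
        hypothesis="Office applications spawning script interpreters indicate macro-based phishing",
        attack_technique="T1566.001 / T1059.001",  # ATT&CK IDs chosen for the hypothesis
        scope=sorted(in_scope),
        queries=["stack (parent, child) by distinct host over process-creation events"],
    )
    stack = stack_parent_child(events)
    office = {"winword.exe", "excel.exe", "outlook.exe"}
    interpreters = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
    # Rarity alone is not malice: the hypothesis decides which rare pairs matter.
    for parent, child in long_tail(stack):
        if parent in office and child in interpreters:
            record.findings.append(f"{parent} -> {child} on {stack[(parent, child)]} host(s): review")
    record.visibility_gaps = [f"no process telemetry from {h}" for h in reporting_gaps(events, in_scope)]
    if not record.findings:
        record.findings.append("no malicious activity observed")  # negative results are still output
    return record


if __name__ == "__main__":
    print(asdict(run_hunt()))
```

Two design points worth noting. The long tail contains more than the one interesting pair (explorer.exe -> chrome.exe is rare here only because the sample is tiny), which is why the hypothesis, not the count, decides what becomes a finding. And a hunt that finds nothing still produces a record with a negative result and a list of hosts that never reported, so the "no malicious activity observed" outcome and the missing-logs finding are both captured as output, as the page recommends.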

How does threat hunting differ from incident response?

Incident response reacts to confirmed alerts or active threats.

Threat hunting is proactive—it looks for suspicious behavior before alerts fire. Hunters often uncover misconfigurations, missing logs, or process gaps along the way, so the value isn’t limited to catching attackers.

Do I need a SIEM to start threat hunting?

A SIEM helps, but you can start with the tools you already have. Many EDR platforms, AV consoles, and cloud services offer search and hunting capabilities. The key is knowing what data you have and building hunts around your visibility—not waiting for a perfect toolset.

Can AI help with the threat hunting process?

Yes—AI can summarize intel, translate query languages, and help reduce the barrier to entry for new hunters. But it shouldn’t replace human judgment. Think of AI as an assistant that speeds up the work, not a system that makes decisions for you.

How do you measure the success of threat hunting?

Every hunt should have an output. Success isn’t only catching attackers—it’s uncovering visibility gaps, logging issues, risky processes, and improvements that strengthen detection coverage. Over time, strong documentation and measurable changes in security posture show the value of the program.

What skills do new threat hunters need?

Curiosity is the biggest one. Beyond that: understanding attacker behavior, familiarity with query languages or EDR/SIEM tools, comfort with data analysis, and strong documentation habits. Frameworks like PEAK, Sqrrl, and TaHiTI help new hunters learn the process step-by-step.

How do I get started with threat hunting at my organization?

Start small. Pick a framework, choose a narrow hypothesis, block out dedicated time, and document everything you find—positive or negative. Use the tools you already have, and grow your scope as your visibility, confidence, and maturity improve.


This transcript has been edited for clarity and readability. The insights and recommendations discussed reflect the personal experiences and opinions of the speakers and may not represent the views of their affiliated institutions. Individuals considering cybersecurity careers should evaluate their own circumstances, aptitudes, and career goals when making educational decisions.

For more cybersecurity career insights and industry perspectives, subscribe to The Job Security Podcast on Apple Podcasts, Spotify, or your app of choice, or visit expel.com/blog for the latest in security operations and threat intelligence.
