Module 6: Operationalizing the Hunt
Turn hunting into a repeatable, measurable program. Document, automate, and prove value to leadership.
Lessons & Labs
Lesson 6.1 — Threat Report to Hunt Hypothesis
Multi-phase intelligence reading. Entity decomposition. Evidence prediction. Turning a published threat advisory into a structured hunt plan.
Lab 6.1 — Threat Report Dissection
Decompose a fictional CERT advisory on the NightCrypt ransomware campaign into MITRE-mapped, testable hunt hypotheses, prioritized query plans, and a Hunt Hypothesis Document (browser-only).
Lesson 6.2 — Documentation and Knowledge Management
Note-taking during hunts, organizing findings for reuse, and building a team knowledge base. The Investigation Notebook System: fast notes during the hunt, slow review after it.
Lab 6.2 — Hunt-to-Sigma Pipeline
Operationalize hunt findings: write Sigma rules for three patterns, convert them with sigma-cli to OpenSearch/Wazuh queries, validate them in Threat Hunting, and document the tuning.
Lesson 6.3 — Metrics and Executive Reporting
Proving hunt value to leadership. Tracking coverage improvements, data source ROI, and detection gap closure over time.
Lesson 6.4 — Building a Hunt Program
Maturity levels from reactive (L0) to proactive (L4). Staffing models, cadence, automation boundaries, and the hunt-to-detect feedback loop.
Lab 6.3 — Capstone: Full Campaign Investigation
Conduct a comprehensive threat hunt across all log sources to identify three concurrent campaigns, build timelines, extract IOCs, and deliver an executive investigation summary.
Lesson 6.5 — Hunt Program Maturity Assessment
Self-assessment exercise across 5 dimensions: data coverage, hypothesis quality, tool proficiency, documentation maturity, and organizational integration. Score your program and build a 90-day improvement plan.