Closing the Security Gap From Threat Hunting to Detection Engineering

By Ilya Kolmanovich, Alejandro Houspanossian, Joe Malenfant and Tomer Shloman · April 16, 2025

In today's rapidly evolving AI-fueled threat landscape, every organization is trying to stop threats as early as possible. Threat hunting and detection engineering are crucial components of a proactive cybersecurity strategy. Threat hunting involves actively searching for and identifying hidden threats that may have evaded existing security solutions. Detection engineering focuses on designing, implementing, and refining security detections to effectively identify and respond to threats. 

But where do you start? To help we wrote this comprehensive whitepaper about Detection Engineering, Threat Hunting, and how to implement both in your organization. If you’re not ready to delve deep into the paper, here’s a brief overview of how these combined tactics will  strengthen your organization's cybersecurity posture.

Threat hunting is essential because it enables organizations to:

• Reduce attacker dwell time: By proactively searching for threats, organizations can identify and neutralize malicious activities before they escalate, minimizing potential damage.
• Mitigate damage from unknown threats: Threat hunting helps uncover new or evolving attack tactics, techniques, and procedures (TTPs) that may not be detected by traditional security tools.
• Strengthen organizational resilience: Organizations can enhance their ability to adapt to and defend against unfamiliar threat vectors by recognizing and responding to them.

3 types of threat hunting

• IOC-based hunting: This reactive approach focuses on detecting known threat artifacts within the environment, such as file hashes, IP addresses, and domains.
• TTP-based hunting: This approach emphasizes the detection of threat actor TTPs by understanding how attackers operate and identifying patterns or sequences of behavior that suggest malicious intent.
• Hypothesis-driven hunting: This approach starts with an educated assumption about possible adversarial behavior based on threat intelligence, sector-specific attacks, organizational changes, or emerging threats to test the hypothesis. 

Detection engineering complements threat hunting by focusing on the development and refinement of threat detections. Key aspects of detection engineering include:

• Signature-based detection: Identifying threats based on known malicious indicators.
• Behavioral-based detection: Detecting threats based on their behavior and patterns.
• Custom detection rules: Tailoring detection strategies to an organization's specific requirements and risks.
• Continuous improvement: Regularly refining and adapting detections to address evolving threats and reduce false positives.

Key Stages of detection engineering include:

• Develop and Build: Research adversarial TTPs, fine-tune existing detections, develop and test new detections, and create release candidates.  
• Deliver: Validate release candidates and push them to production.
• Inspect and Adapt: Identify anomalies (false positives and true positives) and continuously refine detection logic.

Threat hunting and detection engineering: The dynamic duo

• Organizations can reduce attacker dwell time, mitigate damage from unknown threats, and strengthen their overall security posture by implementing these practices.
• A combination of different threat hunting types and robust detection engineering processes is crucial for comprehensive threat detection and response.
• Continuous learning, collaboration, and the integration of threat intelligence are key to the success of threat hunting and detection engineering programs.

Discover the latest cybersecurity research from the Trellix Advanced Research Center: https://www.trellix.com/advanced-research-center/