Congratulations, you’re the new cyber sheriff in town.
After the latest high-profile breach in the news caught your attention, you realized your organization needs a paradigm shift—no more drifting aimlessly in an ocean of vulnerability alerts. You’ve been appointed the lead investigator, tasked with piecing together clues and shifting from a purely reactive incident response approach to proactively hunting down and neutralizing threats before they strike.
In the ever-changing threat landscape, the traditional approach of trying to patch every vulnerability has become increasingly unsustainable. Organizations face an exponentially growing attack surface, with limited resources to address every potential weakness. In short, “more risk, no more resources.” This is where threat hunting emerges as a critical discipline—not merely a “nice-to-have” activity, but a fundamental aspect of strategic defense.

In a previous post, we explored how threat hunting has become an essential part of modern cybersecurity strategies. As vulnerabilities become more numerous, trying to remediate them all is increasingly impractical. Don’t fall into the trap of confusing motion with progress. Instead, pinpoint the threats that actually matter to your organization, and take them out. A targeted, hypothesis-driven approach to threat hunting uncovers critical vulnerabilities and attack paths often missed by standard prioritization processes—and not all “critical” vulnerabilities pose an equal risk to you.
Why Methodology Matters
Effective threat hunting follows a well-defined methodology to guide each step of the process. Understanding where to look, why to look there, and how to interpret the findings is crucial for success. We at Zafran have collaborated with leading security teams across industries to refine and codify the threat hunting process. Drawing from these partnerships and leveraging the unique capabilities of the Zafran platform, we've structured our Exposure Hunting™ methodology (ASIDE: forgive me, the lawyers made me ™), a systematic and repeatable approach that transforms theoretical security concepts into practical, actionable intelligence.
This article shares battle-tested strategies, common pitfalls to avoid, and tactical insights to elevate your threat hunting operations from reactive exercise to strategic advantage.

Forming a Hypothesis
We can’t get the right answers unless we start with the right questions.
The cornerstone of effective threat hunting is a well-structured hypothesis. The hypothesis should be a data-driven assumption, used to proactively search for threats, about how an adversary might target an environment or system. Unlike random guesses, these are informed starting points often triggered by:
- Threat Actor Analysis. Which adversarial groups are known to target your industry or specific assets?
- Current Events. Ongoing campaigns or recent breaches making headlines, especially those affecting similar organizations.
- New Vulnerabilities. Newly discovered vulnerabilities or exploits that might directly affect your infrastructure.
- Risk-Based Assessments. Your unique attack surface, critical systems, and exposure points.
A well-structured threat hunting hypothesis should be specific, testable, and falsifiable, meaning it can be proven true or false through investigation. Crucially, the hypothesis should focus on threats that align with your environment. Here are a few examples of strong hypotheses:
- Threat Actor TTPs. Your organization uses VMware ESXi and Fortinet FortiOS, both exploited by APT29. Given APT29’s known TTPs and its focus on critical infrastructure like yours, your environment may be similarly targeted.
- The Unpatchables. A major Windows exploit has been all over the news. Knowing that you run legacy versions you are unable to upgrade, you want to evaluate the potential for this exploit in your network, covering the relevant attack surface and assessing the controls in place.
- Bruteforce Attempts. You've observed an unusual increase in failed login attempts across specific segments of your network, coinciding with a recently published report about a new credential-harvesting campaign targeting your industry.
Below are a couple of examples of threats that SHOULD NOT be at the heart of your investigation:
- Industry Mismatch. A hospital zeroing in on Salt Typhoon, despite the group targeting telecom companies and government agencies.
- Overly Broad Hypothesis. Simply asking “Do we have any vulnerabilities?” without narrowing the scope.
- Geographic Disconnect. A European-based organization obsessing over a threat actor known for targeting South Korean entities.
- Misaligned Motivation. A retail business focusing on state-backed attackers who primarily target government infrastructure.
The more you understand the specific risks facing your organization, the more likely your focused actions will have critical impact. Invest time in understanding the threat landscape by staying up to date with credible cyber intelligence sources and considering how they apply to your environment.
As the threat landscape continues to evolve, so too must your approach to threat hunting. Adversaries frequently shift tactics, techniques, and even geographic targets, while new vulnerabilities can be exploited in the wild long before severity scores catch up. To stay ahead, it’s essential to regularly revisit and refine your hypotheses. Documenting your hypotheses and outcomes in a clear, referenceable format allows you to track progress, avoid redundant investigations, and build upon prior insights.
This practice can help you answer critical questions like: Have I investigated this threat actor before, and what did I learn that could shape my current hypothesis? Are there parts of the attack surface I’ve consistently overlooked? Are emerging trends signaling strategic risks that warrant new controls or capabilities?
We’ll explore this process in more detail in the final section, Closing the Loop.

The Zafran spice: When onboarding new customers, one of the most frequently cited operational challenges is the translation of threat intelligence into actionable insights specific to their environment. The Zafran Threat Exposure Management Platform assesses top threats by evaluating your specific infrastructure and correlating it with threat intelligence as part of our “Am I Protected Against” feature. This enables you to effortlessly bootstrap your next hunting hypothesis based on your exposure to various threat groups and high-profile vulnerabilities, ensuring you focus on what matters most to your organization.

Conducting the Investigation: Navigating the Data Landscape
Quaerere veritatem (to seek the truth)
With a solid hypothesis in hand, we begin our work to accept or reject it. Objectivity is key. The best threat hunters don’t fall in love with their hypotheses. They fall in love with the work required to rigorously test their hypotheses. To truthfully examine our hypothesis, we need to:
- Collect all relevant information
- Analyse the data and come to relevant conclusions
Data Collection
A thorough investigation requires comprehensive data from multiple sources. Think of this as assembling every puzzle piece before you start solving it.
Typical data sources include:
- Vulnerability scan results
- External attack surface mapping
- System logs and event monitoring
- Network traffic captures
- Runtime behaviors (e.g., process creation, memory usage)
- Configuration details of critical infrastructure
Common Data Challenges to Expect
- Normalization. Each tool uses its own language and scoring systems, making it difficult to translate results into a consistent view. For example, different vulnerability scanners might rely on unique severity scores or assign separate IDs for the same issue. Without aligning these discrepancies, you risk overlooking critical vulnerabilities or duplicating effort.
- Multiple Data Sources. Threat hunting often involves a sprawling set of tools—vulnerability scanners, network monitors, threat intel feeds, and more. Each source presents only part of the puzzle. To conduct a thorough investigation, you need a reliable way to correlate all these data points and reveal “toxic combinations” that might otherwise remain hidden.
Data Analysis
Finding toxic combinations
Collecting data is only half the battle. The real challenge lies in correlating that data to uncover “toxic combinations”—situations where multiple risk factors are mixed to form a potent threat cocktail. As you investigate, pay special attention to:
- Vulnerability Impact. How severe is the vulnerability, and what are its potential consequences?
- Threat Intelligence. Is it being actively exploited, or part of an ongoing campaign?
- Existing Protections. Are there security controls (e.g., WAF, firewalls, EDR) in place?
- Asset Context. Is the affected asset internet-facing, in active use, or critical to business operations?
Example:
Suppose your scanner flags a medium-CVSS web vulnerability in one of your payment applications. Because it’s labeled “medium,” it might not immediately top your remediation list. However, when you look deeper, you discover:
- Active Exploitation. Threat intel confirms this vulnerability is currently being used by sophisticated threat actors.
- Business-Critical Functionality. The affected system processes customer payments in real time.
- Internet-Facing Exposure. The payment application is publicly accessible (by design), significantly increasing the risk.
- Missing Protections. Although the application was presumed to be covered by a web application firewall, the specific WAF rules needed to block this exploit are NOT properly configured.
Taken together, these factors form a toxic combination—the convergence of an exploitable vulnerability on a critical, public-facing asset with inadequate protections. What looked like a moderate issue becomes a high-priority threat requiring immediate attention. Context matters.
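As an added example (not code from this post or from the Zafran platform), here is a small Python sketch of the normalization and toxic-combination correlation described above: two constructed scanner feeds with different schemas are merged per host and CVE, then joined with constructed threat-intel, asset-context and WAF-coverage data so that the medium-CVSS payment-application case ranks above a higher-CVSS internal finding. All host names, CVE IDs and plugin IDs are placeholders.

```python
from dataclasses import dataclass, field

# Constructed output from two hypothetical scanners with different schemas: A reports a
# severity word, B uses its own plugin IDs and numeric scores. Same placeholder CVE, same host.
SCANNER_A = [{"host": "pay-web-01", "cve": "CVE-0000-0001", "severity": "Medium"}]
SCANNER_B = [
    {"asset": "pay-web-01", "plugin": "B-4471", "refs": ["CVE-0000-0001"], "score": 5.8},
    {"asset": "hr-intranet", "plugin": "B-9902", "refs": ["CVE-0000-0002"], "score": 9.1},
]
# Constructed context: threat intel, asset inventory, and WAF rules enabled per host.
ACTIVELY_EXPLOITED = {"CVE-0000-0001"}
ASSETS = {
    "pay-web-01": {"internet_facing": True, "business_critical": True},
    "hr-intranet": {"internet_facing": False, "business_critical": False},
}
WAF_RULES_ENABLED = {"pay-web-01": set()}  # presumed covered, but no rule for the CVE
SEVERITY_WORDS = {"low": 3.0, "medium": 5.5, "high": 8.0, "critical": 9.5}

@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    sources: set = field(default_factory=set)

def normalize(scanner_a, scanner_b):
    """Map both schemas onto one Finding per (host, CVE), keeping the highest score."""
    rows = [(r["host"], r["cve"], SEVERITY_WORDS[r["severity"].lower()], "A") for r in scanner_a]
    rows += [(r["asset"], cve, r["score"], "B") for r in scanner_b for cve in r["refs"]]
    merged = {}
    for host, cve, score, src in rows:
        f = merged.setdefault((host, cve), Finding(host, cve, 0.0))
        f.cvss = max(f.cvss, score)
        f.sources.add(src)
    return list(merged.values())

def toxic_factors(finding, intel, assets, waf_rules):
    """List the risk factors that converge on one finding."""
    asset = assets.get(finding.host, {})
    factors = []
    if finding.cve in intel:
        factors.append("actively_exploited")
    if asset.get("internet_facing"):
        factors.append("internet_facing")
    if asset.get("business_critical"):
        factors.append("business_critical")
    if asset.get("internet_facing") and finding.cve not in waf_rules.get(finding.host, set()):
        factors.append("no_waf_rule")
    return factors

def hunt(scanner_a, scanner_b, intel, assets, waf_rules):
    """Rank findings so a toxic combination outranks raw CVSS alone."""
    ranked = []
    for f in normalize(scanner_a, scanner_b):
        factors = toxic_factors(f, intel, assets, waf_rules)
        toxic = {"actively_exploited", "internet_facing", "no_waf_rule"} <= set(factors)
        ranked.append({"host": f.host, "cve": f.cve, "cvss": f.cvss, "sources": sorted(f.sources),
                       "factors": factors, "toxic": toxic})
    ranked.sort(key=lambda r: (r["toxic"], len(r["factors"]), r["cvss"]), reverse=True)
    return ranked
```

Re-running `hunt` with the missing WAF rule enabled drops the payment finding out of the toxic tier, which is the mitigation path the example above leads to.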
The foot in the door
A good place to start the investigation is finding out what is exposed externally. Take the recent DeepSeek incident: an exposed ClickHouse instance allowed access to internal information. The fix is relatively easy: reduce the attack surface. Externally exposed assets are an attacker’s “foot in the door” into your network. This finding demonstrates how visibility into the external attack surface can reveal critical risks that might be overlooked in internal assessments.

The Zafran spice: With Zafran seamlessly integrated into your environment, data collection becomes a matter of a few clicks. The platform automatically correlates and normalizes inputs from multiple sources—giving you a clear, unified view of your true risk posture. Beyond aggregation, Zafran adds critical contextual analysis such as runtime presence of the CVE, internet exposure of the asset at risk, and configuration of available compensating controls, making it easy to spot which assets are exposed to the internet or lack proper segmentation. As a result, you can quickly identify toxic combinations of vulnerabilities, external access points, and missing security controls. And if you need to drill deeper, Zafran’s advanced querying capabilities let you explore your own hypotheses freely—empowering you to move from detection to actionable insights in record time.

Taking Action on Findings
There’s more than one answer to every problem. Drive the change effectively.
One key shift from traditional “threat hunting” to modern “exposure hunting” is the focus on proactively reducing risk by spotting systemic weaknesses—rather than just searching for active indicators of compromise. Think of it this way: rather than waiting for evidence of an attacker’s footsteps, you’re strengthening your defenses to keep them out in the first place.
A successful investigation is more than just a list of found issues; it also prescribes how to respond. This is where proactive practices outshine old, reactive measures. Armed with your findings, you can set the standard for how your organization counters a potential threat, whether by eliminating the root cause of the vulnerability or by raising additional defenses around it.
Types of Actions
Although there are many ways to address security gaps, actions generally fall into two main categories:
- Remediation – Risk Elimination
Target the specific vulnerability or component and fix it at the source. Common remediation steps include patching, upgrading, or in some cases outright removing high-risk software. For example, some Zafran customers have replaced Adobe software entirely, instead of endlessly updating it whenever a new vulnerability arises.
- Mitigation – Risk Reduction
Remove patching from the critical path. Reduce risk quickly by strengthening security layers to limit an attacker’s ability to exploit a flaw. You might restrict network access, enhance firewall rules, or isolate critical systems—especially if you can’t apply a fix immediately. Mitigation measures buy you time while still reducing overall risk.

Factors to Consider
- Level of Protection
Certain actions have a more profound impact on risk reduction than others. Removing a vulnerable component entirely often offers stronger security than continuously patching it, but doing so may not be practical. Consider risk mitigation as a countermeasure.
- Time to Implement
Organizational constraints can limit how quickly you can take action. Sometimes you can implement a high-impact solution directly; other times, you may need to coordinate with other teams. In such cases, consider starting with a quick mitigation until the ultimate fix is in place.
Example:
If you discover a legacy application with multiple vulnerabilities that can’t be patched right away, you might immediately restrict its network access (mitigation) while working toward patching the software (remediation).
To learn more about remediation & mitigations, see this guide.

The Zafran spice: Zafran makes it easier to prioritize your response by highlighting risk levels and suggesting realistic action paths:
- Actionable Mitigations. By analyzing your existing security controls, Zafran can recommend ways to leverage the tools you already have—for example, by enabling a specific WAF rule or tightening network segmentation.
- Balanced Approach. For each finding, Zafran will highlight both the optimized remediation steps and mitigation action for quick wins.
- Vulnerability Context. Each vulnerability is shown as part of a larger component—like a library within an application or a container image—so you understand its impact / reach.
- Internet Exposure. Zafran pinpoints externally exposed assets, flagging them as prime candidates for immediate mitigation. Of course, some assets are internet-facing by design, so extra attention should be given to mitigation techniques and remediation of root cause.
With these insights at your fingertips, you can confidently decide whether to remediate or mitigate, ensuring your organization stays one step ahead of potential attacks.

Closing the Loop - Documentation and Learning
Threat hunting is an iterative process and a great driver of continuous improvement. To wrap up an investigation, we want to conclude and report everything we’ve learned and done to improve our defenses in light of our findings, and to look back on the process itself to see what could be done better.
Reporting
To lead change and improvement, you want to communicate the results to your directors. Every investigation should produce clear documentation covering:
- Hypothesis. What was the threat you were hunting, and its urgency? Was there an active threat relevant to your organization?
- Investigation summary. What did you look into?
- Findings. What were the results of your investigation? What were the gaps detected in your defenses?
- Action items. Share a prioritized risk reduction plan and rally cross-functional buy-in.
Refining the hypothesis
Threat hunting is never a one-and-done affair. Each investigation should inform the next, incorporating new knowledge about both attacker tactics and your own evolving defenses. Just as threat actors can shift gears—pivoting from phishing to exploit-based attacks, or refocusing from one region to another (like Salt Typhoon’s expansion from Asia to North America)—your organization also changes over time. You might deploy a new WAF rule, isolate critical systems, or enhance endpoint protections, reducing your exposure to a previously high-risk threat.
Meanwhile, vulnerabilities themselves can take on new dimensions. A new proof-of-concept exploit might surface, or widespread in-the-wild exploitation may confirm that a flaw is far more dangerous than initially assessed. Such developments demand a reevaluation of your assumptions: what used to be a medium-priority risk could now require urgent action—or vice versa if you’ve already hardened critical assets.
Ultimately, your hypothesis should never be static. Continual refinement is what creates a cycle of security improvement, ensuring that you stay focused on the risks that matter most while adapting to the shifting realities of both your adversaries and your own defenses.

The Zafran spice: One of the reasons Zafran built its Exposure Tracker capability was so that you can measure the impact of your continuous improvement efforts on your overall risk posture. By setting a query to identify the toxic combinations relevant to your hypothesis, you can share the impact of remediation efforts over time.

Additionally, since the Zafran Platform aggregates vulnerability data from across your entire hybrid cloud environment, the threat evaluation is always up to date, so the next time you embark on a hunting journey, the data in the platform will reflect the results of past efforts.
Conclusion
The threat landscape never stands still. New vulnerabilities emerge daily, threat actors adapt, and hybrid cloud environments grow increasingly complex. The Exposure Hunting™ methodology we've outlined replaces ad-hoc motion with an iterative, high-impact process. By objectively testing relevant hypotheses, focusing action, and learning from each investigation, security teams can shift from perpetually playing catch-up to proactively thwarting the most pressing risks before they become incidents.
And that is better risk management that demonstrates the strategic value of security investments to the business.
Keep exploring
Zafran Security is creating an entirely new operating model for threat and vulnerability management. By analyzing your risk context and existing security tools, we prove that 90% of critical vulnerabilities are not exploitable, and then quickly mitigate and remediate the 10% that are. Backed by AI and built for action, Zafran transforms how modern enterprises secure what matters most.
Check out zafran.io/platform to learn more. There are plenty more resources for you to continue your journey. And when you are ready to connect, we will be here.