SANS Cyber Defense Initiative® 2020 Live Online: 30+ Interactive Courses | Virtual NetWars Tournaments. Save $300 thru 11/18


Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS 2019 Threat Hunting Survey Results Released

Threat Hunting in its infancy; Few dedicated hunt teams; Metrics needed for measurable results

  • Bethesda, MD
  • October 15, 2019

Threat hunters still disagree on what constitutes threat hunting and how to hunt, according to the results of the SANS 2019 Threat Hunting Survey to be released by SANS Institute in two webcasts: the results webcast on October 29, 2019, and a panel discussion of results on October 30, 2019 at 1 PM Eastern.

“Many organizations use an alert-driven approach to threat hunting or use indicators of compromise [IoCs] to guide their hunts,” says Mathias Fuchs, a SANS instructor and co-author of the survey. “It seems that fewer organizations are using hypothesis-driven hunting—and that could leave them vulnerable to dangerous visibility gaps.”

Most respondents report using a variety of reactive approaches to threat hunting, including alerts (40%) or IoCs via a SIEM or other alerting system to find adversary tools or artifacts (57%). Such approaches are excellent supplements, but should not take the place of using proactive hunting techniques. Surprisingly, only 35% of respondents create hypotheses to guide their hunting activities.

Organizations continue to require threat hunters to work in multiple roles. Hunters report having major responsibilities for managing SOC alerts (34%) or IR and forensics of breaches (26%). Very few organizations have moved to a dedicated hunt team over the past three surveys, indicating that threat hunting—and threat hunting teams—are in their infancy.

“One reason we aren’t seeing more growth in dedicated threat hunting teams may be that organizations have difficulty measuring the benefits or organizational impact of threat hunting,” posits Josh Lemon, survey co-author and SANS instructor. “Being able to measure and show the performance abilities of a threat hunting team is critical to the life of a team and its engagement by the rest of the business; it's a metric that can make or break a team, its funding or its objectives.”

While 24% of respondents were unable to determine whether they had measurable improvements as a result of threat hunting, 61% reported having at least an 11% improvement in their overall security posture. Organizations have seen a marked improvement in more robust detections and better coverage across the environment, with 36% claiming significant improvement and another 53% realizing some improvement. Other key improvements are attack surface exposure/hardened networks and endpoints, with 35% seeing significant improvement and 58% seeing some improvement, and more accurate detections and fewer false positives, at 32% significant improvement and 51% some improvement.

Full results will be shared during an October 29, 2019, webcast at 1 PM EDT, sponsored by AnomaliAuthentic8CarbonBlackDomainToolsExtraHopLastlineSophosThreatConnectThreatQuotient, and Verodin, and hosted by SANS. Register to attend the webcast at

The authors and representatives from DomainTools, ExtraHop and ThreatConnect dig deeper into the results in a panel discussion on October 30, 2019, at 1 PM EDT. Register to attend that webcast at

Those who register for either webcast will also receive access to the published results paper developed by SANS analysts, instructors and threat hunting experts Mathias Fuchs and Josh Lemon.

Tweet This:

SANS 2019 Threat Hunting Survey Results Released | Tues. 10/29 1 PM Eastern |

Mathias Fuchs and Josh Lemon share SANS Threat Hunting Survey results | 10/29 1 PM Eastern |

Join Mathias Fuchs, Josh Lemon and threat hunting vendors for a panel discussion based on applying the results of the SANS Threat Hunting Survey | Wed. 10/30 1 PM Eastern |

Threat Hunting Survey Results and Discussion | Results 10/29 @ 1PM Eastern | | Panel Discussion 10/30 @ 1 PM Eastern |


About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner’s qualifications via over 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (