Organizations Are Finding Threats More Effectively: Results of a SANS Survey

Bethesda, Md. – A new SANS survey finds that organizations are broadening the scope of their threat hunting efforts and that dwell times are decreasing. The survey, to be released in a two-part webcast on September 19 and September 20, also indicates that threat hunting is not so much "about rebranding what many defenders have endeavored to do over the years," according to SANS authors Robert M. Lee and Rob T. Lee. Instead, they say, threat hunting is now "about placing an appropriate, dedicated focus on the effort by analysts who purposely set out to identify and counteract adversaries who may already be in the environment."

The survey found 43% of respondents' organizations are now performing continuous threat hunting operations, which the authors consider a strong indicator that threat hunting is growing in scope and need. As they point out, "In 2017, the number was only 35%, which shows that many organizations are now adopting methodologies that are key to reducing adversaries' overall dwell time."

The authors are hopeful that, as more organizations perform threat hunting, dwell time will shorten even more in the coming years. They indicate that dwell time currently averages above 90 days, but "as recently as 2013, the average dwell time was over six months. The decline since then shows that the adoption of threat hunting and stronger analytical techniques have had a significant impact on reducing the overall dwell time of adversaries across most networks."

Full results will be shared during a two-part webcast. Part 1, covering prerequisites organizations should consider when preparing for a hunt, will be held on September 19 at 1 PM EDT. The Part 2 webcast, airing on September 20 at 1 PM EDT, will cover benefits and drawbacks of integrating with cyber threat intelligence (CTI). Both webcasts are sponsored by Anomali, DomainTools, IBM, Malwarebytes, Qualys, RiskIQ and hosted by SANS.

Register to attend the September 19 webcast at and the September 20 webcast at

Those who register for the webcast will also receive access to the published results paper developed by Robert M. Lee and Rob T. Lee.

Tweet This:

SANS Threat Hunting Survey | Scope of threat hunting is growing | Sept. 19 |

SANS Threat Hunting Survey | Threat hunting decreases dwell time | Sept. 20 |

Learn how the scope of threat hunting is growing, and why dwell time is shrinking | Part 1, | Part 2,

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (