SANS 2019 Threat Hunting Survey Results Released

Bethesda, Md. – Threat hunters still disagree on what constitutes threat hunting and how to hunt, according to the results of the SANS 2019 Threat Hunting Survey to be released by SANS Institute in two webcasts: the results webcast on October 29, 2019, and a panel discussion of results on October 30, 2019 at 1 PM Eastern.

“Many organizations use an alert-driven approach to threat hunting or use indicators of compromise [IoCs] to guide their hunts,” says Mathias Fuchs, a SANS instructor and co-author of the survey. “It seems that fewer organizations are using hypothesis-driven hunting—and that could leave them vulnerable to dangerous visibility gaps.”

Most respondents report using a variety of reactive approaches to threat hunting, including alerts (40%) or IoCs via a SIEM or other alerting system to find adversary tools or artifacts (57%). Such approaches are excellent supplements, but should not take the place of using proactive hunting techniques. Surprisingly, only 35% of respondents create hypotheses to guide their hunting activities.

Organizations continue to require threat hunters to work in multiple roles. Hunters report having major responsibilities for managing SOC alerts (34%) or IR and forensics of breaches (26%). Very few organizations have moved to a dedicated hunt team over the past three surveys, indicating that threat hunting—and threat hunting teams—are in their infancy.

“One reason we aren’t seeing more growth in dedicated threat hunting teams may be that organizations have difficulty measuring the benefits or organizational impact of threat hunting,” posits Josh Lemon, survey co-author and SANS instructor. “Being able to measure and show the performance abilities of a threat hunting team is critical to the life of a team and its engagement by the rest of the business; it's a metric that can make or break a team, its funding or its objectives.”

While 24% of respondents were unable to determine whether they had measurable improvements as a result of threat hunting, 61% reported having at least an 11% improvement in their overall security posture. Organizations have seen a marked improvement in more robust detections and better coverage across the environment, with 36% claiming significant improvement and another 53% realizing some improvement. Other key improvements are attack surface exposure/hardened networks and endpoints, with 35% seeing significant improvement and 58% seeing some improvement, and more accurate detections and fewer false positives, at 32% significant improvement and 51% some improvement.

Full results will be shared during an October 29, 2019, webcast at 1 PM EDT, sponsored by Anomali, Authentic8, CarbonBlack, DomainTools, ExtraHop, Lastline, Sophos, ThreatConnect, ThreatQuotient, and Verodin, and hosted by SANS. Register to attend the webcast at

The authors and representatives from DomainTools, ExtraHop and ThreatConnect dig deeper into the results in a panel discussion on October 30, 2019, at 1 PM EDT. Register to attend that webcast at

Those who register for either webcast will also receive access to the published results paper developed by SANS analysts, instructors and threat hunting experts Mathias Fuchs and Josh Lemon.

Tweet This:

SANS 2019 Threat Hunting Survey Results Released | Tues. 10/29 1 PM Eastern |

Mathias Fuchs and Josh Lemon share SANS Threat Hunting Survey results | 10/29 1 PM Eastern |

Join Mathias Fuchs, Josh Lemon and threat hunting vendors for a panel discussion based on applying the results of the SANS Threat Hunting Survey | Wed. 10/30 1 PM Eastern |

Threat Hunting Survey Results and Discussion | Results 10/29 @ 1PM Eastern | | Panel Discussion 10/30 @ 1 PM Eastern |

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (