Threat Hunting Is a Process, Not a Thing: SANS 2018 Survey Results, Part I

  • Wednesday, September 19, 2018 at 1:00 PM EDT (2018-09-19 17:00:00 UTC)
  • Chris Carlson, Helen Johnson, Rob Lee, Robert M. Lee, Dana Torgersen


  • Anomali
  • DomainTools
  • IBM
  • Malwarebytes
  • Qualys
  • RiskIQ



How are organizations preparing their environments for hunting? How are they accessing the critical data needed in a hunt? And how are they using the threat and operational data uncovered during the hunt? This, our third survey on threat hunting, looks at the maturity of hunting programs and where they are going, along with best practices being used in organizations to detect and remediate threats that would otherwise remain hidden.

In this webcast, SANS Threat Hunting and Incident Response Curriculum Chair Rob Lee will reveal how survey respondents answered questions that are immediately important to organizations conducting threat hunting. Rob will discuss:

  • Whether or not organizations are preparing themselves for threat hunting with advanced planning, assessments, procedures and technical integrations
  • What prerequisites organizations should consider in preparing for a hunt
  • What data hunters need to access, how they are accessing it and how useful that data is
  • Who does the hunting, who should do the hunting and whether or not hunting activities are coordinated across detection and response
  • Whether or not organizations are deploying continuous hunting to proactively look for threats, or simply following up on indicators

Register for Part II of this webcast, "Threat Hunting in Action," here.

Results will initially be discussed at the SANS Threat Hunting and Incident Response Summit on September 6-7. The full whitepaper, developed by Rob Lee, will be available on the day of the live webcast.

Speaker Bios

Chris Carlson

Chris Carlson is Vice President, Product Management at Qualys, responsible for definition, roadmap, and strategy of the Qualys Cloud Agent technology. He has more than 20 years of security industry experience spanning firewalls, VPNs, and intrusion prevention systems, to real-time event-processing, security analytics, and next-generation endpoint platforms. In addition to security architecture roles at UBS and Booz Allen and Hamilton, he has 15 years of product management experience at venture-funded start-ups and leading product companies like Hexis Cyber Solutions, Trustwave, Informatica and Agent Logic.

Helen Johnson

Helen Johnson, a sales engineer at DomainTools, has more than 15 years of experience in the tech industry, starting her career as a support engineer for an SSL VPN product. Helen has worked with networking and application delivery, security and NAS technologies, and she has held many varied roles, including presales and customer success. Prior to joining DomainTools, Helen was a technical account manager at EMC for the Isilon product, and a solutions engineer in business development at F5 Networks. Outside of work, Helen enjoys MST3K marathons, exercise, knitting and other tactile crafty endeavors.

Rob Lee

Rob Lee is the curriculum lead and author for digital forensic and incident response training at the SANS Institute. With more than 15 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention and incident response, he provides consulting services in the Washington, D.C. area. Before starting his own business, Rob worked with government agencies in the law enforcement, defense and intelligence communities as a lead for vulnerability discovery and exploit development teams, a cyber forensics branch, and a computer forensic and security software development team. He also worked for a leading incident response service provider and co-authored Know Your Enemy: Learning About Security Threats, 2nd Edition.

Robert M. Lee

Rob is a recognized pioneer in the industrial security incident response and threat intelligence community. He started in security as a U.S. Air Force Cyber Warfare Operations Officer tasked to the National Security Agency, where he built a first-of-its-kind mission identifying and analyzing national threats to industrial infrastructure. He went on to build the industrial community’s first dedicated monitoring and incident response class at the SANS Institute (ICS515) and the industry-recognized cyber threat intelligence course (FOR578).

Forbes named Robert to its 30 under 30 (2016) list as one of the “brightest entrepreneurs, breakout talents, and change agents” in Enterprise Technology. He is a business leader but also a technical practitioner. Robert helped lead the investigation into the 2015 cyber attack on Ukraine’s power grid, and he and his team at Dragos helped identify and analyze the CRASHOVERRIDE malware that attacked Ukraine’s grid in 2016 and the TRISIS malware deployed against an industrial safety system in the Middle East in 2017.

Dana Torgersen

Dana Torgersen is a senior product marketing manager with Malwarebytes. He is a veteran product marketer who cut his teeth in network and data center security while at Secure Computing, McAfee, Intel Security, Palo Alto Networks and security startup Illumio. Dana regularly addresses the security community across businesses, schools and government agencies, illustrating how they can protect their endpoints against advanced threats including exploits, malware and ransomware attacks. Dana holds a BS degree in Business Computer Systems from Bradley University and is based in the San Francisco Bay Area.
