SANS Live Training is Available In-Person OR Live Online! Explore Upcoming Events.


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

Demystifying The Hunt: How to Assess Your Threat Hunting Readiness and Prepare for the Next Step

  • Tuesday, October 01, 2019 at 1:00 PM EST (2019-10-01 17:00:00 UTC)
  • Gary Fisk, Fayyaz Rajpari, Matt Bromiley


  • Corelight
  • Optiv

You can now attend the webcast using your mobile device!



Many organizations want to threat hunt, but dont know where to begin, how to measure success, or how to scale an effective program. The bar to successful hunting can appear intimidatingly high, reachable by only the most sophisticated, well-staffed SOCs, but the reality is that one individual, with the right data and some directional guidance, can begin their hunting journey today and start making immediate security contributions to their organization.

Join seasoned security instructors on this webcast who will walk you through the threat hunting maturity model and help you prepare for each step of the journey with specific guidance, concrete examples, best practices, and sample threat hunts. Since virtually all attacks must cross the network and traffic provides an inalterable record of activity, this webcast will focus primarily on network-based threat hunting using the open-source Zeek network security monitor.

Register for this webcast to learn how to assemble the systems, data, people and processes youll need to threat hunt and also see practical threat hunting exercises demoed by the instructors that you can instrument in your own environment to look for adversary behavior such as DNS-tunneling, C2 communications and more.

Speaker Bios

Gary Fisk

Gary Fisk has built a broad security career at Digex, Oracle, Mandiant, FireEye, and now at Corelight. His career has ranged across security analytics, identity management, data security, threat intelligence, IR and security services, endpoint security (EDR), network security (NSM), and Enterprise Architecture.  This somewhat unfocused group of focus areas has resulted from a belief that enterprises must take a pragmatic, risk-driven approach to advancing their security maturity, and focus on tools to improve existing teams, procedures, and environments. Building on a ten-year foundation in IT and security operations, Gary’s history in tools and technology is founded in the cliche’ that “security is a team sport”, and that tools and tech are only valuable if they make the team better.

Fayyaz Rajpari

Fayyaz has 19 years of deep cyber security industry experience gained from the largest pure play security solutions providers including Optiv, Mandiant, FireEye, and Symantec. He’s responsible for bringing thought leadership and executive oversight to all cyber security services and continuously involved in the most strategic pursuits around the globe. Fayyaz takes pride on staying on top of the latest threat trends and assists with multi-practice security initiatives including security operations required by the fortune 100. Prior roles include Senior Manager in Strategy and Product for Next Gen SIEM & Threat Analytics, Global Architect, and Cyber Security Specialist for Managed Security Services, Operations, Engineering, Incident Response, and next generation platforms.

Matt Bromiley

Matt Bromiley is a SANS digital forensics and incident response (IR) instructor, teaching FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics and SANS FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. He is also an IR consultant at a global IR and forensic analysis company, combining experience in digital forensics, log analytics, and incident response and management. His skills include disk, database, memory and network forensics; incident management; threat intelligence and network security monitoring. Matt has worked with organizations of all shapes and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.