Get the Skills you need from Home with SANS Online Training - Special Offers Available Now


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

Demystifying The Hunt: How to Assess Your Threat Hunting Readiness and Prepare for the Next Step

  • Tuesday, October 01, 2019 at 1:00 PM EST (2019-10-01 17:00:00 UTC)
  • Gary Fisk, Fayyaz Rajpari, Matt Bromiley


  • Corelight
  • Optiv

You can now attend the webcast using your mobile device!



Many organizations want to threat hunt, but dont know where to begin, how to measure success, or how to scale an effective program. The bar to successful hunting can appear intimidatingly high, reachable by only the most sophisticated, well-staffed SOCs, but the reality is that one individual, with the right data and some directional guidance, can begin their hunting journey today and start making immediate security contributions to their organization.

Join seasoned security instructors on this webcast who will walk you through the threat hunting maturity model and help you prepare for each step of the journey with specific guidance, concrete examples, best practices, and sample threat hunts. Since virtually all attacks must cross the network and traffic provides an inalterable record of activity, this webcast will focus primarily on network-based threat hunting using the open-source Zeek network security monitor.

Register for this webcast to learn how to assemble the systems, data, people and processes youll need to threat hunt and also see practical threat hunting exercises demoed by the instructors that you can instrument in your own environment to look for adversary behavior such as DNS-tunneling, C2 communications and more.

Speaker Bios

Gary Fisk

Gary Fisk has built a broad security career at Digex, Oracle, Mandiant, FireEye, and now at Corelight. His career has ranged across security analytics, identity management, data security, threat intelligence, IR and security services, endpoint security (EDR), network security (NSM), and Enterprise Architecture.  This somewhat unfocused group of focus areas has resulted from a belief that enterprises must take a pragmatic, risk-driven approach to advancing their security maturity, and focus on tools to improve existing teams, procedures, and environments. Building on a ten-year foundation in IT and security operations, Gary’s history in tools and technology is founded in the cliche’ that “security is a team sport”, and that tools and tech are only valuable if they make the team better.

Fayyaz Rajpari

Fayyaz is passionate about cyber security and holds relationships across many security organizations and the fortune 100. He’s a product leader for all aspects of Security and Threat Intelligence at Recorded Future.  Prior to this, Fayyaz was an Executive Director for Optiv’s Security Consulting business. He's held a variety of roles from technical subject matter expert to product strategy for Endpoint Security, Threat analytics, Security Orchestration, Automation, and Response platform at Mandiant/FireEye.  As a key enabler of cyber security around the globe, Fayyaz takes pride on staying on top of the latest threat trends and loves to talk security whenever he can. 

Prior to FireEye / Mandiant, he's worked for Symantec and other large organizations with deep experience in many security domains, including network and endpoint security, incident response, encryption, identity & access management, and vulnerability management. He holds a Bachelor’s degree in Information Security with numerous security certifications including CISSP, CCSK, GCFW.

Matt Bromiley

Matt Bromiley is a SANS digital forensics and incident response (IR) instructor, teaching FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics and SANS FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. He is also an IR consultant at a global IR and forensic analysis company, combining experience in digital forensics, log analytics, and incident response and management. His skills include disk, database, memory and network forensics; incident management; threat intelligence and network security monitoring. Matt has worked with organizations of all shapes and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.