Threat hunting is the proactive search for attackers who have slipped past existing security controls.
Instead of waiting for alerts, analysts manually comb through logs and telemetry for suspicious behavior, such as:
- Unusual login times
- Abnormal data transfers
- Unknown processes running
Example:
An analyst finds a user logging in at 3 AM from a foreign IP address.
Exercise:
Review a set of sample logs and identify abnormal user behavior.
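A worked version of the exercise, added here as an example and not part of the original note: a small hunting pass over constructed log lines that flags the three indicators listed above (off-hours logins, logins from an IP range the organisation does not own, abnormally large outbound transfers) plus processes not on a known-good list. The log format, the corporate address range, the business-hours window, the 100 MB threshold and the process allowlist are all assumptions made for this example.

```python
"""
Added example (not from the original note): a minimal threat hunt over
constructed authentication, transfer and process logs. Every log line,
IP range, threshold and allowlist here is constructed for illustration.
"""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample logs: timestamp, user, event, source/host IP, detail
# (detail = bytes moved for UPLOAD, process name for PROCESS, 0 otherwise).
SAMPLE_LOGS = [
    "2024-03-04T09:02:11 alice LOGIN 10.0.1.15 0",
    "2024-03-04T09:45:30 alice UPLOAD 10.0.1.15 120000",
    "2024-03-04T13:10:05 bob LOGIN 10.0.2.40 0",
    "2024-03-04T13:12:00 bob PROCESS 10.0.2.40 outlook.exe",
    "2024-03-05T03:07:44 alice LOGIN 203.0.113.77 0",          # 3 AM, unknown range
    "2024-03-05T03:12:02 alice UPLOAD 203.0.113.77 850000000",  # 850 MB outbound
    "2024-03-05T03:15:10 alice PROCESS 203.0.113.77 unknown-tool.exe",
    "2024-03-05T10:30:00 carol LOGIN 10.0.3.9 0",
]

# Assumed corporate address space (constructed); anything else is "foreign".
KNOWN_NETWORKS = [ip_network("10.0.0.0/8")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed normal login window
UPLOAD_THRESHOLD_BYTES = 100_000_000         # assumed: flag > 100 MB in one event
KNOWN_PROCESSES = {"outlook.exe", "chrome.exe", "teams.exe"}  # assumed allowlist


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, user, event, src, detail = parts
    try:
        return {
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "event": event,
            "src": ip_address(src),
            "detail": detail,
        }
    except ValueError:
        return None


def is_off_hours(ts):
    """True when the timestamp falls outside the assumed business window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() <= end)


def is_foreign_ip(addr):
    """True when the address is outside every known corporate network."""
    return not any(addr in net for net in KNOWN_NETWORKS)


def hunt(lines):
    """Return (user, reason, line) findings for an analyst to review."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the hunt
        if rec["event"] == "LOGIN":
            if is_off_hours(rec["ts"]):
                findings.append((rec["user"], "off-hours login", line))
            if is_foreign_ip(rec["src"]):
                findings.append((rec["user"], "login from unknown IP range", line))
        elif rec["event"] == "UPLOAD":
            try:
                size = int(rec["detail"])
            except ValueError:
                continue
            if size > UPLOAD_THRESHOLD_BYTES:
                findings.append((rec["user"], "abnormal outbound transfer", line))
        elif rec["event"] == "PROCESS" and rec["detail"] not in KNOWN_PROCESSES:
            findings.append((rec["user"], "unknown process", line))
    return findings


def users_with_findings(lines):
    """Distinct users that produced at least one finding, sorted."""
    return sorted({user for user, _, _ in hunt(lines)})


if __name__ == "__main__":
    for user, reason, line in hunt(SAMPLE_LOGS):
        print(f"{user:6} {reason:28} {line}")
```

Each check is deliberately simple; the value of the exercise is in noticing that the four findings cluster on one account within a few minutes, which is the pattern an analyst would escalate.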