TL;DR

A threat hunting hypothesis is a testable assumption about adversary behavior in your environment. It focuses on TTPs rather than IOCs. File hashes, IPs, and domains change in minutes. Tactics, Techniques, and Procedures require operational retooling that takes weeks or months. Systematic hypothesis testing finds threats that evade signature-based detection entirely. The workflow: form a hypothesis from threat intelligence, search for behavioral evidence, analyze findings, and refine. This is why formal hunting programs find more threats, faster.

Threat Hunting Hypothesis: Moving Beyond IOCs

Most threat hunting programs start with IOCs: file hashes, IP addresses, domain names. It feels productive. Collect the indicators, run the queries, check the boxes. The problem is that your adversary already knows this. A threat hunting hypothesis built on IOCs alone resets to zero every time the attacker rotates infrastructure.

Attackers rotate constantly. A threat actor can recompile malware for a new hash in minutes, spin up a fresh C2 server in hours, and register a new domain the same afternoon. The Pyramid of Pain, a foundational threat intelligence framework developed by David Bianco and documented by SANS, ranks indicators by how hard they are for adversaries to change. Hash values and IPs sit at the bottom. TTPs sit at the top. Hunting at the top of the pyramid is what separates proactive threat hunting from reactive alert triage.

[Figure: The Pyramid of Pain, six layers of threat indicators ranked by how difficult they are for adversaries to change, from Hash Values (Trivial) at the base through IP Addresses (Easy), Domain Names (Simple), Network/Host Artifacts (Annoying), and Tools (Challenging) up to TTPs (Tough) at the top.]

Why Aren't IOCs Enough for Threat Hunting?

IOCs are easy for attackers to change in seconds to minutes, making IOC-based hunting a constant game of catch-up. Each infrastructure rotation invalidates existing indicators and resets detection coverage.

The speed asymmetry is stark. Attackers achieve mass exploitation of critical vulnerabilities within 5 days of disclosure. Organizations take a median of 32 days to patch (Verizon 2025 DBIR). If attackers move on a 5-day cycle and IOC rotation is even faster, an indicator-based hunting program is structurally reactive. By the time an IOC is published, distributed, and operationalized in your environment, the attacker has already moved on.

IOC-based hunting catches known, low-sophistication threats. But it offers no coverage against adversaries who actively evade it, which is exactly the threat profile that warrants a dedicated hunting program.

TTPs vs. IOCs: What Do Adversaries Find Hard to Change?

TTPs (Tactics, Techniques, and Procedures) are the adversary behaviors and operational methods used to achieve objectives. Unlike IOCs, TTPs require weeks to months of operational retooling to change. That makes them far more durable hunting targets.

Each layer represents a different level of adversary investment:

  • Tactics describe the attacker's objective: lateral movement, persistence, exfiltration.
  • Techniques describe how that objective is achieved: Remote Desktop Protocol, scheduled task creation, cloud storage abuse.
  • Procedures are the specific implementation: exact command strings, user account patterns, timing behaviors.

The deeper you hunt, the higher the cost you impose. Changing a file hash costs nothing. Changing how a threat actor group conducts lateral movement requires retraining operatives and rebuilding tooling.

MITRE ATT&CK provides the systematic catalog for this work. ATT&CK v18, released in October 2025, includes 691 Detection Strategies and 1,739 Analytics built around TTP-level behavioral detection. The framework's architecture is designed around the premise that behaviors are what defenders should track, not artifacts.

How Does Hypothesis-Driven Threat Hunting Work?

Hypothesis-driven threat hunting follows a four-step cycle. Form a hypothesis from threat intelligence or known adversary TTPs. Search for behavioral evidence. Analyze findings to confirm or refute. Respond while generating new hypotheses from what you learned.

Step 1: Form the hypothesis

A well-formed hunting hypothesis identifies three things: the suspected adversary behavior, the data sources needed to test it, and the behavioral indicators that would confirm or refute it.

Sources include threat intelligence feeds, MITRE ATT&CK technique profiles for adversary groups relevant to your industry, environmental risk assessments, and anomalies your detection tools have flagged but not fully explained.

A concrete example: "Adversaries are using living-off-the-land techniques to establish persistence via scheduled tasks." The behavior is LoTL persistence. The data source is endpoint telemetry. The indicators are unusual schtasks.exe invocations and unexpected scheduled task creation patterns.

This is not a theoretical exercise. According to the SANS 2025 Threat Hunting Survey, 76% of organizations encountered living-off-the-land techniques from nation-state actors in the past year.

Step 2: Search for evidence

Query logs, endpoint telemetry, and network data for behavioral indicators matching the hypothesis. Focus on behavioral patterns, not hash values or known-bad IPs. Look for process behavior, authentication patterns, and data movement that deviate from your established baseline.

Step 3: Analyze findings

Confirm or refute the hypothesis. A refuted hypothesis is not a failed hunt. Absence of evidence for a well-formed hypothesis means the behavior is not occurring in your environment, or your visibility has a gap. Both are actionable.

Step 4: Respond and refine

Escalate confirmed threats. Convert confirmed behavioral patterns into detection rules. Use what you learned to generate the next hypothesis. The cycle compounds. Each hunt improves the next.
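The four-step cycle above, carried through for the scheduled-task hypothesis from Step 1, as an added example that is not code from the original post or from Dropzone AI. It assumes a small endpoint process-creation schema and a baseline set of parent processes from which task creation is routine; the telemetry is constructed. Note how a missing data source is reported as a visibility gap rather than a refutation, which is the Step 3 distinction the text makes.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Hypothesis:
    behavior: str                      # suspected adversary behavior (the TTP)
    data_source: str                   # telemetry needed to test it
    indicator: Callable[[dict], bool]  # behavioral test applied to one event

@dataclass
class HuntResult:
    outcome: str                       # "confirmed", "refuted" or "visibility gap"
    evidence: list = field(default_factory=list)

# Assumed baseline: parents from which scheduled-task creation is routine here.
EXPECTED_PARENTS = {"explorer.exe", "mmc.exe", "services.exe", "msiexec.exe"}

def suspicious_schtasks(ev: dict) -> bool:
    """Task creation launched from a parent outside the baseline (e.g. an Office app)."""
    return (ev["image"].lower() == "schtasks.exe"
            and "/create" in ev["cmdline"].lower()
            and ev["parent"].lower() not in EXPECTED_PARENTS)

def run_hunt(hyp: Hypothesis, telemetry: dict) -> HuntResult:
    """Steps 2-3: search the named data source, then confirm, refute or flag a gap."""
    events = telemetry.get(hyp.data_source)
    if events is None:   # missing data source is a visibility gap, not a refutation
        return HuntResult("visibility gap")
    evidence = [ev for ev in events if hyp.indicator(ev)]
    return HuntResult("confirmed" if evidence else "refuted", evidence)

LOTL_PERSISTENCE = Hypothesis("LotL persistence via scheduled tasks",
                              "process_creation", suspicious_schtasks)

# Constructed endpoint process-creation events, not real telemetry.
TELEMETRY = {"process_creation": [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /create /sc daily /tn Backup /tr C:\\Tools\\backup.exe"},
    {"host": "ws01", "user": "alice", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /query /tn Backup"},
    {"host": "ws07", "user": "bob", "parent": "winword.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\u.vbs"},
]}

if __name__ == "__main__":
    result = run_hunt(LOTL_PERSISTENCE, TELEMETRY)
    print(result.outcome, [ev["host"] for ev in result.evidence])   # confirmed ['ws07']
    print(run_hunt(LOTL_PERSISTENCE, {"auth_events": []}).outcome)  # visibility gap
```

A confirmed result's `indicator` is the candidate for the Step 4 detection rule; a refuted result over the same events, or a visibility gap, feeds the next hypothesis.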

What Are Examples of Good Threat Hunting Hypotheses?

A strong threat hunting hypothesis names a specific adversary behavior, identifies the data sources needed to test it, and defines the behavioral indicators that would confirm it.

Hypothesis 1: Credential-based lateral movement

"Adversaries are using stolen credentials for lateral movement across internal systems."

Search for: unusual remote desktop connections from unexpected source IPs, authentication events from service accounts at unusual hours, privilege escalation from previously low-privilege accounts, and rapid authentication failures followed by success.

Hypothesis 2: Data exfiltration to cloud storage

"Attackers are staging and exfiltrating data to cloud storage services."

Search for: large outbound transfers to cloud storage endpoints, data staging in temp directories, unusual upload volume from low-baseline endpoints, and compression utilities run before large transfers.

Hypothesis 3: Living-off-the-land execution via PowerShell

"Attackers are using LOLBins to execute payloads and evade endpoint detection."

Search for: encoded PowerShell command strings, suspicious module loads from scripting engines, unusual parent-child process relationships such as Office applications spawning cmd.exe or powershell.exe, and WMI-based execution chains.
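Two of the Hypothesis 1 indicators (rapid authentication failures followed by success, and service-account authentication at unusual hours) turned into search logic, as an added example that is not code from the original post or from Dropzone AI. It assumes a flat authentication-event schema, that service accounts are named with an "svc_" prefix, and a 07:00 to 18:59 baseline for them; the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events used to test Hypothesis 1 (not real logs).
AUTH_EVENTS = [
    {"ts": "2025-03-04T02:10:00", "user": "svc_backup", "src": "10.0.5.20", "dst": "fs01", "ok": True},
    {"ts": "2025-03-04T09:15:00", "user": "jsmith", "src": "10.0.1.15", "dst": "ws02", "ok": True},
    {"ts": "2025-03-04T14:00:01", "user": "jsmith", "src": "10.0.9.77", "dst": "srv03", "ok": False},
    {"ts": "2025-03-04T14:00:03", "user": "jsmith", "src": "10.0.9.77", "dst": "srv03", "ok": False},
    {"ts": "2025-03-04T14:00:05", "user": "jsmith", "src": "10.0.9.77", "dst": "srv03", "ok": False},
    {"ts": "2025-03-04T14:00:09", "user": "jsmith", "src": "10.0.9.77", "dst": "srv03", "ok": True},
    {"ts": "2025-03-04T16:30:00", "user": "svc_backup", "src": "10.0.5.20", "dst": "fs01", "ok": True},
]

# Assumed environmental baseline: service accounts are "svc_*" and authenticate 07:00-18:59.
SERVICE_PREFIX = "svc_"
BASELINE_HOURS = range(7, 19)

def failure_burst_then_success(events, window=timedelta(seconds=60), min_failures=3):
    """Indicator: >= min_failures failed logons for one (user, src, dst) tuple,
    followed by a success inside the window. Returns one finding per such success."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key[(ev["user"], ev["src"], ev["dst"])].append(ev)
    findings = []
    for key, evs in by_key.items():
        for i, ev in enumerate(evs):
            if not ev["ok"]:
                continue
            t = datetime.fromisoformat(ev["ts"])
            recent = [e for e in evs[:i] if not e["ok"]
                      and t - datetime.fromisoformat(e["ts"]) <= window]
            if len(recent) >= min_failures:
                findings.append({"user": key[0], "src": key[1], "dst": key[2],
                                 "failures": len(recent), "success_at": ev["ts"]})
    return findings

def off_hours_service_logons(events):
    """Indicator: service-account authentication outside the baseline hours."""
    return [ev for ev in events if ev["user"].startswith(SERVICE_PREFIX)
            and datetime.fromisoformat(ev["ts"]).hour not in BASELINE_HOURS]

if __name__ == "__main__":
    for f in failure_burst_then_success(AUTH_EVENTS):
        print("failure burst then success:", f)
    for ev in off_hours_service_logons(AUTH_EVENTS):
        print("off-hours service logon:", ev["user"], ev["ts"])
```

Each finding is a lead for analysis, not a verdict: the off-hours service logon may be a legitimate backup job, which is exactly what the analyze step exists to decide.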

In July 2025, CISA and the U.S. Coast Guard conducted a federal proactive threat hunt at a critical infrastructure organization. The hunt searched across host, network, and cloud data and mapped findings to 18 MITRE ATT&CK techniques. The hunt found no malicious actor presence but identified six significant security gaps. It produced value without a confirmed breach.

How Does AI Help With Hypothesis-Driven Threat Hunting?

AI-augmented threat hunting enables continuous, systematic hypothesis testing by automating the search and analysis phases. Analysts focus on hypothesis generation and strategic response. This makes hypothesis-driven hunting viable for teams without dedicated full-time threat hunters.

Hypothesis generation is irreducibly human. Analysts understand the threat context, the business environment, and which risks are worth investigating. That judgment cannot be automated.

What AI changes is the execution layer. Instead of one analyst querying one data source for one hypothesis over a full day, AI-augmented systems search across all connected data sources simultaneously, run behavioral pattern matching at machine speed, test multiple hypotheses in parallel, and surface findings for analyst review.

The capacity constraint is significant. 61% of organizations cite staffing shortages as the top barrier to sophisticated threat hunting (SANS 2025). AI augmentation multiplies analyst capacity without adding headcount. A single analyst who previously ran one or two manual hunts per quarter can oversee continuous hypothesis testing.

The time compression matters too. Organizations using AI and automation reduce the breach identification and containment lifecycle by 80 days on average (IBM Cost of a Data Breach 2025).

Dropzone AI's AI Threat Hunter is built for this workflow. Analysts form the hypothesis. The AI Threat Hunter searches federated across SIEM, EDR, and cloud data sources, surfaces behavioral matches, and presents findings for analyst review.

Key Takeaways

  • IOC-based hunting is reactive. Attackers rotate file hashes, IPs, and domains in minutes. TTPs require weeks of operational retooling to change, making them far more durable hunting targets.
  • Hypothesis-driven threat hunting follows a four-step cycle: form a hypothesis, search for behavioral evidence, analyze findings, respond and refine.
  • A well-formed hypothesis names a specific adversary behavior, the data sources needed to test it, and the behavioral indicators that confirm it.
  • Analysts generate the hypotheses. AI automates the search and surfaces findings. That is what makes hypothesis-driven hunting scalable.
  • 61% of security teams cite staffing as the top barrier to sophisticated threat hunting (SANS 2025). AI augmentation multiplies analyst capacity rather than replacing analyst judgment.

Conclusion

IOC-based hunting will always be part of a complete detection program. But it will never be sufficient. Attackers move faster than indicators can be published, distributed, and operationalized. Hypothesis-driven threat hunting shifts the advantage by targeting what adversaries cannot quickly change: their behaviors.

The barrier to running it at scale is not methodology. It is analyst capacity. With 61% of security teams citing staffing as the top constraint (SANS 2025), the organizations that close this gap augment analyst capacity through AI rather than waiting for headcount approval.

Dropzone AI's AI Threat Hunter automates the search and analysis phases of the hypothesis cycle so analysts can focus on generating better hypotheses and acting on findings. Request early access.

Frequently Asked Questions

What is a threat hunting hypothesis?

A threat hunting hypothesis is a testable assumption about adversary behavior within your environment. It names a specific TTP, identifies the data sources needed to test it, and defines the behavioral indicators that would confirm or refute it. For example: "Adversaries are using scheduled tasks for persistence" is a hypothesis testable against endpoint telemetry for unusual schtasks.exe activity.

What is the difference between IOCs and TTPs in threat hunting?

IOCs (Indicators of Compromise) are artifacts of an attack, such as file hashes, IP addresses, and domains, that attackers can change in minutes. TTPs (Tactics, Techniques, and Procedures) are the behavioral methods adversaries use to achieve objectives. TTPs require weeks to months of operational retooling to change. Hypothesis-driven hunting targets TTPs because they remain valid even after an attacker rotates every technical artifact.

How do you create a good threat hunting hypothesis?

A strong threat hunting hypothesis has three components: a specific adversary behavior (what the attacker is doing), the data source needed to test it (where the evidence would appear), and the behavioral indicators that would confirm it (what to look for). Sources for hypothesis generation include threat intelligence feeds, MITRE ATT&CK technique profiles, recent threat reports, and anomalies that your detection tools have surfaced but not fully explained.

What is the Pyramid of Pain in cybersecurity?

The Pyramid of Pain is a threat intelligence framework developed by David Bianco, widely referenced across the security industry and documented by SANS. It ranks indicators by how difficult they are for adversaries to change. At the bottom are hash values, the easiest to change. At the top are TTPs, the hardest to change because they reflect how an adversary fundamentally operates. The pyramid explains why threat hunting focused on TTPs is more durable than hunting based on file hashes or IP addresses.

How do you write a threat hunting hypothesis?

To write a threat hunting hypothesis, start with a known adversary TTP from MITRE ATT&CK or a current threat intelligence report. Structure it as: "[Adversary behavior] is occurring in [specific system or data source], which would be evidenced by [observable behavioral indicators]." Test it by querying the relevant data source for those behavioral patterns. A confirmed hypothesis produces a detection rule. A refuted hypothesis produces evidence of environmental safety or a visibility gap.
Tyson Supasatit
Principal Product Marketing Manager

Tyson Supasatit is Principal Product Marketing Manager at Dropzone AI where he helps cybersecurity defenders understand what is possible with AI agents. Previously, Tyson worked at companies in the supply chain, cloud, endpoint, and network security markets. Connect with Tyson on Mastodon at https://infosec.exchange/@tsupasat
