TL;DR

48% of SOCs describe their threat hunting as "partially automated" (SANS SOC Survey 2025), often just retroactive analysis with manual correlation. Industry-standard frameworks like MITRE ATT&CK, Pyramid of Pain, and Cyber Kill Chain provide proven methodologies, but manual execution remains resource-prohibitive. AI-augmented SOC platforms automate systematic framework application across every alert while analysts maintain oversight of hypothesis formation, threat prioritization, and response strategies.

Introduction

Your SOC team knows MITRE ATT&CK. They understand the Pyramid of Pain. They've studied the Cyber Kill Chain. But turning framework knowledge into repeatable and well-executed threat hunts? That's where most teams struggle. Manual framework application requires deep expertise, time-intensive correlation across tools, and sustained focus that 24/7 operations make impossible. AI-augmented platforms change the equation by automating the systematic application of threat hunting methodologies while keeping analysts in control of strategy and response.

Why Threat Hunting Frameworks Matter

What is a threat hunting framework? It's a structured methodology that guides security analysts in proactively searching for hidden threats that evade automated detection.

Unlike ad hoc hunting (aimlessly searching logs hoping to find something), frameworks provide a common way to describe attacker behavior. Threat hunters can use frameworks to plan hunts based on:

  • Adversary behaviors
  • Indicator durability
  • Attack progression patterns

Why They Matter

Frameworks give security professionals a shared vocabulary for describing attacker activity, and threat hunters can turn the IOCs and TTPs in threat reports into hunt plans.

Behavior-based detection is essential: 81% of intrusions from July 2024 through June 2025 were malware-free, requiring behavior analysis rather than signature matching.

Consistency across teams: 79% of SOCs operate 24/7 (SANS 2025), often with mixed experience levels. Frameworks ensure investigation quality doesn't vary by analyst or shift timing.

Efficiency through structure: Ad hoc hunting wastes time. Frameworks prioritize high-impact activities (TTPs that take adversaries months to change vs. indicators they change in seconds).

The reality gap: 48% of SOCs still describe hunting as "partially automated" using vendor tools (SANS 2025). Most teams understand frameworks intellectually but struggle with consistent manual application under operational pressure.

MITRE ATT&CK: The Behavior-Based Playbook

MITRE ATT&CK is the globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Version 18.1 (December 2025):

  • 14 tactics across the attack lifecycle
  • Hundreds of specific techniques
  • Organized by adversary behavior (not tools or malware)

Why It Works

Behavior-focused approach catches malware-free attacks (81% of modern intrusions). Instead of looking for specific malware signatures, you look for behavioral patterns:

  • Credential access techniques (T1003)
  • Lateral movement methods (T1021)
  • Persistence mechanisms (T1543)

Adversaries must use these behaviors regardless of which tools they deploy.

Manual Execution Challenges

  • Requires deep knowledge of hundreds of techniques across 14 categories
  • Time-intensive log correlation across multiple tools per technique
  • Investigation coverage depends on analyst familiarity with specific techniques

How AI Automates ATT&CK Hunting

Pre-trained knowledge: Understands techniques without per-analyst training

Extracts TTPs: Analyzes threat reports and threat intelligence to extract TTPs

Federated hunts: Hunts across SIEM, EDR, identity tools

Framework mapping: Investigation summaries mapped to ATT&CK

Example: AI detects suspicious PowerShell execution, automatically correlates the activity across endpoint and identity logs, maps it to T1059.001 (PowerShell), checks for related techniques (credential access, lateral movement), and presents an ATT&CK-mapped investigation in under 5 minutes (vs. 30-45 minutes manually).
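The correlation step in that example, written out as an added illustration (not Dropzone AI's code): constructed endpoint and identity events for one user are run through assumed detection heuristics, each tagged with the ATT&CK technique it evidences, so the PowerShell finding, the LSASS access and the fan-out of network logons appear together in one technique-mapped summary. The event fields, thresholds and regex are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data): endpoint events and identity
# logons for one user, as a SIEM might return them for a 30-minute window.
ENDPOINT = [
    {"ts": "09:14:02", "host": "ws-017", "user": "jdoe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand QUFBQQ=="},
    {"ts": "09:20:11", "host": "ws-017", "user": "jdoe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Reports"},
    {"ts": "09:21:40", "host": "ws-017", "user": "jdoe", "image": "rundll32.exe",
     "target": "lsass.exe"},          # process-access record, e.g. Sysmon Event ID 10
]
IDENTITY = [
    {"ts": "09:31:05", "user": "jdoe", "src": "ws-017", "dst": "srv-fs01", "logon_type": 3},
    {"ts": "09:32:48", "user": "jdoe", "src": "ws-017", "dst": "srv-db02", "logon_type": 3},
    {"ts": "09:40:00", "user": "jdoe", "src": "ws-017", "dst": "srv-app03", "logon_type": 3},
]

# Assumed detection heuristics, each tagged with the ATT&CK technique it evidences.
ENCODED_PS = re.compile(r"-(enc|encodedcommand)\b|-w(indowstyle)?\s+hidden", re.I)

def map_endpoint(ev):
    if ev["image"].lower() == "powershell.exe" and ENCODED_PS.search(ev["cmdline"]):
        return "T1059.001"      # Command and Scripting Interpreter: PowerShell
    if ev.get("target", "").lower() == "lsass.exe":
        return "T1003.001"      # OS Credential Dumping: LSASS Memory
    return None

def map_identity(events, min_hosts=3):
    """Network logons (type 3) from one user to several hosts -> T1021 Remote Services."""
    hosts = {e["dst"] for e in events if e["logon_type"] == 3}
    return "T1021" if len(hosts) >= min_hosts else None

def investigate(user, endpoint=ENDPOINT, identity=IDENTITY):
    """Return {technique_id: [evidence strings]} for one user across both sources."""
    found = defaultdict(list)
    for ev in endpoint:
        if ev["user"] == user and (tid := map_endpoint(ev)):
            found[tid].append(f"{ev['ts']} {ev['host']} {ev.get('cmdline', ev.get('target'))}")
    mine = [e for e in identity if e["user"] == user]
    if tid := map_identity(mine):
        found[tid].append(f"{mine[0]['ts']}-{mine[-1]['ts']} {len(mine)} network logons")
    return dict(found)

if __name__ == "__main__":
    for tid, evidence in investigate("jdoe").items():
        print(tid, evidence)
```

The plain `Get-ChildItem` invocation is deliberately left unmapped: the point of the heuristics is that routine PowerShell in your environment should not inflate the technique list.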

Pyramid of Pain: Prioritizing High-Impact Detection

Created by David Bianco, this framework categorizes threat indicators by difficulty for adversaries to change.

The Six Levels

Level                   Adversary Pain   Example                        Time to Change
Hash Values             Trivial          MD5, SHA1 file signatures      Seconds
IP Addresses            Easy             C2 server locations            Minutes
Domain Names            Annoying         Phishing/C2 domains            Hours
Network/Host Artifacts  Challenging      URI patterns, registry keys    Days
Tools                   Tough            Custom malware frameworks      Weeks
TTPs                    Severe           Adversary methodology          Months

Why It Works

Detecting high-pyramid tactics, techniques, and procedures (TTPs) inflicts maximum pain on adversaries. When you catch and block TTPs, adversaries can't just recompile malware or change an IP. They must rethink their entire approach.

Modern SOCs report a 60% reduction in successful attacks when prioritizing TTP-level detection over hash and IP hunting.

Manual Execution Challenges

Each pyramid level requires different detection approaches:

  • Continuous rule refinement at every level
  • Labor-intensive artifact/tool/TTP database maintenance
  • Analysts spend disproportionate time on low-pyramid indicators (easier to automate but lower value)

How AI Automates Pyramid Hunting

Automatic escalation: Investigations prioritized by indicator sophistication

Low-pyramid processing: Hash/IP matches processed instantly with enrichment

High-pyramid escalation: TTP patterns flagged immediately for analyst review

Depth scaling: Investigation thoroughness matches pyramid level automatically

Example: 500 alerts arrive across all pyramid levels. AI processes low-pyramid matches (known-bad IPs, hashes) instantly, batches medium-pyramid alerts (artifacts, tools) for efficient review, and escalates high-pyramid TTP indicators immediately. Result: analyst time is focused on severe adversary pain points, not trivial indicators.
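A pyramid-based triage router for that kind of alert stream, added here as an example rather than taken from the page or from Dropzone AI's platform: each alert is ranked by the most painful indicator it carries and routed to instant processing, batched review or immediate escalation. The level patterns, the tool catalogue and the routing split per level are assumptions.

```python
import re

# Pyramid of Pain levels in ascending order of adversary pain, with an assumed
# routing action per level (the page's instant / batched / escalated split).
LEVELS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]
ACTION = {"hash": "auto", "ip": "auto", "domain": "batch",
          "artifact": "batch", "tool": "batch", "ttp": "escalate"}
KNOWN_TOOLS = {"mimikatz", "cobaltstrike"}     # assumed tool catalogue

HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

def classify(indicator):
    """Map one indicator string to its pyramid level."""
    if HASH.match(indicator):
        return "hash"
    if IPV4.match(indicator):
        return "ip"
    if ATTACK_ID.match(indicator):
        return "ttp"
    if indicator.lower() in KNOWN_TOOLS:
        return "tool"
    if DOMAIN.match(indicator):
        return "domain"
    return "artifact"       # registry keys, URI patterns, mutex names, ...

def alert_level(alert):
    """An alert ranks by the most painful indicator it carries."""
    return max((classify(i) for i in alert["indicators"]), key=LEVELS.index)

def triage(alerts):
    """Group alerts by routing action, each group ordered highest pain first."""
    routed = {"escalate": [], "batch": [], "auto": []}
    for a in alerts:
        lvl = alert_level(a)
        routed[ACTION[lvl]].append((lvl, a["id"]))
    for group in routed.values():
        group.sort(key=lambda x: -LEVELS.index(x[0]))
    return routed

# Constructed sample alerts (not real data; the hash is a placeholder).
ALERTS = [
    {"id": 1, "indicators": ["0123456789abcdef0123456789abcdef"]},
    {"id": 2, "indicators": ["198.51.100.7", "login-portal.example.net"]},
    {"id": 3, "indicators": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"]},
    {"id": 4, "indicators": ["mimikatz"]},
    {"id": 5, "indicators": ["T1003.001", "198.51.100.7"]},
]
```

Calling `triage(ALERTS)` escalates only alert 5, even though it also carries an IP, because the TTP is what determines how much an adversary has to change.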

Cyber Kill Chain: Disrupting Attack Progression

Developed by Lockheed Martin, the Kill Chain models attack progression through seven sequential stages.

The Seven Stages

  1. Reconnaissance (Gathering target information)
  2. Weaponization (Creating attack tools)
  3. Delivery (Transmitting weapon to target)
  4. Exploitation (Triggering vulnerability)
  5. Installation (Installing malware/backdoor)
  6. Command & Control (Remote control channel)
  7. Actions on Objectives (Data theft, destruction)

Why It Works

Temporal context: Maps findings to attack progression

Early disruption: "Left-of-boom" hunting catches attacks before later-stage damage

Visibility assessment: Shows which stages your defenses cover and where gaps exist

Manual Execution Challenges

  • Multi-system timeline reconstruction from fragmented logs
  • Time pressure (late detection means attacker already established persistence)
  • Quality varies with analyst experience

How AI Automates Kill Chain Analysis

Automatic timeline building: Correlates events across lifecycle stages

Stage mapping: Identifies sequences (Delivery → Exploitation → C2)

Gap highlighting: Shows where visibility might be incomplete

Coherent narratives: Unified attack stories vs. disconnected events

Example: While investigating potential lateral movement, AI correlates a phishing email from three days ago (Delivery) with credential access attempts (Exploitation) and subsequent RDP sessions to multiple hosts (C2). Hours of manual log searching happen automatically, and the analyst is presented with a unified kill chain timeline to assess.
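Timeline building and gap highlighting as described in this section, shown as an added example that is not code from the page or from Dropzone AI: out-of-order events from an email gateway, an EDR and a web proxy (all constructed) are mapped to Kill Chain stages, ordered, and checked for stages in between that have no supporting event. The source-to-stage mapping and the event schema are assumptions.

```python
from datetime import datetime

STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives"]

# Assumed mapping from (log source, event type) to the Kill Chain stage it evidences.
STAGE_OF = {
    ("email", "attachment_delivered"): "Delivery",
    ("edr", "office_spawned_script"): "Exploitation",
    ("edr", "service_created"): "Installation",
    ("proxy", "beacon_to_new_domain"): "Command & Control",
}

# Constructed events from three tools over three days (not real data), out of
# order as they would come back from separate queries.
EVENTS = [
    {"ts": "2025-12-03T10:41:00", "src": "proxy", "type": "beacon_to_new_domain",
     "detail": "ws-017 periodic GETs to files-sync.example.net"},
    {"ts": "2025-11-30T08:02:00", "src": "email", "type": "attachment_delivered",
     "detail": "invoice_Q4.xlsm to jdoe from billing@example.org"},
    {"ts": "2025-11-30T08:09:30", "src": "edr", "type": "office_spawned_script",
     "detail": "ws-017 EXCEL.EXE spawned wscript.exe"},
    {"ts": "2025-12-03T11:05:00", "src": "edr", "type": "heartbeat",
     "detail": "ws-017 routine check-in"},
]

def build_timeline(events):
    """Keep only stage-mapped events and order them chronologically."""
    rows = []
    for e in events:
        stage = STAGE_OF.get((e["src"], e["type"]))
        if stage:
            rows.append((datetime.fromisoformat(e["ts"]), stage, e["src"], e["detail"]))
    return sorted(rows)

def visibility_gaps(timeline):
    """Stages between the first and last observed stage with no supporting event.
    Earlier stages (Recon, Weaponization) happen on the attacker's side, so they
    are not reported as defender visibility gaps."""
    seen = {STAGES.index(stage) for _, stage, _, _ in timeline}
    if not seen:
        return []
    return [STAGES[i] for i in range(min(seen), max(seen) + 1) if i not in seen]

def narrative(events):
    """One line per stage-mapped event plus a gap summary, for analyst review."""
    tl = build_timeline(events)
    lines = [f"{ts:%Y-%m-%d %H:%M} [{stage}] ({src}) {detail}" for ts, stage, src, detail in tl]
    gaps = visibility_gaps(tl)
    lines.append("Visibility gaps: " + (", ".join(gaps) if gaps else "none"))
    return lines
```

`narrative(EVENTS)` reports Installation as the gap: an EDR rule for it exists in the mapping, yet no event fired, which is exactly the question an analyst should be prompted to ask.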

How AI Teams Apply Frameworks at Scale

Lack of skilled staff is the top barrier to sophisticated threat hunting (SANS 2025). AI augmentation bridges the gap between understanding frameworks and executing them consistently.

The AI Augmentation Model

Pre-trained framework knowledge

  • Understands ATT&CK techniques, Pyramid levels, Kill Chain stages
  • No manual training required
  • Consistent application regardless of SOC workload or analyst availability

Continuous framework application

  • Every alert investigation uses frameworks
  • 24/7 operations (79% of SOCs) benefit from consistent methodology
  • Not just the investigations experienced analysts have time for

Analyst oversight maintained

  • AI handles systematic evidence gathering and framework mapping
  • Analysts review framework-contextualized findings
  • Human judgment drives threat assessment and response

Environment learning

  • Adapts to your normal PowerShell usage
  • Learns typical authentication patterns
  • Understands legitimate admin tool behaviors
  • Maintains framework rigor while learning environment specifics

This is systematic evidence gathering using proven methodologies, with security analysts maintaining control over hypothesis formation, threat prioritization, and response strategies.

Key Takeaways

  • MITRE ATT&CK, Pyramid of Pain, and Cyber Kill Chain provide proven methodologies, but extracting TTPs from threat intelligence, creating hunt packs, and executing the hunts is resource-prohibitive for most SOC teams
  • 48% of SOCs perform only "partially automated" hunting due to knowledge requirements (hundreds of techniques), time constraints (79% operate 24/7), and staffing limitations
  • AI-augmented approach enables consistent framework application through automated evidence gathering while analysts maintain strategic oversight
  • Operational impact: consistent investigation quality regardless of analyst experience or shift, faster response through automation, analyst focus on high-pyramid indicators

Frequently Asked Questions

What is a threat hunting framework?
A structured methodology guiding security analysts in proactively searching for hidden threats that evade automated detection systems. Frameworks provide systematic approaches for hypothesis-driven investigation based on adversary behaviors (MITRE ATT&CK), indicator durability (Pyramid of Pain), or attack progression (Cyber Kill Chain).
How do you use MITRE ATT&CK for threat hunting?
You use MITRE ATT&CK for threat hunting by following a five-step process: (1) form hypotheses about adversary techniques relevant to your threat landscape, (2) search for behavioral indicators of specific techniques (e.g., T1003 Credential Dumping), (3) correlate evidence across security tools to confirm technique presence, (4) map confirmed findings to ATT&CK matrix to identify related techniques, and (5) use discoveries to improve detection rules and inform future hypotheses. AI-augmented SOCs automate steps 2-4, allowing analysts to focus on hypothesis formation and strategic response.
What is the Pyramid of Pain in cybersecurity?
The Pyramid of Pain is a framework created by David Bianco that categorizes threat indicators by difficulty for adversaries to change. It has six levels, from trivial (hash values, seconds to change) to severe (TTPs, months to change). Detecting high-pyramid indicators forces adversaries to invest significant time rebuilding capabilities. Modern SOCs prioritizing TTP-level detection report a 60% reduction in successful attacks.
How does AI help with threat hunting?
AI assists threat hunting by extracting TTPs from threat intelligence, creating hunt packs, and executing federated hunts across multiple tools, applying framework methodologies consistently to every investigation, maintaining pre-trained knowledge of adversary techniques, reconstructing attack timelines automatically, and prioritizing high-impact indicators for analyst review. This augments analyst capabilities rather than replacing expertise; analysts maintain control over hypothesis formation, threat prioritization, and all response decisions while AI handles systematic evidence gathering.
What is the Cyber Kill Chain framework?
The Cyber Kill Chain is a framework developed by Lockheed Martin that models cyberattack progression through seven sequential stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and Actions on Objectives. It helps threat hunters map findings to attack progression, focus on early-stage disruption ("left-of-boom"), and assess visibility across the attack lifecycle.
What's the difference between MITRE ATT&CK and the Pyramid of Pain?

MITRE ATT&CK organizes adversary behaviors by tactics and techniques based on real-world observations, providing a knowledge base for behavioral hunting. The Pyramid of Pain categorizes threat indicators by how difficult they are for adversaries to change (from trivial hash values to severe TTPs), guiding prioritization of detection efforts. They complement each other: ATT&CK provides the techniques to hunt for, Pyramid of Pain helps prioritize which indicators deliver maximum adversary pain.

How many techniques are in MITRE ATT&CK?

MITRE ATT&CK Version 18.1 (December 2025) contains hundreds of specific techniques organized across 14 tactical categories covering the full attack lifecycle from Initial Access through Impact. The framework is continuously updated based on real-world threat observations, with new techniques added as adversary behaviors evolve.

Is MITRE ATT&CK a framework or a tool?

MITRE ATT&CK is a knowledge base and framework, not a tool. It provides a structured taxonomy of adversary behaviors that security tools and platforms can leverage for detection, investigation, and response. Many security products (SIEM, EDR, XDR, threat intelligence platforms) integrate ATT&CK mapping to contextualize alerts and findings within the framework's behavioral model.

Experience AI-Augmented Framework Execution

Dropzone AI's autonomous alert investigation platform applies threat hunting frameworks systematically to every security alert. Our AI SOC analysts autonomously investigate using ATT&CK-mapped behavioral analysis, Pyramid-based prioritization, and Kill Chain timeline reconstruction. It integrates with your existing SIEM, EDR, and XDR tools without requiring custom playbooks or code.

Discover AI-augmented investigation at dropzone.ai.

Tyson Supasatit
Principal Product Marketing Manager

Tyson Supasatit is Principal Product Marketing Manager at Dropzone AI where he helps cybersecurity defenders understand what is possible with AI agents. Previously, Tyson worked at companies in the supply chain, cloud, endpoint, and network security markets. Connect with Tyson on Mastodon at https://infosec.exchange/@tsupasat

Self-Guided Demo

Test drive our hands-on interactive environment. Watch our AI SOC analyst autonomously investigate security alerts in real time, just as it would in your SOC.