Effective Cyber Threat Hunting: Where and how does it fit?


  • Nombeko Ntingi ECCWS
  • Dr
  • Dr
  • Professor




Keywords: cyber threat hunting, cyber counterintelligence, active cyber defense, cyber threat intelligence, cyber threat modelling, proactive


Traditionally, threat detection in organisations is reactive, relying on pre-defined and preconfigured rules that are embedded in automated tools such as firewalls, anti-virus software, security information and event management (SIEM) systems and intrusion detection systems/intrusion prevention systems (IDS/IPS). As the fourth industrial revolution (4IR) brings with it an exponential increase in technological advances and global interconnectivity, cyberspace presents security risks and threats on an unprecedented scale. These security risks and threats have the potential to expose confidential information, damage the reputation of credible organisations and/or inflict harm. The regular occurrence and complexity of cyber intrusions make guarding enterprise and government networks a daunting task. Nation states and businesses need to be ingenious and consider innovative and proactive means of safeguarding their valuable assets. The growth of the technological, physical and biological worlds necessitates the adoption of a proactive approach towards safeguarding cyberspace.

This paper centres on cyber threat hunting (CTH) as one such proactive and important measure that can be adopted. Its central contention is that effective CTH cannot be an autonomous ‘plug in’ or a standalone intervention. To be effective, CTH has to be synergistically integrated with relevant existing fields and practices. Academic work on such conceptual integration of where CTH fits is scarce. Within the confines of the paper we do not attempt to integrate CTH with many of the various relevant fields and practices. Instead, we limit the scope to postulations on CTH’s interface with two fields of central importance in cyber security, namely Cyber Counterintelligence (CCI) and Cyber Threat Monitoring and Analysis (CTMA). The paper’s two corresponding primary objectives are to position CTH within the broader field of CCI and to further contextualise CTH within the CTMA domain. The postulations we advance are qualified as tentative, exploratory work to be expanded on. The paper concludes with observations on further research.