Threat Hunt Book by Predefender

This notebook provides a comprehensive guide to Threat Hunting, structured in the form of a book.

With years of experience establishing SOC departments for Norwegian cybersecurity firms and working hands-on as a threat hunter, I have gathered practical lessons, field notes, and methods that I want to share.

My goal is simple: help SOC analysts become effective threat hunters from day one.

Roger C.B. Johnsen


Have feedback? I welcome thoughts, suggestions, and corrections. Feel free to reach out via my preferred contact links.


About the Content

The content has been refined with the help of tools like ChatGPT to improve grammar, clarity, and readability.

It includes a curated collection of notes, articles, presentations, cheat sheets, and personal reflections based on years of hands-on experience in threat hunting, SOC work, detection, and investigations.


Latest Updates

Jun. 28, 2026

New section: Detection Engineering A new section covering the craft of detection engineering.

New article: Hunter to Detection A practical look at the threat hunter's role in detection engineering, with important tips for the SOC.

Jun. 27, 2026

New article: MAC Addresses A practical look at MAC addresses, OUI lookups, MAC randomization, and how Layer 2 context can prevent mistakes during investigations.

Oct. 18, 2025

New article: From Alerts to Hypothesis How to move from alert-driven triage toward hypothesis-driven threat hunting.

Apr. 20, 2025

New section: Threat Hunting Frameworks Collected threat hunting framework content under one dedicated section.

Apr. 13, 2025

New framework pages: Magma, TaHiTI, and PEAK Added practical references for several established threat hunting frameworks.

Mar. 29, 2025

New page: When to Engage Threat Hunters Guidance on when threat hunters should be brought into security work, investigations, and operational decisions.

Mar. 21, 2025

New cheat sheets: Kusto Sentinel Tables, Sysmon, Windows Registry, and PowerShell Quick references based on recent hunts and common investigation needs.


Earlier Changes

Mar. 16, 2025

  • Added new Cheat Sheets section.
  • Added support for tags to make grouping articles easier. Testing started in the Cheat Sheets section.

Feb. 28, 2025

  • Updated contact information.
  • Added e-mail.

Feb. 22, 2025

Feb. 15, 2025

Jan. 11, 2025

Dec. 27, 2024

  • Added the Release Plan page, accessible from the left site menu.
  • Improved the left site menu by removing chapter and part prefixes.

Nov. 03, 2024

Nov. 02, 2024

Oct. 27, 2024

Oct. 26, 2024

Oct. 21, 2024

  • Revised the introduction for Threat Hunting Deliveries.

Oct. 20, 2024

  • Added a section on Threat Hunting Deliveries.

Oct. 19, 2024

Oct. 15, 2024

  • Added a tip on Windows logon events.

Oct. 13, 2024

  • Introduced Deliveries under Part 1, including the new SITREP page.

Oct. 12, 2024

  • Introduced Mitre Field Notes, featuring T1566 - Phishing.

Oct. 11, 2024

  • Added links to social platforms, X and Mastodon.

Oct. 06, 2024

  • Quality assured the OpenSearch Python API ingester.
  • Improved document formatting across the site.
  • Added tips for Windows event log success and failure.

Sep. 30, 2024

  • Added the FAQ page.

Sep. 29, 2024


Threat Hunting Illustration