Huntbook by Predefender
Threat hunting is not about running random queries and hoping something suspicious appears.
It is about understanding behaviour, building context, forming hypotheses, testing assumptions, and turning observations into knowledge the organisation can use.
This book is a practical guide to how threat hunters think, investigate, document, and improve detection capability.
— Roger C.B. Johnsen
Start Reading Latest Updates RSS Feed
What This Book Is
Threat Hunt Book is a practical handbook for threat hunting. It’s written from the perspective of someone who has worked hands-on with SOC operations, investigations, detection, and threat hunting, and who has also helped establish SOC capabilities for Norwegian cybersecurity firms. The goal isn’t a perfect academic model of threat hunting. It’s to share practical methods, field notes, mental models, and lessons learned from real operational security work.
This book is about how to think during a hunt:
- how to move from observation to context
- how to build and test hypotheses
- how to understand security data
- how to reason about attacker behaviour
- how to document findings
- how to turn hunting knowledge into better detection
- how to avoid common analytical traps
Threat hunting is not a tool. It’s a discipline.
Who This Book Is For
This book is primarily written for threat hunters and security analysts who want to become better at structured investigation.
It’s also relevant for:
- SOC analysts who want to move beyond alert handling
- detection engineers who want to understand how hunting findings become detection logic
- security architects who need to understand how detection, telemetry, and response fit together
- incident responders who need better context during investigations
- defenders who want to understand how attacker behaviour appears in real environments
The aim is simple: help analysts become more effective threat hunters by understanding the method behind the work.
How to Use This Book
This isn’t meant to be read only from beginning to end. Use it as a practical reference. Read the methodology chapters to understand the thinking. Use the framework pages to compare hunting models. Use the field notes and technique pages when you need examples. Use the cheat sheets when you need quick reminders during investigations.
Some articles are conceptual. Some are practical. Some are reflective. Together, they describe how I approach threat hunting as a discipline.
About the Content
The content includes articles, notes, presentations, cheat sheets, field reflections, and practical guidance based on years of hands-on work in threat hunting, SOC operations, detection, and investigations.
Some pages are polished articles. Others are practical references or field notes. The common thread is that the content should help defenders understand what they’re looking at, why it matters, and what to do next.
The content has been refined with the help of tools like ChatGPT to improve grammar, clarity, structure, and readability. The ideas, experience, opinions, and editorial direction are my own.
Feedback
I welcome thoughts, suggestions, corrections, and professional disagreement.
If something is unclear, wrong, outdated, or useful, feel free to reach out via my preferred contact links .
Latest Updates
- When to Engage Threat Hunters - Jul. 09, 2026
- Creating Hypotheses - Jul. 09, 2026
- Planning a Threat Hunt - Jul. 09, 2026
- How to Start a Threat Hunting Program - Jul. 09, 2026
- Context Before Conclusion - Jul. 09, 2026
- From Alerts to Hypotheses - Jul. 09, 2026
- The Threat Hunter Persona - Jul. 09, 2026
- Hierarchy of Needs - Jul. 09, 2026
- Definition - Jul. 09, 2026
- Hunter to Detection - Jun. 28, 2026