Threat Hunt Book by Predefender
This notebook provides a comprehensive guide to Threat Hunting, structured in the form of a book.
With years of experience establishing SOC departments for Norwegian cybersecurity firms and working hands-on as a threat hunter, I have gathered practical lessons, field notes, and methods that I want to share.
My goal is simple: help SOC analysts become effective threat hunters from day one.
Roger C.B. Johnsen
Have feedback? I welcome thoughts, suggestions, and corrections. Feel free to reach out via my preferred contact links.
About the Content
The content has been refined with the help of tools like ChatGPT to improve grammar, clarity, and readability.
It includes a curated collection of notes, articles, presentations, cheat sheets, and personal reflections based on years of hands-on experience in threat hunting, SOC work, detection, and investigations.
Latest Updates
Jun. 28, 2026
New section: Detection Engineering. A new section covering the craft of detection engineering.
New article: Hunter to Detection. A practical look at the threat hunter's role in detection engineering, with important tips for the SOC.
Jun. 27, 2026
New article: MAC Addresses. A practical look at MAC addresses, OUI lookups, MAC randomization, and how Layer 2 context can prevent mistakes during investigations.
Oct. 18, 2025
New article: From Alerts to Hypothesis. How to move from alert-driven triage toward hypothesis-driven threat hunting.
Apr. 20, 2025
New section: Threat Hunting Frameworks. Collected threat hunting framework content under one dedicated section.
Apr. 13, 2025
New framework pages: Magma, TaHiTI, and PEAK. Added practical references for several established threat hunting frameworks.
Mar. 29, 2025
New page: When to Engage Threat Hunters. Guidance on when threat hunters should be brought into security work, investigations, and operational decisions.
Mar. 21, 2025
New cheat sheets: Kusto Sentinel Tables, Sysmon, Windows Registry, and PowerShell. Quick references based on recent hunts and common investigation needs.
Earlier Changes
Mar. 16, 2025
- Added new Cheat Sheets section.
- Added support for tags to make grouping articles easier. Testing started in the Cheat Sheets section.
Feb. 28, 2025
- Updated contact information.
- Added e-mail.
Feb. 22, 2025
- Overhauled multiple pages to improve clarity and meaning.
- Added Hierarchy of Needs.
Feb. 15, 2025
- Added SIEM Query Languages.
Jan. 11, 2025
- Added The Threat Hunter Persona.
Dec. 27, 2024
- Added the Release Plan page, accessible from the left site menu.
- Improved the left site menu by removing chapter and part prefixes.
Nov. 03, 2024
- Added No Result Hunts.
Nov. 02, 2024
- Added Creating Hypotheses.
Oct. 27, 2024
- Added T1105, based on a recent threat hunt investigation.
- Added Planning a Threat Hunt.
- Added Intelligence Resources.
Oct. 26, 2024
- Added Starting a Threat Hunting Program.
- Added pages on Threat Hunting Deliveries.
Oct. 21, 2024
- Revised the introduction for Threat Hunting Deliveries.
Oct. 20, 2024
- Added a section on Threat Hunting Deliveries.
Oct. 19, 2024
- Added a section on conditional access for T1566 - Phishing.
Oct. 15, 2024
- Added a tip on Windows logon events.
Oct. 13, 2024
- Introduced Deliveries under Part 1, including the new SITREP page.
Oct. 12, 2024
- Introduced Mitre Field Notes, featuring T1566 - Phishing.
Oct. 11, 2024
- Added links to social platforms, X and Mastodon.
Oct. 06, 2024
- Quality assured the OpenSearch Python API ingester.
- Improved document formatting across the site.
- Added tips for Windows event log success and failure.
Sep. 30, 2024
- Added the FAQ page.
Sep. 29, 2024
- Added Understanding Data.
