Creating Hypotheses

Author: Roger C.B. Johnsen

Introduction

The previous chapters introduced hypotheses as part of threat hunting methodology. This chapter goes deeper. It focuses on how to create hypotheses that are specific, testable, relevant and useful enough to drive an actual hunt.

Threat hunting relies on more than intuition and experience. Those things matter, but they are not enough. A hunt needs a structured question. It needs a reason. It needs observable behaviour. It needs data that can support or weaken the idea being tested.

That is where the hypothesis comes in.

  • A good hypothesis gives the hunt direction. It does not prove anything by itself. It does not guarantee that the team will find malicious activity. It simply gives the hunter a clear statement to test against evidence.
  • A weak hypothesis sends the hunter browsing through logs.
  • A strong hypothesis tells the hunter what evidence would matter.

A hypothesis is not a suspicion with better wording. It is a statement you can test against evidence.

– Roger Johnsen

What a Threat Hunting Hypothesis Is

A threat hunting hypothesis is a testable statement about behaviour that may indicate malicious activity, security weakness, detection failure, visibility gap or operational risk. It usually combines several elements:

ElementPurpose
AssumptionWhat do we think may be happening?
BehaviourWhat observable activity would support the assumption?
ContextWhy does this matter in our environment?
DataWhich telemetry can test the idea?
ScopeWhere and when will we look?
OutputWhat useful result may come from the hunt?

A hypothesis does not need to be complicated. It needs to be clear enough to test.

Weak example:

Attackers may be present in the network.

Better example:

If attackers gained initial access through malicious documents, Office applications may spawn PowerShell, cmd.exe, wscript.exe or similar interpreters on user workstations.

The second example gives the hunter something to do. It points towards process telemetry, parent-child relationships, command-line arguments, device context and user context. That is what makes it useful. A hypothesis should help the hunter move from a concern to an investigation.

What a Hypothesis Is Not

It is useful to be clear about what a hypothesis is not:

  • A hypothesis is not the same as an alert. An alert says that something matched existing logic. A hypothesis asks whether something may be happening that the existing logic does not fully cover.
  • A hypothesis is not the same as an IOC. An IOC can be a useful starting point, but an IOC search is usually narrow. A hypothesis should move towards behaviour and context.
  • A hypothesis is not the same as a threat report. A report may inspire the hunt, but the hunter still needs to translate the report into local telemetry and observable behaviour.
  • A hypothesis is not the same as a vague concern.

Concern:

We are worried about ransomware.

That may be a valid concern, but it is not yet a hunting hypothesis. A better version could be:

If ransomware operators are preparing for encryption, we may observe unusual archive creation, privilege escalation attempts, lateral movement, backup access or security tool tampering before encryption begins.

That version is still broad, but it has become testable. It points towards behaviours that can be scoped, searched and validated.

Not a hypothesisWhy it is weak
“There may be attackers here.”Too broad to test.
“Search for this IP address.”Indicator lookup, not a hypothesis.
“Look for suspicious PowerShell.”Too vague without behaviour, scope or context.
“APT groups target our sector.”Threat awareness, not a local test.
“This alert looks bad.”Observation, not a structured assumption.

A hypothesis should not only sound plausible. It should make the next analytical step clearer.

Where Hypotheses Come From

Threat hunting hypotheses can come from many sources. They do not all start with threat intelligence. Some of the best hypotheses come from local observations, weak detections, strange baseline behaviour or questions raised during incident response.

Useful sources include:

SourceHow it can become a hypothesis
Threat intelligenceTranslate adversary behaviour into local observable activity.
Past incidentsHunt for related behaviour, recurrence or missed signals.
SOC observationsTurn repeated alerts or analyst uncertainty into structured questions.
Detection gapsAsk what current alerting logic may fail to see.
Red team resultsHunt for tested techniques, missed detections or weak controls.
VulnerabilitiesAsk how exploitation or post-exploitation behaviour would appear.
Business contextFocus hunting on critical systems, processes or identities.
Baseline anomaliesInvestigate behaviour that does not fit expected activity.
Industry trendsConvert sector-relevant reporting into local hypotheses.
New telemetryAsk what behaviours can now be tested that were previously invisible.

The source matters less than the translation. Threat intelligence, for example, is not automatically a hypothesis. A report may describe an actor using PowerShell, scheduled tasks, cloud consent abuse or remote services. The hunter still has to ask:

What would this behaviour look like in our environment?

and:

Do we have the data needed to test it?

Threat intelligence gives you ideas. Telemetry decides whether those ideas can be tested.

– Roger Johnsen

From Input to Hypothesis

The practical work is turning raw input into a testable hypothesis. A simple flow is:

Input → Local relevance → Observable behaviour → Required data → Hypothesis

Example:

StageExample
InputThreat report describes phishing leading to PowerShell execution.
Local relevanceThe organisation receives many attachments by email and uses Microsoft 365.
Observable behaviourOffice applications spawning PowerShell or script interpreters.
Required dataEDR process telemetry, command-line logging, email context, device inventory.
HypothesisIf malicious documents are used for initial execution, Office applications may spawn PowerShell, cmd.exe, wscript.exe or similar interpreters on user workstations.

This translation step is important. Without it, the team may simply copy ideas from reports into hunts without checking whether they are relevant, observable or testable.

Another example:

StageExample
InputSOC sees repeated password spraying alerts.
Local relevanceSeveral users have cloud access and privileged roles.
Observable behaviourMany failed logins followed by successful authentication from shared infrastructure.
Required dataIdentity logs, MFA status, user risk, IP reputation, geolocation, device context.
HypothesisIf password spraying is successful, we may observe a pattern of repeated failed authentication attempts followed by successful login from unusual infrastructure.

The quality of the hypothesis depends on how well the input is translated into behaviour.

Making the Hypothesis Testable

A hypothesis should be testable. That means the hunter should be able to define what evidence would support it, what evidence would weaken it and what data is needed.

Ask these questions:

QuestionPurpose
What behaviour are we looking for?Prevents vague hunting.
Where should this behaviour appear?Identifies data sources.
Who or what is in scope?Defines the population.
What time period matters?Keeps the hunt bounded.
What would support the hypothesis?Defines useful evidence.
What would weaken the hypothesis?Reduces confirmation bias.
What benign explanations are likely?Improves validation.
What output can this hunt produce?Connects the hypothesis to improvement.

A testable hypothesis often contains three things:

If [condition or threat behaviour], then [observable activity] may appear in [specific scope or data].

Example:

If attackers are using valid accounts for lateral movement, then we may observe administrative logons from unusual source systems to servers where those users do not normally authenticate.

This is testable because it points towards:

  • authentication logs
  • source and destination systems
  • user roles
  • administrative logon types
  • baseline behaviour
  • time window
  • exceptions
  • validation paths

A hypothesis does not have to be perfect. It has to be good enough to test.

Using SMART Without Losing the Point

SMART can help refine hunting hypotheses, but it should not turn the hunt into management theatre.

SMART means:

KeywordMeaning in threat hunting
SpecificThe hypothesis identifies a behaviour, technique, asset group or user population.
MeasurableThe hunt can define what evidence, count, pattern or observation matters.
AchievableThe data and skills required are available.
RelevantThe hypothesis matters to the organisation or threat landscape.
Time-boundThe hunt has a defined time window or period of relevance.

Weak version:

We will look for suspicious logins.

SMART-er version:

During the last 30 days, we will identify successful logins to privileged accounts from unfamiliar countries, rare autonomous systems or unmanaged devices, and compare them against known travel, VPN usage and administrative patterns.

This is better because it defines:

  • time window
  • account population
  • observable behaviour
  • data needed
  • validation context

SMART should sharpen the hunt, not bury it in paperwork.

SMART is useful when it makes the hypothesis clearer. It is useless when it turns hunting into form-filling.

– Roger Johnsen

Weak and Strong Hypotheses

A strong hypothesis is not necessarily longer. It is more testable.

Weak hypothesisStronger hypothesis
There may be phishing.If phishing leads to credential theft, we may observe failed and successful logins from unusual infrastructure shortly after suspicious email delivery.
Attackers may use PowerShell.If attackers use PowerShell for execution, we may observe PowerShell launched by unusual parent processes with encoded commands, download behaviour or hidden execution.
There may be lateral movement.If attackers move laterally using remote services, we may observe administrative logons, remote service creation or remote command execution from systems that are not normal admin hosts.
Someone may be stealing data.If data is being staged for exfiltration, we may observe unusual archive creation, large file movement or outbound transfers to rare destinations outside business hours.
There may be persistence.If attackers establish persistence using scheduled tasks, we may observe newly created tasks with unusual names, paths, users or execution commands on endpoints.

The stronger versions do not claim that an attack is happening. They describe what evidence may support the idea. That is the point. A strong hypothesis should help the hunter decide:

  • where to look
  • what to look for
  • what context matters
  • what would be normal
  • what would be suspicious
  • what to do with the result

A weak hypothesis often produces open-ended searching. A strong hypothesis produces directed investigation.

Using MITRE ATT&CK as Structure

MITRE ATT&CK is useful for hypothesis creation because it provides a structured vocabulary for adversary behaviour. It can help the hunter ask:

  • Which tactic are we concerned about?
  • Which technique may be relevant?
  • What behaviour would that technique create?
  • Which data sources could show it?
  • Which detections do we already have?
  • What might our existing detections miss?

ATT&CK should be used as structure, not as a substitute for thinking. A technique page may describe adversary behaviour, but it does not automatically tell you what is relevant in your environment. The hunter still needs to translate the technique into local systems, logs and context.

Example:

ATT&CK areaHunting translation
Initial Access / PhishingWhich email, identity and endpoint behaviours would suggest successful phishing?
Execution / Command and Scripting InterpreterWhich parent-child process relationships and command-line patterns are unusual?
Persistence / Scheduled Task or JobWhich newly created tasks are rare, suspicious or inconsistent with normal administration?
Credential Access / OS Credential DumpingWhich processes accessed credential material, and is that expected?
Lateral Movement / Remote ServicesWhich users authenticated remotely to which systems, and is that normal?
ExfiltrationWhich large transfers, rare destinations or unusual protocols may indicate data leaving the environment?

The useful movement is:

ATT&CK technique → local behaviour → data source → hypothesis → hunt plan

Not:

ATT&CK technique → generic search → conclusion

Example Hypotheses

Below are examples of threat hunting hypotheses inspired by common ATT&CK areas. They are intentionally written as hypotheses, not conclusions.

Initial Access: Phishing

FieldExample
HypothesisIf phishing emails are used to steal credentials, we may observe suspicious email delivery followed by failed and successful authentication attempts from unusual infrastructure.
Possible dataEmail logs, identity logs, MFA events, device context, IP reputation.
What to validateWhether the login pattern fits the user, device, location, MFA history and known travel or VPN use.

Execution: PowerShell

FieldExample
HypothesisIf attackers use PowerShell for execution, we may observe PowerShell launched by unusual parent processes, encoded commands, download behaviour or hidden execution on endpoints.
Possible dataEDR process telemetry, command-line logs, PowerShell logs, network telemetry.
What to validateParent process, user context, script content, destination, frequency and known administrative activity.

Persistence: Scheduled Tasks

FieldExample
HypothesisIf attackers establish persistence using scheduled tasks, we may observe newly created tasks with unusual names, paths, users, triggers or execution commands.
Possible dataWindows event logs, EDR telemetry, task scheduler logs, file system telemetry.
What to validateTask creator, command path, trigger, signed binaries, endpoint role and administrative change history.

Credential Access: Credential Dumping

FieldExample
HypothesisIf attackers attempt credential dumping, we may observe suspicious access to LSASS, credential material, browser credential stores or security account databases.
Possible dataEDR telemetry, process access events, command-line logs, file access logs, security logs.
What to validateProcess lineage, tool behaviour, user privileges, endpoint role and known security tooling.

Lateral Movement: Remote Services

FieldExample
HypothesisIf attackers use remote services for lateral movement, we may observe administrative logons, remote service creation or remote command execution from systems that are not normal administrative hosts.
Possible dataAuthentication logs, EDR telemetry, Windows service events, network telemetry, asset inventory.
What to validateSource host, destination host, user role, logon type, service name, process lineage and normal admin patterns.

Exfiltration: Unusual Data Movement

FieldExample
HypothesisIf attackers stage or exfiltrate data, we may observe unusual archive creation, large file movement or outbound transfers to rare destinations outside normal business patterns.
Possible dataFile telemetry, proxy logs, DNS logs, network flow, DLP alerts, cloud storage logs.
What to validateBusiness process, user role, file type, destination, time of day, volume and previous baseline.

These examples are not meant to be copied blindly. They are templates for thinking. Each organisation must adapt the hypothesis to its own systems, telemetry, business context and threat landscape.

What Usually Goes Wrong

Several problems appear repeatedly when teams create hunting hypotheses.

ProblemWhy it hurts
The hypothesis is too broadThe hunt becomes endless and difficult to conclude.
The hypothesis is just an IOC searchThe team may miss behaviour that does not match known indicators.
The hypothesis cannot be testedThe required data does not exist or cannot answer the question.
The hypothesis ignores local contextThe hunt may be technically interesting but operationally irrelevant.
The hypothesis assumes malicious intent too earlyThe team jumps from observation to conclusion.
The hypothesis lacks scopeThe hunt expands beyond control.
The hypothesis has no output pathThe result does not improve detection, response, visibility or knowledge.
The hypothesis is copied from a report without translationThe hunt does not fit the organisation’s telemetry or environment.

Most weak hypotheses fail because they do not connect the idea to observable behaviour. The fix is usually simple:

Make the behaviour visible.
Make the scope clear.
Make the data explicit.
Make the conclusion testable.

Working Position for This Book

A threat hunting hypothesis is a practical tool. It should not be written to sound impressive. It should be written to guide investigation.

A good hypothesis connects:

Threat idea.
Local relevance.
Observable behaviour.
Data source.
Scope.
Validation.
Output.

That connection is what makes hypothesis-driven hunting useful. The hypothesis does not need to prove that an attacker is present. It needs to help the hunter test whether a behaviour exists, whether it matters and what should happen next.

A good hypothesis gives the hunt direction. A great hypothesis also tells you what evidence would change your mind.

– Roger Johnsen

Resources

Revision

Revised DateComment
2026-07-09Major rewrite. Reframed the article as a dedicated deep-dive on creating testable threat hunting hypotheses.
2024-11-02Added page