Threat Hunting
Threat hunting is the proactive search for adversaries who have evaded existing detection rules. Threat hunters formulate hypotheses about adversary behavior, query telemetry across the environment, and look for evidence the hypothesis is true. Where the SOC alert queue is reactive, threat hunting is intentional and exploratory.
In depth
Mature threat hunting programs work from frameworks like MITRE ATT&CK to systematically test the organization's detection coverage. A hunt typically starts with a hypothesis ("if an attacker landed via this phishing technique, we would see this set of process behaviors"), pivots through endpoint and network telemetry to confirm or refute it, and feeds the findings back into detection engineering when a gap is found.
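The hunt loop described above (hypothesis, query, confirm or refute, feed the gap back to detection engineering) as an added example, not code from the PocketSOC page. The process names, hosts and the set of hosts that existing rules "already alerted on" are constructed assumptions for illustration.

```python
# Added example (not from the PocketSOC glossary): a hypothesis-driven hunt over
# constructed endpoint process-creation telemetry. Hosts, process names and
# command lines are assumptions chosen for illustration, not real data.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str
    child: str
    cmdline: str


# Constructed sample telemetry (process-creation events from an EDR-style feed).
TELEMETRY = [
    ProcessEvent("ws-01", "explorer.exe", "winword.exe", "winword.exe invoice.docx"),
    ProcessEvent("ws-01", "winword.exe", "powershell.exe", "powershell.exe -File update.ps1"),
    ProcessEvent("ws-02", "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcessEvent("ws-03", "outlook.exe", "winword.exe", "winword.exe report.docx"),
    ProcessEvent("ws-03", "winword.exe", "cmd.exe", "cmd.exe /c dir"),
    ProcessEvent("srv-01", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

# Hypothesis: "if a user opened a malicious attachment, we would see an Office
# document handler spawning a shell or scripting interpreter".
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def hunt(events):
    """Return the events that support the hypothesis, grouped by host."""
    hits = {}
    for e in events:
        if e.parent.lower() in DOCUMENT_HANDLERS and e.child.lower() in INTERPRETERS:
            hits.setdefault(e.host, []).append(e)
    return hits


def hunt_outcome(events, alerted_hosts):
    """Compare hunt hits with hosts the existing detection rules already alerted on.
    Hosts the hunt found but no rule flagged are detection gaps to hand back to
    detection engineering; hosts both saw confirm existing coverage."""
    hits = hunt(events)
    return {
        "confirmed_hosts": sorted(hits),
        "detection_gaps": sorted(h for h in hits if h not in alerted_hosts),
    }


if __name__ == "__main__":
    # ws-01 was already alerted on; ws-03 is the gap the hunt surfaces.
    print(hunt_outcome(TELEMETRY, alerted_hosts={"ws-01"}))
```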
Threat Hunting and PocketSOC
Threat hunting is largely a desktop activity — deep telemetry queries, pivots across multiple platforms, lots of context. PocketSOC is not a hunting tool. It is a responder tool that picks up where hunting hands off: when a hunt confirms a real adversary, the containment and triage workflows are where PocketSOC shines.
Related terms
EDR
Endpoint Detection and Response (EDR) is a category of security software that continuously monitors endpoints — laptops, servers, and workstations — for malicious activity.
SOC
A Security Operations Center (SOC) is the team and facility responsible for continuously monitoring an organization's security posture.
Incident Response
Incident response (IR) is the structured process of preparing for, detecting, containing, eradicating, recovering from, and learning from security incidents.