SANS 2019 Threat Hunting Survey: The Differing Needs of New and Experienced Hunters

The 2019 SANS Threat Hunting Survey gathered current industry data from 575 respondents, predominantly from small/medium to medium/large organizations, who work in the field of threat hunting or alongside threat hunters. This year’s report aims to help organizations understand what threat hunting is, why it is essential to protecting them, and how novice and experienced hunters can improve their processes.

Results demonstrate that confusion still exists among respondents about what constitutes threat hunting and how to approach it properly. In addition to uncovering these areas of confusion, the report offers practical takeaways and action items that readers can use to strengthen their organizations' cybersecurity defenses.

In this year’s survey, we explore how threat hunting teams are tasked in an environment, where they hunt and how they hunt. More than half of the respondents use atomic indicators of compromise (IoCs) or an alert-driven approach to hunting. This year’s survey results show that respondents have decreased their hypothesis-driven hunting over the past three years, which may create dangerous visibility gaps for organizations.


