Stop Chasing Ghosts: The Framework for Relevance-Driven Threat Hunting

Author: SCYTHE Labs.

In recent years, the cybersecurity landscape has become crowded with buzzwords: purple teaming, adversary emulation, proactive defense. While these practices have merit, many organizations are charging ahead with advanced detection efforts—often without understanding whether those efforts are actually relevant to their business.

This is where Lauren P.’s framework for relevance-based threat hunting comes in. As the Global Head of Detection and Response at Marsh McLennan and co-founder of the Thor Collective, Lauren brings hard-won experience to a simple but critical idea: threat hunting should be grounded in what actually matters to your organization.

The Problem: Hunting Without Context

Too often, threat hunting is executed like a generic exercise in "find the APT"—with teams chasing TTPs seen in flashy vendor reports without understanding if those threats actually apply to their environment. As Lauren aptly put it:

“Hunting for APT1 in a grocery chain makes about as much sense as scanning for grocery store malware in a high-end hat boutique.”

This disconnect leads to wasted cycles, unquantifiable ROI, and frustrated leadership. Even worse, it sends the wrong message to stakeholders: that cybersecurity teams are reactive, chasing ghosts instead of driving measurable improvement.

A Framework for Relevant Hunting

Lauren advocates for a structured approach centered on three key relevance factors:

1. Incident Trends in Your Org

Start by identifying what’s actually happening in your environment. Which business units are seeing the most incidents? What techniques are showing up in IR reports? Coordinate with your SOC and incident response teams to gather this context.

“If you can say, ‘We hunted in HR and found five process gaps that led to fewer incidents,’ you’ve bought credibility for your entire program.”

This "historical reactiveness" builds a foundation for proactive hypotheses. It's about pattern recognition over gut instinct.

2. Threats in Your Industry

What threats are hitting your peers? If you’re in financial services, look at actors targeting banking. If you're in healthcare, ransomware is likely top of mind. This offers what Lauren calls "herd immunity"—strengthening your defenses before threat actors inevitably pivot in your direction.

“Even if you haven’t seen it yet, your vertical likely will. Hunting now gives you time to close the gaps.”

3. Technology Stack Awareness

Relevance is technical as much as it is strategic. If your organization uses Google Workspace, you probably shouldn’t waste time hunting for Exchange CVEs.

“There’s no point in hunting for JavaScript abuse if your core stack is Python and C++.”

Partner with IT to get a real inventory of your systems, configurations, and coverage gaps. Know what logs you actually have. Visibility informs scope.


Every Hunt Must Have an Output

One of the strongest ideas Lauren puts forward is that a successful hunt doesn’t require finding an adversary. Instead, a hunt is valuable if it produces an output: a control gap, a missing detection, a broken process, or a visibility issue.

“You’re not working in a perfect org. If you found nothing, you probably just don’t have the right logs.”

For example, a hunt might reveal that DNS logs aren’t being collected. That alone is a win—it tells you something you didn’t know, and helps tune both your hunting and your defensive tooling.


Shift From One-Offs to Operational Models

A major barrier to success is over-scoping. Lauren recommends breaking large hunts into micro-hunts—smaller, protocol-specific queries that can be completed and measured independently.

“Instead of ‘exfil over non-standard ports,’ start with DNS, then do FTP, etc. It’s manageable, confidence-building, and lets you stack wins.”

Additionally, organizations should aim to operationalize what they learn. If you’re re-running the same hunt over and over, that’s a missed opportunity to codify findings into detection logic or alert rules.
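The two ideas above, that every hunt yields an output even when no adversary is found, and that a broad hypothesis is better run as protocol-specific micro-hunts, can be encoded directly in a hunt runner. The example below is added here and is not code from the article, SCYTHE, or the Thor Collective; the log records, field names, and byte thresholds are constructed for illustration.

```python
from collections import Counter

# Constructed sample telemetry: proxy and firewall records only. There is
# deliberately no "dns" source, so the DNS micro-hunt surfaces a visibility
# gap as its output instead of silently returning nothing.
SAMPLE_LOGS = [
    {"source": "proxy", "host": "hr-ws-01", "dest_port": 443, "bytes_out": 1200},
    {"source": "proxy", "host": "hr-ws-01", "dest_port": 8443, "bytes_out": 900},
    {"source": "firewall", "host": "fin-srv-02", "dest_port": 21, "bytes_out": 450000},
    {"source": "firewall", "host": "fin-srv-02", "dest_port": 21, "bytes_out": 300000},
    {"source": "firewall", "host": "hr-ws-03", "dest_port": 21, "bytes_out": 2000},
]

# "Exfil over non-standard ports" broken into one micro-hunt per protocol.
# Each names the log source it depends on, the port to look at, and a
# (hypothetical) per-host outbound byte threshold.
MICRO_HUNTS = {
    "dns": {"source": "dns", "port": 53, "bytes_out": 50000},
    "ftp": {"source": "firewall", "port": 21, "bytes_out": 100000},
}


def run_micro_hunt(name, hunt, logs):
    """Run one micro-hunt and always return an output record.

    Output is one of: 'visibility_gap' (required logs are not collected),
    'finding' (hosts over the threshold), or 'no_finding' (query ran clean).
    """
    collected = {r["source"] for r in logs}
    if hunt["source"] not in collected:
        return {"hunt": name, "output": "visibility_gap",
                "detail": f"no '{hunt['source']}' logs are being collected"}
    per_host = Counter()
    for r in logs:
        if r["source"] == hunt["source"] and r["dest_port"] == hunt["port"]:
            per_host[r["host"]] += r["bytes_out"]
    hits = sorted(h for h, total in per_host.items() if total >= hunt["bytes_out"])
    if hits:
        return {"hunt": name, "output": "finding", "detail": hits}
    return {"hunt": name, "output": "no_finding",
            "detail": "query ran over collected logs; nothing over threshold"}


def run_all(logs, hunts=MICRO_HUNTS):
    """Run every micro-hunt independently so each can be measured on its own."""
    return [run_micro_hunt(name, hunt, logs) for name, hunt in hunts.items()]


if __name__ == "__main__":
    for result in run_all(SAMPLE_LOGS):
        print(result)
```

A `visibility_gap` result is the "DNS logs aren't being collected" win described above; a repeated `finding` on the same query is the signal to turn that micro-hunt into a standing detection rule.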


Proactive vs. Reactive: A Balance Worth Striking

While the goal is to become proactive, Lauren argues that starting with reactive data isn’t a failure—it’s a foundation. Reviewing previous breaches, incidents, and detection failures provides a hypothesis-driven launch point that’s tailored to your environment.

“Proactivity can be subjective. If you’re reacting to past data before the next breach happens, that’s still a proactive move in your program’s maturity.”

The balance lies in marrying real-world telemetry with forward-looking hypotheses.


Building Organizational Support

Threat hunting cannot thrive in a vacuum. For it to scale, security teams need executive buy-in. Lauren emphasizes the importance of communicating hunting results in business-relevant terms:

  • Fewer incidents = less downtime and operational disruption

  • Reduced risk = lower compliance burden or insurance premiums

  • Closed visibility gaps = faster response and improved security posture

“At the end of the day, it comes down to one thing—preventing money from leaving the organization.”


Getting Started: Three Takeaways

If your team wants to implement Lauren’s relevance-based threat hunting framework, here’s where to begin:

  1. Start with Trends: Ask your SOC/IR teams what’s actually happening in your environment. Use that to guide the next hunt.

  2. Focus on Your Industry: Understand what’s impacting your vertical, and hunt with those threats in mind—even if you haven’t seen them yet.

  3. Know Your Stack: Inventory your technology and visibility. Don’t hunt for things your environment literally can’t detect or doesn't use.


Build, Share, Collaborate

Finally, Lauren encourages building community around these efforts. Through the Thor Collective’s Hearth project, threat hunters can share hypotheses, successful tactics, and real-world examples that others can use and adapt.

“This fight’s too big to go it alone. Share your lessons—you might stop something for someone else.”


Conclusion

Threat hunting that isn’t grounded in organizational reality is just threat theater. By applying relevance filters—trends, industry threats, and tech stack—teams can deliver meaningful outputs, gain stakeholder trust, and evolve from reactive to proactive defenders.

Every hunt should have an output. And the best way to ensure that? Start with what matters most—to your organization, your industry, and your technology.
