The Cyber Hunting Maturity Model

Many organizations are quickly discovering that threat hunting is the next step in the evolution of the modern SOC, but remain unsure of how to start hunting or how far along they are in developing their own hunt capabilities. How can you quantify where your organization stands on the road to effective hunting? With a general model that can map hunting maturity across any organization.

What is Hunting?

Hunting also needs to be critically defined as being “manual or machine-assisted” as opposed to being only automated. Automated alerting is important, but cannot be the only thing your detection program relies on. In fact, one of the chief goals of hunting should be to improve your automated detection capabilities by prototyping new ways to detect malicious activity and turning those prototypes into production detection capabilities.

The Hunting Maturity Model

Of these factors, the analysts’ skills are probably the most important, since they are what allows them to turn data into detections. The quality and quantity of the data that an organization routinely collects from its IT environment is also a strong factor in determining the HMM level. The more data from around the enterprise (and the more different types of data) you provide to an expert hunter, the more results they will find. The toolsets you use will shape the style of your hunts and what kinds of hunting techniques you will be able to leverage.


The Hunting Maturity Model, developed by Sqrrl’s security architect and hunter @DavidJBianco, describes five levels of organizational hunting capability, ranging from HMM0 (the least capable) to HMM4 (the most). Let’s examine each level in detail.

HMM0 — Initial

HMM0 organizations also do not collect much information from their IT systems so their ability to proactively find threats is severely limited. Organizations at HMM0 are not considered to be capable of hunting.

HMM1 — Minimal

HMM1 organizations routinely collect at least a few types of data from around their enterprise into a central location such as a SIEM or log management product. Some may actually collect a lot of information. Thus, when new threats come to their attention, analysts are able to extract the key indicators from these reports and search historical data to find out if they have been seen in at least the recent past.

Because of this search capability, HMM1 is the first level in which any type of hunting occurs, even though it is minimal.

HMM2 — Procedural

Because most of the commonly available procedures rely in some way on least-frequency analysis (as of this writing, anyway), HMM2 organizations usually collect a large (sometimes very large) amount of data from across the enterprise.

HMM2 is the most common level of capability among organizations that have active hunting programs.

HMM3 — Innovative

Data collection at HMM3 at least as common as at HMM2, if not more advanced.

HMM3 organizations can be quite effective at finding and combating threat actor activity. However, as the number of hunting processes they develop increases over time, they may face scalability problems trying to perform them all on a reasonable schedule unless they increase the number of available analysts to match.

HMM4 — Leading

HMM4 organizations are extremely effective at resisting adversary actions. The high level of automation allows them to focus their efforts on creating a stream of new hunting processes, which results in constant improvement to the detection program as a whole.

Automation and the HMM

HMM4 organizations, on the other hand, are actively trying new methods to find the threat actors in their systems. They try new ideas all the time, knowing that some won’t pan out but others will. They are inventive, curious and agile, qualities you can’t get from a purely automated detection product. Although a good hunting platform can certainly give your team a boost, you can’t buy your way to HMM4.

Using the HMM

More importantly for those organizations who already hunt, the HMM can be used both to measure their current maturity and provide a roadmap for improvement. Hunt teams can match their current capabilities to those described in the model, then look ahead one step to see ideas for how they can develop their skills and/or data collection abilities in order to achieve the next level of maturity. In order to get anywhere, you must first know where you are and where you want to be.

This post originally appeared on Sqrrl’s Blog.

Target. Hunt. Disrupt. These are thoughts from the @SqrrlData team on CyberThreat Hunting, Behavioral Analytics, and Machine Learning for Enterprise Security.

Target. Hunt. Disrupt. These are thoughts from the @SqrrlData team on CyberThreat Hunting, Behavioral Analytics, and Machine Learning for Enterprise Security.