Threat Hunting Series: Detection Engineering VS Threat Hunting
Threat hunting is becoming mainstream, and despite the attention it receives, many people struggle to differentiate it from related roles such as detection engineering. This confusion fuels endless discussions on places like Twitter and Reddit.
I wrote this article to share my perspective on what makes threat hunting unique in how it approaches a specific problem. I have a special place in my heart for both of these roles, and I believe that having them work together is the best approach, regardless of the method you choose to operate by.
I tried to remain unbiased throughout the article in my effort to highlight both similarities and differences between detection engineering and threat hunting. You should keep in mind, though, that this article is part of the threat hunting series, I am a threat hunter, and confirmation bias is hard to eliminate entirely. Any feedback is welcome!
The differences
Threat hunting
Threat hunting is the proactive practice of looking for evidence of adversarial activity that conventional security systems may have missed. It entails actively searching for signs of malicious behaviour and anomalies across a network or on individual hosts. Detection engineering, on the other hand, is the process of developing and maintaining detection methods that identify malicious activity once that activity has become known.