Subscribe to the Non-Human & AI Identity Journal

Threat Hunting

Threat hunting is the proactive search for signs of compromise that bypassed normal detection controls. It combines logs, telemetry, and investigator judgement to find hidden attacker behaviour before it becomes a larger incident or disrupts recovery.

Expanded Definition

Threat hunting is a disciplined, hypothesis-driven search for attacker activity that has evaded preventive and detective controls. It sits between detection engineering and incident response, using log analysis, endpoint telemetry, cloud signals, and analyst judgement to uncover subtle compromise patterns that alerting may miss.

In mature security programs, threat hunting is not a random review of dashboards. It starts with a testable question such as whether service accounts are being reused, whether API keys are being probed after exposure, or whether lateral movement indicators appear in identity, cloud, and endpoint telemetry. For identity-heavy environments, that makes it especially relevant to NHI governance, because compromised credentials often look legitimate unless access patterns are reviewed in context. Guidance varies across vendors on how much automation should be included, but no single standard governs this yet. NIST’s Cybersecurity Framework treats continuous monitoring and detection as core outcomes, which aligns closely with hunting practices.

The most common misapplication is treating threat hunting as ad hoc log reviewing, which occurs when teams search without a hypothesis, scope, or telemetry strategy.

Examples and Use Cases

Implementing threat hunting rigorously often introduces analyst time and telemetry cost, requiring organisations to weigh faster attacker discovery against the expense of collecting and retaining richer data.

  • Searching for anomalous use of cloud credentials shortly after exposure, especially when public key leakage can be exploited within minutes, as highlighted in LLMjacking: How Attackers Hijack AI Using Compromised NHIs and related CISA guidance on active threats.
  • Reviewing service-account activity for impossible travel, unusual token refreshes, or privilege escalation patterns that would not normally trigger a standard rule.
  • Testing whether secrets embedded in code, CI/CD systems, or chat tooling have led to follow-on access, using lessons reflected in Ultimate Guide to NHIs — Why NHI Security Matters Now.
  • Correlating endpoint, identity, and cloud logs to identify living-off-the-land activity after a suspicious login, then validating it against the MITRE ATLAS adversarial AI threat matrix when AI systems or agents are in scope.
  • Hunting for persistence paths in AI-enabled workflows where an attacker may have altered prompts, tools, or credentials rather than deploying obvious malware.

NHIMG research on The 52 NHI breaches Report shows how often identity abuse becomes visible only after retrospective investigation, not at first detection.

Why It Matters for Security Teams

Threat hunting matters because modern attackers often behave like authorized users once they steal credentials, making simple signature-based detection insufficient. For security teams, the value is not just finding compromise earlier, but closing blind spots in logging, identity assurance, and response playbooks. This is especially important in NHI environments, where service accounts, API keys, and automation tokens can be overprivileged, long-lived, and difficult to distinguish from normal machine activity. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks notes that 80% of identity breaches involved compromised non-human identities, underscoring why hunting often begins where traditional IAM visibility ends.

That same logic applies to broader cyber operations. The CISA cyber threat advisories process and NIST CSF both reinforce the need for ongoing detection and analysis, not just preventive controls. In practice, threat hunting helps teams validate whether their telemetry is actually enough to expose compromise, especially when attack paths involve secrets, automation, or agentic workloads. Organisations typically encounter the value of threat hunting only after an intrusion has already bypassed alerts, at which point the discipline becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 DE.CM Threat hunting operationalizes continuous monitoring and detection under CSF outcomes.
OWASP Non-Human Identity Top 10 NHI-01 Hunting frequently targets compromised service accounts, keys, and other NHIs.
NIST SP 800-53 Rev 5 AU-6 AU-6 requires analysis and review of audit records to detect events of interest.
NIST AI RMF AI risk management includes monitoring and measuring emerging threats to AI systems.

Hunt for anomalous NHI use and verify that identity telemetry exposes abused non-human credentials.