Discussion · Technical

PP112: When You Look But Don’t Find: The Art of Knowing When to Stop

Sydney Marrone, co-creator of the PEAK Threat Hunting Framework, joins Packet Protector to discuss structured threat hunting, including when to stop a hunt. The conversation covers her frameworks for organizing hunts, using AI to solve documentation and memory problems, and how these principles apply beyond security to other technical disciplines.

Summary

Sydney Marrone, a detection engineer and threat hunter with experience at utilities, Nordstrom, telecom, and Splunk, joins hosts JJ Minella and Drew Conry-Murray to discuss the art and science of threat hunting. The conversation opens with a foundational explanation of threat hunting: it begins with threat intelligence, forms a hypothesis about attacker behavior in an environment, and then searches logs to prove or disprove that hypothesis. Critically, Sydney emphasizes that a negative result (finding nothing) is still a successful hunt, as it builds knowledge, reveals process gaps, and can surface new detection ideas.

Sydney introduces the PEAK Threat Hunting Framework, which she co-created with David Bianco and Dr. Ryan Fetterman at Splunk. PEAK stands for Prepare, Execute, and Act with Knowledge, where Knowledge is woven throughout. She stresses that most hunters skip directly to Execute, but the Prepare phase — including scoping data sources, researching attacker behaviors, and forming a precise hypothesis — is where the most time should be spent. The Act phase includes documentation, which Sydney argues is critical: if it's not documented, it didn't happen. She notes that threat hunt outputs can include new detections, process improvements, risk findings, and expanded logging coverage.

The discussion then turns to the central theme of her blog post: knowing when to stop hunting. Sydney outlines several criteria, including coverage (do you have visibility into the relevant data sources?), diminishing returns (are you finding the same things repeatedly?), and time-boxing (setting hour-or-two increments and not exceeding them significantly without new findings). She describes a confidence spectrum — low, medium, high — that should be communicated transparently to leadership, especially when low confidence stems from visibility gaps like missing network logs. She advocates for raising these gaps as findings rather than hiding them.

Sydney also describes red flags for stopping too early or going too long, with scope creep being a primary concern. When hunters encounter interesting but off-topic threads, she recommends parking those in a backlog rather than chasing them, preserving curiosity while maintaining focus. She notes that hypothesis scope almost always needs to be narrowed once execution begins, as initial scopes frequently yield millions of events.
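The stopping criteria and scope-management habits described in the two paragraphs above can be made mechanical. The following is an added example, not code from the PEAK framework, the podcast, or Sydney's projects: it tracks novelty across query iterations to detect diminishing returns, enforces a time box with a tolerated overrun, derives a low/medium/high confidence rating from how many of the hypothesis's required data sources are actually available, reports the missing sources as findings, and keeps a backlog for off-scope threads. The `Hunt` class, every event ID, data-source name and hour figure, and the thresholds are constructed for illustration.

```python
"""Stop-criteria tracker for a structured hunt.

Added example, not code from the PEAK framework or the podcast. Models
coverage of required data sources, diminishing returns across query
iterations, a time box with tolerated overrun, a low/medium/high confidence
rating derived from visibility, and a backlog for off-scope threads. Every
event ID, data source and hour figure below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Hunt:
    hypothesis: str
    required_sources: set          # data sources the hypothesis needs
    available_sources: set         # what the SIEM actually ingests
    time_box_hours: float
    hours_spent: float = 0.0
    seen_event_ids: set = field(default_factory=set)
    novelty_history: list = field(default_factory=list)
    backlog: list = field(default_factory=list)

    def record_query(self, event_ids, hours):
        """Log one query iteration and return its novelty: the share of results
        not already investigated in an earlier iteration."""
        ids = set(event_ids)
        new = ids - self.seen_event_ids
        novelty = len(new) / len(ids) if ids else 0.0
        self.seen_event_ids |= ids
        self.novelty_history.append(novelty)
        self.hours_spent += hours
        return novelty

    def park(self, thread):
        """Interesting but off-topic: record it for a later hunt, do not chase it now."""
        self.backlog.append(thread)

    def visibility_gaps(self):
        """Required sources the environment cannot show us; these are findings."""
        return sorted(self.required_sources - self.available_sources)

    def diminishing_returns(self, threshold=0.15, window=2):
        """True once the last `window` iterations each surfaced almost nothing new."""
        recent = self.novelty_history[-window:]
        return len(recent) == window and all(n <= threshold for n in recent)

    def over_time_box(self, slack=0.5):
        """True when the hunt has run past the box by more than the allowed slack."""
        return self.hours_spent > self.time_box_hours * (1 + slack)

    def confidence(self):
        """Map coverage of required sources onto the low/medium/high spectrum."""
        covered = len(self.required_sources & self.available_sources)
        fraction = covered / len(self.required_sources)
        if fraction == 1.0:
            return "high"
        if fraction >= 0.5:
            return "medium"
        return "low"

    def stop_reasons(self):
        reasons = []
        if self.diminishing_returns():
            reasons.append("diminishing returns: recent queries only resurface investigated events")
        if self.over_time_box():
            reasons.append(f"time box exceeded: {self.hours_spent}h against {self.time_box_hours}h")
        return reasons

    def report(self):
        return {
            "hypothesis": self.hypothesis,
            "confidence": self.confidence(),
            "visibility_gaps": self.visibility_gaps(),
            "events_reviewed": len(self.seen_event_ids),
            "novelty": self.novelty_history,
            "stop_reasons": self.stop_reasons(),
            "backlog": list(self.backlog),
        }


def run_demo():
    """Walk a constructed hunt through four query iterations."""
    hunt = Hunt(
        hypothesis="An attacker is using scheduled tasks for persistence on user workstations",
        required_sources={"endpoint-process", "dns", "proxy"},
        available_sources={"endpoint-process", "dns"},   # proxy logs never onboarded
        time_box_hours=2.0,
    )
    # Iteration 1: broad query, everything is new.
    hunt.record_query([f"evt-{i}" for i in range(1, 51)], hours=0.5)
    # Iteration 2: narrowed query still turns up ten new events.
    hunt.record_query([f"evt-{i}" for i in range(40, 61)], hours=0.5)
    hunt.park("odd service binary path on host-07 (out of scope for this hypothesis)")
    # Iterations 3 and 4: results overlap almost entirely with what was already reviewed.
    hunt.record_query([f"evt-{i}" for i in range(45, 63)], hours=0.5)
    hunt.record_query([f"evt-{i}" for i in range(50, 63)], hours=0.5)
    return hunt.report()


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In the constructed run the hunt stops on diminishing returns (the last two iterations surface 11% and 0% new events) while still inside its two-hour box, and the report carries "medium" confidence with `proxy` listed as a visibility gap, which is the item to escalate rather than bury. The novelty threshold and window are tuning knobs; the point is that "same events again" is measured rather than felt.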

The conversation shifts to Sydney's newer Agentic Threat Hunting Framework, which layers AI on top of PEAK to solve the memory and documentation problem. Built around Markdown files stored in a repository, the framework enables both humans and AI agents to query past hunts semantically, answer questions like 'what have I hunted in the past six months,' and compound institutional knowledge over time. It includes a maturity model and a CLI with built-in semantic search, and is designed to help teams move beyond basic ChatGPT interactions into more agentic AI workflows.
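To make the "structured file-based memory" idea concrete, here is an added example that is not the Agentic Threat Hunting Framework's own code, CLI or file layout. It treats each hunt as a Markdown file with a front-matter header, loads a small constructed repository held in memory so the example runs offline, answers "what have I hunted in the past six months" with a date cutoff, ranks hunts against a free-text query, and counts how often each data source has been exercised. The keyword ranking is a lexical stand-in for the framework's semantic search, not an implementation of it; the front-matter keys, file paths, hunts and dates are all assumptions made for this example.

```python
"""Markdown hunt memory index.

Added example, not the Agentic Threat Hunting Framework's own code or file
layout. Each hunt is a Markdown file with a front-matter header; the
repository is an in-memory dict of constructed files, and the keyword
ranking is a lexical stand-in for semantic search. All hunts are constructed.
"""
import re
from collections import Counter
from datetime import date

HUNT_FILES = {  # constructed repository; front-matter keys are an assumption
    "hunts/2025-04-02-dns-tunneling.md": """---
title: DNS tunneling via oversized TXT queries
date: 2025-04-02
tactic: command-and-control
data_sources: dns
outcome: visibility gap
---
Hypothesis: a workstation is exfiltrating data through DNS TXT queries to an attacker-run domain.

Result: resolver logs are retained for only seven days; raised as a logging gap. Low confidence.
""",
    "hunts/2025-09-10-lsass-access.md": """---
title: Credential dumping via LSASS handle access
date: 2025-09-10
tactic: credential-access
data_sources: endpoint-process, sysmon
outcome: no findings, new detection idea
---
Hypothesis: an attacker is dumping credentials by opening handles to lsass.exe from an unsigned process.

Result: no matches after scoping to non-Microsoft parent processes. Detection idea filed.
""",
    "hunts/2025-11-21-scheduled-tasks.md": """---
title: Persistence through unusual scheduled tasks
date: 2025-11-21
tactic: persistence
data_sources: endpoint-process
outcome: finding
---
Hypothesis: scheduled tasks launching from user-writable directories indicate persistence.

Result: one task on host-07 ran a script from a temp folder; escalated to incident response.
""",
}

FRONT_MATTER = re.compile(r"\A---\n(.*?)\n---\n(.*)\Z", re.S)


def parse_hunt(path, text):
    """Split a hunt file into front-matter metadata and Markdown body."""
    match = FRONT_MATTER.match(text)
    if not match:
        raise ValueError(f"{path}: missing front matter")
    meta = {}
    for line in match.group(1).splitlines():
        key, _, value = line.partition(":")
        meta[key.strip()] = value.strip()
    meta["date"] = date.fromisoformat(meta["date"])
    meta["data_sources"] = [s.strip() for s in meta["data_sources"].split(",") if s.strip()]
    meta["path"], meta["body"] = path, match.group(2)
    return meta


def load_repo(files):
    return [parse_hunt(path, text) for path, text in files.items()]


def months_ago(day, months):
    """First day of the month `months` before `day` (sidesteps invalid day-of-month)."""
    years, month_index = divmod(day.month - 1 - months, 12)
    return day.replace(year=day.year + years, month=month_index + 1, day=1)


def hunts_since(hunts, today, months=6):
    """Answer 'what have I hunted in the past N months', newest first."""
    cutoff = months_ago(today, months)
    return sorted((h for h in hunts if h["date"] >= cutoff), key=lambda h: h["date"], reverse=True)


def _terms(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def search(hunts, query):
    """Rank hunts by the share of query terms found in title, tactic or body."""
    wanted = _terms(query)
    ranked = []
    for h in hunts:
        have = _terms(h["title"] + " " + h["tactic"] + " " + h["body"])
        score = len(wanted & have) / len(wanted)
        if score:
            ranked.append((score, h["title"]))
    return sorted(ranked, key=lambda item: item[0], reverse=True)


def source_counts(hunts):
    """How often each data source has been exercised; sources never listed are blind spots."""
    return Counter(s for h in hunts for s in h["data_sources"])
```

Because every hunt is a plain file with predictable metadata, the same repository can be read by a person with `grep`, by this script, or by an agent handed the directory; nothing lives only in a chat transcript or a ticket comment. Swapping `_terms` and `search` for an embedding-based ranker is the step toward the semantic search the framework describes.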

Finally, Sydney discusses the THOR Collective, a group she co-founded with former colleagues Lauren Proehl and John Grageda. They publish a newsletter called Dispatch, run a podcast, and maintain a GitHub repository called HEARTH, which contains nearly 200 threat hunting hypothesis ideas for practitioners looking for starting points.

Key Insights

  • Sydney argues that a null result in threat hunting is still a success — proving or disproving a hypothesis both count, and the minimum output of any hunt is knowledge gained about attacker behavior in the environment.
  • Sydney claims that the Prepare phase of PEAK should take the most time, yet most hunters skip directly to Execute, which typically produces less fruitful results than scoping and researching upfront.
  • Sydney contends that visibility gaps discovered during a hunt — such as missing cloud or network logs — are legitimate findings that should be escalated to leadership, because hunters lack authority but leaders can mandate logging changes.
  • Sydney describes diminishing returns as the point where queries begin surfacing already-investigated events, and argues this is the practical signal to call a hunt complete rather than any single definitive indicator.
  • Sydney asserts that the confidence spectrum (low, medium, high) should be communicated transparently in hunt reports, particularly when low confidence results from visibility limitations, as hiding this information undermines organizational security posture.
  • Sydney argues that scope creep is one of the biggest red flags in threat hunting, and that interesting but off-topic findings should be immediately moved to a backlog rather than pursued inline, preserving hunter curiosity without derailing the current hunt.
  • Sydney claims that storing threat hunts in documents or JIRA tickets makes institutional knowledge nearly inaccessible, while a structured Markdown repository enables both humans and AI agents to semantically query past hunts and surface patterns over time.
  • Sydney contends that the Agentic Threat Hunting Framework was built to solve a specific, common problem — hunters not remembering what was hunted six months ago — and that the solution is structured file-based memory that AI agents can read and reason over, rather than conversational AI chat.

Topics

  • PEAK Threat Hunting Framework
  • When to stop a threat hunt
  • Threat hunting documentation and memory
  • Agentic Threat Hunting Framework and AI integration
  • Coverage and visibility gaps in logging
  • Confidence spectrum in hunt results
  • Scope management and diminishing returns
  • THOR Collective and community resources

Full transcript available for MurmurCast members
