PP112: When You Look But Don’t Find: The Art of Knowing When to Stop
Sydney Maroney, co-creator of the PEAK Threat Hunting Framework, joins Packet Protector to discuss structured threat hunting, including when to stop a hunt. The conversation covers her frameworks for organizing hunts, using AI to solve documentation and memory problems, and how these principles apply beyond security to other technical disciplines.
Summary
Sydney Maroney, a detection engineer and threat hunter with experience at utilities, Nordstrom, telecom, and Splunk, joins hosts Jennifer Jabosh and Drew Conrey-Murray to discuss the art and science of threat hunting. The conversation opens with a foundational explanation of threat hunting: it begins with threat intelligence, forms a hypothesis about attacker behavior in an environment, and then searches logs to prove or disprove that hypothesis. Critically, Sydney emphasizes that a negative result — finding nothing — is still a successful hunt, as it builds knowledge, reveals process gaps, and can surface new detection ideas.
Sydney introduces the PEAK Threat Hunting Framework, which she co-created with David Bianco and Dr. Ryan Fetterman at Splunk. PEAK stands for Prepare, Execute, and Act with Knowledge, where Knowledge is woven throughout. She stresses that most hunters skip directly to Execute, but the Prepare phase — including scoping data sources, researching attacker behaviors, and forming a precise hypothesis — is where the most time should be spent. The Act phase includes documentation, which Sydney argues is critical: if it's not documented, it didn't happen. She notes that threat hunt outputs can include new detections, process improvements, risk findings, and expanded logging coverage.
The discussion then turns to the central theme of her blog post: knowing when to stop hunting. Sydney outlines several criteria, including coverage (do you have visibility into the relevant data sources?), diminishing returns (are you finding the same things repeatedly?), and time-boxing (setting hour-or-two increments and not exceeding them significantly without new findings). She describes a confidence spectrum — low, medium, high — that should be communicated transparently to leadership, especially when low confidence stems from visibility gaps like missing network logs. She advocates for raising these gaps as findings rather than hiding them.
Sydney also describes red flags for stopping too early or going too long, with scope creep being a primary concern. When hunters encounter interesting but off-topic threads, she recommends parking those in a backlog rather than chasing them, preserving curiosity while maintaining focus. She notes that hypothesis scope almost always needs to be narrowed once execution begins, as initial scopes frequently yield millions of events.
The conversation shifts to Sydney's newer Agentic Threat Hunting Framework, which layers AI on top of PEAK to solve the memory and documentation problem. Built around Markdown files stored in a repository, the framework enables both humans and AI agents to query past hunts semantically, answer questions like 'what have I hunted in the past six months,' and compound institutional knowledge over time. It includes a maturity model and a CLI with built-in semantic search, and is designed to help teams move beyond basic ChatGPT interactions into more agentic AI workflows.
Finally, Sydney discusses the Thor Collective, a group she co-founded with former colleagues Lauren Prail and John Gregeta. They publish a newsletter called Dispatch, run a podcast, and maintain a GitHub repository called Hearth, which contains nearly 200 threat hunting hypothesis ideas for practitioners looking for starting points.
About this episode
Starting an investigation—be it for troubleshooting, problem diagnosis, threat hunting, incident response, and so on—is fairly straightforward. There’s a question or thesis you’re pursuing, you have logs and data sources to check, and you have tools to deploy. But if you don’t find anything, does that mean there was nothing to find? Are you sure<a class="excerpt-read-more" href="https://packetpushers.net/podcasts/packet-protector/pp112-when-you-look-but-dont-find-the-art-of-knowing-when-to-stop/" title="ReadPP112: When You Look But Don’t Find: The Art of Knowing When to Stop">... Read more »</a>
Key Insights
- Sydney argues that a null result in threat hunting is still a success — proving or disproving a hypothesis both count, and the minimum output of any hunt is knowledge gained about attacker behavior in the environment.
- Sydney claims that the Prepare phase of PEAK should take the most time, yet most hunters skip directly to Execute, which typically produces less fruitful results than scoping and researching upfront.
- Sydney contends that visibility gaps discovered during a hunt — such as missing cloud or network logs — are legitimate findings that should be escalated to leadership, because hunters lack authority but leaders can mandate logging changes.
- Sydney describes diminishing returns as the point where queries begin surfacing already-investigated events, and argues this is the practical signal to call a hunt complete rather than any single definitive indicator.
- Sydney asserts that the confidence spectrum (low, medium, high) should be communicated transparently in hunt reports, particularly when low confidence results from visibility limitations, as hiding this information undermines organizational security posture.
- Sydney argues that scope creep is one of the biggest red flags in threat hunting, and that interesting but off-topic findings should be immediately moved to a backlog rather than pursued inline, preserving hunter curiosity without derailing the current hunt.
- Sydney claims that storing threat hunts in documents or JIRA tickets makes institutional knowledge nearly inaccessible, while a structured Markdown repository enables both humans and AI agents to semantically query past hunts and surface patterns over time.
- Sydney contends that the Agentic Threat Hunting Framework was built to solve a specific, common problem — hunters not remembering what was hunted six months ago — and that the solution is structured file-based memory that AI agents can read and reason over, rather than conversational AI chat.
Topics
Transcript
Hey, everybody, and welcome to this episode of Packet Protector, the podcast at the intersection of networking and security. I'm Jennifer J.J. Jabosh here with my co-host, Drew Conrey-Murray, and today's conversation starts with threat hunting, but don't tune out if that's not your lane. We're joined by Sydney Maroney, whose work in detection engineering and threat hunting leads to a bigger idea. More effort isn't always better. Her background runs from utilities to Nordstrom to telecom and Splunk, and she's the co-creator of the Peak Threat Hunting Framework. But what really caught our attention and the reason Drew and I brought her in is she had a recent blog, When to Stop Hunting, and it really cut to the…
Full transcript available for MurmurCast members
Sign Up to AccessMore from The Everything Feed - All Packet Pushers Pods
HW083: Inside the WLAN Pros Toolbox – A Free, Multipurpose App
Keith Parsons introduces the WLAN Pros Toolbox, a free cross-platform app containing over 100 Wi-Fi tools, calculators, and references available on iPhone, iPad, Mac, Android, and web browsers. Built using Flutter and AI-assisted development, the app is intentionally free with no ads, subscriptions, or data collection because Parsons believes essential professional tools should be accessible to all engineers worldwide.
NB582: Infoblox Adds Network Observability with Kentik Buy; Satellite Data Centers vs. the Environment
Network Break covers major tech news including Infoblox's acquisition of Kentik for network observability, alarming electricity consumption by data centers (especially in Ireland), security advances in AI agent detection, and developments in space infrastructure including Rocket Lab's acquisition of Iridium and environmental concerns about orbital data centers.
TCG079: Why Your State File is Actually a Distributed Systems Problem
Malcolm Matalka argues that Terraform's value lies not in its HCL syntax but in its state management, which is fundamentally a distributed systems problem inadequately solved by file-based locking. He discusses how StateGraph reimagines infrastructure state as a database rather than a JSON file, enabling concurrent operations, better queryability, and solving the scalability issues that plague teams as they grow.
NAN126: Fine-Tuning Open Source LLMs for Network Engineering
Edward Tuharu, founder of VXpert AI, discusses his career pivot from pursuing CCIE certification to building AI-powered NOC/SOC systems after recognizing the transformative potential of transformer architecture in 2022. He outlines the progression of AI technologies from prompting to RAG to fine-tuning to agentic systems, drawing parallels with networking protocol evolution and emphasizing the importance of domain-specific knowledge and fundamentals.
D2DO306: Platform Engineering in the Agentic Era (Sponsored)
Jad Elzane and Miles Gray from VMware by Broadcom discuss how platform engineering evolved from DevOps to address developer cognitive overload, and how Platform Engineering 2.0 must now accommodate AI agents as consumers alongside human developers, requiring new security guardrails and observability controls.