---
title: Leveling_Up_as_a_Threat_Hunter_Lets_Go_Hunting
tags:  #bsides #bsidesmelb #threathunting  
author: [Tatsuya-hasegawa](https://www.docswell.com/user/hackeT)
site: [Docswell](https://www.docswell.com/)
thumbnail: https://bcdn.docswell.com/page/D7Y4D55MEM.jpg?width=480
description: This document, presented by instructor Hasegawa, focuses on the practical aspects and career development of threat hunting, drawing on his own experience. It defines and outlines the purpose of threat hunting, introduces the entities that actually conduct it (internal teams, external SOCs, CSIRTs, etc.), and compares the skills cultivated in six roles: MSS developer/owner, MSSP SOC analyst, CSIRT incident handler/forensic analyst, threat researcher, security consultant, and full-commit hunter. Furthermore, it outlines the path to becoming a consultant, including practical hunting experience, establishing unique methodologies, and presenting at conferences. It also touches upon hypothesis design, countermeasures against cognitive bias, and the limitations and possibilities of AI/GenAI utilization. Finally, it concludes by encouraging connection via a LinkedIn QR code.  Recommended tags: Threat hunting, cybersecurity, career path, skill development, AI utilization
published: May 19, 26
canonical: https://www.docswell.com/s/hackeT/57NEQ8-bsidesmelb2026
---
# Page. 1

![Page Image](https://bcdn.docswell.com/page/D7Y4D55MEM.jpg)

🦅 🐜
Career Talk (30 mins)
Leveling Up as a Threat Hunter: Let's Go Hunting!
Tatsuya Hasegawa (T.H), Threat Hunter (T.H)
1


# Page. 2

![Page Image](https://bcdn.docswell.com/page/VENY6NN3J8.jpg)

Tatsuya Hasegawa
• Professional Threat Hunter for over 4 years, 16 years in cyber security in total
• Threat Hunting Consultant
• SNS (HN: hackeT, X: @T_8ase)
Roles shown on the slide: Security Consultant, Visualization Developer, Threat Hunter, AI Engineer → Threat Hunting Consultant
Certifications
- GSE#404, GSP#414, CISSP, CISA
- GX-FA, GX-FE, GX-IH, GX-CS, + 10 GIACs
2025: Speaker of BSides (Tokyo & Brisbane), Workshop Leader of DEATHCON


# Page. 3

![Page Image](https://bcdn.docswell.com/page/Y79PLRRPE3.jpg)

My Threat Hunting Career
(chart: Amount of Proactive Time Related to Threat Hunting)


# Page. 4

![Page Image](https://bcdn.docswell.com/page/G78DXWWX7D.jpg)

My Role as Threat Hunting Consultant
• I do not hunt by myself; I hold regular meetings that follow the progress of the client's hunters
• I give advice for deeper investigations and reporting tips, and provide the next "hunt hole" to drill (Hypothesis Design)
• We discuss not only current attack trends, but also the perspectives of possible future threat actors
Trust and motivation management are essential for the client's hunters to achieve results.


# Page. 5

![Page Image](https://bcdn.docswell.com/page/L7LM8NNNJR.jpg)

Outline
1. Threat Hunting Landscape
2. Threat Hunting Skills and Experience Gained from Each Role
   1. MSS Developer & Owner
   2. MSSP SOC Analyst
   3. CSIRT Incident Handler & Forensic Analyst
   4. Threat Researcher
   5. Security Consultant
   6. Full-commit Threat Hunter
3. Path to Threat Hunting Consultant
4. Takeaways


# Page. 6

![Page Image](https://bcdn.docswell.com/page/4EMY6XXQEW.jpg)

Outline (section divider; same outline as Page 5, next section: 1. Threat Hunting Landscape)


# Page. 7

![Page Image](https://bcdn.docswell.com/page/PER9PNNKJ9.jpg)

What is Threat Hunting?
Security products can NOT detect all threats => there is always a potential risk of False Negatives (FN).
But we do have the products' telemetry and logs! ✨ So we can..
Detect proactively, then respond quickly before the risk spreads.
Even with the same analytical perspective, a different timing yields new discoveries,
so threat hunting should be incorporated into daily operations.
Similar to security monitoring? 🧐
=> Yes, but security monitoring is "fixed-point observation" (定点観測 in JP),
=> while threat hunting is "dynamic observation of weak areas".


# Page. 8

![Page Image](https://bcdn.docswell.com/page/P7XQ3NN5EX.jpg)

Who usually performs practical Threat Hunting?
'In-house'
• In-house Hunting team
• Private SOC Analyst
• CSIRT Member (peacetime)
"Out-sourced"
• MSSP SOC Analyst/Hunting Team (As a Service)
• Out-sourced Hunter (contracted)

| | In-house | Out-sourced |
|---|---|---|
| Normal environment | Easy to understand: active baseline 😊 | Difficult to understand: delayed baseline 😞 |
| Attack trends | Difficult to understand: delayed trend 😞 | Easy to understand: active trend 😊 |


# Page. 9

![Page Image](https://bcdn.docswell.com/page/37K9YNNR7D.jpg)

How is Threat Hunting approached?
Hypothesis types, after SANS "Generating Hypotheses for Successful Threat Hunting" (2016), https://www.sans.org/white-papers/37172/
• Intelligence-Driven Hypothesis
  • Known evil, or similarity to known malicious activity
  • ♦ IoC (Indicator of Compromise) driven
  • ❤ IoA (Indicator of Attack) driven
• ♣ Situation Awareness Hypothesis
  • Baseline, then deviation from benign
• ♠ Domain Expertise Hypothesis
  • Hunter's past experience
  • Difficult to document and share
  • Cognitive bias? But a valuable resource


# Page. 10

![Page Image](https://bcdn.docswell.com/page/LJ3W9VVGJ5.jpg)

Hasegawa-style Drill Hunting
Based on EDA (Exploratory Data Analysis)
Scope widely at first, then dig deeper with more knowledge
Figure: across the whole Security Product Area, "Dig Wide at First"; then "Dig! Dig! Dig!" while coming to understand the Noise and the FPs (False Positives)


# Page. 11

![Page Image](https://bcdn.docswell.com/page/8JDKG88NEG.jpg)

Moving from Bird to Insect, no silver bullet!
Look! Look! Inspect!
🦅 Bird eye
- Data cut by 1 or 2 features/fields
- Views: Horizon, Bubble
- Normal events dominate; narrow down while excluding normal/benign until the data is understood enough
Then, drill down!
🐜 Insect eye
- Look at the narrowed-down anomalies with many features/fields
- Views: Sunburst, Sankey, Multi-Dim Plot
Some icons from elastic
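The hypothesis types from Page 9 and the wide-then-narrow drill-down from Pages 10 and 11 as one runnable illustration. This is an added example, not code from the talk or from the speaker: the process-creation events, host names, user names, hash values, the "known bad" IoC list, the Office-app/shell name sets, the sync-tool list and the `min_hosts` baseline threshold are all constructed for illustration.

```python
"""Added example (not from the talk): intelligence-driven (IoC / IoA),
situation-awareness (baseline, then deviation) and domain-expertise hypotheses
run over one constructed set of process events, then a bird-eye -> insect-eye
drill-down. All telemetry, hashes and tool lists below are constructed."""
from collections import Counter, defaultdict


def ev(host, user, parent, proc, cmd=None, sha="benign-hash"):
    """Build one EDR-style process-creation event (constructed sample telemetry)."""
    return {"host": host, "user": user, "parent": parent, "proc": proc,
            "cmd": cmd or proc, "sha256": sha}


# Constructed sample: mostly routine desktop activity plus three rare parent/child pairs.
EVENTS = [
    *(ev(h, "alice", "explorer.exe", "outlook.exe") for h in ("ws01", "ws02", "ws04", "ws05")),
    *(ev(h, "alice", "explorer.exe", "chrome.exe") for h in ("ws01", "ws02", "ws04", "ws06")),
    *(ev(h, "SYSTEM", "services.exe", "svchost.exe") for h in ("ws01", "ws03", "ws05", "ws07")),
    *(ev(h, "bob", "explorer.exe", "winword.exe") for h in ("ws02", "ws06", "ws07")),
    ev("ws02", "alice", "explorer.exe", "notepad.exe"),  # rare but benign: the noise/FP to exclude
    ev("ws07", "bob", "winword.exe", "powershell.exe",
       "powershell.exe -nop -w hidden -enc Q29uc3RydWN0ZWQ=", "hash-bbb2"),
    ev("ws03", "svc_backup", "services.exe", "rclone.exe",
       "rclone.exe copy C:\\Finance remote:bucket", "hash-ccc3"),
]

# --- Intelligence-driven hypotheses (constructed intelligence) -----------------
IOC_HASHES = {"hash-ccc3"}                      # "known evil" hash list (assumed)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def hunt_ioc(events):
    """IoC hypothesis: an observed hash matches known-bad intelligence."""
    return [e for e in events if e["sha256"] in IOC_HASHES]


def hunt_ioa(events):
    """IoA hypothesis: a behaviour pattern (Office app spawning a shell), no hash needed."""
    return [e for e in events
            if e["parent"].lower() in OFFICE_APPS and e["proc"].lower() in SHELLS]


# --- Situation-awareness hypothesis: baseline first, then deviation -----------
def bird_eye(events, fields=("parent", "proc")):
    """Bird eye: cut the data by one or two fields and count (the wide first pass)."""
    return Counter(tuple(e[f] for f in fields) for e in events)


def situation_awareness(events, fields=("parent", "proc"), min_hosts=3):
    """A pair seen on >= min_hosts distinct hosts is treated as environment baseline;
    everything else is a deviation worth a look. min_hosts is an assumed tuning knob."""
    hosts_by_pair = defaultdict(set)
    for e in events:
        hosts_by_pair[tuple(e[f] for f in fields)].add(e["host"])
    baseline = {pair for pair, hosts in hosts_by_pair.items() if len(hosts) >= min_hosts}
    deviations = [e for e in events if tuple(e[f] for f in fields) not in baseline]
    return baseline, deviations


def insect_eye(candidates, fields=("host", "user", "parent", "proc", "cmd", "sha256")):
    """Insect eye: look at the narrowed-down set with many fields at once."""
    return [{f: e[f] for f in fields} for e in candidates]


# --- Domain-expertise hypothesis ----------------------------------------------
SYNC_TOOLS = {"rclone.exe", "7z.exe", "rar.exe"}   # assumed list from one hunter's experience


def domain_expertise(events):
    """One hunter's rule of thumb written down: service accounts running sync/archive tools."""
    return [e for e in events
            if e["user"].startswith("svc_") and e["proc"].lower() in SYNC_TOOLS]


def run_hunt(events):
    """Run all lenses; the drill-down result is the de-duplicated union of hits, expanded."""
    baseline, deviations = situation_awareness(events)
    hits = hunt_ioc(events) + hunt_ioa(events) + deviations + domain_expertise(events)
    unique = {(e["host"], e["proc"], e["cmd"]): e for e in hits}.values()
    return {"baseline_pairs": sorted(baseline), "drilldown": insect_eye(unique)}


if __name__ == "__main__":
    result = run_hunt(EVENTS)
    print("baseline:", result["baseline_pairs"])
    for row in result["drilldown"]:
        print(row)
```

The benign `notepad.exe` deviation is deliberate: the situation-awareness pass alone cannot tell it from the `rclone.exe` one, which is why the insect-eye view pulls in the command line, user and hash so the hunter (or the intelligence and domain-expertise lenses) can separate noise from a real finding.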


# Page. 12

![Page Image](https://bcdn.docswell.com/page/VEPK388N78.jpg)

Difference between general Hunting styles

| | Threat Intelligence (Structured) | Anomaly / Data Mining (Unstructured) |
|---|---|---|
| Team Operation | Easy | Limited |
| Automation | GenAI | ML/DL, but limited |
| Scope Planning | Easy | Difficult |
| Knowledge Share | Easy | Difficult |
| Find Unknown | Limited | Yes |
| Uniqueness | Low | High |


# Page. 13

![Page Image](https://bcdn.docswell.com/page/27VV4NNY7Q.jpg)

Outline (section divider; same outline as Page 5, next section: 2. Threat Hunting Skills and Experience Gained from Each Role)


# Page. 14

![Page Image](https://bcdn.docswell.com/page/5JGL1KKW7L.jpg)

1. MSS Developer & Owner
Experienced:
Security product's habits & weaknesses 🧐
Job tasks
- Security product discovery
- Operation design
- Production test / PoC ✨
- Service specification creation
- Troubleshooting


# Page. 15

![Page Image](https://bcdn.docswell.com/page/47QYDNNQEP.jpg)

2. MSSP SOC Analyst
Experienced:
False Positives of security products 🤯
Fundamentals of Detection Engineering
Job tasks
- Alert handling
- Log analysis ✨
- Periodic report creation
- Custom rule development


# Page. 16

![Page Image](https://bcdn.docswell.com/page/KE4WZGGYJ1.jpg)

3. CSIRT Incident Handler & Forensic Analyst
Experienced:
Real False Negatives 😭
Patterns of Insider Threat
Job tasks
- Incident handling for a variety of cases ✨
- Forensic analysis ✨
- Forensic report creation
- Vulnerability management ✨
- Community activity, e.g. ISAC


# Page. 17

![Page Image](https://bcdn.docswell.com/page/L71YRDDNJG.jpg)

4. Threat Researcher (at an Anti-Virus vendor)
Experienced:
Sophisticated evasion attacks 🙃
Threats' spread speed
Job tasks
- New threat/evasion research ✨
- Malware/exploit deep analysis ✨
- Threat report creation


# Page. 18

![Page Image](https://bcdn.docswell.com/page/G7WG1Y8ME2.jpg)

5. Security Consultant
Experienced:
Only a few 😞…
Job tasks
- Customer meetings
- Security framework research
- Security audit
- Presentation slide creation


# Page. 19

![Page Image](https://bcdn.docswell.com/page/4JZLPX8ME3.jpg)

6. Full-commit Threat Hunter
Experienced:
Cost-effectiveness of time and results ⚖
Predicting the threat actor's mind
Mental resilience 😆
Job tasks
- Log analysis (forensic) ✨
- Threat intelligence check ✨
- Hunt tool development
- Considering the hunt PDCA loop ✨
- Hunt! Hunt! Hunt! Greedily! Commit to results!


# Page. 20

![Page Image](https://bcdn.docswell.com/page/YE6WM4P5EV.jpg)

Outline (section divider; same outline as Page 5, next section: 3. Path to Threat Hunting Consultant)


# Page. 21

![Page Image](https://bcdn.docswell.com/page/GE5MZQKGE4.jpg)

Path to Threat Hunting Consultant
In my case: lots of practical hunt work 🔥 → create your own hunt method ✨ → present at well-known security conferences 🎤
Going my way; commit to results.
IMPORTANT !! Sustained involvement in real hunting.


# Page. 22

![Page Image](https://bcdn.docswell.com/page/9729RPWDJR.jpg)

Outline (section divider; same outline as Page 5, next section: 4. Takeaways)


# Page. 23

![Page Image](https://bcdn.docswell.com/page/DJY4D5LM7M.jpg)

Compare the 6 roles' experiences for a hunter

| Role | Experience gained |
|---|---|
| MSS Developer & Owner | Security product's habits & weaknesses |
| MSSP SOC Analyst | False Positives; Fundamentals of Detection Engineering |
| CSIRT Incident Handler & Forensic Analyst | False Negatives; Insider Threat |
| Threat Researcher | Evasion attacks; Spread speed |
| Security Consultant | Very limited… |
| Full-commit Hunter | Cost-effectiveness; Mental resilience |

Also labelled on the figure: Hypothesis and Verification Loop; Data Analysis with Visualization.


# Page. 24

![Page Image](https://bcdn.docswell.com/page/V7NY6N43E8.jpg)

Best hunter experience
🦅 A hunter grows through facing "False Negatives" 🐜
- Get as many chances as possible in your current role
- Hunt by yourself
- Look at other hunters' results
- Forensic investigation in incidents
- Public IR reports or TR reports (limited awareness)
Suspecting a False Negative is the first step to hunting!


# Page. 25

![Page Image](https://bcdn.docswell.com/page/YJ9PLRQP73.jpg)

Controlling Cognitive Bias
Hunters rely on their experience...
Be confident, but don't be alone!
Get feedback & new perspectives from others 🐜🦅


# Page. 26

![Page Image](https://bcdn.docswell.com/page/GJ8DXWGXJD.jpg)

Looking at Real Data Yourself
Practical advanced hunting requires Data Analysis Skill:
- Query Language
- Statistics
- ML
- DL
- Payload Analysis
🦅 🐜


# Page. 27

![Page Image](https://bcdn.docswell.com/page/LJLM8NGNER.jpg)

Thoughts on Hunting Automation
IMPORTANT !! AI can mimic past experience, but hunters can't gain true experience from AI alone.
PDCA loop on the slide:
- Plan: ☑ GenAI. Planning whole new hypotheses is the biggest challenge..
- Do: ✅ Scheduled Job
- Check: ✅ Deep Analysis by AI (Timeline correlation, DL)
- Act: ☑ GenAI


# Page. 28

![Page Image](https://bcdn.docswell.com/page/47MY6XQQ7W.jpg)

Thank you!
This is my LinkedIn account QR.
Feel free to connect with me.


