SANS Cyber Threat Hunting Survey 2025

The 2025 SANS Threat Hunting Survey reveals a growing trend toward in-house threat hunting capabilities, with organizations prioritizing agility and integration despite challenges like cloud visibility and skilled staffing shortages. Key findings include the prevalence of business email compromise, rising nation-state threats, and the increasing use of living off the land techniques among threat actors. #SANS2025 #ThreatHunting #BusinessEmailCompromise #LivingOffTheLand

Keypoints

  • Annual cybersecurity reports typically start with an executive summary highlighting key trends, followed by detailed analyses of methodologies, threat actor behaviors, tools, and emerging challenges.
  • They include comprehensive statistics on threat detection rates, staffing challenges, tool usage, and evolving adversary tactics to provide a holistic view of the cybersecurity landscape.
  • The 2025 SANS Threat Hunting Survey outlines sections such as executive summary, planning strategies, hunting success metrics, threat actor tracking, and the impact of automation and AI.
  • Reports emphasize the importance of balancing structured methodologies with adaptability, noting a decline in fully defined threat hunting plans but increased agility in updates.
  • Significant findings demonstrate a decline in ransomware detections but an increase in nation-state threat encounters and targeted exfiltration activities.
  • Reports highlight a shift towards internal threat hunting capabilities, with outsourcing decreasing and reliance on internally built tools rising.
  • The use of frameworks like MITRE ATT&CK and Pyramid of Pain is common to systematize threat hunting approaches across organizations.
  • Challenges such as cloud environment visibility and data normalization across tools persist as major barriers for effective threat hunting.
  • Threat hunting success measurement shows mixed trends, with many organizations manually tracking effectiveness and some deprioritizing formal assessments.
  • Living off the land (LOTL) techniques are frequently used by all adversary types, underscoring the need for behavior-based detection strategies.
  • Reports consistently identify EDR/XDR, SIEM, and network detection tools as the most critical instruments for conducting threat hunts.
  • Findings indicate an increased focus on automation to generate hunts based on threat intelligence, supplemented by growing internal threat research and decreasing reliance solely on vendor intelligence.
Report file: SANS-Cyber-Threat-Hunting-Survey-2025

Source: Awesome Annual Security Reports (https://github.com/jacobdjwilson/awesome-annual-security-reports/). The reports in this collection are limited to content that does not require a paid subscription, membership, or service contract.